Asante Technologies 35160 user manual Configuring Port New Node Detection Trap

Configuring Port New Node Detection Trap

The port new node detection trap security measure (also called the “port security trap”) ensures that when any new device is connected to a secured port, an alert is sent to the designated trap receiver. A device is detected as new when it is connected to the switch and its MAC address is not present in the current address table. The alert includes the new node’s MAC address, its IP address (if available), and the port to which it is connected.

After a device has been connected and has generated traffic on the network, the trap will not be re-sent. If the switch ages out the MAC address of a connected device from its forwarding database, new traffic from that device will result in a new node trap being sent. The default age-out time is 300 seconds. The user may reduce the number of traps sent by lengthening the age-out time, as explained in “Setting the MAC Address Age-Out Time” in Chapter 3.

By default, New Node detection is disabled.

To enable or disable detection of a new node on the system, first set the security level on a port or group of ports to 1. Then, if it is not already enabled, enable New Node detection.

To set security level 1 on a port:

1.From the Configuration Menu, type t to access the Security Management Menu.

2.Type p to access the Port Security Configuration Menu.

3.Select o to Set/Clear port security.

4.Type s to set security.

5.Type the numbers of the ports on which to set the security. The manager can specify a single port, a series of port numbers separated by commas, a range of ports shown with a hyphen, or a combination of ranges and single ports. For example, type 1-8, 14 to specify ports one through eight, and port fourteen. See Help for more information.

6.Type l for Port Security Level 1.

To enable New Node detection:

1.From the Configuration Menu, type t to access the Security Management Menu.

2.Type p to access the Port Security Configuration Menu.

3.Type t to choose Toggle Port Security Trap.

4.Type 1 to toggle the new node trap (if it is not already enabled).

Configuring Port Lock and Intruder Lock

The port intruder security measure creates a port-trusted MAC address: the station with that address is the only one with full rights to send traffic through the port. Attempts by other stations to send traffic through the port are regarded as security intrusions and can be disallowed. The security measure may be enabled as a port lock (security level 2) or an intruder lock (security level 3).

Note: The three security levels are mutually exclusive; a port can have security level 1, level 2, or level 3, but never a combination of security levels.

To configure security level 2 or 3, specify the port-trusted MAC address directly, or direct the system to trust the address of the first station that addresses the port. By trusting the first station to address the port, the manager can configure port security before knowing which system will ultimately use that port.

When security level 2 (port lock) is enabled and an intruder attempts to direct traffic through the port, the port is immediately disabled. The port is re-enabled only when management clears the security level on it.

When security level 3 (intruder lock) is enabled and an intruder attempts to direct traffic through the port, the switch locks out the intruder’s MAC address; the port will not accept any traffic from that station. The intruder’s address is re-enabled only when management clears the security level on the port.

Important! If the security level is set at 2 or 3, the Intruder Trap must also be set. If this trap is not set, no notification that the port has been disabled can be received. See “Setting the Intruder Trap” section below.
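The following simulation is an added illustration of the behaviour this page describes, not Asante firmware or a management interface for the switch. It models the three mutually exclusive security levels on a port, the “trust the first station” option, the new node trap and its suppression until the MAC address ages out of the forwarding database (300-second default), the intruder trap, and the port syntax of “1-8, 14”. Every class, function and MAC address in it is invented for the example; the times are simple integer seconds.

```python
"""Model of the port-security behaviour this page describes: level 1
(new node trap, suppressed until the MAC ages out of the forwarding
database), level 2 (port lock) and level 3 (intruder lock).  This is a
constructed simulation written for illustration, not Asante firmware or
a management API; every name here is made up."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_AGE_OUT = 300  # seconds; the default MAC age-out time in the manual


def parse_ports(spec: str) -> List[int]:
    """Parse the manual's port syntax: '1-8, 14' -> [1..8, 14]."""
    ports: List[int] = []
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(item))
    return ports


@dataclass
class Port:
    level: int = 0                      # 0 = none; 1, 2, 3 are mutually exclusive
    trusted_mac: Optional[str] = None   # level 2/3; None = trust the first station
    enabled: bool = True
    locked_out: Set[str] = field(default_factory=set)  # level 3 blocked stations


class Switch:
    def __init__(self, port_numbers, age_out: int = DEFAULT_AGE_OUT,
                 new_node_trap: bool = False, intruder_trap: bool = False):
        self.ports: Dict[int, Port] = {n: Port() for n in port_numbers}
        self.age_out = age_out
        self.new_node_trap = new_node_trap        # disabled by default, as in the manual
        self.intruder_trap = intruder_trap
        self.fdb: Dict[Tuple[int, str], int] = {}    # (port, mac) -> last seen time
        self.traps: List[Tuple[str, int, str]] = []  # (kind, port, mac) traps sent

    def set_security(self, ports, level: int, trusted_mac: Optional[str] = None):
        """Set one level on each port; a port never holds two levels at once."""
        assert level in (1, 2, 3)
        for n in ports:
            self.ports[n] = Port(level=level, trusted_mac=trusted_mac)

    def clear_security(self, ports):
        """Management clears the level; this re-enables a locked port and
        forgets any locked-out intruders."""
        for n in ports:
            self.ports[n] = Port()

    def _age_fdb(self, now: int):
        stale = [k for k, seen in self.fdb.items() if now - seen > self.age_out]
        for k in stale:
            del self.fdb[k]

    def frame(self, port_no: int, mac: str, now: int) -> str:
        """Process one frame arriving on port_no from mac at time now."""
        port = self.ports[port_no]
        self._age_fdb(now)
        if not port.enabled:
            return "dropped: port disabled"
        if mac in port.locked_out:
            return "dropped: station locked out"
        if port.level in (2, 3):
            if port.trusted_mac is None:
                port.trusted_mac = mac          # first station to use the port is trusted
            if mac != port.trusted_mac:
                if self.intruder_trap:          # without the trap, nobody is notified
                    self.traps.append(("intruder", port_no, mac))
                if port.level == 2:
                    port.enabled = False        # port lock: whole port goes down
                    return "dropped: port disabled"
                port.locked_out.add(mac)        # intruder lock: only this station is blocked
                return "dropped: station locked out"
        elif port.level == 1 and (port_no, mac) not in self.fdb and self.new_node_trap:
            self.traps.append(("new_node", port_no, mac))  # only while the MAC is unknown
        self.fdb[(port_no, mac)] = now
        return "forwarded"


if __name__ == "__main__":
    sw = Switch(parse_ports("1-16"), new_node_trap=True, intruder_trap=True)
    sw.set_security(parse_ports("1-8, 14"), 1)
    sw.frame(1, "00:00:94:00:00:01", 0)
    sw.frame(1, "00:00:94:00:00:01", 100)    # known: no second trap
    sw.frame(1, "00:00:94:00:00:01", 500)    # aged out after 300 s: trap again
    print(sw.traps)
```

The `frame` method returns a status string rather than printing, so the behaviour can be checked directly: the same station on a level 1 port produces one new node trap, then another only after its entry has aged out; on a level 2 port the first intruder frame disables the port for everyone including the trusted station until `clear_security` runs; on a level 3 port only the intruder’s address is refused and the trusted station keeps working.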
