Cabletron Systems EMM-E6 manual Enabling Security and Traps, 7-12

Models: EMM-E6


Security

transmitted clean to all ports on that channel unless security has been enabled there, too. Packets bridged to Channel A will always be transmitted clean to all ports, regardless of lock status; however, careful bridge configuration and prudent use of each port’s forwarding and blocking abilities can provide some measure of security in this case.

Security must be disabled on any port which is connected to an external bridge, or the bridge will discard all packets it receives as error packets (since the CRC is not recalculated after a packet is scrambled).

Security should also be disabled on any port which is supporting a trunk connection, unless you are sure that no more than 34 source addresses will attempt to use the port, and you have secured all necessary addresses. Note that, with the newest versions of security, a LANVIEWSECURE port that sees more than 35 addresses in its Source Address table (or exactly 35 addresses for two consecutive aging intervals) is considered unsecurable and cannot be locked.

Full security should not be implemented on any port which supports a name server or a bootp server, as those devices would not receive the broadcast and multicast messages they are designed to respond to (partial security — which does not scramble broadcasts or multicasts — will not affect their operation). Note that users who require responses to broadcast or multicast requests can still operate successfully if their ports are fully secured, as the reply to a broadcast has a single, specific destination address.

In general, scrambling is most effective when employed in a single chassis which contains only LANVIEWSECURE MIMs operating on channels B and/or C; remember, non-LANVIEWSECURE MIMs and any ports operating on Channel A do not support scrambling as part of their security functionality.
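The deployment caveats above, expressed as a small audit over a port inventory. This is an added example, not code from the manual or from Cabletron; the `Port` record, its field values and the sample ports are assumptions constructed for illustration, and the securability check is evaluated only over the aging-interval counts supplied to it.

```python
from dataclasses import dataclass

MAX_ADDRS = 35  # page: more than 35 source addresses makes a port unsecurable

@dataclass
class Port:  # hypothetical inventory record, not a device or SNMP structure
    name: str
    channel: str         # "A", "B" or "C"
    lanviewsecure: bool  # port is on a LANVIEWSECURE MIM
    role: str            # "user", "external_bridge", "trunk", "name_server", "bootp_server"
    lock: str            # "unlocked", "full" or "continuous"
    eavesdrop: str       # "full" or "partial"
    addr_counts: list    # Source Address table size per aging interval

def securable(counts):
    """False if any count exceeds 35, or 35 is seen in two consecutive intervals."""
    for prev, cur in zip([None] + counts, counts):
        if cur > MAX_ADDRS or (cur == MAX_ADDRS and prev == MAX_ADDRS):
            return False
    return True

def audit(p):
    """Return the page's deployment caveats that apply to one port."""
    if p.lock == "unlocked":
        return []
    out = []
    if p.role == "external_bridge":
        out.append("bridge: scrambled packets keep the old CRC, so the bridge discards them")
    if p.role == "trunk" and max(p.addr_counts, default=0) > 34:
        out.append("trunk: more than 34 source addresses use this port")
    if p.lanviewsecure and not securable(p.addr_counts):
        out.append("unsecurable: address table too large to lock")
    if p.role in ("name_server", "bootp_server") and p.eavesdrop == "full":
        out.append("server: full security scrambles the broadcasts/multicasts it must receive")
    if p.channel == "A" or not p.lanviewsecure:
        out.append("clean: no scrambling on Channel A or non-LANVIEWSECURE MIMs")
    return out

# Constructed sample ports
PORTS = [
    Port("B1", "B", True, "user", "full", "full", [3, 4, 4]),
    Port("B2", "B", True, "external_bridge", "full", "partial", [12, 12]),
    Port("C1", "C", True, "trunk", "continuous", "partial", [35, 35]),
    Port("A1", "A", False, "bootp_server", "full", "full", [1]),
]

if __name__ == "__main__":
    for p in PORTS:
        print(p.name, audit(p) or "ok")
```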

Enabling Security and Traps

You can enable or disable all applicable protections by locking or unlocking ports via the repeater, module, or port Security window, as described in the sections below. There are two levels of lock status to choose from.

If you select Full lock status, the port will stop learning new source addresses, accept packets only from secured source addresses, employ either full or partial eavesdrop protection (as configured), and take the configured steps (send trap and/or disable port) if a violation occurs.

If you select Continuous lock status, the port will implement the configured level of eavesdrop protection, but continue to learn source addresses and allow all packets to pass, effectively disabling intruder protection.

Enabling and disabling traps from the Security windows has the same effect as enabling and disabling them from the Source Address windows; you can enable and disable the following traps:
