Security

A newSourceAddress trap is generated when a station port — one receiving packets from zero, one, or two source addresses — receives a packet from a source address that is not currently in its source address table. Information included in this trap includes the board number, port number, and source address associated with the trap. Trunk ports — those receiving packets from three or more source addresses — will not issue newSourceAddress traps.

A sourceAddressTimeout trap is issued anytime a source address is aged out of the Source Address Table due to inactivity. The trap’s interesting information includes the board and port index, and the source address that timed out. (See Setting the Aging Time in Chapter 6, Source Addressing, for more information.)

All other source address traps (portTypeChanged, lockStatusChanged, portSecurityViolation, and portViolationReset, all defined in Chapter 6, Source Addressing) will continue to be generated as appropriate, as will the security- specific traps:

A secureStateChange trap indicates that a port has changed from a securable state to an unsecurable state, or vice versa; the interesting information includes board and port index.

A learnStateChange trap indicates that a port has had its learned addresses reset. Interesting information includes board and port index, and current learn state. Note that SPMA always maintains ports in a learn state, and just resets that learn state to achieve a reset of existing learned and secure addresses.

A learnModeChange trap is issued when a port is set to continuous lock mode; interesting information includes board and port index, and current learn mode.

When setting these parameters at the various levels, keep in mind that the most recent setting will override the existing status: for example, if you lock one or more ports at the port level, then unlock them at the module level, all ports on the module will be unlocked. Similarly, if you enable traps at the module level, then disable them at the repeater level, traps will be disabled for all ports on the repeater.

NOTE

Enabling and disabling locking from the Source Address application (described in Chapter 6) will implement all applicable security features as they have been configured via the port-level Security window. Note that locking ports from the Source Address window implements Full lock status by default; however, this will not override the status of any ports which have already been set to Continuous lock mode.

Enabling and disabling traps from the Source Address window also has the same effect as enabling or disabling them from the Security application. Keep in mind, however, that SPMA does not accept the trap messages; that task is left to your network management system. (See the appropriate network management system documentation for details about viewing trap messages.) Note, too, that no traps will be sent by the EMM-E6 unless its trap table has been properly configured; see the EMM-E6 hardware manual and/or the Trap Table chapter in the SPMA Tools Guide for more information.

Enabling Security and Traps

7-13

Page 99
Image 99
Cabletron Systems EMM-E6 manual Security