Cabletron Systems SEHI-22/24 Tips for Successfully Implementing Eavesdropper Protection, 6-11

Security

4.Click to select the Reset Learned Addresses option. A confirmation window

will appear; click on to reset addresses, or on to cancel. The port’s address table will be cleared of all Learned and Secure addresses, and the learning process will restart.

Tips for Successfully Implementing Eavesdropper Protection

There are a couple of things to note about eavesdropper protection, or scrambling, that must be taken into consideration as you are planning security for your network.

•Security can only be implemented by locking a port, and can only be completely disabled by unlocking the port. You cannot enable intruder protection on a LANVIEWSECURE hub without also enabling eavesdropper protection. You can, however, effectively enable eavesdropper protection alone by selecting the noDisable option for the violation response; selecting noDisable basically eliminates intruder protection, as all packets will be allowed to pass regardless of their source address. (Note, however, that the port will issue a trap after the first violation.) You can also enable eavesdropper protection without intruder protection by selecting the Continuous lock mode; see Enabling Security and Traps, page 6-12, for details.

•Security must be disabled on any port which is connected to an external bridge, or the bridge will discard all packets it receives as error packets (since the CRC is not recalculated after a packet is scrambled).

•Security should also be disabled on any port which is supporting a trunk connection, unless you are sure that no more than 34 source addresses will attempt to use the port, and you have secured all necessary addresses. Note that, with the newest versions of security, a LANVIEWSECURE port that sees more than 35 addresses in its Source Address table (or exactly 35 addresses for two consecutive ageing intervals) is considered unsecurable and cannot be locked.

•Full security should not be implemented on any port which supports a Name Server or a BootP server, as those devices would not receive the broadcast and multicast messages they are designed to respond to (partial security — which does not scramble broadcasts or multicasts — will not affect their operation). Note that users who require responses to broadcast or multicast requests can still operate successfully if their ports are fully secured, as the reply to a broadcast has a single, specific destination address.

In general, scrambling is most effective when employed in a single hubstack which contains only LANVIEWSECURE hubs; remember, non-LANVIEWSECUREhubs do not support scrambling as part of their security functionality.