Cabletron Systems SEHI-32/34, SEHI-22/24 manual Enabling Security and Traps, 6-12

Models: SEHI-22/24 SEHI-32/34

Enabling Security and Traps

Security

You can enable or disable all applicable protections by locking or unlocking ports via the repeater, hub, or port Security window, as described in the sections below. There are two levels of lock status to choose from: if you select Full lock status, the port will stop learning new source addresses, accept packets only from secured source addresses, employ either full or partial eavesdrop protection (as configured), and take the configured steps (send trap and/or disable port) if a violation occurs; if you select Continuous lock status, the port will implement the configured level of eavesdrop protection, but continue to learn source addresses and allow all packets to pass, effectively disabling intruder protection.

Enabling and disabling traps from the Security windows has the same effect as enabling and disabling them from the Source Address windows; you can enable and disable the following traps:

A newSourceAddress trap is generated when a station port — one receiving packets from zero, one, or two source addresses — receives a packet from a source address that is not currently in its source address table. Information included in this trap includes the board number, port number, and source address associated with the trap. Trunk ports — those receiving packets from three or more source addresses — will not issue newSourceAddress traps.

A sourceAddressTimeout trap is issued any time a source address is aged out of the Source Address Table due to inactivity. The trap’s interesting information includes the board and port index, and the source address that timed out. (See Setting the Ageing Time in Chapter 4, Source Addressing, for more information.)

All other source address traps (portTypeChanged, lockStatusChanged, portSecurityViolation, and portViolationReset, all defined in Chapter 4, Source Addressing) will continue to be generated as appropriate, as will the security-specific traps:

A secureStateChange trap indicates that a port has changed from a securable state to an unsecurable state, or vice versa; the interesting information includes board and port index.

A learnStateChange trap indicates that a port has had its learned addresses reset. Interesting information includes board and port index, and current learn state. Note that SPMA always maintains ports in a learn state, and just resets that learn state to achieve a reset of existing learned and secure addresses.

A learnModeChange trap is issued when a port is set to continuous lock mode; interesting information includes board and port index, and current learn mode.

When setting these parameters at the various levels, keep in mind that the most recent setting will override the existing status: for example, if you lock one or more ports at the port level, then unlock them at the hub level, all ports on the hub will be unlocked. Similarly, if you enable traps at the hub level, then disable them at the repeater level, traps will be disabled for all ports on the repeater.
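The override rule above can be checked before a change is applied by replaying the planned sequence of settings. The following is an added example, not part of the manual or of SPMA: the Change record, the (hub, port) numbering, the starting unlocked state and the sample data are all assumptions made for illustration. It reports each port's effective lock state and lists ports whose port-level lock was undone by a later hub-level or repeater-level unlock.

```python
from typing import NamedTuple, Optional

class Change(NamedTuple):
    level: str             # "port", "hub" or "repeater" (the three Security windows)
    hub: Optional[int]     # hub index; None at repeater level (hypothetical numbering)
    port: Optional[int]    # port index; None at hub and repeater level
    locked: bool           # True = lock, False = unlock

def covers(ch, hub, port):
    """True if a setting made at ch.level applies to the port (hub, port)."""
    if ch.level == "repeater":
        return True
    if ch.level == "hub":
        return ch.hub == hub
    return (ch.hub, ch.port) == (hub, port)

def replay(ports, changes):
    """Apply changes in order; the most recent covering setting wins.

    Returns (state, lost): state maps each port to (locked, level that set it),
    lost lists ports whose port-level lock was removed by a wider unlock
    and not re-locked afterwards.
    """
    state = {p: (False, None) for p in ports}   # assumption: ports start unlocked
    lost = set()
    for ch in changes:
        for p in ports:
            if not covers(ch, *p):
                continue
            if state[p] == (True, "port") and not ch.locked and ch.level != "port":
                lost.add(p)
            elif ch.locked:
                lost.discard(p)
            state[p] = (ch.locked, ch.level)
    return state, sorted(lost)

# Constructed inventory and change sequence (not taken from a real device).
PORTS = [(1, 1), (1, 2), (2, 1), (2, 2)]
CHANGES = [
    Change("port", 1, 1, True),      # lock hub 1, port 1
    Change("port", 2, 2, True),      # lock hub 2, port 2
    Change("hub", 1, None, False),   # unlock hub 1: also unlocks port (1, 1)
]

if __name__ == "__main__":
    state, lost = replay(PORTS, CHANGES)
    for p, (locked, level) in state.items():
        print(p, "locked" if locked else "unlocked", "set at", level)
    print("port-level locks undone by a wider unlock:", lost)
```

The same replay applies to trap enable and disable settings, which the manual says follow the same most-recent-setting rule.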
