Configuring and Monitoring Port Security

MAC Lockdown

MAC Lockdown Operating Notes

Limits. There is a limit of 500 MAC Lockdowns that you can safely code per switch. To truly lock down a MAC address it would be necessary to use the MAC Lockdown command for every MAC Address and VLAN ID on every switch. In reality few network administrators will go to this length, but it is important to note that just because you have locked down the MAC address and VID for a single switch, the device (or a hacker “spoofing” the MAC address for the device) may still be able to use another switch which hasn’t been locked down.

Event Log Messages. If someone using a locked down MAC address is attempting to communicate using the wrong port the “move attempt” gener- ates messages in the log file like this:

Move attempt (lockdown) logging:

W10/30/03 21:33:43 maclock: module A: Move 0001e6-1f96c0 to A15 denied

W10/30/03 21:33:48 maclock: module A: Move 0001e6-1f96c0 to A15 denied

W10/30/03 21:33:48 maclock: module A: Ceasing move-denied logs for 5m

These messages in the log file can be useful for troubleshooting problems. If you are trying to connect a device which has been locked down to the wrong port, it will not work but it will generate error messages like this to help you determine the problem.

Limiting the Frequency of Log Messages. The first move attempt (or intrusion) is logged as you see in the example above. Subsequent move attempts send a message to the log file also, but message throttling is imposed on the logging on a per-module basis. What this means is that the logging system checks again after the first 5 minutes to see if another attempt has been made to move to the wrong port. If this is the case the log file registers the most recent attempt and then checks again after one hour. If there are no further attempts in that period then it will continue to check every 5 minutes. If another attempt was made during the one hour period then the log resets itself to check once a day. The purpose of rate-limiting the log messaging is to prevent the log file from becoming too full. You can also configure the switch to send the same messages to a Syslog server. Refer to “Debug and Syslog Messaging Operation” in appendix C of the Management and Configuration Guide for your switch.

9-20

Page 250
Image 250
HP 6108, 4100gl, 2650 (J4899A/B), 2626 (J4900A/B), 2600-PWR manual MAC Lockdown Operating Notes