Configuring and Monitoring Port Security

MAC Lockout

Deploying MAC Lockdown

When you deploy MAC Lockdown you need to consider how you use it within your network topology to ensure security. In some cases where you are using techniques such as Spanning Tree Protocol (STP) to speed up network performance by providing multiple paths for devices, using MAC Lockdown either will not work or else it defeats the purpose of having multiple data paths.

The purpose of using MAC Lockdown is to prevent a malicious user from “hijacking” an approved MAC address so they can steal data traffic being sent to that address.

As we have seen, MAC Lockdown can help prevent this type of hijacking by making sure that all traffic to a specific MAC address goes only to the proper port on a switch which is supposed to be connected to the real device bearing that MAC address.

However, you can run into trouble if you incorrectly try to deploy MAC Lockdown in a network that uses multiple path technology, like Spanning Tree.

Caution

Using MAC Lockdown still does not protect against a hijacker within the core! In order to protect against someone spoofing the MAC Address on a server inside the Core Network, you would have to lock down each and every switch inside the Core Network as well, not just on the edge.

MAC Lockout

MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch so that any traffic to or from the “locked-out” MAC address will be dropped. This means that all data packets addressed to or from the given address are stopped by the switch. MAC Lockout is implemented on a per switch assignment.

You can think of MAC Lockout as a simple blacklist. The MAC address is locked out on the switch and on all VLANs. No data goes out or in from the blacklisted MAC address to a switch using MAC Lockout.

To fully lock out a MAC address from the network it would be necessary to use the MAC Lockout command on all switches.
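The following is an added example, not from the manual and not the switch's own firmware logic: a small Python model of one switch's forwarding decision that shows the difference between MAC Lockdown (a MAC bound to one port, as described under "Deploying MAC Lockdown") and MAC Lockout (a per-switch blacklist applied on every port and VLAN). The switch names, port numbers and MAC addresses are constructed. The scenario also models the two caveats in the text: a second switch with no lockdown configured still accepts a spoofed server MAC, and a lockout entry on one switch does nothing on another.

```python
"""Toy model of MAC Lockdown and MAC Lockout forwarding decisions.
Added example; the classes, ports and MAC values are constructed, not
taken from any real switch configuration."""
from dataclasses import dataclass, field


@dataclass
class Frame:
    src: str           # source MAC
    dst: str           # destination MAC
    ingress_port: str  # port the frame arrived on
    vlan: int


@dataclass
class Switch:
    name: str
    # MAC Lockout: blacklist that applies to every port and VLAN of this switch
    lockout: set = field(default_factory=set)
    # MAC Lockdown: MAC -> the single port allowed to carry that MAC
    lockdown: dict = field(default_factory=dict)
    # ordinary learned address table for everything else: MAC -> port
    learned: dict = field(default_factory=dict)

    def forward(self, f: Frame) -> str:
        """Return the egress port, 'FLOOD', or a 'DROP:<reason>' string."""
        # Lockout: any frame to or from the locked-out MAC is dropped,
        # regardless of ingress port or VLAN.
        if f.src in self.lockout or f.dst in self.lockout:
            return "DROP:lockout"
        # Lockdown: a frame claiming a locked-down source MAC must arrive on
        # the port it is bound to; anything else is a hijack attempt.
        if f.src in self.lockdown and self.lockdown[f.src] != f.ingress_port:
            return "DROP:lockdown-src-port-mismatch"
        # Lockdown: traffic to the locked-down MAC goes only to its bound port.
        if f.dst in self.lockdown:
            return self.lockdown[f.dst]
        # Otherwise behave like a normal learning switch.
        self.learned[f.src] = f.ingress_port
        return self.learned.get(f.dst, "FLOOD")


# Constructed addresses for the scenario below.
SERVER_MAC = "00:11:22:33:44:55"
CLIENT_MAC = "aa:bb:cc:dd:ee:01"
BAD_MAC = "de:ad:be:ef:00:01"


def edge_switch() -> Switch:
    """Edge switch with the server locked down to port 1 and BAD_MAC locked out."""
    sw = Switch("edge-1")
    sw.lockdown[SERVER_MAC] = "1"
    sw.lockout.add(BAD_MAC)
    return sw


def core_switch() -> Switch:
    """Core switch with no lockdown or lockout configured (the caution case)."""
    sw = Switch("core-1")
    sw.learned[CLIENT_MAC] = "2"  # client already learned on port 2
    return sw


def scenario() -> dict:
    """Run representative frames through both switches and collect the results."""
    edge, core = edge_switch(), core_switch()
    results = {}
    # Legitimate client traffic to the server is delivered only to port 1.
    results["client_to_server"] = edge.forward(Frame(CLIENT_MAC, SERVER_MAC, "7", 10))
    # A station on port 5 claiming the server's MAC is dropped by lockdown.
    results["spoof_on_edge"] = edge.forward(Frame(SERVER_MAC, CLIENT_MAC, "5", 10))
    # The locked-out MAC is dropped whichever port or VLAN it appears on,
    # whether it is the source or the destination.
    results["lockout_vlan10"] = edge.forward(Frame(BAD_MAC, CLIENT_MAC, "3", 10))
    results["lockout_vlan20"] = edge.forward(Frame(CLIENT_MAC, BAD_MAC, "8", 20))
    # The same spoof on the core switch, which has no lockdown, is simply
    # learned and forwarded: lockdown must be configured on every switch.
    results["spoof_in_core"] = core.forward(Frame(SERVER_MAC, CLIENT_MAC, "12", 10))
    # Lockout is per switch too: the core switch does not know about BAD_MAC.
    results["lockout_in_core"] = core.forward(Frame(BAD_MAC, CLIENT_MAC, "3", 10))
    return results


if __name__ == "__main__":
    for case, outcome in scenario().items():
        print(f"{case:18} -> {outcome}")
```

Note that the model treats a source-port mismatch as a drop and a locked-out MAC as a drop on any VLAN; both checks run before the normal learning step, so a spoofed or locked-out address never enters the address table. The two "in_core" results are what the caution and the last sentence above are warning about.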
