Configuring and Monitoring Port Security

MAC Lockout

MAC Lockout overrides MAC Lockdown, port security, and 802.1X authentication.

You cannot use MAC Lockout to lock:

Broadcast or Multicast Addresses (Switches do not learn these)

Switch Agents (The switch’s own MAC Address)

There are limits on the number of VLANs and Lockout MACs that can be configured concurrently, because both consume MAC table entries. The limits are shown below.

Table 11-10. Limits on Lockout MACs

    # VLANs        # Lockout MACs
    <= 1024        16
    1025-2048      8

If someone using a locked-out MAC address tries to send data through the switch, a message is generated in the log file:

Lockout logging format:

W 10/30/03 21:35:15 maclock: module A: 0001e6-1f96c0 detected on port A15

W 10/30/03 21:35:18 maclock: module A: 0001e6-1f96c0 detected on port A15

W 10/30/03 21:35:18 maclock: module A: Ceasing lock-out logs for 5m

As with MAC Lockdown, a rate-limiting algorithm is applied to the log file so that it does not become clogged with error messages. (Refer to “Limiting the Frequency of Log Messages” on page 11-25.)
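The following parser is an added example, not part of the switch documentation, showing how a collector or SIEM pre-processor might turn the maclock log lines above into structured events. The line format follows the samples on this page (both the "W10/30/03" and "W 10/30/03" spellings are accepted); the sample log, the LockoutEvent fields and the summarize() helper are constructed for the example. Because the switch stops logging for a period once rate limiting kicks in ("Ceasing lock-out logs for 5m"), the per-MAC counts it produces are a lower bound, and the summary flags that suppression was seen.

```python
"""Parse ProCurve MAC Lockout (maclock) log lines into structured events.

Added example: not the switch vendor's code. Format is taken from the
documentation page; sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Header common to every maclock line: severity letter, date, time, module.
# "\s*" after the severity accepts both "W10/30/03" and "W 10/30/03".
_LINE = re.compile(
    r"^(?P<sev>[A-Z])\s*(?P<date>\d{2}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"maclock:\s+module\s+(?P<module>[^:\s]+):\s+(?P<msg>.*)$"
)
# Message bodies: a locked-out MAC seen on a port, or the rate-limit notice.
_DETECT = re.compile(
    r"^(?P<mac>[0-9a-f]{6}-[0-9a-f]{6})\s+detected on port\s+(?P<port>\S+)$", re.I
)
_CEASE = re.compile(r"^Ceasing lock-out logs for\s+(?P<duration>\S+)$", re.I)


@dataclass
class LockoutEvent:
    severity: str
    timestamp: str            # "MM/DD/YY HH:MM:SS" exactly as the switch logged it
    module: str
    kind: str                 # "detected" or "suppressed"
    mac: Optional[str] = None
    port: Optional[str] = None
    duration: Optional[str] = None


def parse_line(line: str) -> Optional[LockoutEvent]:
    """Return a LockoutEvent for a maclock line, or None for any other log line."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    base = dict(severity=m["sev"], timestamp=f"{m['date']} {m['time']}", module=m["module"])
    d = _DETECT.match(m["msg"])
    if d:
        return LockoutEvent(kind="detected", mac=d["mac"].lower(), port=d["port"], **base)
    c = _CEASE.match(m["msg"])
    if c:
        return LockoutEvent(kind="suppressed", duration=c["duration"], **base)
    return None


def summarize(lines: Iterable[str]) -> Tuple[Dict[Tuple[str, str], int], bool]:
    """Count detections per (mac, port) and report whether logging was suppressed.

    When suppressed is True the counts are a lower bound: the switch stopped
    writing lock-out messages for the stated period.
    """
    counts: Dict[Tuple[str, str], int] = {}
    suppressed = False
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev.kind == "detected":
            key = (ev.mac, ev.port)
            counts[key] = counts.get(key, 0) + 1
        elif ev.kind == "suppressed":
            suppressed = True
    return counts, suppressed


# Constructed sample log: the three lines from the documentation plus one
# unrelated line that the parser must ignore.
SAMPLE_LOG: List[str] = [
    "W10/30/03 21:35:15 maclock: module A: 0001e6-1f96c0 detected on port A15",
    "W 10/30/03 21:35:18 maclock: module A: 0001e6-1f96c0 detected on port A15",
    "I 10/30/03 21:35:18 ports: port A1 is now on-line",
    "W 10/30/03 21:35:18 maclock: module A: Ceasing lock-out logs for 5m",
]

if __name__ == "__main__":
    counts, suppressed = summarize(SAMPLE_LOG)
    for (mac, port), n in counts.items():
        print(f"{mac} on {port}: {n} detection(s){' (rate-limited, lower bound)' if suppressed else ''}")
```

Feeding the switch's syslog stream through summarize() gives a per-MAC, per-port tally that can drive an alert; treat any tally accompanied by a suppression notice as "at least this many", not an exact count.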

11-28