14-26
Configuring and Monitoring Port Security
MAC Lockdown
MAC Lockdown Operating Notes
Limits.
There is a limit of 500 MAC Lockdowns that you can safely code per
switch. To truly lock down a MAC address it would be necessary to use the
MAC Lockdown command for every MAC Address and VLAN ID on every
switch. In reality few network administrators will go to this length, but it is
important to note that just because you have locked down the MAC address
and VID for a single switch, the device (or a hacker “spoofing” the MAC
address for the device) may still be able to use another switch which hasn’t
been locked down.
Event Log Messages.
If someone using a locked down MAC address is
attempting to communicate using the wrong port the “move attempt” gener-
ates messages in the log file similar to this:
Move attempt (lockdown) logging:
W 10/30/03 21:33:43 maclock: module A: Move 0001e6-1f96c0
to A15 denied
W 10/30/03 21:33:48 maclock: module A: Move 0001e6-1f96c0
to A15 denied
W 10/30/03 21:33:48 maclock: module A: Ceasing move-denied
logs for 5m
These messages in the log file can be useful for troubleshooting problems. If
you are trying to connect a device which has been locked down to the wrong
port, it will not work but it will generate error messages like this to help you
determine the problem.
Limiting the Frequency of Log Messages.
The first move attempt (or
intrusion) is logged as you see in the example above. Subsequent move
attempts send a message to the log file also, but message throttling is imposed
on the logging on a per-module basis. What this means is that the logging
system checks again after the first 5 minutes to see if another attempt has been
made to move to the wrong port. If this is the case the log file registers the
most recent attempt and then checks again after one hour. If there are no
further attempts in that period then it will continue to check every 5 minutes.
If another attempt was made during the one hour period then the log resets
itself to check once a day. The purpose of rate-limiting the log messaging is to
prevent the log file from becoming too full. You can also configure the switch
to send the same messages to a Syslog server. Refer to “Debug and Syslog
Messaging Operation” in appendix C of the
Management and Configuration
Guide
for your switch.
Содержание E3800 Series
Страница 1: ...HP Switch Software E3800 switches Software version KA 15 03 September 2011 Access Security Guide ...
Страница 2: ......
Страница 3: ...HP Networking E3800 Switches Access Security Guide September 2011 KA 15 03 ...
Страница 30: ...xxviii ...
Страница 86: ...2 36 Configuring Username and Password Security Password Recovery ...
Страница 186: ...4 72 Web and MAC Authentication Client Status ...
Страница 290: ...6 74 RADIUS Authentication Authorization and Accounting Dynamic Removal of Authentication Limits ...
Страница 364: ...8 32 Configuring Secure Shell SSH Messages Related to SSH Operation ...
Страница 510: ...10 130 IPv4 Access Control Lists ACLs General ACL Operating Notes ...
Страница 548: ...11 38 Configuring Advanced Threat Protection Using the Instrumentation Monitor ...
Страница 572: ...12 24 Traffic Security Filters and Monitors Configuring Traffic Security Filters ...
Страница 659: ...14 11 Configuring and Monitoring Port Security Port Security Figure 14 5 Examples of Show Mac Address Outputs ...
Страница 730: ...20 Index ...
Страница 731: ......