WISEKUMASearching knowledge on IT and languages

MAC lock configuration on Enterasys switches   Filed Under: Networks

Introduction

The purpose of MAC lock as you probably will know is to block the connection of unauthorized devices like switches or hubs by monitoring the source mac address flowing through the port and blocking any traffic whose mac address is not the same as the one currently recorded in the port of the switch.

Normally MAC lock is configured only on the access ports as in those ports are where users connect and where there is the high risk of someone connecting an unwanted device to the network.

Configuration

First we will configure the ports to record the MAC address that they have first seen and how many it should allow through. Normally users PCs will only need one but if you are running virtual machines you may need to allow more than one.

set maclock firstarrival port-range “number of mac addresses to allow”

For example:

set maclock firstarrival fe.1.1-40 1

After that we will configure aging on the records that the switch holds so they are cleared up after the user unplugs a PC from the port.

set maclock agefirstarrival port-range enable

For example

set maclock agefirstarrival fe.1.1-40 enable

Now we will setup the alerting so in case that an event is triggered, the alert is sent to syslog and also generates a SNMP trap.

set maclock trap port-range enable
set maclock syslog port-range enable

For example

set maclock trap fe.1.1-40 enable
set maclock syslog fe.1.1-40 enable

At the end we just need to enable maclock in each of the ports of the switch.

set maclock enable port-range

For example

set maclock enable fe.1.1-40

At this point the commands are all in place but we need to enable maclock generally to the switch to make the MAC lock configuration work.

set maclock enable

Check information output

show maclock

Display the status of MAC locking in the switch ports.

show maclock

MAC locking is globally enabled.

Port     Port     Trap     Syslog   Aging    Max    Max First Last Violating
Number   Status   Status   Status   Status   Static Arrival   MAC Address
-------- -------- -------- -------- -------- ------ --------- -----------------
fe.1.1   enabled  enabled  enabled  enabled  64     1         00-00-00-00-00-00
fe.1.2   enabled  enabled  enabled  enabled  64     1         00-00-00-00-00-00
fe.1.3   enabled  enabled  enabled  enabled  64     1         00-12-3f-bd-68-9b
fe.1.4   enabled  enabled  enabled  enabled  64     1         00-00-00-00-00-00

show maclock stations

This will display the current mac address that has being recorded and how they have being learned.

show maclock stations

Port Number   MAC Address            Status            State            Aging
-----------   -----------------      -------------     -------------    -----
fe.1.1        00-0f-1f-73-0e-80      active            first arrival    true
fe.1.2        00-12-3f-97-08-a0      active            first arrival    true
fe.1.5        00-23-7d-3f-98-09      active            first arrival    true
fe.1.6        00-22-64-16-82-80      active            first arrival    true
fe.1.8        00-1b-24-54-5d-42      active            first arrival    true

Tags: enterasys, mac lock, network