MAC lock configuration on Enterasys switches
Introduction
The purpose of MAC lock, as you probably know, is to block the connection of unauthorized devices such as switches or hubs. The switch monitors the source MAC address of the frames arriving on a port and drops any traffic whose source MAC address is not the one currently recorded for that port.
Normally MAC lock is configured only on access ports, since those are the ports where users connect and where the risk of someone plugging an unwanted device into the network is highest.
Configuration
First we configure the ports to record the MAC address they see first, and how many addresses they should allow through. A user's PC normally needs only one, but if the user runs virtual machines you may need to allow more than one.
set maclock firstarrival port-range "number of MAC addresses to allow"
For example:
set maclock firstarrival fe.1.1-40 1
Next we enable aging on the first-arrival records the switch holds, so they are cleared after the user unplugs a PC from the port.
set maclock agefirstarrival port-range enable
For example:
set maclock agefirstarrival fe.1.1-40 enable
Now we set up alerting, so that when a violation is triggered the event is sent to syslog and an SNMP trap is generated.
set maclock trap port-range enable
set maclock syslog port-range enable
For example:
set maclock trap fe.1.1-40 enable
set maclock syslog fe.1.1-40 enable
Then we enable MAC lock on each of the access ports of the switch.
set maclock enable port-range
For example:
set maclock enable fe.1.1-40
At this point the per-port commands are in place, but MAC lock must also be enabled globally on the switch before any of the port configuration takes effect.
set maclock enable
Check information output
show maclock
Displays the status of MAC locking on the switch ports.
show maclock
MAC locking is globally enabled.
Port     Port     Trap     Syslog   Aging    Max    Max First Last Violating
Number   Status   Status   Status   Status   Static Arrival   MAC Address
-------- -------- -------- -------- -------- ------ --------- -----------------
fe.1.1   enabled  enabled  enabled  enabled  64     1         00-00-00-00-00-00
fe.1.2   enabled  enabled  enabled  enabled  64     1         00-00-00-00-00-00
fe.1.3   enabled  enabled  enabled  enabled  64     1         00-12-3f-bd-68-9b
fe.1.4   enabled  enabled  enabled  enabled  64     1         00-00-00-00-00-00
show maclock stations
This displays the MAC addresses currently recorded on each port and how they were learned.
show maclock stations
Port Number MAC Address       Status        State         Aging
----------- ----------------- ------------- ------------- -----
fe.1.1      00-0f-1f-73-0e-80 active        first arrival true
fe.1.2      00-12-3f-97-08-a0 active        first arrival true
fe.1.5      00-23-7d-3f-98-09 active        first arrival true
fe.1.6      00-22-64-16-82-80 active        first arrival true
fe.1.8      00-1b-24-54-5d-42 active        first arrival true
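The two show commands above are what you would read when checking that the lock is actually in force and whether anything has been blocked. As an added example that is not part of the original post, the Python script below parses both outputs and reports drift (MAC lock, trap, syslog or aging disabled on a port, or MAC lock not enabled globally) together with any port whose Last Violating MAC Address is non-zero, pairing it with the station locked on that port. The sample text is constructed in the same layout as the post's tables; fe.1.4's trap status has been changed to "disabled" and the station list trimmed to the ports in the status table so the audit has something to show.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the layout of `show maclock` (fe.1.4 trap set to disabled on purpose).
SHOW_MACLOCK = """\
MAC locking is globally enabled.
Port     Port     Trap     Syslog   Aging    Max    Max First Last Violating
Number   Status   Status   Status   Status   Static Arrival   MAC Address
-------- -------- -------- -------- -------- ------ --------- -----------------
fe.1.1   enabled  enabled  enabled  enabled  64     1         00-00-00-00-00-00
fe.1.2   enabled  enabled  enabled  enabled  64     1         00-00-00-00-00-00
fe.1.3   enabled  enabled  enabled  enabled  64     1         00-12-3f-bd-68-9b
fe.1.4   enabled  disabled enabled  enabled  64     1         00-00-00-00-00-00
"""

# Constructed sample in the layout of `show maclock stations`.
SHOW_STATIONS = """\
Port Number MAC Address       Status        State         Aging
----------- ----------------- ------------- ------------- -----
fe.1.1      00-0f-1f-73-0e-80 active        first arrival true
fe.1.2      00-12-3f-97-08-a0 active        first arrival true
fe.1.3      00-23-7d-3f-98-09 active        first arrival true
"""

NO_VIOLATION = "00-00-00-00-00-00"  # the switch shows all zeros when nothing was ever blocked
MAC = r"[0-9a-f]{2}(?:-[0-9a-f]{2}){5}"
STATE = r"(enabled|disabled)"

# One data row of `show maclock`: port, four status columns, two counters, last violating MAC.
PORT_ROW = re.compile(
    rf"^(\S+)\s+{STATE}\s+{STATE}\s+{STATE}\s+{STATE}\s+(\d+)\s+(\d+)\s+({MAC})\s*$",
    re.IGNORECASE,
)
# One data row of `show maclock stations`; the State column may contain a space ("first arrival").
STATION_ROW = re.compile(rf"^(\S+)\s+({MAC})\s+(\S+)\s+(.+?)\s+(true|false)\s*$", re.IGNORECASE)


@dataclass
class PortLock:
    port: str
    port_status: str
    trap: str
    syslog: str
    aging: str
    max_static: int
    max_first_arrival: int
    last_violating: str


@dataclass
class Station:
    port: str
    mac: str
    status: str
    state: str
    aging: bool


def parse_maclock(text: str) -> Tuple[bool, Dict[str, PortLock]]:
    """Return (globally_enabled, {port: PortLock}) from `show maclock` output."""
    globally_enabled = "MAC locking is globally enabled" in text
    ports: Dict[str, PortLock] = {}
    for line in text.splitlines():
        m = PORT_ROW.match(line.strip())
        if m:  # header and dashed-separator lines do not match the row pattern
            p = PortLock(m[1], m[2].lower(), m[3].lower(), m[4].lower(), m[5].lower(),
                         int(m[6]), int(m[7]), m[8].lower())
            ports[p.port] = p
    return globally_enabled, ports


def parse_stations(text: str) -> List[Station]:
    """Return the stations recorded by `show maclock stations`."""
    out: List[Station] = []
    for line in text.splitlines():
        m = STATION_ROW.match(line.strip())
        if m:
            out.append(Station(m[1], m[2].lower(), m[3].lower(), m[4].lower(), m[5].lower() == "true"))
    return out


def audit(maclock_text: str, stations_text: str) -> List[str]:
    """Flag disabled settings and recorded violations; returns one finding per line."""
    findings: List[str] = []
    globally_enabled, ports = parse_maclock(maclock_text)
    if not globally_enabled:
        findings.append("global: MAC locking is not globally enabled; per-port settings are inactive")
    learned: Dict[str, List[str]] = {}
    for s in parse_stations(stations_text):
        learned.setdefault(s.port, []).append(s.mac)
    for p in ports.values():  # output order of the switch is kept
        for label, value in (("maclock", p.port_status), ("trap", p.trap),
                             ("syslog", p.syslog), ("aging", p.aging)):
            if value != "enabled":
                findings.append(f"{p.port}: {label} is {value}")
        if p.last_violating != NO_VIOLATION:
            locked = ", ".join(learned.get(p.port, [])) or "none"
            findings.append(f"{p.port}: violation recorded from {p.last_violating} "
                            f"(locked station: {locked})")
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_MACLOCK, SHOW_STATIONS):
        print(finding)
```

Run it with the output of the two show commands pasted into the two strings (or read from files); an empty findings list means every listed port has MAC lock, trap, syslog and aging enabled, the global switch is on, and no port has blocked a frame since its counter was last cleared.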
Tags: enterasys, mac lock, network
Alberto Diaz, 5 Feb 2010 8:24 PM