Cabletron Systems EMM-E6 User Manual

Security
Enabling Security and Traps
transmitted clean to all ports on that channel unless security has been enabled 
there, too. Packets bridged to Channel A will always be transmitted clean to all 
ports, regardless of lock status; however, careful bridge configuration and 
prudent use of each port’s forwarding and blocking abilities can provide some 
measure of security in this case.
Security must be disabled on any port which is connected to an external bridge, 
or the bridge will discard all packets it receives as error packets (since the CRC 
is not recalculated after a packet is scrambled). 
Security should also be disabled on any port which is supporting a trunk 
connection, unless you are sure that no more than 34 source addresses will 
attempt to use the port, and you have secured all necessary addresses. Note 
that, with the newest versions of security, a LANVIEWSECURE port that sees 
more than 35 addresses in its Source Address table (or exactly 35 addresses for 
two consecutive aging intervals) is considered unsecurable and cannot be 
locked.
Full security should not be implemented on any port which supports a name 
server or a bootp server, as those devices would not receive the broadcast and 
multicast messages they are designed to respond to (partial security — which 
does not scramble broadcasts or multicasts — will not affect their operation). 
Note that users who require responses to broadcast or multicast requests can 
still operate successfully if their ports are fully secured, as the reply to a 
broadcast has a single, specific destination address.
In general, scrambling is most effective when employed in a single chassis which 
contains only LANVIEWSECURE MIMs operating on channels B and/or C; 
remember, non-LANVIEWSECURE MIMs and any ports operating on Channel A do 
not support scrambling as part of their security functionality.
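The port guidance above, written as a planning check over a port inventory. This is an added example, not part of the Cabletron manual; the field names, the setting labels ("disabled", "no-scramble", "partial", "full") and the sample inventory are this example's own assumptions.

```python
from dataclasses import dataclass

MAX_TRUNK_SOURCES = 34  # trunk guidance: "no more than 34 source addresses"
UNSECURABLE_AT = 35     # more than 35 entries, or exactly 35 for two aging intervals

@dataclass
class Port:             # hypothetical inventory record, not a device data structure
    name: str
    channel: str        # "A", "B" or "C"
    lanview_secure: bool  # port sits on a LANVIEWSECURE MIM
    role: str           # station, external_bridge, trunk, name_server, bootp_server
    source_addresses: int = 1   # entries in the Source Address table
    intervals_at_35: int = 0    # consecutive aging intervals with exactly 35 entries
    all_secured: bool = True    # every needed address has been secured

def lockable(p):
    """False when the port meets the manual's 'unsecurable' condition."""
    if p.source_addresses > UNSECURABLE_AT:
        return False
    return not (p.source_addresses == UNSECURABLE_AT and p.intervals_at_35 >= 2)

def recommend(p):
    """Return (setting, reason) for one port, checking the rules in the text's order."""
    if p.role == "external_bridge":
        return "disabled", "bridge drops scrambled packets (CRC is not recalculated)"
    if not lockable(p):
        return "disabled", "port is unsecurable and cannot be locked"
    if p.role == "trunk" and not (p.source_addresses <= MAX_TRUNK_SOURCES and p.all_secured):
        return "disabled", "trunk may exceed 34 sources or has unsecured addresses"
    if not (p.lanview_secure and p.channel in ("B", "C")):
        return "no-scramble", "Channel A or non-LANVIEWSECURE port: no scrambling"
    if p.role in ("name_server", "bootp_server"):
        return "partial", "server must keep receiving broadcasts and multicasts"
    return "full", "station traffic: replies to broadcasts are unicast"

def plan(inventory):
    """Map each port name to its recommended setting."""
    return {p.name: recommend(p)[0] for p in inventory}

# Constructed sample inventory for illustration only.
SAMPLE = [
    Port("1/1", "B", True, "station"),
    Port("1/2", "B", True, "bootp_server"),
    Port("1/3", "C", True, "external_bridge"),
    Port("1/4", "B", True, "trunk", source_addresses=35),
    Port("1/5", "A", True, "station"),
    Port("1/6", "C", True, "station", source_addresses=35, intervals_at_35=2),
]

if __name__ == "__main__":
    for port in SAMPLE:
        print(port.name, *recommend(port))
```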
Enabling Security and Traps
You can enable or disable all applicable protections by locking or unlocking ports 
via the repeater, module, or port Security window, as described in the sections 
below. There are two levels of lock status to choose from: if you select Full lock 
status, the port will stop learning new source addresses, accept packets only from 
secured source addresses, employ either full or partial eavesdrop protection (as 
configured), and take the configured steps (send trap and/or disable port) if a 
violation occurs; if you select Continuous lock status, the port will implement the 
configured level of eavesdrop protection, but continue to learn source addresses 
and allow all packets to pass, effectively disabling intruder protection.
Enabling and disabling traps from the Security windows has the same effect as 
enabling and disabling them from the Source Address windows; you can enable 
and disable the following traps: