HP (Hewlett-Packard) 2650 (J4899A/B) ユーザーズマニュアル
9-20
Configuring and Monitoring Port Security
MAC Lockdown
MAC Lockdown
MAC Lockdown Operating Notes
Limits.
There is a limit of 500 MAC Lockdowns that you can safely code per
switch. To truly lock down a MAC address it would be necessary to use the
MAC Lockdown command for every MAC Address and VLAN ID on every
switch. In reality few network administrators will go to this length, but it is
important to note that just because you have locked down the MAC address
and VID for a single switch, the device (or a hacker “spoofing” the MAC
address for the device) may still be able to use another switch which hasn’t
been locked down.
MAC Lockdown command for every MAC Address and VLAN ID on every
switch. In reality few network administrators will go to this length, but it is
important to note that just because you have locked down the MAC address
and VID for a single switch, the device (or a hacker “spoofing” the MAC
address for the device) may still be able to use another switch which hasn’t
been locked down.
Event Log Messages.
If someone using a locked down MAC address is
attempting to communicate using the wrong port the “move attempt” gener-
ates messages in the log file like this:
ates messages in the log file like this:
Move attempt (lockdown) logging:
W 10/30/03 21:33:43 maclock: module A: Move 0001e6-1f96c0
to A15 denied
W 10/30/03 21:33:48 maclock: module A: Move 0001e6-1f96c0
to A15 denied
W 10/30/03 21:33:48 maclock: module A: Ceasing move-denied
logs for 5m
These messages in the log file can be useful for troubleshooting problems. If
you are trying to connect a device which has been locked down to the wrong
port, it will not work but it will generate error messages like this to help you
determine the problem.
you are trying to connect a device which has been locked down to the wrong
port, it will not work but it will generate error messages like this to help you
determine the problem.
Limiting the Frequency of Log Messages.
The first move attempt (or
intrusion) is logged as you see in the example above. Subsequent move
attempts send a message to the log file also, but message throttling is imposed
on the logging on a per-module basis. What this means is that the logging
system checks again after the first 5 minutes to see if another attempt has been
made to move to the wrong port. If this is the case the log file registers the
most recent attempt and then checks again after one hour. If there are no
further attempts in that period then it will continue to check every 5 minutes.
If another attempt was made during the one hour period then the log resets
itself to check once a day. The purpose of rate-limiting the log messaging is to
prevent the log file from becoming too full. You can also configure the switch
to send the same messages to a Syslog server. Refer to “Debug and Syslog
Messaging Operation” in appendix C of the Management and Configuration
Guide
attempts send a message to the log file also, but message throttling is imposed
on the logging on a per-module basis. What this means is that the logging
system checks again after the first 5 minutes to see if another attempt has been
made to move to the wrong port. If this is the case the log file registers the
most recent attempt and then checks again after one hour. If there are no
further attempts in that period then it will continue to check every 5 minutes.
If another attempt was made during the one hour period then the log resets
itself to check once a day. The purpose of rate-limiting the log messaging is to
prevent the log file from becoming too full. You can also configure the switch
to send the same messages to a Syslog server. Refer to “Debug and Syslog
Messaging Operation” in appendix C of the Management and Configuration
Guide
for your switch.