9-21
Configuring and Monitoring Port Security
MAC Lockdown
These messages in the log file can be useful for troubleshooting problems. If
you are trying to connect a device which has been locked down to the wrong
port, it will not work but it will generate error messages like this to help you
determine the problem.
Limiting the Frequency of Log Messages. The first move attempt (or
intrusion) is logged as you see in the example above. Subsequent move
attempts send a message to the log file also, but message throttling is imposed
on the logging on a per-module basis. What this means is that the logging
system checks again after the first 5 minutes to see if another attempt has been
made to move to the wrong port. If this is the case the log file registers the
most recent attempt and then checks again after one hour. If there are no
further attempts in that period then it will continue to check every 5 minutes.
If another attempt was made during the one hour period then the log resets
itself to check once a day. The purpose of rate-limiting the log messaging is to
prevent the log file from becoming too full. You can also configure the switch
to send the same messages to a Syslog server. Refer to “Debug and Syslog
Messaging Operation” in appendix C of the Management and Configuration
Guide for your switch.
Deploying MAC Lockdown
When you deploy MAC Lockdown you need to consider how you use it within
your network topology to ensure security. In some cases where you are using
techniques such as Spanning Tree Protocol (STP) to speed up network
performance by providing multiple paths for devices, using MAC Lockdown
either will not work or else it defeats the purpose of having multiple data paths.
The purpose of using MAC Lockdown is to prevent a malicious user from
“hijacking” an approved MAC address so they can steal data traffic being sent
to that address.
As we have seen, MAC Lockdown can help prevent this type of hijacking by
making sure that all traffic to a specific MAC address goes only to the proper
port on a switch which is supposed to be connected to the real device bearing
that MAC address.
However, you can run into trouble if you incorrectly try to deploy MAC
Lockdown in a network that uses multiple path technology, like Spanning
Tree.
Let’s examine a good use of MAC Lockdown within a network to ensure
security first.
To Next Page
Loading...
Need help?
General
