Access Security Guide K/KA/KB.15.15

Total number of MAC addresses   Number of MAC lockout addresses   VLANs configured
16,384                          16                                257-1024
16,384                          8                                 1025-2048
There are limits for the number of VLANs, Multicast Filters, and Lockout MACs that can be
configured concurrently, because all of them use MAC table entries. The limits are shown below.
Table 42 Limits on Lockout MACs
# Lockout MACs   # Multicast filters   # VLANs
16               16                    <=1024
8                8                     1025-2048
If someone using a locked-out MAC address tries to send data through the switch, a message is
generated in the log file:
Lockout logging format:
W 10/30/03 21:35:15 maclock: module A: 0001e6-1f96c0 detected on port A15
W 10/30/03 21:35:18 maclock: module A: 0001e6-1f96c0 detected on port A15
W 10/30/03 21:35:18 maclock: module A: Ceasing lock-out logs for 5m
As with MAC Lockdown, a rate-limiting algorithm is applied to the log file so that it does not become
clogged with repeated messages. See “Limiting the frequency of log messages” (page 404).
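As an added example (not from the guide), the following Python parses the two maclock message shapes shown above and records the "Ceasing lock-out logs" windows, so that a log collector treats detection counts from those windows as a lower bound rather than reading a quiet log as the locked-out device going silent. The field names, the fourth sample line and port A16 are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Patterns for the two maclock message shapes in the guide (field names are ours; the
# line layout is copied from the sample log lines).
_PREFIX = r"^(?P<sev>[A-Z]) (?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) maclock: module (?P<module>\S+): "
DETECT_RE = re.compile(_PREFIX + r"(?P<mac>[0-9a-f]{6}-[0-9a-f]{6}) detected on port (?P<port>\S+)$")
CEASE_RE = re.compile(_PREFIX + r"Ceasing lock-out logs for (?P<mins>\d+)m$")

# Constructed sample: the three lines from the guide plus one extra hit after the window ends.
SAMPLE_LOG = [
    "W 10/30/03 21:35:15 maclock: module A: 0001e6-1f96c0 detected on port A15",
    "W 10/30/03 21:35:18 maclock: module A: 0001e6-1f96c0 detected on port A15",
    "W 10/30/03 21:35:18 maclock: module A: Ceasing lock-out logs for 5m",
    "W 10/30/03 21:41:02 maclock: module A: 0001e6-1f96c0 detected on port A16",
]

def parse_ts(date, time):
    # Switch timestamps are MM/DD/YY HH:MM:SS with no timezone; treated as naive local time.
    return datetime.strptime(f"{date} {time}", "%m/%d/%y %H:%M:%S")

def summarize_maclock(lines):
    """Count logged detections per (MAC, port) and collect the windows in which the
    switch stopped logging, so an analyst knows those counts are a lower bound."""
    hits = {}        # (mac, port) -> number of *logged* detections
    suppressed = []  # (module, window_start, window_end) where further hits were not logged
    for line in lines:
        m = DETECT_RE.match(line)
        if m:
            key = (m["mac"], m["port"])
            hits[key] = hits.get(key, 0) + 1
            continue
        c = CEASE_RE.match(line)
        if c:
            start = parse_ts(c["date"], c["time"])
            suppressed.append((c["module"], start, start + timedelta(minutes=int(c["mins"]))))
    return hits, suppressed

def logging_was_suppressed(suppressed, module, when):
    """True if 'when' falls inside a ceasing window for this module: a quiet log at that
    time does not mean the locked-out device stopped transmitting."""
    return any(mod == module and start <= when < end for mod, start, end in suppressed)

if __name__ == "__main__":
    hits, windows = summarize_maclock(SAMPLE_LOG)
    for (mac, port), n in hits.items():
        print(f"{mac} on port {port}: {n} logged detection(s)")
    for mod, start, end in windows:
        print(f"module {mod}: lock-out logging suppressed {start} to {end}")
```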
Port security and MAC Lockout
MAC Lockout is independent of port-security and in fact will override it. MAC Lockout is preferable
to port-security to stop access from known devices because it can be configured for all ports on
the switch with one command.
It is possible to use MAC Lockout in conjunction with port-security. You can use MAC Lockout to
lock out a single address—deny access to a specific device—but still allow the switch some flexibility
in learning other MAC Addresses. Be careful if you use both together, however:
• If a MAC address is locked out and appears in a static learn table in port-security, the apparently "authorized" address will still be locked out anyway.
• MAC entry configurations set by port security will be kept even if MAC Lockout is configured, and the original port security settings will be honored once the Lockout is removed.
• A port security static address is permitted to be a lockout address. In that case (MAC Lockout), the address will be locked out (SA/DA drop) even though it's an "authorized" address from the perspective of port security.
• When MAC Lockout entries are deleted, port security will then re-learn the address as needed later on.
Reading intrusion alerts and resetting alert flags
Notice of security violations
When the switch detects an intrusion on a port, it sets an "alert flag" for that port and makes the
intrusion information available as described below. While the switch can detect additional intrusions
for the same port, it does not list the next chronological intrusion for that port in the Intrusion Log
until the alert flag for that port has been reset.
408 Port Security