Configuration Guide User guide
574 FastIron Configuration Guide
53-1002494-02
Locking a port to restrict addresses
Address-lock filters allow you to limit the number of devices that have access to a specific port.
Access violations are reported as SNMP traps. This feature is disabled by default. A maximum of
2048 entries can be specified for access. The default address count is eight.
Lock address configuration notes
• Static trunk ports and link-aggregation configured ports do not support the lock-address
option.
• The MAC port security feature is a more robust version of this feature. Refer to “MAC port
security configuration” on page 1839.
Lock address command syntax
To enable address locking for port 2 and place a limit of 15 entries, enter a command such as the
following.
Brocade(config)#lock e 2 addr 15
Syntax: lock-address ethernet <port> [addr-count <num>]
Specify the port variable in one of the following formats:
• FWS, FCX, and ICX stackable switches – stack-unit/slotnum/portnum
• FSX 800 and FSX 1600 chassis devices – slotnum/portnum
• ICX devices – slotnum/portnum
• FESX compact switches – portnum
The <num> parameter is a value from 1 – 2048.
Monitoring MAC address movement
MAC address movement notification allows you to monitor the movement of MAC addresses that
migrate from port to port. It enables you to distinguish between legitimate movement and malicious
movement by allowing you to define malicious use as a threshold number of times a MAC address
moves within a specific interval.
Malicious use typically involves many MAC address moves, while legitimate use usually involves a
single move. Malicious movement is often the result of MAC address spoofing, in which a malicious
user masquerades as a legitimate user by changing his own MAC address to that of a legitimate
user. As a result, the MAC address moves back and forth between the ports where the legitimate
and malicious users are connected. A legitimate use might be to spoof the MAC address of a failed
device in order to continue access using a different device.
You can monitor MAC address movements in the following ways:
• Threshold-rate notifications allow you to configure the maximum number of movements over a
specified interval for each MAC address before a notification is sent. For example, you could
define the malicious move rate as three moves every 30 seconds.
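The threshold-rate check described above, as an added example that is not FastIron code: a sliding-window counter over constructed MAC-move log lines that flags a MAC after three moves within 30 seconds, while a MAC whose moves are spread further apart than the interval is never flagged. The log line format, MacMoveMonitor and detect_malicious_moves are assumptions made for this example.

```python
import re
from collections import defaultdict, deque

# Constructed sample MAC-move events (line format is an assumption, not FastIron syslog)
SAMPLE_LOG = """\
t=0 mac=0000.1111.2222 from=1/1/1 to=1/1/2
t=0 mac=0000.cccc.dddd from=1/1/7 to=1/1/8
t=3 mac=0000.aaaa.bbbb from=1/1/5 to=1/1/6
t=5 mac=0000.1111.2222 from=1/1/2 to=1/1/1
t=12 mac=0000.1111.2222 from=1/1/1 to=1/1/2
t=20 mac=0000.cccc.dddd from=1/1/8 to=1/1/7
t=35 mac=0000.cccc.dddd from=1/1/7 to=1/1/8
t=40 mac=0000.1111.2222 from=1/1/2 to=1/1/1
t=60 mac=0000.cccc.dddd from=1/1/8 to=1/1/7
"""
LINE_RE = re.compile(r"t=(\d+) mac=(\S+) from=(\S+) to=(\S+)")

class MacMoveMonitor:
    """Flag a MAC that moves `threshold` times within any `interval`-second window."""

    def __init__(self, threshold=3, interval=30):
        self.threshold = threshold
        self.interval = interval
        self.moves = defaultdict(deque)  # mac -> timestamps of its recent moves

    def record_move(self, ts, mac):
        """Return True when this move pushes `mac` over the configured rate."""
        window = self.moves[mac]
        while window and ts - window[0] >= self.interval:
            window.popleft()  # age out moves that left the sliding interval
        window.append(ts)
        if len(window) >= self.threshold:
            window.clear()  # one notification per burst, then count afresh
            return True
        return False

def detect_malicious_moves(log_text, threshold=3, interval=30):
    """Return (timestamp, mac) for every move that triggers a notification."""
    monitor = MacMoveMonitor(threshold, interval)
    notifications = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and monitor.record_move(int(m.group(1)), m.group(2)):
            notifications.append((int(m.group(1)), m.group(2)))
    return notifications
```

With the default rate of three moves per 30 seconds, only 0000.1111.2222 is reported (at t=12); 0000.cccc.dddd moves four times in total but never three times inside one interval.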