Network Hardware User Manual

Configuring Security 6-11
Security
4. Click to select the Reset Learned Addresses option. A confirmation window
will appear; click the confirm button to reset the addresses, or the cancel button to leave
them unchanged. If you confirm, the port's address table is cleared of all Learned and
Secure addresses, and the learning process restarts from an empty table.
Tips for Successfully Implementing Eavesdropper Protection
There are several things to note about eavesdropper protection (scrambling) that must be
taken into consideration when you plan security for your network.
Security can only be implemented by locking a port, and can only be completely disabled
by unlocking the port. You cannot enable intruder protection on a LANVIEWSECURE hub
without also enabling eavesdropper protection. You can, however, effectively enable
eavesdropper protection alone by selecting the noDisable option for the violation
response; noDisable essentially eliminates intruder protection, because all packets are
allowed to pass regardless of their source address. (Note, however, that the port will
still issue a trap after the first violation, so unsecured sources are reported even
though they are not blocked.) You can also enable eavesdropper protection without
intruder protection by selecting the Continuous lock mode; see Enabling Security and
Traps, page 6-12, for details.
Security must be disabled on any port which is connected to an external bridge. The CRC
is not recalculated after a packet is scrambled, so a scrambled packet fails the bridge's
frame check and the bridge discards the packets it receives as error packets.
Security should also be disabled on any port which supports a trunk connection, unless
you are sure that no more than 34 source addresses will attempt to use the port and you
have secured all of the necessary addresses. Note that, with the newest versions of
security, a LANVIEWSECURE port that sees more than 35 addresses in its Source Address
table (or exactly 35 addresses for two consecutive ageing intervals) is considered
unsecurable and cannot be locked; a trunk carrying traffic from many stations will
typically exceed this limit.
Full security should not be implemented on any port which supports a Name Server or a
BootP server, as those devices would not receive the broadcast and multicast requests
they are designed to respond to (partial security, which does not scramble broadcasts
or multicasts, will not affect their operation). Note that users who send broadcast or
multicast requests can still operate successfully if their ports are fully secured: the
reply to a broadcast is a unicast to the requesting station's own secured address, so it
is delivered unscrambled.
In general, scrambling is most effective when employed in a single hubstack
which contains only LANVIEWSECURE hubs; remember, non-LANVIEWSECURE
hubs do not support scrambling as part of their security functionality.
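The following is an added example, not part of this manual or of the hub's own software. It is a small Python model of the rules stated in the tips above: which outgoing frames a locked port passes in the clear versus scrambles under full and partial security, how the noDisable violation response changes the handling of an unsecured source address, and the 35-address securability limit. The forwarding semantics, the one-trap-on-first-violation behaviour, the dropping of the offending frame when a port is disabled, and all MAC addresses used are assumptions made for the illustration.

```python
"""Model of a LANVIEWSECURE-style locked port (added illustration, not hub firmware).

Assumed semantics (not stated this way in the manual): a locked port passes a
frame unscrambled only when the destination is one of the port's secured
addresses; everything else is scrambled, except that partial security leaves
broadcast and multicast frames alone.  Intruder protection is modelled as a
check on the source address of frames received on the port.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Manual: more than 35 addresses, or exactly 35 for two consecutive ageing
# intervals, makes the port unsecurable.
MAX_SECURABLE = 35


def is_group_address(mac: str) -> bool:
    """Broadcast or multicast: the I/G bit (low bit of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class SecurePort:
    secure_addrs: set = field(default_factory=set)
    full_security: bool = True            # False = partial: group frames not scrambled
    violation_response: str = "disable"   # or "noDisable"
    locked: bool = False
    disabled: bool = False
    traps: list = field(default_factory=list)
    interval_counts: list = field(default_factory=list)  # addresses seen per ageing interval

    # --- securability check (the trunk-port caveat) -------------------------
    def record_ageing_interval(self, addresses_seen: int) -> None:
        self.interval_counts.append(addresses_seen)

    def is_securable(self) -> bool:
        counts = self.interval_counts
        if any(n > MAX_SECURABLE for n in counts):
            return False
        return not any(a == MAX_SECURABLE and b == MAX_SECURABLE
                       for a, b in zip(counts, counts[1:]))

    def lock(self) -> None:
        if not self.is_securable():
            raise ValueError("port is unsecurable: too many source addresses")
        self.locked = True

    # --- eavesdropper protection: frames leaving the port --------------------
    def transmit(self, dst: str) -> str:
        """Return 'clear' or 'scrambled' for a frame sent out this port."""
        if not self.locked or dst in self.secure_addrs:
            return "clear"        # includes the unicast reply to a broadcast request
        if is_group_address(dst) and not self.full_security:
            return "clear"        # partial security: broadcasts/multicasts untouched
        return "scrambled"

    # --- intruder protection: frames arriving on the port --------------------
    def receive(self, src: str) -> str:
        """Return 'forwarded' or 'dropped' for a frame received on this port."""
        if self.disabled:
            return "dropped"
        if not self.locked or src in self.secure_addrs:
            return "forwarded"
        # Violation: unsecured source on a locked port.  Assumption: a single
        # trap is raised on the first violation, whatever the response setting.
        if not self.traps:
            self.traps.append(f"violation from {src}")
        if self.violation_response == "noDisable":
            return "forwarded"    # intruder protection effectively off
        self.disabled = True      # assumption: offending frame is not forwarded
        return "dropped"


if __name__ == "__main__":
    # Constructed addresses for the demonstration.
    port = SecurePort(secure_addrs={"00:00:1d:aa:bb:01"})
    for seen in (30, 35, 34):     # 35 only once: still securable
        port.record_ageing_interval(seen)
    port.lock()
    print("to secured station:", port.transmit("00:00:1d:aa:bb:01"))
    print("broadcast, full security:", port.transmit(BROADCAST))
    port.full_security = False
    print("broadcast, partial security:", port.transmit(BROADCAST))
    print("unsecured source:", port.receive("00:00:1d:aa:bb:99"), port.traps)
```

Run as a script to see the decisions for a secured station, a broadcast under full and partial security, and an intruding source; the trunk-port rule is visible by recording two consecutive intervals of exactly 35 addresses and calling `lock()`, which refuses.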