Access Security Guide K/KA/KB.15.15

NOTE: If the device moves to a distant part of the network where data sent to its MAC address
never goes through the locked-down switch, it may be possible for the device to have full two-way
communication. For full and complete lockdown network-wide, all switches must be configured
appropriately.
Once you lock down a MAC address/VLAN pair on one port, that pair cannot be locked
down on a different port.
You cannot perform MAC Lockdown and 802.1X authentication on the same port or on the
same MAC address. MAC Lockdown and 802.1X authentication are mutually exclusive.
Lockdown is permitted on static trunks (manually configured link aggregations).
MAC Lockdown operating notes
Limits
There is a limit of 500 MAC Lockdowns that you can safely configure per switch. To truly lock down
a MAC address, you would have to apply the MAC Lockdown command for that MAC address
and VLAN ID on every switch in the network. In reality, few network administrators go to this length,
but locking down the MAC address and VID on a single switch does not stop the device (or an
attacker spoofing the device MAC address) from using another switch that is not locked
down.
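The constraints stated above (at most 500 lockdowns per switch, a MAC/VLAN pair locked to only one port, and no MAC Lockdown on a port or MAC that uses 802.1X) are easy to violate when a lockdown table is built by hand. The following Python script is an added example, not part of this guide or of the switch software: it validates a planned table of (MAC, VID, port) entries against those constraints and, only if the table is clean, emits one configuration line per entry. The command layout `static-mac <mac> vlan <vid> interface <port>` and the `xxxxxx-xxxxxx` MAC notation are assumptions about the switch CLI, not taken from this page; check them against your switch's command reference before use.

```python
# Added example (not from the Access Security Guide): validate a planned
# MAC Lockdown table against the limits described in this section.
# Assumptions: 500 entries per switch, a MAC/VLAN pair may be locked to one
# port only, and MAC Lockdown and 802.1X are mutually exclusive on a port
# and on a MAC address. The emitted command layout
# "static-mac <mac> vlan <vid> interface <port>" is an assumed CLI form.
import re

MAX_LOCKDOWNS_PER_SWITCH = 500  # per-switch limit stated in the guide

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Return the MAC in the switch's 'xxxxxx-xxxxxx' form, or raise ValueError."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError("bad MAC address: %r" % (mac,))
    return digits[:6] + "-" + digits[6:]


def validate_plan(entries, dot1x_ports=(), dot1x_macs=()):
    """entries: iterable of (mac, vid, port).

    Returns (problems, commands). problems is a list of human-readable
    strings; commands is filled only when there are no problems, so a
    script that pushes the commands cannot push a half-valid table.
    """
    problems = []
    seen = {}          # (mac, vid) -> port that already claims the pair
    ordered = []       # unique entries in input order
    dot1x_ports = set(dot1x_ports)
    dot1x_macs = {normalize_mac(m) for m in dot1x_macs}

    for mac, vid, port in entries:
        try:
            nmac = normalize_mac(mac)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        vid = int(vid)
        if not 1 <= vid <= 4094:
            problems.append("VLAN ID %d out of range for %s" % (vid, nmac))
            continue
        if port in dot1x_ports:
            problems.append("port %s uses 802.1X; MAC Lockdown is not allowed on it" % port)
            continue
        if nmac in dot1x_macs:
            problems.append("%s is authenticated with 802.1X; it cannot also be locked down" % nmac)
            continue
        key = (nmac, vid)
        if key in seen:
            if seen[key] != port:
                problems.append("%s on VLAN %d is already locked to %s; cannot also lock it to %s"
                                % (nmac, vid, seen[key], port))
            continue           # exact duplicate: keep the first occurrence
        seen[key] = port
        ordered.append((nmac, vid, port))

    if len(ordered) > MAX_LOCKDOWNS_PER_SWITCH:
        problems.append("%d lockdowns requested; the guide's safe limit is %d per switch"
                        % (len(ordered), MAX_LOCKDOWNS_PER_SWITCH))

    commands = []
    if not problems:
        commands = ["static-mac %s vlan %d interface %s" % e for e in ordered]
    return problems, commands


if __name__ == "__main__":
    # Constructed sample: the second entry tries to lock the same pair to a second port.
    plan = [("00:01:e6:1f:96:c0", 10, "A15"), ("0001e6-1f96c0", 10, "A16")]
    for p in validate_plan(plan)[0]:
        print("problem:", p)
```

Because the guide notes that the same pair must be locked on every switch to be effective, run the same table through this check once per switch, passing that switch's own 802.1X ports; the 500-entry limit applies to each switch separately.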
Event Log messages
If someone using a locked down MAC address is attempting to communicate using the wrong port
the "move attempt" generates messages in the log file such as:
Example 17 Move attempt
Move attempt (lockdown) logging:
W 10/30/03 21:33:43 maclock: module A: Move 0001e6-1f96c0 to A15 denied
W 10/30/03 21:33:48 maclock: module A: Move 0001e6-1f96c0 to A15 denied
W 10/30/03 21:33:48 maclock: module A: Ceasing move-denied logs for 5m
These messages can be useful for troubleshooting. If you connect a device that has been locked
down to the wrong port, the device will not work, and the switch generates similar error
messages.
Limiting the frequency of log messages
Rate-limiting the log messages prevents the log file from filling up. When a move attempt
(or intrusion) is logged and a message is sent to the log file, message throttling is imposed on the
logging of subsequent move attempts. The logging system checks for move attempts to incorrect
ports 5 minutes after the initial attempt. If there has been a second attempt within the 5-minute
interval, the log file records the most recent attempt and then checks every hour for new
attempts. If, after an hour, no further attempts have been made, the log resets itself and reverts to
checking once per day.
The switch can also be configured to copy the log messages to a chosen syslog server. See the
Management and Configuration Guide for your switch.
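When the Event Log is forwarded to a syslog server, the "Move ... denied" and "Ceasing move-denied logs" messages from Example 17 are what a collector actually sees, and the throttling described above means a count of denied moves is only a lower bound once a "Ceasing" message has appeared. The following Python script is an added example, not part of this guide or of the switch software: it parses both message forms using the layout shown in Example 17, tallies denied moves per MAC/port, records each throttling window, and flags tallies that may be undercounted. The sample log is constructed for illustration; its non-maclock line is filler to show that unrelated messages are ignored, and the line prefix/module layout beyond Example 17 is an assumption.

```python
# Added example (not from the Access Security Guide): parse maclock
# move-denied and throttling messages as they appear in the switch Event Log
# or a syslog feed. Message layout follows Example 17; SAMPLE_LOG is a
# constructed sample, and the "mgr:" line is filler, not a real switch message.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
W 10/30/03 21:33:43 maclock: module A: Move 0001e6-1f96c0 to A15 denied
W 10/30/03 21:33:48 maclock: module A: Move 0001e6-1f96c0 to A15 denied
W 10/30/03 21:33:48 maclock: module A: Ceasing move-denied logs for 5m
I 10/30/03 21:40:02 mgr: constructed filler line, not a maclock message
W 10/30/03 22:41:10 maclock: module A: Move 0001e6-1f96c0 to A16 denied
"""

# "<severity> <MM/DD/YY> <HH:MM:SS> maclock: module <X>: <message>"
LINE_RE = re.compile(
    r"^(?P<sev>[A-Z]) (?P<stamp>\d\d/\d\d/\d\d \d\d:\d\d:\d\d) "
    r"maclock: module (?P<module>\S+): (?P<msg>.*)$")
MOVE_RE = re.compile(r"^Move (?P<mac>[0-9a-f]{6}-[0-9a-f]{6}) to (?P<port>\S+) denied$")
CEASE_RE = re.compile(r"^Ceasing move-denied logs for (?P<n>\d+)(?P<unit>[smhd])$")
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_line(line):
    """Return a dict describing one maclock message, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m.group("stamp"), "%m/%d/%y %H:%M:%S")
    msg = m.group("msg")
    mv = MOVE_RE.match(msg)
    if mv:
        return {"kind": "denied", "when": when, "module": m.group("module"),
                "mac": mv.group("mac"), "port": mv.group("port")}
    ce = CEASE_RE.match(msg)
    if ce:
        secs = int(ce.group("n")) * UNIT_SECONDS[ce.group("unit")]
        return {"kind": "throttle", "when": when, "module": m.group("module"),
                "seconds": secs}
    return {"kind": "other", "when": when, "module": m.group("module"), "text": msg}


def summarize(lines):
    """Tally denied moves per (mac, port) and collect throttling windows.

    A tally is marked undercounted once the switch announces that it is
    ceasing move-denied logs, because later attempts in that window are
    not logged at all.
    """
    denied = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                  "undercounted": False})
    windows = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "denied":
            rec = denied[(ev["mac"], ev["port"])]
            rec["count"] += 1
            rec["first"] = rec["first"] or ev["when"]
            rec["last"] = ev["when"]
        elif ev["kind"] == "throttle":
            windows.append((ev["when"], ev["when"] + timedelta(seconds=ev["seconds"])))
            for rec in denied.values():   # everything seen so far may keep being denied silently
                rec["undercounted"] = True
    return {"denied": dict(denied), "throttle_windows": windows}


def needs_attention(summary, threshold=2):
    """MAC/port pairs worth a look: repeated denials, or tallies the throttle may hide."""
    return sorted(key for key, rec in summary["denied"].items()
                  if rec["count"] >= threshold or rec["undercounted"])


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for (mac, port), rec in s["denied"].items():
        print(mac, port, rec["count"], "(lower bound)" if rec["undercounted"] else "")
    print("throttle windows:", s["throttle_windows"])
```

Treat a MAC/port pair flagged as undercounted as "at least this many" attempts: the guide's throttling steps from 5 minutes to hourly to daily checks, so a device that keeps trying will leave far fewer log lines than connection attempts.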
Differences between MAC lockdown and port security
Because port-security relies upon MAC addresses, it is often confused with the MAC Lockdown
feature. However, MAC Lockdown is a completely different feature and is implemented on a
different architecture level.