Maclock - secure switches against MAC flooding

  • Introduction

MAC locking assigns MAC addresses to a port so that unauthorized devices cannot send frames through that port.

MAC locking is also a good tool for protecting against MAC flooding attacks and, in some cases, MAC spoofing attacks.

  • Maclock configuration - steps:

(su)->set maclock trap ge.1.1-48 enable

Enable sending a trap when a violation occurs.

set maclock agefirstarrival ge.1.1-48 enable

Enable aging for first-arrival MAC addresses (default is 300 secs).

set maclock firstarrival ge.1.1-48 100

Set the limit of dynamic (first-arrival) MAC addresses per port.

set maclock static ge.1.1-48 1

Set the maximum number of static MAC addresses per port. In most cases "1" is sufficient, e.g. for servers, but you can adjust it to your needs.

set maclock enable ge.1.1-48

Enable the maclock feature on the ports. On ports where other switches are connected, it is best not to enable it.

set maclock enable

Enable maclock globally. From this moment MAC locking is active.
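The steps above can be generated per switch so that uplink ports are left out, as the note on inter-switch ports recommends. This is an added example, not part of the original page: the function names are hypothetical, the uplink ports (ge.1.24, ge.1.47-48) are constructed sample values, and only the commands shown on this page are emitted.

```python
import re

def expand(port_string):
    """Split 'ge.1.1-48' into the prefix 'ge.1' and the set of port numbers."""
    m = re.fullmatch(r"(\w+\.\d+)\.(\d+)(?:-(\d+))?", port_string)
    if not m:
        raise ValueError(f"unsupported port string: {port_string}")
    first, last = int(m.group(2)), int(m.group(3) or m.group(2))
    if last < first:
        raise ValueError(f"descending range: {port_string}")
    return m.group(1), set(range(first, last + 1))

def collapse(prefix, ports):
    """Turn port numbers back into port strings, merging consecutive runs."""
    runs = []
    for p in sorted(ports):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    return [f"{prefix}.{a}" if a == b else f"{prefix}.{a}-{b}" for a, b in runs]

def maclock_commands(port_string, uplinks=(), first_arrival=100, static=1):
    """Build the maclock command list for access ports only."""
    prefix, ports = expand(port_string)
    for uplink in uplinks:
        up_prefix, up_ports = expand(uplink)
        if up_prefix != prefix:
            raise ValueError(f"{uplink} is not in {port_string}")
        ports -= up_ports  # ports facing other switches stay unlocked
    cmds = []
    for ps in collapse(prefix, ports):
        cmds += [
            f"set maclock trap {ps} enable",
            f"set maclock agefirstarrival {ps} enable",
            f"set maclock firstarrival {ps} {first_arrival}",
            f"set maclock static {ps} {static}",
            f"set maclock enable {ps}",
        ]
    if cmds:
        cmds.append("set maclock enable")  # global enable goes last
    return cmds

if __name__ == "__main__":
    # Constructed sample: 48-port switch, uplinks on ports 24, 47 and 48.
    for line in maclock_commands("ge.1.1-48", uplinks=["ge.1.24", "ge.1.47-48"]):
        print(line)
```

Review the generated lines before pasting them into the switch CLI; the per-port limits default to the values used on this page.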

  • Useful options

(su)->set maclock move ge.1.48

Change the dynamic addresses on a particular port to static.

set maclock 00:00:00:00:00:01 ge.1.48 {create/disable/enable}

Assign a MAC address to a port with one of the following actions:

create - create and enable MAC locking for this entry

disable - disable MAC locking for this entry

enable - enable MAC locking for this entry (the MAC has to exist)

  • Monitoring maclocking

(su)->show maclock stations static

Show statically assigned mac addresses.




(su)->show maclock stations firstarrival

Show dynamically assigned mac addresses.




(su)->show maclock stations

Show all assigned mac addresses.



(su)->show maclock

Check the maclock settings.


dzbanek 2011-12-13
