Unknown MAC Discard is a security feature for high-security environments that restricts access to the network based on the layer 2 media access control (MAC) address of the devices connected to the Passport routing switch. The feature is enabled per port. (Refer to the MAC Learning tab for information on enabling MAC Learning at the port level.) The principle of Unknown MAC Discard is that any frame originating from, or destined to, a MAC address that is not known to the Passport routing switch on that port is a security violation, and the frame is dropped.
You can create a table of MAC addresses that are allowed access to a specified port. A MAC address is "known", and its frames are forwarded normally, if it is defined in the allowed MAC table for that port or if a static VLAN forwarding database (fdb) entry exists for it.
An allowed MAC table is created for each port and applies to all VLANs associated with that port. The table defines which MAC addresses are allowed on the port, in addition to any static MAC entries; it is separate from the VLAN forwarding databases. Because each port has its own allowed MAC table, the same MAC address can be allowed on multiple ports. This contrasts with a VLAN fdb, in which a given MAC address can exist on only one port for a given VLAN.
Entries are added to the allowed MAC table either manually or by AutoLearn, which operates in one of two modes: One-Shot AutoLearn or Continuous AutoLearn. An additional control is the Lock AutoLearn MACs setting. These settings are described as follows:
Note: In both One-Shot AutoLearn mode and Continuous AutoLearn mode, the MAC addresses in the allowed MAC table are not saved and restored across switch resets unless both Unknown MAC Discard and Lock AutoLearn MACs are enabled.
Note: Enable the Lock AutoLearn MACs feature only after the allowed MAC table has reached a steady state of one or more MAC addresses. Once the lock is enforced, no new MAC addresses are learned; any address not already in the table is treated as unknown.
When Lock AutoLearn MACs is enabled, the allowed MAC table can be saved in the configuration file, so all entries added by AutoLearn are saved and restored across system reboots. (Refer to the "Routing and the Unknown MAC Discard Feature" section for a discussion of the feature's limitations.)
Unknown MAC Discard is fundamentally a security feature. If a MAC address other than an allowed MAC address attempts to send traffic through the routing switch on a protected port, that is considered a violation.
The three configurable actions that the switch can perform when a MAC violation occurs on a port are to log the violation, to send an SNMP trap, and to administratively down the port. Each action is enabled independently, so a port can, for example, log and trap without being shut down:
A MAC violation log entry looks like the following:
    24: [07/22/1999 20:08:29] WARNING: Code=0x0 Task=tCppRxTask: An intrusion MAC address:00:00:6f:21:00:00 at port 3/2
The log entry includes the date and time of the violation, the port at which the violation occurred, and the disallowed MAC address.
Note: The maximum number of allowed MAC addresses the system can track is 1000. The maximum number of entries that can be saved in the binary configuration is 100. If more than 100 MAC entries must be stored in a configuration, use an ASCII configuration file instead. If you exceed 1000 MAC addresses while using Continuous AutoLearn, you receive the following log and console message: "WARNING: All Mac Address table is full. Can't learn Mac xx:xx:xx:xx:xx:xx!" This condition can affect SNMP and CPU performance.