MAC learning
This security feature, intended for high-security environments, restricts access to the network based on the layer 2 media access control (MAC) address of the devices connected to the Passport routing switch. It is enabled per port. (Refer to the MAC Learning tab for information about enabling MAC learning at the port level.) The premise of Unknown MAC Discard is that any frame originating from, or destined to, a MAC address that is not known to the Passport routing switch on that port is a security violation and is dropped.
You can create a table of MAC addresses that are allowed access to the specified port. A MAC address is "known" and is forwarded normally if it has been defined in the allowed MAC table or if there is a static VLAN forwarding database (fdb) entry for the MAC address.
An allowed MAC table is created for each port and applies to all VLANs associated with that port. The table defines which MAC addresses are allowed on the port, in addition to any static MAC entries; this table is separate from the VLAN forwarding databases. Because each port has its own allowed MAC table, the same MAC address can be allowed on multiple ports. This contrasts with a VLAN fdb, in which a given MAC address can exist on only one port for a given VLAN.
Entries are added to the allowed MAC table either manually or using AutoLearn, which is in either One-Shot AutoLearn mode or Continuous AutoLearn mode. An additional feature is the Lock AutoLearn MACs setting. These settings are described as follows:
- Manual--A user can manually enter a MAC address into the allowed MAC table for a given port. Manual entries in the allowed MAC table are saved in the configuration file; thus all manual entries are saved and restored across system reboots.
- One-Shot AutoLearn--In this mode, the user specifies the number of first-learned MAC addresses to allow access on that port, and the switch adds those addresses to the allowed MAC table. The allowed MAC table only grows, because entries are never aged out; in this mode, the entries remain until the user clears the table. To clear the autolearned entries, refer to the configuration instructions following this section.
Note:
When in One-Shot AutoLearn mode, the MAC addresses in the allowed MAC table are not saved and restored across resets unless both the Unknown MAC Discard and the Lock AutoLearn MACs parameters are enabled.
- Continuous AutoLearn--In this mode, the routing switch keeps adding new MAC addresses to the allowed MAC table. The entries in the allowed MAC table are aged out as the corresponding entries in the underlying VLAN fdbs age out. To manually clear the autolearned entries, refer to the configuration instructions following this section.
Note:
When in Continuous AutoLearn mode, the MAC addresses in the allowed MAC table are not saved and restored across switch resets unless both the Unknown MAC Discard and the Lock AutoLearn MACs parameters are enabled.
- Lock AutoLearn MACs--The Lock AutoLearn MACs setting freezes the allowed MAC table of the port in its current state. No new MAC addresses are allowed, even if an AutoLearn mode (either One-Shot AutoLearn or Continuous AutoLearn) is enabled.
Note:
Enable the Lock AutoLearn MACs feature only after the allowed MAC table has reached a steady state of one or more MAC addresses. Once enforced, no new MAC addresses are allowed.
When Lock AutoLearn MACs is enabled, you can save the allowed MAC table in the configuration file; thus all entries added by AutoLearn are saved and restored across system reboots. (Refer to the "Routing and the Unknown MAC Discard feature" section for a discussion of the feature limitations.)
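The following is an added example, not Nortel code and not the Passport implementation: a small Python reference model of the per-port policy described above, useful for reasoning about what a given combination of settings will do before touching a production port. It models only the source MAC of a received frame, and it assumes that a static VLAN fdb entry is keyed by VLAN, MAC and port (so the same static entry does not make the MAC known on another VLAN); both are modelling assumptions, as are the port names, MAC addresses and the `demo()` walkthrough.

```python
from dataclasses import dataclass, field
from enum import Enum


class AutoLearn(Enum):
    OFF = "manual-only"        # only manual entries and static fdb entries are known
    ONE_SHOT = "one-shot"      # learn the first N MACs; learned entries never age out
    CONTINUOUS = "continuous"  # keep learning; learned entries age with the VLAN fdb


@dataclass
class Port:
    name: str
    mode: AutoLearn = AutoLearn.OFF
    one_shot_limit: int = 0                    # N for One-Shot AutoLearn
    lock: bool = False                         # Lock AutoLearn MACs: freeze the table
    manual: set = field(default_factory=set)   # entries typed in by the operator
    learned: set = field(default_factory=set)  # entries added by AutoLearn
    admin_down: bool = False
    violations: list = field(default_factory=list)

    def allowed(self) -> set:
        return self.manual | self.learned


class UnknownMacDiscard:
    """Hypothetical reference model of the per-port policy; not switch code."""

    def __init__(self, admin_down_on_violation: bool = False):
        self.ports: dict = {}
        self.static_fdb: set = set()   # (vlan, mac, port) static VLAN fdb entries (assumed keying)
        self.admin_down_on_violation = admin_down_on_violation

    def add_port(self, name: str, **settings) -> Port:
        self.ports[name] = Port(name, **settings)
        return self.ports[name]

    def add_static(self, vlan: int, mac: str, port: str) -> None:
        self.static_fdb.add((vlan, mac.lower(), port))

    def frame(self, port: str, vlan: int, src_mac: str) -> str:
        """Decide what happens to a frame with source src_mac arriving on port."""
        p = self.ports[port]
        mac = src_mac.lower()
        if p.admin_down:
            return "dropped-port-down"
        if mac in p.allowed() or (vlan, mac, port) in self.static_fdb:
            return "forward"
        can_learn = not p.lock and (
            p.mode is AutoLearn.CONTINUOUS
            or (p.mode is AutoLearn.ONE_SHOT and len(p.learned) < p.one_shot_limit)
        )
        if can_learn:
            p.learned.add(mac)
            return "learn"
        p.violations.append((vlan, mac))   # the log entry / SNMP trap would be raised here
        if self.admin_down_on_violation:
            p.admin_down = True
        return "violation"

    def age_fdb(self, port: str, mac: str) -> None:
        """VLAN fdb aging: only Continuous AutoLearn entries follow it."""
        p = self.ports[port]
        if p.mode is AutoLearn.CONTINUOUS:
            p.learned.discard(mac.lower())

    def clear_autolearned(self, port: str) -> None:
        self.ports[port].learned.clear()

    def admin_up(self, port: str) -> None:
        self.ports[port].admin_down = False


def demo() -> dict:
    """Walk the modes with constructed MACs and return the decisions taken."""
    sw = UnknownMacDiscard(admin_down_on_violation=True)
    sw.add_port("3/1", mode=AutoLearn.ONE_SHOT, one_shot_limit=2)
    sw.add_port("3/2", mode=AutoLearn.CONTINUOUS)
    sw.add_port("3/3", manual={"00:00:6f:21:00:01"})
    sw.add_static(10, "00:00:6f:21:00:99", "3/3")
    r = {}
    # One-shot: the first two source MACs are learned, the third is a violation
    r["oneshot"] = [sw.frame("3/1", 10, m) for m in
                    ("00:00:6f:21:00:01", "00:00:6f:21:00:02", "00:00:6f:21:00:03")]
    r["oneshot_admin_down"] = sw.ports["3/1"].admin_down
    sw.admin_up("3/1")
    sw.age_fdb("3/1", "00:00:6f:21:00:01")            # no effect in one-shot mode
    r["oneshot_after_age"] = sw.frame("3/1", 10, "00:00:6f:21:00:01")
    # Continuous: learn, age out, learn again; locking then blocks new MACs
    r["cont_learn"] = sw.frame("3/2", 10, "00:00:6f:21:00:01")   # same MAC, other port
    sw.age_fdb("3/2", "00:00:6f:21:00:01")
    r["cont_relearn"] = sw.frame("3/2", 10, "00:00:6f:21:00:01")
    sw.ports["3/2"].lock = True
    r["cont_locked"] = sw.frame("3/2", 10, "00:00:6f:21:00:04")
    # Manual table plus static fdb entry; the static entry is per VLAN in this model
    r["manual"] = sw.frame("3/3", 10, "00:00:6f:21:00:01")
    r["static_vlan10"] = sw.frame("3/3", 10, "00:00:6f:21:00:99")
    r["static_vlan20"] = sw.frame("3/3", 20, "00:00:6f:21:00:99")
    return r
```

`demo()` shows the points that matter operationally: the one-shot port accepts exactly its configured count and then treats the next address as a violation (which, with the AdminDown action enabled, takes the port down for every device on it); fdb aging removes entries only on the continuous port; the same MAC is accepted on two ports at once; and locking stops further learning without disturbing what is already allowed.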
Unknown MAC Discard is fundamentally a security feature. If a MAC address other than an allowed MAC address attempts to send traffic through the routing switch, that is considered a violation.
The three configurable actions that the switch performs when triggered by a MAC violation on a port are to log the violation, to send a trap, and to administratively down the port:
- MAC violation logging--When there is a MAC violation, you can configure the switch to create a system log entry.
A MAC violation log entry looks like the following:
    24: [07/22/1999 20:08:29] WARNING: Code=0x0 Task=tCppRxTask: An intrusion MAC address:00:00:6f:21:00:00 at port 3/2
The log entry includes the date and time of the violation, the port at which the violation occurred, and the disallowed MAC address.
- MAC violation SNMP trap--When there is a MAC violation, you can configure the switch to send an SNMP trap. The trap sent by the switch is the Nortel Networks enterprise trap rcMacViolation.
- Administratively downing the port--When there is a MAC violation, you can configure the switch to administratively down (AdminDown) the port. Downing the port denies access to all devices on that port, including the offending device. This action is particularly useful in high-security environments where intrusions from unknown machines cannot be tolerated. The port remains in the AdminDown state until the administrator manually brings it to the AdminUp state or the system reboots.
Note:
The maximum number of allowed MAC addresses the system can track is 1000. The maximum number of entries that you can save in the binary configuration is 100. If you need to store more than 100 MAC entries in a configuration, use an ASCII configuration file.
If you exceed 1000 MAC addresses while using Continuous AutoLearn, you receive the following log and console message: "WARNING: All Mac Address table is full. Can't learn Mac xx:xx:xx:xx:xx:xx!" Operating at this limit can also affect SNMP and CPU performance.
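As an added example (not part of the Nortel documentation or the switch software), the following Python parses the two messages this section shows, the MAC violation log entry and the table-full warning, and summarises them per port, which is the check an operator wants when deciding whether a port is seeing a stray device or a flood of unknown addresses. The entry format is taken from the example above; the assumption that the table-full warning appears in the log with a similar prefix, the filler INFO line, and all MAC addresses other than the one in the manual's example are constructed for the sample.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Shape of the entry shown in the manual: "<seq>: [<date time>] <level>: Code=<hex>
# Task=<task>: An intrusion MAC address:<mac> at port <slot>/<port>"
VIOLATION_RE = re.compile(
    r"^(?P<seq>\d+): \[(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\] "
    r"(?P<level>[A-Z]+): Code=(?P<code>0x[0-9A-Fa-f]+) Task=(?P<task>\S+): "
    r"An intrusion MAC address:(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) "
    r"at port (?P<port>\d+/\d+)\s*$"
)
# The table-full warning as quoted in the note; matched anywhere in the line because
# the manual does not show the prefix it carries in the log (assumption).
TABLE_FULL_RE = re.compile(
    r"WARNING: All Mac Address table is full\. Can't learn Mac "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})!"
)


def parse_line(line: str):
    """Return a dict describing the event, or None if the line is not one we track."""
    m = VIOLATION_RE.match(line)
    if m:
        return {
            "event": "mac_violation",
            "time": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S"),  # MM/DD/YYYY per the example
            "port": m["port"],
            "mac": m["mac"].lower(),
            "task": m["task"],
        }
    m = TABLE_FULL_RE.search(line)
    if m:
        return {"event": "table_full", "mac": m["mac"].lower()}
    return None


def summarize(lines):
    """Per-port violation counts and distinct intruding MACs, plus table-full count."""
    per_port = Counter()
    macs = defaultdict(set)
    table_full = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "mac_violation":
            per_port[ev["port"]] += 1
            macs[ev["port"]].add(ev["mac"])
        else:
            table_full += 1
    return {"violations": dict(per_port),
            "macs": {p: sorted(s) for p, s in macs.items()},
            "table_full": table_full}


def noisy_ports(summary, threshold: int):
    """Ports with at least `threshold` violations (candidates for AdminDown or review)."""
    return sorted(p for p, n in summary["violations"].items() if n >= threshold)


# Constructed sample: the manual's example entry plus made-up neighbouring lines.
SAMPLE_LOG = [
    "24: [07/22/1999 20:08:29] WARNING: Code=0x0 Task=tCppRxTask: An intrusion MAC address:00:00:6f:21:00:00 at port 3/2",
    "25: [07/22/1999 20:08:31] WARNING: Code=0x0 Task=tCppRxTask: An intrusion MAC address:00:00:6f:21:00:00 at port 3/2",
    "26: [07/22/1999 20:08:40] WARNING: Code=0x0 Task=tCppRxTask: An intrusion MAC address:00:00:6F:21:00:07 at port 3/2",
    "27: [07/22/1999 20:09:02] INFO: Code=0x0 Task=tShell: constructed filler line, not a violation",
    "28: [07/22/1999 20:10:15] WARNING: Code=0x0 Task=tCppRxTask: An intrusion MAC address:00:e0:16:aa:bb:cc at port 1/4",
    "29: [07/22/1999 20:12:00] WARNING: All Mac Address table is full. Can't learn Mac 00:e0:16:00:00:01!",
]
```

Two repeated entries from one MAC on a port usually mean a single misplaced or replaced device; several distinct MACs on one port, or any table-full warning on a Continuous AutoLearn port, are the cases worth escalating, since the latter means the 1000-entry limit is already reached and further devices will not be learned.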