Reset Search
 

 

Article

Understanding Mac Locking on Extreme N,S,K-Series platforms

« Go Back

Information

 
TitleUnderstanding Mac Locking on Extreme N,S,K-Series platforms
Objective
Understanding MAC Locking , how it works and how to configure
Environment
  • N-Series
  • K-Series
  • S-Series 
  • Mac Locking
Procedure
MAC Locking Overview

MAC locking is a security feature which limits access to the network switch based on a device’s MAC address. It controls a port to allow specified MAC addresses or a maximum number of MAC addresses on a first come first serve basis. 

There are two types of MAC locking:
  • Static MAC Locking
Locking one or more specified MAC addresses to a port. A device with a MAC address that is not specifically configured will not be allowed access to a port. This provides the network administrator with confidence that only known devices will gain access to a port. 
  • Dynamic MAC Locking 
Locking one or more MAC addresses to a port based on first arrival of received frames after dynamic MAC locking is enabled. The configuration specifies the maximum number of end users that will be allowed. As each new end user is identified, it is MAC locked up to the configured limit. Once the maximum number of users have been MAC locked, all other users will be denied access to the port until a MAC locked address is either aged, if aging is configured, or the session for that user ends.

Default Status

MAC Locking is disabled by default. MAC locking must be both globally enabled and enabled on the desired ports.


Configuring Mac Locking
 
  • Enable MAC Locking
Globally enable MAC locking, optionally specifying the port(s) to be enabled. If no port is specified, all ports on the device are enabled. If one or more ports are specified, all unspecified ports remain disabled.
set maclock enable [port_string]
 
  • ​​For Static Mac Locking configuration
Enable static MAC locking configuration.For ports where you are going to restrict access based upon a device’s MAC address, set the port to MAC lock static and specify the maximum number of configured MAC addresses for that port
 
​set maclock static port_string value

Create static MAC locking entries for the specified MAC address and port.
 
set maclock mac_address port_string {create | enable | disable}
 
  • For Dynamic Mac Locking configuration
For ports you are going to restrict on a first come first serve basis for a set number of MAC addresses, enable dynamic MAC locking specifying the maximum number of MAC addresses allowed for that port
 
set maclock firstarrival port_string value
 
  • Other useful optional configurations
 
Optionally move all current dynamically enabled MAC locking MAC addresses to a static MAC locking configuration. This is useful for learning mac addresses in order to easily configure static mac locking:
 
set maclock move port-string

Optionally allow dynamic firstarrival MAC addresses to age based upon the configured MAC agetime. If the Filter DataBase (FDB) entry ages out for this station, the corresponding dynamic MAC locked stations will no longer be MAC locked. The agetime for the FDB is set by the set mac agetime command and is displayed using the show mac agetime command. Dynamic MAC lock address aging is disabled by default.
 
set maclock agefirstarrival port_string {enable | disable}
 
Optionally, enable or disable MAC lock trap messaging:
 
set maclock trap port_string {enable | disable}

Managing and Troubleshooting Mac Locking 
 
  • Display MAC locking information for dynamic configurations, static configurations or by port
show maclock [stations [firstarrival | static]] [port_string]

Example Configurations 
 
System(rw)->set maclock enable ge.1.1

The following command lines enable port ge.1.1 for a maximum of 3 static MAC address entries. 
This is followed by four static MAC address creation entries. 
The fourth entry fails because the maximum allowed has been set to 3:

System(rw)->set maclock static ge.1.1 3
System(rw)->set maclock 00-10-a4-e5-08-4e ge.1.1 create
System(rw)->set maclock 08-00-20-7c-e0-db ge.1.1 create
System(rw)->set maclock 00-60-08-14-4b-15 ge.1.1 create
System(rw)->set maclock 00-01-f4-2c-ad-b4 ge.1.1 create

Set failed for ge.1.1.

System(rw)->show maclock stations static
Port Number  MAC Address        Status         State        Aging
-----------  -----------------  ------------- ------------- -----
ge.1.1       00-10-a4-e5-08-4e  active         static       false
ge.1.1       00-60-08-14-4b-15  active         static       false
ge.1.1       08-00-20-7c-e0-db  active         static       false
 
The following command lines configure ports ge.1.2 through 5 for dynamic MAC locking with a maximum of 15 users on each port. 
This line is followed by a line enabling MAC locking trap messaging on ports ge.1.1 through 5:

System(rw)->set maclock firstarrival ge.1.2-5 15
System(rw)->set maclock trap ge.1.1-5 enable
 
 
Additional notes
Default Parameter Values
  • MAC locking status 
Specifies whether MAC locking is enabled or disabled both globally and on a specific port.
Default state : disabled
  • maximum number of dynamic MAC addresses
Specifies the maximum number of MAC addresses that will be locked by default on a port configured for dynamic MAC locking.
Default value : 600
  • first arrival MAC address aging
Specifies that dynamic MAC locked addresses will be aged after the time set by the MAC agetime configuration.
Default state : disabled
  • MAC lock traps
Specifies whether traps associated with MAC locking will be sent.
Default state : disabled
  • maximum number of static MAC addresses
Specifies the maximum number of static MAC addresses allowed on a port.
Default value : 64

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255