Mac Address Security; Limiting Dynamic Mac Addresses - Extreme Networks ExtremeWare XOS Guide Manual


mode. Although SNMP, Telnet, and switch ports are enabled by default, the script prompts you to confirm those settings. By answering N (No) to each question, you keep the default settings.
Would you like to disable Telnet? [y/N]: No
Would you like to disable SNMP [y/N]: No
Would you like unconfigured ports to be turned off by default [y/N]: No
In addition, if you keep the default settings for SNMP and Telnet, the switch returns the following
interactive script:
Since you have chosen less secure management methods, please remember to increase
the security of your network by taking the following actions:
* change your admin password
* change your SNMP public and private strings
* consider using SNMPv3 to secure network management traffic
For more detailed information about safe defaults mode, see "Safe Defaults Setup Method" on page 47.
MAC Address Security
The switch maintains a database of all media access control (MAC) addresses received on all of its ports. The switch uses the information in this database to decide whether a frame should be forwarded or filtered. MAC address security allows you to control the way the Forwarding Database (FDB) is learned and populated. For more information about the FDB, see Chapter 11, "Forwarding Database."
The following section, "Limiting Dynamic MAC Addresses," describes how MAC address security allows you to limit the number of dynamically learned MAC addresses allowed per virtual port. The section "MAC Address Lock Down" on page 317 describes how you can also "lock" the FDB entries for a virtual port, so that the current entries will not change, and no additional addresses can be learned on the port.
NOTE
You can either limit dynamic MAC FDB entries or lock down the current MAC FDB entries, but not both.
Using ACLs, you can also prioritize or stop packet flows based on the source MAC address of the ingress virtual LAN (VLAN) or the destination MAC address of the egress VLAN. For more information about ACL policies, see Chapter 13, "Access Lists (ACLs)."
Another method of enhancing security, depending on your network configuration, is to disable Layer 2 flooding. For more information about enabling and disabling Layer 2 flooding, see the section "Disabling Egress Flooding" in Chapter 11, "Forwarding Database."
Limiting Dynamic MAC Addresses
You can set a predefined limit on the number of dynamic MAC addresses that can participate in the network. After the FDB reaches the MAC limit, all new source MAC addresses are blackholed at both the ingress and egress points. These dynamic blackhole entries prevent the MAC addresses from learning and responding to Internet Control Message Protocol (ICMP) and Address Resolution Protocol (ARP) packets.
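The following simplified model is an added example, not code from the guide or from ExtremeWare XOS. It shows the limit behavior described above when a burst of previously unseen source MAC addresses arrives on one virtual port. The class and function names, the VLAN name, and all MAC addresses are constructed for illustration; entry aging and MAC moves between ports are not modeled.

```python
from collections import defaultdict

class LimitedFdb:
    """Simplified model (assumption) of a per-virtual-port dynamic MAC limit."""

    def __init__(self, limit):
        self.limit = limit
        self.learned = defaultdict(set)    # (port, vlan) -> dynamic MACs
        self.blackhole = defaultdict(set)  # vlan -> blackholed MACs

    def frame(self, port, vlan, src, dst):
        """Process one frame; return 'forward' or 'drop'."""
        vport = (port, vlan)
        if src in self.blackhole[vlan]:
            return "drop"                      # blackholed at ingress
        if src not in self.learned[vport]:
            if len(self.learned[vport]) >= self.limit:
                self.blackhole[vlan].add(src)  # limit reached: new source blackholed
                return "drop"
            self.learned[vport].add(src)       # still under the limit: learn it
        if dst in self.blackhole[vlan]:
            return "drop"                      # blackholed at egress
        return "forward"

def simulate(limit=3, burst=1000):
    """Run constructed traffic through the model and summarise the outcome."""
    fdb, vlan = LimitedFdb(limit), "v10"       # hypothetical VLAN name
    gw = "02:00:00:00:00:01"                   # constructed MAC on uplink port 1
    fdb.frame(1, vlan, gw, "ff:ff:ff:ff:ff:ff")
    hosts = [f"02:aa:00:00:00:{i:02x}" for i in range(1, limit + 1)]
    legit = [fdb.frame(5, vlan, h, gw) for h in hosts]
    # Constructed burst of previously unseen source MACs arriving on port 5.
    unseen = [f"02:bb:00:00:{i >> 8:02x}:{i & 0xff:02x}" for i in range(burst)]
    burst_out = [fdb.frame(5, vlan, m, gw) for m in unseen]
    return {
        "legit": legit,
        "burst_forwarded": burst_out.count("forward"),
        "learned_on_port5": len(fdb.learned[(5, vlan)]),
        "blackholed": len(fdb.blackhole[vlan]),
        "reply_to_blackholed": fdb.frame(1, vlan, gw, unseen[0]),
        "host_after_burst": fdb.frame(5, vlan, hosts[0], gw),
    }

if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

In the model, the addresses learned before the limit was reached keep forwarding after the burst, while traffic from or to any blackholed address is dropped.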
ExtremeWare XOS 11.3 Concepts Guide
