Locking A Port To Restrict Addresses; Configuration Notes - Foundry Networks FESX Manual

Fastiron x-series

Enabling Logging of Packets Denied by MAC Filters
You can configure the Foundry device to generate Syslog entries and SNMP traps for packets that are denied by
Layer 2 MAC filters. You can enable logging of denied packets on a global basis or an individual port basis.

The first time an entry in a MAC filter denies a packet and logging is enabled for that entry, the software generates
a Syslog message and an SNMP trap. Messages for packets denied by MAC filters are at the warning level of the
Syslog.

When the first Syslog entry for a packet denied by a MAC filter is generated, the software starts a five-minute MAC
filter timer. After this, the software sends Syslog messages every five minutes. The messages list the number of
packets denied by each MAC filter during the previous five-minute interval. If a MAC filter does not deny any
packets during the five-minute interval, the software does not generate a Syslog entry for that MAC filter.

NOTE: For a MAC filter to be eligible to generate a Syslog entry for denied packets, logging must be enabled for
the filter. The Syslog contains entries only for the MAC filters that deny packets and have logging enabled.

When the software places the first entry in the log, the software also starts the five-minute timer for subsequent log
entries. Thus, five minutes after the first log entry, the software generates another log entry and SNMP trap for
denied packets.

Configuration Notes

MAC filter logging is supported in the following FastIron configurations:
  - FESX devices running software release 02.1.01 or later
  - All FSX devices and associated software releases
  - All FWSX devices and associated software releases
These releases support MAC filter logging of management traffic only.

Command Syntax

To configure Layer 2 MAC filter logging globally, enter the following CLI commands at the global CONFIG level:
FESX424 Switch(config)# mac filter log-enable
FESX424 Switch(config)# write memory
Syntax: [no] mac filter log-enable
To configure Layer 2 MAC filter logging for MAC filters applied to ports 1 and 3, enter the following CLI commands:
FESX424 Switch(config)# int ethernet 1
FESX424 Switch(config-if-e1000-1)# mac filter-group log-enable
FESX424 Switch(config-if-e1000-1)# int ethernet 3
FESX424 Switch(config-if-e1000-3)# mac filter-group log-enable
FESX424 Switch(config-if-e1000-3)# write memory
Syntax: [no] mac filter-group log-enable
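
An added example (not from the Foundry manual): a Python check over a saved configuration that reports ports with a MAC filter group applied but no "mac filter-group log-enable", whose denied packets would therefore produce no Syslog entry or SNMP trap. The stanza layout, the "mac filter-group <filter ids>" binding line, the sample text and the function name are assumptions, as is treating the global "mac filter log-enable" as covering every port.

```python
import re

# Constructed sample, not taken from the manual. Assumed layout: port stanzas
# open with "interface ethernet <port>" and close with "!", and a filter group
# is bound to a port with "mac filter-group <filter ids>".
SAMPLE_CONFIG = """\
interface ethernet 1
 mac filter-group 1
 mac filter-group log-enable
!
interface ethernet 2
 mac filter-group 1
!
interface ethernet 3
 port-name uplink
!
"""

IFACE_RE = re.compile(r"^int(?:erface)?\s+ethernet\s+(\S+)", re.I)
GROUP_RE = re.compile(r"^mac\s+filter-group\s+(.+)$", re.I)

def audit_mac_filter_logging(config_text):
    """Return (global_enabled, ports whose MAC filter denials are not logged)."""
    global_enabled = False
    ports = {}      # port -> {"filtered": bool, "logging": bool}
    current = None  # stanza being parsed; None while at the global level
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        iface = IFACE_RE.match(line)
        if iface:
            current = ports.setdefault(
                iface.group(1), {"filtered": False, "logging": False})
        elif current is None:
            if line.lower() == "mac filter log-enable":
                global_enabled = True
        else:
            group = GROUP_RE.match(line)
            if group and group.group(1).strip().lower() == "log-enable":
                current["logging"] = True
            elif group:
                current["filtered"] = True
    if global_enabled:  # assumption: global logging covers every filtered port
        return True, []
    return False, [p for p, s in ports.items()
                   if s["filtered"] and not s["logging"]]
```

On the constructed sample, port 2 is reported: it has a filter group but no logging, while port 3 has no filter group and is ignored.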

Locking a Port To Restrict Addresses

Address-lock filters allow you to limit the number of devices that have access to a specific port. Access violations
are reported as SNMP traps. This feature is disabled by default. A maximum of 2048 entries can be specified for
access. The default address count is eight.

Configuration Notes

Static trunk ports and link-aggregation configured ports on FastIron devices do not support the lock-address
option.
The MAC port security feature is a more robust version of this feature. See "Using the MAC Port Security
December 2005
© Foundry Networks, Inc.
Configuring Basic Layer 2 Features
4 - 7
