How MAC Lockout works
Let's say a customer knows there are unauthorized wireless clients who should not have access to the network. The network administrator "locks out" the MAC addresses for the wireless clients by using the MAC Lockout command (lockout-mac
mac-address
). When the wireless clients then attempt to use the network, the switch recognizes the intruding MAC addresses and prevents them from sending or receiving data on that network.
If a particular MAC address can be identified as unwanted on the switch then that MAC Address can be disallowed on all ports on that switch with a single command. You don't have to configure every single port—just perform the command on the switch and it is effective for all ports.
MAC Lockout overrides MAC Lockdown, port security, and 802.1X authentication.
-
Broadcast or Multicast Addresses (Switches do not learn these)
-
Switch Agents (The switch own MAC Address)
A MAC address can exist on many different VLANs, so a lockout MAC address must be added to the MAC table as a drop. As this can quickly fill the MAC table, restrictions are placed on the number of lockout MAC addresses based on the number of VLANs configured.
VLANs configured |
Number of MAC lockout addresses |
Total number of MAC addresses |
---|---|---|
1-8 |
200 |
1,600 |
9-16 |
100 |
1,600 |
17-256 |
64 |
16,384 |
257-1024 |
16 |
16,384 |
1025-2048 |
8 |
16,384 |
There are limits for the number of VLANs, Multicast Filters, and Lockout MACs that can be configured concurrently as all use MAC table entries. The limits are shown below.
# VLANs |
# Multicast filters |
# Lockout MACs |
---|---|---|
<=1024 |
16 |
16 |
1025-2048 |
8 |
8 |
If someone using a locked out MAC address tries to send data through the switch a message is generated in the log file:
Lockout logging format:
W 10/30/03 21:35:15 maclock: module A: 0001e6-1f96c0 detected on port A15
W 10/30/03 21:35:18 maclock: module A: 0001e6-1f96c0 detected on port A15
W 10/30/03 21:35:18 maclock: module A: Ceasing lock-out logs for 5m
As with MAC Lockdown a rate limiting algorithm is used on the log file so that it does not become clogged with error messages. See Limiting the frequency of log messages.