MACLOCK preventing unauthorized mac address


Hi.

I want to configure the ports of a B5 (firmware 6.81) with something like Cisco port security. I want to statically provision a MAC port lock. I configured this:

set maclock enable
set maclock trap ge.6.30 enable violation
set maclock syslog ge.6.30 enable violation
set maclock static ge.6.30 1
set maclock 00:1d:70:96:8c:1c ge.6.30 create

If another device with a different MAC address connects to this port, the port goes down.

This way doesn't work; I tested it.

Can anyone help me?

Thks.

10 replies

Userlevel 7
I'm not an expert but I think you'd need this command ...

# set maclock disable-port

If it doesn't work, could you provide a screenshot of "show maclock"?

-Ron
Userlevel 7
That works for me.....

G3(su)-> show config maclock
#maclock
set maclock enable
set maclock static ge.1.8 1
set maclock firstarrival ge.1.8 0
set maclock disable-port ge.1.8
set maclock enable ge.1.8
set maclock 00:1d:70:96:8c:1c ge.1.8 create
!

G3(su)->show maclock ge.1.8
MAC locking is globally enabled

Port Port Trap Syslog Aging Port Clr Max Max Last Violating
Number Stat Thr|Viol Thr|Viol Stat Dis|Viol OLC Stc FA MAC Address
-------- ---- -------- -------- ---- -------- --- --- ---- -----------------
ge.1.8 ena dis|dis dis|dis dis ena|ena ena 1 0 00:04:96:8b:d2:98

G3(su)->show port status ge.1.8
Alias Oper Admin Speed
Port (truncated) Status Status (bps) Duplex Type
--------- ------------ ------- ------- --------- ------- ------------
ge.1.8 XOS_X430 Down Up N/A N/A BaseT RJ45/PoE
G3(su)->
Hi Ronald.

I configured "set maclock disable-port", but it doesn't work. I also configured "set maclock firstarrival ge.6.30 1"; it works in case more than 2 MAC addresses try to connect to the port, a switch for example.

Screenshot of "show maclock":

Ronald, now it works.

Did you notice my configuration "set maclock firstarrival ge.6.30 1"?

When I saw your configuration "set maclock firstarrival ge.1.8 0", I changed mine and it was OK. The port locked when the different MAC address showed up.

Thks Ronald.
Userlevel 7
Great, glad that I was able to help.

-Ron
Thks again Ronald.

🙂
Hi, Ronald.

Another help.

Look what has happened. The MAC address marked "last violation" is not connected, as if this MAC address is prohibited.



Do you know how I can clear this entry?
Userlevel 7
You could clear the violation with this command....

G3(su)->clear maclock violation disable-port ge.1.8
I did this, but it doesn't clear.

If I configure the port with firstarrival 0, the device with this MAC doesn't work.

SW_B5_7B(su)->show mac port ge.6.30
No entries found.

Thks again for your help.
Ronald, I understand.

I have to create each MAC address I want to connect on this port.
When a change happens, I will create a new entry and delete the old MAC.

set maclock 00:0e:08:d4:c7:9f ge.6.30 create
set maclock 00:1d:70:96:8c:1c ge.6.30 create

What do you think? Is it correct?
