Cabletron Systems EMM-E6 User Manual

Page 89


What is LANVIEWsecure?

7-3

Security

When the LANVIEWsecure feature is enabled, it provides two kinds of
protection: intruder protection will prevent any unauthorized source addresses
from communicating with the network via a secure port, and can be configured to
secure both station and trunk ports; eavesdropper protection scrambles the data
portion of any packet transmitted via a secure port to all but the destination port,
and can be extended to broadcast and multicast packets as well as packets
destined for a single address. Security is activated by enabling port locking; you
can lock and unlock ports and enable or disable traps at the repeater-, module-,
and port-level Security windows, as well as via the Source Address windows (see
Chapter 6, Source Address, for more information).

LANVIEWsecure includes the following features:

New definitions for station and trunk ports

Under LANVIEWsecure, station ports are now defined as those detecting zero,
one, or two source addresses; trunk ports are defined as those detecting three or
more.

Secure address assignment

The first two source addresses detected on any port are automatically secured for
both station and trunk ports; you can accept these default addresses as your
secure addresses, or you can replace them. In addition, each board contains a
floating cache that allows you to assign an additional 32 secure addresses among
the ports of your choosing. Some boards even provide multiple caches; see
Boards with Multiple Caches, below.

Trunk port security

When locking is enabled, all ports will be secured — including natural trunk
ports. (Only ports which have been forced to trunk status will remain unlocked.)
Before implementing locking on trunk ports, however, be sure you have secured
the necessary source addresses; as with station ports, only the first two detected
source addresses are secured by default.

For devices with the newest security firmware (3.11.xx), a port’s topology status
— whether it is considered to be a station port or a trunk port — no longer
determines its securability; securability is only determined by the number of
source addresses in a port’s source address table: any port which detects fewer
than 35 source addresses will be locked. Ports which exceed those numbers are
designated “unsecurable,” and will be displayed as such in the port-level Security
window; in addition, a new feature allows you to force any port to an unsecurable
(that is, unlockable) state.
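The locking rules above can be modelled to audit a port before it is locked. This is an added example, not Cabletron firmware or part of the manual; the class names, the single cache per board, the treatment of exactly 35 addresses as unsecurable, and the sample addresses are assumptions, and only the 3.11.xx securability rule is modelled.

```python
# Simplified model of the port-locking rules described above (added example).
DEFAULT_SECURED = 2   # first two detected source addresses are secured by default
FLOATING_CACHE = 32   # extra secure addresses per board (one cache assumed)
UNSECURABLE_AT = 35   # 3.11.xx: fewer than 35 addresses means lockable (boundary assumed)

class Board:
    def __init__(self):
        self.cache_free = FLOATING_CACHE
        self.ports = {}

    def port(self, number):
        return self.ports.setdefault(number, Port(self))

class Port:
    def __init__(self, board):
        self.board = board
        self.seen = []      # source addresses in detection order
        self.secure = []    # addresses permitted once the port is locked
        self.locked = False

    def detect(self, mac):
        """Record a source address seen while the port is unlocked."""
        if mac not in self.seen:
            self.seen.append(mac)
            if len(self.secure) < DEFAULT_SECURED:
                self.secure.append(mac)

    def topology(self):
        return "trunk" if len(self.seen) >= 3 else "station"

    def would_lock_out(self):
        """Pre-lock audit: detected addresses that locking would cut off."""
        return [m for m in self.seen if m not in self.secure]

    def assign_from_cache(self, mac):
        """Spend one floating-cache entry to secure an additional address."""
        if mac in self.secure:
            return True
        if self.board.cache_free == 0:
            return False
        self.board.cache_free -= 1
        self.secure.append(mac)
        return True

    def lock(self):
        """Lock only if the port is securable under the 3.11.xx rule."""
        self.locked = len(self.seen) < UNSECURABLE_AT
        return self.locked

    def permits(self, mac):
        return not self.locked or mac in self.secure
```

Running `would_lock_out()` on a trunk port before `lock()` lists the stations that still need a floating-cache entry, which is the check the trunk port paragraph asks for.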

TIP

When you lock ports from a repeater-, module-, or port-level Security window, you have
the option of setting two lock modes: Full or Continuous. When you lock ports via a
Source Address window, the lock setting will default to the Full lock mode. See the section
on Continuous Address Learning, below, or Enabling Security and Traps, page 7-12,
for more information on these two lock modes.
