Cabletron Systems SEHI-22/24 User Manual
Security
Enabling Security and Traps
You can enable or disable all applicable protections by locking or unlocking ports 
via the repeater, hub, or port Security window, as described in the sections below. 
There are two levels of lock status to choose from. If you select Full lock status, the 
port will stop learning new source addresses, accept packets only from secured 
source addresses, employ either full or partial eavesdrop protection (as 
configured), and take the configured steps (send trap and/or disable port) if a 
violation occurs. If you select Continuous lock status, the port will implement the 
configured level of eavesdrop protection, but continue to learn source addresses 
and allow all packets to pass, effectively disabling intruder protection.
Enabling and disabling traps from the Security windows has the same effect as 
enabling and disabling them from the Source Address windows; you can enable 
and disable the following traps:
• A newSourceAddress trap is generated when a station port — one receiving 
  packets from zero, one, or two source addresses — receives a packet from a 
  source address that is not currently in its source address table. Information 
  included in this trap includes the board number, port number, and source 
  address associated with the trap. Trunk ports — those receiving packets from 
  three or more source addresses — will not issue newSourceAddress traps.
• A sourceAddressTimeout trap is issued anytime a source address is aged out 
  of the Source Address Table due to inactivity. The trap’s interesting 
  information includes the board and port index, and the source address that 
  timed out. (See Setting the Ageing Time in Chapter 4, Source Addressing, for 
  more information.)
All other source address traps (portTypeChanged, lockStatusChanged, 
portSecurityViolation, and portViolationReset, all defined in Chapter 4, Source 
Addressing) will continue to be generated as appropriate, as will the 
security-specific traps:
• A secureStateChange trap indicates that a port has changed from a securable 
  state to an unsecurable state, or vice versa; the interesting information includes 
  board and port index.
• A learnStateChange trap indicates that a port has had its learned addresses 
  reset. Interesting information includes board and port index, and current learn 
  state. Note that SPMA always maintains ports in a learn state, and just resets 
  that learn state to achieve a reset of existing learned and secure addresses.
• A learnModeChange trap is issued when a port is set to continuous lock 
  mode; interesting information includes board and port index, and current 
  learn mode.
When setting these parameters at the various levels, keep in mind that the most 
recent setting will override the existing status: for example, if you lock one or 
more ports at the port level, then unlock them at the hub level, all ports on the 
hub will be unlocked. Similarly, if you enable traps at the hub level, then disable 
them at the repeater level, traps will be disabled for all ports on the repeater.
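
The lock and trap behavior described in this section, as an added Python model for reasoning about which settings still block unknown stations (it is not Cabletron or SPMA code, and the class, function, and address names are hypothetical). It assumes a Full lock violation is reported with the portSecurityViolation trap and that a port is classed as station or trunk from the addresses already in its table when the packet arrives.

```python
from dataclasses import dataclass, field
UNLOCKED, FULL, CONTINUOUS = "unlocked", "full", "continuous"

@dataclass
class Port:
    board: int
    port: int
    lock: str = UNLOCKED
    steps: tuple = ("trap",)                   # configured violation steps: "trap" and/or "disable"
    enabled: bool = True
    table: set = field(default_factory=set)    # learned / secured source addresses
    traps: list = field(default_factory=list)  # (trap name, board, port, detail)

    def set_lock(self, status):
        self.lock = status
        if status == CONTINUOUS:               # trap issued when set to continuous lock mode
            self.traps.append(("learnModeChange", self.board, self.port, status))

    def receive(self, src):
        """Return True if a packet from source address src is accepted."""
        if not self.enabled:
            return False
        if src in self.table:
            return True
        if self.lock == FULL:                  # no learning; unknown source is a violation
            if "trap" in self.steps:           # assumed trap name, see lead-in
                self.traps.append(("portSecurityViolation", self.board, self.port, src))
            if "disable" in self.steps:
                self.enabled = False
            return False
        if len(self.table) <= 2:               # station port: zero, one, or two addresses
            self.traps.append(("newSourceAddress", self.board, self.port, src))
        self.table.add(src)
        return True                            # Unlocked or Continuous: learned and passed

def set_hub_lock(ports, status):               # most recent setting overrides each port
    for p in ports:
        p.set_lock(status)

def demo():
    known, unknown = "00:00:5e:00:53:01", "00:00:5e:00:53:99"  # constructed addresses
    p = Port(board=1, port=3)
    p.receive(known)                 # learned while unlocked
    p.set_lock(FULL)
    full = p.receive(unknown)        # rejected, violation trap recorded
    p.set_lock(CONTINUOUS)
    cont = p.receive(unknown)        # accepted and learned: no intruder protection
    p.set_lock(FULL)                 # lock again at the port level...
    set_hub_lock([p], UNLOCKED)      # ...then a later hub-level unlock overrides it
    return full, cont, p.lock, [t[0] for t in p.traps]
```
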