How MAC Lockout works

Let's say a customer knows there are unauthorized wireless clients who should not have access to the network. The network administrator "locks out" the MAC addresses for the wireless clients by using the MAC Lockout command (lockout-mac mac-address ). When the wireless clients then attempt to use the network, the switch recognizes the intruding MAC addresses and prevents them from sending or receiving data on that network.

If a particular MAC address can be identified as unwanted on the switch then that MAC Address can be disallowed on all ports on that switch with a single command. You don't have to configure every single port—just perform the command on the switch and it is effective for all ports.

MAC Lockout overrides MAC Lockdown, port security, and 802.1X authentication.

You cannot use MAC Lockout to lock:
  • Broadcast or Multicast Addresses (Switches do not learn these)

  • Switch Agents (The switch own MAC Address)

A MAC address can exist on many different VLANs, so a lockout MAC address must be added to the MAC table as a drop. As this can quickly fill the MAC table, restrictions are placed on the number of lockout MAC addresses based on the number of VLANs configured.

VLANs configured

Number of MAC lockout addresses

Total number of MAC addresses

1-8

200

1,600

9-16

100

1,600

17-256

64

16,384

257-1024

16

16,384

1025-2048

8

16,384

There are limits for the number of VLANs, Multicast Filters, and Lockout MACs that can be configured concurrently as all use MAC table entries. The limits are shown below.

Limits on Lockout MACs

# VLANs

# Multicast filters

# Lockout MACs

<=1024

16

16

1025-2048

8

8

If someone using a locked out MAC address tries to send data through the switch a message is generated in the log file:

Lockout logging format:
W 10/30/03 21:35:15 maclock: module A: 0001e6-1f96c0 detected on port A15
W 10/30/03 21:35:18 maclock: module A: 0001e6-1f96c0 detected on port A15
W 10/30/03 21:35:18 maclock: module A: Ceasing lock-out logs for 5m

As with MAC Lockdown a rate limiting algorithm is used on the log file so that it does not become clogged with error messages. See Limiting the frequency of log messages.