Syntax:
MAC Lockout involves configuring a MAC address on all ports and VLANs for a switch, so that any traffic to or from the "locked-out" MAC address is dropped: all data packets addressed to or from the given address are stopped by the switch. MAC Lockout is like a simple blacklist.
MAC Lockout is implemented on a per switch assignment. To use it you must know the MAC Address to block. To fully lock out a MAC address from the network it is necessary to use the MAC Lockout command on all switches.
Let's say a customer knows there are unauthorized wireless clients who should not have access to the network. The network administrator "locks out" the MAC addresses for the wireless clients by using the MAC Lockout command (lockout-mac <
). When the wireless clients then attempt to use the network, the switch recognizes the intruding MAC addresses and prevents them from sending or receiving data on that network.mac-address
>
If a particular MAC address can be identified as unwanted on the switch then that MAC Address can be disallowed on all ports on that switch with a single command. You don't have to configure every single port—just perform the command on the switch and it is effective for all ports.
MAC Lockout overrides MAC Lockdown, port security, and 802.1X authentication.
You cannot use MAC Lockout to lock:
-
Broadcast or Multicast Addresses (Switches do not learn these)
-
Switch Agents (The switch’s own MAC Address)
A MAC address can exist on many different VLANs, so a lockout MAC address must be added to the MAC table as a drop. As this can quickly fill the MAC table, restrictions are placed on the number of lockout MAC addresses based on the number of VLANs configured.
VLANs configured | Number of MAC lockout addresses | Total number of MAC addresses |
---|---|---|
1-8 | 200 | 1,600 |
9-16 | 100 | 1,600 |
17-256 | 64 | 16,384 |
257-1024 | 16 | 16,384 |
1025-2048 | 8 | 16,384 |
There are limits for the number of VLANs, Multicast Filters, and Lockout MACs that can be configured concurrently as all use MAC table entries. The limits are shown below.
If someone using a locked out MAC address tries to send data through the switch a message is generated in the log file:
Lockout logging format:
W 10/30/03 21:35:15 maclock: 0001e6-1f96c0 detected on port 15
W 10/30/03 21:35:18 maclock: 0001e6-1f96c0 detected on port 15
W 10/30/03 21:35:18 maclock: Ceasing lock-out logs for 5m
As with MAC Lockdown a rate limiting algorithm is used on the log file so that it does not become overclogged with error messages. See Limiting the frequency of log messages.