Monitoring mac address movement – Brocade FastIron Ethernet Switch Platform and Layer 2 Switching Configuration Guide User Manual
Page 31

When you create a MAC address filter, it takes effect immediately. You do not need to reset the system. However, you do need to save the configuration to flash memory to retain the filters across system resets.
Monitoring MAC address movement
MAC address movement notification allows you to monitor the movement of MAC addresses that migrate from port to port. It enables you to distinguish between legitimate movement and malicious movement by allowing you to define malicious use as a threshold number of times a MAC address moves within a specific interval.
Malicious use typically involves many MAC address moves, while legitimate use usually involves a single move. Malicious movement is often the result of MAC address spoofing, in which a malicious user masquerades as a legitimate user by changing his own MAC address to that of a legitimate user. As a result, the MAC address moves back and forth between the ports where the legitimate and malicious users are connected. A legitimate use might be to spoof the MAC address of a failed device in order to continue access using a different device.
You can monitor MAC address movements in the following ways:
• Threshold-rate notifications allow you to configure the maximum number of movements over a specified interval for each MAC address before a notification is sent. For example, you could define the malicious move rate as three moves every 30 seconds.
• Interval-history notifications are best suited for a statistical analysis of the number of MAC address movements for a configured time interval. For example, you may want to find out how many MAC addresses have moved in the system over a given interval or how many times a specific MAC address has moved during that interval. However, it is not possible to get this information for every MAC address if there are a lot of MAC addresses that moved during the interval. Consequently, the number of MAC addresses that can have a recorded history is limited.
NOTE
MAC address move notification does not detect MAC movements across an MCT cluster between MCT peers. It only detects MAC movements locally within a cluster MCT peer.
Configuring the MAC address movement threshold rate
To enable notification of MAC address moves, enter the mac-movement notification threshold-rate command at the global configuration level. This command enables a corresponding SNMP trap. Notification is triggered when a threshold number of MAC address moves occurs within a specified period for the same MAC address. This command sets the threshold level and the sampling interval.
Avoid threshold rates and sampling intervals that are too small. If you choose a small threshold and a sampling interval that is also small, an unnecessarily high number of traps could occur.
The following example enables notification of MAC address moves and sends an SNMP trap when any MAC address moves to a different port five times in a 10-second interval.
device(config)# mac-movement notification threshold-rate 5 sampling-interval 10
To disable notification of MAC address moves and disable the SNMP trap, use the no form of the command, as shown in the following example.
device(config)# no mac-movement notification threshold-rate 5 sampling-interval 10
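As an added illustration that is not part of the guide, the following Python models the two notification modes described above (threshold-rate and interval-history) on constructed MAC-move events, using the same parameters as the example, five moves in a 10-second sampling interval. The sliding-window counting and the reset after each notification are assumptions about how a detector might count, not a description of how the switch firmware implements the feature.

```python
from collections import Counter, defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class MacMove:
    """One MAC move event (constructed, modelled on a MAC-move log entry)."""
    ts: float        # seconds since start of capture
    mac: str         # Brocade-style xxxx.xxxx.xxxx notation
    from_port: str
    to_port: str

def detect_mac_move_threshold(moves, threshold, sampling_interval):
    """Threshold-rate model: report (ts, mac) when one MAC has moved `threshold`
    times within a sliding `sampling_interval`-second window. The window is
    reset after each report (assumption: one notification per exceeded window)."""
    windows = defaultdict(deque)  # mac -> timestamps of its recent moves
    alerts = []
    for m in sorted(moves, key=lambda e: e.ts):
        w = windows[m.mac]
        w.append(m.ts)
        while w and m.ts - w[0] > sampling_interval:
            w.popleft()  # drop moves older than the sampling interval
        if len(w) >= threshold:
            alerts.append((m.ts, m.mac))
            w.clear()
    return alerts

def interval_history(moves, start, end):
    """Interval-history model: number of MACs that moved in [start, end)
    and how many times each of them moved."""
    per_mac = Counter(m.mac for m in moves if start <= m.ts < end)
    return len(per_mac), dict(per_mac)

# Constructed events: one MAC flapping between the legitimate user's port and
# a second port (the spoofing pattern described above), plus a single legitimate move.
SAMPLE_MOVES = [
    MacMove(0.0, "0024.3811.bb02", "1/1/2", "1/1/3"),
    MacMove(1.0, "0024.3811.aa01", "1/1/1", "1/1/5"),
    MacMove(2.0, "0024.3811.aa01", "1/1/5", "1/1/1"),
    MacMove(3.5, "0024.3811.aa01", "1/1/1", "1/1/5"),
    MacMove(5.0, "0024.3811.aa01", "1/1/5", "1/1/1"),
    MacMove(7.0, "0024.3811.aa01", "1/1/1", "1/1/5"),
    MacMove(8.0, "0024.3811.aa01", "1/1/5", "1/1/1"),
]

if __name__ == "__main__":
    # Same parameters as the guide's example: threshold-rate 5, sampling-interval 10
    print(detect_mac_move_threshold(SAMPLE_MOVES, 5, 10))  # [(7.0, '0024.3811.aa01')]
    print(interval_history(SAMPLE_MOVES, 0, 10))
```

The single move of the second MAC never reaches the threshold, which is the legitimate-use case the text distinguishes from repeated flapping.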
53-1003086-04