MAC Address Monitoring

MAC address monitoring lets Account Administrators control the installation of unauthorized hardware by employees: the VPN Gateway recognizes the hardware as unauthorized and alerts the Account Administrator.

The Account Administrator can configure a static list of authorized MAC addresses in the Device Profile in the AT&T Administration Server. Alternatively, the list can be defined dynamically by working with AT&T Support personnel: an Account Administrator can request an immediate survey, or schedule a survey, of all MAC addresses using a VPN Gateway for network access. Any machines that are powered on and using the VPN Gateway for network access at the time of the survey are marked as authorized. If both methods are used, the VPN Gateway combines the static and dynamic lists. Once the list of authorized MAC addresses is defined, the VPN Gateway monitors the MAC addresses it sees from then on for deviations from the authorized list.

Valid machines are detected by sending ARP packets and by monitoring the ARP table.

When the VPN Gateway recognizes a MAC address that is not on the authorized list, it sends an alert via an SNMP trap or SNMP inform, if configured to do so. The VPN Gateway Device Profile determines whether traffic from the unauthorized MAC address is allowed or discarded.
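The following added example (not AT&T's code and not the VPN Gateway's implementation) sketches the check described above: a static list and a survey list are merged, and each resolved ARP entry on a monitored VLAN is compared against the result. The Linux `ip neigh show` table format, the interface names `vlan10`/`vlan20`, the sample addresses, and all function names are assumptions made for illustration.

```python
import re

# Constructed sample in the format of Linux `ip neigh show` (an assumption;
# the page does not show the VPN Gateway's own ARP table format).
SAMPLE_ARP_TABLE = """\
192.168.10.11 dev vlan10 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.10.12 dev vlan10 lladdr 00:1A:2B:3C:4D:5F STALE
192.168.10.13 dev vlan10 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.10.14 dev vlan10  FAILED
192.168.20.21 dev vlan20 lladdr 02:00:5e:10:00:07 DELAY
"""
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)\s+lladdr\s+(\S+)")

def normalize_mac(text):
    """Return a MAC as lowercase colon-separated hex, or None if malformed.
    Accepts 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e and 001a.2b3c.4d5e."""
    digits = re.sub(r"[:.\-]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def build_authorized(static_list, survey_list):
    """Union of the static list and the survey (dynamic) list."""
    macs = (normalize_mac(m) for m in list(static_list) + list(survey_list))
    return {m for m in macs if m}

def parse_neighbors(table_text):
    """Yield (ip, interface, mac); unresolved entries carry no MAC and are skipped."""
    for line in table_text.splitlines():
        match = NEIGH_RE.match(line.strip())
        mac = normalize_mac(match.group(3)) if match else None
        if mac:
            yield match.group(1), match.group(2), mac

def find_unauthorized(table_text, authorized, monitored_vlans, discard=False):
    """Return one alert record per unauthorized MAC seen on a monitored VLAN."""
    action = "discard" if discard else "allow"
    return [{"mac": mac, "ip": ip, "interface": dev, "action": action}
            for ip, dev, mac in parse_neighbors(table_text)
            if dev in monitored_vlans and mac not in authorized]

if __name__ == "__main__":
    authorized = build_authorized(["00-1A-2B-3C-4D-5E"], ["001a.2b3c.4d5f"])
    for alert in find_unauthorized(SAMPLE_ARP_TABLE, authorized, {"vlan10"}, discard=True):
        print(alert)
```

Normalizing every address before comparison matters here: the same adapter written in a different notation or case would otherwise be reported as unauthorized.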

The authorized and unauthorized MAC address lists can be viewed on the VPN Gateway Customer Support page. Both lists persist after a reboot, but resetting the VPN Gateway to default values or performing a catastrophic reset erases the authorized MAC address list.

MAC monitoring can be enabled on a per-VLAN basis. Optionally, the VLAN port can be disabled when an unauthorized MAC address is detected. If multiple devices are plugged into a single VPN Gateway VLAN port via a hub or switch, they are all disabled when the unauthorized MAC is detected. The port remains disabled until the VPN Gateway is rebooted.