Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

if the interface then receives a packet with a source MAC address that does not match the learned
addresses, it is considered a security violation.

When a security violation occurs, a Syslog entry and an SNMP trap are generated. In addition, the
device takes one of two actions: it either drops packets from the violating address (and allows packets
from the secure addresses), or disables the port for a specified amount of time. You specify which of
these actions takes place.

The secure MAC addresses are not flushed when an interface is disabled and re-enabled on FastIron X Series devices. The secure MAC addresses are flushed when an interface is disabled and re-enabled on FCX and ICX devices.

The secure addresses can be kept secure permanently (the default), or can be configured to age out,
at which time they are no longer secure. You can configure the device to automatically save the
secure MAC address list to the startup-config file at specified intervals, allowing addresses to be kept
secure across system restarts.

Local and global resources used for MAC port security

The MAC port security feature uses a concept of local and global "resources" to determine how many
MAC addresses can be secured on each interface. In this context, a "resource" is the ability to store
one secure MAC address entry. Each interface is allocated 64 local resources. Additional global
resources are shared among all interfaces on the device.

When the MAC port security feature is enabled on an interface, the interface can store one secure
MAC address. You can increase the number of MAC addresses that can be secured using local
resources to a maximum of 64.

Besides the maximum of 64 local resources available to an interface, there are additional global
resources. Depending on flash memory size, a device can have 1024, 2048, or 4096 global resources
available. When an interface has secured enough MAC addresses to reach its limit for local resources,
it can secure additional MAC addresses by using global resources. Global resources are shared
among all the interfaces on a first-come, first-served basis.

The maximum number of MAC addresses any single interface can secure is 64 (the maximum number
of local resources available to the interface), plus the number of global resources not allocated to other
interfaces.
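The allocation rule above is easy to get wrong when planning how many addresses each port may secure, because the global pool is shared and handed out in arrival order rather than reserved per port. The model below is an added illustration, not Brocade code: the class and function names (MacPortSecurityPool, check_plan) are invented, and the release rule (a port returns a global resource before a local one) is an assumption. It reproduces the stated accounting so a configuration plan can be checked before it is applied to a device.

```python
"""Model of the local/global MAC port-security resource accounting.

Added illustration, not Brocade code: names are invented; it reproduces the
rule stated in the guide (64 local resources per interface, then a shared
global pool handed out first-come, first-served)."""

LOCAL_PER_INTERFACE = 64                # local resources every interface gets
GLOBAL_POOL_SIZES = (1024, 2048, 4096)  # depends on the device's flash memory size


class ResourceExhausted(Exception):
    """Raised when neither a local nor a global resource is available."""


class MacPortSecurityPool:
    def __init__(self, global_resources):
        if global_resources not in GLOBAL_POOL_SIZES:
            raise ValueError(f"global pool must be one of {GLOBAL_POOL_SIZES}")
        self.global_free = global_resources
        self.ports = {}   # port name -> {"local": used, "global": used, "macs": set}

    def enable(self, port):
        """Enable MAC port security on an interface (no addresses secured yet)."""
        self.ports.setdefault(port, {"local": 0, "global": 0, "macs": set()})

    def secure(self, port, mac):
        """Secure one MAC on a port; returns which resource type was consumed."""
        p = self.ports[port]
        if mac in p["macs"]:
            return "already-secure"
        if p["local"] < LOCAL_PER_INTERFACE:      # local resources are used first
            p["local"] += 1
            used = "local"
        elif self.global_free > 0:                # then the shared global pool
            self.global_free -= 1
            p["global"] += 1
            used = "global"
        else:
            raise ResourceExhausted(f"{port}: no resource left to secure {mac}")
        p["macs"].add(mac)
        return used

    def release(self, port, mac):
        """Un-secure a MAC. Assumption (not stated in the guide): a port gives
        back a global resource before a local one, so the shared pool recovers
        as early as possible."""
        p = self.ports[port]
        p["macs"].remove(mac)
        if p["global"] > 0:
            p["global"] -= 1
            self.global_free += 1
        else:
            p["local"] -= 1

    def max_securable(self, port):
        """64 local resources plus every global resource not held by another port."""
        p = self.ports[port]
        return LOCAL_PER_INTERFACE + p["global"] + self.global_free


def check_plan(global_resources, plan):
    """plan maps port -> intended maximum of secure MACs.
    Returns (fits, global_demand): only the part of each maximum above 64
    has to come from the global pool, so that is what must fit."""
    demand = sum(max(0, n - LOCAL_PER_INTERFACE) for n in plan.values())
    return demand <= global_resources, demand


if __name__ == "__main__":
    pool = MacPortSecurityPool(1024)
    for port in ("e1/1/1", "e1/1/2"):
        pool.enable(port)
    # constructed MAC strings; 1088 = 64 local + all 1024 global resources
    kinds = [pool.secure("e1/1/1", f"0000.1111.{i:04x}") for i in range(1088)]
    print(kinds.count("local"), kinds.count("global"), pool.max_securable("e1/1/2"))
```

The point of check_plan is that a plan whose per-port maximums each look modest can still fail: a port that secures its addresses first takes global resources that a later port then cannot get, and the later port is limited to its 64 local entries until something is released.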

Configuration notes and feature limitations for MAC port security

The following limitations apply to this feature:

• MAC port security applies only to Ethernet interfaces.
• When the ACL is removed, unknown unicast traffic is flooded out of a port that has already learned its maximum number of secure MAC addresses.
• MAC port security is not supported on static trunk group members or on ports that are configured for link aggregation.
• MAC port security is not supported on 802.1X port security-enabled ports.
• Brocade devices do not support the reserved-vlan-id num command, which changes the default VLAN ID for the MAC port security feature.
• The SNMP trap generated for restricted MAC addresses indicates the VLAN ID associated with the MAC address, as well as the port number and MAC address.
• MAC port security is not supported on ports that have multi-device port authentication enabled.
• If secure MAC addresses are learned dynamically, the first packet from each new secure MAC address is dropped.
• Violated MAC movement is not supported.
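The behaviour described on this page (dynamic learning that costs the first frame, a full port treating any other source MAC as a violation that is logged and trapped and then either restricted or shut down for a timer, optional aging, and the FCX/ICX versus X Series difference on disable/re-enable) is what an operator sees on the wire and in Syslog when tuning the feature. The model below is an added illustration, not Brocade code: the class SecurePort, its method and event names and the sample frames are constructed, and two details the guide does not state are marked as assumptions in the comments (no flush when the shutdown timer expires, and dynamic entries being the ones flushed on a bounce).

```python
"""Simplified model of per-port MAC port-security learning and violation
handling. Added illustration, not Brocade code: names, event strings and
sample frames are invented; times are a simulated clock in seconds."""


class SecurePort:
    def __init__(self, name, maximum=1, violation="restrict", shutdown_secs=0,
                 age_secs=0, flush_on_reenable=True):
        if violation not in ("restrict", "shutdown"):
            raise ValueError("violation action must be 'restrict' or 'shutdown'")
        self.name = name
        self.maximum = maximum              # secure MACs allowed (1 when first enabled)
        self.violation = violation          # 'restrict' drops the offender, 'shutdown' disables the port
        self.shutdown_secs = shutdown_secs  # how long a 'shutdown' keeps the port disabled
        self.age_secs = age_secs            # 0 = secure permanently (the default)
        self.flush_on_reenable = flush_on_reenable  # True: FCX/ICX, False: FastIron X Series
        self.secure = {}                    # mac -> time it was learned
        self.disabled_until = None          # set while a 'shutdown' timer is running
        self.events = []                    # ("syslog" | "snmp-trap", text)

    def _age_out(self, now):
        if self.age_secs:
            self.secure = {m: t for m, t in self.secure.items() if now - t < self.age_secs}

    def _violation(self, mac, vlan, now):
        # every violation produces a Syslog entry and an SNMP trap carrying port, MAC and VLAN
        self.events.append(("syslog", f"{self.name}: security violation, src {mac}"))
        self.events.append(("snmp-trap", f"port={self.name} mac={mac} vlan={vlan}"))
        if self.violation == "shutdown":
            self.disabled_until = now + self.shutdown_secs
        return "drop-violation"

    def ingress(self, src_mac, vlan, now):
        """Fate of one frame: forward, drop-first-learn, drop-violation or drop-port-disabled."""
        if self.disabled_until is not None:
            if now < self.disabled_until:
                return "drop-port-disabled"      # shutdown timer still running
            self.disabled_until = None           # timer expired; assumption: no flush here
        self._age_out(now)
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[src_mac] = now           # learned dynamically ...
            return "drop-first-learn"            # ... but this first frame is dropped
        return self._violation(src_mac, vlan, now)

    def bounce(self):
        """Administrative disable + re-enable of the interface."""
        if self.flush_on_reenable:               # assumption: learned entries are what gets flushed
            self.secure = {}
        self.disabled_until = None


def run_frames(port, frames):
    """Feed constructed (src_mac, vlan, time) tuples; return the fate of each frame."""
    return [port.ingress(mac, vlan, t) for mac, vlan, t in frames]


if __name__ == "__main__":
    p = SecurePort("e1/1/1", maximum=2)
    frames = [("0000.aaaa.0001", 10, 0), ("0000.aaaa.0001", 10, 1),
              ("0000.aaaa.0002", 10, 2), ("0000.bbbb.0003", 10, 3)]
    print(run_frames(p, frames))
    print(p.events)
```

Two practical consequences fall out of the model: with the restrict action a violating host only loses its own frames while secure hosts keep working, whereas the shutdown action punishes every host behind the port for the full timer, so a single spoofed frame can be used to take a shared port offline; and because the first frame of every dynamically learned address is dropped, protocols that send one unanswered packet (a DHCP DISCOVER, for instance) will appear to fail once before succeeding on a freshly enabled port.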

218

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03