
Dropping packets from a violating address – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual


For example, to automatically save learned secure MAC addresses every 20 minutes, enter the
following commands.

device(config)#port security

device(config-port-security)#autosave 20

Syntax: [no] autosave minutes

The minutes variable can be from 15 through 1440 minutes. By default, secure MAC addresses are
not autosaved to the startup-config file.

If you change the autosave interval, the next save happens according to the old interval, then the new
interval takes effect. To change the interval immediately, disable autosave by entering the no autosave
command, then configure the new autosave interval using the autosave command.

Specifying the action taken when a security violation occurs

A security violation can occur when a user tries to connect to a port where a MAC address is already
locked, or the maximum number of secure MAC addresses has been exceeded. When a security
violation occurs, an SNMP trap and Syslog message are generated.

You can configure the device to take one of two actions when a security violation occurs: either drop
packets from the violating address (and continue to allow packets from secure addresses), or disable the
port for a specified time.

Dropping packets from a violating address

To configure the device to drop packets from a violating address and allow packets from secure
addresses, enter the following commands.

device(config)#interface ethernet 7/11

device(config-if-e1000-7/11)#port security

device(config-port-security-e1000-7/11)#violation restrict

Syntax: violation [ restrict ]

NOTE
When the restrict option is used, the maximum number of MAC addresses that can be restricted is
128. If the number of violating MAC addresses exceeds this number, the port is shut down. An SNMP
trap and the following Syslog message are generated: "Port Security violation restrict limit 128
exceeded on interface ethernet port_id". This is followed by a port shutdown Syslog message and
trap.
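Because the restrict limit message is the last warning before the switch shuts the port down, it is worth matching explicitly in log monitoring. The following is an added example (not part of the Brocade guide) that extracts the interface and limit from that Syslog text; the timestamp and hostname prefix on the sample lines are constructed and may differ from a real device's output.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches the Syslog text quoted in the guide for the restrict-limit case:
#   "Port Security violation restrict limit 128 exceeded on interface ethernet port_id"
RESTRICT_LIMIT_RE = re.compile(
    r"Port Security violation restrict limit (?P<limit>\d+) exceeded "
    r"on interface ethernet (?P<port>\S+)"
)


@dataclass
class RestrictLimitEvent:
    port: str    # interface id as printed by the switch, e.g. 7/11
    limit: int   # the restrict limit that was exceeded (128 per the guide)
    raw: str     # the original log line


def parse_event(line: str) -> Optional[RestrictLimitEvent]:
    """Return an event if the line is a restrict-limit-exceeded message, else None."""
    m = RESTRICT_LIMIT_RE.search(line)
    if not m:
        return None
    return RestrictLimitEvent(port=m.group("port"), limit=int(m.group("limit")), raw=line)


def ports_about_to_shut_down(lines: Iterable[str]) -> List[str]:
    """Interfaces for which the restrict limit was exceeded, in first-seen order.

    Per the guide, a port shutdown follows this message, so these interfaces
    need attention regardless of the configured violation age.
    """
    seen: List[str] = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev.port not in seen:
            seen.append(ev.port)
    return seen


# Constructed sample Syslog lines (not captured from a real device).
SAMPLE_LOG = [
    "Jan 10 10:01:02 sw1 Security: Port Security violation restrict limit 128 exceeded on interface ethernet 7/11",
    "Jan 10 10:01:03 sw1 Security: Interface ethernet 7/11, state down",
    "Jan 10 10:05:17 sw1 Security: Port Security violation restrict limit 128 exceeded on interface ethernet 7/12",
    "Jan 10 10:07:00 sw1 System: Interface ethernet 7/13, state up",
]

if __name__ == "__main__":
    for port in ports_about_to_shut_down(SAMPLE_LOG):
        print(f"restrict limit exceeded on ethernet {port}; expect a port shutdown to follow")
```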

Specifying the period of time to drop packets from a violating address

To specify the number of minutes that the device drops packets from a violating address, use
commands similar to the following.

device(config)#interface ethernet 7/11

device(config-if-e1000-7/11)#port security

device(config-port-security-e1000-7/11)#violation restrict 5

Syntax: violation [ restrict ] [ age ]

The age variable can be from 0 through 1440 minutes. The default is 5 minutes. Specifying 0 drops
packets from the violating address permanently.


FastIron Ethernet Switch Security Configuration Guide

53-1003088-03