Port security, Default configurations – Brocade Network OS Administrator’s Guide v4.1.1 User Manual

database, the connecting device is allowed to join the fabric. If the neighboring device is not specified in
the SCC policy active list, both devices are segmented.

By default, any device is allowed to join the fabric; the SCC policy is not enforced until it is created and
activated. Creating a policy without any entries blocks access from all devices. The local switch is not
required to be included in a switch-local SCC policy.

SCC policy commands are not distributed across the cluster. Because the policy is local, it must be configured on each node separately, addressing that node by its RBridge ID.

NOTE
The configuration is applicable only to E_Ports on the Brocade VDX 6730 platforms. All configurations
are local to the switch and are not automatically distributed across the fabric.

Port security

Port security limits what an administrator or a malicious user can gain by changing the MAC address
of a virtual machine (VM) in a data center environment: frames sourced from an address the port has
not been told to accept are not forwarded. This is especially helpful in virtual desktop infrastructure
(VDI) environments, where users might have full administrative control of the VM and can change the
MAC address of a virtual network interface card (vNIC). Here port security gives the switch, rather than
the VM owner, control over which source addresses the port accepts.

The secured ports can be categorized as either trusted or untrusted. The administrator can apply
policies appropriate to those categories to protect against various types of attacks.

Port-security features can be enabled selectively to reach the level of port security that is
appropriate for the deployment. The basic features take effect as soon as an interface is made a secure
port; the additional features described below are enabled with a few further configuration steps.

The following MAC port-security features enhance security at Layer 2:

MAC address limiting: This restricts input to an interface by limiting and identifying the MAC
addresses of workstations that are allowed to access the port. When secure MAC addresses are
assigned to a secure port, the port does not forward packets with source addresses outside the
group of defined addresses.

OUI-based port security: If an administrator knows which types of systems are connecting to the
network, it is possible to configure an Organizationally Unique Identifier (OUI) on a secure port to
ensure that only traffic coming from devices that are part of the configured OUI is forwarded.

Port security with sticky MAC addresses: Using sticky MAC addresses is similar to using static
secure MAC addresses, but sticky MAC addresses are learned dynamically. These addresses are
retained when a link goes down.

Default configurations

Port security is disabled by default. The following table summarizes default port-security configurations
that are applied to an interface when it is made a secure port.

TABLE 53  Default configurations for port security

Feature                                 Default configuration
Max. number of secure MAC addresses     8192
Violation mode                          Shutdown
Shutdown time (minutes)                 0
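The following is an added, illustrative model of how the three features above interact with the Table 53 defaults; it is not Network OS code and does not use Network OS CLI syntax. It assumes colon-separated MAC strings, that a violation mode other than Shutdown simply drops the offending frame (called "drop" here), and that a shutdown time of 0 means the port stays down until an administrator re-enables it. The sample MAC addresses are constructed (00:50:56 is a VMware OUI, used only as sample data).

```python
"""Model of Layer-2 port security: MAC limiting, OUI filtering, sticky learning
and the Shutdown violation mode with its shutdown timer (example, not NOS code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


def oui_of(mac: str) -> str:
    """First three octets of a colon-separated MAC, e.g. '00:50:56' (format assumed)."""
    return mac.lower()[:8]


@dataclass
class SecurePort:
    """One secure interface, initialised with the Table 53 defaults."""
    max_secure: int = 8192               # max. number of secure MAC addresses
    violation: str = "shutdown"          # "shutdown" (table default) or "drop" (assumed alternative)
    shutdown_time_min: int = 0           # 0 assumed to mean: down until admin_enable()
    sticky: bool = False                 # learn and retain addresses dynamically
    allowed_ouis: Set[str] = field(default_factory=set)
    secure_macs: Set[str] = field(default_factory=set)   # static + sticky-learned
    down_since: Optional[float] = None   # timestamp (s) of the shutdown, if any
    violations: int = 0

    def add_secure_mac(self, mac: str) -> None:
        self.secure_macs.add(mac.lower())

    def allow_oui(self, prefix: str) -> None:
        self.allowed_ouis.add(prefix.lower())

    def admin_enable(self) -> None:
        """Administrator clears the shutdown; required when shutdown_time_min == 0."""
        self.down_since = None

    def ingress(self, src_mac: str, now: float = 0.0) -> str:
        """Decide what happens to a frame with source MAC src_mac arriving at time now."""
        mac = src_mac.lower()
        if self.down_since is not None:
            expired = self.shutdown_time_min > 0 and \
                now - self.down_since >= self.shutdown_time_min * 60
            if expired:
                self.down_since = None   # timer ran out: port comes back up
            else:
                return "dropped:port-down"
        if self.allowed_ouis and oui_of(mac) not in self.allowed_ouis:
            return self._violate(now, "oui")          # wrong vendor prefix
        if mac in self.secure_macs:
            return "forwarded"                        # static or previously learned
        if self.sticky and len(self.secure_macs) < self.max_secure:
            self.secure_macs.add(mac)                 # sticky: kept across link down
            return "forwarded:learned"
        return self._violate(now, "limit" if self.sticky else "unknown-mac")

    def _violate(self, now: float, reason: str) -> str:
        self.violations += 1
        if self.violation == "shutdown":
            self.down_since = now                     # whole port goes down, not just the frame
            return f"shutdown:{reason}"
        return f"dropped:{reason}"


def demo() -> List[str]:
    """Constructed scenarios; returns the verdict for each frame in order."""
    out: List[str] = []
    # 1. MAC limiting with the defaults: one static address, Shutdown, timer 0.
    p = SecurePort()
    p.add_secure_mac("00:50:56:aa:bb:01")
    out.append(p.ingress("00:50:56:aa:bb:01"))              # forwarded
    out.append(p.ingress("00:50:56:aa:bb:99"))              # VM changed its vNIC MAC -> port shut
    out.append(p.ingress("00:50:56:aa:bb:01", now=3600.0))  # still down: timer 0 never recovers
    p.admin_enable()
    out.append(p.ingress("00:50:56:aa:bb:01", now=3600.0))  # forwarded again
    # 2. OUI filter plus sticky learning with a limit of 2, drop mode.
    q = SecurePort(sticky=True, max_secure=2, violation="drop")
    q.allow_oui("00:50:56")
    out.append(q.ingress("00:50:56:00:00:01"))  # learned
    out.append(q.ingress("00:50:56:00:00:02"))  # learned
    out.append(q.ingress("00:50:56:00:00:03"))  # over the limit
    out.append(q.ingress("de:ad:be:ef:00:01"))  # OUI not allowed
    out.append(q.ingress("00:50:56:00:00:01"))  # sticky entry retained
    # 3. Shutdown mode with a 5-minute recovery timer.
    r = SecurePort(shutdown_time_min=5)
    r.add_secure_mac("00:50:56:aa:bb:01")
    out.append(r.ingress("00:50:56:ff:ff:ff", now=0.0))     # port shut
    out.append(r.ingress("00:50:56:aa:bb:01", now=120.0))   # 2 min: still down
    out.append(r.ingress("00:50:56:aa:bb:01", now=300.0))   # 5 min: timer expired
    return out


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point worth noticing in scenario 1 is that the default violation mode takes the whole port down on the first unexpected source address, and with the default shutdown time of 0 it stays down until someone clears it; a VDI user who changes a vNIC MAC therefore cuts off their own VM rather than gaining a new identity on the segment.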


53-1003225-04