Local and global resources, Configuring the mac port security feature, Configuration considerations – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual
Multi-Service IronWare Security Configuration Guide
53-1003035-02
Configuring the MAC port security feature
The secure MAC addresses are not flushed when an interface is disabled and brought up again.
The secure addresses can be kept secure permanently (the default), or can be configured to age
out, at which time they are no longer secure. You can configure the device to automatically save the
list of secure MAC addresses to the startup-config file at specified intervals, allowing addresses to
be kept secure across system restarts.
The port security feature applies only to Ethernet interfaces.
Configuration Considerations
When using the MAC port security feature, the following should be considered.
• If there is no port security configuration at the interface level, global level port security configuration is inherited.
• If a port security attribute is configured at the interface level, interface level configuration for that attribute takes precedence over global level configuration for the same attribute. The rest of the port security attributes that are not configured at the interface level will be inherited from the global level configuration.
Local and global resources
The port security feature uses a concept of local and global “resources” to determine how many
MAC addresses can be secured on each interface. In this context, a “resource” is the ability to store
one secure MAC address entry. Each interface is allocated 64 local resources. When the port
security feature is enabled, the interface can store up to 64 secure MAC addresses using local
resources.
Besides the maximum of 64 local resources available to an interface, there are 4096 global
resources available. When an interface has secured enough MAC addresses to reach its limit for
local resources, it can secure additional MAC addresses by using global resources. Global
resources are shared among all the interfaces on a first-come, first-served basis.
The maximum number of MAC addresses any single interface can secure is 64 (the maximum
number of local resources available to the interface), plus the number of global resources not
allocated to other interfaces.
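The accounting described above can be modeled in a few lines to sanity-check a port security plan before deploying it. This is an added example, not code from the Brocade guide: the class, function names, interface names and MAC addresses are hypothetical, and the model ignores aging and any configured per-interface maximum. The `oversubscribed` check is a planning aid derived from the 64 and 4096 limits stated above.

```python
from collections import Counter, defaultdict

LOCAL_PER_INTERFACE = 64   # local resources per interface (from the guide)
GLOBAL_POOL = 4096         # global resources shared by all interfaces (from the guide)


class PortSecurityResources:
    """Toy model of local/global secure-MAC resource accounting (hypothetical)."""

    def __init__(self):
        self.secured = defaultdict(dict)   # interface -> {mac: "local" | "global"}
        self.global_held = Counter()       # interface -> global resources in use

    def secure(self, interface, mac):
        """Secure one MAC; return the resource kind used, or None if none is left."""
        entries = self.secured[interface]
        if mac in entries:                 # already secured, no new resource needed
            return entries[mac]
        local_used = len(entries) - self.global_held[interface]
        if local_used < LOCAL_PER_INTERFACE:
            kind = "local"
        elif sum(self.global_held.values()) < GLOBAL_POOL:
            kind = "global"                # shared pool, first-come, first-served
            self.global_held[interface] += 1
        else:
            return None                    # local limit reached and pool exhausted
        entries[mac] = kind
        return kind

    def max_securable(self, interface):
        """64 local plus every global resource not allocated to other interfaces."""
        held_by_others = sum(self.global_held.values()) - self.global_held[interface]
        return LOCAL_PER_INTERFACE + GLOBAL_POOL - held_by_others


def oversubscribed(planned_maximums):
    """True if the planned per-interface counts cannot all fit in the global pool."""
    need = sum(max(0, m - LOCAL_PER_INTERFACE) for m in planned_maximums.values())
    return need > GLOBAL_POOL


if __name__ == "__main__":
    pool = PortSecurityResources()
    # Constructed sample: 65 MAC addresses learned on one interface.
    kinds = [pool.secure("eth 1/1", f"0000.0000.{n:04x}") for n in range(65)]
    print(kinds.count("local"), kinds.count("global"))
    print(pool.max_securable("eth 1/2"))
```

Because the global pool is first-come, first-served, an interface that learns many addresses early reduces what every other interface can secure beyond its 64 local entries.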
Configuring the MAC port security feature
To configure the MAC port security feature, you perform the following tasks:
• Enable the MAC port security feature
• Set the maximum number of secure MAC addresses for an interface
• Set the port security age timer
• Specify secure MAC addresses
• Configure the device to automatically save secure MAC addresses to the startup-config file
• Specify the action taken when a security violation occurs
• Deny specific MAC addresses
• Port Security MAC Violation Limits