
Denying specific mac addresses – Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual


Multi-Service IronWare Security Configuration Guide

289

53-1003035-02

Configuring the MAC port security feature

7

You can configure the delete-dynamic-learn command at the global level.

To enable the delete-dynamic-learn command, enter a command such as the following.

Brocade(config)# global-port-security
Brocade(config-port-security)# delete-dynamic-learn

Syntax: global-port-security

Syntax: [no] delete-dynamic-learn

By default, delete-dynamic-learn is disabled.

Specifying the action taken when a security violation occurs

A security violation can occur when a user tries to plug into a port where a MAC address is already
locked, or the maximum number of secure MAC addresses has been exceeded. When a security
violation occurs, an SNMP trap and Syslog message are generated.

In addition, you can configure the device to take one of two actions when a security violation occurs:
either drop packets from the violating address (and allow packets from secure addresses), or
disable the port altogether for a specified amount of time.

To configure the device to drop packets from a violating address and allow packets from secure
addresses, enter commands such as the following.

Brocade(config)# interface ethernet 7/11
Brocade(config-if-e100-7/11)# port security
Brocade(config-port-security-e100-7/11)# violation restrict

Syntax: violation restrict

To shut down the port when a security violation occurs, enter commands such as the following.

Brocade(config)# interface ethernet 7/11
Brocade(config-if-e100-7/11)# port security
Brocade(config-port-security-e100-7/11)# violation shutdown

Syntax: violation shutdown

To specify the MAC addresses that will be denied, enter commands such as the following. All other
MAC addresses that are not specified will be allowed.

Brocade(config)# interface ethernet 7/11
Brocade(config-if-e100-7/11)# port security
Brocade(config-port-security-e100-7/11)# deny-mac-address

Syntax: deny-mac-address

NOTE

When using this feature with a 24-port 10/100 module (part number B24E), only the shutdown
option is supported. The restrict option is not supported on the B24E.
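As an added example (not from the Brocade manual), the following Python renders the port-security commands shown above for a list of interfaces and refuses the restrict action on a B24E module, as the NOTE requires. The PortPolicy data model, the function names and the module name "EXAMPLE-MODULE" are assumptions for illustration; only the command names and B24E come from the page.

```python
"""Render Brocade MAC port-security CLI from a small intent table.

Added example, not from the Brocade manual. Command names and the B24E
restriction come from the page; everything else here is an assumption.
"""
from dataclasses import dataclass
from typing import List, Optional

# Modules on which 'violation restrict' is not supported (the page's NOTE).
# Constructed lookup table: only B24E is documented on the page.
RESTRICT_UNSUPPORTED_MODULES = {"B24E"}

@dataclass(frozen=True)
class PortPolicy:
    slot: int
    port: int
    module: str            # module part number, e.g. "B24E"
    violation: str         # "restrict" or "shutdown"
    deny_mac: bool = False # also emit 'deny-mac-address' on this port

def policy_problem(p: PortPolicy) -> Optional[str]:
    """Return a message if the policy conflicts with the documented
    constraints, or None if it is acceptable."""
    if p.violation not in ("restrict", "shutdown"):
        return f"unknown violation action {p.violation!r}"
    if p.violation == "restrict" and p.module in RESTRICT_UNSUPPORTED_MODULES:
        return f"violation restrict is not supported on {p.module}; use shutdown"
    return None

def render_port(p: PortPolicy) -> List[str]:
    """Commands for one interface, in the order the page shows them.
    Indentation is omitted: these are the commands typed in config mode."""
    problem = policy_problem(p)
    if problem:
        raise ValueError(problem)
    lines = [f"interface ethernet {p.slot}/{p.port}", "port security",
             f"violation {p.violation}"]
    if p.deny_mac:
        lines.append("deny-mac-address")
    return lines

def render_config(policies: List[PortPolicy],
                  delete_dynamic_learn: bool = False) -> List[str]:
    """Whole snippet: optional global block first, then one block per port."""
    lines: List[str] = []
    if delete_dynamic_learn:
        lines += ["global-port-security", "delete-dynamic-learn"]
    for p in policies:
        lines += render_port(p)
    return lines
```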

Denying specific MAC addresses

You can configure the violation deny mode. The violation deny mode allows you to deny MAC
addresses on a global level or on a per port level.