Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00)
53-1003035-02, page 290
Chapter 7: Configuring the MAC port security feature
Denying MAC addresses globally
To deny a specific MAC address globally, enable the violation deny mode, then specify the MAC
address to be denied.
Brocade(config)# global-port-security
Brocade(config-port-security)# violation deny
Brocade(config-port-security)# deny-mac-address 0000.0000.0001 2
Global denied secure MAC addresses are denied system-wide. When a flow from such an address is
received, the entry is added to the MAC table as a deny entry. Only the configured MAC addresses
are denied; all other MAC addresses are allowed.
A maximum of 512 deny MAC addresses can be configured on a global level.
Denying MAC addresses on an interface
You can specify which MAC addresses can be denied on an interface.
Brocade(config)# interface ethernet 7/11
Brocade(config-if-e100-7/11)# port security
Brocade(config-port-security-e100-7/11)# violation deny
Brocade(config-port-security-e100-7/11)# deny-mac-addr 0000.1111.2222 4
Only the configured MAC addresses are denied on the specified interface. All other MAC addresses
are allowed.
A maximum of 64 deny MAC addresses can be configured at an interface level.
Displaying MAC addresses that have been denied
Use the show port security global-deny command to display all the MAC addresses that have been
denied globally. Use the show port security denied-macs command to display all the denied MAC
addresses.
Port security MAC violation limit
Use the violation restrict command to specify how many packets the system can receive in a
one-second interval from a denied MAC address before the system shuts the port down.
Configuring port security
To enable this new mode, enter a command such as the following.
Brocade(config)# global-port-security
Brocade(config-port-security)# violation restrict 12
Syntax: violation restrict [#-denied-packets processed]
Enter a value from 0 through 64000. This parameter has no default.
NOTE
With the introduction of this command, packets from denied MAC addresses are now processed in
software by the LP. They are no longer programmed in the hardware.
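As an added illustration that is not Brocade's code or the switch's actual implementation, the following Python model replays the guide's example commands (global deny of 0000.0000.0001, interface deny of 0000.1111.2222 on ethernet 7/11, violation restrict 12) against constructed traffic, enforcing the 512 global and 64 per-interface deny limits. It assumes that the trailing number on deny-mac-address is a VLAN ID and that the port shuts down on the first frame that exceeds the restrict count within one one-second interval.

```python
from collections import defaultdict

GLOBAL_DENY_MAX = 512      # limit stated in the guide for global deny entries
INTERFACE_DENY_MAX = 64    # limit stated in the guide per interface

class DenyModeSim:
    """Simplified model of 'violation deny' with a 'violation restrict' limit.
    Assumptions (not from the guide): the trailing deny-mac-address argument is a
    VLAN ID; shutdown happens on the first frame over the restrict count per second."""
    def __init__(self, violation_restrict=None):
        self.global_deny = set()                   # (mac, vlan) denied system-wide
        self.iface_deny = defaultdict(set)         # iface -> {(mac, vlan)}
        self.restrict = violation_restrict         # None: no restrict limit set
        self.denied_per_second = defaultdict(int)  # (iface, second) -> count
        self.shutdown = set()

    def deny_mac_global(self, mac, vlan):
        if (mac, vlan) not in self.global_deny and len(self.global_deny) >= GLOBAL_DENY_MAX:
            raise ValueError("global deny list full (max %d)" % GLOBAL_DENY_MAX)
        self.global_deny.add((mac, vlan))

    def deny_mac_interface(self, iface, mac, vlan):
        table = self.iface_deny[iface]
        if (mac, vlan) not in table and len(table) >= INTERFACE_DENY_MAX:
            raise ValueError("deny list on %s full (max %d)" % (iface, INTERFACE_DENY_MAX))
        table.add((mac, vlan))

    def is_denied(self, iface, mac, vlan):
        # Only configured entries are denied; every other address is allowed.
        return (mac, vlan) in self.global_deny or (mac, vlan) in self.iface_deny[iface]

    def receive(self, iface, mac, vlan, t):
        """Return 'forward', 'deny' or 'shutdown' for a frame arriving at time t (seconds)."""
        if iface in self.shutdown:
            return "shutdown"
        if not self.is_denied(iface, mac, vlan):
            return "forward"
        key = (iface, int(t))
        self.denied_per_second[key] += 1
        if self.restrict is not None and self.denied_per_second[key] > self.restrict:
            self.shutdown.add(iface)
            return "shutdown"
        return "deny"

def demo():
    # Replay the guide's example configuration against constructed traffic.
    sim = DenyModeSim(violation_restrict=12)
    sim.deny_mac_global("0000.0000.0001", 2)
    sim.deny_mac_interface("ethernet 7/11", "0000.1111.2222", 4)
    # 13 frames from the globally denied MAC within one second on 7/11 (constructed).
    burst = [sim.receive("ethernet 7/11", "0000.0000.0001", 2, 10.0 + i * 0.05) for i in range(13)]
    elsewhere = sim.receive("ethernet 1/1", "0000.1111.2222", 4, 10.1)  # interface deny is local
    return burst, elsewhere
```

With restrict 12, the first twelve denied frames in the second are dropped and the thirteenth shuts the port; the interface-level entry has no effect on ethernet 1/1.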