Using the mac port security feature, Overview, Local and global resources – Brocade TurboIron 24X Series Configuration Guide User Manual
Brocade TurboIron 24X Series Configuration Guide
53-1003053-01
Chapter 31
Using the MAC Port Security Feature
In this chapter
• Configuring the MAC port security feature
This chapter describes how to configure devices to learn “secure” MAC addresses on an interface 
so that the interface will forward only packets that match the secure addresses. 
Overview
You can configure the device to learn “secure” MAC addresses on an interface. The interface will 
forward only packets with source MAC addresses that match these learned secure addresses. The 
secure MAC addresses can be specified manually, or the device can learn them automatically. After 
the device reaches the limit for the number of secure MAC addresses it can learn on the interface, 
if the interface then receives a packet with a source MAC address that does not match the learned 
addresses, it is considered a security violation.
When a security violation occurs, a Syslog entry and an SNMP trap are generated. In addition, the 
device takes one of two actions: it either drops packets from the violating address (and allows 
packets from the secure addresses), or disables the port for a specified amount of time. You 
specify which of these actions takes place.
The secure MAC addresses are not flushed when an interface is disabled and re-enabled. The 
secure addresses can be kept secure permanently (the default), or can be configured to age out, at 
which time they are no longer secure. You can configure the device to automatically save the 
secure MAC address list to the startup-config file at specified intervals, allowing addresses to be 
kept secure across system restarts.
Local and global resources
The port security feature uses a concept of local and global “resources” to determine how many 
MAC addresses can be secured on each interface. In this context, a “resource” is the ability to store 
one secure MAC address entry. Each interface is allocated 64 local resources. Additional global 
resources are shared among all interfaces on the device.
When the port security feature is enabled on an interface, the interface can store one secure MAC 
address. You can increase the number of MAC addresses that can be secured using local 
resources to a maximum of 64.
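The behavior described in the Overview and in this section can be traced with a small model. The following Python sketch is an added example, not Brocade code or CLI syntax: the class name, the action labels "restrict" and "shutdown", the 60-second disable period, and the sample MAC addresses are assumptions made for illustration. It covers local resources only and does not model aging or global resources.

```python
from dataclasses import dataclass, field

LOCAL_RESOURCES = 64  # local resources per interface, as stated in the chapter

@dataclass
class SecurePort:
    """Added teaching model of one interface with MAC port security enabled."""
    maximum: int = 1            # one secure MAC when the feature is first enabled
    action: str = "restrict"    # model labels: "restrict" drops, "shutdown" disables
    shutdown_secs: int = 60     # assumed disable period for the shutdown action
    secure: set = field(default_factory=set)
    disabled_until: float = 0.0
    events: list = field(default_factory=list)  # stands in for Syslog + SNMP trap

    def __post_init__(self):
        if not 1 <= self.maximum <= LOCAL_RESOURCES:
            raise ValueError("local resources allow 1 to 64 secure MACs")
        if self.action not in ("restrict", "shutdown"):
            raise ValueError("action must be 'restrict' or 'shutdown'")

    def receive(self, src_mac: str, now: float) -> str:
        """Return what happens to a frame with this source MAC at time `now`."""
        mac = src_mac.lower()
        if now < self.disabled_until:
            return "port-disabled"          # nothing is forwarded while disabled
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure.add(mac)            # learned automatically, below the limit
            return "forward"
        # Limit reached and the source is unknown: security violation.
        self.events.append((now, mac, self.action))
        if self.action == "shutdown":
            self.disabled_until = now + self.shutdown_secs
            return "port-disabled"
        return "drop"                       # secure addresses keep forwarding

def demo():
    """Constructed traffic: known hosts, then an unknown one, in each mode."""
    r = SecurePort(maximum=2, action="restrict")
    restrict = [r.receive(m, t) for t, m in enumerate(
        ["0000.aaaa.0001", "0000.aaaa.0002", "0000.aaaa.0003", "0000.aaaa.0001"])]
    s = SecurePort(maximum=1, action="shutdown", shutdown_secs=60)
    shutdown = [s.receive(m, t) for t, m in
                [(0, "0000.aaaa.0001"), (10, "0000.aaaa.0003"),
                 (20, "0000.aaaa.0001"), (71, "0000.aaaa.0001")]]
    return restrict, shutdown, r.events, sorted(s.secure)

if __name__ == "__main__":
    print(demo())
```

In the shutdown run, the secure address is still in place after the port comes back, matching the statement that secure MAC addresses are not flushed when an interface is disabled and re-enabled.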
