Overview of mac port security, Violation actions, Chapter 33 – Brocade BigIron RX Series Configuration Guide User Manual

BigIron RX Series Configuration Guide
53-1002484-04
Chapter 33
Using the MAC Port Security Feature and Transparent Port Flooding
In this chapter
• Overview of MAC port security
• Configuring the MAC Port Security feature
• Defining security violation actions
• Understanding the rules for violation action configuration
• Displaying MAC Port Security information
This chapter discusses the MAC Port Security and transparent port flooding features.
Overview of MAC port security
The MAC Port Security feature restricts unauthorized access to an interface by limiting and
identifying MAC addresses that are allowed to access an Ethernet interface on a device. You can
configure the BigIron RX with a limited number of “secure” MAC addresses on an interface. The
interface will forward only packets with source MAC addresses that match these secure addresses.
The secure MAC addresses can be specified manually (static), or the device can learn them
automatically (dynamic).
An interface can store up to the maximum number of secure MAC addresses. If the maximum
number of secure MAC addresses has been learned and the interface receives a packet with a
source MAC address that is different from all of the secure learned MAC addresses, the address
is considered a security violation.
NOTE
The MAC Port Security feature applies only to Ethernet interfaces. It is not available on loopback,
virtual routing (ve) or other interface types.
Violation actions
When a security violation occurs, a Syslog entry is generated. In addition, the device takes one of
the following actions:
• Shuts down the interface, either permanently or for a specified amount of time. This is the
  default.
• Drops packets from the unauthorized MAC address, but allows packets from the secure MAC
  addresses. The interface remains enabled.
• Denies the packet from the unauthorized MAC address, but allows packets from secure MAC
  addresses. The interface remains enabled.
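
The following Python model is an added example, not Brocade code or CLI syntax. It walks through the overview and violation actions above: addresses are learned up to the limit, an unknown source beyond the limit is logged as a violation, and the configured action is applied. The class, field and return-value names are assumptions, as are always-on dynamic learning and time passed in as seconds. Drop and deny both appear as "discard" because the text above describes the same forwarding outcome for them.

```python
# Added model of the port-security behavior described above (not device code).
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class SecurePort:
    maximum: int                             # secure-MAC limit for the interface
    action: str = "shutdown"                 # "shutdown" (default), "drop" or "deny"
    shutdown_secs: Optional[float] = None    # None = shut down permanently
    secure: set = field(default_factory=set) # static and learned addresses
    down_until: Optional[float] = None       # None = interface enabled
    syslog: list = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        if len(self.secure) >= self.maximum:
            raise ValueError("secure MAC limit reached")
        self.secure.add(mac.lower())

    def is_up(self, now: float) -> bool:
        if self.down_until is not None and now >= self.down_until:
            self.down_until = None           # timed shutdown has expired
        return self.down_until is None

    def receive(self, src_mac: str, now: float) -> str:
        """Classify one frame: 'forward', 'discard' or 'port-down'."""
        mac = src_mac.lower()
        if not self.is_up(now):
            return "port-down"
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure.add(mac)             # dynamic learning, assumed always on
            return "forward"
        # Limit reached and source unknown: security violation, always logged.
        self.syslog.append((now, mac, self.action))
        if self.action == "shutdown":
            self.down_until = (float("inf") if self.shutdown_secs is None
                               else now + self.shutdown_secs)
            return "port-down"
        return "discard"                     # drop/deny: interface stays enabled

if __name__ == "__main__":
    port = SecurePort(maximum=2, shutdown_secs=300)   # constructed sample values
    port.add_static("00:00:5E:00:53:01")
    for t, mac in [(0, "00:00:5e:00:53:01"), (1, "00:00:5e:00:53:02"),
                   (2, "00:00:5e:00:53:99"), (10, "00:00:5e:00:53:01"),
                   (302, "00:00:5e:00:53:01")]:
        print(t, mac, port.receive(mac, t))
    print(port.syslog)
```

With the default shutdown action, one frame from an unknown source also cuts off every secure host on the port until the timer expires or the interface is re-enabled. Drop and deny affect only the offending address.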