Secured, Locked, Invalid frames and intrusion actions – Allied Telesis AT-S62 User Manual

AT-S62 Management Software Menus Interface User’s Guide

Section VI: Port Security

Secured

A port set to this security level forwards packets only using static MAC
addresses. The port does not learn dynamic MAC addresses and deletes
any it has already learned. The port discards an ingress packet if its
source MAC address is not specified as a static address.

You must enter, either before or after activating this security level on a
port, the static MAC addresses of the source end nodes to be allowed to
forward frames through the port.

Locked

A port set to the Locked security level stops learning new source dynamic
MAC addresses and forwards packets based on the source MAC
addresses that it learned before being set to this security level. Packets
with a source MAC address that it did not learn are discarded.

The dynamic addresses learned by the port prior to its being set to this
security level are converted into static addresses and so are never timed
out from the MAC address table, even when the corresponding end nodes
are inactive. They are also retained when the switch is reset or power
cycled.

You can add new static MAC addresses to a port operating under this
security level.

Invalid Frames and Intrusion Actions

When a port receives an invalid frame, it performs the intrusion action,
which determines how the port and the switch respond.

Before defining the intrusion actions, it can help to understand first what
constitutes an invalid frame for each security level:

- Limited Security Level - An invalid frame for this security level is an
  ingress frame with a source MAC address that the port did not learn
  before reaching its maximum number of allowed dynamic MAC
  addresses, or that was not assigned to the port as a static address.

- Secured Security Level - An invalid frame for this security level is an
  ingress frame whose source MAC address was not entered as a static
  address on the port.

- Locked - An invalid frame for this security level is an ingress frame
  whose source MAC address was not learned before the port was set to
  this security level, or was not assigned to it as a static address.

The intrusion action defines what a port does when it receives an invalid
frame. A port operating under the Secured or Locked security mode has
only one intrusion action: it discards the invalid frame.
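
The three invalid-frame rules above can be modelled in a few lines of Python. This is an added example, not code from the AT-S62 software; the Port class, its method names, the cap of 2 and the MAC addresses are assumptions made for illustration, and address aging and the Limited-level intrusion actions are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    """Simplified model of one port; aging and intrusion actions are not modelled."""
    level: str = "limited"              # "limited", "secured" or "locked"
    max_dynamic: int = 2                # Limited level cap (constructed value)
    static: set = field(default_factory=set)
    dynamic: set = field(default_factory=set)

    def add_static(self, mac):
        self.static.add(mac.lower())

    def set_level(self, level):
        if level == "secured":
            self.dynamic.clear()          # Secured: learned addresses are deleted
        elif level == "locked":
            self.static |= self.dynamic   # Locked: learned addresses become static
            self.dynamic.clear()
        self.level = level

    def ingress(self, src_mac):
        """Return True for a valid frame, False for an invalid frame."""
        mac = src_mac.lower()
        if mac in self.static or mac in self.dynamic:
            return True
        if self.level == "limited" and len(self.dynamic) < self.max_dynamic:
            self.dynamic.add(mac)         # Limited: still room to learn this source
            return True
        return False                      # unknown source: invalid at every level

def demo():
    # Constructed source MACs from the documentation range.
    a, b, c = "00:00:5E:00:53:01", "00:00:5E:00:53:02", "00:00:5E:00:53:03"
    port = Port(max_dynamic=2)
    limited = [port.ingress(m) for m in (a, b, c)]   # third source exceeds the cap
    port.set_level("locked")
    locked = [port.ingress(m) for m in (a, b, c)]    # only a and b were learned
    port.add_static(c)                               # statics can still be added
    locked_after_static = port.ingress(c)
    p2 = Port()
    p2.ingress(a)                                    # learned under Limited
    p2.set_level("secured")
    secured = [p2.ingress(a)]                        # learned entry was deleted
    p2.add_static(a)
    secured.append(p2.ingress(a))
    return {"limited": limited, "locked": locked,
            "locked_after_static": locked_after_static, "secured": secured}

if __name__ == "__main__":
    print(demo())
```
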

The Limited security mode lets you specify one of the following intrusion
actions:

- Discard the invalid frame.