
Alcatel-Lucent OmniSwitch AOS Release 7 - Configuring an Authorized MAC Address Range; Selecting the Security Violation Mode

Alcatel-Lucent OmniSwitch AOS Release 7
720 pages
Configuring Learned Port Security
page 25-12 OmniSwitch AOS Release 7 Network Configuration Guide March 2011
If the maximum number of filtered MAC addresses allowed is reached, either the LPS port is disabled
(Shutdown Violation mode) or MAC address learning is disabled (Restrict Violation mode). Under both
these modes, SNMP traps are generated and the events are logged in the switch log. For information on
configuring the security violation modes, see “Selecting the Security Violation Mode” on page 25-12.
Configuring an Authorized MAC Address Range
By default, each LPS port is set to a range of 00:00:00:00:00:00–ff:ff:ff:ff:ff:ff, which includes all MAC
addresses. If this default is not changed, then addresses received on LPS ports are subject only to the
source learning time limit and restrictions on the maximum number of MAC addresses allowed for the
port.
To configure a source MAC address range for an LPS port, enter port-security followed by the port
keyword and the slot/port designation, then mac-range followed by low and a MAC address and high and
a MAC address. For example, the following command configures a MAC address range for port 1 on slot 4:
-> port-security port 4/1 mac-range low 00:20:da:00:00:10 high 00:20:da:00:00:50
A source MAC address range can be configured for a single port number or for a range of port numbers.
For example:
-> port-security port 4/1-5 mac-range low 00:20:da:00:00:10 high 00:20:da:00:00:50
-> port-security port 2/1-4 mac-range low 00:20:d0:59:0c:9a high 00:20:d0:59:0c:9f
To restore the range to the default values, enter port-security followed by the port keyword, the
slot/port designation of the port, and mac-range. When the low and high MAC addresses are omitted,
the MAC address range is restored to 00:00:00:00:00:00 and ff:ff:ff:ff:ff:ff. For example,
the following command sets the authorized MAC address range to the default values for port 12 of slot 4:
-> port-security port 4/12 mac-range
In addition, specifying a low end MAC and a high end MAC is optional. If either one is not specified, the
default value is used. For example, the following commands set the authorized MAC address range on the
specified ports to 00:da:25:59:0c:10–ff:ff:ff:ff:ff:ff and 00:00:00:00:00:00–00:da:25:00:00:9a:
-> port-security port 2/8 mac-range low 00:da:25:59:0c:10
-> port-security port 2/10 mac-range high 00:da:25:00:00:9a
Refer to the OmniSwitch CLI Reference Guide for more information about this command.
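The following Python sketch is an added example, not part of the Alcatel-Lucent guide. It parses mac-range commands in the forms shown above, applies the default bound wherever low or high is omitted, and reports ports whose range still admits every MAC address. The function names are this example's own, and the bounds are assumed to be inclusive.

```python
import re

DEFAULT_LOW, DEFAULT_HIGH = 0x000000000000, 0xFFFFFFFFFFFF  # page's default range
CMD = re.compile(
    r"^(?:->\s*)?port-security\s+port\s+(\d+)/(\d+)(?:-(\d+))?\s+mac-range"
    r"(?:\s+low\s+([0-9a-f:]{17}))?(?:\s+high\s+([0-9a-f:]{17}))?\s*$",
    re.IGNORECASE,
)

def mac_to_int(mac):
    """Convert aa:bb:cc:dd:ee:ff to an integer, rejecting malformed input."""
    octets = mac.split(":")
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-fA-F]{2}", o) for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int("".join(octets), 16)

def effective_ranges(lines):
    """Map (slot, port) -> (low, high); a later command replaces an earlier one."""
    ranges = {}
    for line in lines:
        m = CMD.match(line.strip())
        if not m:
            raise ValueError(f"unrecognized mac-range command: {line!r}")
        slot, first, last, low, high = m.groups()
        lo = mac_to_int(low) if low else DEFAULT_LOW      # omitted bound -> default
        hi = mac_to_int(high) if high else DEFAULT_HIGH
        for port in range(int(first), int(last or first) + 1):
            ranges[(int(slot), port)] = (lo, hi)
    return ranges

def is_authorized(ranges, slot, port, mac):
    """True if mac lies in the port's range (bounds assumed inclusive)."""
    lo, hi = ranges.get((slot, port), (DEFAULT_LOW, DEFAULT_HIGH))
    return lo <= mac_to_int(mac) <= hi

def unrestricted_ports(ranges):
    """Ports whose range still admits every MAC address."""
    return sorted(p for p, r in ranges.items() if r == (DEFAULT_LOW, DEFAULT_HIGH))

# Commands from this page's examples (2/8 low bound as stated in the page's prose).
SAMPLE = [
    "-> port-security port 4/1-5 mac-range low 00:20:da:00:00:10 high 00:20:da:00:00:50",
    "-> port-security port 4/12 mac-range",
    "-> port-security port 2/8 mac-range low 00:da:25:59:0c:10",
    "-> port-security port 2/10 mac-range high 00:da:25:00:00:9a",
]

if __name__ == "__main__":
    print("ports admitting every MAC:", unrestricted_ports(effective_ranges(SAMPLE)))
```

A port reported as unrestricted is limited only by the source learning time limit and the maximum number of MAC addresses, as described at the start of this section.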
Selecting the Security Violation Mode
By default, the security violation mode for an LPS port is set to restrict. In this mode, when an
unauthorized MAC address is received on an LPS port, the packet containing the address is blocked.
However, all other packets that contain an authorized source MAC address are allowed to forward on the
port.
Note. Unauthorized source MAC addresses are not learned in the LPS table but are still recorded in the
source learning MAC address table with a filtered operational status. This allows the user to view MAC
addresses that were attempting unauthorized access to the LPS port.
