Dropping packets from a violating address, Disabling the port for a specified amount of time – Brocade TurboIron 24X Series Configuration Guide User Manual


Brocade TurboIron 24X Series Configuration Guide

995

53-1003053-01

Configuring the MAC port security feature

Specifying the action taken when a security violation occurs

A security violation can occur when a user tries to connect to a port where a MAC address is
already locked, or the maximum number of secure MAC addresses has been exceeded. When a
security violation occurs, an SNMP trap and Syslog message are generated.

You can configure the device to take one of two actions when a security violation occurs: either
drop packets from the violating address (and continue to allow packets from secure addresses), or
disable the port for a specified time.

Dropping packets from a violating address

To configure the device to drop packets from a violating address and allow packets from secure
addresses, enter the following commands.

TurboIron(config)#int e 11
TurboIron(config-if-e10000-11)#port security
TurboIron(config-port-security-e10000-11)#violation restrict

Syntax: violation restrict

NOTE

When the restrict option is used, the maximum number of MAC addresses that can be restricted is
128. If the number of violating MAC addresses exceeds this number, the port is shut down. An
SNMP trap and the following Syslog message are generated: "Port Security violation restrict limit 128
exceeded on interface ethernet <port_id>". This is followed by a port shutdown Syslog message and
trap.
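Because the restrict-limit message above is the only signal that the port has been shut down for exceeding 128 violating addresses, it is worth parsing out of the switch's Syslog feed. The following detection routine is an added example, not part of the configuration guide; the message text comes from the NOTE above, while the Syslog timestamp/hostname prefix and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Message template as given in the configuration guide. The syslog prefix
# (timestamp, hostname) is a constructed assumption, not a documented format.
RESTRICT_LIMIT_RE = re.compile(
    r"Port Security violation restrict limit (?P<limit>\d+) exceeded "
    r"on interface ethernet (?P<port>\S+)"
)

# Constructed sample log lines for demonstration only.
SAMPLE_SYSLOG = """\
Jan 10 12:00:01 TurboIron Port Security violation restrict limit 128 exceeded on interface ethernet 11
Jan 10 12:00:03 TurboIron Port Security violation restrict limit 128 exceeded on interface ethernet 7
Jan 10 12:05:00 TurboIron Port Security violation restrict limit 128 exceeded on interface ethernet 11
Jan 10 12:06:00 TurboIron some unrelated message
"""


def parse_restrict_limit_events(log_text):
    """Return (port, limit) for every restrict-limit message, in log order.

    Each such message means the restrict table on that port overflowed and
    the port was shut down, so every hit is worth an alert on its own.
    """
    events = []
    for line in log_text.splitlines():
        match = RESTRICT_LIMIT_RE.search(line)
        if match:
            events.append((match.group("port"), int(match.group("limit"))))
    return events


def shutdowns_per_port(log_text):
    """Count restrict-limit shutdowns per port across the whole log."""
    return Counter(port for port, _ in parse_restrict_limit_events(log_text))


def repeated_offenders(log_text, threshold=2):
    """Ports shut down at least `threshold` times: the port keeps coming back
    up (or is re-enabled) and immediately fills the 128-entry restrict table
    again, which points at a sustained flood of source MACs on that port."""
    counts = shutdowns_per_port(log_text)
    return sorted(port for port, n in counts.items() if n >= threshold)
```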

Specifying the period of time to drop packets from a violating address

To specify the number of minutes that the device drops packets from a violating address, use
commands similar to the following.

TurboIron(config)#int e 11
TurboIron(config-if-e10000-11)#port security
TurboIron(config-port-security-e10000-11)#violation restrict 5

Syntax: violation restrict <age>

<age> can be from 0 to 1440 minutes. The default is 5 minutes. Specifying 0 drops packets from
the violating address permanently.

Aging for restricted MAC addresses is done in software. There can be a worst case inaccuracy of
one minute from the specified time.

The restricted MAC addresses are denied in hardware.

Disabling the port for a specified amount of time

You can configure the device to disable the port for a specified amount of time when a security
violation occurs.

To shut down the port for 5 minutes when a security violation occurs, enter the following
commands.
