Defining security violation actions, Shutdown the interface, Restricting interface access – Brocade BigIron RX Series Configuration Guide User Manual



BigIron RX Series Configuration Guide, 53-1002484-04 (chapter 33, page 1034)

Defining security violation actions

A MAC Port Security violation can occur when any of the following occurs:

• The maximum number of secure MAC addresses has been exceeded.

• The MAC address received is in the deny MAC address list.

When a MAC Port Security violation occurs, an SNMP trap and Syslog message are generated. You can also configure the device to take any of the following actions when a MAC Port Security violation occurs:

• Shut down the interface, either permanently or for a specified amount of time. This is the default violation action if no violation action is configured at the global or interface level.

• Restrict packets. With this action, packets from the unauthorized MAC address are dropped, but packets from the secure MAC addresses are allowed. The interface remains enabled.

• Deny the packets from the unauthorized MAC address, but allow packets from secure MAC addresses.

These actions can be configured at the global or interface level. The violation action configured at the global level is not used if a violation action is configured at the interface level.

Shutdown the interface

By default, the device shuts down the interface on the first violation. When the interface is shut down, it is disabled for the period of time specified by the configured age timer.

To enable this action, enter the following commands.

BigIron RX(config)# interface ethernet 7/11
BigIron RX(config-if-e100-7/11)# port security
BigIron RX(config-port-security-e100-7/11)# violation shutdown

Syntax: [no] violation shutdown

Restricting interface access

You can configure the device to drop packets from an unsecure MAC address while still allowing packets from secure MAC addresses to access the interface. The interface remains enabled.

To enable this action, enter the following commands.

BigIron RX(config)# interface ethernet 7/11
BigIron RX(config-if-e100-7/11)# port security
BigIron RX(config-port-security-e100-7/11)# violation restrict

Syntax: [no] violation restrict [<#-denied-packets-processed> | force]

The violation restrict command enables the violation restrict action.

Entering a value for #-denied-packets-processed specifies the number of packets from one unsecure MAC address that can be processed in one second on the interface. Once this number is reached, the interface is shut down. Refer to “Restricting the number of packets per MAC address” on page 1035 for details.
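The following model of the violation-action semantics described in this section (interface-level action overriding the global one, shutdown as the default, and the restrict threshold escalating to a shutdown) is an added example for illustration, not Brocade code or switch behaviour taken from the guide. The frame representation, the 60-second age timer and the MAC addresses are constructed assumptions.

```python
"""Model of the MAC port-security violation actions from this section.
Constructed example; the port state, frame inputs and age timer value
are assumptions, not the switch's actual implementation."""
from dataclasses import dataclass, field
from typing import Optional

SHUTDOWN, RESTRICT, DENY = "shutdown", "restrict", "deny"


@dataclass
class PortSecurity:
    secure_macs: set                    # secure MAC addresses on the port
    max_secure: int                     # maximum number of secure MACs
    deny_macs: set = field(default_factory=set)   # deny MAC address list
    action: Optional[str] = None        # interface-level violation action
    restrict_limit: Optional[int] = None  # <#-denied-packets-processed>
    age_timer: float = 60.0             # seconds the port stays down (assumed)
    shutdown_until: float = 0.0
    denied: dict = field(default_factory=dict)  # (mac, second) -> count

    def effective_action(self, global_action: Optional[str] = None) -> str:
        # Interface-level action wins; global action is only a fallback;
        # with neither configured the default is to shut the port down.
        return self.action or global_action or SHUTDOWN

    def is_violation(self, src_mac: str) -> bool:
        if src_mac in self.deny_macs:      # listed in the deny MAC list
            return True
        if src_mac in self.secure_macs:
            return False
        if len(self.secure_macs) < self.max_secure:
            self.secure_macs.add(src_mac)  # learned as a new secure MAC
            return False
        return True                        # secure MAC limit exceeded

    def handle_frame(self, src_mac: str, now: float,
                     global_action: Optional[str] = None) -> str:
        """Return 'forward', 'drop' or 'shutdown' for one ingress frame."""
        if now < self.shutdown_until:
            return "drop"                  # disabled until the age timer expires
        if not self.is_violation(src_mac):
            return "forward"
        action = self.effective_action(global_action)
        if action == SHUTDOWN:
            self.shutdown_until = now + self.age_timer
            return "shutdown"
        if action == RESTRICT and self.restrict_limit is not None:
            key = (src_mac, int(now))      # denied packets per MAC per second
            self.denied[key] = self.denied.get(key, 0) + 1
            if self.denied[key] >= self.restrict_limit:
                self.shutdown_until = now + self.age_timer
                return "shutdown"
        return "drop"  # restrict/deny: drop the offender, keep the port up
```

Running a few constructed frames through a port with no interface-level action shows the first violation shutting the port down, while a port configured with `violation restrict 3` keeps forwarding secure traffic until the third denied packet from the same MAC within one second.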
