Secured, Locked, Invalid frames and intrusion actions – Allied Telesis AT-S63 User Manual

Page 709


AT-S63 Management Software Menus Interface User’s Guide

Section VII: Port Security

port has already learned its maximum number of dynamic MAC
addresses. A switch port can have up to 255 dynamic and static MAC
addresses.

Secured

The Secured security level instructs a port to forward frames using only
static MAC addresses. The port does not learn any dynamic MAC
addresses and deletes any dynamic addresses that it has already
learned. Only those end nodes whose MAC addresses are entered as
static addresses are able to forward frames through the port.

After you have activated this security level, you must enter the static MAC
addresses of the end nodes that are to be allowed to forward frames
through the port.

Locked

The Locked security level causes a port to immediately stop learning new
dynamic MAC addresses. Frames are forwarded using the dynamic MAC
addresses that the port has already learned and any static MAC
addresses assigned to the port.

Dynamic MAC addresses learned by the port prior to the activation of this
security level never time out from the MAC address table, even when the
corresponding end nodes are inactive. However, the port does not learn
new dynamic addresses.

You can continue to add new static MAC addresses to a port operating
under this security level.

Note

For background information on MAC addresses and aging time,
refer to “MAC Address Overview” on page 136.

Invalid Frames and Intrusion Actions

When a port receives an invalid frame, it must take some action in
response. That action is referred to as the intrusion action.

Before defining the intrusion actions, it helps to understand what
constitutes an invalid frame. This differs for each security level, as
explained here:

• Limited Security Level - An invalid frame for this security level is an
  ingress frame with a source MAC address not already learned by a
  port after the port had reached its maximum number of dynamic MAC
  addresses, or that was not assigned to the port as a static address.

• Secured Security Level - An invalid frame for this security level is an
  ingress frame with a source MAC address that was not entered as a
  static address on the port.

• Locked - An invalid frame for this security level is an ingress frame with
  a source MAC address that the port has not already learned or that
  was not assigned as a static address.
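
The following Python sketch is an added example, not part of the Allied Telesis manual or the AT-S63 software. It models the invalid-frame definitions above for the three security levels; the class, method names and MAC addresses are constructed for illustration.

```python
# Added illustration: models the invalid-frame definitions in this section.
# Port, set_level and ingress are hypothetical names, not AT-S63 identifiers.
from dataclasses import dataclass, field

LIMITED, SECURED, LOCKED = "limited", "secured", "locked"

@dataclass
class Port:
    level: str
    max_dynamic: int = 0                      # used by the Limited level only
    static: set = field(default_factory=set)
    dynamic: set = field(default_factory=set)

    def set_level(self, level, max_dynamic=0):
        self.level, self.max_dynamic = level, max_dynamic
        if level == SECURED:
            self.dynamic.clear()              # Secured deletes learned dynamic addresses
        # Locked keeps the dynamic addresses learned before activation

    def ingress(self, src):
        """Return True for a valid frame, False for an invalid frame."""
        if src in self.static:
            return True                       # static addresses are valid at every level
        if self.level == SECURED:
            return False                      # only static addresses may forward
        if src in self.dynamic:
            return True                       # already learned (Limited or Locked)
        if self.level == LIMITED and len(self.dynamic) < self.max_dynamic:
            self.dynamic.add(src)             # below the maximum: learn and forward
            return True
        return False                          # Limited at its maximum, or Locked


def demo():
    # Constructed sample addresses (documentation MAC range)
    a, b, c = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"
    s = "00:00:5e:00:53:aa"                   # entered as a static address
    port = Port(LIMITED, max_dynamic=2, static={s})
    results = [port.ingress(m) for m in (a, b, c, s)]   # c arrives after the maximum
    port.set_level(LOCKED)                    # a and b stay learned, c is still unknown
    results += [port.ingress(a), port.ingress(c)]
    port.set_level(SECURED)                   # dynamic entries are deleted
    results += [port.ingress(a), port.ingress(s)]
    return results
```

The model covers only the classification of frames as valid or invalid; what the port does with an invalid frame is the intrusion action.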
