Restricting the number of packets per MAC address, Restricting the number of denied MAC addresses, Logging denied packets – Brocade BigIron RX Series Configuration Guide


BigIron RX Series Configuration Guide, 53-1002484-04, page 1035

Chapter 33: Defining security violation actions

Entering the force parameter forces the interface to shut down once #-denied-packets-processed
has been reached. If this parameter is not configured, the system asks for confirmation before the
interface is shut down.

If restrict is the configured action for a security violation, the following options can also be
configured:

Restrict the number of packets received per MAC address

Restrict the number of MAC addresses denied on an interface

Log denied MAC addresses

Restricting the number of packets per MAC address

You can specify how many packets per second from a single denied MAC address the interface
processes before it shuts down. If the number of packets received from that address in one second
exceeds this value, the interface shuts down.

To enable this option, enter a command such as the following.

BigIron RX(config)# interface ethernet 7/11

BigIron RX(config-if-e100-7/11)# port security

BigIron RX(config-port-security-e100-7/11)# violation restrict 3200

Syntax: violation restrict [<#-denied-packets-processed> | force]

Enter 1 – 64000 for #-denied-packets-processed. There is no default.

Restricting the number of denied MAC addresses

If the violation action is restrict, you can specify how many MAC addresses may be denied on an
interface before the interface shuts down. Once this number is reached, the interface is shut down.

BigIron RX(config)# interface ethernet 7/11

BigIron RX(config-if-e100-7/11)# port security

BigIron RX(config-port-security-e100-7/11)# violation restrict

BigIron RX(config-port-security-e100-7/11)# restrict-max-deny 1000

Syntax: [no] restrict-max-deny <number>

Enter 1 – 1024. The default is 128. In the example above, the interface shuts down after 1000
MAC addresses are denied.

Logging denied packets

You can specify how many denied packets are logged per second.

To enable this option, enter the following command:

BigIron RX(config)# interface ethernet 7/11

BigIron RX(config-if-e100-7/11)# port security

BigIron RX(config-port-security-e100-7/11)# violation restrict 3200

BigIron RX(config-port-security-e100-7/11)# deny-log-rate 5

Syntax: [no] deny-log-rate <number-per-second>

Enter 1 – 10. The default is 0, which means the feature is disabled.
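The three restrict options above are usually applied together. As an added example (not part of the Brocade guide), the following Python helper renders a policy into the command sequence shown on this page, rejects values outside the documented ranges (1 – 64000 for #-denied-packets-processed, 1 – 1024 for restrict-max-deny with a default of 128, 1 – 10 for deny-log-rate with 0 meaning disabled), and checks whether a given denied-MAC count or per-address packet rate trips the shutdown as the text describes it (packets must exceed the limit, denied MAC addresses only need to reach it). The class and function names, the interface 7/11 and the sample thresholds are constructed for illustration; the force keyword is not modelled.

```python
"""Build and sanity-check a BigIron RX 'violation restrict' port-security stanza.

Added example, not code from the Brocade guide. Command names, ranges and
defaults are taken from the page text; the policy class, the helper names
and the sample values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Ranges and defaults as documented on this page.
DENIED_PACKETS_RANGE = (1, 64000)   # violation restrict <#-denied-packets-processed>, no default
MAX_DENY_RANGE = (1, 1024)          # restrict-max-deny <number>
MAX_DENY_DEFAULT = 128              # applies when restrict-max-deny is not configured
LOG_RATE_RANGE = (1, 10)            # deny-log-rate <number-per-second>
LOG_RATE_DISABLED = 0               # default: no logging of denied packets


def _check(name: str, value: int, lo: int, hi: int) -> int:
    """Reject a value the CLI would refuse, before it reaches the switch."""
    if not lo <= value <= hi:
        raise ValueError(f"{name} must be in {lo}-{hi}, got {value}")
    return value


@dataclass
class RestrictPolicy:
    # None means "not configured": no per-address packet limit.
    denied_packets_per_sec: Optional[int] = None
    # None means "not configured": the device default of 128 applies.
    max_denied_macs: Optional[int] = None
    deny_log_rate: int = LOG_RATE_DISABLED

    def __post_init__(self) -> None:
        if self.denied_packets_per_sec is not None:
            _check("#-denied-packets-processed", self.denied_packets_per_sec, *DENIED_PACKETS_RANGE)
        if self.max_denied_macs is not None:
            _check("restrict-max-deny", self.max_denied_macs, *MAX_DENY_RANGE)
        if self.deny_log_rate != LOG_RATE_DISABLED:
            _check("deny-log-rate", self.deny_log_rate, *LOG_RATE_RANGE)

    def effective_max_denied_macs(self) -> int:
        """Limit the switch enforces, including the implicit default of 128."""
        return MAX_DENY_DEFAULT if self.max_denied_macs is None else self.max_denied_macs

    def cli(self, interface: str) -> List[str]:
        """Commands in the order they are entered on the page, without prompts."""
        restrict = "violation restrict"
        if self.denied_packets_per_sec is not None:
            restrict += f" {self.denied_packets_per_sec}"
        lines = [f"interface ethernet {interface}", "port security", restrict]
        if self.max_denied_macs is not None:
            lines.append(f"restrict-max-deny {self.max_denied_macs}")
        if self.deny_log_rate != LOG_RATE_DISABLED:
            lines.append(f"deny-log-rate {self.deny_log_rate}")
        return lines

    def shuts_down(self, denied_macs_seen: int, peak_pkts_per_sec_from_one_denied_mac: int) -> bool:
        """True if either documented threshold would shut the interface down.

        The denied-MAC limit trips when it is reached; the per-address packet
        limit trips only when the one-second count exceeds it.
        """
        if denied_macs_seen >= self.effective_max_denied_macs():
            return True
        if (self.denied_packets_per_sec is not None
                and peak_pkts_per_sec_from_one_denied_mac > self.denied_packets_per_sec):
            return True
        return False


if __name__ == "__main__":
    # Constructed sample policy matching the values used on this page.
    policy = RestrictPolicy(denied_packets_per_sec=3200, max_denied_macs=1000, deny_log_rate=5)
    print("\n".join(policy.cli("7/11")))
    print("999 denied MACs, 3200 pkt/s from one of them:", policy.shuts_down(999, 3200))
    print("1000 denied MACs:", policy.shuts_down(1000, 0))
```

Running the block prints the five commands for interface 7/11 followed by the two threshold checks. A policy built with no restrict-max-deny still reports an effective limit of 128, which is the value to keep in mind when a port is expected to see more than that many unknown addresses before it is meant to shut down.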
