Dropping packets from a violating address – Brocade Communications Systems Brocade ICX 6650 6650 User Manual

Page 226

Advertising
background image

206

Brocade ICX 6650 Security Configuration Guide

53-1002601-01

MAC port security configuration

The minutes variable can be from 15 through 1440 minutes. By default, secure MAC addresses are
not autosaved to the startup-config file.

If you change the autosave interval, the next save happens according to the old interval, then the
new interval takes effect. To change the interval immediately, disable autosave by entering the no
autosave command, then configure the new autosave interval using the autosave command.

Specifying the action taken when a security
violation occurs

A security violation can occur when a user tries to connect to a port where a MAC address is
already locked, or the maximum number of secure MAC addresses has been exceeded. When a
security violation occurs, an SNMP trap and syslog message are generated.

You can configure the device to take one of two actions when a security violation occurs; either
drop packets from the violating address (and allow packets from secure addresses), or disable the
port for a specified time.

Dropping packets from a violating address

To configure the device to drop packets from a violating address and allow packets from secure
addresses, enter the following commands.

Brocade(config)# interface ethernet 1/1/7
Brocade(config-if-e10000-1/1/7)# port security
Brocade(config-port-security-e10000-1/1/7)# violation restrict

Syntax: violation [restrict]

NOTE

When the restrict option is used, the maximum number of MAC addresses that can be restricted is
128. If the number of violating MAC addresses exceeds this number, the port is shut down. An SNMP
trap and the following Syslog message are generated: "Port Security violation restrict limit 128
exceeded on interface ethernet port_id". This is followed by a port shutdown Syslog message and
trap.

Specifying the period of time to drop packets from a violating address
To specify the number of minutes that the device drops packets from a violating address, use
commands similar to the following.

Brocade(config)# interface ethernet 1/1/7
Brocade(config-if-e10000-1/1/7)# port security
Brocade(config-port-security-e10000-1/1/7)# violation restrict 5

Syntax: violation restrict age

The age variable can be from 0 through 1440 minutes. The default is 5 minutes. Specifying 0 drops
packets from the violating address permanently.

Aging for restricted MAC addresses is done in software. There can be a worst case inaccuracy of
one minute from the specified time.

The restricted MAC addresses are denied in hardware.

Advertising
Popular Brands
Popular manuals