Allied Telesis AT-9000/52 User Manual

Chapter 14: Setting MAC Address-based Port Security
Overview
This feature lets you control access to the ports on the switch based on 
the source MAC addresses of the network devices. You specify the 
maximum number of source MAC addresses that ports can learn. Ports 
that learn their maximum number of addresses discard packets that have 
new, unknown addresses, preventing access to the switch by any 
additional devices.
For example, if you configure port 3 on the switch to learn five source MAC 
addresses, the port learns up to five addresses and forwards the ingress 
packets of the devices that belong to those addresses. If the port receives 
ingress packets that have source MAC addresses other than the five it has 
already learned, it discards those packets to prevent the devices from 
passing traffic through the switch.
Static Versus Dynamic Addresses
The MAC addresses that the ports learn can be stored as either static or 
dynamic addresses in the MAC address table in the switch. Ports that 
store the addresses as static addresses do not learn new addresses after 
they have learned their maximum number. In contrast, ports that store 
the addresses as dynamic addresses can learn new addresses when 
addresses are timed out from the table by the switch. The addresses are 
aged out according to the aging time of the MAC address table.
Intrusion Actions
The intrusion actions define what the switch does when ports that have 
learned their maximum number of MAC addresses receive packets that 
have unknown source MAC addresses. Intrusion actions are also called 
violation actions. The possible settings are:
Protect - Ports discard those frames that have unknown MAC 
addresses. No other action is taken. For example, if port 14 is 
configured to learn 18 addresses, it starts to discard packets with 
unknown source MAC addresses after learning 18 MAC addresses.
Restrict - This is the same as the protect action, except that the switch 
sends SNMP traps when the ports discard frames. For example, if port 
12 is configured to learn two addresses, the switch sends a trap every 
time the port, after learning two addresses, discards a packet that has 
an unknown MAC address.
Shutdown - The switch disables the ports and sends SNMP traps. For 
example, if port 5 is configured to learn three MAC addresses, it is 
disabled by the switch to prevent it from forwarding any further traffic if 
it receives a packet with an unknown source MAC address, after 
learning three addresses. The switch also sends an SNMP trap.
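As an added illustration that is not part of the manual or the switch's own software, the following Python model reproduces the behaviour described in this chapter: a per-port limit on learned source MAC addresses, static versus dynamic (aging) storage, and the protect, restrict and shutdown intrusion actions. Port numbers, limits and the aging value are constructed sample settings.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Model of one switch port with MAC address-based port security enabled."""
    number: int
    max_addresses: int           # maximum number of source MAC addresses to learn
    action: str = "protect"      # intrusion action: "protect", "restrict" or "shutdown"
    dynamic: bool = False        # dynamic entries age out; static entries never do
    aging_time: int = 300        # assumed MAC address table aging time, in seconds
    learned: dict = field(default_factory=dict)   # source MAC -> time last seen
    traps: list = field(default_factory=list)     # SNMP traps the switch would send
    disabled: bool = False

    def age_out(self, now):
        """Remove dynamic entries older than the aging time; static entries stay."""
        if self.dynamic:
            stale = [m for m, t in self.learned.items() if now - t > self.aging_time]
            for m in stale:
                del self.learned[m]

    def ingress(self, src_mac, now=0):
        """Return 'forward' or 'discard' for a frame from src_mac arriving at time now."""
        if self.disabled:
            return "discard"          # a shut-down port forwards no further traffic
        self.age_out(now)
        if src_mac in self.learned:
            self.learned[src_mac] = now   # refresh the entry on traffic
            return "forward"
        if len(self.learned) < self.max_addresses:
            self.learned[src_mac] = now   # room left: learn the new address
            return "forward"
        # Maximum reached and the source address is unknown: apply the intrusion action.
        if self.action == "restrict":
            self.traps.append(f"port {self.number}: discarded frame from {src_mac}")
        elif self.action == "shutdown":
            self.traps.append(f"port {self.number}: disabled after frame from {src_mac}")
            self.disabled = True
        return "discard"


if __name__ == "__main__":
    port = SecurePort(number=5, max_addresses=3, action="shutdown")
    for mac in ("00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"):
        print(mac, port.ingress(mac))
    print("00:00:00:00:00:04", port.ingress("00:00:00:00:00:04"), port.traps)
```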