Brocade ICX 6650 Security Configuration Guide
53-1002601-01
MAC port security overview
You can configure the Brocade device to learn “secure” MAC addresses on an interface. The interface will forward only packets with source MAC addresses that match these learned secure addresses. The secure MAC addresses can be specified manually, or the Brocade device can learn them automatically. After the device reaches the limit for the number of secure MAC addresses it can learn on the interface, if the interface then receives a packet with a source MAC address that does not match the learned addresses, it is considered a security violation.

When a security violation occurs, a syslog entry and an SNMP trap are generated. In addition, the device takes one of two actions: it either drops packets from the violating address (and allows packets from the secure addresses), or disables the port for a specified amount of time. You specify which of these actions takes place.

The secure MAC addresses are flushed when an interface is disabled and re-enabled.

The secure addresses can be kept secure permanently (the default), or can be configured to age out, at which time they are no longer secure. You can configure the device to automatically save the secure MAC address list to the startup-config file at specified intervals, allowing addresses to be kept secure across system restarts.
Local and global resources used for MAC port security
The MAC port security feature uses a concept of local and global “resources” to determine how many MAC addresses can be secured on each interface. In this context, a “resource” is the ability to store one secure MAC address entry. Each interface is allocated 64 local resources. Additional global resources are shared among all interfaces on the device.

When the MAC port security feature is enabled on an interface, the interface can store one secure MAC address. You can increase the number of MAC addresses that can be secured using local resources to a maximum of 64.

Besides the maximum of 64 local resources available to an interface, there are additional global resources. Depending on flash memory size, a device can have 1024, 2048, or 4096 global resources available. When an interface has secured enough MAC addresses to reach its limit for local resources, it can secure additional MAC addresses by using global resources. Global resources are shared among all the interfaces on a first-come, first-served basis.

The maximum number of MAC addresses any single interface can secure is 64 (the maximum number of local resources available to the interface), plus the number of global resources not allocated to other interfaces.
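The resource accounting and violation handling described above, as an added Python model that is not part of the guide or of Brocade's firmware. It assumes a per-port configured limit (`max_secure`, default 1), treats exhaustion of the shared global pool as a violation (the guide does not say what happens in that case), and records the syslog entry and SNMP trap as a simple event list.

```python
from dataclasses import dataclass, field

LOCAL_RESOURCES = 64  # local resources allocated to every interface (from the guide)


@dataclass
class SecurePort:
    max_secure: int = 1                 # configured limit; one address by default (assumption: plain integer)
    secure: set = field(default_factory=set)
    global_used: int = 0                # global resources this port currently holds
    disabled: bool = False


class PortSecurity:
    """Toy model: local resources are used first, then the device-wide global pool."""

    def __init__(self, global_resources=1024, action="drop"):
        self.global_free = global_resources  # 1024, 2048 or 4096 on hardware, by flash size
        self.action = action                 # "drop" violator traffic or "shutdown" the port
        self.ports = {}
        self.events = []                     # stands in for the syslog entry + SNMP trap

    def enable(self, port, max_secure=1):
        self.ports[port] = SecurePort(max_secure=max_secure)

    def capacity(self, port):
        """Addresses this port can secure now: 64 local plus global resources not held by other ports, capped by its limit."""
        p = self.ports[port]
        return min(p.max_secure, LOCAL_RESOURCES + p.global_used + self.global_free)

    def ingress(self, port, src_mac):
        p = self.ports[port]
        if p.disabled:
            return "dropped:port-disabled"
        if src_mac in p.secure:
            return "forwarded"
        if len(p.secure) < p.max_secure:
            if len(p.secure) < LOCAL_RESOURCES:
                p.secure.add(src_mac)
                return "learned:local"
            if self.global_free > 0:         # local resources full: take one from the shared pool
                self.global_free -= 1
                p.global_used += 1
                p.secure.add(src_mac)
                return "learned:global"
        self.events.append(f"violation on {port} from {src_mac}")  # limit reached (or pool exhausted, an assumption)
        if self.action == "shutdown":
            p.disabled = True
            return "violation:port-disabled"
        return "violation:dropped"

    def bounce(self, port):
        """Disable and re-enable the port: secure addresses are flushed, global resources are returned."""
        p = self.ports[port]
        self.global_free += p.global_used
        p.global_used, p.disabled = 0, False
        p.secure.clear()
```

Running a port with a limit of 70 against a pool of only 2 global resources shows the effective ceiling of 66 that the last paragraph describes.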
Configuration notes and feature limitations for MAC port security
The following limitations apply to this feature:
MAC port security applies only to Ethernet interfaces.
MAC port security is not supported on static trunk group members or ports that are configured for link aggregation.
MAC port security is not supported on 802.1X port security-enabled ports.