Brocade ICX 6650 Security Configuration Guide
53-1002601-01
MAC port security configuration
The minutes variable can be from 15 through 1440 minutes. By default, secure MAC addresses are not autosaved to the startup-config file.
If you change the autosave interval, the next save still happens at the old interval; the new interval takes effect only after that save. To make a new interval take effect immediately, disable autosave by entering the no autosave command, then configure the new interval using the autosave command.
Specifying the action taken when a security violation occurs
A security violation occurs when a device tries to connect to a port where a MAC address is already locked, or when the maximum number of secure MAC addresses on the port has been exceeded. When a security violation occurs, the device generates an SNMP trap and a Syslog message.
You can configure the device to take one of two actions when a security violation occurs: either drop packets from the violating address (while continuing to forward packets from secure addresses), or disable the port for a specified time.
Dropping packets from a violating address
To configure the device to drop packets from a violating address and allow packets from secure 
addresses, enter the following commands.
Brocade(config)# interface ethernet 1/1/7
Brocade(config-if-e10000-1/1/7)# port security
Brocade(config-port-security-e10000-1/1/7)# violation restrict
Syntax: violation [restrict]
NOTE
When the restrict option is used, the maximum number of MAC addresses that can be restricted is 
128. If the number of violating MAC addresses exceeds this number, the port is shut down. An SNMP 
trap and the following Syslog message are generated: "Port Security violation restrict limit 128 
exceeded on interface ethernet port_id". This is followed by a port shutdown Syslog message and 
trap. 
Specifying the period of time to drop packets from a violating address
To specify the number of minutes that the device drops packets from a violating address, use 
commands similar to the following.
Brocade(config)# interface ethernet 1/1/7
Brocade(config-if-e10000-1/1/7)# port security
Brocade(config-port-security-e10000-1/1/7)# violation restrict 5
Syntax: violation restrict age
The age variable can be from 0 through 1440 minutes. The default is 5 minutes. Specifying 0 drops 
packets from the violating address permanently.
Aging of restricted MAC addresses is done in software, so the actual restriction period can differ from the configured age by up to one minute (worst case). The restricted MAC addresses themselves are denied in hardware.
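The following CLI session ties together the autosave-interval procedure described above (disable, then re-enable with the new value) and the restrict action with an explicit age. It is an added example, not a session from the Brocade guide: the global port security context used for autosave, the enable and maximum commands, and the 15-minute and 30-minute values are assumed here and are not shown on this page. The lines beginning with "!" are annotations, not commands that were typed.

```console
! Autosave is a global port security setting (assumed context). An interval
! that was previously 60 minutes would still trigger one more save at 60
! minutes if simply changed, so disable it first and then set the new value.
Brocade(config)# port security
Brocade(config-port-security)# no autosave
Brocade(config-port-security)# autosave 15
Brocade(config-port-security)# exit
! Per-port settings: enable port security on 1/1/7 and allow two secure MACs
! ("enable" and "maximum" are assumed from the guide's command set).
Brocade(config)# interface ethernet 1/1/7
Brocade(config-if-e10000-1/1/7)# port security
Brocade(config-port-security-e10000-1/1/7)# enable
Brocade(config-port-security-e10000-1/1/7)# maximum 2
! Drop packets from a violating MAC for 30 minutes instead of the default 5;
! "violation restrict 0" would deny the MAC permanently. Remember that once
! more than 128 MACs are restricted on the port, the port is shut down.
Brocade(config-port-security-e10000-1/1/7)# violation restrict 30
Brocade(config-port-security-e10000-1/1/7)# exit
```

Because the 128-address restrict limit turns the restrict action into a port shutdown, a port facing an untrusted segment where many rogue sources are plausible should be monitored for the "violation restrict limit 128 exceeded" Syslog message and the port-shutdown message that follows it.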