Alcatel-Lucent 6850-48 Network Guide

Configuring Learned Port Security
Learned Port Security Overview
OmniSwitch AOS Release 6 Network Configuration Guide
September 2009
page 3-5
How LPS Authorizes Source MAC Addresses
When a packet is received on a port that has LPS enabled, switch software checks the following criteria to determine if the source MAC address contained in the packet is allowed on the port:
• Is the source learning time window open?
• Is the number of MAC addresses learned on the port below the maximum number allowed?
• Is there a configured authorized MAC address entry for the LPS port that matches the packet’s source MAC address?
Using the above criteria, the following table shows the conditions under which a MAC address is learned or blocked on an LPS port:
When a source MAC address violates any of the LPS conditions, the address is considered unauthorized. The LPS violation mode determines if the unauthorized MAC address is simply blocked (filtered) on the port or if the entire port is disabled (see ). Regardless of which mode is selected, notice is sent to the Switch Logging task to indicate that a violation has occurred.
Dynamic Configuration of Authorized MAC Addresses
Once LPS authorizes the learning of a source MAC address, an entry containing the address and the port it was learned on is made in an LPS database table. This entry is then used as criteria for authorizing future traffic from this source MAC on that same port. In other words, learned authorized MAC addresses become configured criteria for an LPS port.

For example, if the source MAC address 00:da:95:00:59:0c is received on port 2/10 and meets the LPS restrictions defined for that port, then this address and its port are recorded in the LPS table. All traffic that is received on port 2/10 is compared to the 00:da:95:00:59:0c entry. If any traffic received on this port consists of packets that do not contain a matching source address, the packets are then subject to the LPS source learning time limit window and the maximum number of addresses allowed criteria.

When a dynamically configured MAC address is added to the LPS table, it does not become a configured MAC address entry in the LPS table until the switch configuration file is saved and the switch is rebooted. If a reboot occurs before this is done, all dynamically learned MAC addresses in the LPS table are cleared.
Time Limit | Max Number | Configured MAC           | Result
-----------|------------|--------------------------|------------------------------
Open       | Below      | No entry                 | No LPS violation; MAC learned
Closed     | Below      | No entry                 | LPS violation; MAC blocked
Open       | Above      | No entry                 | LPS violation; MAC blocked
Open       | Below      | Yes; entry matches       | No LPS violation; MAC learned
Closed     | Below      | Yes; entry matches       | No LPS violation; MAC learned
Open       | Above      | Yes; entry matches       | LPS violation; MAC blocked
Open       | Below      | Yes; entry doesn’t match | No LPS violation; MAC learned
Closed     | Below      | Yes; entry doesn’t match | LPS violation; MAC blocked
Open       | Above      | Yes; entry doesn’t match | LPS violation; MAC blocked