User's Manual
- AlliedWare Plus™ Version 2.1.2 Web Browser Interface

Chapter 14: Setting MAC Address-based Port Security
Overview
This feature lets you control access to the ports on the switch based on
the source MAC addresses of the network devices. You specify the
maximum number of source MAC addresses that ports can learn. Ports
that learn their maximum number of addresses discard packets that have
new, unknown addresses, preventing access to the switch by any
additional devices.
For example, if you configure port 3 on the switch to learn five source MAC
addresses, the port learns up to five addresses and forwards the ingress
packets of the devices that belong to those addresses. If the port receives
ingress packets that have source MAC addresses other than the five it has
already learned, it discards those packets to prevent the devices from
passing traffic through the switch.
Static Versus Dynamic Addresses
The MAC addresses that the ports learn can be stored as either static or
dynamic addresses in the MAC address table in the switch. Ports that
store the addresses as static addresses do not learn new addresses after
they have learned their maximum number. In contrast, ports that store
the addresses as dynamic addresses can learn new addresses when
addresses are timed out from the table by the switch. The addresses are
aged out according to the aging time of the MAC address table.
Intrusion Actions
The intrusion actions define what the switch does when ports that have
learned their maximum number of MAC addresses receive packets that
have unknown source MAC addresses. Intrusion actions are also called
violation actions. The possible settings are:
- Protect - Ports discard those frames that have unknown MAC
  addresses. No other action is taken. For example, if port 14 is
  configured to learn 18 addresses, it starts to discard packets with
  unknown source MAC addresses after learning 18 MAC addresses.
- Restrict - This is the same as the protect action, except that the switch
  sends SNMP traps when the ports discard frames. For example, if port
  12 is configured to learn two addresses, the switch sends a trap every
  time the port, after learning two addresses, discards a packet that has
  an unknown MAC address.
- Shutdown - The switch disables the ports and sends SNMP traps. For
  example, if port 5 is configured to learn three MAC addresses, it is
  disabled by the switch to prevent it from forwarding any further traffic if
  it receives a packet with an unknown source MAC address, after
  learning three addresses. The switch also sends an SNMP trap.
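The following Python model is an added illustration and is not part of the switch software or of this manual's procedures. It replays constructed traffic against one port to show how the address limit, static versus dynamic storage, and the three intrusion actions interact. The class and function names are hypothetical, and aging is assumed to be an idle timeout.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Simplified model of one port (hypothetical names, not switch firmware)."""
    max_addresses: int
    action: str = "protect"        # "protect", "restrict" or "shutdown"
    dynamic: bool = False          # False: static entries never age out
    aging_time: int = 300          # seconds; assumed idle timeout for dynamic entries
    enabled: bool = True
    table: dict = field(default_factory=dict)   # source MAC -> time last seen
    traps: list = field(default_factory=list)   # stand-in for SNMP traps

    def receive(self, src_mac: str, now: int) -> str:
        if not self.enabled:
            return "port-disabled"
        if self.dynamic:
            # Age out dynamic entries idle for aging_time or longer.
            self.table = {m: t for m, t in self.table.items()
                          if now - t < self.aging_time}
        if src_mac in self.table or len(self.table) < self.max_addresses:
            self.table[src_mac] = now   # learn or refresh
            return "forward"
        # Port is full and the source address is unknown: intrusion action.
        if self.action in ("restrict", "shutdown"):
            self.traps.append((now, src_mac))
        if self.action == "shutdown":
            self.enabled = False
        return "discard"


def replay(port, frames):
    """Feed constructed (time, source MAC) pairs to a port, return the outcomes."""
    return [port.receive(mac, t) for t, mac in frames]


# Constructed sample traffic: two known devices, then an unknown third one.
FRAMES = [(0, "00:00:5e:00:53:01"), (1, "00:00:5e:00:53:02"),
          (2, "00:00:5e:00:53:03"), (3, "00:00:5e:00:53:01")]

if __name__ == "__main__":
    for action in ("protect", "restrict", "shutdown"):
        port = SecurePort(max_addresses=2, action=action)
        print(action, replay(port, FRAMES), "traps:", len(port.traps))
    # Dynamic entries: after the table ages out, a new device can be learned.
    port = SecurePort(max_addresses=2, dynamic=True, aging_time=300)
    print("dynamic", replay(port, FRAMES + [(400, "00:00:5e:00:53:03")]))
```

In the model, a shutdown port stops forwarding even for addresses it has already learned, and a port that stores dynamic addresses accepts a new device once the earlier entries have aged out.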