Configuring Learned Port Security Learned Port Security Overview
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 33-8
Dynamic Configuration of Authorized MAC Addresses
When LPS is configured on a switch port, the learning of source MAC addresses is initiated. An entry
containing the address and the port that learns the MAC address is made in an LPS database table. This
entry is used as a criteria for authorizing future traffic from the source MAC address on that same port. In
other words, the learned MAC addresses are authorized to send traffic through the LPS port.
For example, if the source MAC address 00:da:95:00:59:0c is received on port 2/10 and meets the LPS
restrictions defined for that port, then this address and its port are recorded in the LPS table. All traffic that
is received on port 2/10 is compared to the 00:da:95:00:59:0c entry. If any traffic received on this port
consists of packets that do not contain a matching source address, the packets are then subject to the LPS
source learning time limit window and the criteria for maximum number of addresses allowed.
Static Configuration of Authorized MAC Addresses
It is also possible to statically configure authorized source MAC address entries into the LPS table. This
type of entry behaves the same way as dynamically configured entries providing authorized port access to
traffic that contains a matching source MAC address.
Static source MAC address entries, however, take precedence over dynamically learned entries. For
example, if there are 2 static MAC address entries configured for port 2/1 and the maximum number
allowed on port 2/1 is 10, then only 8 dynamically learned MAC addresses are allowed on this port.
There are three ways to configure a static source MAC address entry in the LPS table:
• Use the LPS port-security mac command to manually configure a static MAC address for one or more
LPS ports.
• Use the LPS learning window no-aging and convert-to-static options (see “Configuring the LPS
Learning Window” on page 33-12 for more information).
• Use the LPS port-security convert-to-static command to manually convert all dynamic addresses on
a specific port to static MAC addresses.
Understanding the LPS Table
The LPS database table is separate from the source learning MAC address table. However, when a MAC
is authorized for learning on an LPS port, an entry is made in the MAC address table in the same manner
as if it was learned on a non-LPS port (see Chapter 3, “Managing Source Learning,” for more
information).
In addition to dynamic and configured source MAC address entries, the LPS table also provides the
following information for each eligible LPS port:
• The LPS status for the port; enabled or disabled.
• The maximum number of MAC addresses allowed on the port.
• The maximum number of MAC addresses that can be filtered on the port.
• The violation mode selected for the port; restrict, discard, or shutdown.
• Statically configured MAC addresses and MAC address ranges.
Note. Statically configured authorized MAC addresses are displayed permanently in the MAC address
table for the specified LPS port; they are not learned on any other port in the same VLAN.
To Next Page
Loading...
Need help?
General
