Configuring Learned Port Security Configuring Learned Port Security
OmniSwitch AOS Release 8 Network Configuration Guide December 2017 page 33-16
Configuring the Trap Threshold for Bridged MAC Addresses
The LPS trap threshold value determines how many bridged MAC addresses the port must learn before a
trap is sent. Once this value is reached, a trap is sent for every MAC learned thereafter.
By default, when one bridged MAC addresses is learned on an LPS port, the switch sends a trap. To
change the trap threshold value, use the port-security learn-trap-threshold command. For example:
-> port-security port learn-trap-threshold 10
Sending a trap when this threshold is reached provides notification of newly learned bridged MAC
addresses. Trap contents includes identifying information about the MAC, such as the address itself, the
corresponding IP address, switch identification, and the slot/port number on which the MAC was learned.
Configuring the Number of Filtered MAC Addresses Allowed
To configure the number of filtered MAC addresses allowed on an LPS port, use the port-security port
max-filtering command. For example, the following command sets the maximum number of filtered
MAC addresses learned on port 9 of slot 5 to 18:
-> port-security port 5/9 max-filtering 18
To specify a maximum number of filtered MAC addresses learned on multiple ports, specify a range of
ports or multiple slots. For example:
-> port-security port 5/9-15 max-filtering 10
-> port-security port 1/1-5 max-filtering 25
If the maximum number of filtered MAC addresses allowed is reached:
• The violation mode configured for the LPS port is applied (see “Selecting the Security Violation
Mode” on page 33-17 for more information).
• An SNMP trap is generated.
• An event is entered into the switch log.
Configuring an Authorized MAC Address Range
By default, each LPS port is set to a range of 00:00:00:00:00:00–ff:ff:ff:ff:ff:ff, which includes all MAC
addresses. If this default is not changed, then addresses received on LPS ports are subject only to the
learning window time and restrictions on the maximum number of MAC addresses allowed for the port.
All MAC addresses that fall within the default or a specific configured range of addresses are dynamically
learned as bridged MAC addresses (up to the maximum of bridged addresses allowed). If a MAC address
falls outside of the specified range, the address is dynamically learned as a filtered MAC address (up to
the maximum of filtered addresses allowed).
To configure a source MAC address range for an LPS port, use the port-security mac-range command.
For example, the following command configures a MAC address range for port 1 on slot 4:
-> port-security port 4/1 mac-range low 00:20:da:00:00:10 high 00:20:da:00:00:50
The following command examples configure a MAC address range for a range of ports:
-> port-security port 4/1-5 mac-range low 00:20:da:00:00:10 high
00:20:da:00:00:50
To Next Page
Loading...
Need help?
General
