
Port security is a Layer 2 traffic control feature on Pica8 switches. It lets an administrator configure individual switch ports to accept ingress traffic from only a specified number of source MAC addresses, which prevents unauthorized devices from gaining access to the network. For this reason port security is normally enabled on access layer switches.

NOTE:

Port security is only supported on the following platforms:

  • AS4610_30T
  • AS4610_30P
  • AS4610_54T
  • AS4610_54P
  • N3048EP-ON
  • N3132PX-ON

Enabling Port Security

Port security is not enabled by default. It can be enabled with default parameters by issuing a single command on an interface:

admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security mac-limit 10
admin@XorPlus# commit 
Merging the configuration.
Commit OK.
Save done.
admin@XorPlus#

Configuring the Maximum Number of Secure Dynamically Learned MAC Addresses

Port security with dynamically learned MAC addresses restricts a port's ingress traffic by limiting the number of source MAC addresses that are allowed to send traffic into the port.

admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security mac-limit 5
admin@XorPlus# commit 
Merging the configuration.
Commit OK.
Save done.
admin@XorPlus# 
admin@XorPlus# run show port-security address 
Secure Mac Address Table
-----------------------------------------------------
Vlan MAC Address Type Interfaces 
---- ----------------- ------- ---------- 
1 00:00:11:11:11:11 dynamic ge-1/1/1 
1 00:00:11:11:11:12 dynamic ge-1/1/1 
1 00:00:11:11:11:13 dynamic ge-1/1/1 
1 00:00:11:11:11:14 dynamic ge-1/1/1 
1 00:00:11:11:11:15 dynamic ge-1/1/1 
-----------------------------------------------------
MAC age time :300s
admin@XorPlus#

Configuring Static Secure MAC Addresses on a Port

Port security with static MAC addresses restricts a port's ingress traffic to the specific MAC addresses configured on the port.

admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security mac-address 00:00:23:23:23:23 vlan 1
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security mac-address 00:00:23:23:23:24 vlan 1
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security mac-address 00:00:23:23:23:25 vlan 1
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security mac-address 00:00:23:23:23:26 vlan 1
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security mac-address 00:00:23:23:23:27 vlan 1
admin@XorPlus# commit 
Merging the configuration.
Commit OK.
Save done.
admin@XorPlus# 
admin@XorPlus# run show port-security address 
Secure Mac Address Table
-----------------------------------------------------
Vlan MAC Address Type Interfaces 
---- ----------------- ------- ---------- 
1 00:00:23:23:23:23 static ge-1/1/1 
1 00:00:23:23:23:24 static ge-1/1/1 
1 00:00:23:23:23:25 static ge-1/1/1 
1 00:00:23:23:23:26 static ge-1/1/1 
1 00:00:23:23:23:27 static ge-1/1/1 
-----------------------------------------------------
MAC age time :300s 
admin@XorPlus# 

Configuring Port Security with Sticky MAC Addresses on a Port

Port security with sticky MAC addresses retains dynamically learned MAC addresses when the link is down and restores the MAC addresses when the link is up.

admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security sticky true
admin@XorPlus# commit 
Merging the configuration.
Commit OK.
Save done.
admin@XorPlus#

Configuring Secure MAC Address Aging Time

The secure MAC aging time is the global MAC table aging time; it applies whether or not port security is configured.

admin@XorPlus# set interface ethernet-switching-options mac-table-aging-time 100
admin@XorPlus# commit 
Merging the configuration.
Commit OK.
Save done.
admin@XorPlus# 

Configuring Port Security Violation Mode on a Port

Port security can be configured to take one of four actions upon detecting a violation:

  • protect (default) - Frames from MAC addresses other than the allowed addresses are dropped. Traffic from allowed addresses is permitted to pass normally.
  • restrict - Like protect mode, but also generates a syslog message and increments the violation counter.
  • shutdown - The interface is placed into the error-discard state, blocking all traffic.
  • shutdown-temp - The interface is placed into the error-discard state, blocking all traffic temporarily. After the recovery timeout (20 seconds by default), the interface comes back up.

admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security violation ?
Possible completions:
protect Drop packets with unknown source addresses
restrict Drop packets with unknown source addresses and log violation
shutdown Disable interface
shutdown-temp Disable interface temporarily(20 seconds for the default)
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security violation restrict 
admin@XorPlus# commit 
Merging the configuration.
Commit OK.
Save done.
admin@XorPlus#

Configuring Port Security Auto-recovery Time

When the port security violation mode is configured to shutdown-temp, the recovery interval can be configured with the command below.

admin@XorPlus# set interface ethernet-switching-options port-error-discard timeout 30
admin@XorPlus# commit 
Merging the configuration.
Commit OK.
Save done.
admin@XorPlus# 

Recovering the Port in Error-discard

When the port security violation mode is configured to shutdown, the port is placed into the error-discard state after a violation is detected. The port can be recovered with the following command.

admin@XorPlus# run clear port-security port-error 
Clear done.
admin@XorPlus#

Configuring Port Security Block Mode on a Port

Port security can be configured to take one of five block actions:

  • all - No traffic is forwarded normally on egress.
  • broadcast - Broadcast packets are blocked on egress, but unknown unicast and multicast packets are forwarded normally.
  • multicast - Only unknown multicast packets are dropped.
  • uni-multi-cast - Unknown unicast and multicast packets are blocked on egress.
  • unicast - Only unknown unicast packets are dropped.

admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security block ?
Possible completions:
all Block broadcast and unknow addresses
broadcast Block broadcast address
multicast Block unknow multicast addresses
uni-multi-cast Block unknow uni/multi cast addresses
unicast Block unknow unicast addresses
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security block broadcast 
admin@XorPlus# commit 
Merging the configuration.
Commit OK.
Save done.
admin@XorPlus# 

Displaying Port Security Settings

To display port security settings, enter this command:

admin@XorPlus# run show port-security address 
Secure Mac Address Table
-----------------------------------------------------
Vlan MAC Address Type Interfaces 
---- ----------------- ------- ---------- 
1 00:00:11:11:11:11 dynamic ge-1/1/1 
1 00:00:11:11:11:12 dynamic ge-1/1/1 
1 00:00:11:11:11:13 dynamic ge-1/1/1 
1 00:00:11:11:11:14 dynamic ge-1/1/1 
1 00:00:11:11:11:15 dynamic ge-1/1/1 
1 00:00:23:23:23:23 static ge-1/1/1 
1 00:00:23:23:23:24 static ge-1/1/1 
1 00:00:23:23:23:25 static ge-1/1/1 
1 00:00:23:23:23:26 static ge-1/1/1 
1 00:00:23:23:23:27 static ge-1/1/1 
-----------------------------------------------------
MAC age time :100s
admin@XorPlus# run show port-security brief 
System MAC limit : 32767 
Secure port DynamicMacLim CurrentAddr ViolationCount Action 
-------------------------------------------------------------------------------
ge-1/1/1 5 10 213940 restrict 
------------------------------------------------------------------------------- 
admin@XorPlus#
admin@XorPlus# run show port-security interface gigabit-ethernet ge-1/1/1 
Interface ge-1/1/1
----------------------------------------
Port security : enabled
Violation action : restrict
Block type : broadcast
Sticky : true
Dynamic MAC limit : 5
Total MAC addresses : 10
Configured MAC addresses : 5
Sticky MAC addresses : 5
Security violation count : 286062
admin@XorPlus#
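As an added example (not Pica8 tooling and not code from this page), the following Python audit parses the "show port-security brief" and "show port-security address" output formats shown above and flags ports that have recorded violations, have filled their dynamic MAC pool, or use the protect action, which drops frames without a syslog message. The sample output is constructed; the port names and counts are hypothetical.

```python
import re
# Constructed sample, laid out like the "show port-security brief" and
# "show port-security address" tables on this page; values are hypothetical.
BRIEF = """\
Secure port DynamicMacLim CurrentAddr ViolationCount Action
-------------------------------------------------------------------------------
ge-1/1/1 2 3 213940 restrict
ge-1/1/2 2 1 0 protect
ge-1/1/3 10 0 0 shutdown
"""
ADDRESSES = """\
1 00:00:11:11:11:11 dynamic ge-1/1/1
1 00:00:11:11:11:12 dynamic ge-1/1/1
1 00:00:23:23:23:23 static ge-1/1/1
1 00:00:aa:bb:cc:01 dynamic ge-1/1/2
"""
PORT_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")
ADDR_RE = re.compile(r"^\d+\s+[0-9A-Fa-f:]{17}\s+(dynamic|static|sticky)\s+(\S+)$")

def parse_brief(text):
    """Map port -> (dynamic limit, current addresses, violation count, action)."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port, limit, current, violations, action = m.groups()
            ports[port] = (int(limit), int(current), int(violations), action)
    return ports

def static_counts(text):
    """Count static (configured) entries per port in the secure address table."""
    counts = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line.strip())
        if m and m.group(1) == "static":
            counts[m.group(2)] = counts.get(m.group(2), 0) + 1
    return counts

def audit(brief=BRIEF, addresses=ADDRESSES):
    """Return sorted (port, finding) pairs for ports that need attention."""
    findings, statics = [], static_counts(addresses)
    for port, (limit, current, violations, action) in parse_brief(brief).items():
        if violations > 0:
            findings.append((port, "violations: %d" % violations))
        # CurrentAddr includes static entries, so the dynamic pool is full
        # once current >= limit + static entries on that port.
        if current >= limit + statics.get(port, 0):
            findings.append((port, "dynamic MAC limit reached; new devices dropped"))
        if action == "protect":
            findings.append((port, "protect mode drops silently; restrict logs to syslog"))
    return sorted(findings)
```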

Disabling Port Security

To disable port security, enter this command:

admin@XorPlus# delete interface gigabit-ethernet ge-1/1/1 port-security 
Deleting: 
port-security {
mac-limit: 5
violation: "restrict"
mac-address 00:00:23:23:23:23 {
vlan 1 {
}
}
mac-address 00:00:23:23:23:24 {
vlan 1 {
}
}
mac-address 00:00:23:23:23:25 {
vlan 1 {
}
}
mac-address 00:00:23:23:23:26 {
vlan 1 {
}
}
mac-address 00:00:23:23:23:27 {
vlan 1 {
}
}
sticky: true
block: "broadcast"
} 
OK 
admin@XorPlus# commit 
Merging the configuration.
Commit OK.
Save done.
admin@XorPlus# 