API Guide
Table Of Contents
- Dell EMC SmartFabric OS10 Security Best Practices Guide May 2021
- Contents
- OS10 security best practices
Port security
Use the port security feature to restrict the number of workstations that can send traffic through an interface and to control
MAC address movement. Port security is a package of the following sub features that provide added security to the system:
1. MAC address learning limit (MLL)
2. Sticky MAC
3. MAC address movement control
Configure the MAC address learning limit
Rationale: Using the MAC address learning limit method, you can set an upper limit on the number of allowed MAC addresses
on an interface. Limiting the MAC addresses protects switches from MAC address flooding attacks. After the configured limit is
reached on an interface, by default, the system drops all traffic from any unknown device. After you enable port security on an
interface, the interface can learn one secure MAC address by default. This limit is applicable for both secure dynamic and secure
static MAC addresses.
Configuration:
1. Enable port security on the system in CONFIGURATION mode.
OS10(config)# switchport port-security
2. Enable port security on an interface in CONFIGURATION mode.
OS10(config)# switchport port-security
OS10(config)# no disable
3. Configure the number of secure MAC addresses that an interface can learn in INTERFACE PORT SECURITY mode:
mac-learn {limit | no-limit}
For the limit keyword, the range is from 0 to 3072. To enable the interface to learn the maximum number of MAC
addresses that the hardware supports, use the no-limit keyword.
MAC address learning limit example
OS10# configure terminal
OS10(config)#interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# end
OS10# write memory
Configure MAC address learning limit violation actions
Rationale: After the number of secure MAC addresses reaches the maximum configured, if an interface receives a frame with
the source MAC address different from any of the learned MAC addresses, the system considers this as a MAC address learning
limit violation.
Configuration:
Use the following commands in INTERFACE PORT SECURITY mode:
● To display which MAC address causes a violation, use the log option. The system also drops the packet.
OS10(config-if-port-sec)#mac-learn limit violation log
● To drop the packet when a MAC address learning limit violation occurs, use the drop option.
OS10(config-if-port-sec)#mac-learn limit violation drop
● To forward the packet when a MAC address learning limit violation occurs, use the flood option. The system does not learn
the MAC address.
OS10(config-if-port-sec)#mac-learn limit violation forward
10
OS10 security best practices