API Guide

Rationale: If the system detects, on a port-security-enabled interface, the same MAC address that it has already learned
through another port-security-enabled interface, by default the system treats this as a MAC address move violation. You
can configure the action taken on a MAC address move violation. You can also configure the system to permit MAC address
movement across port-security-enabled interfaces.
Configuration:
To log which MAC address caused the violation, use the log option. The system also drops the packet.
OS10(config-if-port-sec)#mac-move violation log
To drop the packet when a MAC address movement violation occurs, use the drop option.
OS10(config-if-port-sec)#mac-move violation drop
To shut down the original interface that learned the MAC address on a MAC movement violation, use the shutdown-original option.
OS10(config-if-port-sec)#mac-move violation shutdown-original
To shut down the interface that detected a MAC address already learned by another interface, use the shutdown-offending option.
OS10(config-if-port-sec)#mac-move violation shutdown-offending
To shut down both original and offending interfaces, use the shutdown-both option.
OS10(config-if-port-sec)#mac-move violation shutdown-both
Verify what port security features are enabled and running
Use the following command to verify whether port security is enabled on all interfaces. The command also shows the status
of the port security features. Specify individual interfaces to view their details.
OS10# show switchport port-security interface ethernet 1/1/1
Global Port-security status : Enabled
Interface name : ethernet1/1/1
Port Security : Enabled
Port Status : Up
Mac learn limit : 100
MAC-learn-limit-Violation action : Log
Sticky : Disabled
Mac-move-allow : Not Allowed
Mac-move-violation action : shutdown-both
Aging : Enabled
Total MAC Addresses : 10
Secure static MAC Addresses : 0
Sticky MAC Addresses : 10
Secure Dynamic MAC addresses : 0
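The show output above can be audited automatically. The following Python check is an added example, not part of the guide or of OS10: it parses output in the format shown above and flags interfaces where MAC address movement is permitted or where the mac-move violation action (log or drop) discards the frame but shuts down no interface. The sample output and the policy that a shutdown action is required are assumptions of this example.

```python
# Constructed sample in the format of `show switchport port-security interface`
# shown above; the second interface's values are made up to show a weak setting.
SAMPLE_OUTPUT = """\
Global Port-security status : Enabled
Interface name : ethernet1/1/1
Port Security : Enabled
Mac-move-allow : Not Allowed
Mac-move-violation action : shutdown-both
Interface name : ethernet1/1/2
Port Security : Enabled
Mac-move-allow : Allowed
Mac-move-violation action : log
"""

# Actions that isolate a port on a MAC move; log and drop only discard the frame.
SHUTDOWN_ACTIONS = {"shutdown-original", "shutdown-offending", "shutdown-both"}


def parse_port_security(text):
    """Split the show output into one {field: value} dict per interface."""
    interfaces = []
    current = None
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = (part.strip() for part in line.split(" : ", 1))
        if key == "Interface name":
            current = {key: value}
            interfaces.append(current)
        elif current is not None:
            current[key] = value
    return interfaces


def weak_mac_move_settings(interfaces):
    """Return (interface, reason) pairs where a MAC move is permitted or the
    violation action leaves both ports up (requiring a shutdown action is this
    example's assumed policy, not a requirement stated by the guide)."""
    findings = []
    for intf in interfaces:
        name = intf.get("Interface name", "?")
        if intf.get("Port Security") != "Enabled":
            findings.append((name, "port security disabled"))
            continue
        if intf.get("Mac-move-allow") == "Allowed":
            findings.append((name, "MAC address movement is permitted"))
        action = intf.get("Mac-move-violation action", "").lower()
        if action not in SHUTDOWN_ACTIONS:
            findings.append((name, f"violation action '{action}' shuts down no interface"))
    return findings
```

Run it over the saved output of the show command for every interface; each finding names the interface and the setting to revisit with the mac-move commands above.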
Management plane
These settings apply to the management services and configuration of OS10.
Role-based access control
Role-based access control (RBAC) provides control for access and authorization. Users are granted permissions based on
defined roles. Create user roles based on job functions to allow users appropriate system access. A user can be assigned only a
single role, and many users can have the same role. A user role authenticates and authorizes a user at login.
Enable AAA login authentication
Rationale: Authentication, authorization, and accounting (AAA) services secure networks against unauthorized access. AAA
provides centralized access control for users who want to access the system.
12
OS10 security best practices