Users Guide

664 Port and System Security
Two methods are used to implement Port Security: dynamic locking and static
locking. Static locking further has an optional sticky mode. Dynamic locking
implements a first-arrival mechanism for MAC locking: the first source
addresses seen on the port are locked, up to a configured limit.
The administrator specifies how many dynamic addresses may be learned on
the locked port. If the limit has not been reached, then a packet with an
unknown source MAC address is learned and forwarded normally. If the MAC
address limit has been reached, the packet is discarded. The administrator can
disable dynamic locking (learning) by setting the number of allowable
dynamic entries to zero.
When a Port Security-enabled link goes down, all of the dynamically locked
addresses are freed. When the link is restored, that port can once again learn
MAC addresses up to the administrator specified limit.
A dynamically locked MAC address is eligible to be aged out if another packet
with that MAC address is not seen within the age-out time. Dynamically
locked MAC addresses are also eligible to be relearned on another port if
station movement occurs. Statically locked MAC addresses are not eligible for
aging. If a packet arrives on a port with a source MAC address that is statically
locked on another port, then the packet is discarded.
Static locking allows the administrator to specify a list of host MAC addresses
that are allowed on a port. The behavior of packets is the same as for dynamic
locking: only packets received with a known source MAC address can be
forwarded.
Any packets with source MAC addresses that are not configured are
discarded. The switch treats this as a violation and can send an SNMP port
security trap.
If the specific MAC address (or addresses) that will be connected to a
particular port are known, the administrator can specify those addresses as
static entries. By setting the number of allowable dynamic entries to zero,
only packets with a source MAC address matching a MAC address in the
static list are forwarded.
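As an added illustration (not vendor code or switch configuration), the following Python model implements the locking rules described in this section so they can be exercised on constructed frames: learning up to the dynamic limit, discarding and trapping on a violation, age-out, station movement, freeing of dynamic entries on link down, and the sticky conversion described under sticky mode below. The `Switch` and `PortSecurity` classes, the port names and the MAC addresses are constructed for the example; two behaviours the page does not specify are marked as assumptions in the code (sticky entries count against the dynamic limit, and a sticky address seen on another port is treated like a statically locked one).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FORWARD, DISCARD = "forward", "discard"


@dataclass
class PortSecurity:
    """Per-port locking state (constructed model, not vendor code)."""
    max_dynamic: int                                  # allowable dynamic entries; 0 disables learning
    static: Set[str] = field(default_factory=set)     # statically locked MACs, never aged
    sticky_mode: bool = False
    sticky: Set[str] = field(default_factory=set)     # sticky MACs: never aged, kept in running-config
    dynamic: Dict[str, float] = field(default_factory=dict)  # dynamically locked MAC -> last seen
    traps: List[Tuple[str, str]] = field(default_factory=list)  # (reason, MAC) violations to trap


class Switch:
    def __init__(self, age_out: float = 300.0):
        self.age_out = age_out                        # age-out time in seconds (assumed default)
        self.ports: Dict[str, PortSecurity] = {}

    def add_port(self, name: str, max_dynamic: int, static=()) -> PortSecurity:
        self.ports[name] = PortSecurity(max_dynamic=max_dynamic, static=set(static))
        return self.ports[name]

    def _owner(self, mac: str) -> Optional[Tuple[str, str]]:
        for name, p in self.ports.items():            # port on which mac is locked, as (port, kind)
            for kind in ("static", "sticky", "dynamic"):
                if mac in getattr(p, kind):
                    return name, kind
        return None

    def link_down(self, name: str) -> None:
        self.ports[name].dynamic.clear()              # dynamically locked addresses are freed;
        # static and sticky entries are configuration and survive (assumption for sticky)

    def age(self, now: float) -> None:
        for p in self.ports.values():                 # expire idle dynamic entries; static/sticky exempt
            for mac, seen in list(p.dynamic.items()):
                if now - seen >= self.age_out:
                    del p.dynamic[mac]

    def enable_sticky(self, name: str) -> None:
        p = self.ports[name]
        p.sticky_mode = True
        p.sticky.update(p.dynamic)                    # existing dynamic entries become sticky
        p.dynamic.clear()

    def receive(self, name: str, src_mac: str, now: float) -> Tuple[str, str]:
        """Apply the locking rules to one ingress frame; returns (action, reason)."""
        p = self.ports[name]
        if src_mac in p.static or src_mac in p.sticky:
            return FORWARD, "locked on this port"
        if src_mac in p.dynamic:
            p.dynamic[src_mac] = now                  # refresh the age-out timer
            return FORWARD, "dynamic entry refreshed"
        owner = self._owner(src_mac)
        if owner is not None:
            other, kind = owner
            if kind != "dynamic":                     # static (and, by assumption, sticky) on another port
                p.traps.append(("locked on another port", src_mac))
                return DISCARD, f"{kind} on {other}"
            del self.ports[other].dynamic[src_mac]    # station movement: relearn on this port
        # sticky entries count against the limit here (assumption; the page does not say)
        if len(p.dynamic) + len(p.sticky) >= p.max_dynamic:
            p.traps.append(("limit reached", src_mac))
            return DISCARD, "limit reached"
        if p.sticky_mode:
            p.sticky.add(src_mac)
        else:
            p.dynamic[src_mac] = now
        return FORWARD, "learned"


def demo():
    """Constructed traffic exercising the rules; returns (trace, switch)."""
    sw = Switch(age_out=60.0)
    sw.add_port("g1", max_dynamic=2)
    sw.add_port("g2", max_dynamic=0, static={"02:00:00:00:00:aa"})   # static list only
    sw.add_port("g3", max_dynamic=1)
    frames = [                              # (port, source MAC, time): constructed sample traffic
        ("g1", "02:00:00:00:00:01", 0.0),   # learned (1 of 2)
        ("g1", "02:00:00:00:00:02", 1.0),   # learned (2 of 2)
        ("g1", "02:00:00:00:00:03", 2.0),   # discarded: limit reached, trap
        ("g2", "02:00:00:00:00:aa", 3.0),   # forwarded: in g2's static list
        ("g2", "02:00:00:00:00:bb", 4.0),   # discarded: learning disabled on g2, trap
        ("g1", "02:00:00:00:00:aa", 5.0),   # discarded: statically locked on g2, trap
    ]
    trace = [(port, mac, sw.receive(port, mac, t)[0]) for port, mac, t in frames]
    sw.age(70.0)                             # both g1 entries idle longer than 60 s: freed
    trace.append(("g1", "02:00:00:00:00:03", sw.receive("g1", "02:00:00:00:00:03", 71.0)[0]))  # learned
    trace.append(("g3", "02:00:00:00:00:03", sw.receive("g3", "02:00:00:00:00:03", 72.0)[0]))  # moved
    sw.enable_sticky("g3")                   # 03 converted to sticky
    sw.age(10_000.0)                         # sticky entries never age
    trace.append(("g3", "02:00:00:00:00:03", sw.receive("g3", "02:00:00:00:00:03", 10_001.0)[0]))
    return trace, sw
```

Running `demo()` returns the per-frame actions together with the switch state, so the trap lists and lock tables can be inspected afterwards. The practical point the trace makes is that with the dynamic limit set to zero and a static list configured, anything not listed is dropped and trapped, whereas dynamic locking on its own still lets an unknown station claim a slot once the legitimate host has been idle past the age-out time or the link has flapped.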
Enabling sticky mode converts all existing dynamically learned MAC
addresses on an interface to sticky addresses: they do not age out and they
appear in the running-config. New addresses learned on the interface also
become sticky. Note that sticky is not the same as static