Users Guide

Network security
An OS10 switch has security features to restrict network traffic, protect the network from attacks, and prevent unauthorized
access to the network.
Access control lists
Access control lists (ACLs) restrict network traffic using policies and improve network performance. For more information about
ACLs, see Access control lists.
DHCP snooping
DHCP snooping protects your network from attacks by monitoring the DHCP messages and blocking untrusted or rogue DHCP
servers. For more information about DHCP snooping, see DHCP snooping.
802.1X port access control
802.1X defines access control that prevents unauthorized devices or users from connecting to a network. For more information
about 802.1X, see 802.1X.
Port security
Use the port security feature to restrict the number of workstations that can send traffic through an interface and to control
MAC address movement.
Port security is a package of the following sub features that provide added security to the system:
1. MAC address learning limit (MLL)
2. Sticky MAC
3. MAC address movement control
Use the port security feature to define the number of workstations that can send traffic through an interface. MAC addresses
that are learned or statically configured on a port-security-enabled interface are called secure MAC addresses.
NOTE: Port security features are not supported in a VLT setup.
There are three types of secure MAC addresses:
1. Static secure MAC addresses are configured manually. These MAC addresses are stored both in the MAC address table
and in the running configuration of the switch. Similar to static MAC addresses, when the system reloads, the system does
not remove the static secure MAC addresses. When you enable port security on an interface, all existing static MAC
addresses become static secure MAC addresses. These static secure MAC addresses remain in the system until you remove
them.
2. Dynamic secure MAC addresses are dynamically learned by the switch and stored in the MAC address table. These MAC
addresses are removed from the MAC address table when the switch restarts. By default, dynamic secure MAC addresses
do not age out.
3. Sticky secure MAC addresses are learned dynamically but are saved in the running configuration. Sticky secure MAC
addresses never age out.
After you enable port security on an interface, by default, the maximum number of MAC addresses that the interface can learn is
one. This limit applies to both dynamic and static secure MAC addresses. After you enable port security on an interface, by
default, sticky MAC addresses and MAC movement are disabled on the interface.
MAC address learning limit
Using the MAC address learning limit method, you can set an upper limit on the number of allowed MAC addresses on an
interface. Limiting the MAC addresses protects switches from MAC address flooding attacks. After the configured limit is
reached on an interface, by default, the system drops all traffic from any unknown device.
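The learning limit and the three secure MAC address types described above, modelled in Python as an added example (this is not Dell or OS10 code). The class, method, and function names are hypothetical, and two behaviors are assumptions the guide does not state: a static entry beyond the limit is rejected, and sticky entries are kept across a restart.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Toy model of one port-security-enabled interface (hypothetical, not OS10 code)."""
    limit: int = 1        # page: default learning limit is one
    sticky: bool = False  # page: sticky MAC is disabled by default
    table: dict = field(default_factory=dict)    # MAC -> "static" | "dynamic" | "sticky"
    dropped: list = field(default_factory=list)  # source MACs refused after the limit

    def add_static(self, mac):
        """Configure a static secure MAC; static entries count toward the limit."""
        mac = mac.lower()
        if mac not in self.table and len(self.table) >= self.limit:
            raise ValueError("learning limit reached")  # assumption: page does not say
        self.table[mac] = "static"

    def receive(self, src_mac):
        """Handle one frame's source MAC; return True if the frame is forwarded."""
        mac = src_mac.lower()
        if mac in self.table:
            return True
        if len(self.table) < self.limit:
            self.table[mac] = "sticky" if self.sticky else "dynamic"
            return True
        self.dropped.append(mac)  # page: default action drops unknown devices
        return False

    def running_config(self):
        """Secure MACs that the page says are stored in the running configuration."""
        return sorted(m for m, k in self.table.items() if k in ("static", "sticky"))

    def restart(self):
        """Page: dynamic entries are removed on restart and static ones are kept.
        Assumption: sticky entries are kept too (configuration was saved)."""
        self.table = {m: k for m, k in self.table.items() if k != "dynamic"}

def simulate_flood(port, frames):
    """Constructed input: `frames` frames, each from a different locally administered MAC."""
    forwarded = sum(port.receive(f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")
                    for i in range(frames))
    return forwarded, len(port.dropped)

if __name__ == "__main__":
    port = SecurePort(limit=3)
    port.add_static("AA:BB:CC:00:00:01")
    print(simulate_flood(port, 1000))   # forwarded, dropped
    port.restart()
    print(port.table)
```

The MAC address table never grows past the configured limit no matter how many distinct source addresses arrive, which is what protects the switch from MAC address flooding.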