Dell PowerSwitch S4112F-ON SmartFabric OS10 Security Best Practices Guide July - Page 10

Sticky MAC addresses configuration example, MAC address movement


MAC address learning limit violation actions configuration example

OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# mac-learn limit violation shutdown
OS10(config-if-port-sec)# end
OS10# write memory

Configure sticky MAC addresses

Rationale: When you reload the system, port security removes the dynamically learned secure MAC addresses. You can use the sticky feature to make the dynamically learned secure MAC addresses persist even after a system reboot, so that the interface does not have to learn these MAC addresses again.

Configuration: Enter the following command in INTERFACE PORT SECURITY mode:

sticky

NOTE: Before enabling sticky MAC address learning, ensure that you restrict the number of MAC addresses that an interface can learn using the mac-learn limit command.

Sticky MAC addresses configuration example

OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# sticky
OS10(config-if-port-sec)# end
OS10# write memory

MAC address movement

Rationale: A MAC address movement happens when the system detects the same MAC address on an interface which it has already learned through another port-security-enabled interface on the same broadcast domain. MAC address movement is not allowed for secure static and sticky MAC addresses. By default, MAC address movement for dynamically learned MAC addresses is disabled on the system. Secure dynamic MAC address movement is allowed between port-security-enabled and port-security-disabled interfaces.

Configuration: Use the following command in INTERFACE PORT SECURITY mode:

OS10(config-if-port-sec)# mac-move allow
OS10(config-if-port-sec)# end
OS10# write memory

MAC address movement configuration example

OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# mac-move allow
OS10(config-if-port-sec)# end
OS10# write memory

Configure MAC address movement violation actions

Rationale: If the system detects the same MAC address on a port-security-enabled interface which it has already learned through another port-security-enabled interface, by default the system considers this a MAC address move violation. You can configure MAC address move violation actions. You can also configure the system to permit MAC address movement across port-security-enabled interfaces.

Configuration:
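The following is an added illustrative model of the port-security behaviour this page describes (learning limit with the shutdown violation action, sticky persistence across a reload, and MAC address movement rules). It is not OS10 code and does not reproduce the switch's real forwarding logic; the port names, MAC addresses and the Port/Switch classes are constructed for the example. Two points are assumptions because the page does not spell them out: `mac-move allow` is modelled as a permission configured on the interface that currently owns the MAC address, and a MAC move violation is modelled simply as the frame being refused and an event being logged, rather than as any specific configurable action.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Port:
    """Constructed model of one interface's port-security settings."""
    name: str
    port_security: bool = False        # "switchport port-security" + "no disable"
    learn_limit: Optional[int] = None  # "mac-learn limit N"
    limit_violation: str = "log"       # "shutdown" is the action shown on the page; "log" is a constructed default
    sticky: bool = False               # "sticky": learned MACs survive a reload
    mac_move_allow: bool = False       # "mac-move allow" (disabled by default per the page)
    shutdown: bool = False
    secure_macs: Dict[str, str] = field(default_factory=dict)  # mac -> "dynamic" | "sticky" | "static"


class Switch:
    def __init__(self) -> None:
        self.ports: Dict[str, Port] = {}
        self.fdb: Dict[str, str] = {}   # mac -> name of the port it is currently learned on
        self.events: List[str] = []

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def learn(self, mac: str, port_name: str) -> str:
        """Process a source MAC seen on port_name; returns the outcome as a string."""
        port = self.ports[port_name]
        if port.shutdown:
            return "dropped: port shut down"
        owner = self.fdb.get(mac)
        if owner is not None and owner != port_name:
            src = self.ports[owner]
            # A move between two port-security-enabled interfaces is subject to the rules;
            # a move to a port-security-disabled interface is always allowed (per the page).
            if src.port_security and port.port_security:
                kind = src.secure_macs.get(mac)
                # Static and sticky secure MACs never move; dynamic ones need mac-move allow
                # (assumption: the permission is checked on the owning interface).
                if kind in ("static", "sticky") or not src.mac_move_allow:
                    self.events.append(f"mac-move violation: {mac} {owner} -> {port_name}")
                    return "violation: mac-move"
            src.secure_macs.pop(mac, None)
            del self.fdb[mac]
        if port.port_security and mac not in port.secure_macs:
            if port.learn_limit is not None and len(port.secure_macs) >= port.learn_limit:
                self.events.append(f"mac-learn limit violation: {mac} on {port_name}")
                if port.limit_violation == "shutdown":
                    port.shutdown = True
                    return "violation: limit (port shut down)"
                return "violation: limit"
            port.secure_macs[mac] = "sticky" if port.sticky else "dynamic"
        self.fdb[mac] = port_name
        return "learned"

    def reload(self) -> None:
        """Model a system reload: dynamic secure MACs are flushed, sticky/static ones persist."""
        self.fdb = {}
        for p in self.ports.values():
            p.secure_macs = {m: k for m, k in p.secure_macs.items() if k != "dynamic"}
            for m in p.secure_macs:
                self.fdb[m] = p.name


def demo() -> Dict[str, object]:
    """Walk through the three scenarios on the page with constructed ports and MACs."""
    sw = Switch()
    eth1 = Port("ethernet1/1/1", port_security=True, learn_limit=2, limit_violation="shutdown")
    eth2 = Port("ethernet1/1/2", port_security=True, learn_limit=100, sticky=True, mac_move_allow=True)
    eth3 = Port("ethernet1/1/3", port_security=True, learn_limit=100, mac_move_allow=True)
    eth4 = Port("ethernet1/1/4", port_security=True, learn_limit=100)   # mac-move left at default
    eth5 = Port("ethernet1/1/5")                                          # no port security
    for p in (eth1, eth2, eth3, eth4, eth5):
        sw.add_port(p)
    r: Dict[str, object] = {}
    # 1. Learning limit of 2 with the shutdown violation action.
    r["limit_ok"] = [sw.learn("00:00:5e:00:53:01", eth1.name), sw.learn("00:00:5e:00:53:02", eth1.name)]
    r["limit_violation"] = sw.learn("00:00:5e:00:53:03", eth1.name)
    r["after_shutdown"] = sw.learn("00:00:5e:00:53:01", eth1.name)
    # 2. Sticky versus dynamic secure MACs across a reload.
    sw.learn("00:00:5e:00:53:10", eth2.name)
    sw.learn("00:00:5e:00:53:20", eth3.name)
    sw.reload()
    r["sticky_persists"] = "00:00:5e:00:53:10" in eth2.secure_macs
    r["dynamic_flushed"] = "00:00:5e:00:53:20" not in eth3.secure_macs
    # 3. MAC address movement rules.
    sw.learn("00:00:5e:00:53:30", eth4.name)
    r["move_default_denied"] = sw.learn("00:00:5e:00:53:30", eth3.name)   # eth4 has no mac-move allow
    r["move_to_unsecured_ok"] = sw.learn("00:00:5e:00:53:30", eth5.name)  # to a non-port-security port
    sw.learn("00:00:5e:00:53:40", eth3.name)
    r["move_allowed"] = sw.learn("00:00:5e:00:53:40", eth4.name)          # eth3 has mac-move allow
    r["sticky_move_denied"] = sw.learn("00:00:5e:00:53:10", eth3.name)    # sticky on eth2, never moves
    r["events"] = list(sw.events)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model makes the operational point of the NOTE above visible: because sticky entries survive a reload, a port without a learning limit would accumulate them indefinitely, which is why the limit is configured before `sticky`. It also shows why the default of disallowing moves between secured interfaces matters for detection: a MAC appearing on a second secured port produces a logged violation event rather than silently relocating.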
10
OS10 security best practices