Dell PowerSwitch S4112F-ON SmartFabric OS10 Security Best Practices Guide July - Page 9



Port security

Use the port security feature to restrict the number of workstations that can send traffic through an interface and to control MAC address movement. Port security is a package of the following sub-features that provide added security to the system:

1. MAC address learning limit (MLL)
2. Sticky MAC
3. MAC address movement control

Configure the MAC address learning limit

Rationale: Using the MAC address learning limit method, you can set an upper limit on the number of allowed MAC addresses on an interface. Limiting the MAC addresses protects switches from MAC address flooding attacks. After the configured limit is reached on an interface, by default, the system drops all traffic from any unknown device. After you enable port security on an interface, the interface can learn one secure MAC address by default. This limit applies to both secure dynamic and secure static MAC addresses.

Configuration:

1. Enable port security on the system in CONFIGURATION mode.
   OS10(config)# switchport port-security
2. Enable port security on an interface in CONFIGURATION mode.
   OS10(config)# switchport port-security
   OS10(config)# no disable
3. Configure the number of secure MAC addresses that an interface can learn in INTERFACE PORT SECURITY mode:
   mac-learn {limit | no-limit}
   For the limit keyword, the range is from 0 to 3072. To enable the interface to learn the maximum number of MAC addresses that the hardware supports, use the no-limit keyword.

MAC address learning limit example

OS10# configure terminal
OS10(config)# interface ethernet 1/1/1
OS10(config-if-eth1/1/1)# switchport port-security
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)# mac-learn limit 100
OS10(config-if-port-sec)# end
OS10# write memory

Configure MAC address learning limit violation actions

Rationale: After the number of secure MAC addresses reaches the configured maximum, if an interface receives a frame with a source MAC address different from any of the learned MAC addresses, the system considers this a MAC address learning limit violation.

Configuration: Use the following commands in INTERFACE PORT SECURITY mode:

• To display which MAC address causes a violation, use the log option. The system also drops the packet.
  OS10(config-if-port-sec)# mac-learn limit violation log
• To drop the packet when a MAC address learning limit violation occurs, use the drop option.
  OS10(config-if-port-sec)# mac-learn limit violation drop
• To forward the packet when a MAC address learning limit violation occurs, use the forward option. The system does not learn the MAC address.
  OS10(config-if-port-sec)# mac-learn limit violation forward
• To shut down an interface on a MAC address learning limit violation, use the shutdown option.
  OS10(config-if-port-sec)# mac-learn limit violation shutdown
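The two procedures above (the learning limit and the violation action) are easy to configure on one port and forget on the next, so a practitioner usually wants a way to audit a saved configuration against this guidance. The following Python script is an added example, not Dell's code and not part of this guide: it parses the interface stanzas of a constructed running-config excerpt written in the command syntax shown on this page, extracts the port-security state per interface (global enable, per-interface enable, no disable, mac-learn limit, violation action) and reports interfaces that are unprotected, still disabled, configured with a limit outside the 0 to 3072 range, or set to no-limit or the forward action. The interface names, descriptions and values in SAMPLE_CONFIG are constructed, and the exact layout of a real running-config may differ from this sample.

```python
"""Audit port-security settings in a SmartFabric OS10 running-config excerpt.

Added example (not Dell's code). The stanza layout below is an assumption
made for this script; adapt the parser if your running-config renders the
port-security sub-mode differently.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

MAX_LIMIT = 3072          # upper bound of the mac-learn limit range (this page)
DEFAULT_LIMIT = 1         # an interface learns one secure MAC address by default
DEFAULT_ACTION = "drop"   # frames from unknown devices are dropped by default
VALID_ACTIONS = {"log", "drop", "forward", "shutdown"}

# Constructed sample config, not captured from a real switch.
SAMPLE_CONFIG = """\
!
switchport port-security
!
interface ethernet1/1/1
 description access-port-A
 switchport port-security
  no disable
  mac-learn limit 100
  mac-learn limit violation shutdown
!
interface ethernet1/1/2
 description access-port-B
 switchport port-security
  no disable
  mac-learn no-limit
  mac-learn limit violation forward
!
interface ethernet1/1/3
 description uplink-to-core
 no shutdown
!
interface ethernet1/1/4
 switchport port-security
  mac-learn limit 5000
  mac-learn limit violation log
!
"""

@dataclass
class PortSecurity:
    name: str
    enabled: bool = False                   # 'switchport port-security' under the interface
    active: bool = False                    # 'no disable' in INTERFACE PORT SECURITY mode
    limit: Optional[int] = DEFAULT_LIMIT    # None represents 'mac-learn no-limit'
    action: str = DEFAULT_ACTION
    findings: list = field(default_factory=list)

LIMIT_RE = re.compile(r"^mac-learn limit (\d+)$")
VIOLATION_RE = re.compile(r"^mac-learn limit violation (\S+)$")

def parse_config(text):
    """Return (global_enabled, {interface_name: PortSecurity}) from a config excerpt."""
    global_enabled = False
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":         # '!' separates stanzas
            current = None
            continue
        if not raw.startswith(" "):         # top-level (CONFIGURATION mode) command
            current = None
            if line.startswith("interface "):
                current = PortSecurity(line.split(" ", 1)[1])
                interfaces[current.name] = current
            elif line == "switchport port-security":
                global_enabled = True
            continue
        if current is None:
            continue
        # indented lines belong to the current interface stanza
        if line == "switchport port-security":
            current.enabled = True
        elif line == "no disable":
            current.active = True
        elif line == "mac-learn no-limit":
            current.limit = None
        elif (m := VIOLATION_RE.match(line)):
            current.action = m.group(1)
        elif (m := LIMIT_RE.match(line)):
            current.limit = int(m.group(1))
    return global_enabled, interfaces

def audit(text):
    """Return {interface_name: [findings]} for interfaces that deviate from the guidance."""
    global_enabled, interfaces = parse_config(text)
    report = {}
    for name, ps in interfaces.items():
        f = ps.findings
        if not ps.enabled:
            f.append("port security not configured on interface")
        else:
            if not global_enabled:
                f.append("port security not enabled in CONFIGURATION mode")
            if not ps.active:
                f.append("port security configured but still disabled: missing 'no disable'")
            if ps.limit is None:
                f.append("mac-learn no-limit: learns up to the hardware maximum, weakening MAC flooding protection")
            elif not 0 <= ps.limit <= MAX_LIMIT:
                f.append(f"mac-learn limit {ps.limit} is outside the valid range 0-{MAX_LIMIT}")
            if ps.action not in VALID_ACTIONS:
                f.append(f"unknown violation action '{ps.action}'")
            elif ps.action == "forward":
                f.append("violation action 'forward' passes frames from unknown MAC addresses instead of dropping them")
        if f:
            report[name] = f
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name)
        for item in findings:
            print("  -", item)
```

Run it against the output of `show running-configuration` saved to a file instead of SAMPLE_CONFIG; ethernet1/1/1 in the sample is the only port that passes every check, which matches the configuration example on this page (limit 100, a drop-or-shutdown style action, and `no disable` applied).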