Alcatel-Lucent 6600 Switch User Manual

Configuring Learned Port Security: Learned Port Security Overview
OmniSwitch 6600 Family Network Configuration Guide, April 2006, page 3-5

How LPS Authorizes Source MAC Addresses
When a packet is received on a port that has LPS enabled, switch software checks the following criteria to determine if the source MAC address contained in the packet is allowed on the port:
Is the source learning time window open?
Is the number of MAC addresses learned on the port below the maximum number allowed?
Is there a configured authorized MAC address entry for the LPS port that matches the packet’s source MAC address?
Using the above criteria, the following table shows the conditions under which a MAC address is learned
or blocked on an LPS port:
When a source MAC address violates any of the LPS conditions, the address is considered unauthorized.
The LPS violation mode determines if the unauthorized MAC address is simply blocked on the port or if
the entire port is disabled (see “Selecting the Security Violation Mode” on page 3-10). Regardless of
which mode is selected, notice is sent to the Switch Logging task to indicate that a violation has occurred.
Dynamic Configuration of Authorized MAC Addresses
Once LPS authorizes the learning of a source MAC address, an entry containing the address and the port it
was learned on is made in an LPS database table. This entry is then used as criteria for authorizing future
traffic from this source MAC on that same port. In other words, learned authorized MAC addresses
become configured criteria for an LPS port.
For example, if the source MAC address 00:da:95:00:59:0c is received on port 2/10 and meets the LPS
restrictions defined for that port, then this address and its port are recorded in the LPS table. All traffic that
is received on port 2/10 is compared to the 00:da:95:00:59:0c entry. If any traffic received on this port
consists of packets that do not contain a matching source address, the packets are then subject to the LPS
source learning time limit window and the maximum number of addresses allowed criteria.
When a dynamically configured MAC address is added to the LPS table, it does not become a configured
MAC address entry in the LPS table until the switch configuration file is saved and the switch is rebooted.
If a reboot occurs before this is done, all dynamically learned MAC addresses in the LPS table are cleared.
Time Limit   Max Number   Configured MAC             Result
----------   ----------   ------------------------   -----------------------------
Open         Below        No entry                   No LPS violation; MAC learned
Closed       Below        No entry                   LPS violation; MAC blocked
Open         Above        No entry                   LPS violation; MAC blocked
Open         Below        Yes; entry matches         No LPS violation; MAC learned
Closed       Below        Yes; entry matches         No LPS violation; MAC learned
Open         Above        Yes; entry matches         LPS violation; MAC blocked
Open         Below        Yes; entry doesn’t match   No LPS violation; MAC learned
Closed       Below        Yes; entry doesn’t match   LPS violation; MAC blocked
Open         Above        Yes; entry doesn’t match   LPS violation; MAC blocked
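The decision table above and the port 2/10 example under “Dynamic Configuration of Authorized MAC Addresses” can be exercised with the following simulation. It is an added example, not code from the manual or from Alcatel-Lucent: authorize() encodes the nine tabulated rows, and LpsPort models a port’s LPS table, forwarding traffic whose source already matches an entry and sending only non-matching sources through the time window and maximum-count checks, as the port 2/10 example describes. The function and class names, the boolean window_open flag standing in for the learning timer, counting only dynamically learned addresses against the maximum, blocking the Closed/Above combinations the table does not list, and the reboot() behaviour are all assumptions of the example rather than documented switch behaviour.

```python
"""Simulation of LPS source-MAC authorization on an OmniSwitch port.

Added example; the data structures, names and the boolean window flag are
assumptions, not taken from the OmniSwitch 6600 manual.
"""
from dataclasses import dataclass, field

LEARNED = "No LPS violation; MAC learned"
BLOCKED = "LPS violation; MAC blocked"


def authorize(window_open: bool, below_max: bool, configured: str) -> str:
    """Decision table from the manual, one call per received packet.

    configured is one of:
      "none"     - no configured authorized MAC entry exists for the port
      "match"    - an entry exists and matches the packet's source MAC
      "mismatch" - entries exist but none matches the source MAC
    Returns LEARNED or BLOCKED.
    """
    if configured not in ("none", "match", "mismatch"):
        raise ValueError(f"unknown configured state {configured!r}")
    # Exceeding the maximum blocks the address in every tabulated row,
    # even when a configured entry matches. (Closed/Above rows are not in
    # the manual's table; this example blocks them as well - an assumption.)
    if not below_max:
        return BLOCKED
    # While the learning window is open, any address within the limit is learned.
    if window_open:
        return LEARNED
    # With the window closed, only a matching configured entry is accepted.
    return LEARNED if configured == "match" else BLOCKED


@dataclass
class LpsPort:
    """One LPS-enabled port and its LPS table (constructed model)."""
    name: str
    max_addresses: int
    window_open: bool = True
    static_entries: set = field(default_factory=set)   # administrator-configured
    learned: set = field(default_factory=set)          # dynamically learned
    violations: list = field(default_factory=list)     # what Switch Logging would get

    def receive(self, src_mac: str) -> str:
        """Process one packet; returns 'forwarded', 'learned' or 'blocked'."""
        src_mac = src_mac.lower()
        entries = self.static_entries | self.learned
        # Traffic whose source already matches an entry on this port passes;
        # only non-matching sources go through the window and maximum checks.
        if src_mac in entries:
            return "forwarded"
        configured = "mismatch" if entries else "none"
        # Assumption: only dynamically learned addresses count against the limit.
        below_max = len(self.learned) < self.max_addresses
        result = authorize(self.window_open, below_max, configured)
        if result == LEARNED:
            self.learned.add(src_mac)
            return "learned"
        self.violations.append(f"port {self.name}: unauthorized source {src_mac}")
        return "blocked"

    def reboot(self, config_saved: bool) -> None:
        """Learned entries survive a reboot only if the configuration was saved
        first; they then become configured entries. Otherwise they are cleared."""
        if config_saved:
            self.static_entries |= self.learned
        self.learned.clear()


def demo_port_2_10() -> list:
    """Replay the manual's port 2/10 scenario on a port that allows 2 addresses."""
    port = LpsPort("2/10", max_addresses=2)
    events = [
        port.receive("00:da:95:00:59:0c"),  # window open, below max: learned
        port.receive("00:da:95:00:59:0c"),  # matches its own entry: forwarded
        port.receive("00:da:95:00:59:0d"),  # constructed second address: learned
        port.receive("00:da:95:00:59:0e"),  # constructed third address: blocked
    ]
    port.window_open = False                # learning window has closed
    events.append(port.receive("00:da:95:00:59:0c"))  # still matches: forwarded
    port.reboot(config_saved=False)         # learned entries are lost
    events.append(port.receive("00:da:95:00:59:0c"))  # closed, no entry: blocked
    return events


if __name__ == "__main__":
    for outcome in demo_port_2_10():
        print(outcome)
```

Running the module prints the six outcomes of the port 2/10 replay; the last one shows why the manual insists on saving the configuration before a reboot, since an unsaved learned entry disappears and the address is treated as unauthorized once the window has closed.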