Configuring Learned Port Security
How LPS Authorizes Source MAC Addresses
When a packet is received on a port that has LPS enabled, switch software checks the following criteria to
determine if the source MAC address contained in the packet is allowed on the port:
• Is the source learning time window open?
• Is the number of MAC addresses learned on the port below the maximum number allowed?
• Is there a configured authorized MAC address entry for the LPS port that matches the packet's source
MAC address?
Using the above criteria, the following table shows the conditions under which a MAC address is learned
or blocked on an LPS port:
Time Limit   Max Number   Configured MAC              Result
Open         Below        No entry                    No LPS violation; MAC learned
Closed       Below        No entry                    LPS violation; MAC blocked
Open         Above        No entry                    LPS violation; MAC blocked
Open         Below        Yes; entry matches          No LPS violation; MAC learned
Closed       Below        Yes; entry matches          No LPS violation; MAC learned
Open         Above        Yes; entry matches          LPS violation; MAC blocked
Open         Below        Yes; entry doesn't match    No LPS violation; MAC learned
Closed       Below        Yes; entry doesn't match    LPS violation; MAC blocked
Open         Above        Yes; entry doesn't match    LPS violation; MAC blocked

When a source MAC address violates any of the LPS conditions, the address is considered unauthorized.
The LPS violation mode determines if the unauthorized MAC address is simply blocked (filtered) on the
port or if the entire port is disabled (see "Selecting the Security Violation Mode" on page 3-11). Regardless
of which mode is selected, notice is sent to the Switch Logging task to indicate that a violation has
occurred.
Dynamic Configuration of Authorized MAC Addresses
Once LPS authorizes the learning of a source MAC address, an entry containing the address and the port it
was learned on is made in an LPS database table. This entry is then used as criteria for authorizing future
traffic from this source MAC on that same port. In other words, learned authorized MAC addresses
become configured criteria for an LPS port.
For example, if the source MAC address 00:da:95:00:59:0c is received on port 2/10 and meets the LPS
restrictions defined for that port, then this address and its port are recorded in the LPS table. All traffic that
is received on port 2/10 is compared to the 00:da:95:00:59:0c entry. If any traffic received on this port
consists of packets that do not contain a matching source address, the packets are then subject to the LPS
source learning time limit window and the maximum number of addresses allowed criteria.
When a dynamically learned MAC address is added to the LPS table, it does not become a configured
MAC address entry in the LPS table until the switch configuration file is saved and the switch is rebooted.
If the switch reboots before the configuration is saved, all dynamically learned MAC addresses in the LPS
table are cleared.
OmniSwitch AOS Release 6 Network Configuration Guide, September 2009, page 3-5
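The decision table and the dynamic-learning behaviour above, modelled as an added example (not code from the OmniSwitch guide or from AOS): a small Python simulation of one LPS port. The class, method and mode names (LpsPort, receive, reboot, "restrict"/"shutdown") are this example's own labels for the behaviours the text describes, every MAC address other than 00:da:95:00:59:0c is constructed sample traffic, and the rule that a matching configured entry ignores a closed learning window but not the maximum-count limit is read directly from rows 4 to 6 of the table. How the learning window behaves after a reboot is not stated on the page, so the model leaves it as the caller set it.

```python
"""Model of the LPS source-MAC authorization logic described above.

Added example, not OmniSwitch code. Names (LpsPort, receive, reboot, the
"restrict"/"shutdown" mode labels) are this example's own; the rules are the
nine rows of the decision table plus the dynamic-learning paragraphs.
"""
from dataclasses import dataclass, field
from typing import List, Set

LEARNED = "No LPS violation; MAC learned"
BLOCKED = "LPS violation; MAC blocked"
PORT_DISABLED = "LPS violation; port disabled"


@dataclass
class LpsPort:
    name: str                          # e.g. "2/10"
    max_macs: int                      # maximum number of MACs allowed on the port
    window_open: bool = True           # is the source learning time window still open?
    violation_mode: str = "restrict"   # "restrict": filter the MAC; "shutdown": disable the port
    configured: Set[str] = field(default_factory=set)  # configured (static) authorized MACs
    learned: Set[str] = field(default_factory=set)     # dynamically learned authorized MACs
    filtered: Set[str] = field(default_factory=set)    # MACs blocked by a restrict-mode violation
    enabled: bool = True
    log: List[str] = field(default_factory=list)       # notices for the Switch Logging task

    def _table_lookup(self, mac: str) -> str:
        """The nine-row table: (time limit, max number, configured MAC) -> result."""
        below_max = len(self.learned) < self.max_macs
        if self.configured and mac in self.configured:
            # Rows 4-6: a matching configured entry overrides a closed window,
            # but row 6 says it does not override the maximum-count limit.
            return LEARNED if below_max else BLOCKED
        # Rows 1-3 (no entry) and rows 7-9 (entries exist, none match) decide identically.
        return LEARNED if (self.window_open and below_max) else BLOCKED

    def receive(self, src_mac: str) -> str:
        """Decide whether a frame with this source MAC is forwarded on the port."""
        if not self.enabled:
            return PORT_DISABLED
        if src_mac in self.filtered:
            return BLOCKED
        if src_mac in self.learned:
            return LEARNED  # already in the LPS table for this port: forwarded, nothing new learned
        result = self._table_lookup(src_mac)
        if result == LEARNED:
            self.learned.add(src_mac)
            return result
        # Unauthorized: apply the violation mode; Switch Logging is notified either way.
        self.log.append(f"LPS violation on port {self.name}: unauthorized source MAC {src_mac}")
        if self.violation_mode == "shutdown":
            self.enabled = False
            return PORT_DISABLED
        self.filtered.add(src_mac)
        return BLOCKED

    def reboot(self, config_saved: bool) -> None:
        """Learned entries survive a reboot only as configured entries, and only if saved first.

        Simplification (not stated on the page): window_open is left as the caller set it.
        """
        if config_saved:
            self.configured |= self.learned
        self.learned.clear()
        self.filtered.clear()
        self.enabled = True


def walkthrough() -> List[str]:
    """Replays the port 2/10 scenario from the text with constructed traffic."""
    port = LpsPort(name="2/10", max_macs=2, configured={"00:00:5e:00:53:01"})
    frames = [
        "00:da:95:00:59:0c",  # row 7: window open, below max, configured entry doesn't match -> learned
        "00:da:95:00:59:0c",  # now in the LPS table for 2/10 -> forwarded, no new learning
        "00:00:5e:00:53:01",  # row 4: configured entry matches, below max -> learned
        "00:00:5e:00:53:02",  # row 9: max reached, no matching entry -> blocked and logged
    ]
    results = [port.receive(m) for m in frames]
    port.window_open = False                            # the learning window closes
    results.append(port.receive("00:da:95:00:59:0c"))   # still authorized: already learned
    results.append(port.receive("00:00:5e:00:53:03"))   # row 8: window closed -> blocked
    return results


if __name__ == "__main__":
    for r in walkthrough():
        print(r)
```

The two things worth noticing when running it are the row 6 edge case (a statically configured MAC is still blocked once the dynamic count has reached the maximum, so configure static entries before the port fills up) and the reboot caveat: an unsaved reboot empties the learned set, and with the learning window closed the same host that was passing traffic before the reboot is now blocked.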