How LPS Authorizes Source MAC Addresses; Dynamic Configuration of Authorized MAC Addresses - Alcatel-Lucent OmniSwitch AOS Release 7 Manual

Learned Port Security Overview

How LPS Authorizes Source MAC Addresses

When a packet is received on a port that has LPS enabled, switch software checks the following criteria to determine if the source MAC address contained in the packet is allowed on the port:

• Is the source learning time window open?
• Is the number of MAC addresses learned on the port below the maximum number allowed?
• Is there a configured authorized MAC address entry for the LPS port that matches the source MAC address of the packet?

Using the above criteria, the following table shows the conditions under which a MAC address is learned or blocked on an LPS port:
Time Limit   Max Number   Configured MAC               Result
Open         Below        No entry                     No LPS violation; MAC learned
Closed       Below        No entry                     LPS violation; MAC blocked
Open         Above        No entry                     LPS violation; MAC blocked
Open         Below        Yes; entry matches           No LPS violation; MAC learned
Closed       Below        Yes; entry matches           No LPS violation; MAC learned
Open         Above        Yes; entry matches           LPS violation; MAC blocked
Open         Below        Yes; entry doesn't match     No LPS violation; MAC learned
Closed       Below        Yes; entry doesn't match     LPS violation; MAC blocked
Open         Above        Yes; entry doesn't match     LPS violation; MAC blocked

When a source MAC address violates any of the LPS conditions, the address is considered unauthorized. The LPS violation mode determines whether the unauthorized MAC address is blocked (filtered) on the port or the entire port is disabled (see "Selecting the Security Violation Mode" on page 25-12). Regardless of which mode is selected, a notice is sent to the switch log to indicate that a violation has occurred.

Dynamic Configuration of Authorized MAC Addresses

When LPS is configured on a switch port, the learning of source MAC addresses is initiated. An entry containing the address and the port that learned it is made in an LPS database table. This entry is used as a criterion for authorizing future traffic from that source MAC address on the same port. In other words, the learned MAC addresses are authorized to send traffic through the LPS port.

For example, if the source MAC address 00:da:95:00:59:0c is received on port 2/10 and meets the LPS restrictions defined for that port, then this address and its port are recorded in the LPS table. All traffic received on port 2/10 is compared to the 00:da:95:00:59:0c entry. Packets received on this port whose source address does not match that entry are subject to the LPS source learning time limit window and to the maximum number of addresses allowed.

When a dynamically learned MAC address is added to the LPS table, it does not become a configured MAC address entry in the LPS table until the switch configuration file is saved and the switch is rebooted. If a reboot occurs before this is done, all dynamically learned MAC addresses in the LPS table are cleared.

Configuring Learned Port Security   page 25-6   OmniSwitch AOS Release 7 Network Configuration Guide   March 2011
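The decision table and the dynamic-learning behaviour described above, as an added example that is not Alcatel-Lucent code and not the switch's implementation: a small Python model that applies the nine table rows to a constructed sequence of frames on a port, records dynamically learned entries, and shows what a reboot does to them with and without a saved configuration. The LpsPort class and its methods, the violation mode names "filter" and "port-disable" (standing in for the modes documented on page 25-12), the rule that a configured entry already occupies a table slot when the maximum is checked, the assumption that a reboot re-enables a disabled port, and every MAC address other than 00:da:95:00:59:0c are assumptions of this illustration.

```python
from dataclasses import dataclass, field


@dataclass
class LpsPort:
    """One LPS-enabled port and its LPS table (assumed API, not AOS code)."""
    name: str                        # slot/port, e.g. "2/10" as in the text
    max_macs: int                    # maximum number of addresses allowed
    window_open: bool = True         # source learning time window state
    violation_mode: str = "filter"   # assumed names: "filter" or "port-disable"
    configured: set = field(default_factory=set)  # administratively configured MACs
    learned: dict = field(default_factory=dict)   # LPS table: mac -> "configured" | "dynamic"
    enabled: bool = True
    log: list = field(default_factory=list)       # stands in for the switch log

    def __post_init__(self):
        # Configured entries occupy the LPS table before any learning happens.
        for mac in self.configured:
            self.learned[mac] = "configured"

    def authorize(self, src_mac: str) -> str:
        """Apply the LPS criteria to one frame and return the outcome."""
        if not self.enabled:
            return "port-disabled"
        if self.learned.get(src_mac) == "dynamic":
            # Already learned on this port: authorized without re-checking.
            return "authorized"
        configured_match = src_mac in self.configured
        # Assumption: "below max" is judged on table occupancy once this
        # address is admitted; a configured match already holds a slot.
        occupancy_after = len(self.learned) + (0 if configured_match else 1)
        below_max = occupancy_after <= self.max_macs
        # The nine table rows collapse to this single condition.
        if below_max and (self.window_open or configured_match):
            if configured_match:
                return "authorized"
            self.learned[src_mac] = "dynamic"
            return "learned"
        return self._violation(src_mac)

    def _violation(self, src_mac: str) -> str:
        # Either mode writes to the log; only port-disable takes the port down.
        self.log.append(f"LPS violation on port {self.name}: {src_mac}")
        if self.violation_mode == "port-disable":
            self.enabled = False
            return "port-disabled"
        return "blocked"

    def reboot(self, config_saved: bool) -> None:
        """Dynamic entries survive a reboot only if the config was saved first."""
        if config_saved:
            for mac, kind in self.learned.items():
                if kind == "dynamic":
                    self.learned[mac] = "configured"
                    self.configured.add(mac)
        else:
            self.learned = {m: k for m, k in self.learned.items() if k == "configured"}
        self.enabled = True  # assumption: a reboot re-enables a disabled port


def run_scenario():
    """Constructed frame sequence on port 2/10 with max 2 and one configured MAC."""
    port = LpsPort(name="2/10", max_macs=2, configured={"00:00:00:00:00:01"})
    results = [
        port.authorize("00:da:95:00:59:0c"),  # window open, below max: learned
        port.authorize("00:da:95:00:59:0c"),  # already learned: authorized
        port.authorize("00:da:95:00:59:0d"),  # table full (2 of 2): blocked
    ]
    port.window_open = False                   # learning window closes
    results.append(port.authorize("00:00:00:00:00:01"))  # configured match: authorized
    results.append(port.authorize("00:da:95:00:59:0e"))  # closed window, no entry: blocked
    port.reboot(config_saved=False)           # dynamic entries are cleared
    results.append(port.authorize("00:da:95:00:59:0c"))  # now unknown, window closed: blocked
    return results, port.log


def run_persistence():
    """Save + reboot turns a dynamic entry into a configured one."""
    port = LpsPort(name="2/11", max_macs=1)
    first = port.authorize("00:da:95:00:59:0c")   # learned dynamically
    port.reboot(config_saved=True)                # promoted to configured
    port.window_open = False
    second = port.authorize("00:da:95:00:59:0c")  # configured entry passes a closed window
    return first, second, port.learned["00:da:95:00:59:0c"]


def run_shutdown_mode():
    """In port-disable mode one unknown host takes the learned host down too."""
    port = LpsPort(name="2/12", max_macs=1, violation_mode="port-disable")
    a = port.authorize("00:da:95:00:59:0c")  # learned
    b = port.authorize("00:da:95:00:59:0d")  # above max: port disabled
    c = port.authorize("00:da:95:00:59:0c")  # learned host is cut off as well
    return a, b, c, port.enabled


if __name__ == "__main__":
    print(run_scenario())
    print(run_persistence())
    print(run_shutdown_mode())
```

The nine rows collapse to one condition: an address is admitted when the table stays within the maximum and either the learning window is open or the address has a configured entry. A configured entry therefore gets a host past a closed window, but nothing gets past the maximum-address limit, which is why no row of the table learns an address above the maximum. The last scenario shows the operational cost of the port-disable mode: a single unknown host removes the already-learned hosts from the port along with it, so that mode is a denial-of-service lever for anyone who can plug into the port.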