Setting The Mac Port Security Age Timer; Defining Security Violation Actions - Dell PowerConnect B-RX Configuration Manual

You can specify 15 – 1440 minutes. By default, secure MAC addresses are not autosaved to the
startup-config file.

Setting the MAC Port Security age timer

By default, the learned MAC addresses stay secure indefinitely. The entries are cleared only when
MAC Port Security is disabled or a clear port-secure command is issued.
You can optionally configure the device to age out secure MAC addresses after a specified amount
of time.
To set the MAC Port Security age timer to 10 minutes globally, enter commands such as the
following.
BigIron RX(config)# global-port-security
BigIron RX(config-port-security)# age 10
To set the MAC Port Security age timer to 10 minutes on a specific interface, enter commands such
as the following.
BigIron RX(config)# int e 7/11
BigIron RX(config-if-e100-7/11)# port security
BigIron RX(config-port-security-e100-7/11)# age 10
Syntax: [no] age <minutes>
The default is 0 (never age out secure MAC addresses).
Secure MAC addresses and deny MAC addresses are removed from the MAC address table after
the age timer elapses and no traffic is received from those MAC addresses on an interface.
However, if traffic from the MAC address is received, the following occurs:
•
•

Defining security violation actions

A MAC Port Security violation can occur when any of the following occurs:
•
•
When a MAC Port Security violation occurs, an SNMP trap and Syslog message are generated. Also,
you can configure the device to take any of the following actions when a MAC Port Security violation
occurs:
•
•
BigIron RX Series Configuration Guide
53-1002253-01
Secure MAC addresses on an interface and at the global level remain in the MAC table as long
as traffic with that address is received. However, it is removed from the MAC table and the
running-config if the age timer elapses and no traffic has been received from the MAC address.
Deny MAC addresses are removed from the MAC address table globally after the age timer
elapses, even if traffic from the interface is received. Once traffic with the MAC address stops,
then the deny MAC address is removed from the running-config after the next age timer
elapses.
The maximum number of secure MAC addresses has been exceeded.
The MAC address received is in the deny MAC address list.
Shutdown the interface, either permanently or for a specified amount of time. This is the
default violation action if no violation action is configured at the global and interface levels.
Restrict packets. With this action, packets from the unauthorized MAC address are dropped,
but packets from the secure MAC addresses are allowed. The interface remains enabled.
Defining security violation actions
32
951