Layer 2 Switching


To send packets that match particular criteria to the mirror port, first create a classifier or classifiers using the command:

CREATE CLASSIFIER

Then create a hardware filter with the ACTION parameter set to SENDMIRROR, using the command:

ADD SWITCH HWFILTER CLASSIFIER=classifier-list ACTION=SENDMIRROR

By default mirroring is disabled, no mirror port is set, and no source ports are set to be mirrored. Mirroring can only be enabled after the switch mirror port has been set to a valid port. If mirroring has been enabled but the switch mirror port is set to NONE, then mirroring will be disabled. Mirroring is enabled and disabled using the commands:

ENABLE SWITCH MIRROR

DISABLE SWITCH MIRROR

The SHOW SWITCH PORT and SHOW SWITCH commands display the switch and port mirroring settings.
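A worked configuration that mirrors only the traffic matching a classifier, as an added example that is not taken from the manual. It assumes port 24 is the analyser port, that the mirror port is chosen with SET SWITCH MIRROR (a command from elsewhere in this chapter, not on this page), and that the classifier parameters IPPROTOCOL, IPDADDR and TCPDPORT are valid for this release; the address 192.168.1.10 and the port numbers are placeholders.

```text
# Assumed: the mirror port is set with SET SWITCH MIRROR (not shown on this page).
# Mirroring cannot be enabled while the mirror port is NONE.
SET SWITCH MIRROR=24

# Assumed classifier parameters: match only TCP traffic to a web server
# (placeholder address and port), rather than mirroring whole source ports.
CREATE CLASSIFIER=1 IPPROTOCOL=TCP IPDADDR=192.168.1.10/32 TCPDPORT=80

# Hardware filter: copy frames matching classifier 1 to the mirror port.
ADD SWITCH HWFILTER CLASSIFIER=1 ACTION=SENDMIRROR

# Nothing reaches port 24 until mirroring is enabled.
ENABLE SWITCH MIRROR

# Verify the mirror port and mirroring state.
SHOW SWITCH
SHOW SWITCH PORT=24
```

Two checks before relying on this: the analyser port receives the matched traffic exactly as forwarded, so it should connect only to the capture host and not to a user-reachable segment; and because the switch silently disables mirroring if the mirror port is later set to NONE, confirm with SHOW SWITCH after any port change that mirroring is still enabled.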

Port security

The port security feature allows control over the stations connected to each switch port, by MAC address. If enabled on a port, the switch will learn MAC addresses up to a user-defined limit from 1 to 256, then lock out all other MAC addresses. One of the following options can be specified for the action taken when an unknown MAC address is detected on a locked port:

Discard the packet and take no further action,

Discard the packet and notify management with an SNMP trap,

Discard the packet, notify management with an SNMP trap and disable the port.

To enable port security on a port, set the limit for learned MAC addresses to a value greater than zero, and specify the action to take for unknown MAC addresses on a locked port. To disable port security on a port, set the limit for learned MAC addresses to zero or NONE. Port security can be enabled or disabled on a port using the command:

SET SWITCH PORT={port-list|ALL} LEARN={NONE|0|1..256}
    [INTRUSIONACTION={NONE|DISCARD|TRAP|DISABLE}]

The INTRUSIONACTION parameter specifies the action taken when the port(s) receive packets from source MAC addresses that are not in the list of addresses learned under the LEARN limit. If DISCARD is specified, packets received from MAC addresses not on the port's learn list are discarded. If TRAP is specified, such packets are discarded and an SNMP trap is generated. If DISABLE is specified, the first time a packet is received from a MAC address not on the port's learn list, it is discarded, an SNMP trap is generated and the port(s) are disabled. To re-enable the port, disable the Port Security function on the port (set LEARN to 0 or NONE). The default value for this parameter is DISCARD.

If INTRUSIONACTION is set to TRAP or DISABLE, a list of MAC addresses for devices that are active on a port, but which are not allowed or learned for the port, can be displayed using the command:

SHOW SWITCH PORT={port-list|ALL} INTRUSION
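A worked port security configuration, as an added example that is not taken from the manual. The port numbers and limits are placeholders chosen for illustration, and the recovery sequence at the end assumes that re-applying a non-zero LEARN value after LEARN=0 restarts address learning on the port.

```text
# Single-host access ports: learn one MAC address, then lock. An unknown
# address is discarded, a trap is sent and the port is shut.
SET SWITCH PORT=1-20 LEARN=1 INTRUSIONACTION=DISABLE

# Ports with a phone and a PC behind it (placeholder): allow two addresses,
# alert on a third but keep the port up.
SET SWITCH PORT=21-22 LEARN=2 INTRUSIONACTION=TRAP

# List addresses seen on a locked port that were not learned. Only
# maintained when INTRUSIONACTION is TRAP or DISABLE, not DISCARD.
SHOW SWITCH PORT=1-22 INTRUSION

# Recover port 5 after INTRUSIONACTION=DISABLE shut it: turn port security
# off (LEARN=0 re-enables the port), then re-apply the limit.
# Assumed: re-applying LEARN restarts learning from an empty list.
SET SWITCH PORT=5 LEARN=0
SET SWITCH PORT=5 LEARN=1 INTRUSIONACTION=DISABLE
```

Two caveats a practitioner should keep in mind. The learned list is just a set of source MAC addresses, so the feature stops accidental daisy-chaining and casual device swaps but not an attacker who clones the learned address; it is not an identity check. TRAP and DISABLE only notify management if the switch already has an SNMP trap destination configured, and DISCARD gives no notification at all, so on ports where you want to see intrusions choose TRAP or DISABLE and review SHOW SWITCH PORT INTRUSION rather than assuming silence means no attempts.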

Software Release 2.6.1 C613-02039-00 REV A
