Port Security "restrict mode" seems to be discarding

dstrait
Member
Posts: 9
Joined: 30 Jun 2017 17:28

Port Security "restrict mode" seems to be discarding

Post by dstrait » 08 Feb 2019 15:10

I am working my way through utilizing Port-Security. I'm almost to the finish line, but I'm having one hang-up.

I am only planning on using static entries, no learning. I have two test devices being properly allowed. When I add a third, unauthorized device, it correctly throws the port in "restrict mode". My understanding of restrict mode is that it will continue allowing authorized traffic and block only the unauthorized traffic. However, it's actually discarding all traffic on the port. The two valid test devices go offline until I release the port.

Even though it's in restrict mode, it seems to be acting like it's in discard mode, instead.

silvio
Alcatel Unleashed Certified Guru
Posts: 1297
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Port Security "restrict mode" seems to be discarding

Post by silvio » 08 Feb 2019 15:24

Please post your LPS config and the output of "show port security". You are correct in your understanding.
Regards
Silvio

dstrait
Member
Posts: 9
Joined: 30 Jun 2017 17:28

Re: Port Security "restrict mode" seems to be discarding

Post by dstrait » 08 Feb 2019 15:47

While gathering what you asked for, I found the issue.

I had "max-filtering" set at zero. When I moved it to 10, to match my Maximum, it started working as expected.

Though, what exactly are the differences between max-filtering and maximum?

Also, is there a way to outright prevent port learning? Right now, I just have it set to 1 minute. Though, I don't want it at all.

silvio
Alcatel Unleashed Certified Guru
Posts: 1297
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Port Security "restrict mode" seems to be discarding

Post by silvio » 09 Feb 2019 13:55

Maximum is what you really want: this is the max count of "good" MACs, e.g. 10.
All further MACs will be filtered (in your case the 11th and so on). This means the 10 can work but all others are blocked.
With max-filter you say how many will be filtered before a violation. With an entry of 10, the 21st MAC should be the reason for the violation. And the violation can be shutdown or discard (both mean that all 21 clients can do anything) or restrict (similar to filter, so the 10 good MACs can work).
So your config with max 10 and max-filter of 0 was okay.
Regards
Silvio
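The counting rule silvio describes (maximum good MACs first, then max-filtering filtered MACs, then the violation on the next one), as an added Python model that is not part of this thread or of the OmniSwitch software. The class and function names are made up, the MAC addresses are constructed, and the model assumes, as the first post describes, that discard/shutdown stop all traffic on the port while restrict keeps the good MACs working.

```python
from dataclasses import dataclass, field


@dataclass
class LpsPort:
    """Toy model of one Learned Port Security (LPS) port, following silvio's
    explanation: the first `maximum` MACs are good and forwarded, the next
    `max_filtering` MACs are filtered without raising a violation, and the MAC
    after that (number maximum + max_filtering + 1) triggers the violation
    action. Constructed model for illustration, not OmniSwitch code."""
    maximum: int
    max_filtering: int
    violation: str = "restrict"          # "restrict", "discard" or "shutdown"
    allowed: set = field(default_factory=set)
    filtered: set = field(default_factory=set)
    violated: bool = False

    def frame(self, mac: str) -> str:
        """Decide the fate of one frame from `mac`: 'forward' or 'drop'."""
        if self.violated and self.violation != "restrict":
            return "drop"                # assumption: discard/shutdown stop the whole port
        if mac in self.allowed:
            return "forward"
        if mac in self.filtered:
            return "drop"
        if len(self.allowed) < self.maximum:
            self.allowed.add(mac)        # within maximum: counted as a good MAC
            return "forward"
        if len(self.filtered) < self.max_filtering:
            self.filtered.add(mac)       # within max-filtering: dropped, no violation yet
            return "drop"
        self.violated = True             # past maximum + max-filtering: violation
        return "drop"


def first_violating_mac(maximum: int, max_filtering: int) -> int:
    """Ordinal of the MAC that triggers the violation (11th for 10/0, 21st for 10/10)."""
    return maximum + max_filtering + 1


def simulate(maximum, max_filtering, violation, n_macs):
    """Feed n_macs distinct constructed MACs through a port, then re-send the good ones."""
    port = LpsPort(maximum, max_filtering, violation)
    macs = [f"02:00:00:00:00:{i:02x}" for i in range(1, n_macs + 1)]  # constructed MACs
    fates = [port.frame(m) for m in macs]
    fates_after = [port.frame(m) for m in macs[:maximum]]   # do the good MACs still work?
    return fates, fates_after, port.violated


if __name__ == "__main__":
    for mode in ("restrict", "discard"):
        fates, after, violated = simulate(10, 0, mode, 11)
        print(mode, "violated:", violated, "good MACs after violation:", set(after))
```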
