NETCONF Configuration Guide
## Mac-Security
This chapter provides examples of how to use NETCONF to manage MAC security configurations on AsterNOS devices.

### Get interface mac-limit configurations

Request example: to get the interface mac-limit configuration via `get-config`:

```xml
<filter type="subtree">
  <top>
    <interfaces>
      <interface>
        <name>ethernet11</name>
        <mac-security>
          <mac-limit/>
        </mac-security>
      </interface>
    </interfaces>
  </top>
</filter>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:2a8a97e1-ed16-4637-9e88-7814e21a1220">
  <data>
    <top>
      <interfaces xmlns="http://asterfusion.com/ns/yang/asternos-interfaces">
        <interface>
          <name>ethernet11</name>
          <mac-security xmlns="http://asterfusion.com/ns/yang/asternos-mac-security">
            <mac-limit>
              <maximum>20</maximum>
            </mac-limit>
          </mac-security>
        </interface>
      </interfaces>
    </top>
  </data>
</rpc-reply>
```

### Configure mac-limit on interface

Note:

- `maximum` is the maximum number of MAC addresses that can be learned on the interface. The default value is 0, which means no limit.
- The mac-limit can't be configured on an interface on which mac security (port security) is enabled.
- Configuring a mac-limit requires the interface to be a VLAN member.

Request example: to create a VLAN and add the interface to it, then configure the interface mac-limit via `edit-config`:

```xml
<config>
  <top>
    <vlans>
      <vlan operation="create">
        <vlanid>1000</vlanid>
      </vlan>
    </vlans>
    <interfaces>
      <interface>
        <name>ethernet11</name>
        <vlan-config operation="create">
          <vlan>
            <vlan-id>1000</vlan-id>
            <tagging-mode>tagged</tagging-mode>
          </vlan>
        </vlan-config>
      </interface>
    </interfaces>
  </top>
</config>
```

```xml
<config>
  <top>
    <interfaces>
      <interface>
        <name>ethernet11</name>
        <mac-security>
          <mac-limit>
            <maximum>20</maximum>
          </mac-limit>
        </mac-security>
      </interface>
    </interfaces>
  </top>
</config>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:a93d63b2-8c95-4480-86c8-60a431e7d6f2">
  <ok/>
</rpc-reply>
```

### Delete mac-limit on interface

Request example: to delete the interface mac-limit via `edit-config`:

```xml
<config>
  <top>
    <interfaces>
      <interface>
        <name>ethernet11</name>
        <mac-security>
          <mac-limit operation="delete">
          </mac-limit>
        </mac-security>
      </interface>
    </interfaces>
  </top>
</config>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:eea326b0-1db3-4b43-b73b-ae658761e715">
  <ok/>
</rpc-reply>
```

### Get interface mac-learning-priority configurations

Request example: to get the interface mac-learning-priority configuration via `get-config`:

```xml
<filter type="subtree">
  <top>
    <interfaces>
      <interface>
        <name>ethernet11</name>
        <mac-security>
          <mac-learning-priority/>
        </mac-security>
      </interface>
    </interfaces>
  </top>
</filter>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:8e756ddd-2cbf-4155-b41b-cdb79025530a">
  <data>
    <top>
      <interfaces xmlns="http://asterfusion.com/ns/yang/asternos-interfaces">
        <interface>
          <name>ethernet11</name>
          <mac-security xmlns="http://asterfusion.com/ns/yang/asternos-mac-security">
            <mac-learning-priority>
              <priority>high</priority>
            </mac-learning-priority>
          </mac-security>
        </interface>
      </interfaces>
    </top>
  </data>
</rpc-reply>
```

### Configure mac-learning-priority on interface

Note: the default value is `low`.

Request example: to configure the interface mac-learning-priority via `edit-config`:

```xml
<config>
  <top>
    <interfaces>
      <interface>
        <name>ethernet11</name>
        <mac-security>
          <mac-learning-priority>
            <priority>high</priority>
          </mac-learning-priority>
        </mac-security>
      </interface>
    </interfaces>
  </top>
</config>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:b1b8232e-1edf-4f21-a5d9-c51a5c3e05d2">
  <ok/>
</rpc-reply>
```

### Delete mac-learning-priority on interface

Request example: to delete the interface mac-learning-priority via `edit-config`:

```xml
<config>
  <top>
    <interfaces>
      <interface>
        <name>ethernet11</name>
        <mac-security>
          <mac-learning-priority operation="delete">
          </mac-learning-priority>
        </mac-security>
      </interface>
    </interfaces>
  </top>
</config>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:9fbc84a4-f30a-4c8c-8988-58fc29ae92a0">
  <ok/>
</rpc-reply>
```

### Get interface mac-learning-group configurations

Request example: to get the interface mac-learning-group configuration via `get-config`:

```xml
<filter type="subtree">
  <top>
    <interfaces>
      <interface>
        <name>ethernet11</name>
        <mac-security>
          <mac-learning-group/>
        </mac-security>
      </interface>
    </interfaces>
  </top>
</filter>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:89b6b7be-cf92-454a-ac98-9cff05a2a14b">
  <data>
    <top>
      <interfaces xmlns="http://asterfusion.com/ns/yang/asternos-interfaces">
        <interface>
          <name>ethernet11</name>
          <mac-security xmlns="http://asterfusion.com/ns/yang/asternos-mac-security">
            <mac-learning-group>4</mac-learning-group>
          </mac-security>
        </interface>
      </interfaces>
    </top>
  </data>
</rpc-reply>
```

### Configure mac-learning-group on interface

Note: the default value is 0.

Request example: to configure the interface mac-learning-group via `edit-config`:

```xml
<config>
  <top>
    <interfaces>
      <interface>
        <name>ethernet11</name>
        <mac-security>
          <mac-learning-group>4</mac-learning-group>
        </mac-security>
      </interface>
    </interfaces>
  </top>
</config>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:56357799-9c49-4cf8-96ef-aae3d1962c46">
  <ok/>
</rpc-reply>
```

### Delete mac-learning-group on interface

Request example: to delete the interface mac-learning-group via `edit-config`:

```xml
<config>
  <top>
    <interfaces>
      <interface>
        <name>ethernet11</name>
        <mac-security>
          <mac-learning-group operation="delete">
          </mac-learning-group>
        </mac-security>
      </interface>
    </interfaces>
  </top>
</config>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:9fbc84a4-f30a-4c8c-8988-58fc29ae92a0">
  <ok/>
</rpc-reply>
```

### Get interface port-security configurations

Request example: to get the interface port-security configuration via `get-config`:

```xml
<filter type="subtree">
  <top>
    <interfaces>
      <interface>
        <name>ethernet11</name>
        <mac-security>
          <port-security/>
        </mac-security>
      </interface>
    </interfaces>
  </top>
</filter>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:3113721a-11d4-4127-b723-c38de8b389ae">
  <data>
    <top>
      <interfaces xmlns="http://asterfusion.com/ns/yang/asternos-interfaces">
        <interface>
          <name>ethernet11</name>
          <mac-security xmlns="http://asterfusion.com/ns/yang/asternos-mac-security">
            <port-security>
              <enabled>true</enabled>
              <maximum>3</maximum>
              <secure-addresses>
                <secure-address>
                  <mac-address>12:34:56:78:9a:bc</mac-address>
                  <vlan-id>1000</vlan-id>
                </secure-address>
              </secure-addresses>
            </port-security>
          </mac-security>
        </interface>
      </interfaces>
    </top>
  </data>
</rpc-reply>
```

### Configure port-security on interface

Note:

- The default `maximum` is 1, and the default `violation-action` is `restrict`.
- Mac security can't be configured on an interface on which a mac-limit is configured.
- Configuring mac security requires the interface to be a VLAN member.

Request example: to configure interface port-security via `edit-config`:

```xml
<config>
  <top>
    <interfaces>
      <interface>
        <name>ethernet11</name>
        <mac-security>
          <port-security>
            <enabled>true</enabled>
            <sticky-enabled>true</sticky-enabled>
            <violation-action>protect</violation-action>
            <maximum>3</maximum>
          </port-security>
        </mac-security>
      </interface>
    </interfaces>
  </top>
</config>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:e21e82f5-44fb-487b-8397-29ec4ab4f784">
  <ok/>
</rpc-reply>
```

### Delete port-security on interface

Request example: to delete interface port-security via `edit-config`:

```xml
<config>
  <top>
    <interfaces>
      <interface>
        <name>ethernet11</name>
        <mac-security>
          <port-security operation="delete">
          </port-security>
        </mac-security>
      </interface>
    </interfaces>
  </top>
</config>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:8b8293cb-bfeb-4ab1-b054-b2cd9786afc0">
  <ok/>
</rpc-reply>
```

### Configure static secure MAC on interface

Note: creating a static secure MAC on an interface requires port-security to be enabled on the device.

Request example: to configure a static secure MAC under interface port-security via `edit-config`:

```xml
<config>
  <top>
    <interfaces>
      <interface>
        <name>ethernet11</name>
        <mac-security>
          <port-security>
            <enabled>true</enabled>
            <maximum>3</maximum>
            <secure-addresses operation="create">
              <secure-address>
                <mac-address>12:34:56:78:9a:bc</mac-address>
                <vlan-id>1000</vlan-id>
              </secure-address>
            </secure-addresses>
          </port-security>
        </mac-security>
      </interface>
    </interfaces>
  </top>
</config>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:fc234ab7-0542-45c5-95ce-01bb9bcf3269">
  <ok/>
</rpc-reply>
```

### Delete static secure MAC on interface

Request example: to delete the interface static secure MAC via `edit-config`:

```xml
<config>
  <top>
    <interfaces>
      <interface>
        <name>ethernet11</name>
        <mac-security>
          <port-security>
            <secure-addresses operation="delete">
            </secure-addresses>
          </port-security>
        </mac-security>
      </interface>
    </interfaces>
  </top>
</config>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:c5b76a0d-3c46-4292-9b31-d70cf453afb4">
  <ok/>
</rpc-reply>
```

### Show mac-limit

Note: interfaces that are not displayed have the default value of 0, which means no limit.

Request example: to show interface mac-limits via the `show-mac-limit` RPC:

```xml
<show-mac-limit/>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:21e9337e-f29f-4f39-9ec0-ad4e0208157f">
  <data xmlns="http://asterfusion.com/ns/yang/asternos-mac-security">
interface    mac-limit
-----------  ---------
ethernet1    0
ethernet11   20
  </data>
</rpc-reply>
```

### Show mac-learning-priority

Request example: to show interface mac-learning-priorities via the `show-mac-learning-priority` RPC:

```xml
<show-mac-learning-priority/>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:9afc7076-a9ad-4c8d-b773-a843091a4d98">
  <data xmlns="http://asterfusion.com/ns/yang/asternos-mac-security">
interface        priority
---------------  --------
ethernet1        low
ethernet2        low
ethernet3        low
ethernet4        low
ethernet5        low
ethernet6        low
ethernet7        low
ethernet8        low
ethernet9        low
ethernet10       low
ethernet11       high
ethernet12       low
ethernet13       low
ethernet14       low
ethernet15       low
ethernet16       low
ethernet17       low
ethernet18       low
ethernet19       low
ethernet20       low
ethernet21       low
ethernet22       low
ethernet23       low
ethernet24       low
ethernet25       low
ethernet26       low
ethernet27       low
ethernet28       low
ethernet29       low
ethernet30       low
ethernet31       low
ethernet32       low
ethernet33       low
ethernet34       low
ethernet35       low
ethernet36       low
ethernet37       low
ethernet38       low
ethernet39       low
ethernet40       low
ethernet41       low
ethernet42       low
ethernet43       low
ethernet44       low
ethernet45       low
ethernet46       low
ethernet47       low
ethernet48       low
ethernet49       low
ethernet53       low
ethernet57       low
ethernet61       low
ethernet65       low
ethernet69       low
ethernet73       low
ethernet77       low
portchannel0001  low
  </data>
</rpc-reply>
```

### Show mac-learning-group

Request example: to show interface mac-learning-groups via the `show-mac-learning-group` RPC:

```xml
<show-mac-learning-group/>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:3cfe03ca-8083-4305-87cc-e764976e7dcd">
  <data xmlns="http://asterfusion.com/ns/yang/asternos-mac-security">
interface        group-id
---------------  --------
ethernet1        0
ethernet2        0
ethernet3        0
ethernet4        0
ethernet5        0
ethernet6        0
ethernet7        0
ethernet8        0
ethernet9        0
ethernet10       0
ethernet11       4
ethernet12       0
ethernet13       0
ethernet14       0
ethernet15       0
ethernet16       0
ethernet17       0
ethernet18       0
ethernet19       0
ethernet20       0
ethernet21       0
ethernet22       0
ethernet23       0
ethernet24       0
ethernet25       0
ethernet26       0
ethernet27       0
ethernet28       0
ethernet29       0
ethernet30       0
ethernet31       0
ethernet32       0
ethernet33       0
ethernet34       0
ethernet35       0
ethernet36       0
ethernet37       0
ethernet38       0
ethernet39       0
ethernet40       0
ethernet41       0
ethernet42       0
ethernet43       0
ethernet44       0
ethernet45       0
ethernet46       0
ethernet47       0
ethernet48       0
ethernet49       0
ethernet53       0
ethernet57       0
ethernet61       0
ethernet65       0
ethernet69       0
ethernet73       0
ethernet77       0
portchannel0001  0
  </data>
</rpc-reply>
```

### Show port-security status

Request example: to show interface port-security status via the `show-port-security` RPC:

```xml
<show-port-security/>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:db3c9b93-7cee-4235-a410-3b85328eb4fa">
  <data xmlns="http://asterfusion.com/ns/yang/asternos-mac-security">
interface   port-security  sticky-mac  max-secure-addr  violation-action
----------  -------------  ----------  ---------------  ----------------
ethernet11  enable         disable     3                restrict
  </data>
</rpc-reply>
```

### Show port-security addresses

Note: both static and dynamically learned secure MAC addresses are retrieved.

Request example: to show interface port-security addresses via the `show-port-security-address` RPC:

```xml
<show-port-security-address/>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:b59ae792-b2f8-4ce9-a17a-783b2688bf3f">
  <data>
    <mac-address-info>
      <vlan-id>vlan1000</vlan-id>
      <mac-address>12:34:56:78:9a:bc</mac-address>
      <type>static</type>
      <port>ethernet11</port>
      <index>1</index>
    </mac-address-info>
    <mac-address-info>
      <vlan-id>vlan10</vlan-id>
      <mac-address>60:eb:5a:01:1c:e4</mac-address>
      <type>dynamic</type>
      <port>ethernet1</port>
      <index>2</index>
    </mac-address-info>
  </data>
</rpc-reply>
```

### Clear all port-security addresses

Note: both static and dynamically learned secure MAC addresses are deleted.

Request example: to clear the port-security addresses of all interfaces via the `clear-port-security-address` RPC:

```xml
<clear-port-security-address/>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:a9cdd8de-9722-41f9-911f-297301d36a7e">
  <data xmlns="http://asterfusion.com/ns/yang/asternos-mac-security">success</data>
</rpc-reply>
```

### Clear port-security addresses on a single interface

Request example: to clear the port-security addresses of one interface via the `clear-port-security-address` RPC:

```xml
<clear-port-security-address>
  <interface>ethernet11</interface>
</clear-port-security-address>
```

Response example:

```xml
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="urn:uuid:5c9a8281-8e6a-44bd-938f-55987af27e75">
  <data xmlns="http://asterfusion.com/ns/yang/asternos-mac-security">success</data>
</rpc-reply>
```
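An added helper, not AsterNOS or Asterfusion code, for the port-security and mac-limit sections of this chapter: it builds the port-security `edit-config` body from the element names shown above, pre-checks a `get-config` reply for the stated rule that port-security cannot be enabled where a mac-limit is configured, and tells an `<ok/>` reply from an `rpc-error`. The get-config reply inside is constructed sample data; sending the payload over a NETCONF session (for example with ncclient) is left to the caller.

```python
import xml.etree.ElementTree as ET

NS_BASE = "urn:ietf:params:xml:ns:netconf:base:1.0"
NS_IF = "http://asterfusion.com/ns/yang/asternos-interfaces"
NS_MS = "http://asterfusion.com/ns/yang/asternos-mac-security"

# Constructed get-config reply (sample data, not captured from a device):
# ethernet11 already carries a mac-limit of 20, ethernet12 carries nothing.
SAMPLE_REPLY = f"""<rpc-reply xmlns="{NS_BASE}" message-id="1">
<data><top><interfaces xmlns="{NS_IF}"><interface><name>ethernet11</name>
<mac-security xmlns="{NS_MS}"><mac-limit><maximum>20</maximum></mac-limit>
</mac-security></interface><interface><name>ethernet12</name></interface>
</interfaces></top></data></rpc-reply>"""


def build_port_security(interface, maximum=1, sticky=False,
                        violation_action="restrict", static_macs=()):
    """<config> body for an edit-config that enables port-security on
    `interface`; static_macs is an iterable of (mac, vlan-id) pairs."""
    config = ET.Element("config")
    interfaces = ET.SubElement(ET.SubElement(config, "top"), "interfaces")
    iface = ET.SubElement(interfaces, "interface")
    ET.SubElement(iface, "name").text = interface
    ps = ET.SubElement(ET.SubElement(iface, "mac-security"), "port-security")
    ET.SubElement(ps, "enabled").text = "true"
    ET.SubElement(ps, "sticky-enabled").text = str(sticky).lower()
    ET.SubElement(ps, "violation-action").text = violation_action
    ET.SubElement(ps, "maximum").text = str(maximum)
    if static_macs:
        addrs = ET.SubElement(ps, "secure-addresses", operation="create")
        for mac, vlan in static_macs:
            sa = ET.SubElement(addrs, "secure-address")
            ET.SubElement(sa, "mac-address").text = mac
            ET.SubElement(sa, "vlan-id").text = str(vlan)
    return ET.tostring(config, encoding="unicode")


def interfaces_with_mac_limit(get_config_reply):
    """Interfaces whose mac-limit maximum is non-zero (0 is the chapter's
    'no limit' default): the device will reject port-security on these."""
    path = f"{{{NS_MS}}}mac-security/{{{NS_MS}}}mac-limit/{{{NS_MS}}}maximum"
    root = ET.fromstring(get_config_reply)
    return [iface.findtext(f"{{{NS_IF}}}name")
            for iface in root.iter(f"{{{NS_IF}}}interface")
            if iface.findtext(path) not in (None, "0")]


def reply_is_ok(rpc_reply):
    """True when an rpc-reply carries <ok/> rather than an rpc-error."""
    return ET.fromstring(rpc_reply).find(f"{{{NS_BASE}}}ok") is not None
```

Call `interfaces_with_mac_limit` on a fresh `get-config` reply before sending the body from `build_port_security`, so the conflict is caught on the client instead of as an `rpc-error` from the device.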
