Mohsin, Yes. I think what he had in mind is something along the lines of https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html
Which we don’t have in VPP code. --a > On 12 Feb 2018, at 23:51, Mohsin Kazmi <[email protected]> wrote: > > Andrew, > > Thanks for the correction. In case of unknown MAC receive from known > interface, where set of MACIP rules are applied, what will be behavior of > MACIP for new MAC. I think so, it will drop those frames. > > That's not what Mustafa is asking in his previous email about dropping of > those frames. > > Thanks, > Mohsin > From: Andrew Yourtchenko <[email protected]> > Sent: Monday, February 12, 2018 11:23 PM > To: Mohsin Kazmi (sykazmi) > Cc: [email protected] > Subject: Re: [vpp-dev] Port security > > Mohsin, > > Not really, macip acl only nails down the predefined known addresses. > > Mostafa, > > To implement the functionality you are looking for, you would need to write > new code. > > --a > > On 12 Feb 2018, at 23:20, Mohsin Kazmi <[email protected]> wrote: > >> Hi Mostafa, >> >> Port Security functional can be implemented using ACL plugin MACIP feature. >> On a given interface, ACLs are applied on input traffic to permit using a >> mix of MAC and IP. >> >> >> Here you will find more detail about it: >> >> https://wiki.fd.io/view/VPP/SecurityGroups#MACIP_.28formerly_.22L2.22.29_API >> >> Cheers, >> Mohsin >> From: [email protected] <[email protected]> on behalf of Mostafa Salari >> <[email protected]> >> Sent: Saturday, February 10, 2018 10:55 AM >> To: [email protected] >> Subject: [vpp-dev] Port security >> >> Hi >> >> How can i apply port-security functionality with vpp? In summary, before a >> new MAC come into mac-table, some special functions must be triggered. Those >> functions, determine whether the new mac is allowed to connect or not, and >> if not, what action should be performed? Actions are: increasing a violation >> counter, dropping the packet and (sometimes) turning the incomming interface >> down! >> >> Any help is appreciated. >> Regards > >
