Andrew,

Thanks for the correction. In the case of an unknown MAC received on a known interface where a set of MACIP rules is applied, what will be the behavior of MACIP for the new MAC? I think it will drop those frames. That's not what Mostafa is asking in his previous email about dropping of those frames.

Thanks,
Mohsin

________________________________
From: Andrew Yourtchenko <ayour...@gmail.com>
Sent: Monday, February 12, 2018 11:23 PM
To: Mohsin Kazmi (sykazmi)
Cc: vpp-dev@lists.fd.io
Subject: Re: [vpp-dev] Port security

Mohsin,

Not really, macip acl only nails down the predefined known addresses.

Mostafa,

To implement the functionality you are looking for, you would need to write new code.

--a

On 12 Feb 2018, at 23:20, Mohsin Kazmi <syka...@cisco.com> wrote:

Hi Mostafa,

Port Security functionality can be implemented using the ACL plugin MACIP feature. On a given interface, ACLs are applied on input traffic to permit using a mix of MAC and IP. Here you will find more detail about it:
https://wiki.fd.io/view/VPP/SecurityGroups#MACIP_.28formerly_.22L2.22.29_API

Cheers,
Mohsin

________________________________
From: vpp-dev@lists.fd.io <vpp-dev@lists.fd.io> on behalf of Mostafa Salari <msg...@gmail.com>
Sent: Saturday, February 10, 2018 10:55 AM
To: vpp-dev@lists.fd.io
Subject: [vpp-dev] Port security

Hi

How can I apply port-security functionality with vpp? In summary, before a new MAC comes into the mac-table, some special functions must be triggered. Those functions determine whether the new MAC is allowed to connect or not, and if not, what action should be performed. Actions are: increasing a violation counter, dropping the packet and (sometimes) turning the incoming interface down!

Any help is appreciated.

Regards
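The learn-time check described in the original question, written out as an added stand-alone C model. It is not VPP code and not from anyone in this thread; every name in it (`ps_port_t`, `ps_check_new_mac`, the shutdown threshold) is hypothetical, and the MAC addresses are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PS_MAX_ALLOWED 4

typedef enum { PS_FORWARD, PS_DROP, PS_DROP_AND_SHUTDOWN } ps_action_t;

typedef struct {
    uint8_t  allowed[PS_MAX_ALLOWED][6]; /* MACs permitted on this port */
    unsigned n_allowed;
    unsigned violations;                 /* violation counter */
    unsigned shutdown_threshold;         /* 0 = never shut the port */
    int      admin_up;
} ps_port_t;

/* Hook to run before a source MAC would be learned into the MAC table. */
ps_action_t ps_check_new_mac(ps_port_t *p, const uint8_t mac[6])
{
    if (!p->admin_up)
        return PS_DROP;                  /* port already shut: drop everything */
    for (unsigned i = 0; i < p->n_allowed; i++)
        if (memcmp(p->allowed[i], mac, 6) == 0)
            return PS_FORWARD;           /* known address, let learning proceed */
    p->violations++;                     /* unknown address: count the violation */
    if (p->shutdown_threshold && p->violations >= p->shutdown_threshold) {
        p->admin_up = 0;                 /* "sometimes" action: interface down */
        return PS_DROP_AND_SHUTDOWN;
    }
    return PS_DROP;
}

/* Constructed sample data: one permitted MAC, one stranger. */
static const uint8_t KNOWN[6]   = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
static const uint8_t UNKNOWN[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x99};

/* Port that permits KNOWN and shuts down on the second violation. */
ps_port_t ps_demo_port(void)
{
    ps_port_t p = {0};
    memcpy(p.allowed[0], KNOWN, 6);
    p.n_allowed = 1;
    p.shutdown_threshold = 2;
    p.admin_up = 1;
    return p;
}

int main(void)
{
    ps_port_t p = ps_demo_port();
    const uint8_t *frames[] = {KNOWN, UNKNOWN, UNKNOWN, KNOWN};
    for (unsigned i = 0; i < 4; i++)
        printf("frame %u: action=%d violations=%u up=%d\n", i,
               (int)ps_check_new_mac(&p, frames[i]), p.violations, p.admin_up);
    return 0;
}
```

The difference from a static MAC/IP permit list is the state kept per port: the violation count and the decision to take the interface down.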