Working Principle of Port Security
If only port security is enabled, port security drops all packets received on the port. The port security rules are triggered by the ARP packets and IP packets arriving at the device. When the device receives an ARP or IP packet, port security extracts the relevant packet information and matches it against the configured rules. The matching order is: first the MAC rule, then the STICKY rule, then the IP rule, and finally the MAX rule. The L2 forwarding table of the port is controlled according to the matching result, which in turn controls how the port forwards the packet. A valid packet matching the MAX rule or the STICKY rule is forwarded. For a packet matching the MAC rule or the IP rule, if the rule's action is permit, the packet is valid and is forwarded; otherwise, the packet is invalid and is dropped.
For a MAC rule or IP rule whose action is permit, the MAC address of the rule is written to the L2 forwarding table once the rule takes effect, so that packets matching the rule can be L2-forwarded. For a MAC rule or IP rule whose action is deny, the corresponding MAC address is not written to the L2 forwarding table, and port security drops the packet.
After a MAC rule or STICKY rule takes effect, it is written to the MAC address entries to form the effective entries, so that matching packets are L2-forwarded. IPv6 packets are processed in the same way.
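The matching order described above, simulated as an added example that is not the vendor's code: rule sets and packets are constructed, and the MAX rule is modelled as a cap on the number of dynamically learned MACs, which is an assumption the text does not spell out.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:               # constructed ARP/IP packet, reduced to the fields port security inspects
    src_mac: str
    src_ip: str

@dataclass
class PortSecurity:
    mac_rules: dict = field(default_factory=dict)  # MAC rule: MAC -> "permit" | "deny"
    sticky_macs: set = field(default_factory=set)  # STICKY rule: these MACs are always forwarded
    ip_rules: dict = field(default_factory=dict)   # IP rule: IP -> "permit" | "deny"
    max_macs: int = 0      # MAX rule, modelled as a cap on dynamically learned MACs (assumption)
    learned: set = field(default_factory=set)      # MACs admitted under the MAX rule
    l2_table: set = field(default_factory=set)     # effective L2 forwarding entries

    def _admit(self, mac: str) -> str:
        self.l2_table.add(mac)  # a permitting rule writes the MAC into the L2 forwarding table
        return "forward"

    def process(self, pkt: Packet) -> str:
        """Match in the documented order (MAC, STICKY, IP, MAX); an unmatched packet is dropped."""
        if pkt.src_mac in self.mac_rules:                                       # 1. MAC rule
            return self._admit(pkt.src_mac) if self.mac_rules[pkt.src_mac] == "permit" else "drop"
        if pkt.src_mac in self.sticky_macs:                                     # 2. STICKY rule
            return self._admit(pkt.src_mac)
        if pkt.src_ip in self.ip_rules:                                         # 3. IP rule
            return self._admit(pkt.src_mac) if self.ip_rules[pkt.src_ip] == "permit" else "drop"
        if pkt.src_mac in self.learned or len(self.learned) < self.max_macs:    # 4. MAX rule
            self.learned.add(pkt.src_mac)
            return self._admit(pkt.src_mac)
        return "drop"  # denied or unmatched: the MAC is never written to the L2 table

def demo():  # constructed rule set and packets; returns per-packet decisions and the resulting L2 table
    ps = PortSecurity(
        mac_rules={"00:11:22:33:44:55": "permit", "00:11:22:33:44:66": "deny"},
        sticky_macs={"aa:bb:cc:dd:ee:01"},
        ip_rules={"10.0.0.9": "deny", "10.0.0.10": "permit"},
        max_macs=1,
    )
    pkts = [
        Packet("00:11:22:33:44:55", "10.0.0.9"),   # MAC permit wins over IP deny: MAC rule is checked first
        Packet("00:11:22:33:44:66", "10.0.0.10"),  # MAC deny wins over IP permit
        Packet("aa:bb:cc:dd:ee:01", "10.0.0.9"),   # STICKY matched before the IP deny rule
        Packet("de:ad:be:ef:00:01", "10.0.0.9"),   # no MAC/STICKY match; IP rule denies
        Packet("de:ad:be:ef:00:02", "10.0.0.10"),  # IP rule permits
        Packet("de:ad:be:ef:00:03", "10.0.0.50"),  # falls through to the MAX rule, one slot available
        Packet("de:ad:be:ef:00:04", "10.0.0.51"),  # MAX rule exhausted: dropped
    ]
    return [ps.process(p) for p in pkts], sorted(ps.l2_table)
```

Note that denied MACs never appear in the resulting L2 table, and a port with security enabled but no rules and `max_macs=0` drops every packet, as the text states.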