Security Guide for ProCurve 9300/9400 Series Routing Switches
Configuring the MAC Port Security Feature
To configure the MAC port security feature, you perform the following tasks:
• Enable the MAC port security feature
• Set the maximum number of secure MAC addresses for an interface
• Set the port security age timer
• Specify secure MAC addresses
• Configure the device to automatically save secure MAC addresses to the startup-config file
• Specify the action taken when a security violation occurs
Enabling the MAC Port Security Feature
By default, the MAC port security feature is disabled on all interfaces. You can enable or disable the feature
globally on all interfaces at once or on individual interfaces.
To enable the feature on all interfaces at once:
ProCurveRS(config)# port security
ProCurveRS(config-port-security)# enable
To disable the feature on all interfaces at once:
ProCurveRS(config)# port security
ProCurveRS(config-port-security)# no enable
To enable the feature on a specific interface:
ProCurveRS(config)# int e 7/11
ProCurveRS(config-if-e100-7/11)# port security
ProCurveRS(config-port-security-e100-7/11)# enable
Syntax: port security
Syntax: [no] enable
Setting the Maximum Number of Secure MAC Addresses for an Interface
When the port security feature is enabled, the interface can store 1 secure MAC address. You can increase the
number of MAC addresses that can be secured to a maximum of 64, plus the total number of global resources
available.
For example, to configure interface 7/11 to have a maximum of 10 secure MAC addresses:
ProCurveRS(config)# int e 7/11
ProCurveRS(config-if-e100-7/11)# port security
ProCurveRS(config-port-security-e100-7/11)# maximum 10
Syntax: maximum <number-of-addresses>
The <number-of-addresses> parameter can be set to a number from 0 to (64 + the total number of global
resources available). The total number of global resources is 2048 or 4096, depending on flash memory size.
Setting the parameter to 0 prevents any addresses from being learned. The default is 1.
Setting the Port Security Age Timer
By default, the learned MAC addresses stay secure indefinitely. You can optionally configure the device to age out
secure MAC addresses after a specified amount of time.
To set the port security age timer to 10 minutes on all interfaces:
ProCurveRS(config)# port security
ProCurveRS(config-port-security)# age 10
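The following Python sketch is an added example, not part of this guide or of the vendor's software: it replays a CLI transcript and flags a maximum above the ceiling the guide gives, a maximum of 0, and ports that carry port security settings without the feature being enabled. The names audit, pool and SAMPLE are hypothetical, the transcript is constructed, and treating a port as covered when the feature is enabled at its own level or globally is an assumption.

```python
import re

# Values stated in the guide: default of 1 secure MAC per port; ceiling of 64
# plus the global resource pool (2048 or 4096, depending on flash memory size).
BASE_LIMIT = 64
PROMPT = re.compile(r"^\S+\(config(?P<mode>[^)]*)\)#\s*(?P<cmd>.*)$")

def audit(transcript, pool=2048):
    """Replay a CLI transcript; return (settings per scope, findings)."""
    limit = BASE_LIMIT + pool  # pool (hypothetical name): 2048 or 4096
    state, findings = {}, []
    for n, line in enumerate(transcript.strip().splitlines(), 1):
        m = PROMPT.match(line.strip())
        if not m:
            continue
        # The prompt carries the scope: a trailing slot/port means interface level.
        port = re.search(r"(\d+/\d+)$", m["mode"])
        scope = port.group(1) if port else "global"
        cfg = state.setdefault(scope, {"enabled": False, "maximum": 1, "age": None})
        words = m["cmd"].split()
        if words in (["enable"], ["no", "enable"]):
            cfg["enabled"] = words == ["enable"]
        elif len(words) == 2 and words[0] in ("maximum", "age") and words[1].isdigit():
            value = int(words[1])
            if words[0] == "maximum" and value > limit:
                findings.append(f"line {n}: maximum {value} exceeds {limit} on {scope}")
                continue
            cfg[words[0]] = value
            if words[0] == "maximum" and value == 0:
                findings.append(f"line {n}: maximum 0 stops {scope} learning addresses")
    # Assumption: a port is covered if enabled at its own level or globally.
    globally_on = state.get("global", {}).get("enabled", False)
    for scope, cfg in state.items():
        if scope != "global" and not (cfg["enabled"] or globally_on):
            findings.append(f"{scope}: settings present but feature never enabled")
    return state, findings

# Constructed transcript, modelled on the guide's own commands.
SAMPLE = """
ProCurveRS(config-if-e100-7/11)# port security
ProCurveRS(config-port-security-e100-7/11)# enable
ProCurveRS(config-port-security-e100-7/11)# maximum 10
ProCurveRS(config-if-e100-7/12)# port security
ProCurveRS(config-port-security-e100-7/12)# maximum 5000
ProCurveRS(config-port-security-e100-7/12)# maximum 0
ProCurveRS(config)# port security
ProCurveRS(config-port-security)# age 10
"""
print("\n".join(audit(SAMPLE)[1]))
```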
June 2005