Cisco WS-C6506 Software Manual (Catalyst 6500 series switch): Restricting the Traffic Based on the Host MAC Address; Blocking the Unicast Flood Packets on the Secure Ports; Understanding How MAC-Address Monitoring Works

Chapter 38
Configuring Port Security
Note: If you configure a secure port in restrictive mode, and a station is connected to the port whose MAC address is already configured as a secure MAC address on another port on the switch, the port in restrictive mode shuts down instead of restricting the traffic from that station. For example, if you configure MAC-1 as the secure MAC address on port 2/1 and MAC-2 as the secure MAC address on port 2/2, and then connect the station with MAC-1 to port 2/2 while port 2/2 is configured for restrictive mode, port 2/2 shuts down instead of restricting the traffic from MAC-1.
When a secure port receives a packet, the source MAC address of the packet is compared to the list of secure source addresses that were manually configured or learned dynamically on the port. If the source MAC address of a device attached to the port is not in the list of secure addresses, the port either shuts down permanently (the default), shuts down for the time that you have specified, or drops the incoming packets from the insecure host. The port's behavior depends on how you configure it to respond to a security violation.

If a security violation occurs, the LED labeled "Link" for that port turns orange and a link-down trap is sent to the Simple Network Management Protocol (SNMP) manager. An SNMP trap is not sent if you configure the port for restrictive violation mode; a trap is sent only if you configure the port to shut down on a security violation.
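The following is an added example, not code from the Cisco guide: a minimal model of how a secure port handles a security violation as the text above describes it, including the Note's case of a station whose MAC address is already secure on another port. The port names, MAC addresses, maximum values and the 60-second shutdown timer are constructed for the demonstration; the port-security CLI itself is not reproduced.

```python
# Added example (not from the Cisco guide): port-security violation handling model.
# Ports, MAC addresses, maximums and the 60 s timer are constructed for this demo.
from dataclasses import dataclass, field
from typing import Optional

SHUTDOWN = "shutdown"   # default: port goes down, permanently or for shutdown_time seconds
RESTRICT = "restrict"   # frames from the insecure host are dropped; port stays up, no trap


@dataclass
class SecurePort:
    name: str
    violation: str = SHUTDOWN
    shutdown_time: Optional[int] = None    # None = permanent shutdown, else seconds
    maximum: int = 1                       # secure MACs allowed (static + learned)
    secure_macs: set = field(default_factory=set)
    link_up: bool = True
    reenable_at: Optional[int] = None      # time at which a timed shutdown ends


class Switch:
    def __init__(self) -> None:
        self.ports: dict = {}
        self.traps: list = []              # link-down traps sent to the SNMP manager

    def add_port(self, port: SecurePort) -> None:
        self.ports[port.name] = port

    def secure_elsewhere(self, mac: str, port: SecurePort) -> bool:
        """True if mac is a secure MAC on some other port of the switch."""
        return any(mac in p.secure_macs for p in self.ports.values() if p is not port)

    def _shutdown(self, port: SecurePort, now: int, reason: str) -> str:
        port.link_up = False
        port.reenable_at = None if port.shutdown_time is None else now + port.shutdown_time
        self.traps.append((port.name, "linkDown", reason))   # trap only in shutdown mode
        return "shutdown"

    def tick(self, now: int) -> None:
        """Re-enable ports whose timed shutdown has expired."""
        for p in self.ports.values():
            if not p.link_up and p.reenable_at is not None and now >= p.reenable_at:
                p.link_up, p.reenable_at = True, None

    def receive(self, port_name: str, src_mac: str, now: int = 0) -> str:
        port = self.ports[port_name]
        self.tick(now)
        if not port.link_up:
            return "port-down"
        if src_mac in port.secure_macs:
            return "forward"
        # The guide's Note: a station whose MAC is already secure on another port shuts
        # this port down even in restrictive mode.  Applying the same rule in shutdown
        # mode, and checking it before dynamic learning, is this model's assumption.
        if self.secure_elsewhere(src_mac, port):
            return self._shutdown(port, now, f"{src_mac} is secure on another port")
        if len(port.secure_macs) < port.maximum:
            port.secure_macs.add(src_mac)         # dynamic learning, still within maximum
            return "forward"
        if port.violation == RESTRICT:
            return "drop"                         # restrictive mode: no trap, port stays up
        return self._shutdown(port, now, f"insecure host {src_mac}")


def demo() -> dict:
    """Run the three scenarios from the text and return what happened."""
    sw = Switch()
    sw.add_port(SecurePort("2/1", RESTRICT, secure_macs={"MAC-1"}))
    sw.add_port(SecurePort("2/2", RESTRICT, secure_macs={"MAC-2"}))
    sw.add_port(SecurePort("2/3", SHUTDOWN, shutdown_time=60, maximum=2))
    sw.add_port(SecurePort("2/4", RESTRICT, maximum=1))
    out = {}
    # 1. MAC-1 (secure on 2/1) appears on restrictive port 2/2: 2/2 shuts down, not restricts.
    out["cross_port"] = sw.receive("2/2", "MAC-1", now=0)
    out["2/2_up"] = sw.ports["2/2"].link_up
    # 2. Timed shutdown: two hosts are learned, a third is a violation, port returns after 60 s.
    sw.receive("2/3", "00-11-22-33-44-01", now=0)
    sw.receive("2/3", "00-11-22-33-44-02", now=1)
    out["timed"] = sw.receive("2/3", "00-11-22-33-44-03", now=2)
    out["during"] = sw.receive("2/3", "00-11-22-33-44-01", now=30)
    out["after"] = sw.receive("2/3", "00-11-22-33-44-01", now=62)
    # 3. Restrictive mode: second host is dropped, port stays up, no trap is generated.
    traps_before = len(sw.traps)
    sw.receive("2/4", "00-11-22-33-44-10", now=0)
    out["restrict"] = sw.receive("2/4", "00-11-22-33-44-11", now=0)
    out["2/4_up"] = sw.ports["2/4"].link_up
    out["restrict_trap"] = len(sw.traps) - traps_before
    out["traps"] = len(sw.traps)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The model keeps the guide's distinction that only shutdown mode produces a link-down trap, so a restrictive port that is silently dropping an attacker's frames is invisible to SNMP-based monitoring unless you also watch port-security counters.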

Restricting the Traffic Based on the Host MAC Address

You can filter traffic based on a host MAC address so that packets carrying a specific source MAC address are discarded. When you specify a MAC address filter with the set cam filter command, incoming traffic from that host MAC address is dropped and packets addressed to that host are not forwarded.

Note: The set cam filter command allows filtering for unicast addresses only. You cannot filter traffic for multicast addresses with this command.

Blocking the Unicast Flood Packets on the Secure Ports

You can block unicast flood packets on a secure Ethernet port by disabling the unicast flood feature. If you disable unicast flood on a port, the port drops unicast flood packets once it has reached the maximum number of MAC addresses allowed on it.

The port automatically resumes accepting unicast flood packets, and learning from them, when the number of learned MAC addresses drops below the allowed maximum. The learned MAC address count decreases when a configured MAC address is removed or when an entry's time-to-live (TTL) counter expires.

Understanding How MAC-Address Monitoring Works

Because the Catalyst 6500 series switches learn source MAC addresses automatically, the system is vulnerable to floods of traffic with spoofed source MAC addresses and to the Denial of Service (DoS) that such flooding can cause. To detect traffic flooding and DoS attacks, you can monitor the number of MAC addresses that the system learns on a per-port, per-VLAN, or per-port-per-VLAN basis.

MAC-address monitoring is supported in the software.
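The following is an added example, not code from the Cisco guide, covering the three preceding sections together: a small model of the CAM-side behaviour they describe, namely the set cam filter effect (nothing forwarded from or to a filtered unicast host), unicast-flood blocking on a port that has reached its MAC maximum and its resumption after TTL aging, and per-port, per-VLAN and per-port-per-VLAN learned-MAC monitoring. The MAC addresses, ports, VLAN, 300-second TTL and thresholds are constructed for the demonstration; no CatOS command is reproduced.

```python
# Added example (not from the Cisco guide): CAM filter, unicast-flood blocking, TTL
# aging and learned-MAC monitoring model.  All addresses, ports, VLANs, the TTL and
# the thresholds are constructed for this demo.
from typing import Dict, List, Optional, Tuple

INFINITY = float("inf")


class Cam:
    def __init__(self, ttl: int = 300) -> None:
        self.ttl = ttl
        self.entries: Dict[Tuple[int, str], Tuple[str, int]] = {}   # (vlan, mac) -> (port, expires)
        self.filters: set = set()          # unicast MACs blocked with 'set cam filter'
        self.flood_disabled: set = set()   # ports with unicast flood disabled
        self.port_max: Dict[str, float] = {}                      # port -> allowed MAC count
        self.thresholds: Dict[str, Dict] = {"port": {}, "vlan": {}, "port_vlan": {}}

    def age(self, now: int) -> None:
        """Drop entries whose TTL has expired; this is what lets flooding resume."""
        self.entries = {k: v for k, v in self.entries.items() if v[1] > now}

    def count(self, port: Optional[str] = None, vlan: Optional[int] = None) -> int:
        return sum(1 for (v, _), (p, _) in self.entries.items()
                   if (port is None or p == port) and (vlan is None or v == vlan))

    def add_filter(self, mac: str) -> None:
        # Multicast/broadcast addresses have the low bit of the first octet set;
        # set cam filter is documented as unicast-only, so reject them here.
        if int(mac.split("-")[0], 16) & 1:
            raise ValueError("set cam filter accepts unicast addresses only")
        self.filters.add(mac)

    def learn(self, vlan: int, mac: str, port: str, now: int) -> bool:
        key = (vlan, mac)
        if key not in self.entries and self.count(port=port) >= self.port_max.get(port, INFINITY):
            return False                   # port is at its maximum, learn nothing more
        self.entries[key] = (port, now + self.ttl)
        return True

    def forward(self, vlan: int, src: str, dst: str, in_port: str,
                ports: List[str], now: int) -> Tuple[str, List[str]]:
        """Decide what happens to one frame; returns (action, egress ports)."""
        self.age(now)
        if src in self.filters or dst in self.filters:
            return ("drop", [])            # filtered host: nothing from it, nothing to it
        self.learn(vlan, src, in_port, now)
        hit = self.entries.get((vlan, dst))
        if hit is not None:
            return ("unicast", [hit[0]])
        # Unknown unicast is flooded, except to ports that have unicast flood disabled
        # and have already learned their maximum number of MAC addresses.
        egress = [p for p in ports if p != in_port and not
                  (p in self.flood_disabled and self.count(port=p) >= self.port_max.get(p, INFINITY))]
        return ("flood", egress)

    def monitor(self) -> List[Tuple[str, str, int, int]]:
        """Return (scope, key, count, threshold) for every monitored scope over its threshold."""
        alerts = []
        for port, limit in self.thresholds["port"].items():
            c = self.count(port=port)
            if c > limit:
                alerts.append(("port", port, c, limit))
        for vlan, limit in self.thresholds["vlan"].items():
            c = self.count(vlan=vlan)
            if c > limit:
                alerts.append(("vlan", str(vlan), c, limit))
        for (port, vlan), limit in self.thresholds["port_vlan"].items():
            c = self.count(port=port, vlan=vlan)
            if c > limit:
                alerts.append(("port_vlan", f"{port}:{vlan}", c, limit))
        return alerts


def demo() -> dict:
    cam = Cam(ttl=300)
    vlan, ports = 10, ["3/1", "3/2", "3/3"]
    cam.port_max["3/1"] = 1                 # 3/1: one MAC allowed, unicast flood disabled
    cam.flood_disabled.add("3/1")
    cam.add_filter("00-aa-bb-cc-dd-ee")     # set cam filter on a (constructed) host
    cam.thresholds["port"]["3/2"] = 2
    cam.thresholds["vlan"][vlan] = 10
    cam.thresholds["port_vlan"][("3/2", vlan)] = 2
    out = {}
    out["from_filtered"] = cam.forward(vlan, "00-aa-bb-cc-dd-ee", "00-00-00-00-00-01", "3/3", ports, now=0)[0]
    out["to_filtered"] = cam.forward(vlan, "00-00-00-00-00-01", "00-aa-bb-cc-dd-ee", "3/3", ports, now=0)[0]
    try:
        cam.add_filter("01-00-5e-00-00-01")
        out["multicast_filter_rejected"] = False
    except ValueError:
        out["multicast_filter_rejected"] = True
    # 3/1 learns its single allowed MAC, then no longer receives unknown-unicast floods.
    cam.forward(vlan, "00-00-00-00-00-11", "00-00-00-00-00-99", "3/1", ports, now=1)
    out["flood_blocked"] = cam.forward(vlan, "00-00-00-00-00-01", "00-00-00-00-00-99", "3/3", ports, now=2)
    # After the TTL expires the learned count drops below the maximum and flooding resumes.
    out["flood_resumed"] = cam.forward(vlan, "00-00-00-00-00-01", "00-00-00-00-00-99", "3/3", ports, now=302)
    # A burst of new source MACs on 3/2 pushes it over its per-port and per-port-per-VLAN thresholds.
    for i in range(1, 4):
        cam.forward(vlan, f"00-00-00-00-00-2{i}", "00-00-00-00-00-99", "3/2", ports, now=310)
    out["alerts"] = cam.monitor()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The monitor only reports counts above a threshold; in the model, as in the guide's description, it is a detection aid and does not itself stop learning, which is the job of the per-port maximum and the violation mode.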
OL-8978-04 — Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7, page 38-3