Chapter 47
Configuring Port Security
Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG
OL-25340-01

Example 7: Displaying Secured MAC Addresses for a VLAN Range on an Interface
This example shows how to display all secure MAC addresses configured on VLANs 2 and 3 on
Gigabit Ethernet interface 1/1 with aging information for each address:

Switch# show port-security interface g1/1 address vlan 2-3
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age(mins)
----    -----------       ----                -----   -------------
   2    0001.0001.0001    SecureConfigured    Gi1/1        -
   2    0001.0001.0002    SecureSticky        Gi1/1        -
   2    0001.0001.0003    SecureSticky        Gi1/1        -
   3    0001.0001.0001    SecureConfigured    Gi1/1        -
   3    0001.0001.0002    SecureSticky        Gi1/1        -
   3    0001.0001.0003    SecureSticky        Gi1/1        -
------------------------------------------------------------------------
Total Addresses: 12
Switch#

Configuring Port Security with Other Features/Environments
The following topics are discussed:
• DHCP and IP Source Guard
• 802.1X Authentication
• Configuring Port Security in a Wireless Environment

DHCP and IP Source Guard
You might want to configure port security with DHCP and IP Source Guard to prevent IP spoofing by
unsecured MAC addresses. IP Source Guard supports two levels of IP traffic filtering:
• Source IP address filtering
• Source IP and MAC address filtering

When used in source IP and MAC address filtering, IP Source Guard uses private ACLs to filter traffic
based on the source IP address, and uses port security to filter traffic based on the source MAC address.
Port security must be enabled on the access port in this mode.

When both features are enabled, the following limitations apply:
• The DHCP packet is not subject to port security dynamic learning.
• If multiple IP clients are connected to a single access port, port security cannot enforce exact binding
  of source IP and MAC address for each client.
  For example, these clients reside on an access port with the following IP and MAC address:
  – client1: MAC1 <---> IP1
  – client2: MAC2 <---> IP2
  Any combination of the source MAC and IP address traffic will be allowed as shown here:
  – MAC1 <---> IP1, valid
  – MAC2 <---> IP2, valid
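
The multiple-client limitation above, modeled as an added example (not Cisco code or switch output): the source IP check and the port-security MAC check are treated as two independent filters, as the text describes, and compared with a hypothetical exact per-client binding. The function names, the port Gi1/2 and the MAC3/IP3 client are assumptions made for illustration.

```python
from itertools import product


def independent_filters(bindings):
    """Source IP and MAC filtering as described above: the IP check and the
    port-security MAC check are evaluated separately for each frame."""
    secure_macs = {mac for mac, _ in bindings}
    permitted_ips = {ip for _, ip in bindings}
    return lambda mac, ip: mac in secure_macs and ip in permitted_ips


def exact_binding(bindings):
    """Hypothetical stricter check: the (MAC, IP) pair itself must be bound."""
    pairs = set(bindings)
    return lambda mac, ip: (mac, ip) in pairs


def unbound_pairs_permitted(bindings):
    """Pairs the independent filters accept although no client owns them."""
    loose, strict = independent_filters(bindings), exact_binding(bindings)
    macs = sorted({m for m, _ in bindings})
    ips = sorted({i for _, i in bindings})
    return [(m, i) for m, i in product(macs, ips)
            if loose(m, i) and not strict(m, i)]


def ports_needing_review(port_bindings):
    """Audit helper: access ports where exact binding is not enforced."""
    return sorted(port for port, bindings in port_bindings.items()
                  if unbound_pairs_permitted(bindings))


# Constructed sample data: Gi1/1 mirrors the two clients in the text;
# Gi1/2 is a single-client port added for contrast.
PORT_BINDINGS = {
    "Gi1/1": [("MAC1", "IP1"), ("MAC2", "IP2")],
    "Gi1/2": [("MAC3", "IP3")],
}

if __name__ == "__main__":
    for port, bindings in PORT_BINDINGS.items():
        print(port, "unbound pairs permitted:", unbound_pairs_permitted(bindings))
    print("ports needing review:", ports_needing_review(PORT_BINDINGS))
```

Fed with the real per-port bindings, the audit helper lists the access ports that carry more than one client and therefore fall under this limitation.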