Dell N1100-ON Reference Manual page 293

Port security allows the network administrator to secure interfaces by
specifying (or learning) the allowable MAC addresses on a given port. Packets
with a matching source MAC address are forwarded normally. All other host
packets are discarded. Port security operates on access, trunk and general
mode ports.

Two methods are used to implement Port MAC locking: dynamic locking and
static locking. Static locking further has an optional sticky mode.

Dynamic locking implements a 'first arrival' mechanism for MAC locking.
The administrator specifies how many dynamic addresses may be learned on
the locked port. If the limit has not been reached, then a packet with an
unknown source MAC address is learned and forwarded normally. If the MAC
address limit has been reached, the packet is discarded. The administrator can
disable dynamic locking (learning) by setting the number of allowable
dynamic entries to zero.

When a MAC-locking-enabled link goes down, all of the dynamically locked
addresses are 'freed.' When the link is restored, that port can once again learn
MAC addresses up to the administrator-specified limit.

A dynamically locked MAC address is eligible to be aged out if another packet
with that MAC address is not seen within the age-out time. Dynamically
locked MAC addresses are also eligible to be relearned on another port if
station movement occurs. Statically locked MAC addresses are not eligible for
aging. If a packet arrives on a port with a source MAC address that is statically
locked on another port, then the packet is discarded.

Static locking allows the administrator to specify a list of host MAC addresses
that are allowed on a port. The behavior of packets is the same as for dynamic
locking: only packets with a known source MAC address can be forwarded.
Any packets with source MAC addresses that are not configured are
discarded. The switch treats this as a violation and supports sending an SNMP
port-security trap.

If the administrator knows the specific MAC address (or addresses) that will
be connected to a particular port, she can specify those addresses as static
entries. By setting the number of allowable dynamic entries to zero, only
packets with a source MAC address matching a MAC address in the static list
are forwarded.

To configure static locking only, set the dynamic MAC limit to 0. To configure
dynamic locking only, set the static MAC limit to 0.
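
The forwarding rules described above can be modelled in a few lines. The following is an added illustration, not Dell code or switch firmware: the port names p1/p2, the 300-second age-out value, the MAC addresses and the discards list are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    dynamic_limit: int                           # 0 disables dynamic learning
    static: set = field(default_factory=set)     # administrator-configured MACs
    dynamic: dict = field(default_factory=dict)  # learned MAC -> last-seen time

class Switch:
    def __init__(self, ports, age_out=300):      # age-out value is an assumption
        self.ports, self.age_out = ports, age_out
        self.discards = []                       # (port, mac) of every dropped packet

    def link_down(self, name):
        self.ports[name].dynamic.clear()         # dynamically locked entries are freed

    def receive(self, name, mac, now):
        port = self.ports[name]
        for p in self.ports.values():            # age out idle dynamic entries
            for m in [m for m, t in p.dynamic.items() if now - t > self.age_out]:
                del p.dynamic[m]
        if mac in port.static:
            return "forward"
        if any(mac in p.static for n, p in self.ports.items() if n != name):
            return self._discard(name, mac)      # statically locked on another port
        if mac in port.dynamic:
            port.dynamic[mac] = now              # refresh the age timer
            return "forward"
        if len(port.dynamic) >= port.dynamic_limit:
            return self._discard(name, mac)      # limit reached, or limit is 0
        for p in self.ports.values():            # station movement: relearn here
            p.dynamic.pop(mac, None)
        port.dynamic[mac] = now
        return "forward"

    def _discard(self, name, mac):
        self.discards.append((name, mac))
        return "discard"

def demo():
    a, b, s = "00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:0a"
    sw = Switch({"p1": Port(dynamic_limit=1),              # dynamic locking only
                 "p2": Port(dynamic_limit=0, static={s})}) # static locking only
    out = [sw.receive("p1", a, 0), sw.receive("p1", b, 1), sw.receive("p2", s, 2),
           sw.receive("p2", a, 3), sw.receive("p1", s, 4)]
    sw.link_down("p1")                           # frees a, so b can now be learned
    out += [sw.receive("p1", b, 5), sw.receive("p1", a, 306)]  # b has aged out by 306
    return out, sw.discards
```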
Layer 2 Switching Commands

This manual is also suitable for: N1500, N3100-ON, N4000, N2100-ON, N2000, N3000