Table of Contents
Advertisement
User Guidelines
Port security allows the network administrator to secure interfaces by
specifying (or learning) the allowable MAC addresses on a given port. Packets
with a matching source MAC address are forwarded normally. All other host
packets are discarded. Port security operates on access, trunk and general
mode ports.
Two methods are used to implement port security: dynamic locking and static
locking. Static locking further has an optional sticky mode.
Dynamic locking implements a 'first arrival' mechanism for MAC locking.
The administrator specifies how many dynamic addresses may be learned on
the secure port. If the limit has not been reached, then a packet with an
unknown source MAC address is learned and forwarded normally. If the MAC
address limit has been reached, the packet is discarded, the MAC address is
not learned, and a violation is raised. The administrator can disable dynamic
learning by setting the number of allowable dynamic entries to zero. This
causes all packets with unknown MAC addresses to be considered as
violations.
When a port security enabled link goes down, all of the dynamically learned
addresses are removed from the MAC forwarding database. When the link is
restored, that port can once again learn MAC addresses up to the
administrator specified limit.
A dynamically learned MAC address is eligible to be aged out if another
packet with that MAC address is not seen within the age-out time.
Dynamically learned MAC addresses are also eligible to be re-learned on
another port if station movement occurs.
Static locking allows the administrator to specify a list of MAC addresses that
are allowed on a port. The behavior of packets is the same as for dynamic
learning once the dynamic limit has been reached: only packets with a known
source MAC address can be forwarded. Any packets with source MAC
addresses that are not configured are discarded. The switch treats this as
violation.
If the administrator knows the specific MAC address (or addresses) that will
be connected to a particular port, she can specify those addresses as static
entries. By setting the number of allowable dynamic entries to zero, only
packets with a source MAC address matching a MAC address in the static list
are forwarded.
297
Layer 2 Switching Commands
Advertisement
Table of Contents
