Parameter description:

System Configuration

Mode: Indicates if Limit Control is globally enabled or disabled on the switch. If globally disabled, other modules may still use the underlying functionality, but limit checks and corresponding actions are disabled.

Aging Enabled: If checked, secured MAC addresses are subject to aging as discussed under Aging Period.

Aging Period: If Aging Enabled is checked, then the aging period is controlled with this input. If other modules are using the underlying port security for securing MAC addresses, they may have other requirements for the aging period. The underlying port security will use the shorter requested aging period of all modules that use the functionality.

The Aging Period can be set to a number between 10 and 10,000,000 seconds.

To understand why aging may be desired, consider the following scenario: Suppose an end-host is connected to a 3rd party switch or hub, which is connected to a port on this switch that has Limit Control enabled. The end-host will be allowed to forward if the limit is not exceeded. Now suppose that the end-host logs off or powers down. If it wasn't for aging, the end-host would still take up resources on this switch and will be allowed to forward. To overcome this situation, enable aging. With aging enabled, a timer is started once the end-host gets secured. When the timer expires, the switch starts looking for frames from the end-host, and if such frames are not seen within the next Aging Period, the end-host is assumed to be disconnected, and the corresponding resources are freed on the switch.
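The following Python model is an added illustration of the aging scenario above; it is not code from this manual or from the switch. The class and function names are hypothetical, and restarting the timer when a frame arrives in the watch window is an assumption, since the text only states what happens when no frame is seen.

```python
# Added model of Limit Control aging (illustrative, not vendor code).
AGING_MIN, AGING_MAX, LIMIT_MAX = 10, 10_000_000, 1024  # ranges from the text

def effective_aging(requests):
    """Port security uses the shorter aging period requested by any module."""
    for period in requests:
        if not AGING_MIN <= period <= AGING_MAX:
            raise ValueError(f"aging period {period} s is outside the allowed range")
    return min(requests)

class Port:
    def __init__(self, limit, aging=None):
        if limit > LIMIT_MAX:
            raise ValueError("limit cannot exceed 1024")
        self.limit = limit
        self.aging = aging     # None models Aging Enabled being unchecked
        self.secured = {}      # MAC -> time the current aging timer started

    def expire(self, now):
        """Free MACs whose timer expired and whose watch window stayed silent."""
        if self.aging is None:            # aging disabled: entries never age out
            return
        for mac, start in list(self.secured.items()):
            # Timer runs for one period, then the switch watches for one more.
            if now >= start + 2 * self.aging:
                del self.secured[mac]

    def frame(self, mac, now):
        """Process one frame from `mac` at time `now`; True if forwarded."""
        self.expire(now)
        if mac in self.secured:
            # Assumption: a frame seen in the watch window restarts the timer.
            if self.aging is not None and now >= self.secured[mac] + self.aging:
                self.secured[mac] = now
            return True
        if len(self.secured) < self.limit:
            self.secured[mac] = now       # secure the MAC and start its timer
            return True
        return False                      # limit reached: extra MAC not allowed

if __name__ == "__main__":
    # Constructed sample: two modules request 3600 s and 300 s; limit of 1 MAC.
    port = Port(limit=1, aging=effective_aging([3600, 300]))
    print(port.frame("00:00:5e:00:53:01", 0))    # first host is secured
    print(port.frame("00:00:5e:00:53:02", 599))  # slot still held by silent host
    print(port.frame("00:00:5e:00:53:02", 600))  # slot freed after 2 x 300 s
```

In this model a host that goes silent keeps its slot for between one and two Aging Periods after its last frame, which is the figure to weigh when choosing the period.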

Port Configuration

The table has one row for each port on the selected switch and a number of columns, which are:

Port: The port number that the configuration below applies to.

Mode: Controls whether Limit Control is enabled on this port. Both this and the Global Mode must be set to Enabled for Limit Control to be in effect. Notice that other modules may still use the underlying port security features without enabling Limit Control on a given port.

Limit: The maximum number of MAC addresses that can be secured on this port. This number cannot exceed 1024. If the limit is exceeded, the corresponding action is taken. The switch is "born" with a total number of MAC addresses from which all ports draw whenever a new MAC address is seen on a Port Security-enabled port. Since all ports draw from the same pool, a configured maximum might not be granted if the remaining ports have already used all available MAC addresses.

Action: If Limit is reached, the switch can take one of the following actions:

None: Do not allow more than Limit MAC addresses on the port, but take no further action.

Trap: If Limit + 1 MAC addresses is seen on the port, send an SNMP trap. If Aging is disabled, only one SNMP trap will be sent, but with Aging enabled, new SNMP traps will be sent every time the limit gets exceeded.

Shutdown: If Limit + 1 MAC addresses is seen on the port, shut down the port. This implies that all secured MAC addresses will be removed from the port, and no new address will be learned. Even if the link is physically disconnected and reconnected on the port (by disconnecting the cable), the port will remain shut down. There are three ways to re-open the port:

Publication date: Sept, 2015
Revision A1