Configuring and Monitoring Port Security
Port Security
Figure 11-1, physical topology: Switch A (port security configured); Switch B (MAC address authorized by Switch A); Switch C (MAC address NOT authorized by Switch A).
Figure 11-1. Example of How Port Security Controls Access
Blocking Unauthorized Traffic
Unless you configure the switch to disable a port on which a security violation
is detected, the switch security measures block unauthorized traffic without
disabling the port. This implementation enables you to apply the security
configuration to ports on which hubs, switches, or other devices are
connected, and to maintain security while also maintaining network access to
authorized users. For example:
Figure 11-1 (continued): PC 1 (MAC address authorized by Switch A); PC 2 (MAC address NOT authorized by Switch A); PC 3 (MAC address NOT authorized by Switch A).
Note: Broadcast and multicast traffic is always allowed, and can be read by intruders connected to a port on which you have configured port security.
Trunk Group Exclusion
Port security does not operate on either a static or dynamic trunk group. If
you configure port security on one or more ports that are later added to a trunk
group, the switch will reset the port security parameters for those ports to the
factory-default configuration. (Ports configured for either Active or Passive
LACP, and which are not members of a trunk, can be configured for port
security.)
Figure 11-1, logical topology for access to Switch A: Switch A (port security configured); Switch B (MAC address authorized by Switch A); PC 1 (MAC address authorized by Switch A).
• PC 1 can access Switch A.
• PCs 2 and 3 can access Switch B and Switch C, but are blocked from accessing Switch A by the port security settings in Switch A.
• Switch C is not authorized to access Switch A.
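The three rules this section states (unauthorized source MACs are blocked while the port stays up unless you configure it to be disabled; broadcast and multicast traffic still reaches a secured port; trunk membership resets port security to factory defaults) can be replayed against the Figure 11-1 example in a small model. This is an added illustration, not code from the manual or from ProCurve firmware: the PortSecurity class, the violation-action names "block" and "disable", and the PC MAC addresses are constructed for the model.

```python
"""Constructed model of the port-security behaviour described in this
section. Not ProCurve code; class and action names are assumptions."""

from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


def norm(mac: str) -> str:
    return mac.lower()


def is_broadcast_or_multicast(mac: str) -> bool:
    # The I/G bit (least-significant bit of the first octet) marks a group
    # address; the all-ones broadcast address is the special case of it.
    return (int(mac.split(":")[0], 16) & 0x01) == 1


@dataclass
class PortSecurity:
    name: str
    authorized: set = field(default_factory=set)  # MACs allowed to send
    action: str = "block"      # "block" (default) or "disable": assumed names
    enabled: bool = False
    disabled: bool = False     # port shut down after a violation
    violations: list = field(default_factory=list)

    def authorize(self, mac: str) -> None:
        self.enabled = True
        self.authorized.add(norm(mac))

    def join_trunk(self) -> None:
        """Trunk Group Exclusion: parameters return to factory defaults."""
        self.enabled = False
        self.authorized.clear()
        self.action = "block"
        self.disabled = False

    def ingress(self, src: str) -> str:
        """Decision for a frame arriving on this port from source MAC src."""
        if self.disabled:
            return "port-disabled"
        if not self.enabled or norm(src) in self.authorized:
            return "forward"
        self.violations.append(norm(src))
        if self.action == "disable":
            self.disabled = True
            return "port-disabled"
        return "blocked"       # frame dropped, but the port stays up

    def egress_visible(self, dst: str) -> bool:
        """Can a host on this port read a frame the switch sends to dst?
        Broadcast/multicast is always flooded to the port (the Note above);
        unicast is modelled as delivered only to an authorized address."""
        return is_broadcast_or_multicast(dst) or norm(dst) in self.authorized


def figure_11_1_scenario() -> dict:
    """Replay the page's example: PC 1 is authorized on Switch A's port,
    PC 2 and PC 3 are not. MAC values are constructed."""
    port = PortSecurity("A1")
    port.authorize("00:11:22:33:44:01")                   # PC 1
    results = {
        "pc1": port.ingress("00:11:22:33:44:01"),
        "pc2": port.ingress("00:11:22:33:44:02"),
        "pc3": port.ingress("00:11:22:33:44:03"),
        "port_up": not port.disabled,
        "intruder_sees_broadcast": port.egress_visible(BROADCAST),
        "intruder_sees_multicast": port.egress_visible("01:00:5e:00:00:01"),
        "violations": len(port.violations),
    }
    port.join_trunk()   # Trunk Group Exclusion wipes the configuration
    results["after_trunk_pc2"] = port.ingress("00:11:22:33:44:02")
    return results


def disable_action_scenario() -> list:
    """With the port configured to disable on violation, the first
    unauthorized frame shuts the port and even PC 1 then loses access."""
    port = PortSecurity("A2", action="disable")
    port.authorize("00:11:22:33:44:01")
    return [port.ingress("00:11:22:33:44:02"),
            port.ingress("00:11:22:33:44:01")]


if __name__ == "__main__":
    print(figure_11_1_scenario())
    print(disable_action_scenario())
```

The two violation counters are the detection hook: each blocked frame is recorded with its source MAC, which is what an alarm or log entry would carry, and the broadcast/multicast check makes the Note's caveat explicit, since a host on a secured port still receives everything the switch floods.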