Restricting Traffic Based On The Host Mac Address - Cisco WS-C2950SX-48-SI Configuration Manual

Catalyst 4500 series switches
Understanding How Port Security Works
After you allocate the maximum number of MAC addresses on a port, you can either specify the secure
MAC address for the port manually or have the port dynamically configure the MAC address of the
connected devices. Out of a maximum allocated number of MAC addresses on a port, you can manually
configure all, allow all to be autoconfigured, or configure some manually and allow the rest to be
autoconfigured. Once you manually configure or autoconfigure the addresses, they are stored in
nonvolatile RAM (NVRAM) and are maintained after a reset.
When you manually set the maximum number of MAC addresses associated with a port to a value greater
than the default and then manually enter only some of the authorized MAC addresses, the remaining entries
are filled in automatically from the source MAC addresses that arrive on the port. For example, if you configure
port security for a port with a maximum of ten MAC addresses but add only two MAC addresses, the next eight
new source MAC addresses received on that port are added to the secured MAC address list for the port.
After you allocate a maximum number of MAC addresses on a port, you can also specify how long the
addresses on the port will remain secure. After the age time expires, the MAC addresses on the port
become insecure. By default, all addresses on a port are secured permanently.
If a security violation occurs, you can configure the port to go either into shutdown mode or restrictive
mode. The shutdown mode option allows you to specify whether the port is to be permanently disabled
or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive
mode allows you to configure the port to remain enabled during a security violation and drop only
packets that are coming in from insecure hosts.
Note
If you configure a secure port in restrictive mode, and a station is connected to the port whose MAC
address is already configured as a secure MAC address on another port on the switch, the port in
restrictive mode shuts down instead of restricting traffic from that station. For example, if you configure
MAC-1 as the secure MAC address on port 2/1 and MAC-2 as the secure MAC address on port 2/2 and
then connect the station with MAC-1 to port 2/2 when port 2/2 is configured for restrictive mode,
port 2/2 shuts down instead of restricting traffic from MAC-1.
When a secure port receives a packet, the source MAC address of the packet is compared to the list of
secure source addresses that were manually configured or autoconfigured (learned) on the port. If a MAC
address of a device that is attached to the port differs from the list of secure addresses, the port either
shuts down permanently (default mode), shuts down for the time that you have specified, or drops
incoming packets from the insecure host.
The behavior of a port depends on how you configure it to respond to a security violation. If a security
violation occurs, the LED labeled Link for that port turns orange, and a link-down trap is sent to the
Simple Network Management Protocol (SNMP) manager. An SNMP trap is not sent if you configure the
port for restrictive violation mode. A trap is sent only if you configure the port to shut down during a
security violation.
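The decision logic described above (a per-port maximum, manually configured plus autoconfigured secure addresses, the shutdown and restrictive violation modes, the trap-only-on-shutdown rule, and the note about a MAC that is already secure on another port) can be modelled as a small simulation. The following is an added illustration written for this page, not Cisco code and not CatOS syntax; the class and method names, the string return values, and the assumption that an address already secured on another port is never auto-learned on a second port are all choices made here.

```python
"""Simulation of the port-security behaviour described in the guide.

Added example, not Cisco code. Names (SecurePort, Switch, receive, ...)
are assumptions made for this illustration.
"""
from dataclasses import dataclass, field

SHUTDOWN = "shutdown"   # default: port is disabled on a violation
RESTRICT = "restrict"   # port stays up, frames from insecure hosts are dropped


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation_mode: str = SHUTDOWN
    secure_macs: set = field(default_factory=set)   # manual + autoconfigured
    enabled: bool = True
    traps_sent: int = 0

    def configure_secure_mac(self, mac: str) -> None:
        """Manually add a secure MAC, bounded by the allocated maximum."""
        mac = mac.lower()
        if len(self.secure_macs) >= self.maximum:
            raise ValueError(f"{self.name}: maximum of {self.maximum} secure MACs already allocated")
        self.secure_macs.add(mac)

    def age_out(self) -> None:
        """When the age time expires the addresses on the port become insecure."""
        self.secure_macs.clear()


class Switch:
    def __init__(self) -> None:
        self.ports: dict[str, SecurePort] = {}

    def add_port(self, port: SecurePort) -> None:
        self.ports[port.name] = port

    def secured_elsewhere(self, port: SecurePort, mac: str) -> bool:
        """True if mac is already a secure address on a different port."""
        return any(mac in p.secure_macs for n, p in self.ports.items() if n != port.name)

    def receive(self, port_name: str, src_mac: str) -> str:
        """Return 'forward', 'drop' or 'shutdown' for a frame with src_mac."""
        port = self.ports[port_name]
        mac = src_mac.lower()
        if not port.enabled:
            return "shutdown"
        if mac in port.secure_macs:
            return "forward"
        duplicate = self.secured_elsewhere(port, mac)
        # Remaining slots up to the maximum are autoconfigured from new sources.
        # Assumption: a MAC secured on another port is never learned here.
        if not duplicate and len(port.secure_macs) < port.maximum:
            port.secure_macs.add(mac)
            return "forward"
        # Security violation. Restrictive mode drops the frame and sends no trap,
        # except for the duplicate case from the guide's note, which shuts down.
        if port.violation_mode == RESTRICT and not duplicate:
            return "drop"
        port.enabled = False
        port.traps_sent += 1          # link-down trap to the SNMP manager
        return "shutdown"


def demo() -> dict:
    """Replay the guide's scenarios: 2 manual + 8 learned, then MAC-1 on port 2/2."""
    sw = Switch()
    p1 = SecurePort("2/1", maximum=10, violation_mode=SHUTDOWN)
    p2 = SecurePort("2/2", maximum=1, violation_mode=RESTRICT)
    sw.add_port(p1)
    sw.add_port(p2)
    p1.configure_secure_mac("00:00:0c:00:00:01")      # MAC-1 (constructed value)
    p1.configure_secure_mac("00:00:0c:00:00:02")
    learned = [sw.receive("2/1", f"00:00:0c:00:00:{i:02x}") for i in range(3, 11)]
    eleventh = sw.receive("2/1", "00:00:0c:00:00:0b")
    p2.configure_secure_mac("00:00:0c:00:00:22")      # MAC-2 (constructed value)
    stranger = sw.receive("2/2", "00:00:0c:00:00:33")
    mac1_on_p2 = sw.receive("2/2", "00:00:0c:00:00:01")
    return {"learned": learned, "eleventh": eleventh, "stranger": stranger,
            "mac1_on_p2": mac1_on_p2, "p1_up": p1.enabled, "p2_up": p2.enabled,
            "p1_traps": p1.traps_sent, "p2_traps": p2.traps_sent}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks through both examples from the text: port 2/1 learns eight further addresses, shuts down on the eleventh and sends one trap; port 2/2 in restrictive mode silently drops an unknown host without a trap, but shuts down when MAC-1, already secure on port 2/1, appears on it.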

Restricting Traffic Based on the Host MAC Address

You can filter traffic based on a host MAC address, so that packets tagged with a specific source MAC
address are discarded. When you specify a MAC address filter with the set cam filter command,
incoming traffic from that host MAC address is dropped, and packets that are addressed to that host are
not forwarded.

Note
You cannot filter traffic for multicast addresses with this command.
The set cam filter command allows filtering for unicast addresses only.
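The two properties of the filter stated above, that frames from the filtered source are dropped on ingress and frames addressed to it are not forwarded, and that only unicast addresses are accepted, can be checked in a few lines. This is an added example for this page, not Cisco code; `CamFilter`, `is_multicast` and the return strings are names chosen here, and the unicast test uses the I/G bit (least significant bit of the first octet), which is how Ethernet marks group addresses.

```python
"""Host MAC filter modelled on the set cam filter behaviour in the guide.

Added example, not Cisco code. Class and function names are assumptions.
"""


def is_multicast(mac: str) -> bool:
    """A set I/G bit (bit 0 of the first octet) marks a multicast/group address."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x01)


class CamFilter:
    def __init__(self) -> None:
        self.filtered: set[str] = set()

    def add(self, mac: str) -> None:
        """Add a host address; the command accepts unicast addresses only."""
        mac = mac.lower()
        if is_multicast(mac):
            raise ValueError(f"{mac}: set cam filter accepts unicast addresses only")
        self.filtered.add(mac)

    def decide(self, src_mac: str, dst_mac: str) -> str:
        """Return the fate of a frame: 'drop-ingress', 'not-forwarded' or 'forward'."""
        src, dst = src_mac.lower(), dst_mac.lower()
        if src in self.filtered:
            return "drop-ingress"      # incoming traffic from the host is dropped
        if dst in self.filtered:
            return "not-forwarded"     # packets addressed to the host are not forwarded
        return "forward"


if __name__ == "__main__":
    f = CamFilter()
    f.add("00:00:0c:12:34:56")         # constructed host address
    for src, dst in [("00:00:0c:12:34:56", "ff:ff:ff:ff:ff:ff"),
                     ("00:00:0c:aa:bb:cc", "00:00:0c:12:34:56"),
                     ("00:00:0c:aa:bb:cc", "00:00:0c:dd:ee:ff")]:
        print(src, "->", dst, f.decide(src, dst))
```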
Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide, Release 8.1, 78-15486-01, Chapter 16, Configuring Port Security, page 16-2
