Catalyst 6000 series software configuration guide
Understanding How Port Security Works

After you allocate the maximum number of MAC addresses on a port, you can either specify the secure MAC addresses for the port manually or let the port configure the MAC addresses of the connected devices dynamically. Of the allocated maximum, you can configure all of the addresses manually, allow all of them to be autoconfigured, or configure some manually and allow the rest to be autoconfigured. Once the addresses are manually configured or autoconfigured, they are stored in NVRAM and are retained across a reset.

After you allocate a maximum number of MAC addresses on a port, you can specify how long the addresses on the port remain secure. After the age time expires, the MAC addresses on the port become insecure. By default, all addresses on a port are secured permanently.

If a security violation occurs, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode option lets you specify whether the port is disabled permanently or only for a specified time; the default is for the port to shut down permanently. Restrictive mode lets the port remain enabled during a security violation and drop only the packets coming in from insecure hosts.

Note: If you configure a secure port in restrictive mode and a station whose MAC address is already configured as a secure MAC address on another port of the switch is connected to it, the port in restrictive mode shuts down instead of restricting traffic from that station. For example, if you configure MAC-1 as the secure MAC address on port 2/1 and MAC-2 as the secure MAC address on port 2/2, and then connect the station with MAC-1 to port 2/2 while port 2/2 is configured for restrictive mode, port 2/2 shuts down instead of restricting traffic from MAC-1.

When a secure port receives a packet, the source MAC address of the packet is compared to the list of secure source addresses that were manually configured or autoconfigured (learned) on the port. If the MAC address of a device attached to the port is not in the list of secure addresses, the port either shuts down permanently (the default mode), shuts down for the time you specified, or drops incoming packets from the insecure host; which of these happens depends on how you configured the port to respond to a security violation.

If a security violation occurs, the Link LED for that port turns orange and a link-down trap is sent to the Simple Network Management Protocol (SNMP) manager. No SNMP trap is sent if you configure the port for restrictive violation mode; a trap is sent only if you configure the port to shut down on a security violation.

Restricting Traffic Based on the Host MAC Address

You can filter traffic based on a host MAC address so that packets carrying a specific source MAC address are discarded. When you specify a MAC address filter with the set cam filter command, incoming traffic from that host MAC address is dropped and packets addressed to that host are not forwarded.

Note: The set cam filter command allows filtering for unicast addresses only. You cannot filter traffic for multicast addresses with this command.
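The following model ties together the port security behaviour described in the preceding section (allocated maximum, manual and learned secure addresses, aging, shutdown versus restrictive violation modes, the cross-port case from the Note, the SNMP trap) with the set cam filter behaviour described here, so the decision a secure port makes for an incoming frame can be traced step by step. It is an added example, not Cisco's code or anything from this guide: the class and method names, the minute-based clock passed as `now`, and the sample MAC addresses are all constructed for illustration. It goes slightly beyond the text by letting timed shutdown, aging and CAM filters interact in one switch object.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Violation(Enum):
    SHUTDOWN = "shutdown"   # default: disable the port, permanently or for shutdown_time
    RESTRICT = "restrict"   # keep the port up, drop frames from insecure hosts only


@dataclass
class SecurePort:
    """One secure port. Field names are assumptions made for this example."""
    name: str
    maximum: int = 1                      # allocated number of secure MAC addresses
    violation: Violation = Violation.SHUTDOWN
    shutdown_time: Optional[int] = None   # minutes the port stays down; None = permanent
    age_time: Optional[int] = None        # minutes an address stays secure; None = forever
    secure: dict = field(default_factory=dict)   # mac -> minute it was configured or learned
    enabled: bool = True
    shut_until: Optional[int] = None
    led: str = "green"


@dataclass
class Switch:
    ports: dict = field(default_factory=dict)
    cam_filters: set = field(default_factory=set)   # unicast MACs given to 'set cam filter'
    traps: list = field(default_factory=list)        # link-down traps sent to the SNMP manager

    def add_port(self, port: SecurePort) -> None:
        self.ports[port.name] = port

    def set_secure_mac(self, port_name: str, mac: str, now: int = 0) -> None:
        """Manually configure one of the port's allocated secure addresses."""
        port = self.ports[port_name]
        if len(port.secure) >= port.maximum:
            raise ValueError(f"{port_name}: all {port.maximum} secure addresses already allocated")
        port.secure[mac.lower()] = now

    def set_cam_filter(self, mac: str) -> None:
        """'set cam filter' filters unicast addresses only (I/G bit of the first octet clear)."""
        first_octet = int(mac.replace(":", "-").split("-")[0], 16)
        if first_octet & 1:
            raise ValueError("set cam filter cannot filter multicast addresses")
        self.cam_filters.add(mac.lower())

    def _housekeeping(self, port: SecurePort, now: int) -> None:
        # A timed shutdown expires: the port comes back up.
        if not port.enabled and port.shut_until is not None and now >= port.shut_until:
            port.enabled, port.shut_until, port.led = True, None, "green"
        # Addresses past their age time stop being secure.
        if port.age_time is not None:
            port.secure = {m: t for m, t in port.secure.items() if now - t < port.age_time}

    def _secure_elsewhere(self, port: SecurePort, mac: str) -> bool:
        return any(mac in p.secure for p in self.ports.values() if p is not port)

    def _shutdown(self, port: SecurePort, now: int) -> str:
        port.enabled = False
        port.led = "orange"
        port.shut_until = None if port.shutdown_time is None else now + port.shutdown_time
        self.traps.append(f"linkDown {port.name}")   # a trap is sent only in shutdown mode
        return "shutdown"

    def ingress(self, port_name: str, src: str, dst: str, now: int = 0) -> str:
        """What the switch does with a frame: 'forward', 'drop' or 'shutdown'."""
        src, dst = src.lower(), dst.lower()
        port = self.ports[port_name]
        self._housekeeping(port, now)
        if not port.enabled:
            return "drop"
        # CAM filter: frames from the host are dropped, frames addressed to it are not forwarded.
        if src in self.cam_filters or dst in self.cam_filters:
            return "drop"
        if src in port.secure:
            return "forward"
        if len(port.secure) < port.maximum:        # room left: autoconfigure (learn) the address
            port.secure[src] = now
            return "forward"
        # Security violation: the source is not secure and the allocation is full.
        if port.violation is Violation.RESTRICT and not self._secure_elsewhere(port, src):
            return "drop"                            # port stays up, no SNMP trap
        return self._shutdown(port, now)             # shutdown mode, or the cross-port case


if __name__ == "__main__":
    # Constructed walk-through of the Note: MAC-1 secured on 2/1, MAC-2 on restrictive 2/2.
    sw = Switch()
    sw.add_port(SecurePort("2/1"))
    sw.add_port(SecurePort("2/2", violation=Violation.RESTRICT))
    sw.set_secure_mac("2/1", "00-00-00-00-00-01")
    sw.set_secure_mac("2/2", "00-00-00-00-00-02")
    print(sw.ingress("2/2", "00-00-00-00-00-03", "00-00-00-00-00-ff"))   # drop (restricted)
    print(sw.ingress("2/2", "00-00-00-00-00-01", "00-00-00-00-00-ff"))   # shutdown (cross-port)
    print(sw.traps)
```

The order of checks in `ingress` is the point worth keeping in mind when reading show output on a real switch: a port that has been shut down drops everything regardless of CAM filters or secure addresses, a CAM filter applies before any port security decision, and only a frame whose source is neither secure nor learnable counts as a violation.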
Catalyst 6000 Family Software Configuration Guide—Releases 6.3 and 6.4, Chapter 35, Configuring Port Security, page 35-2 (78-13315-02)