In this chapter, exmples are provided for the following topics:
•
"Port Security"
•
"Protected Ports" on page 16-6
•
"802.1x Port Security" on page 16-13
Port Security
This section describes the Port Security feature. Port Security:
•
Allows for limiting the number of MAC addresses on a given port
•
Packets that have a matching MAC address (secure packets) are forwarded; all other packets (unsecure
packets) are restricted
•
Enabled on a per port basis
•
When locked, only packets with allowable MAC address will be forwarded
•
Supports both dynamic and static
•
Implement two traffic filtering methods
–
Dynamic Locking - User specifies the maximum number of MAC addresses that can be learned on
a port. The maximum number of MAC addresses is platform dependent and is given in the software
Release Notes. After the limit is reached, additional MAC addresses are not learned. Only frames
with an allowable source MAC address are forwarded.
–
Static Locking - User manually specifies a list of static MAC addresses for a port. Dynamically
locked addresses can be converted to statically locked addresses.
These methods can be used concurrently
Port Security:
•
Helps secure network by preventing unknown devices from forwarding packets
•
When link goes down, all dynamically locked addresses are 'freed'
•
If a specific MAC address is to be set for a port, set the dynamic entries to 0, then only allow packets
with a MAC address matching the MAC address in the static list
•
Dynamically locked MAC addresses are aged out if another packet with that address is not seen within
the age-out time. The user can set the time-out value.
Security Management
v1.0, November 2008
Chapter 16
16-1