Chapter 16 Configuring Port Security - Cisco WS-C4003 - Catalyst 4000 Chassis Switch Software Configuration Manual

Understanding How Port Security Works
Allocation of the maximum number of MAC addresses for each port depends on your network
configuration. The following combinations are examples of valid allocations:
1025 (1 + 1024) addresses on 1 port and 1 address each on the rest of the ports.
513 (1 + 512) each on 2 ports in a system and 1 address each on the rest of the ports.
901 (1 + 900) on one port, 101 (1 + 100) on another port, 25 (1 + 24) on a third port, and 1 address each on the rest of the ports.
After you allocate the maximum number of MAC addresses on a port, you can either specify the secure
MAC address for the port manually or have the port dynamically configure the MAC address of the
connected devices. Out of a maximum allocated number of MAC addresses on a port, you can manually
configure all, allow all to be autoconfigured, or configure some manually and allow the rest to be
autoconfigured. Once you manually configure or autoconfigure the addresses, they are stored in
NVRAM and are maintained after a reset.
When you manually change the maximum number of MAC addresses associated with a port to a value greater
than the default (1) and then manually enter fewer authorized MAC addresses than that maximum, the
remaining entries are configured automatically. For example, if you configure port security on a port
with a maximum of ten MAC addresses but add only two MAC addresses manually, the next eight new source
MAC addresses received on that port are added to the secured MAC address list for the port.
After you allocate a maximum number of MAC addresses on a port, you can also specify how long the
addresses on the port will remain secure. After the age time expires, the MAC addresses on the port
become insecure. By default, all addresses on a port are secured permanently.
If a security violation occurs, you can configure the port to go either into shutdown mode or restrictive
mode. The shutdown mode option allows you to specify whether the port is permanently disabled or
disabled for only a specified time. The default is for the port to shut down permanently. The restrictive
mode allows you to configure the port to remain enabled during a security violation and drop only
packets that are coming in from insecure hosts.
Note
If you configure a secure port in restrictive mode, and a station is connected to the port whose MAC
address is already configured as a secure MAC address on another port on the switch, the port in
restrictive mode shuts down instead of restricting traffic from that station. For example, if you configure
MAC-1 as the secure MAC address on port 2/1 and MAC-2 as the secure MAC address on port 2/2 and
then connect the station with MAC-1 to port 2/2 when port 2/2 is configured for restrictive mode,
port 2/2 shuts down instead of restricting traffic from MAC-1.
When a secure port receives a packet, the source MAC address of the packet is compared to the list of
secure source addresses that were manually configured or autoconfigured (learned) on the port. If the
MAC address of a device attached to the port is not in the list of secure addresses, the port either shuts
down permanently (default mode), shuts down for the time you have specified, or drops incoming
packets from the insecure host.
The behavior of a port depends on how you configure it to respond to a security violation. If a security
violation occurs, the Link LED for that port turns orange, and a link-down trap is sent to the Simple
Network Management Protocol (SNMP) manager. An SNMP trap is not sent if you configure the port
for restrictive violation mode. A trap is sent only if you configure the port to shut down during a security
violation.
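The decision rules described above (autoconfiguration up to the allocated maximum, shutdown versus restrictive mode, the restrictive-mode exception for a MAC already secured on another port, and the trap being sent only on shutdown) as a small Python model. This is an added example, not Cisco code; the port names, MAC strings, and the mode names "shutdown" and "restrict" are constructed for illustration.

```python
# Added model of the port-security rules above; not Cisco code. Port names,
# MAC strings and the mode names "shutdown"/"restrict" are constructed here.
class PortSecuritySwitch:
    """Tracks secure MACs, the allocation limit and violation handling per port."""

    def __init__(self):
        self.ports = {}
        self.traps = []  # link-down traps the switch would send to its SNMP manager

    def enable(self, port, maximum=1, mode="shutdown", shutdown_time=None, static=()):
        # mode "shutdown" is permanent unless shutdown_time (seconds) is given
        self.ports[port] = {"max": maximum, "mode": mode, "secure": list(static),
                            "shutdown_time": shutdown_time, "down_for": None}

    def _secured_elsewhere(self, port, mac):
        return any(mac in p["secure"] for n, p in self.ports.items() if n != port)

    def receive(self, port, src_mac):
        """Return what the switch does with a frame from src_mac arriving on port."""
        p = self.ports[port]
        if p["down_for"] is not None:
            return "dropped: port is shut down"
        if src_mac in p["secure"]:
            return "forwarded"
        elsewhere = self._secured_elsewhere(port, src_mac)
        # Unused allocation is filled by autoconfiguration from new source MACs.
        # Assumption: a MAC already secured on another port is never learned here.
        if not elsewhere and len(p["secure"]) < p["max"]:
            p["secure"].append(src_mac)
            return "learned and forwarded"
        # Security violation. Restrictive mode only drops the frame, except when the
        # MAC is secured on another port: then the port shuts down instead.
        if p["mode"] == "restrict" and not elsewhere:
            return "dropped: insecure host"
        p["down_for"] = 0
        self.traps.append((port, "linkDown"))  # no trap is sent in restrictive mode
        return "shutdown"

    def elapse(self, port, seconds):
        """Advance time; a timed shutdown re-enables the port once shutdown_time passes."""
        p = self.ports[port]
        if p["down_for"] is None:
            return False
        p["down_for"] += seconds
        if p["shutdown_time"] is not None and p["down_for"] >= p["shutdown_time"]:
            p["down_for"] = None  # port comes back up with its secure list intact
            return True
        return False
```

Replaying the manual's MAC-1/MAC-2 scenario through this model shows port 2/2 shutting down and raising a trap, while an unrelated unknown MAC on the same restrictive port is merely dropped.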
Software Configuration Guide—Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 | Chapter 16, Configuring Port Security | Page 16-2 | 78-12647-02
