Configuring the MAC Port Security feature
Specifying static secure MAC addresses
Static secure MAC addresses can be specified only on an interface. The number of static secure
MAC addresses you can add depends on the maximum number of MAC addresses allowed on an
interface. The maximum is 64.
To specify a secure MAC address on an interface, enter commands such as the following.
BigIron RX(config)# int e 7/11
BigIron RX(config-if-e100-7/11)# port security
BigIron RX(config-port-security-e100-7/11)# secure-mac-address 0050.DA18.747C
Syntax: [no] secure-mac-address <mac-address>
For <mac-address>, enter the MAC address that you want to allow to access the interface.
Enabling dynamic MAC address learning
To allow the device to dynamically learn secure MAC addresses from packets received on an
interface, enter commands such as the following:
BigIron RX(config)# int e 7/11
BigIron RX(config-if-e100-7/11)# port security
BigIron RX(config-port-security-e100-7/11)# dynamic-learn
Syntax: [no] dynamic-learn
Denying specific MAC addresses
If there are specific MAC addresses that you want to block, you can add those addresses to a deny
MAC address table by entering commands such as the following:
BigIron RX(config)# int e 7/11
BigIron RX(config-if-e100-7/11)# port security
BigIron RX(config-port-security-e100-7/11)# deny-mac-address 124a.3cad.01a3
Syntax: [no] deny-mac-address <mac-address>
There can be up to 64 denied MAC addresses for an interface, and up to 512 on a global level.
The MAC address in the deny MAC address table is removed if it ages out or if the violation action is
changed from deny to shutdown or restrict.
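The following Python audit is an added example, not part of the guide. It checks a saved configuration against the limits stated above: 64 static secure and 64 denied MAC addresses per interface, and 512 denied globally. The indented config layout, the addresses on interface 7/12, and the check for an address that is both secure and denied are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Limits stated in this section; the global one is assumed to be a sum over interfaces.
MAX_SECURE_PER_IF, MAX_DENY_PER_IF, MAX_DENY_GLOBAL = 64, 64, 512
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)
IF_RE = re.compile(r"^int(?:erface)?\s+e(?:thernet)?\s+(\S+)$", re.I)
CMD_RE = re.compile(r"^(secure|deny)-mac-address\s+(\S+)$")

# Constructed sample; the layout is assumed from the commands shown above.
SAMPLE = """\
interface ethernet 7/11
 port security
  secure-mac-address 0050.DA18.747C
  deny-mac-address 124a.3cad.01a3
interface ethernet 7/12
 port security
  secure-mac-address 0050.da18.0001
  deny-mac-address 0050.DA18.0001
  deny-mac-address 00:50:da:18:00:02
"""

def audit(config_text):
    """Return sorted (interface, finding) tuples for a config dump."""
    lists = {"secure": defaultdict(set), "deny": defaultdict(set)}
    findings, iface = [], None
    for line in map(str.strip, config_text.splitlines()):
        if m := IF_RE.match(line):
            iface = m.group(1)
        elif (m := CMD_RE.match(line)) and iface:
            kind, mac = m.groups()
            if MAC_RE.match(mac):
                lists[kind][iface].add(mac.lower())  # case-insensitive compare
            else:
                findings.append((iface, f"malformed {kind} MAC {mac}"))
    for kind, cap in (("secure", MAX_SECURE_PER_IF), ("deny", MAX_DENY_PER_IF)):
        for i, macs in lists[kind].items():
            if len(macs) > cap:
                findings.append((i, f"{len(macs)} {kind} MACs, limit {cap}"))
    for i in lists["secure"].keys() & lists["deny"].keys():
        for mac in lists["secure"][i] & lists["deny"][i]:
            findings.append((i, f"{mac} is both secure and denied"))
    total = sum(len(macs) for macs in lists["deny"].values())
    if total > MAX_DENY_GLOBAL:
        findings.append(("global", f"{total} denied MACs, limit {MAX_DENY_GLOBAL}"))
    return sorted(findings)

if __name__ == "__main__":
    print(*(f"{i}: {msg}" for i, msg in audit(SAMPLE)), sep="\n")
```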
Autosaving secure MAC addresses to the startup-config
The autosave attribute allows the device to learn secure MAC addresses dynamically and then add
them to the list of secure MAC addresses. The learned MAC addresses are automatically saved to
the startup-config file at specified intervals. These addresses remain persistent after a reboot.
For example, to configure the device to save dynamically learned secure MAC addresses every twenty
minutes, enter the following commands.
BigIron RX(config)# int e 7/11
BigIron RX(config-if-e100-7/11)# port security
BigIron RX(config-port-security-e100-7/11)# autosave 20
Syntax: [no] autosave <minutes>
BigIron RX Series Configuration Guide
53-1001986-01