HP ProCurve series 2500 Management And Configuration Manual page 154

Using Passwords, Port Security, and Authorized IP Managers To Protect Against Unauthorized Access
Configuring and Monitoring Port Security
Table 7-1. Port Security Parameters

Parameter: Port List
Description:
<[ethernet] port-list>
Identifies the port or ports on which to apply a port security command.

Parameter: Learn Mode
Description:
learn-mode <static | continuous>
Specifies how the port acquires authorized addresses.

Continuous (the Default): Appears in the factory-default setting or when you execute no port-security. Allows the port to learn addresses from inbound traffic from any device(s) to which it is connected. In this state, the port accepts traffic from any device(s) to which it is connected. Addresses learned this way appear in the switch and port address tables and age out according to the Address Age Interval in the System Information configuration screen (page 5-22).

Static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter to specify the number of MAC addresses authorized for the port. You can authorize specific devices for the port, while still allowing the port to accept other, non-specified devices until the device limit has been reached. That is, if you enter fewer MAC addresses than you authorized, the port authorizes the remaining addresses in the order in which it automatically learns them. For example, if you use mac-address to specify only one authorized MAC address, but use address-limit to specify three authorized devices, the port adds the one specifically authorized MAC address to its authorized-devices list and the first two additional MAC addresses it detects. For example, suppose:
– You use mac-address to authorize MAC address 0060b0-880a80 for port 4.
– You use address-limit to allow three devices on port 4 and the port detects a series of MAC addresses in the following order:
080090-1362f2
00f031-423fc1
080071-0c45a1
0060b0-880a80 (the address you authorized with the mac-address parameter)
In the above case, port four would assume the following list of authorized addresses:
080090-1362f2 (the first address the port detected)
00f031-423fc1 (the second address the port detected)
0060b0-880a80 (the address you authorized with the mac-address parameter)
The remaining MAC address the port detects, 080071-0c45a1, is not allowed in the list of authorized addresses, and so is handled as an intruder.

Permanence of Authorized Addresses In Static Mode: A MAC address that you specifically authorize with the mac-address parameter cannot age-out. Instead, it remains in the port's authorized-devices list until you take one of the following actions: Remove it with a CLI command; Use the CLI to disable port security on the port; Reset the switch to its default configuration; Reboot without first executing write memory.

While in Static mode, if a port adds a MAC address that you have not specifically authorized (see above example), that address remains in the Authorized list until you take one of the following actions: Remove it with a CLI command; Remove the link and reboot the switch after device detection; Disable port security on that port; Reset the switch to its factory-default configuration.

Caution: When you use static with a device limit greater than the number of MAC addresses you specify with mac-address, an unwanted device can become "authorized". This can occur because the port, in order to fulfill the number of devices allowed by the address-limit parameter, automatically adds devices it detects until the specified limit is reached.
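
The static learn-mode behaviour and the Caution above can be checked before a configuration is applied. The following is an added example, not part of the HP manual or the switch software: a small Python model of one port, in which the function names (normalize, static_learn, unreserved_slots) are hypothetical and the addresses are the manual's own port 4 example.

```python
import string

def normalize(mac):
    """Strip common separators and return 12 lowercase hex digits."""
    digits = mac.lower().translate(str.maketrans("", "", "-:."))
    if len(digits) != 12 or any(c not in string.hexdigits for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def static_learn(configured, address_limit, detected):
    """Model one port in static learn mode (assumed model of Table 7-1).

    Returns (learned, intruders): addresses the port authorized on its own,
    and addresses rejected once the device limit was reached.
    """
    reserved = list(dict.fromkeys(normalize(m) for m in configured))
    if len(reserved) > address_limit:
        raise ValueError("more configured addresses than address_limit")
    free_slots = address_limit - len(reserved)
    learned, intruders = [], []
    for mac in map(normalize, detected):
        if mac in reserved or mac in learned:
            continue                      # already authorized
        if len(learned) < free_slots:
            learned.append(mac)           # first come, first authorized
        elif mac not in intruders:
            intruders.append(mac)         # limit reached: handled as intruder
    return learned, intruders

def unreserved_slots(configured, address_limit):
    """Slots any device can claim; 0 means only configured MACs are accepted."""
    return address_limit - len({normalize(m) for m in configured})

# Detection order from the manual's port 4 example.
DETECTED = ["080090-1362f2", "00f031-423fc1", "080071-0c45a1", "0060b0-880a80"]

if __name__ == "__main__":
    for limit in (3, 1):
        learned, intruders = static_learn(["0060b0-880a80"], limit, DETECTED)
        print(f"address-limit {limit}: "
              f"open slots={unreserved_slots(['0060b0-880a80'], limit)} "
              f"learned={learned} intruders={intruders}")
```

With the limit equal to the number of configured addresses, unreserved_slots returns 0 and every unlisted device is handled as an intruder, which is the condition the Caution asks you to verify.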


This manual is also suitable for:

Procurve 2512, Procurve 2524
