Port Security; Storm Control - Linksys Smart Switch LGS3XX User Manual


Port Security

Network security can be increased by limiting access on a port to users
with specific MAC addresses. The MAC addresses can be either dynamically
learned or statically configured.
Port security monitors received and learned packets. Access to locked ports is
limited to users with specific MAC addresses.
Port Security has the following two modes:
- Classic Lock—All learned MAC addresses on the port are locked, and the
  port does not learn any new MAC addresses. The learned addresses are
  not subject to aging or relearning.
- Limited Dynamic Lock—The device learns MAC addresses up to the
  configured limit of allowed addresses. After the limit is reached, the
  device does not learn additional addresses. In this mode, the addresses
  are subject to aging and relearning.
When a frame from a new MAC address is detected on a port where it is not
authorized (the port is classically locked, and there is a new MAC address,
or the port is dynamically locked, and the maximum number of allowed
addresses has been exceeded), the protection mechanism is invoked, and one
of the following actions can take place:
- Frame is discarded
- Frame is forwarded
- Port is shut down
To configure port security, do the following:
STEP 1 Click Configuration > Security > Port Security.
STEP 2 Select an interface to be modified, and click Edit.
STEP 3 Enter the parameters.
- Interface—Select the interface name.
- Interface Status—Select to lock the port.
- Learning Mode—Select the type of port locking. To configure this field, the
  Interface Status must be unlocked. The Learning Mode field is enabled only
  if the Interface Status field is locked. To change the Learning Mode, the Lock
  Interface must be cleared. After the mode is changed, the Lock Interface
  can be reinstated. The options are as follows:
    - Classic Lock—Locks the port immediately, regardless of the number
      of addresses that have already been learned.
    - Limited Dynamic Lock—Locks the port by deleting the current
      dynamic MAC addresses associated with the port. The port learns up
      to the maximum addresses allowed on the port. Both relearning and
      aging of MAC addresses are enabled.
- Maximum Addresses—Enter the maximum number of MAC addresses
  that can be learned on the port if Limited Dynamic Lock learning mode is
  selected. The number 0 indicates that only static addresses are supported
  on the interface.
- Action on Violation—Select an action to be applied to packets arriving on
  a locked port. The options are as follows:
    - Discard—Discards packets from any unlearned source.
    - Forward—Forwards packets from an unknown source without
      learning the MAC address.
    - Shutdown—Discards packets from any unlearned source, and shuts
      down the port. The port remains shut down until reactivated, or until
      the device is rebooted.
- Trap - Enable Trap and set the trap frequency.
STEP 4 Click Apply. Port security is modified, and the Running Configuration
file is updated.
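
The following added example is not part of the Linksys manual or firmware. It is a small Python model of how the two learning modes and the three violation actions described above interact, which helps when deciding which combination to set on an access port. The class, method and field names are hypothetical, and the MAC addresses are constructed.

```python
# Toy model of the port-security behaviour described above (added example).
# Port, lock(), age_out() and receive() are hypothetical names, not a Linksys API.
from dataclasses import dataclass, field

@dataclass
class Port:
    mode: str = "classic"            # "classic" or "limited-dynamic"
    max_addresses: int = 1           # used only in limited-dynamic mode
    action: str = "discard"          # "discard", "forward" or "shutdown"
    static: set = field(default_factory=set)
    learned: set = field(default_factory=set)
    locked: bool = False
    up: bool = True
    violations: int = 0

    def lock(self):
        # Limited Dynamic Lock deletes current dynamic MACs; Classic Lock keeps them.
        if self.mode == "limited-dynamic":
            self.learned.clear()
        self.locked = True

    def age_out(self, mac):
        # Addresses on a classically locked port are not subject to aging.
        if not self.locked or self.mode == "limited-dynamic":
            self.learned.discard(mac)

    def receive(self, src_mac):
        """Return 'forwarded', 'discarded' or 'port-down' for one ingress frame."""
        if not self.up:
            return "port-down"
        if src_mac in self.static or src_mac in self.learned:
            return "forwarded"
        room = self.mode == "limited-dynamic" and len(self.learned) < self.max_addresses
        if not self.locked or room:
            self.learned.add(src_mac)
            return "forwarded"
        self.violations += 1          # point at which a trap would be sent
        if self.action == "forward":
            return "forwarded"        # forwarded, but the MAC is not learned
        if self.action == "shutdown":
            self.up = False           # stays down until reactivated or reboot
        return "discarded"

def demo():
    # Constructed MAC addresses: limit of 2, third source triggers Shutdown.
    p = Port(mode="limited-dynamic", max_addresses=2, action="shutdown")
    p.lock()
    macs = ("aa:00:00:00:00:01", "aa:00:00:00:00:02", "aa:00:00:00:00:03", "aa:00:00:00:00:01")
    return [p.receive(m) for m in macs]
```

In the demo, the third source address exceeds the limit and shuts the port down, so even the previously learned first address is cut off afterwards; this is the availability trade-off of the Shutdown action compared with Discard.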

Storm Control

When Broadcast, Multicast, or Unknown Unicast frames are received, they are
duplicated, and a copy is sent to all possible egress ports. This means that in
practice they are sent to all ports belonging to the relevant VLAN. In this way,
one ingress frame is turned into many, creating the potential for a traffic storm.
Storm protection enables you to limit the number of frames entering the
device and to define the types of frames that are counted towards this limit.
When the rate of Broadcast, Multicast, or Unknown Unicast frames is higher than
the user-defined threshold, frames received beyond the threshold are discarded.
To define Storm Control, do the following:
STEP 1 Click Configuration > Security > Storm Control.
STEP 2 Select a port and click Edit.