Security
Port Security
Cisco 350, 350X and 550X Series Managed Switches, Firmware Release 2.4, ver 0.4 353
17
Port Security
NOTE Port security cannot be enabled on ports on which 802.1X is enabled or on ports that defined
as SPAN destination
.
Network security can be increased by limiting access on a port to users with specific MAC
addresses. The MAC addresses can be either dynamically learned or statically configured.
Port security monitors received and learned packets. Access to locked ports is limited to users
with specific MAC addresses.
Port Security has four modes:
• Classic Lock—All learned MAC addresses on the port are locked, and the port does
not learn any new MAC addresses. The learned addresses are not subject to aging or
re-learning.
• Limited Dynamic Lock—The device learns MAC addresses up to the configured
limit of allowed addresses. After the limit is reached, the device does not learn
additional addresses. In this mode, the addresses are subject to aging and re-learning.
• Secure Permanent—Keeps the current dynamic MAC addresses associated with the
port (as long as the configuration was saved to the Start configuration file). New MAC
addresses can be learned as Permanent Secure ones up to the maximum addresses
allowed on the port. Relearning and aging are disabled.
• Secure Delete on Reset—Deletes the current dynamic MAC addresses associated with
the port after reset. New MAC addresses can be learned as Delete-On-Reset ones up to
the maximum addresses allowed on the port. Relearning and aging are disabled.
When a frame from a new MAC address is detected on a port where it is not authorized (the
port is classically locked, and there is a new MAC address, or the port is dynamically locked,
and the maximum number of allowed addresses has been exceeded), the protection mechanism
is invoked, and one of the following actions can take place:
• Frame is discarded
• Frame is forwarded
• Port is shut down
When the secure MAC address is seen on another port, the frame is forwarded, but the MAC
address is not learned on that port.
In addition to one of these actions, you can also generate traps, and limit their frequency and
number to avoid overloading the devices.
To Next Page
Loading...
Need help?
General
