Chapter 9
| General Security Measures
Port Security
– 262 –
Command Usage
â—†
The default maximum number of MAC addresses allowed on a secure port is
zero (that is, port security is disabled). To use port security, you must configure
the maximum number of addresses allowed on a port using the
port security
max-mac-count
command.
â—†
When port security is enabled using the
port security
command, or the
maximum number or allowed addresses is set to a value lower than the current
limit after port security has been enabled, the switch first clears all dynamically
learned entries from the address table. It then starts learning new MAC
addresses on the specified port, and stops learning addresses when it reaches a
configured maximum number. Only incoming traffic with source addresses
already stored in the dynamic or static address table will be accepted.
â—†
To configure the maximum number of address entries which can be learned on
a port, specify the maximum number of dynamic addresses allowed. The switch
will learn up to the maximum number of allowed address pairs <source MAC
address, VLAN> for frames received on the port. (The specified maximum
address count is effective when port security is enabled or disabled.) Note that
you can manually add additional secure addresses to a port using the mac-
address-table static
command. When the port has reached the maximum
number of MAC addresses, the port will stop learning new addresses. The MAC
addresses already in the address table will be retained and will not be aged out.
â—†
If port security is enabled, and the maximum number of allowed addresses are
set to a non-zero value, any device not in the address table that attempts to use
the port will be prevented from accessing the switch.
â—†
If a port is disabled due to a security violation, it must be manually re-enabled
using the no
shutdown command.
â—†
A secure port has the following restrictions:
â–
Cannot be connected to a network interconnection device.
â–
Cannot be a trunk port.
â–
RSPAN and port security are mutually exclusive functions. If port security is
enabled on a port, that port cannot be set as an RSPAN uplink port. Also,
when a port is configured as an RSPAN uplink port, source port, or
destination port, port security cannot be enabled on that port.
Example
The following example enables port security for port 5, and sets the response to a
security violation to issue a trap message:
Console(config)#interface ethernet 1/5
Console(config-if)#port security action trap
To Next Page
Loading...
Need help?
General