22-1
Chapter 22: Client Security Commands
This switch supports many methods of segregating traffic for clients attached to
each of the data ports, and for ensuring that only authorized clients gain access to
the network. Private VLANs and port-based authentication using IEEE 802.1X are
commonly used for these purposes. In addition to these methods, several other
options of providing client security are supported by this switch. These include
port-based authentication, which can be configured for network client access
by specifying a fixed set of MAC addresses (either by freezing a set of dynamically
learned entries or through static configuration), or by statically configured MAC/IP
address pairs. The addresses assigned to DHCP clients can also be carefully
controlled using static or dynamic bindings with the IP Source Guard and DHCP
Snooping commands.
Port Security Commands
These commands can be used to enable port security on a port. When using port
security, the switch stops learning new MAC addresses on the specified port when it
has reached a configured maximum number. Only incoming traffic with source
addresses already stored in the dynamic or static address table for this port will be
authorized to access the network. The port will drop any incoming frames with a
source MAC address that is unknown or has been previously learned from another
port. If a device with an unauthorized MAC address attempts to use the switch port,
the intrusion will be detected and the switch can automatically take action by
disabling the port and sending a trap message.
Table 22-1 Client Security Commands
Command Group Function Page
Private VLANs Configures private VLANs, including uplink and downlink ports 30-14
Port Authentication Configures host authentication on specific ports using 802.1X 21-24
Port Security
*
* The priority of execution for these filtering commands is Port Security, IP Source Guard, and then DHCP Snooping.
Configures secure addresses for a port 22-1
IP Source Guard
*
Filters IP traffic on unsecure ports for which the source address
cannot be identified via DHCP snooping nor static source bindings
22-3
DHCP Snooping
*
Filters untrusted DHCP messages on unsecure ports by building
and maintaining a DHCP snooping binding table
22-7
Table 22-2 Port Security Commands
Command Function Mode Page
port security Configures a secure port IC 22-2
mac-address-table static Maps a static address to a port in a VLAN GC 28-1
show mac-address-table Displays entries in the bridge-forwarding database PE 28-3
To Next Page
Loading...
Need help?
General