Configuring and Monitoring Port Security
Port Security
Syntax: port-security (Continued)
learn-mode < continuous | static | port-access | configured | limited-
continuous > (Continued)
Caution: Using the
static parameter with a device limit
greater than the number of MAC addresses specified
with mac-address can allow an un-wanted device to
become “authorized”. This is because the port, to fulfill
the number of devices allowed by the address-limit
parameter (se below), automatically adds devices it
detects until it reaches the specified limit.
Note: If 802.1X port-access is configured on a given port,
then port-security learn-mode must be set to either
continuous (the default) or port-access.
port-access: Enables you to use Port Security with (802.1X)
Port-Based Access Control. Refer to chapter 10,
Configuring Port-Based and Client-Based Access Control
(802.1X).
configured: Must specify which MAC addresses are allowed
for this port. Range is 1 (default) to 8 and addresses are
not ageable. Addresses are saved across reboots.
limited-continuous: Also known as MAC Secure, or “limited”
mode. The limited parameter sets a finite limit to the
number of learned addresses allowed per port. (You can
set the range from 1, the default, to a maximum of 32 MAC
addresses which may be learned by each port.)
All addresses are ageable, meaning they are automatically
removed from the authorized address list for that port
after a certain amount of time. Limited mode and the
address limit are saved across reboots, but addresses
which had been learned are lost during the reboot process.
Addresses learned in the limited mode are normal
addresses learned from the network until the limit is
reached, but they are not configurable. (You cannot enter
or remove these addresses manually if you are using learn-
mode with the limited-continuous option.)
Addresses learned this way appear in the switch and port
address tables and age out according to the MAC Age Interval
in the System Information configuration screen of the
Menu interface or the show system-information
listing. You
can set the MAC age out time using the CLI, SNMP, Web,
or menu interfaces. For more on the mac-age-time
command,
— Continued —
11-13
To Next Page
Loading...
