6-7
Configuring and Monitoring Port Security
Port Security Command Options and Operation
Table 6-2. Port Security Parameters
Parameter Description
Port List <[ethernet] port-list> Identifies the port or ports on which to apply a port security command.
Learn
Mode
learn-mode < static | continuous | port-access > Specifies how the port acquires authorized addresses:
Continuous (Default): Appears in the factory-default setting or when you execute no port-security. Allows
the port to learn addresses from inbound traffic from any device(s) to which it is connected. In this state,
the port accepts traffic from any device(s) to which it is connected. Addresses learned this way appear
in the switch and port address tables and age out according to the MAC Age Interval in the System
Information configuration screen of the Menu interface or the show system-information listing.
Static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices
authorized for a port, and the address-limit parameter to specify the number of MAC addresses author-
ized for the port. You can authorize specific devices for the port, while still allowing the port to accept
other, non-specified devices until the device limit has been reached. That is, if you enter fewer MAC ad-
dresses than you authorized, the port authorizes the remaining addresses in the order in which it automati-
cally learns them. For example, if you use address-limit to specify three authorized devices, but use mac-
address to specify only one authorized MAC address, the port adds the one specifically authorized MAC
address to its authorized-devices list and the first two additional MAC addresses it detects. If, for example:
– You use mac-address to authorize MAC address 0060b0-880a80 for port A4.
– You use address-limit to allow three devices on port A4 and the port detects these MAC addresses:
1. 080090-1362f2 3. 080071-0c45a1
2. 00f031-423fc1 4. 0060b0-880a80 (the address you authorized with the
mac-address parameter)
In the above case, port A4 would assume the following list of authorized addresses:
080090-1362f2 (the first address the port detected)
00f031-423fc1 (the second address the port detected)
0060b0-880a80 (the address you authorized with the mac-address parameter)
The remaining MAC address the port detects, 080071-0c45a1, is not allowed, and is handled as an
intruder.
See also "Retention of Static Addresses" on the next page.
Caution: When you use static with a device limit greater than the number of MAC addresses you specify
with mac-address, an unwanted device can become “authorized”. This can occur because the port, in
order to fulfill the number of devices allowed by the address-limit parameter, automatically adds devices
it detects until the specified limit is reached.
Port-Access: Enables you to use Port Security with (802.1x) Port-Based Access Control. Refer to “Config-
uring Port-Based Access Control (802.1x)” on page 5-1.
Address
Limit
address-limit <integer>
When Learn Mode is set to
Static, specifies how many authorized devices (MAC addresses) to allow. Range:
1 (the default) to 8.
MAC
Address
mac-address <mac-addr>
Available for static learn mode. Allows up to eight authorized devices (MAC addresses) per port, depending
on the value specified in the address-limit parameter.
If you use mac-address with static, but enter fewer devices than you specified in the address-limit field, the
port accepts not only your specified devices, but also as many other devices as it takes to reach the device
limit. For example, if you specify four devices, but enter only two MAC addresses, the port will accept the
first two non-specified devices it detects, along with the two specifically authorized devices.
!FishSecurity.book Page 7 Thursday, October 10, 2002 9:19 PM
To Next Page
Loading...
Need help?
General
