Ruijie RG-S2900G-E Series - Port Security

Ruijie RG-S2900G-E Series
943 pages
Configuration Guide Port-based Flow Control Configuration
Interface            Switchport  Mode   Access  Native  Protected  VLAN lists
-------------------  ----------  -----  ------  ------  ---------  ----------
GigabitEthernet 0/3  enabled     Trunk  1       1       Enabled    ALL
Port Security
Overview
The port security function controls which packets may enter a switch port according to their source
MAC address, source MAC+IP address, or source IP address. You can control the packets by statically
configuring specific MAC addresses, static IP+MAC bindings, or IP bindings, or by dynamically
learning a limited number of MAC addresses. A port with port security enabled is called a secure
port. Only packets whose source MAC address is in the port security address table, or that match a
configured IP+MAC binding or IP binding, or whose MAC address has been learned, can take part in
switch communication; all other packets are dropped.
To enhance security, you can bind a MAC address to an IP address as the secure address. You can
also designate a MAC address without binding an IP address.
You can add the secure addresses on the port in the following ways:
- You can manually configure all the secure addresses of the port by using the commands in
  interface configuration mode.
- You can also let the port automatically learn these addresses, which become secure addresses
  on the port until the total number reaches the maximum value. Note, however, that
  automatically learned secure addresses are not bound to an IP address. If you have configured
  a secure address bound to an IP address on a port, no secure address can be added to that
  port by automatic learning.
- Manually configure some secure addresses, and let the device learn the rest.
Port security also supports Sticky MAC addresses, which convert dynamically learned secure
addresses into statically configured ones. You can use the show running-config command to
display the configuration. Once the configuration is saved, these dynamic secure addresses do not
need to be learned again after the system restarts. If this function is not enabled, the
dynamically learned secure MAC addresses must be learned again after a reboot.
When a port is configured as a secure port and the maximum number of its secure addresses is
reached, a security violation occurs if the port receives a packet whose source address is not one of
the secure addresses on the port. When a security violation occurs, it can be handled in one of the
following ways:
- protect: When the maximum number of secure addresses is reached, the secure port discards
  packets from unknown addresses (addresses that are not among the secure addresses of the
  port). This is the default method for handling exceptions.
- restrict: In the case of a violation, a Trap notification is sent.
- shutdown: In the case of a violation, the port is shut down and a Trap notification is sent.
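The following is an added example, not taken from the Ruijie manual or from the switch software: a small Python model of the admission rules described above, useful for reasoning about what a secure port does with a given sequence of frames. The class, field and function names are hypothetical, the MAC and IP values are constructed, and the model covers MAC and MAC+IP secure addresses only (not IP-only binding or Sticky MAC).

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Toy model of one secure port; names and structure are illustrative."""
    maximum: int                                  # max number of secure addresses
    violation: str = "protect"                    # protect | restrict | shutdown
    static: set = field(default_factory=set)      # {(mac, ip)}; ip=None means MAC only
    learned: set = field(default_factory=set)     # dynamically learned MACs (never IP-bound)
    up: bool = True
    traps: int = 0

    def _is_secure(self, mac, ip):
        return ((mac, None) in self.static or (mac, ip) in self.static
                or mac in self.learned)

    def receive(self, mac, ip):
        """Return 'forward' or 'drop' for a frame with this source MAC and IP."""
        if not self.up:
            return "drop"
        if self._is_secure(mac, ip):
            return "forward"
        full = len(self.static) + len(self.learned) >= self.maximum
        has_ip_binding = any(bound_ip is not None for _, bound_ip in self.static)
        if not full and not has_ip_binding:
            self.learned.add(mac)                 # automatic learning up to the maximum
            return "forward"
        if full:                                  # security violation
            if self.violation in ("restrict", "shutdown"):
                self.traps += 1                   # Trap notification
            if self.violation == "shutdown":
                self.up = False
        return "drop"                             # non-secure sources are always dropped

def replay(port, frames):
    """Feed (mac, ip) pairs through the port and return the list of decisions."""
    return [port.receive(mac, ip) for mac, ip in frames]

# Constructed sample traffic: one configured host, one new host, one extra host.
FRAMES = [("00d0.f800.0001", "192.0.2.1"), ("00d0.f800.0002", "192.0.2.2"),
          ("00d0.f800.0003", "192.0.2.3"), ("00d0.f800.0001", "192.0.2.1")]

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        p = SecurePort(maximum=2, violation=mode, static={("00d0.f800.0001", None)})
        print(mode, replay(p, FRAMES), "traps:", p.traps, "up:", p.up)
```

With a maximum of 2, the third host triggers the violation in every mode; only shutdown also cuts off the configured host afterwards.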