Using Passwords, Port Security, and Authorized IP Managers To Protect Against Unauthorized Access

Configuring and Monitoring Port Security

Table 7-1. Port Security Parameters

Parameter: Port List
Syntax: <[ethernet] port-list>
Description: Identifies the port or ports on which to apply a port security command.

Parameter: Learn Mode
Syntax: learn-mode <static | continuous>
Description: Specifies how the port acquires authorized addresses.

Continuous (the default): Appears in the factory-default setting or when you execute no port-security. Allows the port to learn addresses from inbound traffic from any device(s) to which it is connected. In this state, the port accepts traffic from any device(s) to which it is connected. Addresses learned this way appear in the switch and port address tables and age out according to the Address Age Interval in the System Information configuration screen (page 5-22).

Static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter to specify the number of MAC addresses authorized for the port. You can authorize specific devices for the port, while still allowing the port to accept other, non-specified devices until the device limit has been reached. That is, if you enter fewer MAC addresses than you authorized, the port authorizes the remaining addresses in the order in which it automatically learns them. For example, if you use address-limit to specify three authorized devices, but use mac-address to specify only one authorized MAC address, the port adds the one specifically authorized MAC address to its authorized-devices list and the first two additional MAC addresses it detects. For example, suppose:

You use mac-address to authorize MAC address 0060b0-880a80 for port 4.

You use address-limit to allow three devices on port 4 and the port detects a series of MAC addresses in the following order:

  1. 080090-1362f2
  2. 00f031-423fc1
  3. 080071-0c45a1
  4. 0060b0-880a80 (the address you authorized with the mac-address parameter)

In the above case, port 4 would assume the following list of authorized addresses:

  080090-1362f2 (the first address the port detected)
  00f031-423fc1 (the second address the port detected)
  0060b0-880a80 (the address you authorized with the mac-address parameter)

The remaining MAC address the port detects, 080071-0c45a1, is not allowed in the list of authorized addresses, and so is handled as an intruder.

Permanence of Authorized Addresses in Static Mode: A MAC address that you specifically authorize with the mac-address parameter cannot age out. Instead, it remains in the port's authorized-devices list until you take one of the following actions: remove it with a CLI command; use the CLI to disable port security on the port; reset the switch to its default configuration; reboot without first executing write memory.

While in Static mode, if a port adds a MAC address that you have not specifically authorized (see the above example), that address remains in the authorized list until you take one of the following actions: remove it with a CLI command; remove the link and reboot the switch after device detection; disable port security on that port; reset the switch to its factory-default configuration.

Caution: When you use static with a device limit greater than the number of MAC addresses you specify with mac-address, an unwanted device can become "authorized". This can occur because the port, in order to fulfill the number of devices allowed by the address-limit parameter, automatically adds devices it detects until the specified limit is reached.
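The static-mode fill-in behaviour and the caution above, as an added illustration (a constructed Python model written for this page, not switch firmware or anything from this manual): it replays the detection order from the example and reports which addresses end up in the authorized list and which are handled as intruders. `open_slots()` right after configuration is the number of unspecified devices the port will still accept, which is exactly the condition the caution warns about.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class StaticPort:
    """A port in learn-mode static (model of Table 7-1, not switch firmware)."""
    address_limit: int                                   # address-limit
    configured: list[str] = field(default_factory=list)  # mac-address entries
    learned: list[str] = field(default_factory=list)     # auto-added devices
    intruders: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.configured = [m.lower() for m in self.configured]
        if len(self.configured) > self.address_limit:
            raise ValueError("more mac-address entries than address-limit allows")

    def open_slots(self) -> int:
        """Slots the port will hand to whatever devices it detects next."""
        return self.address_limit - len(self.configured) - len(self.learned)

    @property
    def authorized(self) -> list[str]:
        # Learned entries in detection order, then the configured entries;
        # configured entries never age out, so they are always present.
        return self.learned + [m for m in self.configured if m not in self.learned]

    def detect(self, mac: str) -> bool:
        """Process a frame from `mac`; True if the port accepts it."""
        mac = mac.lower()
        if mac in self.configured or mac in self.learned:
            return True
        if self.open_slots() > 0:
            self.learned.append(mac)  # an unspecified device is now "authorized"
            return True
        if mac not in self.intruders:
            self.intruders.append(mac)  # over the limit: handled as an intruder
        return False


def replay(limit: int, configured: list[str], seen: list[str]) -> tuple[list[str], list[str]]:
    """Replay a detection sequence and return (authorized list, intruders)."""
    port = StaticPort(limit, list(configured))
    for mac in seen:
        port.detect(mac)
    return port.authorized, port.intruders
```

Running `replay(3, ["0060b0-880a80"], [...])` with the four addresses from the example in the order shown reproduces the authorized list in the text and flags 080071-0c45a1 as the intruder.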

7-14