Configuring and Monitoring Port Security

Port Security Command Options and Operation

Table 7-1. Port Security Parameters

Parameter Description

Port List

<[ethernet] port-list>Identifies the port or ports on which to apply a port security command.

Learn

learn-mode < static continuous port-access > Specifies how the port acquires authorized addresses:

Mode

Continuous (Default): Appears in the factory-default setting or when you execute no port-security.Allows

 

 

the port to learn addresses from inbound traffic from any device(s) to which it is connected. In this state,

 

the port accepts traffic from any device(s) to which it is connected. Addresses learned this way appear

 

in the switch and port address tables and age out according to the MAC Age Interval in the System

 

Information configuration screen of the Menu interface or the show system-informationlisting.

Static: Enables you to use the mac-addressparameter to specify the MAC addresses of the devices authorized for a port, and the address-limitparameter to specify the number of MAC addresses author­ ized for the port. You can authorize specific devices for the port, while still allowing the port to accept other, non-specified devices until the device limit has been reached. That is, if you enter fewer MAC ad­ dresses than you authorized, the port authorizes the remaining addresses in the order in which it automati­ cally learns them. For example, if you use address-limitto specify three authorized devices, but use mac­ address to specify only one authorized MAC address, the port adds the one specifically authorized MAC address to its authorized-devices list and the first two additional MAC addresses it detects. If, for example:

You use mac-addressto authorize MAC address 0060b0-880a80 for port A4.

You use address-limitto allow three devices on port A4 and the port detects these MAC addresses:

1. 080090-1362f2 3. 080071-0c45a1

2.00f031-423fc1 4. 0060b0-880a80 (the address you authorized with the mac-addressparameter) In the above case, port A4 would assume the following list of authorized addresses:

080090-1362f2 (the first address the port detected)

00f031-423fc1 (the second address the port detected)

0060b0-880a80 (the address you authorized with the mac-addressparameter)

The remaining MAC address the port detects, 080071-0c45a1, is not allowed, and is handled as an intruder.

See also "Retention of Static Addresses" on the next page.

Caution: When you use static with a device limit greater than the number of MAC addresses you specify with mac-address, an unwanted device can become “authorized”. This can occur because the port, in order to fulfill the number of devices allowed by the address-limitparameter, automatically adds devices it detects until the specified limit is reached.

Port-Access:Enables you to use Port Security with (802.1x) Port-Based Access Control. Refer to “Config­ uring Port-Based Access Control (802.1x)” on page 6-1.

Address address-limit <integer>

Limit When Learn Mode is set to Static, specifies how many authorized devices (MAC addresses) to allow. Range: 1 (the default) to 8.

MAC Address

mac-address <mac-addr>

Available for static learn mode. Allows up to eight authorized devices (MAC addresses) per port, depending on the value specified in the address-limitparameter.

If you use mac-addresswith static, but enter fewer devices than you specified in the address-limitfield, the port accepts not only your specified devices, but also as many other devices as it takes to reach the device limit. For example, if you specify four devices, but enter only two MAC addresses, the port will accept the first two non-specified devices it detects, along with the two specifically authorized devices.

7-7