Configuring and Monitoring Port Security
Port Security Command Options and Operation
Table 7-1. Port Security Parameters

Parameter: Port List
Syntax: <[ethernet] port-list>
Description: Identifies the port or ports on which to apply a port security command.

Parameter: Learn Mode
Syntax: learn-mode < static | continuous | port-access >
Description: Specifies how the port acquires authorized addresses:

  Continuous (Default): Appears in the factory-default setting or when you execute no port-security. Allows the port to learn addresses from inbound traffic from any device(s) to which it is connected. In this state, the port accepts traffic from any device(s) to which it is connected. Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system-information listing.

  Static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter to specify the number of MAC addresses authorized for the port. You can authorize specific devices for the port, while still allowing the port to accept other, non-specified devices until the device limit has been reached. That is, if you enter fewer MAC addresses than you authorized, the port authorizes the remaining addresses in the order in which it automatically learns them. For example, if you use address-limit to specify three authorized devices, but use mac-address to specify only one authorized MAC address, the port adds the one specifically authorized MAC address to its authorized-devices list and the first two additional MAC addresses it detects. If, for example:

  - You use mac-address to authorize MAC address 0060b0-880a80 for port A4.
  - You use address-limit to allow three devices on port A4 and the port detects these MAC addresses:
    1. 080090-1362f2
    2. 00f031-423fc1
    3. 080071-0c45a1
    4. 0060b0-880a80 (the address you authorized with the mac-address parameter)

  In the above case, port A4 would assume the following list of authorized addresses:
    080090-1362f2 (the first address the port detected)
    00f031-423fc1 (the second address the port detected)
    0060b0-880a80 (the address you authorized with the mac-address parameter)

  The remaining MAC address the port detects, 080071-0c45a1, is not allowed, and is handled as an intruder. See also "Retention of Static Addresses" on the next page.

  Caution: When you use static with a device limit greater than the number of MAC addresses you specify with mac-address, an unwanted device can become "authorized". This can occur because the port, in order to fulfill the number of devices allowed by the address-limit parameter, automatically adds devices it detects until the specified limit is reached.

  Port-Access: Enables you to use Port Security with (802.1x) Port-Based Access Control. Refer to "Configuring Port-Based Access Control (802.1x)" on page 6-1.

Parameter: Address Limit
Syntax: address-limit <integer>
Description: When Learn Mode is set to Static, specifies how many authorized devices (MAC addresses) to allow. Range: 1 (the default) to 8.
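The static learn-mode behaviour in Table 7-1, including the Caution about unspecified slots, is easier to reason about as a small model. The following Python is an added illustration written for this page, not switch firmware or HP code; it assumes only what the table states (mac-address entries count against address-limit before they are seen, free slots go to the first unspecified devices detected, anything beyond that is an intruder), uses the manual's xxxxxx-xxxxxx MAC notation, and replays the port A4 scenario from the text. The port name and the helper names (StaticPort, frame_from, unspecified_slots) are this example's own.

```python
"""Model of the Table 7-1 'static' learn mode (added example, not switch code)."""
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^[0-9a-f]{6}-[0-9a-f]{6}$")  # manual's xxxxxx-xxxxxx notation
ADDRESS_LIMIT_RANGE = range(1, 9)                  # Table 7-1: 1 (default) to 8


@dataclass
class StaticPort:
    name: str
    address_limit: int = 1
    # Addresses given with mac-address; they occupy a slot even before the
    # device has been seen on the wire.
    configured: list[str] = field(default_factory=list)
    # Addresses the port learned from inbound traffic to fill the free slots.
    learned: list[str] = field(default_factory=list)
    intruders: list[str] = field(default_factory=list)

    def __post_init__(self):
        if self.address_limit not in ADDRESS_LIMIT_RANGE:
            raise ValueError(f"address-limit must be 1..8, got {self.address_limit}")
        if len(self.configured) > self.address_limit:
            raise ValueError("more mac-address entries than address-limit allows")
        for mac in self.configured:
            if not MAC_RE.match(mac):
                raise ValueError(f"bad MAC format: {mac}")

    @property
    def authorized(self) -> list[str]:
        """Authorized list in the order the table shows it: learned, then configured."""
        return self.learned + self.configured

    def unspecified_slots(self) -> int:
        """Slots address-limit leaves open to whichever device shows up first.
        This number is the exposure the Caution in Table 7-1 warns about."""
        return self.address_limit - len(self.configured) - len(self.learned)

    def frame_from(self, mac: str) -> str:
        """Classify an inbound frame's source MAC: 'authorized', 'learned' or 'intruder'."""
        if mac in self.configured or mac in self.learned:
            return "authorized"
        if self.unspecified_slots() > 0:
            self.learned.append(mac)      # fills a free slot, first come first served
            return "learned"
        if mac not in self.intruders:
            self.intruders.append(mac)    # over the limit: handled as an intruder
        return "intruder"


def walk_table_example() -> StaticPort:
    """Replay the port A4 scenario from Table 7-1 (input constructed from the text)."""
    port = StaticPort("A4", address_limit=3, configured=["0060b0-880a80"])
    for mac in ["080090-1362f2", "00f031-423fc1", "080071-0c45a1", "0060b0-880a80"]:
        port.frame_from(mac)
    return port


if __name__ == "__main__":
    p = walk_table_example()
    print("authorized:", p.authorized)          # 080090-1362f2, 00f031-423fc1, 0060b0-880a80
    print("intruders:", p.intruders)            # 080071-0c45a1
    print("open slots:", p.unspecified_slots())  # 0
```

The useful check for a defender is unspecified_slots() right after configuration: any value above zero means the port will authorize whatever device happens to transmit first, so setting address-limit equal to the number of mac-address entries is what closes the gap the Caution describes.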