Configuring and Monitoring Port Security

Port Security

Syntax: port-security (Continued)

learn-mode < continuous | static | port-access | configured | limited-continuous > (Continued)

static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter (explained below) to specify the number of MAC addresses authorized for the port. You can authorize specific devices for the port, while still allowing the port to accept other, non-specified devices until the device limit has been reached. That is, if you enter fewer MAC addresses than you authorized, the port authorizes the remaining addresses in the order in which it automatically learns them.

For example, if you use address-limit to specify three authorized devices, but use mac-address to specify only one authorized MAC address, the port adds the one specifically authorized MAC address to its authorized-devices list and the first two additional MAC addresses it detects.

If, for example:

You use mac-address to authorize MAC address 0060b0-880a80 for port A4.

You use address-limit to allow three devices on port A4 and the port detects these MAC addresses:

1. 080090-1362f2

2. 00f031-423fc1

3. 080071-0c45a1

4. 0060b0-880a80 (the address you authorized with the mac-address parameter)

In this example port A4 would assume the following list of authorized addresses:

080090-1362f2 (the first address the port detected)

00f031-423fc1 (the second address the port detected)

0060b0-880a80 (the address you authorized with the mac-address parameter)

The remaining MAC address detected by the port, 080071-0c45a1, is not allowed and is handled as an intruder. Learned addresses that become authorized do not age-out. See also “Retention of Static Addresses” on page 11-17.
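
The slot accounting in the port A4 example can be checked with a small model. The Python below is an added example, not code from this manual or the switch firmware; StaticPort, see and replay are hypothetical names, and the model covers only the address-limit and mac-address behavior described on this page.

```python
import re

def normalize_mac(mac):
    """Canonicalise a MAC address to the xxxxxx-xxxxxx form used on this page."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[:6]}-{digits[6:]}"

class StaticPort:
    """Model (hypothetical names) of one port in learn-mode static."""

    def __init__(self, address_limit, mac_addresses=()):
        self.address_limit = address_limit
        # Addresses given with mac-address hold a slot before they are ever seen.
        self.configured = list(dict.fromkeys(normalize_mac(m) for m in mac_addresses))
        if len(self.configured) > address_limit:
            # Restriction of this model only; the page does not cover this case.
            raise ValueError("more mac-address entries than address-limit")
        self.learned = []    # auto-learned, in detection order; never aged out
        self.intruders = []  # sources rejected once every slot is taken

    def authorized(self):
        return self.learned + self.configured

    def see(self, mac):
        """Process a source MAC detected on the port; True if it is authorized."""
        mac = normalize_mac(mac)
        if mac in self.configured or mac in self.learned:
            return True
        if len(self.configured) + len(self.learned) < self.address_limit:
            self.learned.append(mac)  # fills one of the remaining slots
            return True
        if mac not in self.intruders:
            self.intruders.append(mac)
        return False

def replay(address_limit, mac_addresses, detected):
    """Feed detected MACs to a fresh port; return (authorized, intruders)."""
    port = StaticPort(address_limit, mac_addresses)
    for mac in detected:
        port.see(mac)
    return port.authorized(), port.intruders

if __name__ == "__main__":
    # The page's port A4 example: limit 3, one configured address, four detected.
    seen = ["080090-1362f2", "00f031-423fc1", "080071-0c45a1", "0060b0-880a80"]
    print(replay(3, ["0060b0-880a80"], seen))
```

The third detected address is rejected even though only two addresses have been learned at that point, because the address entered with mac-address already occupies the third slot.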
