Configuring and Monitoring Port Security

Port Security

Syntax: port-security (Continued)

learn-mode < continuous | static | port-access | configured | limited-continuous > (Continued)

Caution: Using the static parameter with a device limit greater than the number of MAC addresses specified with mac-address can allow an unwanted device to become “authorized”. This is because the port, to fill the number of devices allowed by the address-limit parameter (see below), automatically adds the devices it detects until it reaches the specified limit. Unless you intend the port to learn the remaining addresses on its own, set address-limit equal to the number of addresses you specify with mac-address.

Note: If 802.1X port-access is configured on a given port, then port-security learn-mode must be set to either continuous (the default) or port-access.

port-access: Enables you to use Port Security with (802.1X) Port-Based Access Control. Refer to chapter 10, Configuring Port-Based and User-Based Access Control (802.1X).

configured: You must specify which MAC addresses are allowed on this port; the address-limit range is 1 (default) to 8. These addresses are not ageable and are saved across reboots.

limited-continuous: Also known as MAC Secure, or “limited” mode. The address limit sets a finite cap on the number of learned addresses allowed per port. (You can set the range from 1, the default, to a maximum of 32 MAC addresses that may be learned by each port.)

All addresses are ageable, meaning they are automatically removed from the authorized address list for that port after a certain amount of time. Limited mode and the address limit are saved across reboots, but addresses that had been learned are lost during the reboot process. Addresses learned in limited mode are normal addresses learned from the network until the limit is reached, but they are not configurable. (You cannot enter or remove these addresses manually if you are using learn-mode with the limited-continuous option.)
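To make the difference between these modes concrete, the following is an added Python model of the learn-mode semantics described on this page (the static Caution above, the configured mode, and limited-continuous mode); it is not switch firmware or ProCurve code. It encodes the static auto-fill behaviour that the Caution warns about, the non-ageable, reboot-persistent addresses of configured mode, and the ageable, reboot-volatile learned addresses of limited-continuous mode. The aging interval, the sample MAC strings, the class and method names, and the result labels are assumptions for illustration; whether static-filled entries age is not stated on this page, so the model assumes they do not.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed aging interval (seconds) for limited-continuous mode; the page says
# learned addresses age out but gives no interval, so this value is illustrative.
AGE_OUT_SECONDS = 300

# address-limit ranges stated on the page; static is not bounded here because
# this page does not give its maximum.
MAX_LIMIT = {"configured": 8, "limited-continuous": 32}


@dataclass
class SecurePort:
    """One port's port-security state for the static, configured and
    limited-continuous learn modes. authorized maps MAC -> last-seen time,
    or None for entries that never age (administrator-specified ones)."""
    learn_mode: str
    address_limit: int = 1
    authorized: Dict[str, Optional[int]] = field(default_factory=dict)

    def __post_init__(self):
        if self.learn_mode not in ("static", "configured", "limited-continuous"):
            raise ValueError("this model covers static, configured and limited-continuous only")
        top = MAX_LIMIT.get(self.learn_mode)
        if self.address_limit < 1 or (top is not None and self.address_limit > top):
            raise ValueError(f"address-limit out of range for {self.learn_mode}")

    def add_mac(self, mac: str) -> None:
        """Equivalent of the mac-address parameter: only static and configured
        modes accept administrator-specified addresses."""
        if self.learn_mode == "limited-continuous":
            raise ValueError("limited-continuous addresses are learned, not configured")
        if len(self.authorized) >= self.address_limit:
            raise ValueError("address-limit already reached")
        self.authorized[mac] = None          # specified addresses do not age

    def _age_out(self, now: int) -> None:
        """Drop limited-continuous entries not seen within AGE_OUT_SECONDS."""
        for mac, seen in list(self.authorized.items()):
            if seen is not None and now - seen > AGE_OUT_SECONDS:
                del self.authorized[mac]

    def frame_from(self, mac: str, now: int = 0) -> str:
        """Classify a frame's source MAC as 'authorized', 'learned' (the port
        auto-added it to fill an unused address-limit slot) or 'intrusion'."""
        self._age_out(now)
        if mac in self.authorized:
            if self.learn_mode == "limited-continuous":
                self.authorized[mac] = now   # refresh the aging timer
            return "authorized"
        if self.learn_mode == "configured":
            return "intrusion"               # nothing beyond the configured list is accepted
        if len(self.authorized) < self.address_limit:
            # static fills unused slots with whatever it sees (the Caution above);
            # limited-continuous learns normally up to the limit, and those entries age.
            # Whether static-filled entries age is not stated on the page; assumed not.
            self.authorized[mac] = now if self.learn_mode == "limited-continuous" else None
            return "learned"
        return "intrusion"

    def reboot(self) -> None:
        """Static/configured addresses survive a reboot; limited-continuous
        learned addresses (but not the mode or limit) are lost."""
        if self.learn_mode == "limited-continuous":
            self.authorized.clear()


def static_gap_demo():
    """The Caution above, with constructed MACs: address-limit 2 but only one
    mac-address lets the next unknown device become authorized; setting
    address-limit equal to the number of specified addresses does not."""
    weak = SecurePort("static", address_limit=2)
    weak.add_mac("0000c0-111111")
    fixed = SecurePort("static", address_limit=1)
    fixed.add_mac("0000c0-111111")
    return weak.frame_from("0000c0-bad001"), fixed.frame_from("0000c0-bad001")


if __name__ == "__main__":
    print(static_gap_demo())     # ('learned', 'intrusion')
```

The `static_gap_demo` pair is the check worth running before deploying a static-mode port: if the weak configuration returns "learned" for an address you never specified, the address-limit is larger than the mac-address list and the port will quietly authorize the first stranger it sees.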
