Configuring and Monitoring Port Security

Port Security

Syntax: port-security (Continued)

mac-address [<mac-addr>] [<mac-addr>] . . . [<mac-addr>]

Available for learn-mode with the static, configured, or limited-continuous option. Allows up to eight authorized devices (MAC addresses) per port, depending on the value specified in the address-limit parameter. The limited-continuous learn mode allows up to 32 authorized MAC addresses per port.

If you use mac-address with static, but enter fewer devices than you specified in the address-limit field, the port accepts not only your specified devices, but also as many other devices as it takes to reach the device limit. For example, if you specify four devices, but enter only two MAC addresses, the port will accept the first two non-specified devices it detects, along with the two specifically authorized devices. Learned addresses that become authorized do not age-out, so a device that happens to be connected while the limit is unfilled stays authorized until you remove it. If only the listed devices should be allowed, set address-limit equal to the number of MAC addresses you enter. See also “Retention of Static Addresses” on page 11-17.

action < none | send-alarm | send-disable >

Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device, or when Learn Mode is set to continuous and there is an address change on a port.

none: Prevents an SNMP trap from being sent. none is the default value.

send-alarm: Sends an intrusion alarm. Causes the switch to send an SNMP trap to a network management station.

send-disable: Sends alarm and disables the port. Available only in the static, port-access, configured, or limited learn modes. Causes the switch to send an SNMP trap to a network management station and disable the port. If you subsequently re-enable the port without clearing the port’s intrusion flag, the port blocks further intruders, but the switch will not disable the port again until you reset the intrusion flag. See the Note on page 11-32.

For information on configuring the switch for SNMP management, refer to the Management and Configuration Guide for your switch.
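Worked configuration, added here as an example and not taken from the manual, showing the address-limit pitfall described above beside the corrected setting, followed by the check-and-recover commands for send-disable. The port name A1, the two MAC addresses, and the prompt are assumptions; lines beginning with ! are annotations, not commands. Confirm the exact syntax with the CLI help and show port-security on your own switch.

```text
! WEAK: address-limit 4 but only two MACs named. The first two unknown
! devices seen on A1 are learned, become authorized, and never age out.
ProCurve(config)# port-security A1 learn-mode static address-limit 4 mac-address 0c0090-123456 0c0090-123457 action send-disable

! CORRECTED: address-limit equals the number of authorized MACs, so any
! third device is treated as an intruder and triggers the action.
ProCurve(config)# port-security A1 learn-mode static address-limit 2 mac-address 0c0090-123456 0c0090-123457 action send-disable

! Check what the port actually authorized; look for addresses you did
! not configure, which indicates the limit was larger than the list.
ProCurve(config)# show port-security A1

! After send-disable fires: read the intrusion log, clear the flag, then
! re-enable the port. Re-enabling without clearing the flag means later
! intruders are blocked but the port is not disabled again.
ProCurve(config)# show port-security intrusion-log
ProCurve(config)# port-security A1 clear-intrusion-flag
ProCurve(config)# interface A1 enable
```

The order of the last three commands matters: clearing the intrusion flag before re-enabling the port restores the send-disable behavior for the next intruder, whereas enabling first leaves the port in the block-but-do-not-disable state the text describes.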

—Continued—

11-16