Configuring and Monitoring Port Security

Overview

 

 

Physical Topology

 

 

 

Logical Topology for Access to Switch A

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Switch A

 

 

 

 

 

 

Switch A

 

 

 

 

 

 

 

 

 

 

Port Security

 

 

 

 

 

 

Port Security

 

 

 

 

 

 

 

 

 

 

Configured

 

 

PC 1

 

 

 

Configured

 

PC 1

 

 

 

 

MAC Address Authorized

 

 

 

 

 

 

MAC Address Authorized

 

 

 

 

 

 

 

 

 

 

 

 

 

 

by Switch A

 

 

 

 

 

 

by Switch A

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Switch B

 

 

PC 2

 

 

 

Switch B

 

 

 

MAC Address

 

 

MAC Address NOT

 

 

 

MAC Address

 

 

Authorized by

 

 

 

 

 

 

 

 

 

Authorized by Switch A

 

 

 

Authorized by

 

 

 

 

 

 

 

 

 

Switch A

 

 

 

 

 

 

Switch A

 

 

 

 

 

 

 

 

 

 

 

 

 

 

PC 3

Switch C

 

MAC Address NOT

 

Authorized by Switch A

MAC Address NOT

 

 

 

Authorized by

 

 

Switch A

 

 

 

 

 

PC1 can access Switch A.

PCs 2 and 3 can access Switch B and Switch C, but are blocked from accessing switch A by the port security settings in switch A.

Switch C is not authorized to access Switch A.

Figure 9-1. Example of How Port Security Controls Access

Note

Broadcast and Multicast traffic is not “unauthorized” traffic, and can be read

 

by intruders connected to a port on which you have configured port security.

 

 

Trunk Group Exclusion

Port security does not operate on either a static or dynamic trunk group. If you configure port security on one or more ports that are later added to a trunk group, the switch will reset the port security parameters for those ports to the factory-default configuration. (Ports configured for either Active or Passive LACP, and which are not members of a trunk, can be configured for port security.)

9-4