Configuring and Monitoring Port Security

Port Security Command Options and Operation

Syntax: port-security [e] <port-list>

learn-mode < continuous | static | configured | port-access >

Continuous (Default): Appears in the factory-default setting or when you execute no port-security. Allows the port to learn addresses from inbound traffic from, and to accept traffic from, any device(s) to which it is connected. Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system-information listing.

Static: The static learn mode enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter to specify the number of MAC addresses authorized for the port. You can authorize specific devices for the port while still allowing the port to accept other, non-specified devices until the port reaches the configured address limit. That is, if you enter fewer MAC addresses than the limit you authorized, the port fills the remainder of the address allowance with MAC addresses it learns automatically. For example, if you specify three authorized devices but enter only one authorized MAC address, the port adds the one specifically authorized MAC address to its authorized-devices list together with the first two additional MAC addresses it detects. If, for example:

You authorize MAC address 0060b0-880a80 on port A4.

You allow three devices on port A4, but the port detects these MAC addresses, in this order:

1. 080090-1362f2

2. 00f031-423fc1

3. 080071-0c45a1

4. 0060b0-880a80 (the authorized address)

Port A4 then has the following list of authorized addresses:

080090-1362f2 (the first address detected)

00f031-423fc1 (the second address detected)

0060b0-880a80 (the authorized address)

The remaining MAC address, 080071-0c45a1, is treated as an intruder because the port had already reached its address limit when that address appeared. See also “Retention of Static Addresses” on page 9-10.

Caution: When you use learn-mode static with a device limit greater than the number of MAC addresses you specify with mac-address, an unwanted device can become “authorized”. This can occur because the port, in order to fulfill the number of devices allowed by address-limit, automatically adds devices it detects until it reaches the specified limit.
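The port A4 scenario above, and the caution that follows it, can be checked with a small model of the static learn-mode behaviour the manual describes. The following Python is an added illustration, not ProCurve switch firmware or code from this manual; the class and function names are this example's own, and the traffic sequence is constructed from the MAC addresses listed above. It fills the address allowance with configured MACs first and auto-learned MACs second, exactly as the text describes, and then contrasts the risky configuration (address-limit larger than the number of mac-address entries) with the safe one (address-limit equal to the number of mac-address entries).

```python
# Model of learn-mode static address handling on one port. Added example,
# not switch firmware; names and the traffic sequence are this example's own.
from dataclasses import dataclass, field


@dataclass
class StaticLearnPort:
    """One port configured with learn-mode static.

    address_limit: value of the address-limit parameter
    authorized:    MAC addresses entered with the mac-address parameter
    learned:       addresses the port auto-learned to fill the allowance
    intruders:     addresses seen after the allowance was full
    """
    address_limit: int
    authorized: list = field(default_factory=list)
    learned: list = field(default_factory=list)
    intruders: list = field(default_factory=list)

    def authorized_list(self):
        # Configured entries count toward the limit even before they are seen.
        return self.authorized + self.learned

    def detect(self, mac):
        """Process one inbound source MAC; returns how the port classed it."""
        if mac in self.authorized:
            return "authorized"
        if mac in self.learned:
            return "learned"
        # Allowance not yet full: the port silently authorizes this device.
        if len(self.authorized_list()) < self.address_limit:
            self.learned.append(mac)
            return "learned"
        # Allowance full: anything else is an intruder.
        if mac not in self.intruders:
            self.intruders.append(mac)
        return "intruder"


def run_port_a4_example():
    """The manual's scenario: one configured MAC, address-limit of three."""
    port = StaticLearnPort(address_limit=3, authorized=["0060b0-880a80"])
    # Constructed traffic, in the order the manual lists the detections.
    seen = ["080090-1362f2", "00f031-423fc1", "080071-0c45a1", "0060b0-880a80"]
    results = {mac: port.detect(mac) for mac in seen}
    return port, results


def run_safe_example():
    """Same port, but address-limit equals the number of mac-address entries,
    so no unlisted device can be auto-authorized (the caution's fix)."""
    port = StaticLearnPort(address_limit=1, authorized=["0060b0-880a80"])
    seen = ["080090-1362f2", "00f031-423fc1", "0060b0-880a80"]
    results = {mac: port.detect(mac) for mac in seen}
    return port, results


if __name__ == "__main__":
    for label, run in (("limit 3, one mac-address", run_port_a4_example),
                       ("limit 1, one mac-address", run_safe_example)):
        port, results = run()
        print(label)
        print("  authorized list:", port.authorized_list())
        print("  intruders:      ", port.intruders)
        print("  per-address:    ", results)
```

Running it shows the first configuration authorizing two devices the administrator never listed, which is the behaviour the caution warns about; the second configuration authorizes only the listed address and flags every other device as an intruder.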

9-7