Port Security
This section describes the Port Security feature.
Overview
Port Security:
•
Allows for limiting the number of MAC addresses on a given port.
•
Packets that have a matching MAC address (secure packets) are forwarded; all other packets (unsecure
packets) are restricted.
•
Enabled on a per port basis.
•
When locked, only packets with allowable MAC address will be forwarded.
•
Supports both dynamic and static.
•
Implement two traffic filtering methods. These methods can be used concurrently.
–
Dynamic Locking: User specifies the maximum number of MAC addresses that can be learned on
a port. The maximum number of MAC addresses is 100. After the limit is reached, additional
MAC addresses are not learned. Only frames with an allowable source MAC address are forwarded.
–
Static Locking: User manually specifies a list of static MAC addresses for a port.
Operation
Port Security:
•
Helps secure network by preventing unknown devices from forwarding packets.
•
When link goes down, all dynamically locked addresses are 'freed.'
•
If a specific MAC address is to be set for a port, set the dynamic entries to 0, then only allow packets
with a MAC address matching the MAC address in the static list.
•
Dynamically locked MAC addresses are aged out if another packet with that address is not seen within
the age-out time. The user can set the time-out value.
•
Dynamically locked MAC addresses are eligible to be learned by another port.
•
Static MAC addresses are not eligible for aging.
CLI Examples
The following are examples of the commands used in the Port Security feature.
Example #1: Enable Port Security on an Interface
console(config)#interface ethernet 1/g18
console(config-if-1/g18)#port security ?
<cr>
Press enter to execute the command.
Switching Configuration
39