Configuring port security

Using the CLI, you can:
  • Configure port security and edit security settings.

  • Add or delete devices from the list of authorized addresses for one or more ports.

  • Clear the Intrusion flag on specific ports.

Syntax

port-security [e] <port-list> {<learn-mode | address-limit | mac-address | action | clear-intrusion-flag>}

<port-list>

Specifies a list of one or more ports to which the port-security command applies.


learn-mode {<continuous | static | port-access | configured | limited-continuous>}
For the specified port:
  • Identifies the method for acquiring authorized addresses.

  • On switches covered in this guide, automatically invokes eavesdrop protection, see Eavesdrop prevention.

continuous

(Default): In effect in the factory-default configuration or after you execute no port-security. Allows the port to learn addresses from the devices to which it is connected, and the port accepts traffic from any device connected to it. Addresses learned in continuous mode "age out" and are automatically deleted if they are not used regularly. The default age time is five minutes.

Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing. You can set the MAC age out time using the CLI, SNMP, Web, or menu interfaces. For more information on the mac-age-time command see "Interface Access and System Information" in the management and configuration guide for your switch.

static

Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter (explained below) to specify the number of MAC addresses authorized for the port. You can authorize specific devices for the port, while still allowing the port to accept other, non-specified devices until the device limit has been reached. That is, if you enter fewer MAC addresses than you authorized, the port authorizes the remaining addresses in the order in which it automatically learns them.

For example, if you use address-limit to specify three authorized devices, but use mac-address to specify only one authorized MAC address, the port adds the one specifically authorized MAC address to its authorized-devices list and the first two additional MAC addresses it detects.

If, for example:
  • You use mac-address to authorize MAC address 0060b0-880a80 for port A4.

  • You use address-limit to allow three devices on port A4, and the port detects these MAC addresses, in this order:
  1. 080090-1362f2
  2. 00f031-423fc1
  3. 080071-0c45a1
  4. 0060b0-880a80 (the address you authorized with the mac-address parameter)

In this example port A4 would assume the following list of authorized addresses:

080090-1362f2 (the first address the port detected)

00f031-423fc1 (the second address the port detected)

0060b0-880a80 (the address you authorized with the mac-address parameter)

The remaining MAC address detected by the port, 080071-0c45a1, is not allowed and is handled as an intruder. Learned addresses that become authorized do not age-out. See also Retention of static addresses.

CAUTION:

Using the static parameter with a device limit greater than the number of MAC addresses specified with mac-address can allow an unwanted device to become "authorized". This is because the port, to fulfill the number of devices allowed by the address-limit parameter (see below), automatically adds the devices it detects until it reaches the specified limit.

NOTE:

If 802.1X port-access is configured on a given port, then port-security learn-mode must be set to either continuous (the default) or port-access.
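As an added example (not from the original guide), the following configuration contrasts the weak static setup the caution above warns about with corrected forms. Port A4 and the MAC addresses are reused from the worked example on this page; the `show port-security` and `write memory` commands are assumed from the switch's management and configuration guide rather than taken from this page.

```text
; Weak: one MAC is authorized, but address-limit 3 leaves two slots that the port
; fills with whatever it sees first, so an unknown device becomes "authorized".
port-security A4 learn-mode static address-limit 3 mac-address 0060b0-880a80 action none

; Corrected: address-limit equals the number of MAC addresses actually listed,
; so every slot is pre-filled and any other device is handled as an intruder.
; send-disable raises an SNMP trap and shuts the port on the first intrusion.
port-security A4 learn-mode static address-limit 1 mac-address 0060b0-880a80 action send-disable

; Two known devices on one port (for example an IP phone and the PC behind it):
; list both addresses and set the limit to exactly two.
port-security A5 learn-mode static address-limit 2 mac-address 0060b0-880a80 080090-1362f2 action send-disable

; For ports whose devices cannot be enumerated, cap the number of learned
; addresses instead (these addresses age out and are lost across reboots).
port-security A6-A24 learn-mode limited-continuous address-limit 2 action send-alarm

; Verify the authorized-address list and action per port, then save the config.
show port-security A4-A6
write memory
```

The limited-continuous line caps exposure but does not identify devices: the first two addresses the port sees are still authorized, so it is a fallback for ports where you cannot list the MAC addresses, not a substitute for a fully specified static list.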

port-access

Enables you to use Port Security with (802.1X) Port-Based Access Control.

configured

Allows only the MAC addresses you specify with mac-address for this port. The address-limit range is 1 (default) to 64; the addresses do not age out and are saved across reboots.

limited-continuous

Also known as MAC Secure, or "limited" mode. Sets a finite limit on the number of learned addresses allowed per port. (The range is from 1, the default, to a maximum of 32 MAC addresses that may be learned by each port.)

All addresses age, meaning they are automatically removed from the authorized address list for that port after a certain amount of time. Limited mode and the address limit are saved across reboots, but addresses which had been learned are lost during the reboot process.

Addresses learned in the limited mode are normal addresses learned from the network until the limit is reached, but they are not configurable. (You cannot enter or remove these addresses manually if you are using learn-mode with the limited-continuous option.)

Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing. You can set the MAC age-out time using the CLI, SNMP, Web, or menu interfaces. For more on the mac-age-time command, see "Interface Access and System Information" in the management and configuration guide for your switch. To set learn-mode to limited-continuous, use this command syntax:


port-security <port-list> learn-mode limited-continuous address-limit <1..32> action {<none | send-alarm | send-disable>}

The default address-limit is 1 but may be set for each port to learn up to 64 addresses.

The default action is none.

To see the list of learned addresses for a port use the command:


show mac-address <port-list>

address-limit <integer>

When learn-mode is set to static, configured, or limited-continuous, the address-limit parameter specifies how many authorized devices (MAC addresses) to allow on the port. Range: 1 (the default) to 8 for the static and configured modes; for learn-mode with the limited-continuous option, the range is 1 to 32 addresses.

mac-address <mac-addr> [<mac-addr> ...]

Available for learn-mode with the static, configured, or limited-continuous option. Allows up to eight authorized devices (MAC addresses) per port, depending on the value specified in the address-limit parameter; limited-continuous mode allows up to 32 authorized MAC addresses per port. If you use mac-address with static but enter fewer devices than you specified in the address-limit field, the port accepts not only your specified devices, but also as many other devices as it takes to reach the device limit. For example, if you specify four devices but enter only two MAC addresses, the port accepts the first two non-specified devices it detects, along with the two specifically authorized devices. Learned addresses that become authorized do not age out. See also Retention of static addresses.


action {<none | send-alarm | send-disable>}

Specifies whether an SNMP trap is sent to a network management station when learn-mode is set to static and the port detects an unauthorized device, or when learn-mode is set to continuous and there is an address change on a port.

none

Prevents an SNMP trap from being sent. none is the default value.

send-alarm

Sends an intrusion alarm. Causes the switch to send an SNMP trap to a network management station.

send-disable

Sends an alarm and disables the port. Available only in the static, port-access, configured, or limited-continuous learn modes. Causes the switch to send an SNMP trap to a network management station and disable the port. If you subsequently re-enable the port without clearing the port's intrusion flag, the port blocks further intruders, but the switch does not disable the port again until you reset the intrusion flag. See the Note on Keeping the intrusion log current by resetting alert flags.

For information on configuring the switch for SNMP management, see the management and configuration guide for your switch.


clear-intrusion-flag

Clears the intrusion flag for a specific port, see Reading intrusion alerts and resetting alert flags.
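The sequence below is an added example, not from the original guide, showing how an operator recovers a port that send-disable has shut down. The send-disable behaviour, clear-intrusion-flag and the mac-address/address-limit parameters come from this page; `show port-security intrusion-log`, `show interfaces brief` and `interface A4 enable` are assumed from the switch's management and configuration guide, and the MAC address is reused from the worked example above.

```text
; 1. Find which ports have the Intrusion flag set and which MAC triggered it.
show port-security intrusion-log
show port-security A4

; 2. If the detected device is legitimate, authorize it explicitly and raise the
;    limit to match the number of listed addresses (leave the limit alone otherwise).
port-security A4 address-limit 2 mac-address 080090-1362f2

; 3. Clear the Intrusion flag before re-enabling. If the port is re-enabled with
;    the flag still set, later intruders are blocked but the port is not
;    disabled again, so the flag must be reset for send-disable to act again.
port-security A4 clear-intrusion-flag

; 4. Re-enable the port that send-disable shut down and confirm its state.
interface A4 enable
show interfaces brief A4
```

Step 2 is the one to treat with care: adding the intruder's address because it "looks like" a known device defeats the control, so confirm the device out of band before authorizing it.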


no port-security <port-list> mac-address <mac-addr> [<mac-addr> ...]

Removes the specified MAC addresses from the authorized-address list of the specified ports.