Port security commands

Using the CLI, you can do the following:

  • Configure port security and edit security settings.

  • Add or delete devices from the list of authorized addresses for one or more ports.

  • Clear the Intrusion flag on specific ports.

Syntax:


port-security
<port-list> <learn-mode|address-limit|mac-address|action|clear-intrusion-flag>

Options:

<port-list>

Specifies a list of one or more ports to which the port-security command applies.


learn-mode <continuous|static|port-access|configured|limited-continuous>
For the specified port:
  • Identifies the method for acquiring authorized addresses.

  • On switches covered in this guide, automatically invokes eavesdrop protection, see Eavesdrop Prevention.

continuous: (Default): Appears in the factory-default setting or when you execute no port-security. Allows the port to learn addresses from the device(s) to which it is connected. In this state, the port accepts traffic from any device(s) to which it is connected. Addresses learned in the learn continuous mode will "age out" and be automatically deleted if they are not used regularly. The default age time is five minutes.

Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing. You can set the MAC age out time using the CLI, SNMP, Web, or menu interfaces. For more information on the mac-age-time command see "Interface Access and System Information" in the management and configuration guide for your switch.

static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter (explained below) to specify the number of MAC addresses authorized for the port. You can authorize specific devices for the port, while still allowing the port to accept other, non-specified devices until the device limit has been reached. That is, if you enter fewer MAC addresses than you authorized, the port authorizes the remaining addresses in the order in which it automatically learns them.

For example, if you use address-limit to specify three authorized devices, but use mac-address to specify only one authorized MAC address, the port adds the one specifically authorized MAC address to its authorized-devices list and the first two additional MAC addresses it detects.

If, for example:

You use mac-address to authorize MAC address 0060b0-880a80 for port A4.

You use address-limit to allow three devices on port A4 and the port detects these MAC addresses:

  • 080090-1362f2

  • 00f031-423fc1

  • 080071-0c45a1

  • 0060b0-880a80 (the address you authorized with the mac-address parameter)

In this example port A4 would assume the following list of authorized addresses:

080090-1362f2 (the first address the port detected)

00f031-423fc1 (the second address the port detected)

0060b0-880a80 (the address you authorized with the mac-address parameter)

The remaining MAC address detected by the port, 080071-0c45a1, is not allowed and is handled as an intruder. Learned addresses that become authorized do not age-out. See also Retention of static addresses.

CAUTION: Using the static parameter with a device limit greater than the number of MAC addresses specified with mac-address can allow an unwanted device to become "authorized". This is because the port, to fulfill the number of devices allowed by the address-limit

parameter (see below), automatically adds devices it detects until it reaches the specified limit.

NOTE: If 802.1X port-access is configured on a given port, then port-security learn-mode must be set to either continuous (the default) or port-access.

port-access: Enables you to use Port Security with (802.1X) Port-Based Access Control.

configured: Must specify which MAC addresses are allowed for this port. Range is 1 (default) to 64 and addresses are not ageable. Addresses are saved across reboots.

limited-continuous: Also known as MAC Secure, or "limited" mode. The limited parameter sets a finite limit to the number of learned addresses allowed per port. (You can set the range from 1, the default, to a maximum of 32 MAC addresses which may be learned by each port.)

All addresses are ageable, meaning they are automatically removed from the authorized address list for that port after a certain amount of time. Limited mode and the address limit are saved across reboots, but addresses which had been learned are lost during the reboot process.

Addresses learned in the limited mode are normal addresses learned from the network until the limit is reached, but they are not configurable. (You cannot enter or remove these addresses manually if you are using learn-mode with the limited-continuous option.)

Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing. You can set the MAC age out time using the CLI, SNMP, Web, or menu interfaces. For more on the mac-age-time command, see "Interface Access and System Information" in the management and configuration guide for your switch. To set the learn-mode to limited use this Command syntax:

port-security <port-list> learn-mode limited address-limit <1..64> action <none|send-alarm|send-disable>

The default address-limit is 1 but may be set for each port to learn up to 64 addresses.

The default action is none.

To see the list of learned addresses for a port use the command:

show mac <port-list>


address-limit <integer>

When learn-mode is set to static, configured, or limited-continuous, the address-limit parameter specifies how many authorized devices (MAC addresses) to allow. Range: 1 (the default) to 8 for static and configured modes. For learn-mode with the limited-continuous option, the range is 1-64 addresses.

Available for learn-mode with the, static, configured, or limited-continuous option. Allows up to eight authorized devices (MAC addresses) per port, depending on the value specified in the address-limit parameter. The mac-address limited-continuous mode allows up to 64 authorized MAC addresses per port.

If you use mac-address with static, but enter fewer devices than you specified in the address-limit field, the port accepts not only your specified devices, but also as many other devices as it takes to reach the device limit. For example, if you specify four devices, but enter only two MAC addresses, the port will accept the first two non-specified devices it detects, along with the two specifically authorized devices. Learned addresses that become authorized do not age-out. See also Retention of static addresses.


action <none|send-alarm|send-disable>

Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device, or when Learn Mode is set to continuous and there is an address change on a port.

none: Prevents an SNMP trap from being sent. none is the default value.

send-alarm: Sends an intrusion alarm. Causes the switch to send an SNMP trap to a network management station.

send-disable: Sends alarm and disables the port. Available only in the static, port-access, configured, or limited learn modes. Causes the switch to send an SNMP trap to a network management station and disable the port. If you subsequently re-enable the port without clearing the port's intrusion flag, the port blocks further intruders, but the switch will not disable the port again until you reset the intrusion flag. See the Note on Keeping the intrusion log current by resetting alert flags.

For information on configuring the switch for SNMP management, see the management and configuration guide for your switch.


clear-intrusion-flag

Clears the intrusion flag for a specific port, see Reading intrusion alerts and resetting alert flags.


no port-security <port-list> mac-address <mac-addr>[<mac-addr> <mac-addr>]

Removes any specified learned MAC addresses from the specified port.