Port security commands
Using the CLI, you can do the following:
Configure port security and edit security settings.
Add or delete devices from the list of authorized addresses for one or more ports.
Clear the Intrusion flag on specific ports.
Syntax
port-security
<port-list> <learn-mode|address-limit|mac-address|action|clear-intrusion-flag>
Parameter
<port-list>
Specifies a list of one or more ports to which the port-security command applies.
learn-mode <continuous|static|port-access|configured|limited-continuous>
Identifies the method for acquiring authorized addresses.
On switches covered in this guide, automatically invokes eavesdrop protection, see Eavesdrop Prevention.
continuous
: (Default): Appears in the factory-default setting or when you execute
no port-security
. Allows the port to learn addresses from the device(s) to which it is connected. In this state, the port accepts traffic from any device(s) to which it is connected. Addresses learned in the learn continuous mode will "age out" and be automatically deleted if they are not used regularly. The default age time is five minutes.
Addresses learned this way appear in the switch and port address tables and age out according to the
MAC Age Interval
in the System Information configuration screen of the Menu interface or the
show system information
listing. You can set the MAC age out time using the CLI, SNMP, Web, or menu interfaces. For more information on the
mac-age-time
command see "Interface Access and System Information" in the
management and configuration guide for your switch.
static
: Enables you to use the
mac-address
parameter to specify the MAC addresses of the devices authorized for a port, and the
address-limit
parameter (explained below) to specify the number of MAC addresses authorized for the port. You can authorize specific devices for the port, while still allowing the port to accept other, non-specified devices until the device limit has been reached. That is, if you enter fewer MAC addresses than you authorized, the port authorizes the remaining addresses in the order in which it automatically learns them.
For example, if you use address-limit to specify three authorized devices, but use
mac-address
to specify only one authorized MAC address, the port adds the one specifically authorized MAC address to its authorized-devices list and the first two additional MAC addresses it detects.
If, for example:
You use
mac-address
to authorize MAC address 0060b0-880a80 for port A4.
You use
address-limit
to allow three devices on port A4 and the port detects these MAC addresses:
080090-1362f2
00f031-423fc1
080071-0c45a1
0060b0-880a80 (the address you authorized with the
mac-address
parameter)
In this example port A4 would assume the following list of authorized addresses:
080090-1362f2 (the first address the port detected)
00f031-423fc1 (the second address the port detected)
0060b0-880a80 (the address you authorized with the
mac-address
parameter)
The remaining MAC address detected by the port, 080071-0c45a1, is not allowed and is handled as an intruder. Learned addresses that become authorized do not age-out. See also Retention of static addresses.
static
parameter with a device limit greater than the number of MAC addresses specified with
mac-address
can allow an unwanted device to become "authorized". This is because the port, to fulfill the number of devices allowed by the
address-limit
parameter (see below), automatically adds devices it detects until it reaches the specified limit.
continuous
(the default) or
port-access
.
port-access
: Enables you to use Port Security with (802.1X) Port-Based Access Control.
configured
: Must specify which MAC addresses are allowed for this port. Range is 1 (default) to 64 and addresses are not ageable. Addresses are saved across reboots.
limited-continuous
: Also known as MAC Secure, or "limited" mode. The limited parameter sets a finite limit to the number of learned addresses allowed per port. (You can set the range from 1, the default, to a maximum of 32 MAC addresses which may be learned by each port.)
All addresses are ageable, meaning they are automatically removed from the authorized address list for that port after a certain amount of time. Limited mode and the address limit are saved across reboots, but addresses which had been learned are lost during the reboot process.
Addresses learned in the limited mode are normal addresses learned from the network until the limit is reached, but they are not configurable. (You cannot enter or remove these addresses manually if you are using learn-mode with the limited-continuous option.)
Addresses learned this way appear in the switch and port address tables and age out according to the MAC Age Interval in the System Information configuration screen of the Menu interface or the show system information listing. You can set the MAC age out time using the CLI, SNMP, Web, or menu interfaces. For more on the mac-age-time command, see "Interface Access and System Information" in the management and configuration guide for your switch. To set the learn-mode to limited use this Command syntax:
port-security <port-list> learn-mode limited address-limit <1..64> action <none|send-alarm|send-disable>
The default address-limit is
1
but may be set for each port to learn up to 64 addresses.
The default action is none.
To see the list of learned addresses for a port use the command:
show mac <port-list>
address-limit <integer>
When
learn-mode
is set to
static
,
configured
, or
limited-continuous
, the
address-limit
parameter specifies how many authorized devices (MAC addresses) to allow. Range: 1 (the default) to 8 for static and configured modes. For
learn-mode
with the
limited-continuous
option, the range is 1-64 addresses.
Available for
learn-mode
with the,
static
,
configured
, or
limited-continuous
option. Allows up to eight authorized devices (MAC addresses) per port, depending on the value specified in the
address-limit
parameter. The
mac-address limited-continuous
mode allows up to 64 authorized MAC addresses per port.
If you use
mac-address
with
static
, but enter fewer devices than you specified in the
address-limit
field, the port accepts not only your specified devices, but also as many other devices as it takes to reach the device limit. For example, if you specify four devices, but enter only two MAC addresses, the port will accept the first two non-specified devices it detects, along with the two specifically authorized devices. Learned addresses that become authorized do
not age-out. See also
Retention of static addresses.
action <none|send-alarm|send-disable>
Specifies whether an SNMP trap is sent to a network management station when Learn Mode is set to static and the port detects an unauthorized device, or when Learn Mode is set to continuous and there is an address change on a port.
none
: Prevents an SNMP trap from being sent.
none
is the default value.
send-alarm
: Sends an intrusion alarm. Causes the switch to send an SNMP trap to a network management station.
send-disable
: Sends alarm and disables the port. Available only in the
static
,
port-access
,
configured
, or
limited learn
modes. Causes the switch to send an SNMP trap to a network management station and disable the port. If you subsequently re-enable the port without clearing the port's intrusion flag, the port blocks further intruders, but the switch will not disable the port again until you reset the intrusion flag. See the Note on
Keeping the intrusion log current by resetting alert flags.
For information on configuring the switch for SNMP management, see the management and configuration guide for your switch.
clear-intrusion-flag
Clears the intrusion flag for a specific port, see Reading intrusion alerts and resetting alert flags.
no port-security <port-list> mac-address <mac-addr>[<mac-addr> <mac-addr>]
Removes any specified learned MAC addresses from the specified port.