Configuring Port Security
Network security can be increased by limiting access on a port to users with specific MAC addresses. The MAC addresses can be either dynamically learned or statically configured.
Port security monitors received and learned packets. Access to locked ports is limited to users with specific MAC addresses.
Port Security has two modes:
- Classic Lock--All learned MAC addresses on the port are locked, and the port does not learn any new MAC addresses. The learned addresses are not subject to aging or re-learning.
- Limited Dynamic Lock--The switch learns MAC addresses up to the configured limit of allowed addresses. After the limit is reached, the switch does not learn additional addresses. In this mode, the addresses are subject to aging and re-learning.
When a frame from a new MAC address is detected on a port where it is not authorized (the port is classically locked, and there is a new MAC address, or the port is dynamically locked, and the maximum number of allowed addresses has been exceeded), the protection mechanism is invoked, and one of the following actions can take place:
When the secure MAC address is seen on another port, the frame is forwarded, but the MAC address is not learned on that port.
In addition to one of these actions, you can also generate traps, and limit their frequency and number to avoid overloading the devices.
NOTE: If you want to use 802.1X on a port, it must be in multiple host mode (see the 802.1X, Host and Session Authentication page).
To configure port security:
- Click Security > Port Security. The Port Security page displays.
- Select an interface to be modified, and click Edit. The Edit Port Security Interface Settings page displays.
- Enter the parameters.
  - Interface--Select the interface name.
  - Interface Status--Select to lock the port.
  - Learning Mode--Select the type of port locking. The Learning Mode field is enabled only if the Interface Status field is locked, but the mode can be changed only while the Lock Interface is cleared: clear the Lock Interface, change the mode, and then reinstate the Lock Interface. The options are:
    - Classic Lock--Locks the port immediately, regardless of the number of addresses that have already been learned.
    - Limited Dynamic Lock--Locks the port by deleting the current dynamic MAC addresses associated with the port. The port then learns up to the maximum number of addresses allowed on the port. Both re-learning and aging of MAC addresses are enabled.
  - Max No. of Addresses Allowed--Enter the maximum number of MAC addresses that can be learned on the port if the Limited Dynamic Lock learning mode is selected. The number 0 indicates that only static addresses are supported on the interface.
  - Action on Violation--Select an action to be applied to packets arriving on a locked port. The options are:
  - Trap--Select to enable traps when a packet is received on a locked port. This is relevant for lock violations. For Classic Lock, this is any new address received. For Limited Dynamic Lock, this is any new address that exceeds the number of allowed addresses.
  - Trap Frequency--Enter the minimum time (in seconds) that elapses between traps.
- Click Apply. Port security is modified, and the Running Configuration file is updated.
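The behaviour described on this page (Classic Lock versus Limited Dynamic Lock, the Max No. of Addresses limit, aging and re-learning, violation handling, trap rate limiting by Trap Frequency, and forwarding without learning when a secure MAC address appears on another port) can be exercised in a small model before touching a production switch. The following Python model is an added example, not code from the switch firmware or from the vendor; the class names SecurePort and Switch, the 300-second aging time, and the two violation actions "discard" and "forward" are assumptions, since this page does not reproduce the actual list of actions.

```python
# Model of the port-security behaviour described on this page.
# Constructed example; not the switch firmware or any vendor code.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SecurePort:
    name: str
    mode: str = "classic"              # "classic" or "limited_dynamic"
    max_addresses: int = 0             # Limited Dynamic Lock only; 0 = static addresses only
    violation_action: str = "discard"  # assumption: "discard" or "forward" (page's list not reproduced)
    trap_enabled: bool = False
    trap_frequency: int = 10           # minimum seconds between traps
    aging_time: int = 300              # assumption: seconds before a dynamic entry ages out
    locked: bool = False
    static: set = field(default_factory=set)
    dynamic: dict = field(default_factory=dict)  # mac -> last time the address was seen
    traps: list = field(default_factory=list)    # (time, mac) for each trap actually sent
    violations: int = 0
    _last_trap: Optional[float] = None

    def lock(self) -> None:
        """Classic Lock freezes what is already learned; Limited Dynamic Lock
        deletes the current dynamic entries and relearns up to max_addresses."""
        if self.mode == "limited_dynamic":
            self.dynamic.clear()
        self.locked = True

    def _age(self, now: float) -> None:
        # Aging applies only under Limited Dynamic Lock; classic entries never age.
        if self.mode == "limited_dynamic":
            for mac, seen in list(self.dynamic.items()):
                if now - seen > self.aging_time:
                    del self.dynamic[mac]

    def _violation(self, mac: str, now: float) -> str:
        self.violations += 1
        # Trap Frequency: send at most one trap per trap_frequency seconds.
        if self.trap_enabled and (
            self._last_trap is None or now - self._last_trap >= self.trap_frequency
        ):
            self.traps.append((now, mac))
            self._last_trap = now
        return "forwarded" if self.violation_action == "forward" else "discarded"

    def receive(self, mac: str, now: float) -> str:
        """Process one frame's source MAC; return 'forwarded', 'learned' or 'discarded'."""
        self._age(now)
        if mac in self.static:
            return "forwarded"
        if mac in self.dynamic:
            if self.mode == "limited_dynamic":
                self.dynamic[mac] = now  # re-learning refreshes the entry
            return "forwarded"
        can_learn = self.mode == "limited_dynamic" and len(self.dynamic) < self.max_addresses
        if not self.locked or can_learn:
            self.dynamic[mac] = now
            return "learned"  # a newly learned address is forwarded as well
        return self._violation(mac, now)


@dataclass
class Switch:
    ports: dict = field(default_factory=dict)  # name -> SecurePort

    def add_port(self, port: SecurePort) -> None:
        self.ports[port.name] = port

    def secured_elsewhere(self, mac: str, port_name: str) -> bool:
        """True if mac is a secure address on a different locked port."""
        return any(
            p.name != port_name and p.locked and (mac in p.static or mac in p.dynamic)
            for p in self.ports.values()
        )

    def receive(self, port_name: str, mac: str, now: float) -> str:
        if self.secured_elsewhere(mac, port_name):
            # Secure MAC seen on another port: forward, but do not learn it here.
            return "forwarded"
        return self.ports[port_name].receive(mac, now)


def demo() -> dict:
    """Walk both lock modes with constructed MAC addresses and return the outcomes."""
    sw = Switch()
    classic = SecurePort("gi1", mode="classic", trap_enabled=True, trap_frequency=10)
    limited = SecurePort("gi2", mode="limited_dynamic", max_addresses=2, trap_enabled=True)
    sw.add_port(classic)
    sw.add_port(limited)
    sw.receive("gi1", "00:11:22:33:44:01", now=0)  # learned before the lock
    classic.lock()
    classic_results = [
        sw.receive("gi1", "00:11:22:33:44:02", now=1),   # violation, trap sent
        sw.receive("gi1", "00:11:22:33:44:03", now=2),   # violation, trap suppressed (<10 s)
        sw.receive("gi1", "00:11:22:33:44:04", now=12),  # violation, trap sent again
    ]
    sw.receive("gi2", "00:11:22:33:44:10", now=0)
    limited.lock()                                      # clears the dynamic entry above
    sw.receive("gi2", "00:11:22:33:44:11", now=1)       # learned (1 of 2)
    sw.receive("gi2", "00:11:22:33:44:12", now=2)       # learned (2 of 2)
    fourth = sw.receive("gi2", "00:11:22:33:44:13", now=3)      # over the limit
    after_aging = sw.receive("gi2", "00:11:22:33:44:13", now=400)  # old entries aged out
    cross_port = sw.receive("gi2", "00:11:22:33:44:01", now=401)   # gi1's secure MAC
    return {
        "classic_results": classic_results,
        "classic_traps": len(classic.traps),
        "classic_violations": classic.violations,
        "limited_fourth": fourth,
        "limited_after_aging": after_aging,
        "cross_port": cross_port,
        "cross_port_learned": "00:11:22:33:44:01" in limited.dynamic,
    }


if __name__ == "__main__":
    print(demo())
```

Running the model shows the two points that matter operationally: under Classic Lock every new address after the lock is a violation with no aging, while under Limited Dynamic Lock the same address that was rejected at the limit is accepted again once older entries age out; and Trap Frequency bounds how many traps a burst of violations can generate.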