HP (Hewlett-Packard) 2650 (J4899A/B) Switch User Manual


 
9-7
Configuring and Monitoring Port Security
Port Security Command Options and Operation
Syntax: port-security [e] < port-list >
learn-mode < continuous | static | configured | port-access >
Continuous
(Default): Appears in the factory-default
setting or when you execute
no port-security. Allows the port
to learn addresses from inbound traffic from any
device(s) to which it is connected. In this state, the port
accepts traffic from any device(s) to which it is
connected. Addresses learned this way appear in the
switch and port address tables and age out according to
the
MAC Age Interval in the System Information configura-
tion screen of the Menu interface or the
show system-
information
listing.
Static: The static-learn option enables you to use the mac-
address
parameter to specify the MAC addresses of the
devices authorized for a port, and the address-limit
parameter to specify the number of MAC addresses
authorized for the port. You can authorize specific
devices for the port, while still allowing the port to accept
other, non-specified devices until the port reaches the
configured address limit. That is, if you enter fewer MAC
addresses than you authorized, the port fills the
remainder of the address allowance with MAC addresses
it automatically learns. For example, if you specify three
authorized devices, but enter only one authorized MAC
address, the port adds the one specifically authorized
MAC address to its authorized-devices list and the first
two additional MAC addresses it detects. If, for example:
You authorize MAC address 0060b0-880a80 on port A4.
You allow three devices on port A4, but the port
detects these MAC addresses:
1.
080090-1362f2 3. 080071-0c45a1
2. 00f031-423fc1 4. 0060b0-880a80 (the authorized
address.)
Port A4 then has the following list of authorized
addresses:
080090-1362f2 (The first address detected.)
00f031-423fc1 (The second address detected.)
0060b0-880a80 (The authorized address.)
The remaining MAC address,
080071-0c45a1, is an intruder.
See also “Retention of Static Addresses” on page 9-10.
Caution: When you use learn-mode static with a device limit
greater than the number of MAC addresses you specify with
mac-address, an unwanted device can become “authorized”.
This can occur because the port, in order to fulfill the number of
devices allowed by address-limit, automatically adds devices it
detects until it reaches the specified limit.