Configuring and Monitoring Port Security
Port Security Command Options and Operation
ProCurve(config)# port-security a1 learn-mode static mac-address 0c0090-123456 action send-disable
This example configures port A5 to:
■ Allow two MAC addresses, 00c100-7fec00 and 0060b0-889e00, as the
authorized devices.
■ Send an alarm to a management station if an intruder is detected on
the port.
ProCurve(config)# port-security a5 learn-mode static address-limit 2 mac-address 00c100-7fec00 0060b0-889e00 action send-alarm
If you manually configure authorized devices (MAC addresses) and/or an
alarm action on a port, those settings remain unless you either manually
change them or reset the switch to its factory-default configuration. You can
“turn off” device authorization on a port by configuring the port to continuous
Learn Mode, but subsequently reconfiguring the port to static Learn Mode
restores the configured device authorization.
Learn-Mode Configured. This option allows only MAC addresses specifically
configured with learn-mode configured mac-address < mac-address >, and
does not automatically learn non-specified MAC addresses from the
network. This example configures port A1 to:
■ Allow only a MAC address of 0c0090-123456 as the authorized device
■ Reserve the option for adding two more specified MAC addresses at
a later time without having to change the address-limit setting.
■ Send an alarm to a management station if an intruder is detected on
the port.
ProCurve(config)# port-security A1 learn-mode configured mac-address 0c0090-123456 address-limit 3 action send-disable
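The following script is an added example, not part of the original manual. It parses port-security commands in the syntax shown above and audits them: it reports a port left in continuous Learn Mode, a port with more MAC addresses than its address-limit, a port with no alarm action, and how many Authorized Address slots remain free. The function names are hypothetical, and the defaults for omitted keywords (address-limit 1, action none) are assumptions.

```python
import re

MAC_RE = re.compile(r"[0-9a-f]{6}-[0-9a-f]{6}", re.I)  # MAC format used on this page
KEYWORDS = ("learn-mode", "address-limit", "mac-address", "action")

def parse_port_security(line):
    """Parse one 'port-security <port> ...' command (CLI prompt optional)."""
    tokens = line.split("#", 1)[-1].split()
    if len(tokens) < 2 or tokens[0] != "port-security":
        raise ValueError("not a port-security command: %r" % line)
    # Assumption: omitted keywords mean address-limit 1 and action none.
    cfg = {"port": tokens[1].upper(), "learn_mode": None,
           "address_limit": 1, "macs": [], "action": "none"}
    i = 2
    while i < len(tokens):
        key = tokens[i]
        if key not in KEYWORDS or i + 1 >= len(tokens):
            raise ValueError("bad or incomplete keyword: %r" % key)
        i += 1
        if key == "mac-address":  # one or more addresses may follow
            while i < len(tokens) and tokens[i] not in KEYWORDS:
                if not MAC_RE.fullmatch(tokens[i]):
                    raise ValueError("bad MAC address: %r" % tokens[i])
                cfg["macs"].append(tokens[i].lower())
                i += 1
            continue
        value = tokens[i]
        i += 1
        if key == "address-limit":
            cfg["address_limit"] = int(value)
        else:
            cfg["learn_mode" if key == "learn-mode" else "action"] = value
    return cfg

def free_slots(cfg):
    """Authorized Address slots still unused under the current address-limit."""
    return cfg["address_limit"] - len(cfg["macs"])

def audit(cfg):
    """Return a list of findings for one parsed port."""
    findings = []
    if cfg["learn_mode"] == "continuous":
        findings.append("device authorization is off (learn-mode continuous)")
    elif free_slots(cfg) < 0:
        findings.append("more MAC addresses than address-limit allows")
    if cfg["action"] == "none":
        findings.append("no alarm action on intrusion")
    return findings
```
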
Adding a MAC Address to an Existing Port List
To simply add a device (MAC address) to a port’s existing Authorized
Addresses list, enter the port number with the mac-address parameter and the
device’s MAC address. This assumes that Learn Mode is either static or
configured and the Authorized Addresses list is not already full (as determined
by the current address-limit value). For example, suppose port A1 allows
two authorized devices, but has only one device in its Authorized Address list: