HP (Hewlett-Packard) series 2500 Switch User Manual


 
7-14
Using Passwords, Port Security, and Authorized IP Managers To Protect Against Unauthorized Access
Configuring and Monitoring Port Security
Table 7-1. Port Security Parameters

Parameter: Port List
  <[ethernet] port-list>
  Identifies the port or ports on which to apply a port security command.

Parameter: Learn Mode
  learn-mode <static | continuous>
  Specifies how the port acquires authorized addresses.

  Continuous (the Default): Appears in the factory-default setting or when you execute no port-security. Allows the port to learn addresses from inbound traffic from any device(s) to which it is connected. In this state, the port accepts traffic from any device(s) to which it is connected. Addresses learned this way appear in the switch and port address tables and age out according to the Address Age Interval in the System Information configuration screen (page 5-22).

  Static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter to specify the number of MAC addresses authorized for the port. You can authorize specific devices for the port while still allowing the port to accept other, non-specified devices until the device limit has been reached. That is, if you specify fewer MAC addresses than the address-limit allows, the port authorizes the remaining addresses in the order in which it automatically learns them. For example, if you use address-limit to specify three authorized devices but use mac-address to specify only one authorized MAC address, the port adds the one specifically authorized MAC address to its authorized-devices list and the first two additional MAC addresses it detects. For example, suppose:

  - You use mac-address to authorize MAC address 0060b0-880a80 for port 4.
  - You use address-limit to allow three devices on port 4, and the port detects a series of MAC addresses in the following order:
      080090-1362f2
      00f031-423fc1
      080071-0c45a1
      0060b0-880a80 (the address you authorized with the mac-address parameter)

  In the above case, port 4 would assume the following list of authorized addresses:
      080090-1362f2 (the first address the port detected)
      00f031-423fc1 (the second address the port detected)
      0060b0-880a80 (the address you authorized with the mac-address parameter)

  The remaining MAC address the port detects, 080071-0c45a1, is not allowed in the list of authorized addresses, and so is handled as an intruder.

  Permanence of Authorized Addresses in Static Mode: A MAC address that you specifically authorize with the mac-address parameter cannot age out. Instead, it remains in the port's authorized-devices list until you take one of the following actions:
  - Remove it with a CLI command;
  - Use the CLI to disable port security on the port;
  - Reset the switch to its default configuration;
  - Reboot without first executing write memory.

  While in Static mode, if a port adds a MAC address that you have not specifically authorized (see the above example), that address remains in the Authorized list until you take one of the following actions:
  - Remove it with a CLI command;
  - Remove the link and reboot the switch after device detection;
  - Disable port security on that port;
  - Reset the switch to its factory-default configuration.

  Caution: When you use static with a device limit greater than the number of MAC addresses you specify with mac-address, an unwanted device can become authorized. This can occur because the port, in order to fulfill the number of devices allowed by the address-limit parameter, automatically adds devices it detects until the specified limit is reached.
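The following is an added example, written for this page and not part of the HP manual or the switch firmware. It models the static learn-mode behaviour exactly as Table 7-1 states it (addresses given with mac-address are always authorized, open slots up to address-limit are filled by the first MAC addresses detected, and everything after that is an intruder), replays the table's port 4 scenario, and exposes the Caution as a number: the open slots an unspecified device can still claim. The class and function names (StaticPort, normalize_mac, simulate, table_example) are this example's own, and the colon- and dot-separated MAC notations it accepts are an assumption for convenience, not a switch feature.

```python
"""Model of HP 2500 port-security learn-mode static (constructed example).

Illustrative code for this page, not the switch firmware. It assumes the
behaviour exactly as Table 7-1 describes it: mac-address entries are always
authorized, the port fills remaining slots up to address-limit with the first
MACs it detects, and any further unlisted MAC is handled as an intruder.
"""
import re
from dataclasses import dataclass, field

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC to the switch's xxxxxx-xxxxxx form.

    Accepts the HP form (0060b0-880a80) as well as colon- or dot-separated
    notations (assumed for convenience). Raises on bad input so a typo in a
    mac-address entry is caught instead of silently authorizing nothing.
    """
    digits = re.sub(r"[-:.]", "", mac.strip().lower())
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[:6]}-{digits[6:]}"


@dataclass
class StaticPort:
    """One port configured with learn-mode static (constructed model)."""
    port: int
    address_limit: int
    specified: list = field(default_factory=list)  # entries from mac-address
    learned: list = field(default_factory=list)    # auto-filled, in detection order

    def __post_init__(self):
        self.specified = [normalize_mac(m) for m in self.specified]
        if len(self.specified) > self.address_limit:
            raise ValueError("more mac-address entries than address-limit allows")

    def open_slots(self) -> int:
        """Slots an unspecified (possibly unwanted) device can still claim.

        This is the exposure the table's Caution describes; a port whose
        address-limit equals its mac-address count has zero open slots.
        """
        return self.address_limit - len(self.specified) - len(self.learned)

    def receive(self, mac: str) -> str:
        """Classify a frame's source MAC the way the port would.

        Returns 'authorized' (already in the list), 'learned' (just added to
        fill an open slot) or 'intruder' (limit reached and not listed).
        """
        mac = normalize_mac(mac)
        if mac in self.specified or mac in self.learned:
            return "authorized"
        if self.open_slots() > 0:
            self.learned.append(mac)
            return "learned"
        return "intruder"

    def authorized_list(self) -> list:
        """The port's current authorized-devices list."""
        return self.learned + self.specified


def simulate(port: StaticPort, sequence) -> list:
    """Feed detected MACs to the port in order; return (mac, verdict) pairs."""
    return [(normalize_mac(m), port.receive(m)) for m in sequence]


def table_example() -> StaticPort:
    """Replay Table 7-1's scenario: port 4, address-limit 3, one mac-address
    entry, and four addresses detected in the stated order."""
    port = StaticPort(port=4, address_limit=3, specified=["0060b0-880a80"])
    simulate(port, ["080090-1362f2", "00f031-423fc1",
                    "080071-0c45a1", "0060b0-880a80"])
    return port


if __name__ == "__main__":
    p = StaticPort(port=4, address_limit=3, specified=["0060b0-880a80"])
    print(f"open slots before any traffic: {p.open_slots()}")  # the Caution case
    for mac, verdict in simulate(p, ["080090-1362f2", "00f031-423fc1",
                                     "080071-0c45a1", "0060b0-880a80"]):
        print(f"port {p.port}: {mac} -> {verdict}")
    print("authorized list:", p.authorized_list())
    # Hardened form: address-limit equal to the number of mac-address entries,
    # so no unspecified device can be learned.
    locked = StaticPort(port=4, address_limit=1, specified=["0060b0-880a80"])
    print("locked port open slots:", locked.open_slots())
```

Running the script reproduces the table: the two first-seen addresses are learned, 080071-0c45a1 is reported as an intruder, and the specified address is authorized regardless of when it appears. The `open_slots()` value of 2 before any traffic is the quantity to check when reviewing a configuration: keeping address-limit equal to the number of mac-address entries drives it to 0, which is the mitigation for the Caution.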