33 Configuring Port Security – CANOGA PERKINS CanogaOS Configuration Guide User Manual


CanogaOS Configuration Guide

Proprietary & Confidential Canoga Perkins Metro Ethernet Switches

Page 292 of 350

33 Configuring Port Security

The port security feature limits the number of “secure” MAC addresses learned on a
particular interface. The interface forwards only packets whose source MAC addresses
match these secure addresses. Secure MAC addresses can be created manually or learned
automatically. After the device reaches the limit for the number of secure MAC addresses it can
learn on the interface, a packet received on that interface with a source MAC address that is
different from any of the secure addresses is considered a security violation.
Port security also binds a MAC address to a port so that the port does not forward packets with
source addresses outside the group of defined addresses. If a MAC address configured or
learned on a secure port attempts to access another port, this is also considered a security
violation.
Two types of secure MAC addresses are supported:

• Static secure MAC addresses: These are manually configured with the interface configuration command switchport port-security mac-address MAC.

• Dynamic secure MAC addresses: These are dynamically learned.

If a security violation occurs, the packets to be forwarded will be dropped.

33.1 Configuring port security

Follow these steps to enable and configure port security.

33.1.1 Configurations

DUT1#configure terminal

Enter the Configure mode.

DUT1(config)#interface eth-0-1

Specify the interface (eth-0-1) to be configured and enter
Interface mode.

DUT1(config-if)#switchport

Configure the interface as a Layer 2 interface.

DUT1(config-if)#switchport port-security

Enable port security on the port.

DUT1(config-if)#switchport port-security maximum 3

Set the maximum number of secure MAC addresses for this interface.

DUT1(config-if)#switchport port-security mac-address 0000.1111.2222 vlan 1

Add a secure MAC address 0000.1111.2222 for this interface.

DUT1(config-if)#switchport port-security mac-address 0000.aaaa.bbbb vlan 1

Add a secure MAC address 0000.aaaa.bbbb for this interface.

DUT1(config-if)#end

Return to privileged EXEC mode.

DUT1#show port-security

Verify the configuration.
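
The following Python model is an added illustration, not CanogaOS code or part of the original manual. It replays the configuration above (maximum 3, two static addresses on eth-0-1) against constructed sample frames to show when a security violation occurs. Assumptions: static addresses count toward the maximum, secure addresses are tracked per MAC and VLAN, and the port eth-0-2 and the MACs 0000.cccc.dddd and 0000.eeee.ffff are made up for the example.

```python
class PortSecuritySwitch:
    """Simplified model of the port-security rules described in section 33."""

    def __init__(self):
        self.maximum = {}  # port -> maximum number of secure addresses
        self.secure = {}   # (mac, vlan) -> (port, "static" or "dynamic")

    def enable(self, port, maximum):
        self.maximum[port] = maximum

    def _count(self, port):
        return sum(1 for owner, _ in self.secure.values() if owner == port)

    def add_static(self, port, mac, vlan):
        # Assumption: static entries count toward the port's maximum.
        if self._count(port) >= self.maximum[port]:
            raise ValueError("secure address limit reached on " + port)
        self.secure[(mac.lower(), vlan)] = (port, "static")

    def receive(self, port, src_mac, vlan):
        """Return 'forward' or 'violation' for a frame arriving on port."""
        key = (src_mac.lower(), vlan)
        entry = self.secure.get(key)
        if entry is not None:
            # A secure MAC bound to one port is a violation on any other port.
            return "forward" if entry[0] == port else "violation"
        if port not in self.maximum:
            return "forward"  # port security is not enabled on this port
        if self._count(port) < self.maximum[port]:
            self.secure[key] = (port, "dynamic")  # learn dynamically
            return "forward"
        return "violation"  # limit reached and source unknown: frame dropped


def demo():
    sw = PortSecuritySwitch()
    sw.enable("eth-0-1", maximum=3)
    sw.add_static("eth-0-1", "0000.1111.2222", 1)
    sw.add_static("eth-0-1", "0000.aaaa.bbbb", 1)
    frames = [  # constructed traffic: (ingress port, source MAC, VLAN)
        ("eth-0-1", "0000.1111.2222", 1),  # static secure address
        ("eth-0-1", "0000.cccc.dddd", 1),  # third address, learned dynamically
        ("eth-0-1", "0000.eeee.ffff", 1),  # fourth address, over the limit
        ("eth-0-2", "0000.aaaa.bbbb", 1),  # secure MAC seen on another port
    ]
    return [sw.receive(*frame) for frame in frames]


if __name__ == "__main__":
    print(demo())
```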
