SMC Networks SMC TigerStack II SMC6624M User Manual


7-12

Using Passwords, Port Security, and Authorized IP Managers To Protect Against Unauthorized Access
Configuring and Monitoring Port Security


Table 7-1. Port Security Parameters

Parameter: Port List
Syntax: <[ethernet] port-list>
Description: Identifies the port or ports on which to apply a port security command.

Parameter: Learn Mode
Syntax: learn-mode <static | continuous>
Description: Specifies how the port acquires authorized addresses.

Continuous (the default): Appears in the factory-default setting or when you execute no port-security. Allows the port to learn addresses from inbound traffic from any device(s) to which it is connected. In this state, the port accepts traffic from any device(s) to which it is connected. Addresses learned this way appear in the switch and port address tables and age out according to the Address Age Interval in the System Information configuration screen (page 5-21).

Static: Enables you to use the mac-address parameter to specify the MAC addresses of the devices authorized for a port, and the address-limit parameter to specify the number of MAC addresses authorized for the port. You can authorize specific devices for the port, while still allowing the port to accept other, non-specified devices until the device limit has been reached. That is, if you enter fewer MAC addresses than you authorized, the port authorizes the remaining addresses in the order in which it automatically learns them. For example, if you use address-limit to specify three authorized devices, but use mac-address to specify only one authorized MAC address, the port adds the one specifically authorized MAC address to its authorized-devices list and the first two additional MAC addresses it detects. For example, suppose:

– You use mac-address to authorize MAC address 0060b0-880a80 for port 4.

– You use address-limit to allow three devices on port 4 and the port detects a series of MAC addresses in the following order:

080090-1362f2
00f031-423fc1
080071-0c45a1
0060b0-880a80 (the address you authorized with the mac-address parameter)

In the above case, port 4 would assume the following list of authorized addresses:

080090-1362f2 (the first address the port detected)
00f031-423fc1 (the second address the port detected)
0060b0-880a80 (the address you authorized with the mac-address parameter)

The remaining MAC address the port detects, 080071-0c45a1, is not allowed in the list of authorized addresses, and so is handled as an intruder.

Permanence of Authorized Addresses in Static Mode: A MAC address that you specifically authorize with the mac-address parameter cannot age out. Instead, it remains in the port's authorized-devices list until you take one of the following actions: remove it with a CLI command; use the CLI to disable port security on the port; reset the switch to its default configuration; reboot without first executing write memory.

While in Static mode, if a port adds a MAC address that you have not specifically authorized (see the above example), that address remains in the Authorized list until you take one of the following actions: remove it with a CLI command; remove the link and reboot the switch after device detection; disable port security on that port; reset the switch to its factory-default configuration.

Caution: When you use static with a device limit greater than the number of MAC addresses you specify with mac-address, an unwanted device can become "authorized". This can occur because the port, in order to fulfill the number of devices allowed by the address-limit parameter, automatically adds devices it detects until the specified limit is reached.
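The following is an added illustration, not code from the manual or from SMC firmware: it models the static learn-mode rule described in Table 7-1 (explicitly configured mac-address entries plus auto-learned addresses up to address-limit, with later arrivals treated as intruders) and adds an audit that flags the condition the Caution warns about, where address-limit exceeds the number of mac-address entries. The class, function and field names are assumptions made for this example; the MAC addresses are the ones used in the manual's port 4 walkthrough.

```python
"""Model of learn-mode static port security as described in Table 7-1.

Added example; not SMC firmware or CLI code. Names such as
StaticPortSecurity, detect() and audit_port() are assumptions.
"""
from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Accept 00:60:b0:88:0a:80, 0060.b088.0a80 or 0060b0-880a80 and
    return the manual's xxxxxx-xxxxxx form in lower case."""
    hexdigits = "".join(ch for ch in mac.lower() if ch not in ":-.")
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{hexdigits[:6]}-{hexdigits[6:]}"


@dataclass
class StaticPortSecurity:
    """One port in learn-mode static with an address-limit."""
    port: int
    address_limit: int
    configured: list = field(default_factory=list)  # entries given with mac-address
    learned: list = field(default_factory=list)     # addresses the port added itself
    intruders: list = field(default_factory=list)   # addresses refused once full

    def __post_init__(self):
        self.configured = [normalize_mac(m) for m in self.configured]

    @property
    def authorized(self) -> list:
        # Learned addresses fill the slots the configured entries leave open.
        return self.learned + self.configured

    def detect(self, mac: str) -> bool:
        """Process one source MAC seen on the port. Returns True if the frame
        is accepted, False if the address is handled as an intruder."""
        mac = normalize_mac(mac)
        if mac in self.configured or mac in self.learned:
            return True
        if len(self.configured) + len(self.learned) < self.address_limit:
            self.learned.append(mac)   # auto-authorized in order of detection
            return True
        self.intruders.append(mac)
        return False


def audit_port(port: StaticPortSecurity) -> list:
    """Flag the Caution case: spare slots below address-limit that any
    first-seen device will occupy and thereby become authorized."""
    slack = port.address_limit - len(port.configured)
    if slack <= 0:
        return []
    return [f"port {port.port}: address-limit {port.address_limit} exceeds "
            f"{len(port.configured)} mac-address entries; "
            f"{slack} unspecified device(s) will be auto-authorized"]


def run_manual_example():
    """Replays the port 4 scenario from Table 7-1 (constructed sequence)."""
    port4 = StaticPortSecurity(port=4, address_limit=3,
                               configured=["0060b0-880a80"])
    for mac in ("080090-1362f2", "00f031-423fc1",
                "080071-0c45a1", "0060b0-880a80"):
        port4.detect(mac)
    return port4.authorized, port4.intruders, audit_port(port4)


if __name__ == "__main__":
    authorized, intruders, findings = run_manual_example()
    print("authorized:", authorized)
    print("intruders: ", intruders)
    for line in findings:
        print("audit:     ", line)
```

Running the block reproduces the manual's outcome: the two first-seen addresses and the configured one are authorized, 080071-0c45a1 is rejected, and the audit reports two open slots on port 4. Setting address-limit equal to the number of mac-address entries makes the audit return nothing and makes detect() refuse every address that was not explicitly configured.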
