CANOGA PERKINS 9175 Configuration Guide User Manual


CanogaOS Configuration Guide


34 Configuring Port Security

34.1 Overview

The port security feature limits the number of "secure" MAC addresses learned on a
particular interface. The interface forwards only packets whose source MAC address
matches one of these secure addresses. Secure MAC addresses can be configured
manually or learned automatically. Once the interface has reached its limit for the
number of secure MAC addresses it can learn, any packet arriving with a source MAC
address that differs from every secure address on that interface is treated as a
security violation.
Port security also binds a MAC address to a port, so that the port does not forward
packets with source addresses outside the group of defined addresses. If a MAC address
configured or learned on a secure port attempts to access another port, this is also
treated as a security violation.
Two types of secure MAC addresses are supported:

• Static secure MAC addresses: configured manually with the interface configuration
  command switchport port-security mac-address MAC.

• Dynamic secure MAC addresses: learned dynamically from traffic.

If a security violation occurs, the packets to be forwarded will be dropped.
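The following Python model is an added example, not CanogaOS code, and its class and function names are this example's own. It reproduces the rules stated above (a per-interface limit on secure addresses, static and dynamically learned entries, a violation when an unknown source arrives after the limit is reached, and a violation when a MAC secured on one port appears on another) so the behaviour can be walked through offline, using the interface name and static addresses from the configuration steps in this chapter plus a constructed second port.

```python
"""Model of the port-security rules described in the overview.

Added example, not CanogaOS code: the names below are this example's own.
"""
from dataclasses import dataclass, field

FORWARD = "forward"
DROP = "drop"


@dataclass
class SecurePort:
    name: str
    maximum: int                               # switchport port-security maximum N
    static: set = field(default_factory=set)   # switchport port-security mac-address ...
    dynamic: set = field(default_factory=set)  # learned from traffic
    violations: int = 0

    def secure_addresses(self):
        return self.static | self.dynamic


class PortSecuritySwitch:
    def __init__(self):
        self.ports = {}
        self.owner = {}  # secure MAC -> name of the port it is bound to

    def enable(self, name, maximum, static=()):
        """Enable port security on a port with an optional static address list."""
        static = set(static)
        if len(static) > maximum:
            raise ValueError(f"{name}: {len(static)} static addresses exceed maximum {maximum}")
        for mac in static:
            if self.owner.get(mac, name) != name:
                raise ValueError(f"{mac} is already secured on {self.owner[mac]}")
        port = SecurePort(name, maximum, static)
        self.ports[name] = port
        for mac in static:
            self.owner[mac] = name
        return port

    def receive(self, name, src_mac):
        """Apply the rules to one frame arriving on port `name` from `src_mac`."""
        port = self.ports[name]
        bound_to = self.owner.get(src_mac)
        if bound_to is not None and bound_to != name:
            # a MAC secured on another port is trying to use this one
            port.violations += 1
            return DROP
        if src_mac in port.secure_addresses():
            return FORWARD
        if len(port.secure_addresses()) < port.maximum:
            # room left under the limit: learn the address dynamically
            port.dynamic.add(src_mac)
            self.owner[src_mac] = name
            return FORWARD
        # limit reached and the source is not a secure address
        port.violations += 1
        return DROP

    def summary(self):
        """Rows in the spirit of `show port-security`: port, max, current, violations."""
        return [(p.name, p.maximum, len(p.secure_addresses()), p.violations)
                for p in self.ports.values()]


def demo():
    """Constructed scenario mirroring the eth-0-1 steps plus a second port (eth-0-2)."""
    sw = PortSecuritySwitch()
    sw.enable("eth-0-1", maximum=3, static=["0000.1111.2222", "0000.aaaa.bbbb"])
    sw.enable("eth-0-2", maximum=1)
    results = [
        sw.receive("eth-0-1", "0000.1111.2222"),  # static entry: forward
        sw.receive("eth-0-1", "0000.3333.4444"),  # third address learned: forward
        sw.receive("eth-0-1", "0000.5555.6666"),  # limit reached: violation, drop
        sw.receive("eth-0-2", "0000.1111.2222"),  # bound to eth-0-1: violation, drop
        sw.receive("eth-0-2", "0000.7777.8888"),  # learned on eth-0-2: forward
        sw.receive("eth-0-1", "0000.3333.4444"),  # already learned: forward
    ]
    return results, sw.summary()


if __name__ == "__main__":
    for row in demo()[1]:
        print("%-10s max=%d current=%d violations=%d" % row)
```

The `owner` map is what implements the second rule in the text: an address is bound to the first secure port that configured or learned it, and any other port seeing it as a source records a violation and drops the frame.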

34.2 Configurations

Follow these steps to enable and configure port security:

DUT1#configure terminal
    Enter the Configure mode.

DUT1(config)#interface eth-0-1
    Specify the interface (eth-0-1) to be configured and enter the Interface mode.

DUT1(config-if)#switchport
    Configure the port as a Layer 2 interface.

DUT1(config-if)#switchport port-security
    Enable port security on the port.

DUT1(config-if)#switchport port-security maximum 3
    Set the maximum number of secure MAC addresses for this interface.

DUT1(config-if)#switchport port-security mac-address 0000.1111.2222 vlan 1
    Add the secure MAC address 0000.1111.2222 for this interface.

DUT1(config-if)#switchport port-security mac-address 0000.aaaa.bbbb vlan 1
    Add the secure MAC address 0000.aaaa.bbbb for this interface.

DUT1(config-if)#end
    Return to privileged EXEC mode.

DUT1#show port-security
    Verify the configuration.
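As an added example (not part of the guide, and not a CanogaOS tool), the Python helper below assembles the command sequence from the steps above for one interface. Its value is the checks it performs before anything reaches a switch: it normalizes MAC addresses written with colons, hyphens or dotted groups into the dotted form the commands use, rejects malformed or duplicate entries, and refuses a static list longer than the configured maximum (an assumption about a sensible configuration, not a rule stated in the guide). The function and helper names are this example's own.

```python
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Return a MAC in the dotted form the CLI steps use (e.g. 0000.1111.2222).

    Accepts colon, hyphen, dotted or bare 12-hex-digit input; rejects anything else.
    """
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def port_security_config(interface, maximum, static_macs, vlan=1):
    """Build the command sequence from the configuration steps for one interface.

    The static-count check is this example's assumption: a static list longer
    than the maximum cannot all take effect, so it is rejected up front.
    """
    if maximum < 1:
        raise ValueError("maximum must be at least 1")
    macs = [normalize_mac(m) for m in static_macs]
    if len(set(macs)) != len(macs):
        raise ValueError("duplicate static MAC address")
    if len(macs) > maximum:
        raise ValueError(f"{len(macs)} static addresses exceed maximum {maximum}")
    lines = [
        "configure terminal",
        f"interface {interface}",
        "switchport",
        "switchport port-security",
        f"switchport port-security maximum {maximum}",
    ]
    lines += [f"switchport port-security mac-address {m} vlan {vlan}" for m in macs]
    lines.append("end")
    return lines


if __name__ == "__main__":
    # Constructed input reproducing the eth-0-1 steps, with one MAC in colon form
    for line in port_security_config("eth-0-1", 3, ["0000.1111.2222", "00:00:aa:aa:bb:bb"]):
        print(line)
```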

34.3 Validation Commands

DUT1#show port-security
  address-table  current  interface  maximum

DUT1#show port-security
Secure Port   MaxSecureAddr (Count)   CurrentAddr (Count)   SecurityViolationMode
--------------------------------------------------------------
