Cisco WS-C4003 Software Guide - Page 250
Understanding How Port Security Works
Chapter 16 Configuring Port Security

Allocation of the maximum number of MAC addresses for each port depends on your network configuration. The following combinations are examples of valid allocations:

• 1025 (1 + 1024) addresses on 1 port and 1 address each on the rest of the ports.
• 513 (1 + 512) each on 2 ports in a system and 1 address each on the rest of the ports.
• 901 (1 + 900) on one port, 101 (1 + 100) on another port, 25 (1 + 24) on a third port, and 1 address each on the rest of the ports.

After you allocate the maximum number of MAC addresses on a port, you can either specify the secure MAC addresses for the port manually or have the port dynamically configure the MAC addresses of the connected devices. Of the maximum number of MAC addresses allocated to a port, you can manually configure all of them, allow all of them to be autoconfigured, or configure some manually and allow the rest to be autoconfigured. Once you manually configure or autoconfigure the addresses, they are stored in NVRAM and are maintained after a reset.

When you manually change the maximum number of MAC addresses associated with a port to a value greater than the default (1) and then manually enter the authorized MAC addresses, any remaining MAC addresses are configured automatically. For example, if you configure port security for a port to have a maximum of ten MAC addresses but add only two MAC addresses, the next eight new source MAC addresses received on that port are added to the secured MAC address list for the port.

After you allocate a maximum number of MAC addresses on a port, you can also specify how long the addresses on the port will remain secure. After the age time expires, the MAC addresses on the port become insecure. By default, all addresses on a port are secured permanently.

If a security violation occurs, you can configure the port to go into either shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts.

Note: If you configure a secure port in restrictive mode, and a station is connected to the port whose MAC address is already configured as a secure MAC address on another port on the switch, the port in restrictive mode shuts down instead of restricting traffic from that station. For example, if you configure MAC-1 as the secure MAC address on port 2/1 and MAC-2 as the secure MAC address on port 2/2, and then connect the station with MAC-1 to port 2/2 while port 2/2 is configured for restrictive mode, port 2/2 shuts down instead of restricting traffic from MAC-1.

When a secure port receives a packet, the source MAC address of the packet is compared to the list of secure source addresses that were manually configured or autoconfigured (learned) on the port. If the MAC address of a device attached to the port is not in the list of secure addresses, the port either shuts down permanently (default mode), shuts down for the time you have specified, or drops incoming packets from the insecure host. The behavior of a port depends on how you configure it to respond to a security violation.

If a security violation occurs, the Link LED for that port turns orange, and a link-down trap is sent to the Simple Network Management Protocol (SNMP) manager. An SNMP trap is not sent if you configure the port for restrictive violation mode. A trap is sent only if you configure the port to shut down during a security violation.

16-2 Software Configuration Guide-Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 78-12647-02
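The following Python model is an added example, not Cisco code and not part of the guide; it walks through the port-security decision logic described in this section (allocation and autoconfiguration, aging, shutdown versus restrictive mode, the duplicate-MAC note, and when an SNMP trap is sent) so that the behavior can be checked step by step. Port names such as 2/1 and 2/2 and the labels MAC-1 and MAC-2 are taken from the text; the port 3/1, 4/1 and the hexadecimal addresses are constructed for the example. Two simplifications are assumptions of this model rather than statements of the guide: an address that is already secure on another port is never autoconfigured on a second port, and timed (non-permanent) shutdown is not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SecurePort:
    """One secure port, with the settings the chapter describes."""
    name: str
    max_addrs: int = 1                 # allocated maximum; the default is 1
    mode: str = "shutdown"             # "shutdown" (default) or "restrictive"
    age_time: Optional[int] = None     # seconds until addresses become insecure; None = permanent
    secure: Dict[str, int] = field(default_factory=dict)  # secure MAC -> time it was secured
    is_shutdown: bool = False


class Switch:
    def __init__(self, ports: List[SecurePort]):
        self.ports = {p.name: p for p in ports}
        self.traps: List[Tuple[str, str]] = []   # link-down traps sent to the SNMP manager

    def owner(self, mac: str) -> Optional[str]:
        """Return the port on which `mac` is already a secure address, if any."""
        for p in self.ports.values():
            if mac in p.secure:
                return p.name
        return None

    def configure(self, port_name: str, mac: str, now: int = 0) -> None:
        """Manually enter a secure MAC address; it counts against the port's allocation."""
        port = self.ports[port_name]
        if len(port.secure) >= port.max_addrs:
            raise ValueError(f"{port_name}: allocation of {port.max_addrs} addresses is used up")
        port.secure[mac] = now

    def expire(self, now: int) -> None:
        """Aging: addresses whose age time has elapsed become insecure (are dropped from the list)."""
        for p in self.ports.values():
            if p.age_time is not None:
                p.secure = {m: t for m, t in p.secure.items() if now - t < p.age_time}

    def receive(self, port_name: str, src_mac: str, now: int = 0) -> str:
        """Apply the violation logic to one incoming frame and return the action taken."""
        port = self.ports[port_name]
        if port.is_shutdown:
            return "port-down"
        if src_mac in port.secure:
            return "forward"                     # source matches the secure list
        # Assumption (not stated by the guide): an address secure on another port is never learned here.
        secured_elsewhere = self.owner(src_mac) is not None
        if not secured_elsewhere and len(port.secure) < port.max_addrs:
            port.secure[src_mac] = now           # autoconfigure into the remaining allocation
            return "learned"
        if port.mode == "restrictive" and not secured_elsewhere:
            return "drop"                        # restrictive mode: port stays up, insecure host dropped
        port.is_shutdown = True                  # shutdown mode, or the duplicate-MAC case from the Note
        if port.mode == "shutdown":
            self.traps.append(("link-down", port_name))  # trap only for ports configured to shut down
        return "shutdown"


def duplicate_mac_example() -> List[str]:
    """The Note's example: MAC-1 secure on 2/1, MAC-2 secure on 2/2, 2/2 in restrictive mode."""
    sw = Switch([SecurePort("2/1"), SecurePort("2/2", mode="restrictive")])
    sw.configure("2/1", "MAC-1")
    sw.configure("2/2", "MAC-2")
    # MAC-2 is forwarded, MAC-1 shuts the port down, and the port then stays down for MAC-2 too
    return [sw.receive("2/2", "MAC-2"), sw.receive("2/2", "MAC-1"), sw.receive("2/2", "MAC-2")]


def ten_address_example() -> Tuple[List[str], int]:
    """Maximum of ten on one port, two entered manually, eight autoconfigured, an eleventh violates."""
    sw = Switch([SecurePort("3/1", max_addrs=10, mode="restrictive")])   # constructed port
    sw.configure("3/1", "00:00:00:00:00:01")
    sw.configure("3/1", "00:00:00:00:00:02")
    actions = [sw.receive("3/1", f"00:00:00:00:00:{i:02x}") for i in range(3, 12)]
    return actions, len(sw.traps)   # eight "learned", one "drop", no trap in restrictive mode


def aging_example() -> List[str]:
    """An address secured with a 60-second age time becomes insecure, freeing its slot."""
    sw = Switch([SecurePort("4/1", age_time=60)])   # constructed port
    sw.configure("4/1", "MAC-A", now=0)
    first = sw.receive("4/1", "MAC-A", now=30)
    sw.expire(now=100)
    second = sw.receive("4/1", "MAC-B", now=100)
    return [first, second]


if __name__ == "__main__":
    print(duplicate_mac_example())
    print(ten_address_example())
    print(aging_example())
```

The duplicate-MAC case is the one to watch operationally: an administrator who chooses restrictive mode expecting the port to stay up can still lose the port when a secured station is moved between ports, and because the port was configured restrictive, the model (following the text) sends no trap for it, so the outage is visible only on the Link LED or in the port status.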