D-Link DGS-1250 Emulator - Page 346

DGS-1250 Series Gigabit Ethernet Smart Managed Switch CLI Reference Guide Usage Guideline When port security is enabled, if the port mode is configured as delete-on-timeout, the port will automatically learn the dynamic secured entry which will be timed out. These entries will be aged out based on the setting specified by the switchport port-security aging command. If the port mode is permanent, the port will automatically learn permanent secured entries which will not be timed out. The auto-learned permanent secured entry will be stored in the running configuration. As the port mode-security state is changed, the violation counts will be cleared, and the auto-permanent entries will be converted to corresponding dynamic entries. As the port-security state is changed to disabled, the auto-learned secured entries, either dynamic or permanent with its violation counts are cleared. As the related VLAN configuration is changed, the auto-learned dynamic secured entries are cleared. Permanent secured entry will be kept in the running configuration and can be stored to the NVRAM by using the copy command. The user configured secure MAC addresses are counted in the maximum number of MAC addresses on a port. As a permanent secured entry of a port security enabled port, the MAC address cannot be moved to another port. When the maximum setting is changed, the learned address will remain unchanged when the maximum number increases. If the maximum number is changed to a lower value which is lower than the existing entry number, the command is rejected. A port-security enabled port has the following restrictions.  The port security function cannot be enabled simultaneously with 802.1X and IMPB, that provides more advanced security capabilities.  If a port is specified as the destination port for the mirroring function, the port security function cannot be enabled.  If the port is a link aggregation member port, the port security function cannot be enabled. When the maximum number of secured users is exceeded, one of the following actions can occur:  Protect - When the number of port secure MAC addresses reaches the maximum number of users that is allowed on the port, the packets with the unknown source address is dropped until some secured entry is removed to release the space.  Restrict - A port security violation restricts data and causes the security violation counter to increment.  Shutdown - The interface is disabled, based on errors, when a security violation occurs. Example This example shows how to configure the port security mode to be permanent, specifying that a maximum of 5 secure MAC addresses are allowed on the port. Switch# configure terminal Switch(config)# interface eth1/0/1 Switch(config-if)# switchport port-security mode permanent Switch(config-if)# switchport port-security maximum 5 Switch(config-if)# This example shows how to manually add the secure MAC addresses 00-00-12-34-56-78 with VID 5 on port 1. Switch# configure terminal Switch(config)# interface eth1/0/1 Switch(config-if)# switchport port-security mac-address 00-00-12-34-56-78 vlan 5 Switch(config-if)# This example shows how to configure the Switch to drop all packets from the insecure hosts at the port-security process level and increment the security violation counter if a security violation is detected. Switch# configure terminal Switch(config)# interface eth1/0/1 Switch(config-if)# switchport port-security violation restrict Switch(config-if)# 343