Port Security can be enabled on a per-port basis. When a port is locked, only packets with allowable source MAC addresses can be forwarded. All other packets are discarded. A MAC address can be defined as allowable by one of two methods: dynamically or statically. Note that both methods are used concurrently when a port is locked.
Dynamic locking implements a “first arrival” mechanism for Port Security. You specify how many addresses can be learned on the locked port. If the limit has not been reached, a packet with an unknown source MAC address is learned and forwarded normally. Once the limit is reached, no more addresses are learned on the port. Any packets with source MAC addresses that were not already learned are discarded. Note that you can effectively disable dynamic locking by setting the number of allowable dynamic entries to zero.
Static locking allows you to specify a list of MAC addresses that are allowed on a port. The behavior of packets is the same as for dynamic locking: only packets with an allowable source MAC address can be forwarded.
Disabled ports can only be activated from the Configuring Ports page.
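The forwarding decision described above can be modelled in a few lines. This is an added example, not code from the switch or its vendor; the class and function names are hypothetical, the frames are constructed sample data, and matching entries on the (MAC address, VLAN ID) pair is an assumption based on the VLAN ID fields on the configuration pages.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LockedPort:
    """Simplified model of one locked port (hypothetical names, not firmware)."""
    max_dynamic: int                              # dynamic learning limit; 0 disables dynamic locking
    static: set = field(default_factory=set)      # statically locked (mac, vlan) pairs
    dynamic: list = field(default_factory=list)   # learned (mac, vlan) pairs, first-arrival order
    violation_traps: bool = False                 # "Enable Violation Traps" is No by default
    last_violation: Optional[tuple] = None        # what the Violation Status page would show
    traps: list = field(default_factory=list)     # traps that would have been sent

    def __post_init__(self):
        # Normalise case so comparisons do not depend on how the MAC was typed.
        self.static = {(mac.lower(), vlan) for mac, vlan in self.static}

    def receive(self, src_mac, vlan):
        """Return 'forward' or 'discard' for a frame with this source MAC."""
        key = (src_mac.lower(), vlan)
        # Static and dynamic entries are checked together: both methods are active.
        if key in self.static or key in self.dynamic:
            return "forward"
        # Unknown source: learn it only while the dynamic limit has not been reached.
        if len(self.dynamic) < self.max_dynamic:
            self.dynamic.append(key)
            return "forward"
        # Limit reached (or zero): discard and record the violation.
        self.last_violation = key
        if self.violation_traps:
            self.traps.append(key)
        return "discard"

def replay(port, frames):
    """Feed (src_mac, vlan) frames to the port and collect the decisions."""
    return [port.receive(mac, vlan) for mac, vlan in frames]

# Constructed sample traffic: three unknown hosts and one statically allowed host.
SAMPLE_FRAMES = [
    ("02:00:00:00:00:01", 10),  # learned (1 of 2)
    ("02:00:00:00:00:AA", 10),  # static entry, does not consume a dynamic slot
    ("02:00:00:00:00:02", 10),  # learned (2 of 2)
    ("02:00:00:00:00:03", 10),  # limit reached, discarded
    ("02:00:00:00:00:01", 10),  # already learned, still forwarded
]

if __name__ == "__main__":
    port = LockedPort(max_dynamic=2, static={("02:00:00:00:00:aa", 10)}, violation_traps=True)
    print(replay(port, SAMPLE_FRAMES), port.last_violation)
```

With a limit of zero the same model forwards only the static entries, which is the "effectively disabled" dynamic locking case.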
Use the Port Security Administration page to enable or disable the port security feature on your switch.
To access the Port Security Administration page, click Switching > Port Security > Port Security Administration in the navigation menu.
Select Enable or Disable from the Port Security Mode list and click Submit.
Use the Port Security Interface Configuration page to configure the port security feature on a selected interface.
To access the Port Security Interface Configuration page, click Switching > Port Security > Port Security Interface Configuration in the navigation menu.
Port Security Interface Configuration Fields
| Field | Description |
|---|---|
| Interface | Select the physical interface or the LAG on which to configure port security information. |
| Port Security | Determines whether port security is enabled. The default mode is Disable. |
| Maximum Number of Dynamically Learned MAC Addresses Allowed | Sets the maximum number of dynamically learned MAC addresses on the selected interface. Once the limit is reached, no more addresses are learned on the port. Any packets with source MAC addresses that were not already learned are discarded. You can effectively disable dynamic locking by setting the number of allowable dynamic entries to zero. |
| Maximum Number of Statically Locked MAC Addresses Allowed | Sets the maximum number of statically locked MAC addresses on the selected interface. |
| Add a Static MAC Address | Adds a MAC address to the list of statically locked MAC addresses for the selected interface. Only packets with an allowable source MAC address can be forwarded. |
| VLAN ID | Adds a corresponding VLAN ID for the MAC Address being added to the list of statically locked MAC addresses for the selected interface. |
| Enable Violation Traps | Enables or disables the sending of new violation traps designating when a packet with a disallowed MAC address is received on a locked port. Value is No by default. |
If you make any changes to the page, click Submit to apply the new settings to the system.
Use the Port Security Statically Configured MAC Addresses page to view static MAC addresses configured on an interface. From this page, you can delete statically configured MAC addresses.
To access the Port Security Static page, click Switching > Port Security > Statically Configured MAC Addresses in the navigation menu.
Port Security Statically Configured MAC Address Fields
| Field | Description |
|---|---|
| Interface | Select the physical interface or the LAG on which to view the dynamically learned MAC addresses. |
| MAC Address | This column lists the static MAC addresses, if any, configured on the selected port. |
| VLAN ID | Displays the VLAN ID corresponding to the statically configured MAC address. |
| Delete a static MAC Address | Enter the address of the statically configured MAC address to delete. All MAC addresses that are available to be deleted appear in the MAC Address – VLAN ID table. |
| VLAN ID | Enter the VLAN ID that corresponds to the statically configured MAC address to delete. |
After you enter the MAC address and VLAN ID of the statically configured MAC address to delete, click Submit to remove the MAC address from the port and apply the new settings to the system. The screen refreshes, and the MAC address no longer appears in the table on the page.
Use the Port Security Dynamically Learned MAC Addresses page to view a table with the dynamically learned MAC addresses on an interface. With dynamic locking, MAC addresses are learned on a “first arrival” basis. You specify how many addresses can be learned on the locked port.
To access the Port Security Dynamic page, click Switching > Port Security > Dynamically Learned MAC Addresses in the navigation menu.
Port Security Dynamic Fields
| Field | Description |
|---|---|
| Interface | Select the physical interface or the LAG on which to view the dynamically learned MAC addresses. |
| MAC Address | This column lists the dynamically learned MAC addresses, if any, on the selected port. |
| VLAN ID | Displays the VLAN ID corresponding to the dynamically learned MAC address. |
Use the Port Security Violation Status page to enable or disable the port security feature on your switch.
To access the Port Security Violation Status page, click Switching > Port Security > Violation Status in the navigation menu.
Port Security Violation Status Fields
| Field | Description |
|---|---|
| Interface | Select the physical interface or the LAG on which to view security violation information. |
| Last Violation MAC Address | Displays the source MAC address of the last packet that was discarded at a locked port. |
| VLAN ID | Displays the VLAN ID corresponding to the Last Violation MAC address. |