This section describes the commands you use to configure Port Security on the switch. Port security, also known as port MAC locking, allows you to secure the network by locking the allowable source MAC addresses on a given port. Packets whose source MAC address matches a locked address are forwarded normally; all other packets are discarded.
Note: To enable the SNMP trap specific to port security, see "snmp-server enable traps violation" on page 139.
This command enables port locking on an interface, a range of interfaces, or at the system level.
This command disables port locking for one (Interface Config) or all (Global Config) ports.
This command sets the maximum number of dynamically locked MAC addresses allowed on a specific port.
This command resets the maximum number of dynamically locked MAC addresses allowed on a specific port to its default value.
This command sets the maximum number of statically locked MAC addresses allowed on a port.
This command resets the maximum number of statically locked MAC addresses allowed on a port to its default value.
This command adds a MAC address to the list of statically locked MAC addresses for an interface or range of interfaces. The vid is the VLAN ID.
This command removes a MAC address from the list of statically locked MAC addresses.
This command converts dynamically locked MAC addresses to statically locked addresses for an interface or range of interfaces.
This command enables sticky-mode port MAC locking on a port. If accompanied by a MAC address and a VLAN ID (Interface Config mode only), it adds a sticky MAC address to the list of statically locked MAC addresses. These sticky addresses are converted back to dynamically locked addresses if sticky mode is disabled on the port. The <vid> is the VLAN ID. The Global Config command applies sticky mode to all valid interfaces (physical and LAG); there is no global sticky mode as such.
Sticky addresses that are dynamically learned will appear in show running config as "port-security mac-address sticky <mac> <vid>" entries. This distinguishes them from static entries.
The no form disables sticky mode. A sticky MAC address can be deleted with the command "no port-security mac-address <mac-address> <vid>".
This command displays the port-security settings for the port(s). If you do not use a parameter, the command displays the Port Security Administrative mode. Use the optional parameters to display the settings on a specific interface or on all interfaces.
The display parameters for the above command are:
For each interface, or for the interface you specify, the following information appears:
This command displays the dynamically locked MAC addresses for the port.
The display parameters for the above command are:
This command displays the statically locked MAC addresses for the port.
The display parameters for the above command are:
This command displays the source MAC address of the last packet discarded on a locked port.
The display parameters for the above command are:
This command sets the action to be taken on a PML (port MAC locking) security violation. A violation occurs when the number of dynamically learned entries on an interface exceeds the max-dynamic limit configured on that interface. The action can be restrict or shutdown. With restrict, the offending packet is dropped; with shutdown, the interface is moved to the admin-disabled state. The default action is shutdown.
This command resets the violation action to its default value, shutdown.
This command displays the violation settings for the interface to restrict or shutdown. It also displays the source MAC address of the last packet discarded on a locked port.
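The following Python model, added here as an illustration and not code from the switch or its vendor, ties the commands above together: static and sticky entries, dynamic learning against the max-dynamic limit, the "move" conversion, sticky disable converting entries back to dynamic, the restrict/shutdown violation actions, the last-discarded source MAC shown by the violation display, and the "port-security mac-address sticky <mac> <vid>" form of running-config entries. The numeric defaults, the rule that sticky-learned addresses consume the static limit, and the MAC/VLAN values are constructed assumptions for the example, not the switch's actual defaults.

```python
"""Illustrative model of port MAC locking (port security) semantics.

Added example only: it models the behaviour described in the CLI reference,
not the switch firmware. Defaults and sample addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, int]                     # (source MAC, VLAN ID)
RESTRICT, SHUTDOWN = "restrict", "shutdown"


def _key(mac: str, vid: int) -> Key:
    return mac.lower(), int(vid)


@dataclass
class LockedPort:
    """One interface with port security enabled."""
    max_dynamic: int = 20                 # assumed default for the example
    max_static: int = 20                  # assumed default for the example
    violation: str = SHUTDOWN             # page: default action is shutdown
    sticky: bool = False
    admin_disabled: bool = False
    static: Dict[Key, str] = field(default_factory=dict)   # key -> "static" | "sticky"
    dynamic: Set[Key] = field(default_factory=set)
    last_discarded: Optional[Key] = None  # shown by the violation display

    # ---- configuration side ------------------------------------------------
    def add_static(self, mac: str, vid: int) -> None:
        """port-security mac-address <mac> <vid>; a sticky entry when sticky mode is on."""
        k = _key(mac, vid)
        if k not in self.static and len(self.static) >= self.max_static:
            raise ValueError("max-static limit reached")
        self.dynamic.discard(k)
        self.static[k] = "sticky" if self.sticky else "static"

    def remove_static(self, mac: str, vid: int) -> None:
        """no port-security mac-address <mac> <vid> (also removes a sticky entry)."""
        self.static.pop(_key(mac, vid), None)

    def move_dynamic_to_static(self) -> int:
        """port-security mac-address move: convert dynamic entries while max-static allows."""
        moved = 0
        for k in sorted(self.dynamic):
            if len(self.static) >= self.max_static:
                break
            self.static[k] = "sticky" if self.sticky else "static"
            self.dynamic.discard(k)
            moved += 1
        return moved

    def set_sticky(self, enabled: bool) -> None:
        """Enable or disable sticky mode; disabling converts sticky entries back to dynamic."""
        self.sticky = enabled
        if not enabled:
            for k in [k for k, kind in self.static.items() if kind == "sticky"]:
                del self.static[k]
                self.dynamic.add(k)

    def set_violation(self, action: str) -> None:
        if action not in (RESTRICT, SHUTDOWN):
            raise ValueError(f"unknown violation action {action!r}")
        self.violation = action

    # ---- data plane ----------------------------------------------------------
    def ingress(self, mac: str, vid: int) -> str:
        """Decide a frame's fate: 'forward', 'drop' or 'shutdown' (port disabled)."""
        if self.admin_disabled:           # a shut-down port passes nothing
            return "drop"
        k = _key(mac, vid)
        if k in self.static or k in self.dynamic:
            return "forward"
        if self.sticky:                   # assumption: sticky-learned entries use the static limit
            if len(self.static) < self.max_static:
                self.static[k] = "sticky"
                return "forward"
        elif len(self.dynamic) < self.max_dynamic:
            self.dynamic.add(k)
            return "forward"
        # limit crossed: PML security violation
        self.last_discarded = k
        if self.violation == SHUTDOWN:
            self.admin_disabled = True
            return "shutdown"
        return "drop"

    # ---- show side -----------------------------------------------------------
    def running_config(self) -> List[str]:
        """Static and sticky entries as they would appear in the running config."""
        lines = []
        for (mac, vid), kind in sorted(self.static.items()):
            cmd = "port-security mac-address sticky" if kind == "sticky" else "port-security mac-address"
            lines.append(f"{cmd} {mac} {vid}")
        return lines


if __name__ == "__main__":
    port = LockedPort(max_dynamic=2, violation=RESTRICT)
    port.add_static("00:11:22:33:44:55", 10)
    for mac in ("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"):
        print(mac, "->", port.ingress(mac, 10))
    print("last discarded:", port.last_discarded)
```

Running the module walks a port with two dynamic slots: two unknown sources are learned, the third is discarded under the restrict action and becomes the "last discarded" address; switching the action to shutdown makes the next violation admin-disable the port, after which even the statically locked address is dropped.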