Port security overview – Allied Telesis AT-S41 User Manual

Page 60

AT-S41 User’s Guide

Port Security Overview

The port security feature can enhance the security of your network. You
can use the feature to control the number of MAC addresses learned on
the ports, and so control the number of network devices that can
forward frames through the stack.

An AT-8350GB stack has three levels of port security: Normal (default),
Limited, and Secure. You can set the security level on a per port basis.
The security levels are briefly described below.

Normal
This is the default port security setting and indicates that port security is
disabled on the port. The switch learns and adds addresses to its
dynamic MAC address table as it receives frames on the port.

Limited
You use this security level to specify the maximum number of dynamic
MAC addresses a port can learn. Once a port has learned its maximum
limit of MAC addresses, it will discard any frames that it receives with a
source MAC address not already learned and stored in the MAC address
table. When a port is set to Limited security, any MAC addresses it
learned prior to being set to Limited security are retained in the MAC
address table and included in the threshold count. The threshold levels
apply only to dynamic MAC addresses. You can continue to add static
MAC addresses to a port operating under Limited security.

This security level can prevent unauthorized individuals from
connecting to your network and gaining access to network resources.
For example, if an AT-8350GB port is connected to an Ethernet hub with
four workstations attached, you can configure the switch port to learn
only four MAC addresses. Once those addresses are learned, anyone else
attempting to connect to the network through the Ethernet hub would be
denied access.

The MAC aging time for the port remains active under this security level.
Inactive dynamic MAC addresses learned on the port are aged out from
the MAC address table.

Secure
This security level causes the port to immediately stop learning new
dynamic MAC addresses. The port forwards frames based on the
dynamic MAC addresses that it has already learned and any static MAC
addresses that the network administrator enters.
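The Limited and Secure behaviours described above, as an added model (a constructed Python illustration, not AT-S41 code or the switch's CLI): a single port whose MAC table is driven by received frames, showing the hub example with a fifth device refused, previously learned addresses retained across a level change, and static entries bypassing the count. The 300-second aging time and the MAC addresses are assumed sample values.

```python
from enum import Enum

class Level(Enum):
    NORMAL = "normal"    # port security disabled: learn freely
    LIMITED = "limited"  # learn at most `limit` dynamic MACs
    SECURE = "secure"    # stop learning new dynamic MACs immediately

class Port:  # one switch port with its MAC table (constructed model, not AT-S41 code)
    def __init__(self, level=Level.NORMAL, limit=0, aging_time=300):
        self.level, self.limit = level, limit
        self.aging_time = aging_time  # idle seconds before a dynamic entry ages out (assumed)
        self.dynamic = {}             # dynamic MAC -> last-seen time; kept when level changes
        self.static = set()           # administrator-entered MACs: never counted, never aged

    def age_out(self, now):
        # The manual states aging stays active under Limited; applying it to every level is assumed.
        self.dynamic = {m: t for m, t in self.dynamic.items() if now - t <= self.aging_time}

    def receive(self, src_mac, now):
        """Return True if a frame from src_mac is forwarded, False if discarded."""
        self.age_out(now)
        if src_mac in self.static:
            return True
        if src_mac in self.dynamic:
            self.dynamic[src_mac] = now  # refresh the activity timer
            return True
        if self.level is Level.SECURE:
            return False                 # unknown source and no new learning
        if self.level is Level.LIMITED and len(self.dynamic) >= self.limit:
            return False                 # threshold reached: discard the frame
        self.dynamic[src_mac] = now      # learn the address and forward
        return True

def hub_scenario():
    """Hub with four workstations on a Limited port; a fifth device is refused."""
    p = Port(Level.LIMITED, limit=4)
    macs = [f"00:00:5e:00:53:0{i}" for i in range(1, 6)]  # constructed addresses
    return [p.receive(m, now=0) for m in macs]

def retained_then_secure():
    """Two MACs learned under Normal are kept when the port is switched to Secure."""
    p = Port()
    p.receive("00:00:5e:00:53:11", 0)
    p.receive("00:00:5e:00:53:12", 0)
    p.level = Level.SECURE
    p.static.add("00:00:5e:00:53:aa")  # static entry added by the administrator
    return (p.receive("00:00:5e:00:53:11", 10),  # already learned: forwarded
            p.receive("00:00:5e:00:53:aa", 10),  # static: forwarded
            p.receive("00:00:5e:00:53:13", 10))  # new dynamic: discarded
```

With a short aging time the model also shows a Limited port freeing a slot once an inactive address ages out, which is why a device that was refused earlier can be accepted later.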