
Port security – Allied Telesis Rapier Switch User Manual


Layer 2 Switching

37

Software Release 2.5.1
C613-02025-00 REV B

Port security

The port security feature allows control over the stations connected to each
switch port, by MAC address. If enabled on a port, the switch will learn MAC
addresses up to a user-defined limit from 1 to 256, then lock out all other MAC
addresses. One of the following options can be specified for the action taken
when an unknown MAC address is detected on a locked port:

Discard the packet and take no further action,

Discard the packet and notify management with an SNMP trap,

Discard the packet, notify management with an SNMP trap and disable the
port.

To enable port security on a port, set the limit for learned MAC addresses to a
value greater than zero, and specify the action to take for unknown MAC
addresses on a locked port. To disable port security on a port, set the limit for
learned MAC addresses to zero or NONE. Port security can be enabled or
disabled on a port using the command:

SET SWITCH PORT={port-list|ALL} LEARN={NONE|0|1..256}
    [INTRUSIONACTION={NONE|DISCARD|TRAP|DISABLE}]

The INTRUSIONACTION parameter specifies the action taken when the
port(s) receive packets from addresses which are not part of the learned list of
addresses as specified by the LEARN parameter. If DISCARD is specified,
packets received from MAC addresses not on the port’s learn list will be
discarded. If TRAP is specified, packets received from MAC addresses not on
the port’s learn list will be discarded and an SNMP trap will be generated. If
DISABLE is specified, the first time a packet is received from a MAC address
not on the port’s learn list, it will be discarded, an SNMP trap will be generated
and the port(s) will be disabled. To re-enable the port, disable the Port Security
function on the port. The default value for this parameter is DISCARD.

If INTRUSIONACTION is set to TRAP or DISABLE, a list of MAC addresses
for devices that are active on a port, but which are not allowed or learned for
the port, can be displayed using the command:

SHOW SWITCH PORT={port-list|ALL} INTRUSION

Table 8: Example output from the SHOW SWITCH PORT INTRUSION command.

Switch Port Information
----------------------------------------------------------------------------
Port 2 - 13 intrusion(s) detected
 00-00-c0-1d-2c-f8 00-90-27-87-a5-22 00-00-cd-01-00-4a
 00-d0-b7-4d-93-c0 08-00-5a-a1-02-3f 00-d0-b7-d5-5f-a9
 00-b0-d0-20-d1-01 00-90-99-0a-00-49 00-10-83-05-72-83
 00-00-cd-00-45-9e 00-00-c0-ad-a3-d0 00-a0-24-8e-65-3c
 00-90-27-32-ad-61
----------------------------------------------------------------------------

A switch port can be manually locked before it reaches the learning limit, by
using the command:

ACTIVATE SWITCH PORT={port-list|ALL} LOCK
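The following Python script is an added example, not part of the Allied Telesis manual. It covers two things from this page: building a SET SWITCH PORT command that respects the documented ranges (LEARN=NONE|0|1..256, INTRUSIONACTION=NONE|DISCARD|TRAP|DISABLE, default DISCARD), and parsing the SHOW SWITCH PORT INTRUSION output shown in Table 8 so the per-port intrusion MAC list can be fed to a monitoring or ticketing system and checked against the count the switch reports. The sample output below is re-typed from the page; the function names and the assumption that multiple "Port N - M intrusion(s) detected" blocks may appear in one listing are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the Table 8 output from the manual page, re-typed here.
SAMPLE_OUTPUT = """\
Switch Port Information
----------------------------------------------------------------------------
Port 2 - 13 intrusion(s) detected
 00-00-c0-1d-2c-f8 00-90-27-87-a5-22 00-00-cd-01-00-4a
 00-d0-b7-4d-93-c0 08-00-5a-a1-02-3f 00-d0-b7-d5-5f-a9
 00-b0-d0-20-d1-01 00-90-99-0a-00-49 00-10-83-05-72-83
 00-00-cd-00-45-9e 00-00-c0-ad-a3-d0 00-a0-24-8e-65-3c
 00-90-27-32-ad-61
----------------------------------------------------------------------------
"""

VALID_ACTIONS = ("NONE", "DISCARD", "TRAP", "DISABLE")


def port_security_command(port_list, learn, action="DISCARD"):
    """Build a SET SWITCH PORT line following the manual's syntax.

    learn: "NONE" or an integer 0..256 (0/NONE disables port security).
    action: one of the four INTRUSIONACTION keywords, or None to omit the
            optional parameter (the switch then keeps its default, DISCARD).
    """
    if isinstance(learn, str):
        if learn.upper() != "NONE":
            raise ValueError("LEARN must be NONE or an integer in 0..256")
        learn_value = "NONE"
    else:
        if not 0 <= int(learn) <= 256:
            raise ValueError("LEARN must be in 0..256")
        learn_value = str(int(learn))
    cmd = f"SET SWITCH PORT={port_list} LEARN={learn_value}"
    if action is not None:
        action = action.upper()
        if action not in VALID_ACTIONS:
            raise ValueError(f"INTRUSIONACTION must be one of {VALID_ACTIONS}")
        cmd += f" INTRUSIONACTION={action}"
    return cmd


# A MAC in the switch's dashed notation, e.g. 00-00-c0-1d-2c-f8.
MAC_RE = re.compile(r"\b([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\b", re.IGNORECASE)
# Header line that starts each port's block in the listing.
PORT_RE = re.compile(r"^Port\s+(\d+)\s+-\s+(\d+)\s+intrusion\(s\)\s+detected",
                     re.IGNORECASE)


@dataclass
class PortIntrusions:
    port: int
    reported: int                      # count printed by the switch
    macs: list = field(default_factory=list)

    def count_matches(self):
        """True when the parsed MAC list agrees with the switch's count."""
        return self.reported == len(self.macs)


def parse_intrusion_output(text):
    """Return {port_number: PortIntrusions} from SHOW SWITCH PORT INTRUSION text.

    MAC addresses are attributed to the most recent port header seen; lines
    before any header (title, separators) are ignored.
    """
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            current = PortIntrusions(int(m.group(1)), int(m.group(2)))
            result[current.port] = current
            continue
        if current is None:
            continue
        for mac in MAC_RE.findall(line):
            current.macs.append(mac.lower())
    return result


def ports_needing_review(parsed):
    """Ports with at least one intrusion, or whose MAC list does not match the count."""
    return sorted(p for p, info in parsed.items()
                  if info.macs or not info.count_matches())


if __name__ == "__main__":
    print(port_security_command("1-24", 2, "TRAP"))
    for port, info in parse_intrusion_output(SAMPLE_OUTPUT).items():
        print(f"port {port}: {len(info.macs)} MAC(s), switch reported {info.reported}")
        for mac in info.macs:
            print("  ", mac)
```

The parser keys on the "Port N - M intrusion(s) detected" header and treats every dashed MAC after it as belonging to that port, so a listing for several ports (PORT=ALL) is handled the same way as the single-port sample; `count_matches` is a cheap sanity check that a truncated terminal capture has not dropped lines.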