34 configuring port security, 1 overview, 2 configurations – CANOGA PERKINS 9175 Configuration Guide User Manual
CanogaOS Configuration Guide
34 Configuring Port Security
34.1 Overview
The port security feature limits the number of “secure” MAC addresses learned on a
particular interface. The interface forwards only packets whose source MAC addresses
match these secure addresses. Secure MAC addresses can be created manually or
learned automatically. After the device reaches the limit for the number of secure
MAC addresses it can learn on the interface, a packet received on that interface with
a source MAC address that is different from any of the secure learned addresses is
considered a security violation.
Port security also binds a MAC address to a port so that the port does not forward
packets with source addresses outside the group of defined addresses. If a MAC address
configured or learned on a secure port attempts to access another port, this is also
considered a security violation.
Two types of secure MAC addresses are supported:
• Static secure MAC addresses: These are manually configured with the interface
configuration command switchport port-security mac-address MAC.
• Dynamic secure MAC addresses: These are dynamically learned.
If a security violation occurs, the packets to be forwarded will be dropped.
34.2 Configurations
Follow these steps to enable and configure port security:
DUT1#configure terminal
    Enter the Configure mode.
DUT1(config)#interface eth-0-1
    Specify the interface (eth-0-1) to be configured and enter the Interface mode.
DUT1(config-if)#switchport
    Configure Layer2 interface.
DUT1(config-if)#switchport port-security
    Enable port security on the port.
DUT1(config-if)#switchport port-security maximum 3
    Set maximum secure MAC addresses for this interface.
DUT1(config-if)#switchport port-security mac-address 0000.1111.2222 vlan 1
    Add a secure MAC address 0000.1111.2222 for this interface.
DUT1(config-if)#switchport port-security mac-address 0000.aaaa.bbbb vlan 1
    Add a secure MAC address 0000.aaaa.bbbb for this interface.
DUT1(config-if)#end
    Return to privileged EXEC mode.
DUT1#show port-security
    Verify the configuration.
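The forwarding decision described in 34.1, applied to the values configured above, can be modelled as follows. This is an added example, not CanogaOS code: the class and method names, the second port eth-0-2 and the sample frames are constructed for illustration. It assumes that static addresses count toward the maximum, that addresses are matched per VLAN, and that every port in the model has port security enabled.

```python
# Simplified model of the port-security rules in 34.1 (hypothetical names,
# not the switch's implementation).
class SecurePort:
    def __init__(self, name, maximum):
        self.name, self.maximum = name, maximum
        self.static, self.dynamic = set(), set()   # (mac, vlan) pairs

    def secure(self):
        return self.static | self.dynamic

class Switch:
    def __init__(self):
        self.ports = {}

    def add_port(self, name, maximum):
        self.ports[name] = SecurePort(name, maximum)

    def add_static(self, port, mac, vlan):
        p = self.ports[port]
        if len(p.secure()) >= p.maximum:   # assumption: static entries count
            raise ValueError("maximum secure addresses reached")
        p.static.add((mac.lower(), vlan))

    def receive(self, port, src_mac, vlan):
        """Return (action, reason) for a frame arriving on a secure port."""
        key = (src_mac.lower(), vlan)
        p = self.ports[port]
        if key in p.secure():
            return ("forward", "secure address")
        # An address secured on one port must not show up on another port.
        for other in self.ports.values():
            if other is not p and key in other.secure():
                return ("drop", "violation: address bound to " + other.name)
        if len(p.secure()) < p.maximum:
            p.dynamic.add(key)             # becomes a dynamic secure address
            return ("forward", "learned")
        return ("drop", "violation: maximum reached")

def demo():
    sw = Switch()
    sw.add_port("eth-0-1", 3)                        # values from 34.2
    sw.add_static("eth-0-1", "0000.1111.2222", 1)
    sw.add_static("eth-0-1", "0000.aaaa.bbbb", 1)
    sw.add_port("eth-0-2", 1)                        # constructed second port
    frames = [                                       # constructed sample traffic
        ("eth-0-1", "0000.1111.2222", 1), ("eth-0-1", "0000.cccc.dddd", 1),
        ("eth-0-1", "0000.eeee.ffff", 1), ("eth-0-2", "0000.AAAA.BBBB", 1),
    ]
    return [sw.receive(*f) for f in frames]
```

With a maximum of 3 and two static entries, only one further address can be learned on eth-0-1; the next unknown source is dropped, as is a frame on eth-0-2 that uses an address already secured on eth-0-1.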
34.3 Validation Commands
DUT1#show port-security
address-table current interface maximum
DUT1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolationMode
             (Count)        (Count)
--------------------------------------------------------------