Foundry NetIron M2404C and M2404F Metro Access Switches Configuring VLANs (Rev.03)
Port Security
© 2008 Foundry Networks, Inc.
Page 35 of 73
Port Security
Port security can be used to block input to an Ethernet port when the MAC address of the station attempting to access the port does not match any of the MAC addresses specified for that port. Alternatively, the user can use port security to filter traffic destined to or received from a specific host based on the host MAC address.

After establishing the maximum number of MAC addresses on a port, the secure MAC addresses can be configured manually or learned dynamically. The user can manually configure all or only part of the secure MAC addresses.

When a secured port receives a packet, the MAC address of the packet source is compared to the list of secure source addresses that were manually configured or dynamically learned on the receiving port. If the MAC address is not in the list of secure addresses, the port either shuts down permanently or drops incoming packets from the insecure host and sends a trap message to the Simple Network Management Protocol (SNMP) manager. The port behavior depends on the configuration that determined its response to a security violation.

Port security can also be configured per VLAN. In this case only packets with MAC addresses specified as secure for this port/VLAN are permitted to access the port.
Overview
If the port security option is activated on a port, only secure MAC addresses that are configured to this port/VLAN are permitted to access this port. The secure MAC addresses can also be learned dynamically. The maximum number of secure MAC addresses allowed to connect to the port is determined by the system administrator.
NOTE
The secure MAC addresses do not age out of the MAC address table.
An attempt to exceed the maximum allowed secure MAC addresses on the port will produce an address violation event.

After a secured port has been shut down due to a security violation, the user can re-enable it by using the port security enable-shutdown-port command in Interface Configuration mode. This command can be used if the cause for the security violation has been terminated and the system administrator wants to re-enable the secured port. The first packet that will cause a security violation will cause the port to be shut down again.
When trap action is configured, a trap message will be sent whenever an address violation event occurs. This means that after an address violation event, the first packet from each unknown source MAC address will cause a trap to be sent. For information on how to set the SNMP configuration so that the switch will send trap messages, see chapter “Configuring Simple Network Management Protocol (SNMP)”.

The sent trap following a security violation will contain the following parameters:
• The MAC address of the sender.
• The port on which the packet arrived.
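The rules above (maximum secure count, static and dynamic learning, the shutdown versus trap actions, one trap per unknown source MAC, and re-enabling a shut-down port) can be modelled as a small state machine. The following is an added illustration, not Foundry's implementation; it assumes per-VLAN port security, so secure entries are (VLAN, MAC) pairs, and the port name and trap record format are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class SecuredPort:
    """Hypothetical model of the port-security rules described above
    (not Foundry's code). Secure entries are (vlan, mac) pairs, so a MAC
    is only accepted on the port/VLAN it was configured or learned on."""
    name: str                                  # constructed port name, e.g. "e1"
    max_secure: int                            # administrator-set maximum
    action: str                                # "shutdown" or "trap"
    secure: set = field(default_factory=set)   # secure addresses; never age out
    trapped: set = field(default_factory=set)  # unknown MACs already reported
    traps: list = field(default_factory=list)  # trap records: (sender MAC, port)
    shut_down: bool = False

    def add_static(self, vlan: int, mac: str) -> None:
        """Manually configured secure address (counts toward the maximum)."""
        self.secure.add((vlan, mac))

    def receive(self, vlan: int, mac: str) -> str:
        """Apply the rules to one ingress frame; returns the port's verdict."""
        if self.shut_down:
            return "drop"                      # stays down until re-enabled
        key = (vlan, mac)
        if key in self.secure:
            return "forward"
        if len(self.secure) < self.max_secure:
            self.secure.add(key)               # dynamic learning below the limit
            return "forward"
        # Address violation: limit reached and the source is not secure.
        if self.action == "shutdown":
            self.shut_down = True              # permanent until re-enabled
            return "shutdown"
        if mac not in self.trapped:            # first packet per unknown MAC
            self.trapped.add(mac)
            self.traps.append((mac, self.name))
        return "drop"

    def enable_shutdown_port(self) -> None:
        """Counterpart of 'port security enable-shutdown-port' in interface mode."""
        self.shut_down = False
```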