Port Security with Dynamically Learned and Static MAC Addresses - Cisco 7604 Configuration Manual

IOS software configuration guide

Understanding Port Security

Port Security with Dynamically Learned and Static MAC Addresses

You can use port security with dynamically learned and static MAC addresses to restrict a port's ingress
traffic by limiting the MAC addresses that are allowed to send traffic into the port. When you assign
secure MAC addresses to a secure port, the port does not forward ingress traffic that has source addresses
outside the group of defined addresses. If you limit the number of secure MAC addresses to one and
assign a single secure MAC address, the device attached to that port has the full bandwidth of the port.
A security violation occurs in either of these situations:

- When the maximum number of secure MAC addresses is reached on a secure port and the source MAC address of the ingress traffic is different from any of the identified secure MAC addresses, port security applies the configured violation mode.
- If traffic with a secure MAC address that is configured or learned on one secure port attempts to access another secure port in the same VLAN, port security responds to the violation in one of these ways:
  - In Release 12.2(18)SXF5 and later releases, port security applies the configured violation mode.
  - In releases earlier than Release 12.2(18)SXF5, port security applies the shutdown violation mode.

Note: After a secure MAC address is configured or learned on one secure port, the sequence of events that occurs when port security detects that secure MAC address on a different port in the same VLAN is known as a MAC move violation.

See the "Configuring the Port Security Violation Mode on a Port" section on page 47-6 for more information about the violation modes.

After you have set the maximum number of secure MAC addresses on a port, port security includes the secure addresses in the address table in one of these ways:

- You can statically configure all secure MAC addresses by using the switchport port-security mac-address mac_address interface configuration command.
- You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of connected devices.
- You can statically configure a number of addresses and allow the rest to be dynamically configured.

If the port has a link-down condition, all dynamically learned addresses are removed.

Following bootup, a reload, or a link-down condition, port security does not populate the address table with dynamically learned MAC addresses until the port receives ingress traffic.

A security violation occurs if the maximum number of secure MAC addresses have been added to the address table and the port receives traffic from a MAC address that is not in the address table.

You can configure the port for one of three violation modes: protect, restrict, or shutdown. See the "Configuring Port Security" section on page 47-4.

To ensure that an attached device has the full bandwidth of the port, set the maximum number of addresses to one and configure the MAC address of the attached device.

Cisco 7600 Series Router Cisco IOS Software Configuration Guide, Release 12.2SX, OL-4266-08, Chapter 47, Configuring Port Security, page 47-2
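The three ways of populating the address table described above, written out as interface configuration. This is an added example, not text from the Cisco guide: the interface names, MAC addresses and maximum values are constructed placeholders, and the enable, maximum and violation commands shown beside the mac-address command are the standard IOS port-security forms.

```cisco
! Constructed example: interface names, MAC addresses and limits are
! placeholders, not values from the guide.
!
! 1) All secure addresses static. One address, maximum of one: the
!    attached device has the full bandwidth of the port.
interface GigabitEthernet1/1
 switchport
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0200.0000.0001
 ! shutdown: the port goes error-disabled on a violation
 switchport port-security violation shutdown
!
! 2) All secure addresses dynamic. The first two source MACs seen on
!    ingress are learned; they are removed on link-down and relearned
!    only when the port receives ingress traffic again.
interface GigabitEthernet1/2
 switchport
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 ! restrict: offending frames are dropped and the violation counter increments
 switchport port-security violation restrict
!
! 3) Mixed. One address is static, the remaining two slots are filled
!    dynamically. Set the maximum before adding static entries so the
!    static address count never exceeds the limit.
interface GigabitEthernet1/3
 switchport
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address 0200.0000.0002
 ! protect: offending frames are dropped without incrementing the counter
 switchport port-security violation protect
!
! Check the result from privileged EXEC mode:
!   show port-security interface GigabitEthernet1/3
!   show port-security address
```

Because protect drops frames without incrementing the violation counter, restrict or shutdown is the better choice on ports where a violation should be visible to monitoring.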
