Sun Netra CP3240 Switch User’s Guide

This chapter describes the Port Security feature.

This chapter contains the following topics:

• Section , Port Security Benefits
• Section , Configuring Port Security via CLI
• Section , Configuring Port Security via Web Interfaces

---

Port Security Benefits

• Allows for limiting the number of MAC addresses on a given port.
• Packets that have a matching MAC address (secure packets) are forwarded; all other packets (unsecure packets) are restricted.
• Enabled on a per port basis.
• When locked, only packets with allowable MAC address will be forwarded.
• Supports both dynamic and static.
• Implement two traffic filtering methods. These methods can be used concurrently.
• Dynamic Locking - User specifies the maximum number of MAC addresses that can be learned on a port. The maximum number of MAC addresses is platform dependent and is given in the software Release Notes. After the limit is reached, additional MAC addresses are not learned. Only frames with an allowable source MAC address are forwarded.
• Static Locking - User manually specifies a list of static MAC addresses for a port. Dynamically locked addresses can be converted to statically locked addresses.

• Helps secure network by preventing unknown devices from forwarding packets.
• When link goes down, all dynamically locked addresses are ‘freed.’
• If a specific MAC address is to be set for a port, set the dynamic entries to 0, then only allow packets with a MAC address matching the MAC address in the static list.
• Dynamically locked MAC addresses are aged out if another packet with that address is not seen within the age-out time. The user can set the time-out value.
• Dynamically locked MAC addresses are eligible to be learned by another port.
• Static MAC addresses are not eligible for aging.
• Dynamically locked addresses can be converted to statically locked addresses.

---

Configuring Port Security via CLI

The following are examples of the commands used in the Port Security feature.

Example 1: show port security

(DTI SWITCH) #show port-security ?
 
<cr>                     Press Enter to execute the command.
all                      Display port-security information for all
                 interfaces
<slot/port>	Display port security information for a
                 specific interface.
dynamic                  Display dynamically learned MAC addresses.
static                   Display statically locked MAC addresses.
violation                Display the source MAC address of the last                  packet that was discarded on a locked port.

Example 2: show port security on a Specific Interface

(LVL7 FASTPATH Routing) #show port-security 0/10
 
         Admin    Dynamic     Static    Violation
 Intf    Mode      Limit      Limit     Trap Mode
------  -------  ----------  ---------  ----------
0/10	Disabled 600         20         Disabled
 

Example 3: (Config) port security

(LVL7 FASTPATH Routing) (Config)					#port-security ?
 
<cr>	Press Enter to execute the command.
 
(LVL7 FASTPATH Routing) (Config)					#port-security
 

---

Configuring Port Security via Web Interfaces

The following Web pages are used in the Port Security feature.

FIGURE 10-1 Port Security Administration

FIGURE 10-2 Port Security Interface Configuration

FIGURE 10-3 Port Security Dynamically Learned MAC Addresses

FIGURE 10-4 Port Security Violation Status

FIGURE 10-5

Sun Netra CP3240 Switch User’s Guide

820-3252-11

© 2007 Diversified Technology, Inc. All Rights Reserved. © 2009 Sun Microsystems, Inc. All rights reserved.