Configuring Port Security
This chapter describes the Port Security feature.
This chapter contains the following topics:
Port Security Benefits
- Allows for limiting the number of MAC addresses on a given port.
- Packets that have a matching MAC address (secure packets) are forwarded; all other packets (unsecure packets) are restricted.
- Enabled on a per port basis.
- When locked, only packets with an allowable source MAC address are forwarded.
- Supports both dynamic and static locking.
- Implements two traffic filtering methods, which can be used concurrently:
- Dynamic Locking - User specifies the maximum number of MAC addresses that can be learned on a port. The maximum number of MAC addresses is platform dependent and is given in the software Release Notes. After the limit is reached, additional MAC addresses are not learned. Only frames with an allowable source MAC address are forwarded.
- Static Locking - User manually specifies a list of static MAC addresses for a port. Dynamically locked addresses can be converted to statically locked addresses.
- Helps secure network by preventing unknown devices from forwarding packets.
- When link goes down, all dynamically locked addresses are ‘freed.’
- To restrict a port to specific MAC addresses, set the dynamic limit to 0; the port then forwards only packets whose source MAC address matches an entry in the static list.
- Dynamically locked MAC addresses are aged out if another packet with that address is not seen within the age-out time. The user can set the time-out value.
- Dynamically locked MAC addresses are eligible to be learned by another port.
- Static MAC addresses are not eligible for aging.
- Dynamically locked addresses can be converted to statically locked addresses.
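The forwarding rules listed above, modelled as an added example (this is an illustrative Python model written for this page, not code from the switch or its firmware; the class, its names and the constructed MAC addresses are hypothetical):

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SecurePort:
    """Hypothetical model of one locked port (illustration, not switch code)."""
    dynamic_limit: int                                 # max MACs learned dynamically
    age_out: float                                     # seconds before an idle dynamic entry is freed
    static: set = field(default_factory=set)           # statically locked MACs (never aged)
    dynamic: dict = field(default_factory=dict)        # dynamic MAC -> last-seen timestamp
    last_violation: Optional[str] = None               # source MAC of last discarded packet

    def forward(self, src_mac: str, now: float) -> bool:
        """Return True if a frame from src_mac is forwarded, False if it is discarded."""
        self.age(now)
        if src_mac in self.static:
            return True                                # secure packet: static entry
        if src_mac in self.dynamic:
            self.dynamic[src_mac] = now                # secure packet: refresh age-out timer
            return True
        if len(self.dynamic) < self.dynamic_limit:
            self.dynamic[src_mac] = now                # limit not reached: learn the address
            return True
        self.last_violation = src_mac                  # limit reached: unsecure packet, record it
        return False

    def age(self, now: float) -> None:
        """Free dynamic entries not seen within age_out; static entries are not aged."""
        self.dynamic = {m: t for m, t in self.dynamic.items() if now - t < self.age_out}

    def link_down(self) -> None:
        """All dynamically locked addresses are freed when the link goes down."""
        self.dynamic.clear()

    def convert_to_static(self) -> None:
        """Convert the currently learned dynamic addresses into static entries."""
        self.static |= set(self.dynamic)
        self.dynamic.clear()


def scenario():
    # Constructed sample: dynamic limit 2, 60 s age-out, one statically locked MAC.
    p = SecurePort(dynamic_limit=2, age_out=60, static={"00:00:00:00:00:0a"})
    results = [p.forward("00:00:00:00:00:01", 0),     # learned (1 of 2)
               p.forward("00:00:00:00:00:02", 1),     # learned (2 of 2)
               p.forward("00:00:00:00:00:03", 2),     # limit reached -> discarded, violation recorded
               p.forward("00:00:00:00:00:0a", 3),     # static entry -> forwarded
               p.forward("00:00:00:00:00:03", 100)]   # :01 and :02 aged out -> learned now
    return results, p.last_violation                  # ([True, True, False, True, True], ':03')
```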
Configuring Port Security via CLI
The following are examples of the commands used in the Port Security feature.
Example 1: show port security
CODE EXAMPLE 10-1 show port security
(DTI SWITCH) #show port-security ?
<cr>          Press Enter to execute the command.
all           Display port-security information for all interfaces.
<slot/port>   Display port-security information for a specific interface.
dynamic       Display dynamically learned MAC addresses.
static        Display statically locked MAC addresses.
violation     Display the source MAC address of the last packet that was discarded on a locked port.
Example 2: show port security on a Specific Interface
CODE EXAMPLE 10-2 show port security on a Specific Interface
(LVL7 FASTPATH Routing) #show port-security 0/10

        Admin      Dynamic     Static      Violation
Intf    Mode       Limit       Limit       Trap Mode
------  -------    ----------  ---------   ----------
0/10    Disabled   600         20          Disabled
Example 3: (Config) port security
CODE EXAMPLE 10-3 (Config) port security
(LVL7 FASTPATH Routing) (Config) #port-security ?
<cr> Press Enter to execute the command.
(LVL7 FASTPATH Routing) (Config) #port-security
Configuring Port Security via Web Interfaces
The following Web pages are used in the Port Security feature.
FIGURE 10-1 Port Security Administration
FIGURE 10-2 Port Security Interface Configuration
FIGURE 10-3 Port Security Dynamically Learned MAC Addresses
FIGURE 10-4 Port Security Violation Status
FIGURE 10-5
Sun Netra CP3240 Switch User’s Guide
820-3252-11
© 2007 Diversified Technology, Inc. All Rights Reserved. © 2009 Sun Microsystems, Inc. All rights reserved.