With the Port Security page, you can:
Only a static-access port can be a secure port. You cannot enable port security on a network port, an ATM port, a multi-VLAN port, a dynamic-access port (Enterprise Edition Software only), a trunk port (Enterprise Edition Software only), a port group, or a monitor port.
Limiting the number of devices that connect to a secure port can have the following advantages:
For more information, review the field descriptions.
You can secure a port and define the action to take when address violations occur. By default, the switch sends an SNMP trap to the trap manager. Address-security violations occur under the following conditions:
To enable port security and define actions for address violations:
Note: To fully secure a port, you can disable flooding to the port from the Flooding Controls page. You can display this page by selecting Port > Flooding Controls from the menu bar.
A secured port can support up to 132 device addresses. You can manually assign the device addresses to a secured port by using the Address Management page, or the port can sticky learn them. Sticky learning occurs when the address table for a secured port does not contain a full complement of secure addresses. The port sticky learns the source addresses of incoming packets, automatically assigns them as secure addresses, and continues learning until the table contains the maximum number of secure addresses defined for the port. If a secure address is deleted from the address table, the port begins sticky learning again.
To define the maximum size of the secure port's address table:
Note: You must enable port security before you can adjust the Maximum Addresses field. When port security is enabled, the Maximum Addresses field is automatically set to 132.
| Field | Description |
| --- | --- |
| Port | Displays the word "Fa" (FastEthernet), "Gi" (Gigabit Ethernet), or "AT" (ATM), the module number (0, 1, 2), and the port number. |
| Security | Enables port security. |
| Violation Action | Designates an action to take if an address violation occurs. If you select Trap, a trap (alert) is sent to the management station you defined as the trap manager on the SNMP Management page. If you select Shutdown, the port is disabled. |
| Secure Addresses | Displays the number of secure addresses that are defined for the port. This field is read only. You must configure a secure port with at least one address. You define secure addresses for the port on the Address Management page. |
| Maximum Addresses | Modifies the number of secure addresses that can be associated with this port. You can enter a number from 1 to 132 in this field; entering 1 means that one station has the full bandwidth of the port. By default, this field is set to 132 when security is enabled for the port. |
| Security Rejects | Displays the number of unauthorized addresses that have arrived on this port. This field is read only. When a secured port receives a packet with an address that is not associated with it, the switch does not forward the packet and can generate a trap or disable the port. |
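
The sticky-learning behavior and the Violation Action, Maximum Addresses, and Security Rejects fields described above can be modeled in a few lines. This is an added illustration, not code from the switch software; the class, method names, and MAC addresses are constructed, and it assumes that a sticky-learned frame is also forwarded and that the only violation modeled is an unknown source address arriving when the table is full.

```python
# Added model of a secured port; all names here are hypothetical.
MAX_TABLE = 132  # upper limit for Maximum Addresses stated on this page

class SecurePort:
    def __init__(self, max_addresses=MAX_TABLE, violation_action="trap"):
        if not 1 <= max_addresses <= MAX_TABLE:
            raise ValueError("Maximum Addresses must be from 1 to 132")
        if violation_action not in ("trap", "shutdown"):
            raise ValueError("Violation Action must be trap or shutdown")
        self.max_addresses = max_addresses
        self.violation_action = violation_action
        self.secure = set()        # secure address table
        self.security_rejects = 0  # Security Rejects counter
        self.enabled = True
        self.traps = []            # stands in for traps sent to the trap manager

    def assign(self, mac):
        """Manual assignment, as done on the Address Management page."""
        mac = mac.lower()
        if mac not in self.secure and len(self.secure) >= self.max_addresses:
            raise ValueError("secure address table is full")
        self.secure.add(mac)

    def delete(self, mac):
        """Removing an address frees a slot, so sticky learning resumes."""
        self.secure.discard(mac.lower())

    def receive(self, src_mac):
        """Return 'forward', 'learned', 'reject' or 'port-disabled'."""
        mac = src_mac.lower()
        if not self.enabled:
            return "port-disabled"
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.max_addresses:
            self.secure.add(mac)    # sticky learn while the table has room
            return "learned"
        self.security_rejects += 1  # unknown source, table full: violation
        if self.violation_action == "shutdown":
            self.enabled = False
        else:
            self.traps.append(mac)
        return "reject"

def demo():
    """Constructed MACs: two stations fill the table, a third trips Shutdown."""
    port = SecurePort(max_addresses=2, violation_action="shutdown")
    macs = ["00:00:5e:00:53:01", "00:00:5e:00:53:02", "00:00:5e:00:53:03"]
    return [port.receive(m) for m in macs + macs[:1]]
```

With Shutdown selected, the last frame in `demo()` comes from a station that is already a secure address and is still dropped, because the earlier violation disabled the port.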