This chapter consists of these sections:
You can use secure port filtering to block input to an Ethernet or Fast Ethernet port when the Media Access Control (MAC) address of the station attempting to access the port is different from the MAC address specified for that port.
When a secure port receives a packet, the source MAC address of the packet is compared to the secure source address configured for the port. If the MAC address of the device attached to the port differs from the secure address, the port is disabled, the Link LED for that port turns orange, and a link-down trap is sent to the Simple Network Management Protocol (SNMP) manager.
You can specify the secure MAC address for the port manually or you can have the port dynamically learn the MAC address of the connected device. Once the address is specified or learned, it is stored in nonvolatile RAM (NVRAM) and maintained even after a reset.
These guidelines apply when configuring secure port filtering:
These sections describe how to configure secure port filtering:
To enable secure port filtering, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Enable port security on the desired ports. If desired, specify the secure MAC address. | set port security mod_num/port_num enable [mac_addr] |
| Step 2 Verify the configuration. | show port [mod_num[/port_num]] |
This example shows how to enable secure port filtering on a port using the learned MAC address and verify the configuration:
```
Console> (enable) set port security 2/1 enable
Port 2/1 port security enabled with the learned mac address.
Trunking disabled for Port 2/1 due to Security Mode
Console> (enable) show port 2/1
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
 2/1                     connected  522        normal   half   100 100BaseTX

Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
 2/1  enabled  00-90-2b-03-34-08 00-90-2b-03-34-08 No       disabled 1081

Port     Broadcast-Limit Broadcast-Drop
-------- --------------- --------------
 2/1     -               0

Port  Align-Err  FCS-Err    Xmit-Err   Rcv-Err    UnderSize
----- ---------- ---------- ---------- ---------- ---------
 2/1  0          0          0          0          0

Port  Single-Col Multi-Coll Late-Coll  Excess-Col Carri-Sen Runts     Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
 2/1  0          0          0          0          0         0         0

Last-Time-Cleared
--------------------------
Fri Jul 10 1998, 17:53:38
Console> (enable)
```
This example shows how to enable secure port filtering on a port and manually specify the secure MAC address:
```
Console> (enable) set port security 2/1 enable 00-90-2b-03-34-08
Port 2/1 port security enabled with 00-90-2b-03-34-08 as the secure mac address
Trunking disabled for Port 2/1 due to Security Mode
Console> (enable)
```
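The verification step in the procedure above can be automated across many ports. The following Python sketch is an added example, not part of the original Cisco documentation: it parses the Security table of saved `show port` output by column position and flags ports that need attention. The rows for ports 2/2 and 2/3, the blank address cells on a port with security disabled, and the reading of the Shutdown and Trap columns are assumptions.

```python
import re

# Constructed sample: header, ruler and the 2/1 row follow the page's
# `show port` output; rows 2/2 and 2/3 are made up for illustration.
SAMPLE = (
    "Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex\n"
    "----- -------- ----------------- ----------------- -------- -------- -------\n"
    " 2/1  enabled  00-90-2b-03-34-08 00-90-2b-03-34-08 No       disabled 1081\n"
    " 2/2  enabled  00-90-2b-03-34-09 00-10-7b-aa-bb-cc Yes      enabled  1082\n"
    " 2/3  disabled" + " " * 37 + "No       disabled 1083\n"
)

def parse_security_table(text):
    """Return one dict per port from the Security table of `show port`."""
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        if "Secure-Src-Addr" not in line:
            continue
        # The dashed ruler gives each column's span, so blank cells survive.
        spans = [m.span() for m in re.finditer(r"-+", lines[i + 1])]
        names = [line[a:b].strip() for a, b in spans]
        rows = []
        for row in lines[i + 2:]:
            if not row.strip() or row.startswith(("Port", "Console>")):
                break
            rows.append({n: row[a:b].strip() for n, (a, b) in zip(names, spans)})
        return rows
    return []

def audit(rows):
    """Return (port, finding) pairs; column meanings are assumptions."""
    findings = []
    for r in rows:
        port, secure, last = r["Port"], r["Secure-Src-Addr"], r["Last-Src-Addr"]
        if r["Security"] != "enabled":
            findings.append((port, "port security is not enabled"))
            continue
        if r["Shutdown"].lower() == "yes":
            findings.append((port, "port was shut down by port security"))
        if last and last.lower() != secure.lower():
            findings.append((port, f"last source {last} differs from secure {secure}"))
        if r["Trap"] != "enabled":
            findings.append((port, "port trap disabled; violation may not reach SNMP manager"))
    return findings

if __name__ == "__main__":
    for port, finding in audit(parse_security_table(SAMPLE)):
        print(f"{port}: {finding}")
```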
To disable secure port filtering, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Disable port security on the desired ports. | set port security mod_num/port_num disable |
| Step 2 Verify the configuration. | show port [mod_num[/port_num]] |
This example shows how to disable secure port filtering on a port:
```
Console> (enable) set port security 2/1 disable
Port 2/1 port security disabled.
Console> (enable)
```
Posted: Mon Jul 19 12:52:13 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.