This chapter describes how to configure secure port filtering on the Catalyst 6000 family switches.
This chapter consists of these sections:
You can use secure port filtering to block input to an Ethernet port when the MAC address of the station attempting to access the port is different from the MAC address specified for that port.
When a secure port receives a packet, the source MAC address of the packet is compared to the secure source address configured for the port. If the MAC address of the device attached to the port differs from the secure address, the port is disabled, the Link LED for that port turns orange, and a link-down trap is sent to the Simple Network Management Protocol (SNMP) manager.
You can specify the secure MAC address for the port manually or you can have the port dynamically learn the MAC address of the connected device. Once the address is specified or learned, it is stored in NVRAM and maintained even after a reset.
These sections describe how to configure secure port filtering:
To enable secure port filtering, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Enable port security on the desired ports. If desired, specify the secure MAC address. | `set port security mod_num/port_num enable [mac_addr]` |
| Step 2 Verify the configuration. | `show port [mod_num[/port_num]]` |
This example shows how to enable secure port filtering on a port using the learned MAC address and verify the configuration:

```
Console> (enable) set port security 2/1 enable
Port 2/1 port security enabled with the learned mac address.
Trunking disabled for Port 2/1 due to Security Mode
Console> (enable) show port 2/1
Port  Name               Status     Vlan       Duplex Speed Type
----- ------------------ ---------- ---------- ------ ----- ------------
 2/1                     connected  1            full  1000 1000BaseSX

Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
 2/1  enabled                                      No       disabled 3
.
.
.
Last-Time-Cleared
--------------------------
Fri Feb 25 2000, 20:41:52
Console> (enable)
```
This example shows how to enable secure port filtering on a port and manually specify the secure MAC address:
```
Console> (enable) set port security 2/1 enable 00-90-2b-03-34-08
Port 2/1 port security enabled with 00-90-2b-03-34-08 as the secure mac address
Trunking disabled for Port 2/1 due to Security Mode
Console> (enable)
```
To disable secure port filtering, perform this task in privileged mode:
| Task | Command |
|---|---|
| Step 1 Disable port security on the desired ports. | `set port security mod_num/port_num disable` |
| Step 2 Verify the configuration. | `show port [mod_num[/port_num]]` |
This example shows how to disable secure port filtering on a port:
```
Console> (enable) set port security 2/1 disable
Port 2/1 port security disabled.
Console> (enable)
```
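One way to check the verification step across many ports is to parse the Port Security section of saved `show port` output, shown here as an added example that is not part of the original Cisco documentation. The sample table is constructed (only 00-90-2b-03-34-08 comes from this page), and reading `Yes` in the Shutdown column as a port disabled after an address mismatch is an assumption.

```python
import re

# Constructed sample in the layout of the Port Security section of `show port`.
# Ports 2/2-2/4 and every MAC except 00-90-2b-03-34-08 are invented.
SAMPLE = """\
Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
 2/1  enabled  00-90-2b-03-34-08 00-90-2b-03-34-08 No       disabled 3
 2/2  enabled  00-90-2b-03-34-09 00-10-7b-aa-bb-cc Yes      disabled 4
 2/3  enabled                                      No       disabled 5
 2/4  disabled                                     No       disabled 6
"""

def parse_security_table(text):
    """Return one dict per port from the fixed-width Port Security table.

    Column starts come from the dashed rule line, so a blank cell (such as
    an empty Secure-Src-Addr) cannot shift the values that follow it.
    """
    lines = text.splitlines()
    for i in range(1, len(lines)):
        if "Secure-Src-Addr" in lines[i - 1] and re.fullmatch(r"-+( -+)+", lines[i].strip()):
            break
    else:
        return []  # no Port Security table in this output
    starts = [m.start() for m in re.finditer(r"-+", lines[i])]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [lines[i - 1][s:e].strip() for s, e in bounds]
    rows = []
    for line in lines[i + 1:]:
        if not re.match(r"\s*\d+/\d+\s", line):
            break  # end of the table body
        rows.append({n: line[s:e].strip() for n, (s, e) in zip(names, bounds)})
    return rows

def audit(rows):
    """Flag ports that are unprotected, tripped, or have no secure address."""
    findings = []
    for r in rows:
        if r["Security"] != "enabled":
            findings.append((r["Port"], "port security not enabled"))
        elif r["Shutdown"] == "Yes":  # assumption: Yes = disabled after a mismatch
            findings.append((r["Port"], "shut down, last source " + r["Last-Src-Addr"]))
        elif not r["Secure-Src-Addr"]:
            findings.append((r["Port"], "enabled but no secure address shown"))
    return findings

if __name__ == "__main__":
    for port, issue in audit(parse_security_table(SAMPLE)):
        print(port, issue)
```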
Posted: Wed Nov 10 13:16:24 PST 1999
Copyright 1989-1999©Cisco Systems Inc.