Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 4500 Series, Catalyst 2948G, Catalyst 2948G-GE-TX, and Catalyst 2980G Switches Command Reference.

- Understanding How Port Security Works
- Configuring Port Security on the Switch
- Monitoring Port Security

Understanding How Port Security Works

You can use port security to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the MAC address of the station attempting to access the port is different from any of the MAC addresses that are specified for that port. Alternatively, you can use port security to filter traffic that is destined to or received from a specific host that is based on the host MAC address.

Allowing Traffic Based on the Host MAC Address

The total number of MAC addresses that can be specified per port is limited to the global resource of 1024 plus 1 default MAC address. That is, the total number of MAC addresses on any port cannot exceed 1025. The maximum number of MAC addresses that you can allocate for each port depends on your network configuration. The following combinations are valid allocations:

- 1025 (1 + 1024) addresses on one port and 1 address each on the rest of the ports.
- 513 (1 + 512) each on two ports in a system and 1 address each on the rest of the ports.
- 901 (1 + 900) on one port, 101 (1 + 100) on another port, 25 (1 + 24) on a third port, and 1 address on each of the rest of the ports.

After you allocate the maximum number of MAC addresses on a port, you can either specify the secure MAC address for the port manually or have the port dynamically configure the MAC address of the connected devices. Out of a maximum allocated number of MAC addresses on a port, you can manually configure all, allow all to be autoconfigured, or configure some manually and allow the rest to be autoconfigured. Once you manually configure or autoconfigure the addresses, they are stored in nonvolatile RAM (NVRAM) and are maintained after a reset.

When you manually change the maximum number of MAC addresses that are associated to a port greater than the default value and then manually enter the authorized MAC addresses, any remaining MAC addresses are automatically configured. For example, if you configure the port security for a port to have a maximum of ten MAC addresses but add only two MAC addresses, the next eight new source MAC addresses that are received on that port are added to the secured MAC address list for the port.

After you allocate a maximum number of MAC addresses on a port, you can also specify how long the addresses on the port will remain secure. After the age time expires, the MAC addresses on the port become insecure. By default, all addresses on a port are secured permanently.

If a security violation occurs, you can configure the port to go either into shutdown mode or restrictive mode. The shutdown mode option allows you to specify whether the port is to be permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts.

Note If you configure a secure port in restrictive mode, and a station is connected to the port whose MAC address is already configured as a secure MAC address on another port on the switch, the port in restrictive mode shuts down instead of restricting traffic from that station. For example, if you configure MAC-1 as the secure MAC address on port 2/1 and MAC-2 as the secure MAC address on port 2/2 and then connect the station with MAC-1 to port 2/2 when port 2/2 is configured for restrictive mode, port 2/2 shuts down instead of restricting traffic from MAC-1.

When a secure port receives a packet, the source MAC address of the packet is compared to the list of secure source addresses that were manually configured or autoconfigured (learned) on the port. If a MAC address of a device that is attached to the port differs from the list of secure addresses, the port either shuts down permanently (default mode), shuts down for the time that you have specified, or drops incoming packets from the insecure host. The behavior of a port depends on how you configure it to respond to a security violation.

If a security violation occurs, the LED labeled Link for that port turns orange, and a link-down trap is sent to the Simple Network Management Protocol (SNMP) manager. A trap is sent only if you configure the port to shut down during a security violation. An SNMP trap is not sent if you configure the port for restrictive violation mode.

Restricting Traffic Based on the Host MAC Address

You can filter traffic based on a host MAC address, so that packets tagged with a specific source MAC address are discarded.
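The address-allocation limit (1024 shared plus 1 default per port), autoconfiguration up to the port maximum, and the shutdown and restrictive violation behaviour described above, as an added Python model written for this page (not Cisco switch code); the port names, MAC strings and return labels are constructed for illustration.

```python
# Added model of the port-security behaviour described above (an example written
# for this page, not Cisco switch code). Port names, MAC strings and the return
# labels are constructed for illustration.
from dataclasses import dataclass, field

GLOBAL_POOL = 1024          # shared by all ports, on top of 1 default address per port
PORT_LIMIT = GLOBAL_POOL + 1


@dataclass
class SecurePort:
    name: str
    maximum: int = 1              # default allocation: just the 1 default address
    violation: str = "shutdown"   # "shutdown" (default) or "restrict"
    shutdown_time: int = 0        # 0 = permanent shutdown, else seconds
    secure: set = field(default_factory=set)
    state: str = "up"


class Switch:
    def __init__(self, *port_names):
        self.ports = {n: SecurePort(n) for n in port_names}

    def set_maximum(self, name, maximum):
        """Allocate secure addresses to a port, enforcing the 1024 + 1 limit."""
        used = sum(p.maximum - 1 for p in self.ports.values() if p.name != name)
        if maximum > PORT_LIMIT or used + (maximum - 1) > GLOBAL_POOL:
            return False
        self.ports[name].maximum = maximum
        return True

    def secure_owner(self, mac):
        """Port on which mac is already a secure address, or None."""
        return next((p.name for p in self.ports.values() if mac in p.secure), None)

    def receive(self, name, src_mac):
        """Classify one ingress frame on a secure port."""
        port = self.ports[name]
        if port.state != "up":
            return "dropped-port-down"
        if src_mac in port.secure:
            return "forwarded"
        if len(port.secure) < port.maximum:
            port.secure.add(src_mac)      # autoconfigure until the maximum is reached
            return "learned"
        # Violation: restrict drops the frame and keeps the port up, unless the MAC is secure on another port.
        if port.violation == "restrict" and self.secure_owner(src_mac) is None:
            return "dropped-restrict"
        port.state = "shutdown" if port.shutdown_time == 0 else "shutdown-timed"
        return "violation-shutdown"
```

Manually configured addresses are added to a port's `secure` set directly; the model does not implement the age timer.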