Use the Security > Port Security page to configure the maximum number of device MAC addresses that can be learned by a switch port, stored in the address table, and authorized to access the network.
When port security is enabled on a port, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number. Only incoming traffic with source addresses already stored in the address table will be authorized to access the network through that port. If a device with an unauthorized MAC address attempts to use the switch port, the intrusion will be detected and the switch can automatically take action by disabling the port and sending a trap message.
Command Usage
The default maximum number of MAC addresses allowed on a secure port is zero (that is, disabled). To use port security, you must configure the maximum number of addresses allowed on a port.
To configure the maximum number of address entries which can be learned on a port, specify the maximum number of dynamic addresses allowed. The switch will learn up to the maximum number of allowed address pairs <source MAC address, VLAN> for frames received on the port. Note that you can manually add additional secure addresses to a port using the Static Address Table. When the port has reached the maximum number of MAC addresses, the port will stop learning new addresses. The MAC addresses already in the address table will be retained and will not be aged out.
When the port security state is changed from enabled to disabled, all dynamically learned entries are cleared from the address table.
If port security is enabled, and the maximum number of allowed addresses are set to a non-zero value, any device not in the address table that attempts to use the port will be prevented from accessing the switch.
If a port is disabled (shut down) due to a security violation, it must be manually re-enabled from the Interface > Port > General page.
A secure port has the following restrictions:
It cannot be used as a member of a static or dynamic trunk.
It should not be connected to a network interconnection device.
RSPAN and port security are mutually exclusive functions. If port security is enabled on a port, that port cannot be set as an RSPAN uplink port. Also, when a port is configured as an RSPAN uplink port, source port, or destination port, port security cannot be enabled on that port.
Parameters
Port identifier.
Enables or disables port security on a port. (Default: Disabled)
The operational status:
Port security is disabled.
Port security is enabled.
Port is shut down due to a response to a port security violation.
Indicates the action to be taken when a port security violation is detected:
No action should be taken. (This is the default.)
Send an SNMP trap message.
Disable the port.
Send an SNMP trap message and disable the port.
The maximum number of MAC addresses that can be learned on a port. (Range: 0 - 1024, where 0 means disabled)
The number of MAC addresses currently associated with this interface.
Shows if MAC address filtering has been set under Security > Network Access (Configure MAC Filter).
The identifier for a MAC address filter.
The last unauthorized MAC address detected.
The last time an unauthorized MAC address was detected.