446
Chapter 11
Access Policies
Configuring Port Security
Another form of security on an access layer switch is port security. Port security limits the number of hardware (MAC) addresses allowed on a switch interface, which stops users from plugging a hub into the jack in their office or cubicle and adding a bunch of hosts without your knowledge. By default, 132 hardware addresses are allowed on a single switch interface, so an unconfigured port offers no real protection. To change this, use the interface command port secure max-mac-count.
On a set-based switch, the command is set port security mod/port enable mac_address.
The following switch output shows the command port secure max-mac-count being set on a CLI-based switch, interface 0/2, to allow only one entry:
Todd1900EN#config t
Enter configuration commands, one per line. End with CNTL/Z
Todd1900EN(config)#int e0/2
Todd1900EN(config-if)#port secure ?
max-mac-count Maximum number of addresses allowed on the port
<cr>
Todd1900EN(config-if)#port secure max-mac-count ?
<1-132> Maximum mac address count for this secure port
Todd1900EN(config-if)#port secure max-mac-count 1
The secured port or ports you create can use either static or sticky-learned hardware addresses. If the hardware addresses on a secured port are not statically assigned, the port sticky-learns the source addresses of incoming frames and automatically assigns them as permanent addresses. Sticky-learn is the term Cisco uses for a port dynamically finding a source hardware address and creating a permanent entry in the MAC filter table. Because a sticky-learned entry is permanent, whichever host sends the first frames after the port is secured is the one that gets locked in, so secure a port only after the intended host is connected to it.
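To make the behaviour of max-mac-count and sticky learning concrete, the following is an added model written for this page; it is not Cisco code and not from the book. It simulates one secured port with the address table capped at max-mac-count (1 to 132, default 132, as the CLI help above shows), filled either by static assignment or by sticky learning, and counts the source addresses that do not fit. The port name, the function and class names, and the hub-traffic sample are all constructed for the example; the 1900 switch itself does not expose this as an API.

```python
"""Toy model of 1900-style port security: max-mac-count plus static or sticky-learned addresses.

Added example for this page, not Cisco code. Names and sample data are made up.
"""
from dataclasses import dataclass, field
import re

DEFAULT_MAX_MAC_COUNT = 132   # the default stated in the text
MAX_MAC_COUNT_LIMIT = 132     # upper bound of the <1-132> range shown in the CLI help

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 0000.0c12.3456, 00:00:0c:12:34:56 or 00-00-0c-12-34-56; return 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class SecurePort:
    """One secured interface; 'allowed' maps address -> 'static' or 'sticky'."""
    name: str
    max_mac_count: int = DEFAULT_MAX_MAC_COUNT
    allowed: dict = field(default_factory=dict)
    violations: list = field(default_factory=list)

    def __post_init__(self):
        # Mirror the <1-132> range the switch accepts for port secure max-mac-count.
        if not 1 <= self.max_mac_count <= MAX_MAC_COUNT_LIMIT:
            raise ValueError("max-mac-count must be in 1..132")

    def add_static(self, mac: str) -> None:
        """Statically assign an address; static entries count against max-mac-count too."""
        mac = normalize_mac(mac)
        if mac not in self.allowed and len(self.allowed) >= self.max_mac_count:
            raise ValueError(f"{self.name}: address table full ({self.max_mac_count})")
        self.allowed[mac] = "static"

    @property
    def sticky_learning(self) -> bool:
        # Per the text: the port sticky-learns only when no addresses were statically assigned.
        return not any(kind == "static" for kind in self.allowed.values())

    def receive(self, src_mac: str) -> bool:
        """Process one incoming frame's source address; return True if the frame is forwarded."""
        mac = normalize_mac(src_mac)
        if mac in self.allowed:
            return True
        if self.sticky_learning and len(self.allowed) < self.max_mac_count:
            self.allowed[mac] = "sticky"    # learned once, then permanent
            return True
        self.violations.append(mac)        # an extra host behind a hub shows up here
        return False


def run_frames(port: SecurePort, sources: list) -> dict:
    """Feed a sequence of frame source addresses through the port and summarise the outcome."""
    forwarded = sum(1 for s in sources if port.receive(s))
    return {
        "forwarded": forwarded,
        "dropped": len(sources) - forwarded,
        "table": dict(port.allowed),
        "violations": list(port.violations),
    }


# Constructed sample: source addresses seen on e0/2 after someone plugs in a hub
# with three hosts (A, A, B, A, C). The addresses are made up for this example.
HUB_FRAMES = [
    "0000.0c12.3456",      # host A
    "0000.0c12.3456",      # host A again
    "00:00:0c:ab:cd:01",   # host B
    "0000.0c12.3456",      # host A
    "0000.0CAB.CD02",      # host C
]


if __name__ == "__main__":
    default_port = SecurePort("e0/2")                   # default max-mac-count of 132
    print("default:", run_frames(default_port, HUB_FRAMES))
    locked_port = SecurePort("e0/2", max_mac_count=1)   # after 'port secure max-mac-count 1'
    print("max 1  :", run_frames(locked_port, HUB_FRAMES))
```

With the default of 132 every host behind the hub is simply learned and forwarded, which is why the text calls the default out. With max-mac-count 1, the first host (A) is sticky-learned and stays permanent, and frames from B and C are recorded as violations and dropped. Adding a static entry first switches sticky learning off entirely, so only the statically assigned address gets through.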
Copyright ©2000 SYBEX , Inc., Alameda, CA
www.sybex.com