Configuring a secure port prevents unknown devices from connecting to the port without your knowledge. If you limit port access to the attached device only, the attached device is guaranteed full port bandwidth. When a port is secure, a user-specified action occurs whenever an address-security violation occurs. This action is either an SNMP trap (see SNMP Configuration help for details), a shutdown of the receiving port, or both. Address-security violations occur under the following conditions:
With the Port Security page, you can:
Fields in the port security table have these meanings:
| Field | Description |
|---|---|
| Interface | Identifies the port: FastEthernet, Gigabit Ethernet, ATM, the module or slot number (0, 1, 2), and port number. |
| Security | Enables port security. |
| Trap | Specifies a trap (alert) as the violation action. The trap is sent to the management station you defined as the trap manager on the SNMP Management page (select Device > SNMP Management). |
| Shutdown | Specifies that the port will be disabled if a violation occurs. |
| Secure Address Count | Displays the number of secure addresses that are defined for the port. This field is read only. You must configure a secure port with at least one address. You define secure addresses for the port on the Address Management page. |
| Maximum Secure Address Count | Modifies the number of secure addresses that can be associated with this port. You can enter a number from 1 to 132 in this field; entering 1 means that one station has the full bandwidth of the port. By default, this field is set to 132 when security is enabled for the port. |
| Security Reject Count | Displays the number of unauthorized addresses that have arrived on this port. This field is read only. When a secured port receives a packet with an address that is not associated with it, the switch does not forward the packet and can generate a trap or disable the port. |
A secured port can support up to 132 device addresses, which you specify as secure MAC addresses on the Address Management window. If you do not assign device addresses, they are sticky learned; the port learns the source address of incoming packets, automatically assigns them as secure addresses, and continues learning until the table contains the maximum number of secure addresses defined for the port. If a secure address is deleted from the address table, the port begins sticky learning again. When port security is enabled, the Maximum Addresses field is automatically set to 132.
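The following Python model, added here as an illustration and not part of the switch software or this help page, shows the port-security behavior described above and in the field table: statically assigned secure addresses, sticky learning of source addresses up to the Maximum Secure Address Count, the Security Reject Count increasing for every frame from an unknown address once the table is full, and the configured violation action (trap, shutdown, or both). The class and method names (`SecurePort`, `receive`, `Action`) and the MAC addresses used in the demonstration are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Flag, auto

# Upper limit stated on the page for secure addresses per port.
MAX_SECURE_ADDRESSES = 132


class Action(Flag):
    """Violation action: an SNMP trap, a port shutdown, or both."""
    NONE = 0
    TRAP = auto()
    SHUTDOWN = auto()


@dataclass
class SecurePort:
    """Hypothetical model of one secured switch port (not the switch's code)."""
    name: str
    max_secure: int = MAX_SECURE_ADDRESSES      # Maximum Secure Address Count
    action: Action = Action.TRAP                # Trap and/or Shutdown fields
    secure_addresses: set = field(default_factory=set)
    reject_count: int = 0                       # Security Reject Count
    shutdown: bool = False
    traps: list = field(default_factory=list)   # traps that would go to the SNMP manager

    def __post_init__(self):
        if not 1 <= self.max_secure <= MAX_SECURE_ADDRESSES:
            raise ValueError(f"max_secure must be 1..{MAX_SECURE_ADDRESSES}")

    @staticmethod
    def _norm(mac: str) -> str:
        return mac.strip().lower()

    def add_secure_address(self, mac: str) -> None:
        """Statically assign a secure MAC address (Address Management page)."""
        if len(self.secure_addresses) >= self.max_secure:
            raise ValueError("secure address table is full")
        self.secure_addresses.add(self._norm(mac))

    def remove_secure_address(self, mac: str) -> None:
        """Deleting an address frees a slot, so sticky learning resumes."""
        self.secure_addresses.discard(self._norm(mac))

    def receive(self, src_mac: str) -> bool:
        """Process one incoming frame; return True if it would be forwarded."""
        if self.shutdown:
            return False                       # a disabled port forwards nothing
        mac = self._norm(src_mac)
        if mac in self.secure_addresses:
            return True
        if len(self.secure_addresses) < self.max_secure:
            self.secure_addresses.add(mac)     # sticky learning
            return True
        # Table is full and the source is unknown: an address-security violation.
        self.reject_count += 1
        if Action.TRAP in self.action:
            self.traps.append(f"{self.name}: violation from {mac}")
        if Action.SHUTDOWN in self.action:
            self.shutdown = True
        return False                           # packet is not forwarded


def demo() -> dict:
    """One station allowed, trap and shutdown on violation (constructed MACs)."""
    port = SecurePort("Fa0/1", max_secure=1, action=Action.TRAP | Action.SHUTDOWN)
    first = port.receive("00:11:22:33:44:55")   # learned as the secure address
    second = port.receive("66:77:88:99:aa:bb")  # violation: rejected, trap, shutdown
    return {
        "first_forwarded": first,
        "second_forwarded": second,
        "secure_addresses": sorted(port.secure_addresses),
        "reject_count": port.reject_count,
        "shutdown": port.shutdown,
        "traps": len(port.traps),
    }


if __name__ == "__main__":
    print(demo())
```

Setting `max_secure=1` reproduces the "one station has the full bandwidth of the port" case from the table: the first source address seen is learned, and every later frame from a different address is counted as a reject and triggers the configured action.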
Note: Only a static-access port can be a secure port. You cannot enable port security on a network port, an ATM port, a multi-VLAN port, a dynamic-access port, a trunk port, a port group, or a monitor port.
To enable port security and define actions for address violations:
Note: To fully secure a port, you can disable flooding to the port from the Flooding Controls page. To display this page, select Port > Flooding Controls from the menu bar.