Port Security

Configuring a secure port prevents unknown devices from connecting to the port without your knowledge. If you limit port access to the attached device only, the attached device is guaranteed the full port bandwidth. When a port is secure, a user-specified action occurs whenever an address-security violation occurs. This action is either an SNMP trap (see SNMP Configuration help for details), a shutdown of the receiving port, or both. Address-security violations occur under the following conditions:

With the Port Security page, you can:

Checking Port Security Settings

Fields in the port security table have these meanings:

Interface
    Identifies the port: FastEthernet, Gigabit Ethernet, ATM, the module or slot number (0, 1, 2), and port number.
Security
    Enables port security.
Trap
    Specifies a trap (alert) as the violation action. The trap is sent to the management station you defined as the trap manager on the SNMP Management page (select Device > SNMP Management).
Shutdown
    Specifies that the port will be disabled if a violation occurs.
Secure Address Count
    Displays the number of secure addresses that are defined for the port. This field is read only. You must configure a secure port with at least one address. You define secure addresses for the port on the Address Management page.
Maximum Secure Address Count
    Modifies the number of secure addresses that can be associated with this port. You can enter a number from 1 to 132 in this field; entering 1 means that one station has the full bandwidth of the port. By default, this field is set to 132 when security is enabled for the port.
Security Reject Count
    Displays the number of unauthorized addresses that have arrived on this port. This field is read only. When a secured port receives a packet with an address that is not associated with it, the switch does not forward the packet and can generate a trap or disable the port.

Configuring a Secure Port

A secured port can support up to 132 device addresses, which you specify as secure MAC addresses on the Address Management window. If you do not assign device addresses, they are sticky learned; the port learns the source address of incoming packets, automatically assigns them as secure addresses, and continues learning until the table contains the maximum number of secure addresses defined for the port. If a secure address is deleted from the address table, the port begins sticky learning again. When port security is enabled, the Maximum Addresses field is automatically set to 132.
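The following is an added example, not code from the switch or this help page: a small model of the secure-port behaviour described above (static or sticky-learned secure addresses, a Maximum Addresses value of 1 to 132, and a trap and/or shutdown violation action). Port names and MAC addresses are constructed values, and the `traps` list stands in for the SNMP traps a real switch would send.

```python
# Added example (not the switch's own code): a model of the secure-port
# behaviour this page describes: static or sticky-learned secure addresses,
# a maximum address count of 1..132, and a trap and/or shutdown violation action.
MAX_SECURE_ADDRESSES = 132  # upper bound stated on this page


class SecurePort:
    def __init__(self, name, trap=False, shutdown=False,
                 max_addresses=MAX_SECURE_ADDRESSES, static_addresses=()):
        if not 1 <= max_addresses <= MAX_SECURE_ADDRESSES:
            raise ValueError("Maximum Addresses must be between 1 and 132")
        self.name = name
        self.trap = trap              # "Send Trap" violation action
        self.shutdown = shutdown      # "Shutdown Port" violation action
        self.max_addresses = max_addresses
        self.secure = set(static_addresses)  # addresses assigned on Address Management
        self.reject_count = 0         # "Security Reject Count"
        self.enabled = True
        self.traps = []               # constructed stand-in for SNMP traps sent

    def receive(self, src_mac):
        """Handle a frame arriving with source address src_mac.
        Returns True if the frame is forwarded, False if it is dropped."""
        if not self.enabled:
            return False              # port was shut down by an earlier violation
        if src_mac in self.secure:
            return True
        if len(self.secure) < self.max_addresses:
            self.secure.add(src_mac)  # sticky learning until the table is full
            return True
        # Unknown source address on a full table: an address-security violation.
        self.reject_count += 1
        if self.trap:
            self.traps.append((self.name, src_mac))
        if self.shutdown:
            self.enabled = False
        return False

    def remove_secure_address(self, mac):
        """Deleting a secure address lets the port resume sticky learning."""
        self.secure.discard(mac)


if __name__ == "__main__":
    # Maximum Addresses = 1: the attached device gets the full port bandwidth.
    port = SecurePort("Fa0/1", trap=True, shutdown=True, max_addresses=1)
    print(port.receive("00:11:22:33:44:55"))  # True, sticky-learned
    print(port.receive("66:77:88:99:aa:bb"))  # False, violation, port shut down
    print(port.reject_count, port.enabled, port.traps)
```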

Note: Only a static-access port can be a secure port. You cannot enable port security on a network port, an ATM port, a multi-VLAN port, a dynamic-access port, a trunk port, a port group, or a monitor port.

To enable port security and define actions for address violations:

  1. From the port table on the Port Security window, select one or more ports to modify.
    To select multiple ports, hold down the Ctrl key and click individual ports, or hold down the Shift key and click the first and last ports in a range.
  2. Click Modify to display the Port Security Configuration dialog box.
  3. In the Security Status section, select Enable from the drop-down list.
  4. In the Violation Action section, make one or both of the following selections:
    Select Enable from the Send Trap drop-down menu to send an alert to the SNMP trap manager (the management station you define as the trap manager on the SNMP Configuration page).
    Select Enable from the Shutdown Port drop-down menu to disable the port if a violation occurs.
    If you enable Send Trap and Shutdown Port, the switch takes both actions if a violation occurs.
  5. Specify the Maximum Addresses, if necessary.
    Enter a number from 1 to 132. To guarantee the attached device full port bandwidth, set Maximum Addresses to 1.
    Note: You must enable port security before you can change the Maximum Addresses field.
  6. Click OK to put your changes in effect and close the Port Security Configuration dialog box.
  7. Click OK to close the Port Security window.

Note: To fully secure a port, you can disable flooding to the port from the Flooding Controls page. To display this page, select Port > Flooding Controls from the menu bar.