Understanding How Port Security Works
You can use port security to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the
MAC address of the station attempting to access the port differs from every MAC address that is
specified for that port. Alternatively, you can use port security to filter the traffic that is destined to
or received from a specific host, based on the host MAC address.
These sections describe the traffic filtering methods:
• Allowing the Traffic Based on the Host MAC Address
• Restricting the Traffic Based on the Host MAC Address
• Blocking the Unicast Flood Packets on the Secure Ports
Allowing the Traffic Based on the Host MAC Address
The total number of MAC addresses that you can specify per port is limited as follows:
• In software releases prior to 8.1(1), the total number of MAC addresses that you can specify per port
is limited to the global resource of 1024 plus 1 default MAC address. The total number of MAC
addresses on any port cannot exceed 1025.
• In software release 8.1(1) and later releases, the total number of MAC addresses that you can specify
per port is limited to the global resource of 4096 plus 1 default MAC address. The total number of
MAC addresses on any port cannot exceed 4097.
The global resource is shared by all ports of the switch; only the addresses beyond each port's single
default address are drawn from it. Whether you allocate the maximum number of MAC addresses for
each port depends on your network configuration. These combinations are examples of valid allocations
for software releases prior to 8.1(1); the logic is the same for software release 8.1(1) and later releases:
• 1025 (1 + 1024) addresses on 1 port and 1 address each on the rest of the ports.
• 513 (1 + 512) each on 2 ports in a system and 1 address each on the rest of the ports.
• 901 (1 + 900) on 1 port, 101 (1 + 100) on another port, 25 (1 + 24) on the third port, and 1 address
each on the rest of the ports.
After you allocate the maximum number of MAC addresses on a port, you can either specify the secure
MAC addresses for the port manually or have the port learn the MAC addresses of the connected devices
dynamically. Of the allocated maximum on a port, you can configure all addresses manually, allow all
of them to be learned dynamically, or configure some manually and let the rest be learned dynamically.
Once you manually configure or autoconfigure the addresses, they are stored in nonvolatile RAM
(NVRAM) and maintained after a reset. Addresses that have been learned dynamically are not saved,
so a reset of the switch clears all of them.
After you allocate a maximum number of MAC addresses on a port, you can specify how long the
addresses on the port remain secure. After the age time expires, the MAC addresses on the port become
insecure. By default, all addresses on a port are secured permanently.
If a security violation occurs, you can configure the port to go into shutdown mode or restrictive mode.
In shutdown mode you specify whether the port is disabled permanently or only for a specified time;
the default is for the port to shut down permanently. In restrictive mode the port remains enabled
during a security violation and drops only the packets that are coming in from the insecure hosts.
Note that with a permanent shutdown a single unexpected source address takes the port out of service,
including for its legitimate hosts, until it is re-enabled, whereas restrictive mode keeps the secure
hosts on the port working.
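The following simulation is an added example and is not Cisco's software or configuration syntax: it models the rules from this section (the shared global pool of 1024 or 4096 addresses plus one default address per port, manual versus dynamically learned addresses, what a reset keeps, aging, and the shutdown and restrictive violation modes) so that the allocation examples above and the behaviour of each violation mode can be checked against constructed traffic. The class, method and field names, the time units, and the choice to age every secure address on a port alike are assumptions of this example.

```python
"""Simulation of the port-security rules described above (added example, not
Cisco's software). Class, method and field names are this example's own; the
age timer is applied to every secure address on a port because the text does
not distinguish manually configured from learned addresses there."""
from dataclasses import dataclass

POOL_BEFORE_8_1 = 1024        # global secure-MAC pool before release 8.1(1)
POOL_8_1_AND_LATER = 4096     # global pool from release 8.1(1) onward
PERMANENT = float("inf")


@dataclass
class SecureMac:
    static: bool     # True = configured manually (kept in NVRAM), False = learned
    since: float     # time the address became secure, used for aging


class Port:
    def __init__(self):
        self.maximum = 1             # one default address, not drawn from the pool
        self.secure = {}             # mac -> SecureMac
        self.age = 0                 # age time; 0 = addresses stay secure permanently
        self.violation = "shutdown"  # "shutdown" (default) or "restrict"
        self.shutdown_time = 0       # 0 = shut down permanently (default)
        self.disabled_until = None   # None = port up; a time, or PERMANENT


class PortSecurity:
    def __init__(self, port_names, pool=POOL_BEFORE_8_1):
        self.pool = pool
        self.ports = {n: Port() for n in port_names}

    def pool_in_use(self):
        # only addresses beyond each port's single default one consume the pool
        return sum(p.maximum - 1 for p in self.ports.values())

    def set_maximum(self, name, maximum):
        port = self.ports[name]
        if maximum < 1:
            raise ValueError("a port always keeps its one default address")
        if self.pool_in_use() - (port.maximum - 1) + (maximum - 1) > self.pool:
            raise ValueError(f"{name}: global pool of {self.pool} addresses exhausted")
        port.maximum = maximum

    def add_static(self, name, mac, now=0.0):
        port = self.ports[name]
        if mac not in port.secure and len(port.secure) >= port.maximum:
            raise ValueError(f"{name}: maximum of {port.maximum} addresses reached")
        port.secure[mac] = SecureMac(static=True, since=now)

    def expire(self, name, now):
        """Addresses older than the port's age time stop being secure (age 0 = never)."""
        port = self.ports[name]
        if port.age:
            port.secure = {m: s for m, s in port.secure.items() if now - s.since < port.age}

    def receive(self, name, mac, now):
        """A frame from `mac` arrives on the port; returns what the switch does with it."""
        port = self.ports[name]
        if port.disabled_until is not None:
            if now < port.disabled_until:
                return "dropped-port-disabled"
            port.disabled_until = None          # timed shutdown has elapsed
        self.expire(name, now)
        if mac in port.secure:
            return "forwarded"
        if len(port.secure) < port.maximum:
            port.secure[mac] = SecureMac(static=False, since=now)   # learned dynamically
            return "learned"
        # violation: unknown station on a port whose secure table is full
        if port.violation == "restrict":
            return "dropped-restrict"           # port stays up; only this frame is dropped
        port.disabled_until = PERMANENT if port.shutdown_time == 0 else now + port.shutdown_time
        return "shutdown"

    def reset(self):
        """Switch reset: manually configured addresses survive (NVRAM), learned ones are lost."""
        for port in self.ports.values():
            port.secure = {m: s for m, s in port.secure.items() if s.static}


def demo():
    """Replay the third allocation example and both violation modes on constructed traffic."""
    ps = PortSecurity(["2/1", "2/2", "2/3"])
    ps.set_maximum("2/1", 901)      # 1 + 900
    ps.set_maximum("2/2", 101)      # 1 + 100
    ps.set_maximum("2/3", 25)       # 1 + 24: the 1024-address pool is now fully used
    try:
        ps.set_maximum("2/2", 102)  # would need 1025 pool addresses
        rejected = False
    except ValueError:
        rejected = True
    sw = PortSecurity(["3/1", "3/2"])
    sw.set_maximum("3/1", 2)
    sw.add_static("3/1", "00-00-0c-aa-aa-aa")
    r1 = sw.receive("3/1", "00-00-0c-bb-bb-bb", now=1)    # fills the second slot dynamically
    r2 = sw.receive("3/1", "00-00-0c-cc-cc-cc", now=2)    # third station: default permanent shutdown
    r3 = sw.receive("3/1", "00-00-0c-aa-aa-aa", now=500)  # even the legitimate host is cut off
    sw.reset()
    kept = sorted(sw.ports["3/1"].secure)                  # only the static address remains
    sw.ports["3/2"].violation = "restrict"
    sw.ports["3/2"].age = 10
    r4 = sw.receive("3/2", "00-00-0c-dd-dd-dd", now=0)    # learned into the one default slot
    r5 = sw.receive("3/2", "00-00-0c-ee-ee-ee", now=1)    # restrict: dropped, port stays up
    r6 = sw.receive("3/2", "00-00-0c-ee-ee-ee", now=11)   # dd aged out, so ee can be learned
    return dict(rejected=rejected, r1=r1, r2=r2, r3=r3, kept=kept, r4=r4, r5=r5, r6=r6)
```

Running `demo()` shows the two operational consequences worth planning for: with the default permanent shutdown, the third station on port 3/1 takes the port down for its legitimate host as well, and after the reset only the manually configured address is still secure, so the dynamically learned host has to be relearned before it is forwarded again.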
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7, Chapter 38, Configuring Port Security, OL-8978-04