Port Security for Ethernet Switches

The port security feature enables you to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the MAC address of the station attempting to access the port differs from any of the MAC addresses specified for that port. This functionality is also referred to as MAC address lockdown.

The global resource for the system varies based on the switch platform and amount of memory available. For example, the 2900 series XL switch has a global resource limitation of 1024 MAC addresses. In addition to this global resource space, there is space for one default MAC address per port to be secured. The total number of MAC addresses that can be specified per port is limited to the global resource of 1024 plus 1 default MAC address. The total number of MAC addresses on any port cannot exceed 1025.

The maximum number of MAC addresses for each port is determined by your network configuration. The following combinations are examples of valid allocations:

• 1025 (1 + 1024) addresses on 1 port and 1 address each on the rest of the ports

• 513 (1 + 512) addresses each on 2 ports in a system and 1 address each on the rest of the ports

• 901 (1 + 900) addresses on 1 port, 101 (1 + 100) addresses on another port, 25 (1 + 24) addresses on the third port, and 1 address each on the rest of the ports

After you allocate the maximum number of MAC addresses on a port, you can either specify the secure MAC address for the port manually or you can have the port dynamically configure the MAC address of the connected devices. Out of an allocated number of maximum MAC addresses on a port, you can manually configure all, allow all to be autoconfigured, or configure some manually and allow the rest to be autoconfigured. After addresses have been manually configured or autoconfigured, they are stored in nonvolatile RAM (NVRAM) and maintained after a reset.

After you allocate a maximum number of MAC addresses on a port, you can specify how long addresses on the specified port will remain secure. After the age time expires, the MAC addresses on the port become insecure. By default, all addresses on a port are secured permanently.

In the event of a security violation, you can configure the port to go into shutdown, protect, or restrictive mode. The shutdown mode option enables you to specify whether the port is permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The protect mode option sets a maximum number of allowed MAC addresses per port. If the maximum number of MAC addresses is reached, the switch drops the packets with unknown source addresses until the number drops below the maximum value. The restrictive mode option enables you to configure the port to remain enabled during a security violation and drop only packets that are coming in from insecure hosts.

When a secure port receives a packet, the source MAC address of the packet is compared to the list of secure source addresses that were manually configured or autoconfigured (learned) on the port. If a MAC address of a device attached to the port differs from the list of secure addresses, the port shuts down permanently (default mode), shuts down for the time you have specified, or drops incoming packets from the insecure host. The port's behavior depends on how you configure it to respond to a security violation.

When a security violation occurs, the link light-emitting diode (LED) for that port turns orange, and a link-down trap is sent to the SNMP manager. An SNMP trap is not sent if you configure the port for restrictive violation mode; a trap is sent only if you configure the port to shut down during a security violation.
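The following Python model, added here as an example and not Cisco code, walks through the per-frame decision described above (secure-list lookup, autoconfiguration up to the port's allocation, aging, and the shutdown, protect and restrictive violation modes) and checks the 1024-plus-one-default-per-port allocation rule against the combinations listed earlier. Class and method names, action strings and the MAC addresses used are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GLOBAL_SECURE_LIMIT = 1024  # 2900 XL figure from the text; plus 1 default address per port


def allocation_is_valid(per_port_max: List[int], global_limit: int = GLOBAL_SECURE_LIMIT) -> bool:
    """Every port gets one default address; the remainder draws on the shared pool."""
    return all(m >= 1 for m in per_port_max) and sum(m - 1 for m in per_port_max) <= global_limit


@dataclass
class SecurePort:
    max_addrs: int
    mode: str = "shutdown"                  # "shutdown", "protect" or "restrict"
    shutdown_time: Optional[float] = None   # None = permanent shutdown (the default)
    age_time: Optional[float] = None        # None = addresses secured permanently
    secure: Dict[str, float] = field(default_factory=dict)   # MAC -> time it was secured
    down_until: Optional[float] = None      # float("inf") while permanently shut down
    traps: List[Tuple[str, str]] = field(default_factory=list)

    def add_static(self, mac: str, now: float = 0.0) -> None:
        """Manually configure a secure address within the port's allocation."""
        if len(self.secure) >= self.max_addrs:
            raise ValueError("port allocation exhausted")
        self.secure[mac] = now

    def _expire(self, now: float) -> None:
        """After the age time, secured addresses become insecure again."""
        if self.age_time is not None:
            self.secure = {m: t for m, t in self.secure.items() if now - t < self.age_time}

    def handle_frame(self, src_mac: str, now: float = 0.0) -> str:
        if self.down_until is not None:
            if now < self.down_until:
                return "port-down"
            self.down_until = None            # timed shutdown has elapsed; port re-enables
        self._expire(now)
        if src_mac in self.secure:
            return "forward"
        if len(self.secure) < self.max_addrs:
            self.secure[src_mac] = now        # autoconfigure (learn) the address
            return "learned"
        # Violation: unknown source on a port whose allocation is already full.
        if self.mode == "shutdown":
            self.down_until = float("inf") if self.shutdown_time is None else now + self.shutdown_time
            self.traps.append(("link-down", src_mac))   # trap is sent only in shutdown mode
            return "shutdown"
        return "dropped"   # protect and restrict keep the port up and drop the offending frame
```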

Configuring Port Security

Consider the following when configuring port security:

• You cannot configure port security on a trunk port.

• You cannot enable port security on a Switched Port Analyzer (SPAN) destination port and vice versa.

• You cannot configure dynamic, static, or permanent content-addressable memory (CAM) entries on a secure port.

• When you enable port security on a port, any static or dynamic CAM entries associated with the port are cleared; any currently configured permanent CAM entries are treated as secure.
