IBM 12.1(22)EA6 User Manual
15-5
Cisco Systems Intelligent Gigabit Ethernet Switch Modules for the IBM BladeCenter, Software Configuration Guide
24R9746
Chapter 15 Configuring Port-Based Traffic Control
Configuring Port Security
Secure MAC Addresses
You can configure these types of secure MAC addresses:
•
Static secure MAC addresses—These are manually configured by using the switchport
port-security mac-address mac-address interface configuration command, stored in the address
table, and added to the switch running configuration.
port-security mac-address mac-address interface configuration command, stored in the address
table, and added to the switch running configuration.
•
Dynamic secure MAC addresses—These are dynamically learned, stored only in the address table,
and removed when the switch restarts.
and removed when the switch restarts.
•
Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in
the address table, and added to the running configuration. If these addresses are saved in the
configuration file, the interface does not need to dynamically relearn them when the switch restarts.
Although sticky secure addresses can be manually configured, we do not recommend it.
the address table, and added to the running configuration. If these addresses are saved in the
configuration file, the interface does not need to dynamically relearn them when the switch restarts.
Although sticky secure addresses can be manually configured, we do not recommend it.
You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses
and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter
the switchport port-security mac-address sticky interface configuration command. When you enter
this command, the interface converts all the dynamic secure MAC addresses, including those that were
dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.
and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter
the switchport port-security mac-address sticky interface configuration command. When you enter
this command, the interface converts all the dynamic secure MAC addresses, including those that were
dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.
The sticky secure MAC addresses do not automatically become part of the configuration file, which is
the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses
in the configuration file, when the switch restarts, the interface does not need to relearn these addresses.
If you do not save the configuration, they are lost.
the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses
in the configuration file, when the switch restarts, the interface does not need to relearn these addresses.
If you do not save the configuration, they are lost.
If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure
addresses and are removed from the running configuration.
addresses and are removed from the running configuration.
A secure port can have from 1 to 132 associated secure addresses. The total number of available secure
addresses on the switch is 1024.
addresses on the switch is 1024.
Security Violations
It is a security violation when one of these situations occurs:
•
The maximum number of secure MAC addresses have been added to the address table, and a station
whose MAC address is not in the address table attempts to access the interface.
whose MAC address is not in the address table attempts to access the interface.
•
An address learned or configured on one secure interface is seen on another secure interface in the
same VLAN.
same VLAN.
You can configure the interface for one of three violation modes, based on the action to be taken if a
violation occurs:
violation occurs:
•
protect—When the number of secure MAC addresses reaches the limit allowed on the port, packets
with unknown source addresses are dropped until you remove a sufficient number of secure MAC
addresses or increase the number of maximum allowable addresses. You are not notified that a
security violation has occurred.
with unknown source addresses are dropped until you remove a sufficient number of secure MAC
addresses or increase the number of maximum allowable addresses. You are not notified that a
security violation has occurred.
•
restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets
with unknown source addresses are dropped until you remove a sufficient number of secure MAC
addresses or increase the number of maximum allowable addresses. In this mode, you are notified
that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is
logged, and the violation counter increments.
with unknown source addresses are dropped until you remove a sufficient number of secure MAC
addresses or increase the number of maximum allowable addresses. In this mode, you are notified
that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is
logged, and the violation counter increments.
•
shutdown—In this mode, a port security violation causes the interface to immediately become
error-disabled, and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and
increments the violation counter. When a secure port is in the error-disabled state, you can bring it
error-disabled, and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and
increments the violation counter. When a secure port is in the error-disabled state, you can bring it