Cisco Support Community
The Port Security page is used to increase security on the switch. Ports can be locked with port security. Access to a locked port is limited to users with specific MAC addresses. These MAC addresses are either statically defined on the port or learned on the port, up to the maximum number of MAC addresses allowed. When a packet from an unknown MAC address arrives on a locked port, port security can forward the packet, discard the packet with no trap, discard the packet with a trap, or shut down the port.
This article explains how to configure port security on the SFE / SGE Stackable Managed Switches.
• SFE / SGE Stackable Managed Switches
Step 1. Log in to the web configuration utility and choose Security Suite > Traffic Control > Port Security. The Port Security page opens.
Step 2. Click the radio button that corresponds to the desired interfaces that you want to edit.
• Ports — Displays the port security configuration of the ports.
• LAGs — Displays the port security configuration of the LAGs.
Step 3. Click Edit to edit the interface. The Edit Port Security window appears.
Step 4. (Optional) Click the radio button that corresponds to the desired interface that you want to edit in the Interface field.
• Port — From the Port drop-down list choose the port to configure. This will only affect the single port chosen.
• LAG — From the LAG drop-down list choose the LAG to configure. This will affect the group of ports defined in the LAG configuration.
Step 5. Check Lock Interface to lock the interface.
Step 6. From the Learning Mode drop-down list choose a learning mode. The learning mode defines the locked port type.
• Classic Lock — The port is locked regardless of the number of addresses that have already been learned.
• Limited Dynamic Lock — Deletes the current dynamic MAC addresses associated with the port to lock the port. The port learns up to the maximum addresses allowed on the port.
Note: The interface must be unlocked to change the learning mode.
Step 7. Enter the maximum number of MAC addresses that can be learned on the interface in the Max Entries field.
Step 8. From the Action on Violation drop-down list choose an action to be taken when a packet arrives on a locked port.
• Discard — Discards the packet from any unlearned source.
• Forward — Forwards the packet from an unknown source without learning the MAC address.
• Shutdown — Discards the packet from any unlearned source and shuts down the port. The port will remain shut down until it is reactivated or the switch is reset.
Step 9. Check Enable Trap to send a trap when a packet is received on a locked port. Traps are generated SNMP messages used to report system events. The trap will force the connected device to send an SNMP message to the single host, reporting that a violation has occurred.
Step 10. Enter the desired time allowed between sent traps in the Trap Frequency field.
Step 11. Click Apply.
Caution: This only saves your configuration to the running configuration file. This means any changes made will be lost if the device is rebooted. If you wish to save these changes even after a system reboot, you need to copy the running configuration file to the startup configuration file. See Copy Configuration File on SFE/SGE Series Managed Switches for more information on how to do this.
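The following Python model is an added example, not Cisco code and not part of the original article. It walks through how the settings from Steps 5 to 10 interact on one locked port. Assumptions: Classic Lock keeps addresses learned before the lock, Max Entries counts learned addresses only, a trap is raised for every violation action when Enable Trap is checked, and the class, field and return-value names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class LockedPort:
    """Toy model of one locked interface; not switch firmware."""
    mode: str                      # "classic" or "limited-dynamic"
    action: str                    # "discard", "forward" or "shutdown"
    max_entries: int = 1           # Max Entries (learned addresses only)
    static: set = field(default_factory=set)
    learned: set = field(default_factory=set)
    trap: bool = False             # Enable Trap
    trap_frequency: int = 10       # seconds between traps
    up: bool = True
    traps: list = field(default_factory=list)
    last_trap: Optional[float] = None

    def lock(self):
        # Limited Dynamic Lock deletes the current dynamic addresses.
        # Assumption: Classic Lock keeps what was learned before the lock.
        if self.mode == "limited-dynamic":
            self.learned.clear()

    def receive(self, mac, now):
        if not self.up:
            return "port-down"
        if mac in self.static or mac in self.learned:
            return "forward"
        if self.mode == "limited-dynamic" and len(self.learned) < self.max_entries:
            self.learned.add(mac)
            return "forward"
        # Violation: unknown source on a locked port.
        due = self.last_trap is None or now - self.last_trap >= self.trap_frequency
        if self.trap and due:
            self.traps.append((now, mac))
            self.last_trap = now
        if self.action == "forward":
            return "forward-not-learned"
        if self.action == "shutdown":
            self.up = False
        return "discard"

def demo():
    # Constructed MAC addresses and timestamps (seconds).
    p = LockedPort("limited-dynamic", "shutdown", max_entries=2,
                   learned={"00:00:5e:00:53:01"}, trap=True)
    p.lock()
    frames = [("00:00:5e:00:53:0a", 0), ("00:00:5e:00:53:0b", 1),
              ("00:00:5e:00:53:0c", 2), ("00:00:5e:00:53:0a", 3)]
    return [p.receive(m, t) for m, t in frames], p.traps
```

With Shutdown selected, the third (unknown) address takes the port down, so the fourth frame is dropped even though its source was already learned; this is why Shutdown needs a process for reactivating ports.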