Port Security Function

1. Function Overview

Port security is a function that restricts communication on a port to permitted terminals only, preventing access from unauthorized (illegal) terminals.

3. Function Details

On ports where the port security function is enabled, you can pre-register the MAC addresses of the terminals whose communication you want to permit; only those terminals are then allowed to communicate.
Conversely, if a terminal that is not registered (an illegal terminal) accesses the port, this is treated as illegal access and its packets are discarded.
Depending on the settings, the port itself can also be shut down.

The port security function cannot be used simultaneously with the port authentication function.

3.1. Limiting the terminals that can access

Simply enable the port security function and use the port-security mac-address command to register the MAC addresses of the terminals you want to permit; only those terminals are then permitted access on that port.

4. Related Commands

Related commands are indicated below.
For details on the commands, refer to the Command Reference.

  Operations                                        Operating commands
  ------------------------------------------------  ---------------------------
  Set port security function                        port-security enable
  Register permitted MAC addresses                  port-security mac-address
  Set operation for when security violation occurs  port-security violation
  Show port security status                         show port-security status

5. Examples of Command Execution

5.1. Limiting the terminals that can access

Manually specify the MAC addresses so that only the permitted terminals can communicate.

  1. Enable port security on LAN port #1.

    Yamaha(config)#interface port1.1
    Yamaha(config-if)#port-security enable
  2. Register the MAC address that you want to permit.

    Yamaha(config)#port-security mac-address 00A0.DE00.0001 forward port1.1 vlan 1
    Yamaha(config)#port-security mac-address 00A0.DE00.0002 forward port1.1 vlan 1
  3. Check the port security status.

    Yamaha#show port-security status
     Port      Security  Action     Status    Last violation
     --------- --------- ---------- --------- ---------------------
     port1.1   Enabled   Discard    Normal    00A0.DE00.0003
     port1.2   Disabled  Discard    Normal
     port1.3   Disabled  Discard    Normal
     port1.4   Disabled  Discard    Normal
     port1.5   Disabled  Discard    Normal
     port1.6   Disabled  Discard    Normal
     port1.7   Disabled  Discard    Normal
     port1.8   Disabled  Discard    Normal
     port1.9   Disabled  Discard    Normal
     port1.10  Disabled  Discard    Normal
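Checking the show port-security status output by eye works for ten ports, but an operator collecting it from many switches usually wants violations surfaced automatically. The following parser is an added example, not part of the original page or the Yamaha firmware: it reads the table format shown above and reports every port with a recorded last violation or a status other than Normal. The sample text is constructed for the example (the port1.3 row with a shut-down port is invented to exercise the status check) and the function names are assumptions.

```python
import re

# Constructed sample in the layout of the show port-security status output above.
SAMPLE_STATUS = """\
 Port      Security  Action     Status    Last violation
 --------- --------- ---------- --------- ---------------------
 port1.1   Enabled   Discard    Normal    00A0.DE00.0003
 port1.2   Disabled  Discard    Normal
 port1.3   Enabled   Shutdown   Shutdown  00A0.DE00.0010
 port1.4   Disabled  Discard    Normal
"""

# One data row: port, Security, Action, Status and an optional Last violation MAC.
ROW_RE = re.compile(
    r"^\s*(port\S+)\s+(Enabled|Disabled)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$"
)


def parse_port_security_status(text):
    """Return one dict per port row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        port, security, action, status, last = m.groups()
        rows.append({
            "port": port,
            "security": security == "Enabled",
            "action": action,
            "status": status,
            "last_violation": last,   # None when the column is empty
        })
    return rows


def findings(rows):
    """(port, kind, detail) tuples an operator should look at."""
    out = []
    for r in rows:
        if r["last_violation"]:
            out.append((r["port"], "violation", r["last_violation"]))
        if r["status"] != "Normal":
            # Per the Points of Caution, a shut-down port stays in this state
            # until it links up again after no shutdown.
            out.append((r["port"], "status", r["status"]))
    return out


if __name__ == "__main__":
    for port, kind, detail in findings(parse_port_security_status(SAMPLE_STATUS)):
        print(f"{port}: {kind} {detail}")
```

The regex anchors on the lowercase port name, so the capitalised header row and the dashed separator are ignored without special casing; a port with no violation yields None in the last column rather than a misaligned field.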

6. Points of Caution

  • Use the no shutdown command to recover a port that has been shut down due to illegal access.
    The status shown by the show port-security status command does not return to Normal until the port links up again. (Until then it remains in the shutdown state.)

  • If the wrong port is specified with the port-security mac-address command, permitted traffic and violation frames will not be detected correctly.