Port Security Function
1. Function Overview
Port security is a function that limits communication to only permitted terminals, preventing access from illegal terminals.
3. Function Details
For ports on which the port security function is enabled, you can pre-register the MAC address of a terminal for which you want to permit communication, thereby allowing communication only for permitted terminals.
Conversely, if there is access from a terminal that is not registered (an illegal terminal), this is considered illegal access, and the packets are discarded.
Depending on the settings, the corresponding port can also be shut down.
The port security function cannot be used simultaneously with the port authentication function.
3.1. Limiting the terminals that can access
Simply by enabling the port security function, and using the port-security mac-address command to register the MAC addresses of the terminals for which you want to permit communication, you can limit the terminals that are permitted access.
4. Related Commands
Related commands are indicated below.
For details on the commands, refer to the Command Reference.
Operations | Operating commands
---|---
Set port security function | port-security enable
Register permitted MAC addresses | port-security mac-address
Set operation for when security violation occurs | port-security violation
Show port security status | show port-security status
5. Examples of Command Execution
5.1. Limiting the terminals that can access
Manually specify the MAC address so that only the permitted terminal can communicate.
- Enable port security on LAN port #1.
  Yamaha(config)#interface port1.1
  Yamaha(config-if)#port-security enable
- Register the MAC addresses that you want to permit.
  Yamaha(config)#port-security mac-address 00A0.DE00.0001 forward port1.1 vlan 1
  Yamaha(config)#port-security mac-address 00A0.DE00.0002 forward port1.1 vlan 1
- Check the port security status.
  Yamaha#show port-security status
  Port      Security  Action     Status    Last violation
  --------- --------- ---------- --------- ---------------------
  port1.1   Enabled   Discard    Normal    00A0.DE00.0003
  port1.2   Disabled  Discard    Normal
  port1.3   Disabled  Discard    Normal
  port1.4   Disabled  Discard    Normal
  port1.5   Disabled  Discard    Normal
  port1.6   Disabled  Discard    Normal
  port1.7   Disabled  Discard    Normal
  port1.8   Disabled  Discard    Normal
  port1.9   Disabled  Discard    Normal
  port1.10  Disabled  Discard    Normal
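As an added example that is not part of the Yamaha documentation, the following Python script parses the output of show port-security status shown above and reports enabled ports that recorded a violation or are no longer in the Normal state, which is the check an operator would run after a suspected illegal access. The sample output is constructed from the page; the port1.2 row and the "Shutdown" action and status keywords are assumptions, not values taken from the page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample based on the output shown on this page. The port1.2 row with
# a "Shutdown" action/status is an assumption added to exercise that branch.
SAMPLE_OUTPUT = """\
Yamaha#show port-security status
Port      Security  Action     Status    Last violation
--------- --------- ---------- --------- ---------------------
port1.1   Enabled   Discard    Normal    00A0.DE00.0003
port1.2   Enabled   Shutdown   Shutdown  00A0.DE00.0004
port1.3   Disabled  Discard    Normal
"""

@dataclass
class PortStatus:
    port: str
    enabled: bool
    action: str
    status: str
    last_violation: Optional[str]  # MAC of the last unregistered terminal, if any

# One data row: port, Enabled/Disabled, action, status, optional MAC (xxxx.xxxx.xxxx).
ROW_RE = re.compile(
    r"^(?P<port>port\d+\.\d+)\s+(?P<security>Enabled|Disabled)\s+(?P<action>\S+)\s+"
    r"(?P<status>\S+)(?:\s+(?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}))?\s*$"
)

def parse_status(text: str) -> List[PortStatus]:
    """Parse 'show port-security status' output; prompt, header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(PortStatus(m["port"], m["security"] == "Enabled",
                                   m["action"], m["status"], m["mac"]))
    return rows

def findings(rows: List[PortStatus]) -> List[tuple]:
    """Return (port, message) pairs for enabled ports that need an operator's attention."""
    out = []
    for r in rows:
        if not r.enabled:
            continue  # port security is off here, so nothing was enforced or recorded
        if r.last_violation:
            out.append((r.port, f"unregistered MAC {r.last_violation} seen, action={r.action}"))
        if r.status != "Normal":
            out.append((r.port, f"status is {r.status}; check the port before 'no shutdown'"))
    return out
```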
6. Points of Caution
- Use the no shutdown command to recover a port that has shut down due to illegal access. The status shown by the show port-security status command will not return to Normal until the port links up (it remains in the shutdown state until then).
- If the wrong port is specified with the port-security mac-address command, traffic and violation frames will not be correctly detected.