Users Guide

802.1X port access control
802.1X defines port-based network access control that prevents unauthorized devices or users from connecting to a network:
until the attached device authenticates, the port forwards only the authentication exchange itself. For more information
about 802.1X, see 802.1X.
Port security
Use the port security feature to restrict the number of workstations that can send traffic through an interface and to control
MAC address movement.
Port security is a package of the following sub features that provide added security to the system:
1. MAC address learning limit (MLL)
2. Sticky MAC
3. MAC address movement control
Use the port security feature to define the number of workstations that can send traffic through an interface. MAC addresses
that are learned or statically configured on a port-security-enabled interface are called secure MAC addresses.
NOTE: Port security features are not supported in a VLT setup.
There are three types of secure MAC addresses:
1. Static secure MAC addresses are configured manually. These MAC addresses are stored both in the MAC address table
and in the running configuration of the switch. Similar to static MAC addresses, when the system reloads, the system
does not remove the static secure MAC addresses. When you enable port security on an interface, all existing static MAC
addresses become static secure MAC addresses. These static secure MAC addresses remain in the system until you remove
them.
2. Dynamic secure MAC addresses are dynamically-learned by the switch and stored in the MAC address table. These MAC
addresses are removed from the MAC address table when the switch restarts. By default, dynamic secure MAC addresses
do not age out.
3. Sticky secure MAC addresses are learned dynamically but are saved in the running configuration. Secure sticky MAC
addresses never age out.
After you enable port security on an interface, by default, the maximum number of MAC addresses that the interface can learn
is one. This limit counts both dynamic and static secure MAC addresses. After you enable port security on an interface, by
default, sticky MAC addresses and MAC movement are disabled on the interface.
MAC address learning limit
Using the MAC address learning limit, you set an upper bound on the number of MAC addresses that an interface can learn.
Limiting learned MAC addresses protects the switch from MAC flooding attacks, in which an attacker sends frames from many
spoofed source addresses to exhaust the MAC address table and force the switch to flood unicast traffic out every port. After
the configured limit is reached on an interface, by default, the system drops all traffic from any unknown device.
When you configure a MAC address learning limit, ensure that the number of static MAC addresses present on the system is not
greater than the limit that you configure. If the number of dynamically-learned MAC addresses is greater than the new limit,
the system flushes all dynamically-learned MAC addresses on that interface and relearns them up to the limit.
You can configure an interface to learn a maximum of 3072 MAC addresses. You can also disable the MAC address learning
limit feature so that the interface can learn the maximum number of MAC addresses that the system supports. Disabling the MAC
address learning limit feature does not remove the previously learned or configured secure MAC addresses.
MAC address movement
A MAC address movement happens when the system detects the same MAC address on an interface which it has already
learned through another port security-enabled interface on the same broadcast domain. MAC address movement is not allowed
for secure static and sticky MAC addresses. By default, MAC address movement for dynamically-learned MAC address is
disabled on the system.
Secure dynamic MAC address movement is allowed between port-security-enabled and port-security-disabled interfaces.
Sticky MAC addresses
When you reload the system, port security removes the dynamically learned secure MAC addresses. Use the sticky feature to
make dynamically learned secure MAC addresses persist across a reboot so that the interface does not have to learn them
again. Sticky addresses are written only to the running configuration; use the copy running-configuration
startup-configuration command to save them, otherwise they are lost on reload like any other unsaved configuration.
When you enable sticky MAC address learning on an interface, all existing dynamically-learned MAC addresses and MAC
addresses that are learned in the future are converted to sticky MAC addresses.
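The following Python model, added here as an illustration and not part of this guide or of the Dell OS10 software, walks through the three sub features together: a frame arriving on an interface is forwarded or dropped according to the learning limit, static, sticky and dynamic secure entries are tracked with their movement rules, lowering the limit flushes dynamic entries, enabling sticky converts existing dynamic entries, and a reload keeps only what was saved to the startup configuration. The interface names, MAC values, the rejection of a limit below the static count, and the choice to treat the MAC movement setting as per-interface are assumptions made for the example.

```python
# Added example: a model of the port-security behaviour this section
# describes (learning limit, MAC movement control, sticky MACs). Not Dell OS10
# code; names, MAC values and the per-interface move setting are assumptions.
from dataclasses import dataclass

MAX_LIMIT = 3072  # largest per-interface learning limit stated above


@dataclass
class Port:
    secure: bool = False    # port security enabled on this interface
    limit: int = 1          # default once enabled: one secure MAC
    sticky: bool = False    # default off
    mac_move: bool = False  # default off for dynamic secure MACs


class Switch:
    def __init__(self):
        self.ports = {}
        # mac -> (port, kind): 'static'/'dynamic'/'sticky' are secure MACs,
        # 'plain' is an ordinary entry learned on an unsecured port.
        self.mac_table = {}
        self.running_config = set()  # (port, mac, kind) of static/sticky MACs
        self.startup_config = set()
        self.drops = []

    def macs(self, port, kinds=('static', 'dynamic', 'sticky')):
        return sorted(m for m, (p, k) in self.mac_table.items()
                      if p == port and k in kinds)

    def _drop(self, msg):
        self.drops.append(msg)
        return False

    def add_static(self, port, mac):  # in the MAC table and running config
        self.mac_table[mac] = (port, 'static')
        self.running_config.add((port, mac, 'static'))

    def set_limit(self, port, limit):
        # assumed: a limit below the static MAC count is rejected outright
        if not 0 < limit <= MAX_LIMIT or len(self.macs(port, ('static',))) > limit:
            raise ValueError("limit out of range or below the static MAC count")
        dyn = self.macs(port, ('dynamic',))
        if len(dyn) > limit:  # text: all dynamically learned MACs are flushed
            for m in dyn:
                del self.mac_table[m]
        self.ports[port].limit = limit

    def enable_sticky(self, port):
        self.ports[port].sticky = True
        for mac in self.macs(port, ('dynamic',)):  # existing entries convert
            self.mac_table[mac] = (port, 'sticky')
            self.running_config.add((port, mac, 'sticky'))

    def receive(self, port, mac):
        """True if a frame from `mac` arriving on `port` is forwarded."""
        cfg, known = self.ports[port], self.mac_table.get(mac)
        if known and known[0] == port:
            return True
        if known:  # MAC already learned on another interface: a move
            old, kind = known
            if kind in ('static', 'sticky'):
                return self._drop(f"{mac}: {kind} entry on {old} cannot move")
            if kind == 'dynamic' and cfg.secure and not cfg.mac_move:
                return self._drop(f"{mac}: dynamic move {old}->{port} disabled")
            del self.mac_table[mac]  # secured<->unsecured move is permitted
        if not cfg.secure:
            self.mac_table[mac] = (port, 'plain')
            return True
        if len(self.macs(port)) >= cfg.limit:
            return self._drop(f"{mac}: {port} at learning limit {cfg.limit}")
        kind = 'sticky' if cfg.sticky else 'dynamic'
        self.mac_table[mac] = (port, kind)
        if kind == 'sticky':
            self.running_config.add((port, mac, 'sticky'))
        return True

    def copy_run_start(self):
        self.startup_config = set(self.running_config)

    def reload(self):  # only saved static/sticky entries survive a reload
        self.running_config = set(self.startup_config)
        self.mac_table = {m: (p, k) for p, m, k in self.startup_config}


def demo():
    """Walk through the behaviours above and return what was observed."""
    sw = Switch()
    sw.ports['eth1/1/1'] = Port(secure=True, limit=3)
    sw.ports['eth1/1/2'] = Port(secure=True)  # default limit 1, no sticky/move
    sw.ports['eth1/1/3'] = Port()             # port security disabled
    sw.add_static('eth1/1/1', 'aa:aa:aa:aa:aa:01')
    sw.receive('eth1/1/1', 'aa:aa:aa:aa:aa:02')
    sw.receive('eth1/1/1', 'aa:aa:aa:aa:aa:03')
    r = {'over_limit': sw.receive('eth1/1/1', 'aa:aa:aa:aa:aa:04'),
         'static_move': sw.receive('eth1/1/3', 'aa:aa:aa:aa:aa:01'),
         'dyn_move_secured': sw.receive('eth1/1/2', 'aa:aa:aa:aa:aa:02'),
         'dyn_move_unsecured': sw.receive('eth1/1/3', 'aa:aa:aa:aa:aa:02')}
    sw.receive('eth1/1/1', 'aa:aa:aa:aa:aa:04')  # room again after the move
    sw.set_limit('eth1/1/1', 1)                  # two dynamic > 1: flushed
    r['after_flush'] = sw.macs('eth1/1/1')
    sw.receive('eth1/1/2', 'aa:aa:aa:aa:aa:05')  # learned as dynamic secure
    sw.enable_sticky('eth1/1/2')                 # converted to sticky
    r['sticky'] = sw.mac_table['aa:aa:aa:aa:aa:05']
    sw.copy_run_start()
    sw.reload()
    r['after_reload'] = sorted(sw.mac_table)
    return {**r, 'drops': sw.drops}
```

Run `demo()` and inspect the returned dictionary: the fourth address on eth1/1/1 and both disallowed moves are dropped, the move of a dynamic secure address to the unsecured eth1/1/3 succeeds, lowering the limit to one flushes the two dynamic entries but keeps the static one, and after the reload only the saved static and sticky entries remain. Skipping `copy_run_start()` before `reload()` shows the sticky entry vanishing as well.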