Catalyst 6500 Series Software Configuration Guide, 8.7
Configuring Port Security

Table Of Contents

Configuring Port Security

Understanding How Port Security Works

Allowing the Traffic Based on the Host MAC Address

Restricting the Traffic Based on the Host MAC Address

Blocking the Unicast Flood Packets on the Secure Ports

Understanding How MAC-Address Monitoring Works

Port Security Configuration Guidelines

Configuring Port Security on the Switch

Enabling Port Security

Setting the Maximum Number of Secure MAC Addresses

Automatically Configuring Dynamically Learned MAC Addresses

Setting the Port Security Age Time

Setting the Port Security Aging Type

Clearing the MAC Addresses

Configuring Unicast Flood Blocking on the Secure Ports

Specifying the Security Violation Action

Setting the Shutdown Timeout

Disabling Port Security

Restricting the Traffic Based on a Host MAC Address

Displaying Port Security

Configuring MAC-Address Monitoring

Configuring Global MAC-Address Monitoring

Monitoring the MAC Addresses in the CAM Table

Specifying the Polling Interval for Monitoring

Specifying the Lower Threshold for MAC-Address Monitoring

Specifying the Upper Threshold for MAC-Address Monitoring

Clearing the Configuration for MAC-Address Monitoring

Displaying the Configuration for the CAM Monitor

Displaying the Global Configuration for the CAM Monitor


Configuring Port Security


This chapter describes how to configure port security and how to limit the number of MAC addresses that are learned on the Catalyst 6500 series switches.


Note For complete syntax and usage information for the commands that are used in this chapter, refer to the Catalyst 6500 Series Switch Command Reference publication.



Note For information on configuring MAC address authentication bypass, see Chapter 41, "Configuring MAC Authentication Bypass."



Note For information on configuring 802.1X authentication to restrict the unauthorized devices from connecting to a LAN through the publicly accessible ports, see Chapter 40, "Configuring 802.1X Authentication."



Note For information on configuring authentication, authorization, and accounting (AAA) to monitor and control access to the command-line interface (CLI) on the Catalyst 6500 series switches, see Chapter 39, "Configuring the Switch Access Using AAA."



Note For information on configuring network admission control, see Chapter 44, "Configuring Network Admission Control."


This chapter consists of these sections:

Understanding How Port Security Works

Understanding How MAC-Address Monitoring Works

Port Security Configuration Guidelines

Configuring Port Security on the Switch

Configuring MAC-Address Monitoring

Understanding How Port Security Works

You can use port security to block input to an Ethernet, Fast Ethernet, or Gigabit Ethernet port when the MAC address of the station attempting to access the port is different from any of the MAC addresses that are specified for that port. Alternatively, you can use port security to filter the traffic that is destined to or received from a specific host that is based on the host MAC address.

These sections describe the traffic filtering methods:

Allowing the Traffic Based on the Host MAC Address

Restricting the Traffic Based on the Host MAC Address

Blocking the Unicast Flood Packets on the Secure Ports

Allowing the Traffic Based on the Host MAC Address

The total number of MAC addresses that you can specify per port is limited as follows:

In software releases prior to 8.1(1), the total number of MAC addresses that you can specify per port is limited to the global resource of 1024 plus 1 default MAC address. The total number of MAC addresses on any port cannot exceed 1025.

In software release 8.1(1) and later releases, the total number of MAC addresses that you can specify per port is limited to the global resource of 4096 plus 1 default MAC address. The total number of MAC addresses on any port cannot exceed 4097.

Whether you allocate the maximum number of MAC addresses for each port depends on your network configuration. These combinations are examples of the valid allocations for the software releases prior to 8.1(1); the logic is the same for software release 8.1(1) and later releases:

1025 (1 + 1024) addresses on 1 port and 1 address each on the rest of the ports.

513 (1 + 512) each on 2 ports in a system and 1 address each on the rest of the ports.

901 (1 + 900) on 1 port, 101 (1 + 100) on another port, 25 (1 + 24) on the third port, and 1 address each on the rest of the ports.

After you allocate the maximum number of MAC addresses on a port, you can either specify the secure MAC address for the port manually or you can have the port dynamically configure the MAC address of the connected devices. Out of an allocated number of maximum MAC addresses on a port, you can manually configure all, allow all to be learned dynamically, or configure some manually and allow the rest to be learned dynamically. Once you manually configure or autoconfigure the addresses, the addresses are stored in nonvolatile RAM (NVRAM) and maintained after a reset. The addresses that have been learned dynamically are not saved, so after a reset of the switch, all dynamically learned addresses are cleared.

After you allocate a maximum number of MAC addresses on a port, you can specify how long the addresses on the port will remain secure. After the age time expires, the MAC addresses on the port become insecure. By default, all addresses on a port are secured permanently.

If a security violation occurs, you can configure the port to go into shutdown mode or restrictive mode. The shutdown mode allows you to specify whether the port is to be permanently disabled or disabled for only a specified time. The default is for the port to shut down permanently. The restrictive mode allows you to configure the port to remain enabled during a security violation and drop only the packets that are coming in from the insecure hosts.


Note If you configure a secure port in restrictive mode, and a station is connected to the port whose MAC address is already configured as a secure MAC address on another port on the switch, the port in restrictive mode shuts down instead of restricting the traffic from that station. For example, if you configure MAC-1 as the secure MAC address on port 2/1 and MAC-2 as the secure MAC address on port 2/2 and then connect the station with MAC-1 to port 2/2 when port 2/2 is configured for restrictive mode, port 2/2 shuts down instead of restricting the traffic from MAC-1.


When a secure port receives a packet, the source MAC address of the packet is compared to the list of secure source addresses that were manually configured or learned dynamically on the port. If a MAC address of a device that is attached to the port differs from the list of secure addresses, the port either shuts down permanently (default mode), shuts down for the time that you have specified, or drops the incoming packets from the insecure host. The port's behavior depends on how you configure it to respond to a security violation.

If a security violation occurs, the LED labeled "Link" for that port turns orange, and a link-down trap is sent to the Simple Network Management Protocol (SNMP) manager. An SNMP trap is not sent if you configure the port for restrictive violation mode. A trap is sent only if you configure the port to shut down during a security violation.
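As an added illustration (not Cisco code or CatOS output), the following Python model simulates the secure-port behaviour described above: the global address pool (1024 before 8.1(1)) plus one default address per port, manually configured versus dynamically learned addresses, the shutdown (permanent or timed) and restrictive violation actions, the link-down trap, and the cross-port case from the Note. The Switch and SecurePort classes and their method names are assumptions made for the model; it also assumes all ports are in one VLAN and counts time in minutes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class SecurePort:
    name: str
    maximum: int = 1               # the one default address plus any share of the global pool
    violation: str = "shutdown"    # "shutdown" (default) or "restrict"
    shutdown_time: int = 0         # minutes; 0 keeps the port down permanently
    secure: Set[str] = field(default_factory=set)       # current secure address list
    configured: Set[str] = field(default_factory=set)   # manually configured subset (kept in NVRAM)
    down_until: Optional[int] = None   # None = up, -1 = permanently down, else re-enable minute
    dropped: List[str] = field(default_factory=list)    # sources dropped in restrictive mode
    traps: int = 0                     # link-down traps; only the shutdown action sends one

    def is_up(self, now: int) -> bool:
        if self.down_until is None:
            return True
        if self.down_until == -1 or now < self.down_until:
            return False
        self.down_until = None         # shutdown timeout expired: re-enabled, configuration kept
        return True

    def shut_down(self, now: int) -> None:
        self.down_until = -1 if self.shutdown_time == 0 else now + self.shutdown_time
        self.traps += 1


class Switch:
    """Holds the shared global address pool and the secure ports (all assumed in one VLAN)."""

    def __init__(self, global_pool: int = 1024):   # 1024 before 8.1(1), 4096 from 8.1(1)
        self.global_pool = global_pool
        self.ports: Dict[str, SecurePort] = {}

    def enable(self, name: str, **options) -> SecurePort:
        """set port security mod/port enable, then the maximum (which may exceed the pool)."""
        port = SecurePort(name, **options)
        wanted, port.maximum = port.maximum, 1
        self.ports[name] = port
        self.set_maximum(name, wanted)
        return port

    def set_maximum(self, name: str, maximum: int) -> None:
        """set port security mod/port maximum: every address above the default comes from the pool."""
        used = sum(p.maximum - 1 for n, p in self.ports.items() if n != name)
        if maximum - 1 > self.global_pool - used:
            raise ValueError(f"{name}: only {self.global_pool - used} global addresses are free")
        self.ports[name].maximum = maximum

    def configure_mac(self, name: str, mac: str) -> None:
        """set port security mod/port mac_addr: a manual entry, saved in NVRAM."""
        port = self.ports[name]
        if len(port.secure) >= port.maximum:
            raise ValueError(f"{name}: maximum of {port.maximum} secure addresses reached")
        port.secure.add(mac)
        port.configured.add(mac)

    def receive(self, name: str, src_mac: str, now: int = 0) -> str:
        """Return what the port does with a frame from src_mac arriving at minute `now`."""
        port = self.ports[name]
        if not port.is_up(now):
            return "port-down"
        if src_mac in port.secure:
            return "forward"
        # A station already secured on another port shuts this port down, even in restrictive mode.
        if any(src_mac in p.secure for n, p in self.ports.items() if n != name):
            port.shut_down(now)
            return "shutdown"
        if len(port.secure) < port.maximum:
            port.secure.add(src_mac)       # learned dynamically; lost on a switch reset
            return "learned"
        if port.violation == "restrict":   # port stays up, insecure source dropped, no trap
            port.dropped.append(src_mac)
            return "dropped"
        port.shut_down(now)
        return "shutdown"

    def reset(self) -> None:
        """Switch reset: dynamically learned addresses are cleared, configured ones survive."""
        for port in self.ports.values():
            port.secure = set(port.configured)


if __name__ == "__main__":
    sw = Switch()
    sw.enable("2/1", maximum=2, violation="restrict")
    sw.enable("2/2")
    sw.configure_mac("2/2", "00-90-2b-03-34-09")
    for mac in ("00-90-2b-03-34-08", "00-00-aa-00-00-01", "00-00-aa-00-00-02", "00-90-2b-03-34-09"):
        print(f"2/1 <- {mac}: {sw.receive('2/1', mac)}")
```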

Restricting the Traffic Based on the Host MAC Address

You can filter the traffic that is based on a host MAC address so that the packets that are tagged with a specific source MAC address are discarded. When you specify a MAC address filter with the set cam filter command, the incoming traffic from that host MAC address is dropped and the packets that are addressed to that host are not forwarded.


Note The set cam filter command allows filtering for the unicast addresses only. You cannot filter the traffic for the multicast addresses with this command.


Blocking the Unicast Flood Packets on the Secure Ports

You can block the unicast flood packets on a secure Ethernet port by disabling the unicast flood feature. If you disable the unicast flood on a port, the port drops the unicast flood packets when it reaches the allowed maximum number of MAC addresses.

The port automatically restarts the unicast flood packet learning when the number of MAC addresses drops below the maximum number that is allowed. The learned MAC address count decreases when a configured MAC address is removed or a time-to-live (TTL) counter expires.

Understanding How MAC-Address Monitoring Works

Because the Catalyst 6500 series switches learn the source MAC addresses automatically, the system is vulnerable to flooding of spoofed traffic and potential Denial of Service (DoS) attacks. To prevent the traffic flooding and the DoS attacks, you can monitor the number of MAC addresses that are learned by the system on a per-port, per-VLAN, or per-port-per-VLAN basis.

MAC-address monitoring is implemented in software and runs on the switch CPU.

For information on configuring MAC-address monitoring, see the "Configuring MAC-Address Monitoring" section.

Port Security Configuration Guidelines

This section describes the guidelines for configuring port security:

Do not enable port security on a SPAN destination port and vice versa.

Do not configure dynamic, static, or permanent CAM entries on a secure port.

Configuring Port Security on the Switch

These sections describe how to configure port security:

Enabling Port Security

Setting the Maximum Number of Secure MAC Addresses

Automatically Configuring Dynamically Learned MAC Addresses

Setting the Port Security Age Time

Setting the Port Security Aging Type

Clearing the MAC Addresses

Configuring Unicast Flood Blocking on the Secure Ports

Specifying the Security Violation Action

Setting the Shutdown Timeout

Disabling Port Security

Restricting the Traffic Based on a Host MAC Address

Displaying Port Security

Enabling Port Security

When you enable port security on a port, any static or dynamic CAM entries that are associated with the port are cleared; any currently configured permanent CAM entries are treated as secure.

To enable port security, perform this task in privileged mode:

 
Step 1
Task: Enable port security on the desired ports. You can also specify the secure MAC address. To enable port security on a trunk port, specify the VLANs on which a secure MAC address is allowed.
Command: set port security mod/port enable [mac_addr] [vlan_list]

Step 2
Task: Add the MAC addresses to the list of secure addresses.
Command: set port security mod/port mac_addr [vlan_list]

Step 3
Task: Verify the configuration.
Command: show port [mod[/port]] [mac_addr] [vlan_list]

This example shows how to enable port security using the learned MAC address on a port and verify the configuration:

Console> (enable) set port security 2/1 enable
Port 2/1 security enabled.
Console> (enable) show port 2/1
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
 2/1                     connected  522        normal   half   100 100BaseTX

Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
 2/1  enabled  00-90-2b-03-34-08 00-90-2b-03-34-08 No       disabled 1081

Port     Broadcast-Limit Broadcast-Drop
-------- --------------- --------------
 2/1                   -              0

Port  Align-Err  FCS-Err    Xmit-Err   Rcv-Err    UnderSize
----- ---------- ---------- ---------- ---------- ---------
 2/1           0          0          0          0         0

Port  Single-Col Multi-Coll Late-Coll  Excess-Col Carri-Sen Runts     Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
 2/1           0          0          0          0         0         0         0

Last-Time-Cleared
--------------------------
Fri Jul 10 1998, 17:53:38

This example shows how to enable port security on a port and manually specify the secure MAC address:

Console> (enable) set port security 2/1 enable 00-90-2b-03-34-08
Port 2/1 port security enabled with 00-90-2b-03-34-08 as the secure mac address
Trunking disabled for Port 2/1 due to Security Mode
Console> (enable)

This example shows how to set port security on a trunk port:

Console> (enable) set port security 2/2 00-90-2b-03-34-09 1,20,30
Mac address 00-90-2b-03-34-09 set for port 2/2 on vlan 1,20,30
Console> (enable)

Setting the Maximum Number of Secure MAC Addresses

You can set the number of MAC addresses to secure on a port. By default, at least one MAC address per port can be secured. In addition to this default, a global resource is available to be shared by the ports as follows:

In software releases prior to 8.1(1), you can configure up to 1024 MAC addresses on a port. The total number of MAC addresses on any port cannot exceed 1025.

In software release 8.1(1) and later releases, you can configure up to 4096 MAC addresses on a port. The total number of MAC addresses on any port cannot exceed 4097.

If the entire global resource of MAC addresses is used on some ports, you can still enable port security on the rest of the ports with a maximum of one MAC per port.

If you reduce the maximum number of MAC addresses, the system clears the specified number of MAC addresses and displays the list of removed addresses.

In software releases 8.1 and 8.2, you can configure a single MAC address on the access ports that are located on different VLANs, but you cannot configure port security on them. In software release 8.3(1) and later releases, which support port security on the trunk ports, a single MAC address can be configured and secured on multiple ports that are in different VLANs. For example, a MAC address "00-00-aa-00-00-aa" can be configured or secured on port 2/1 in VLAN 10 and 2/2 in VLAN 20. If both these ports were in VLAN 10, this MAC address could be configured or secured on only one of these ports. A MAC address can be configured or secured on only one of the ports belonging to a VLAN.

To set the number of MAC addresses to be secured for a particular port, perform this task in privileged mode:

Task: Set the number of MAC addresses to be secured on a port.
Command: set port security mod/port maximum num_of_mac


This example shows how to set the number of MAC addresses to be secured:

Console> (enable) set port security 7/7 maximum 20
Maximum number of secure addresses set to 20 for port 7/7.
Console> (enable) 

This example shows how to reduce the number of MAC addresses and the list that displays the cleared MAC addresses:

Console> (enable) set port security 7/7 maximum 18
Maximum number of secure addresses set to 18 for port 7/7
00-11-22-33-44-55 cleared from secure address list for port 7/7
00-11-22-33-44-66 cleared from secure address list for port 7/7
Console> (enable)

Automatically Configuring Dynamically Learned MAC Addresses

The automatic configuration of dynamically learned MAC addresses enables dynamically learned MAC addresses to be associated with particular ports. This feature applies globally to all secure ports on the system.

The dynamically learned addresses are treated like manually configured addresses and the configuration is stored in NVRAM. The addresses are retained in the event that a secure port is shut down due to a security violation, port security is disabled, or a secure port is administratively disabled.


Note The dynamically learned addresses that have been configured using the automatic configuration option are not cleared under any circumstances. These addresses must be cleared manually by entering the clear port security command.


To enable the automatic configuration of dynamically learned MAC addresses, perform this task in privileged mode:

Task: Enable automatic configuration of dynamically learned MAC addresses.
Command: set port security auto-configure enable | disable


This example shows how to enable the automatic configuration of dynamically learned MAC addresses globally on the switch:

Console> (enable) set port security auto-configure enable
Automatic configuration of secure learnt addresses enabled.
Console> (enable)

To view the automatic configuration, enter the show port security statistics system command.

Console> (enable) show port security statistics system 

Auto-Configure Option: Enabled
Module 2:
  Total ports: 24
  Total secure ports: 0
  Total MAC addresses: 24
  Total global address space used (out of 4096): 0
  Status: installed
Module 3:
  Total ports: 48
  Total secure ports: 0
  Total MAC addresses: 48
  Total global address space used (out of 4096): 0
  Status: installed
Module 5:
  Total ports: 2
  Total secure ports: 0
  Total MAC addresses: 2
  Total global address space used (out of 4096): 0
  Status: installed
Total secure ports in the system: 0
Total secure MAC addresses in the system: 74
Total global MAC address resource used in the system (out of 4096): 0
Console> (enable)

Setting the Port Security Age Time

The age time on a port specifies how long all addresses on that port will be secured. This age time is activated when a MAC address initiates the traffic on the port. After the age time expires for a MAC address, the entry for that MAC address on the port is removed from the secure address list. The valid range is from 1-1440 minutes. Setting the age time to zero disables the aging of the secure addresses.

To set the age time on a port, perform this task in privileged mode:

Task: Set the age time for which addresses on a port will be secured.
Command: set port security mod/port age time


This example shows how to set the age time on port 7/7:

Console> (enable) set port security 7/7 age 600
Secure address age time set to 600 minutes for port 7/7.
Console> (enable) 

Setting the Port Security Aging Type


Note The set port security mod/port timer-type {absolute | inactivity} command is supported on the Supervisor Engine 720 and Supervisor Engine 32 only.


In software release 8.2(1) and later releases, you can set the type of aging to be applied to the addresses that were learned dynamically on a per-port basis. The two types of aging are as follows:

Absolute aging—Times out the MAC address after the age_time has been exceeded, regardless of the traffic pattern. This is the default for any secured port, and the age_time is set to 0.

Inactivity aging—Times out the MAC address only after the age_time of inactivity from the corresponding host has been exceeded.

To set the port-security aging type for the dynamically learned addresses on a per-port basis, perform this task in privileged mode:

Task: Set the port-security aging type for the addresses learned dynamically on a per-port basis.
Command: set port security mod/port timer-type {absolute | inactivity}


This example shows how to set the different port-security aging types on port 5/1:

Console> (enable) set port security 5/1 timer-type absolute
Port 5/1 security timer type absolute.
Console> (enable) set port security 5/1 timer-type inactivity
Port 5/1 security timer type inactive.
Console> (enable) 

Clearing the MAC Addresses

Enter the clear port security command to clear the MAC addresses from a list of secure addresses on a port.


Note If you enter the clear command on a MAC address that is in use, that MAC address may be learned and made secure again. We recommend that you disable port security before you clear the MAC addresses.


To clear all or a particular MAC address from the list of secure MAC addresses, perform this task in privileged mode:

Task: Clear all or a particular MAC address from the list of secure MAC addresses.

Note On the trunk ports, you can clear a MAC address from the list for one or more specific VLANs by using the VLAN list parameter. If you specify the all keyword, the MAC address is cleared from the list of secure MAC addresses for all the VLANs on the trunk port.

Command: clear port security mod/port all | mac_addr [all | vlan_list]


This example shows how to clear one MAC address from the secure address list on port 3/37:

Console> (enable) clear port security 3/37 00-00-aa-00-00-aa 20,30
Secure MAC address 00-00-aa-00-00-aa cleared for port 3/37 and Vlan 20.
Secure MAC address 00-00-aa-00-00-aa cleared for port 3/37 and Vlan 30.
Console> (enable)

This example shows how to clear a MAC address from all VLANs on port 3/37:

Console> (enable) clear port security 3/37 00-00-aa-00-00-aa all
Secure MAC address 00-00-aa-00-00-aa cleared for port 3/37 and Vlan 1.
Secure MAC address 00-00-aa-00-00-aa cleared for port 3/37 and Vlan 20.
Secure MAC address 00-00-aa-00-00-aa cleared for port 3/37 and Vlan 30.
Console> (enable)

This example shows how to clear a MAC address from VLAN 1 on trunk port 2/2:

Console> (enable) clear port security 2/2  00-90-2b-03-34-09 1
Secure MAC address 00-90-2b-03-34-09 cleared for port 2/2 and Vlan 1.
Console> (enable)

Configuring Unicast Flood Blocking on the Secure Ports

To configure unicast flood blocking on a secure port, you must disable the unicast flood feature.


Note The port disables the unicast flooding once the MAC-address limit is reached.


To configure unicast flood blocking on a secure port, perform this procedure in privileged mode:

 
Step 1
Task: Disable unicast flooding on the desired secure ports (this turns unicast flood blocking on).
Command: set port security mod/port unicast-flood disable

Step 2
Task: Verify the unicast flood configuration.
Command: show port security mod/port

Step 3
Task: Verify the status of unicast flood blocking.
Command: show port unicast-flood mod/port

This example shows how to configure the switch to disable the unicast flood packets on a port and how to verify its configuration:

Console> (enable) set port security 4/1 unicast-flood disable
Port 4/1 security flood mode set to disable. 
Console> (enable) show port security 4/1 
Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
 4/1  disabled  shutdown             0        0        1 disabled      50

Port  Num-Addr Secure-Src-Addr   Age-Left Last-Src-Addr     Shutdown/Time-Left
----- -------- ----------------- -------- ----------------- ------------------
 4/1        0                 -        -                 -        -         -

Port Flooding on Address Limit
---- -------------------------
 4/1                  Disabled
Console> (enable) show port unicast-flood 4/1
Port      Unicast Flooding
----      ----------------
4/1       Disabled
Console> (enable) 


Note The show port unicast-flood command displays the run-time status of unicast flood blocking. The output shows unicast flooding as either enabled or disabled, depending on whether the port has exceeded its address limit.


Specifying the Security Violation Action

You can set the port for the following two modes to handle a security violation:

Shutdown—Shuts down the port permanently or for a specified time. Permanent shutdown is the default mode.

Restrictive—Drops all packets from the insecure hosts but remains enabled.

To specify the security violation action to be taken, perform this task in privileged mode:

Task: Specify the violation action on a port.
Command: set port security mod/port violation {shutdown | restrict}


This example shows how to specify that port 7/7 drop all packets from the insecure hosts:

Console> (enable) set port security 7/7 violation restrict
Port security violation on port 7/7 will cause insecure packets to be dropped.
Console> (enable)


Note If you restrict the number of secure MAC addresses on a port to one and additional hosts attempt to connect to that port, port security prevents these additional hosts from connecting to that port and to any other port in the same VLAN for the duration of the VLAN aging time. By default, the VLAN aging time is 5 minutes. If a host is blocked from joining a port in the same VLAN as the secured port, allow the VLAN aging time to expire before you attempt to connect the host to the port again.


Setting the Shutdown Timeout

You can set the time that a port remains disabled in case of a security violation. By default, the port is shut down permanently. The valid range is from 1-1440 minutes.

If the time is set to zero, the shutdown is disabled for this port.


Note When the shutdown timeout expires, the port is reenabled and all port security-related configuration is maintained.


To set the shutdown timeout, perform this task in privileged mode:

Task: Set the shutdown timeout on a port.
Command: set port security mod/port shutdown time


This example shows how to set the shutdown timeout to 600 minutes on port 7/7:

Console> (enable) set port security 7/7 shutdown 600
Secure address shutdown time set to 600 minutes for port 7/7.
Console> (enable)

Disabling Port Security

To disable port security, perform this task in privileged mode:

 
Step 1
Task: Disable port security on the desired ports.
Command: set port security mod/port disable

Step 2
Task: Verify the configuration.
Command: show port security [mod/port]

This example shows how to disable port security:

Console> (enable) set port security 2/1 disable
Port 2/1 port security disabled.
Console> (enable)
Console> (enable) show port security 2/1
Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
 3/24 disabled  restrict            20      300       10 disabled     921

Port  Num-Addr Secure-Src-Addr   Age-Left Last-Src-Addr     Shutdown/Time-Left
----- -------- ----------------- -------- ----------------- ------------------
 3/24        1 00-e0-4f-ac-b4-00        -                 -        -         -
Console> (enable) 

Restricting the Traffic Based on a Host MAC Address

To restrict the traffic for a specific MAC address, perform this task in privileged mode:

 
Step 1
Task: Restrict the traffic destined to or originating from a specific MAC address.
Command: set cam {static | permanent} filter unicast_mac vlan

Step 2
Task: Remove the filter.
Command: clear cam mac_address vlan

Step 3
Task: Verify the configuration.
Command: show cam {static | permanent}

This example shows how to create a filter that restricts the traffic for a specific MAC address:

Console> (enable) set cam static filter 00-02-03-04-05-06 1
Filter entry added to CAM table.
Console> (enable)

This example shows how to clear the filter:

Console> (enable) clear cam 00-02-03-04-05-06 1 
CAM entry cleared.
Console> (enable)

This example shows how to display the static CAM entries:

Console> show cam static 

VLAN  Dest MAC/Route Des    [CoS]  Destination Ports or VCs / [Protocol Type] 
----  ------------------    -----  -------------------------------------------
3     04-04-05-06-07-08   *          FILTER

Displaying Port Security

The show port security command displays the following information:

List of secure MAC addresses for a port

Maximum number of secure addresses that are allowed on a port

Total number of secure MAC addresses

Age

Age left and shutdown timeout left

Shutdown/security mode

Statistics that are related to port security

To display the port security configuration information and statistics, perform this task in privileged mode:

 
Step 1
Task: Display the configuration.
Command: show port security [statistics] mod/port

Step 2
Task: Display the port security statistics.
Command: show port security statistics [system] [mod/port]

This example shows how to display the port security configuration information and statistics:

Console> (enable) show port security 4/1
* = Configured MAC Address 

Port  Security Violation Shutdown-Time Age-Time Maximum-Addrs Trap     IfIndex 
----- -------- --------- ------------- -------- ------------- -------- ------- 
 4/1  enabled  shutdown  120           1440     25            disabled 3 

Port Secure-Src-Addrs  Age-Left Last-Src-Addr     Shutdown Shutdown-Time-Left 
---- ----------------- -------- ----------------- -------- ------------------ 
 4/1 00-11-22-33-44-55 4        00-11-22-33-44-55 No       - 
     00-10-14-da-77-f1 100      
Port  Flooding on Address Limit 
----- ------------------------- 
 4/1                    Enabled 
Console> (enable) show port security statistics 4/1
Port  Total-Addrs Maximum-Addrs
----- ----------- -------------
 4/1            4            10
Console> (enable) 

This example shows how to display the port security statistics on a module:

Console> (enable) show port security statistics 7
Port  Total-Addrs Maximum-Addrs
----- ----------- -------------
 7/1            0             1
 7/2            0             1
 7/3            0             1
 7/4            0             1
 7/5            0             1
 7/6            0             1
 7/7            0             1
 7/8            0             1
 7/9            0             1
 7/10           0           200
 7/11           0             1
 7/12           0             1
 7/13           0             1
 7/14           0             1
 7/15           0             1
 7/16           0             1
 7/17           0             1
 7/18           0             1
 7/19           0             1
 7/20           0             1
 7/21           0             1
 7/22           0             1
 7/23           0             1
 7/24           0             1
Module 7:
  Total ports: 24
  Total secure ports: 0
  Total MAC address(es): 223
  Total global address space used (out of 4096): 199
  Status: installed
Console> (enable) 

This example shows how to display the port security statistics on the system:

Console> (enable) show port security statistics system

Auto-Configure Option: Enabled
Module 2:
  Total ports: 24
  Total secure ports: 0
  Total MAC addresses: 24
  Total global address space used (out of 4096): 0
  Status: installed
Module 3:
  Total ports: 48
  Total secure ports: 0
  Total MAC addresses: 48
  Total global address space used (out of 4096): 0
  Status: installed
Module 5:
  Total ports: 2
  Total secure ports: 0
  Total MAC addresses: 2
  Total global address space used (out of 4096): 0
  Status: installed
Total secure ports in the system: 0
Total secure MAC addresses in the system: 74
Total global MAC address resource used in the system (out of 4096): 0
Console> (enable) 
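CatOS has no structured output, so auditing many ports means parsing the show port security tables. The parser below is an added example (not part of the Cisco documentation) that recovers each table's column layout from its dashed separator line; it handles both heading variants that appear in this chapter (Maximum-Addrs/Secure-Src-Addrs and Max-Addr/Secure-Src-Addr) and the continuation lines used when a port has more than one secure address. The two sample outputs are constructed for the example, the function names are assumptions, and the asterisk handling relies on the "* = Configured MAC Address" legend with its placement assumed.

```python
import re

# Constructed sample (not captured from a switch) in the layout of the "show port security 4/1" output above.
SAMPLE_NEW = """\
* = Configured MAC Address

Port  Security Violation Shutdown-Time Age-Time Maximum-Addrs Trap     IfIndex
----- -------- --------- ------------- -------- ------------- -------- -------
 4/1  enabled  shutdown  120           1440     25            disabled 3

Port Secure-Src-Addrs  Age-Left Last-Src-Addr     Shutdown Shutdown-Time-Left
---- ----------------- -------- ----------------- -------- ------------------
 4/1 00-11-22-33-44-55 4        00-11-22-33-44-55 No       -
     00-10-14-da-77-f1 100
Port  Flooding on Address Limit
----- -------------------------
 4/1                    Enabled
Console> (enable)
"""

# Constructed sample in the older column layout shown in the unicast flood blocking section.
SAMPLE_OLD = """\
Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
 4/1  disabled  shutdown             0        0        1 disabled      50

Port  Num-Addr Secure-Src-Addr   Age-Left Last-Src-Addr     Shutdown/Time-Left
----- -------- ----------------- -------- ----------------- ------------------
 4/1        0                 -        -                 -        -         -

Port Flooding on Address Limit
---- -------------------------
 4/1                  Disabled
Console> (enable) show port unicast-flood 4/1
Port      Unicast Flooding
----      ----------------
4/1       Disabled
"""


def _is_rule(line: str) -> bool:
    """True for a separator line such as '----- -------- -------'."""
    s = line.rstrip()
    return bool(s) and set(s) <= {"-", " "}


def _spans(rule: str) -> list:
    return [(m.start(), m.end()) for m in re.finditer(r"-+", rule)]


def _cells(line: str, spans: list) -> list:
    line = line.ljust(spans[-1][1])           # pad short continuation lines
    return [line[a:b].strip() for a, b in spans]


def parse_tables(text: str) -> list:
    """Split CatOS show output into tables, each a list of {header: cell} rows."""
    lines = text.splitlines()
    tables = []
    i = 0
    while i < len(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if not _is_rule(nxt):                 # a header is the line right above a separator
            i += 1
            continue
        spans = _spans(nxt)
        headers = _cells(lines[i], spans)
        rows = []
        i += 2
        while i < len(lines) and lines[i].strip() and not lines[i].startswith("Console>"):
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if _is_rule(nxt):                 # this line is already the next table's header
                break
            rows.append(dict(zip(headers, _cells(lines[i], spans))))
            i += 1
        tables.append(rows)
    return tables


def summarize(text: str) -> dict:
    """One record per port; a row with a blank Port cell continues the port above it."""
    ports: dict = {}
    addr_cols = ("Secure-Src-Addrs", "Secure-Src-Addr", "Age-Left")
    for rows in parse_tables(text):
        current = None
        for row in rows:
            current = row.get("Port") or current
            if not current:
                continue
            entry = ports.setdefault(current, {"secure_addrs": []})
            mac = row.get(addr_cols[0], row.get(addr_cols[1], ""))
            if mac and mac != "-":            # "*" marks a configured address per the legend (placement assumed)
                entry["secure_addrs"].append({"mac": mac.strip("*"), "configured": "*" in mac,
                                              "age_left": row.get("Age-Left", "")})
            for key, val in row.items():
                if key != "Port" and key not in addr_cols and val:
                    entry[key] = val
    return ports


def headroom(entry: dict) -> int:
    """Secure addresses the port can still learn before it reaches its configured maximum."""
    maximum = int(entry.get("Maximum-Addrs") or entry.get("Max-Addr") or 1)
    return maximum - len(entry["secure_addrs"])
```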

Configuring MAC-Address Monitoring

These sections describe how to configure MAC-address monitoring:

Configuring Global MAC-Address Monitoring

Monitoring the MAC Addresses in the CAM Table

Specifying the Polling Interval for Monitoring

Specifying the Lower Threshold for MAC-Address Monitoring

Specifying the Upper Threshold for MAC-Address Monitoring

Clearing the Configuration for MAC-Address Monitoring

Displaying the Configuration for the CAM Monitor

Displaying the Global Configuration for the CAM Monitor

Configuring Global MAC-Address Monitoring

You can enable or disable MAC-address monitoring globally. Globally disabling MAC-address monitoring does not clear any configuration.

To enable or disable MAC-address monitoring globally, perform this task in privileged mode:

Task: Enable or disable MAC-address monitoring globally.

Note Monitoring is enabled globally by default.

Command: set cam monitor {disable | enable}


This example shows how to disable and enable the global MAC-address monitoring configuration:

Console> (enable) set cam monitor disable 
Cam monitor disabled
Console> (enable) set cam monitor enable 
Cam monitor enabled
Console> (enable)

Monitoring the MAC Addresses in the CAM Table

To monitor the MAC addresses that are learned and stored in the CAM table, perform this task in privileged mode:

Task: Monitor the MAC addresses that are learned and stored in the CAM table on a per-port, per-VLAN, or per-port-per-VLAN basis.

Note MAC-address monitoring is disabled by default on an interface (port, VLAN, or port/VLAN basis).

Command: set cam monitor {disable | enable} [mod/port | {mod/port vlan} | vlan]


This example shows how to monitor the MAC addresses that are learned on a specific port and stored in the CAM table:

Console> (enable) set cam monitor enable 3/1
Successfully enabled cam monitor on 3/1
Console> (enable)

This example shows how to disable monitoring of the MAC addresses that are learned on a specific port:

Console> (enable) set cam monitor disable 3/1
Successfully disabled cam monitor on 3/1
Console> (enable)

Specifying the Polling Interval for Monitoring

MAC-address monitoring is implemented in software: the supervisor polls the CAM table at a fixed interval and compares the address counts against the configured thresholds. If the CAM table holds a large number of MAC addresses and many interfaces (ports, VLANs, or port/VLAN combinations) are being monitored, CPU usage might go up. You can reduce the load on the CPU by entering the set cam monitor interval command to lengthen the software polling interval; a longer interval also means a flood of new MAC addresses is detected later.

To specify the polling interval for the CAM table, perform this task in privileged mode:

Task
Command

Specify the polling interval in seconds for monitoring the CAM table. The valid range is from 5 to 30 seconds.

Note The default polling interval is 5 seconds.

set cam monitor interval time_s


This example shows how to specify the polling interval for the CAM table:

Console> (enable) set cam monitor interval 20
Cam monitor interval set to 20 sec
Console> (enable)

Specifying the Lower Threshold for MAC-Address Monitoring

To specify the lower threshold for MAC-address monitoring, perform this task in privileged mode:

Task
Command

Specify the lower threshold for MAC-address monitoring and the action to be taken when the number of MAC addresses learned on the target exceeds this threshold. The valid range for the lower threshold is 5 to 32000.

Note If you specify the no-learn keyword and the target is a port/VLAN combination, the violation action stops MAC-address learning on that port for all VLANs, not only for the configured VLAN. If you specify the warning keyword, the system displays a system message when the low threshold is exceeded.

set cam monitor low-threshold value [action {no-learn | warning}] {mod/port | {mod/port vlan} | vlan}


This example shows how to specify the low threshold for a port and the action to be taken when this threshold is exceeded:

Console> (enable) set cam monitor low-threshold 500 action warning 3/1
Successfully configured cam monitor on 3/1
Console> (enable)

Specifying the Upper Threshold for MAC-Address Monitoring

To specify the upper threshold for MAC-address monitoring, perform this task in privileged mode:

Task
Command

Specify the upper threshold for MAC-address monitoring and the action to be taken when the number of MAC addresses learned on the target exceeds this threshold. The valid range for the high threshold is 5 to 32000.

Note If you specify the no-learn keyword and the target is a port/VLAN combination, the violation action stops MAC-address learning on that port for all VLANs, not only for the configured VLAN. If you specify the shutdown keyword and the target is a port/VLAN combination, the violation action error disables the whole port, not only the configured VLAN. If you specify the warning keyword, the system displays a system message when the high threshold is exceeded.

set cam monitor high-threshold value [action {no-learn | shutdown | warning}] {mod/port | {mod/port vlan} | vlan}


This example shows how to specify the high threshold for a port and the action to be taken when this threshold is exceeded:

Console> (enable) set cam monitor high-threshold 28000 action shutdown 3/1
Successfully configured cam monitor on 3/1
Console> (enable) 
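The sections above (global enable, per-target enable, polling interval, low threshold, high threshold) are one procedure, and the ranges and keywords they document are easy to get wrong when many ports are configured at once. The following script is an added example, not Cisco code or part of this guide: it validates a CAM-monitor policy against the documented ranges (interval 5 to 30 seconds, thresholds 5 to 32000, the per-threshold action keywords), flags the port-wide side effects of no-learn and shutdown on port/VLAN targets, renders the set cam monitor commands in the order this chapter configures them, and reads the global status and interval back from the header of show cam monitor all. The port numbers, thresholds and the sample show output are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Ranges and keywords as documented for set cam monitor in this chapter.
INTERVAL_RANGE = (5, 30)          # polling interval, seconds
THRESHOLD_RANGE = (5, 32000)      # low-threshold / high-threshold value
LOW_ACTIONS = {"no-learn", "warning"}
HIGH_ACTIONS = {"no-learn", "shutdown", "warning"}

_PORT = re.compile(r"^\d+/\d+$")
_PORT_VLAN = re.compile(r"^\d+/\d+ \d+$")
_VLAN = re.compile(r"^\d+$")


def target_kind(target: str) -> str:
    """Classify a target as 'port', 'port-vlan' or 'vlan'; ValueError otherwise."""
    if _PORT.match(target):
        return "port"
    if _PORT_VLAN.match(target):
        return "port-vlan"
    if _VLAN.match(target):
        return "vlan"
    raise ValueError(f"unrecognised target {target!r}")


@dataclass
class CamPolicy:
    target: str          # "mod/port", "mod/port vlan" or "vlan"
    low: int
    low_action: str
    high: int
    high_action: str


def validate(policy: CamPolicy) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings). Errors are values outside the documented
    ranges or keyword sets; warnings are the port-wide side effects the
    chapter describes for no-learn and shutdown on port/VLAN targets."""
    errors, warnings = [], []
    kind = target_kind(policy.target)
    lo, hi = THRESHOLD_RANGE
    for name, value in (("low", policy.low), ("high", policy.high)):
        if not lo <= value <= hi:
            errors.append(f"{policy.target}: {name}-threshold {value} outside {lo}-{hi}")
    if policy.low >= policy.high:
        errors.append(f"{policy.target}: low-threshold must be below high-threshold")
    if policy.low_action not in LOW_ACTIONS:
        errors.append(f"{policy.target}: low action {policy.low_action!r} not in {sorted(LOW_ACTIONS)}")
    if policy.high_action not in HIGH_ACTIONS:
        errors.append(f"{policy.target}: high action {policy.high_action!r} not in {sorted(HIGH_ACTIONS)}")
    if kind == "port-vlan":
        if "no-learn" in (policy.low_action, policy.high_action):
            warnings.append(f"{policy.target}: no-learn stops learning on the whole port, all VLANs")
        if policy.high_action == "shutdown":
            warnings.append(f"{policy.target}: shutdown error-disables the whole port, all VLANs")
    return errors, warnings


def render(policies: List[CamPolicy], interval: int) -> List[str]:
    """Emit the CatOS commands in the order this chapter configures them:
    global enable, polling interval, then per-target enable and thresholds."""
    if not INTERVAL_RANGE[0] <= interval <= INTERVAL_RANGE[1]:
        raise ValueError(f"interval {interval} outside {INTERVAL_RANGE}")
    lines = ["set cam monitor enable", f"set cam monitor interval {interval}"]
    for p in policies:
        errors, _ = validate(p)
        if errors:
            raise ValueError("; ".join(errors))
        lines.append(f"set cam monitor enable {p.target}")
        lines.append(f"set cam monitor low-threshold {p.low} action {p.low_action} {p.target}")
        lines.append(f"set cam monitor high-threshold {p.high} action {p.high_action} {p.target}")
    return lines


def parse_global(show_output: str):
    """Read status and interval from the global header of `show cam monitor all`."""
    status, interval = None, None
    for line in show_output.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip().lower()
        if key == "status":
            status = value.strip()
        elif key == "interval":
            interval = int(value.split()[0])
    return status, interval


# Constructed sample of the global header shown by `show cam monitor all`.
SAMPLE_SHOW = """\
Cam monitor global configuration:
status : enabled
interval : 5 seconds
"""

if __name__ == "__main__":
    # Constructed example: one access port and one port/VLAN target.
    policies = [CamPolicy("3/1", 500, "warning", 28000, "shutdown"),
                CamPolicy("3/2 10", 50, "no-learn", 200, "warning")]
    for p in policies:
        for w in validate(p)[1]:
            print("warning:", w)
    print("\n".join(render(policies, 20)))
    print(parse_global(SAMPLE_SHOW))
```

Run the rendered commands in order; if the warnings list is non-empty, decide whether a port-wide no-learn or error-disable is acceptable for that port before pushing the configuration, since on a port/VLAN target those actions affect every VLAN on the port.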

Clearing the Configuration for MAC-Address Monitoring

To clear the configuration for the MAC-address monitoring and actions, perform this task in privileged mode:

Task
Command

Clear the configuration for MAC-address monitoring.

clear cam monitor {mod/port | mod/port vlan | vlan}

clear cam monitor all

clear cam monitor high-threshold {mod/port | mod/port vlan | vlan}

clear cam monitor low-threshold {mod/port | mod/port vlan | vlan}


This example shows how to clear the high threshold on port 3/1:

Console> (enable) clear cam monitor high-threshold 3/1
Successfully cleared high-threshold on 3/1

This example shows how to clear all CAM table monitoring and MAC-address monitoring configurations from all ports:

Console> (enable) clear cam monitor all
Cleared all cam monitor configuration
Console> (enable)

Displaying the Configuration for the CAM Monitor

To display the configuration for the CAM monitor, perform this task in privileged mode:

Task
Command

Display the configuration for the CAM monitor.

show cam monitor [mod/port | mod/port vlan | vlan | all]


This example shows how to display the configuration for the CAM monitor:

Console> (enable) show cam monitor all 
Cam monitor global configuration:
status : enabled
interval : 5 seconds
* = violation occured