Port MAC security overview

The port MAC security (PMS) feature allows you to configure the device to learn a limited number of secure MAC addresses on an interface. The interface forwards only packets whose source MAC addresses match these secure addresses.

The secure MAC addresses can be specified statically or learned dynamically. If the device reaches the maximum limit for the number of secure MAC addresses allowed on the interface and if the interface receives a packet with a source MAC address that is different from any of the secure learned addresses, it is considered a security violation.

If a violation occurs, the switch responds according to one of three modes, as summarized in the following table.

Table 1. Switch responses to security violations

Response: Shutdown (the default)
Description: The physical port is shut immediately and drops all traffic. A RASlog message, an SNMP trap, or both are sent. All logical interface operations on the physical port are disabled.

Response: Restrict
Description: Traffic in violation is silently dropped until the number of secure addresses configured drops below the maximum. Learning is disabled. All logical interface operations on the physical port are disabled.
Note

If a source MAC address is learned on one secured port, and if the same MAC address ingresses on another secured port, a MAC move is allowed and is not considered a violation.

To avoid having to intervene manually every time a port-security violation forces an interface into the shutdown state, you can enable autorecovery for port-security violations. A recovery interval is configured in seconds; after that interval elapses, the port transitions automatically back to the operational state. An age limit can also be set globally for all secure addresses on a port, which removes secure addresses that have become inactive.

Three types of secure MAC addresses are used in port MAC security: static, sticky, and dynamically learned.

If a MAC address already learned on a secured port is ingressing on a nonsecured port or through another secured port, this is not considered a security violation. In this case the MAC move occurs if the MAC is learned dynamically. If the MAC is static or sticky, then the MAC move does not occur. However, the traffic will still be switched according to the destination MAC.
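The following is an added example, not code from this documentation or from any vendor implementation: a small Python model of the PMS decision logic described above (secure-address limit, shutdown versus restrict violation handling, autorecovery, and the MAC-move rule for dynamic versus static/sticky entries). All class and method names, and the MAC addresses used, are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of port MAC security behaviour (assumed names, not a vendor API).


@dataclass
class SecurePort:
    name: str
    max_secure: int                      # secure-address limit for this port
    violation_mode: str = "shutdown"     # "shutdown" (default) or "restrict"
    secure: dict = field(default_factory=dict)  # mac -> "static" | "sticky" | "dynamic"
    shutdown: bool = False
    learning: bool = True
    log: list = field(default_factory=list)

    def recover(self):
        """Autorecovery: return a shut-down port to the operational state."""
        self.shutdown = False
        self.learning = True


class Switch:
    def __init__(self, *ports: SecurePort):
        self.ports = {p.name: p for p in ports}

    def owner_of(self, mac):
        """Secured port on which this MAC is currently a secure address, if any."""
        return next((p for p in self.ports.values() if mac in p.secure), None)

    def ingress(self, port_name: str, src_mac: str) -> str:
        port = self.ports[port_name]
        if port.shutdown:
            return "dropped:port-shutdown"
        if src_mac in port.secure:
            return "forwarded"
        other = self.owner_of(src_mac)
        if other is not None:                          # MAC already secure elsewhere
            if other.secure[src_mac] == "dynamic":     # dynamic entry follows the move
                port.secure[src_mac] = other.secure.pop(src_mac)
                return "forwarded:mac-move"
            return "forwarded:no-move"                 # static/sticky stays put
        if not port.learning and len(port.secure) < port.max_secure:
            port.learning = True                       # restrict: resume below the limit
        if port.learning and len(port.secure) < port.max_secure:
            port.secure[src_mac] = "dynamic"
            return "forwarded:learned"
        if port.violation_mode == "shutdown":          # at the limit: violation
            port.log.append(f"RASlog: port-security violation on {port.name} from {src_mac}")
            port.shutdown = True                       # whole physical port goes down
            return "dropped:violation-shutdown"
        port.learning = False                          # restrict: silent drop, no learning
        return "dropped:violation-restrict"
```

The model does not apply the destination port's limit during a MAC move, since the text above only states that the move is allowed and not treated as a violation.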

Note

Secure MAC addresses age out based on the device MAC age value that is configured for the device.

Note

The maximum MAC address limit for sticky MAC address and static MAC address depends on the device limit. For dynamically learned MAC addresses, the maximum limit is 8192 per port.