Configuring Port Security (NSM Procedure)

Ethernet LANs are vulnerable to attacks such as address spoofing and Layer 2 denial of service (DoS) on network devices. Port security features such as DHCP snooping, DAI (dynamic ARP inspection), MAC limiting, and MAC move limiting, as well as trusted DHCP server, help protect the access ports on your switch against the losses of information and productivity that can result from such attacks.

To configure port security:

  1. In the navigation tree, select Device Manager > Devices. In Device Manager, select the device for which you want to configure port security.
  2. In the Configuration tree, expand Ethernet Switching Options.
  3. Select Secure Access Port > Interface or VLAN.
  4. Click the Add icon.
  5. Add or modify settings for the interface as specified in Table 25, or for the VLAN as specified in Table 24.

Note: After you make changes to a device configuration, you must push that updated device configuration to the physical security device for those changes to take effect. You can update multiple devices at one time. See Updating Devices for more information.

Table 24: Port Security Settings on VLANs

Option: Name
Function: Specifies the VLAN.
Your Action: Enter the VLAN name.

Option: DHCP Snooping
Function: Allows the switch to monitor and control DHCP messages received from untrusted devices connected to the switch. Builds and maintains a database of valid IP address/MAC address bindings. (By default, access ports are untrusted and trunk ports are trusted.)
Your Action: Select to enable DHCP snooping on a specified VLAN or on all VLANs.

Option: ARP Inspection
Function: Uses the information in the DHCP snooping database to validate ARP packets on the LAN and protect against ARP cache poisoning.
Your Action: Select to enable ARP inspection on a specified VLAN or on all VLANs. (Configure any port on which you do not want ARP inspection to occur as a trusted DHCP server port.)

Option: MAC Move Limit
Function: Prevents hosts whose MAC addresses have not been learned by the switch from accessing the network. Specifies the number of times per second that a MAC address can move to a new interface.
Your Action: Select the MAC Move Limit option and select the required number.

Option: MAC Movement Action
Function: Specifies the action to be taken if the MAC move limit is exceeded.
Your Action: Select one:

  • Log—Generate a system log entry, an SNMP trap, or an alarm.
  • Drop—Drop the packets and generate a system log entry, an SNMP trap, or an alarm.
  • Shutdown—Block data traffic on the interface and generate an alarm.
  • None—Take no action.
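The DHCP Snooping and ARP Inspection options in Table 24 depend on one mechanism: server-side DHCP messages are accepted only from DHCP-trusted ports, the leases seen there populate a binding database, and ARP packets from untrusted ports are forwarded only when the sender IP, sender MAC and ingress port match a binding. The following Python model is an added illustration of that mechanism, not code from the NSM documentation or from Juniper; it is a simplified model of the switch behaviour, and the port names, addresses and packets in it are constructed sample data.

```python
"""DHCP snooping and dynamic ARP inspection (DAI), modelled in Python.

Added illustration, not code from the NSM documentation or from Juniper.
Simplified model: a server message (OFFER/ACK) is accepted only from a
DHCP-trusted port, an ACK creates an IP/MAC/VLAN/port binding, and an ARP
packet from an untrusted port must match a binding to be forwarded.
Port names, addresses and packets are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: str
    interface: str


class PortSecurity:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # DHCP-trusted ports (trunks by default)
        self.bindings = {}                  # (vlan, ip) -> Binding
        self._pending = {}                  # (vlan, client mac) -> port the request came from
        self.log = []

    def dhcp(self, pkt):
        """DHCP snooping for one message; returns 'forward' or 'drop'."""
        vlan, port, mac = pkt["vlan"], pkt["ingress"], pkt["chaddr"]
        if pkt["type"] in ("DISCOVER", "REQUEST"):
            # Client messages may arrive on any port; remember where the client sits.
            self._pending[(vlan, mac)] = port
            return "forward"
        # OFFER/ACK are server messages: only a trusted port may source them.
        if port not in self.trusted:
            self.log.append(f"DHCP {pkt['type']} from untrusted {port} dropped")
            return "drop"
        if pkt["type"] == "ACK":
            client_port = self._pending.pop((vlan, mac), None)
            if client_port is not None:
                self.bindings[(vlan, pkt["yiaddr"])] = Binding(
                    pkt["yiaddr"], mac, vlan, client_port)
        return "forward"

    def arp(self, pkt):
        """Dynamic ARP inspection for one ARP packet; returns 'forward' or 'drop'."""
        if pkt["ingress"] in self.trusted:
            return "forward"                # trusted ports are not inspected
        b = self.bindings.get((pkt["vlan"], pkt["sender_ip"]))
        if b and b.mac == pkt["sender_mac"] and b.interface == pkt["ingress"]:
            return "forward"
        self.log.append(f"ARP {pkt['sender_ip']}/{pkt['sender_mac']} on {pkt['ingress']} "
                        "has no matching DHCP snooping binding, dropped")
        return "drop"


def simulate_dhcp_dai():
    """Run constructed sample traffic through the model; returns (switch, verdicts)."""
    sw = PortSecurity(trusted_ports={"ge-0/0/24"})    # uplink trunk is DHCP-trusted
    traffic = [
        ("dhcp", {"type": "DISCOVER", "vlan": "v10", "ingress": "ge-0/0/1",
                  "chaddr": "00:00:5e:00:53:01"}),
        ("dhcp", {"type": "ACK", "vlan": "v10", "ingress": "ge-0/0/24",
                  "chaddr": "00:00:5e:00:53:01", "yiaddr": "10.0.10.11"}),
        # a DHCP OFFER sourced from an untrusted access port is rejected
        ("dhcp", {"type": "OFFER", "vlan": "v10", "ingress": "ge-0/0/5",
                  "chaddr": "00:00:5e:00:53:01", "yiaddr": "10.0.10.99"}),
        # ARP consistent with the lease learned above
        ("arp", {"vlan": "v10", "ingress": "ge-0/0/1",
                 "sender_ip": "10.0.10.11", "sender_mac": "00:00:5e:00:53:01"}),
        # ARP claiming an address for which this port holds no binding
        ("arp", {"vlan": "v10", "ingress": "ge-0/0/5",
                 "sender_ip": "10.0.10.1", "sender_mac": "00:00:5e:00:53:05"}),
        # ARP from the trusted uplink is passed without inspection
        ("arp", {"vlan": "v10", "ingress": "ge-0/0/24",
                 "sender_ip": "10.0.10.1", "sender_mac": "00:00:5e:00:53:fe"}),
    ]
    verdicts = [sw.dhcp(p) if kind == "dhcp" else sw.arp(p) for kind, p in traffic]
    return sw, verdicts


if __name__ == "__main__":
    switch, results = simulate_dhcp_dai()
    print(results)
    print(*switch.log, sep="\n")
```

The model makes the relationship between the two options visible: ARP inspection has nothing to check until DHCP snooping has recorded a lease, which is why the table tells you to configure ports that must bypass inspection (for example, a port facing a statically addressed server) as trusted.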

Table 25: Port Security Settings on Interfaces

Option: Interface
Function: Specifies that DHCP packets are trusted on the selected interface. By default, trunk ports are DHCP-trusted.
Your Action: Select to enable DHCP trust.

Option: Allowed MAC List
Function: Specifies the MAC addresses that are allowed on the interface.
Your Action: To add a MAC address:

  1. Click Add.
  2. Enter the MAC address.
  3. Click OK.

Option: MAC Limit
Function: Specifies the number of MAC addresses that can be learned on a single Layer 2 access port. This option is not valid for trunk ports.
Your Action: Enter the required number.

Option: MAC Limit Action
Function: Specifies the action to be taken if the MAC limit is exceeded. This option is not valid for trunk ports.
Your Action: Select one:

  • Log—Generate a system log entry, an SNMP trap, or an alarm.
  • Drop—Drop the packets and generate a system log entry, an SNMP trap, or an alarm.
  • Shutdown—Block data traffic on the interface and generate an alarm.
  • None—Take no action.

Option: Static IP
Function: Specifies a static IP address for the interface.
Your Action: Enter the following:

  • Name
  • VLAN
  • MAC
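The MAC Limit and MAC Limit Action options above, together with the MAC Move Limit and MAC Movement Action options in Table 24, all enforce a counter and then apply one of the same four actions. The following Python model is an added illustration of that enforcement, not code from the NSM documentation or from Juniper; it is a simplified model of what the switch does (how a real switch treats an address that exceeds a limit under the Log action is not described on this page and is modelled here as "logged and then learned normally"), and the port names, MAC addresses and timestamps are constructed sample data.

```python
"""MAC limit and MAC move limit with the Log / Drop / Shutdown / None actions.

Added illustration, not code from the NSM documentation or from Juniper.
Simplified model: a MAC limit caps the source addresses learned on an access
port (trunk ports are exempt); a MAC move limit caps how many times per second
an address may move between ports within a VLAN. Exceeding either applies the
configured action. Port names, MACs and timestamps are constructed sample data.
"""
from collections import defaultdict, deque


class MacLimiter:
    def __init__(self, mac_limit, mac_limit_action, mac_move_limit, mac_move_action, trunks=()):
        self.mac_limit, self.mac_limit_action = mac_limit, mac_limit_action
        self.mac_move_limit, self.mac_move_action = mac_move_limit, mac_move_action
        self.trunks = set(trunks)           # MAC limit does not apply to trunk ports
        self.learned = defaultdict(set)     # interface -> MACs learned on it
        self.location = {}                  # (vlan, mac) -> interface it was last seen on
        self.moves = defaultdict(deque)     # (vlan, mac) -> timestamps of recent moves
        self.shutdown = set()               # interfaces disabled by the Shutdown action
        self.log = []

    def _apply(self, action, iface, reason):
        """Map an action keyword to a verdict; Log, Drop and Shutdown all raise an alarm."""
        if action == "none":
            return "forward"
        self.log.append(reason)
        if action == "log":
            return "forward"
        if action == "shutdown":
            self.shutdown.add(iface)
        return "drop"

    def frame(self, t, vlan, iface, src_mac):
        """Process one frame seen at time t (seconds); returns 'forward' or 'drop'."""
        if iface in self.shutdown:
            return "drop"
        # MAC limit: a new source address beyond the cap on an access port
        if (iface not in self.trunks and src_mac not in self.learned[iface]
                and len(self.learned[iface]) >= self.mac_limit):
            reason = f"MAC limit {self.mac_limit} exceeded on {iface} by {src_mac}"
            if self._apply(self.mac_limit_action, iface, reason) == "drop":
                return "drop"
        # MAC move limit: the address was last seen on a different interface
        prev = self.location.get((vlan, src_mac))
        if prev is not None and prev != iface:
            window = self.moves[(vlan, src_mac)]
            window.append(t)
            while t - window[0] >= 1.0:     # keep only moves within the last second
                window.popleft()
            if len(window) > self.mac_move_limit:
                reason = f"{src_mac} moved {len(window)} times/s in {vlan}, last to {iface}"
                if self._apply(self.mac_move_action, iface, reason) == "drop":
                    return "drop"
            self.learned[prev].discard(src_mac)
        # Log and None fall through here: the address is learned normally
        self.learned[iface].add(src_mac)
        self.location[(vlan, src_mac)] = iface
        return "forward"


def simulate_mac_limits():
    """Constructed sample: MAC limit 2 with Drop, MAC move limit 2/s with Shutdown."""
    lim = MacLimiter(mac_limit=2, mac_limit_action="drop",
                     mac_move_limit=2, mac_move_action="shutdown", trunks={"ge-0/0/24"})
    frames = [
        (0.0, "v10", "ge-0/0/1", "00:00:5e:00:53:0a"),   # learned (1 of 2)
        (0.1, "v10", "ge-0/0/1", "00:00:5e:00:53:0b"),   # learned (2 of 2)
        (0.2, "v10", "ge-0/0/1", "00:00:5e:00:53:0c"),   # third address: dropped
        (0.3, "v10", "ge-0/0/1", "00:00:5e:00:53:0a"),   # already learned: forwarded
        (1.0, "v10", "ge-0/0/2", "00:00:5e:00:53:0a"),   # move 1 within a second
        (1.2, "v10", "ge-0/0/1", "00:00:5e:00:53:0a"),   # move 2: still allowed
        (1.4, "v10", "ge-0/0/2", "00:00:5e:00:53:0a"),   # move 3: ge-0/0/2 shut down
        (1.5, "v10", "ge-0/0/2", "00:00:5e:00:53:0d"),   # port is down: dropped
    ]
    verdicts = [lim.frame(*f) for f in frames]
    return lim, verdicts


if __name__ == "__main__":
    limiter, results = simulate_mac_limits()
    print(results)
    print(*limiter.log, sep="\n")
    print("shut down:", sorted(limiter.shutdown))
```

Two points the model makes concrete: Shutdown is sticky (every later frame on that interface is dropped until an administrator re-enables it, so it is the action with the largest availability cost), and the move limit is evaluated per VLAN and per address over a sliding one-second window, so a single host that legitimately roams between two access ports once is never affected.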