Access Security Guide K/KA/KB.15.15

Addresses learned this way appear in the switch and port address tables and age
out according to the MAC Age Interval in the System Information configuration
screen of the Menu interface or the show system information listing. You
can set the MAC age out time using the CLI, SNMP, Web, or menu interfaces. For
more information on the mac-age-time command see "Interface Access and
System Information" in the Management and Configuration Guide for your switch.
static
Enables you to use the mac-address parameter to specify the MAC addresses of
the devices authorized for a port, and the address-limit parameter (explained
below) to specify the number of MAC addresses authorized for the port. You can
authorize specific devices for the port, while still allowing the port to accept other,
non-specified devices until the device limit has been reached. That is, if you enter
fewer MAC addresses than you authorized, the port authorizes the remaining
addresses in the order in which it automatically learns them.
For example, if you use address-limit to specify three authorized devices, but use mac-address
to specify only one authorized MAC address, the port adds the one specifically authorized MAC
address to its authorized-devices list and the first two additional MAC addresses it detects.
If, for example:
- You use mac-address to authorize MAC address 0060b0-880a80 for port A4.
- You use address-limit to allow three devices on port A4, and the port detects these MAC addresses, in this order:
  1. 080090-1362f2
  2. 00f031-423fc1
  3. 080071-0c45a1
  4. 0060b0-880a80 (the address you authorized with the mac-address parameter)
In this example, port A4 would assume the following list of authorized addresses:
- 080090-1362f2 (the first address the port detected)
- 00f031-423fc1 (the second address the port detected)
- 0060b0-880a80 (the address you authorized with the mac-address parameter)
The remaining MAC address detected by the port, 080071-0c45a1, is not allowed and is handled
as an intruder, even though the port detected it before the statically authorized address. Learned addresses that become authorized do not age out. See also "Retention of
static addresses" (page 399).
CAUTION: Using the static parameter with a device limit greater than the number of MAC
addresses specified with mac-address can allow an unwanted device to become "authorized".
This is because the port, to fulfill the number of devices allowed by the address-limit parameter (see
below), automatically adds the devices it detects until it reaches the specified limit.
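The slot-filling rule described above, and the exposure the CAUTION warns about, modelled as an added example (this is illustrative code, not HP switch firmware). It assumes that each mac-address entry reserves one of the address-limit slots and that the remaining slots go to the first addresses the port sees, which is what the port A4 example shows.

```python
# Added illustration of learn-mode 'static' slot filling; not HP switch code.
# Assumption: each mac-address entry reserves one address-limit slot, and the
# remaining slots are handed to the first source MACs the port detects.
from dataclasses import dataclass, field


@dataclass
class StaticLearnPort:
    """One port in learn-mode static with an address-limit and mac-address entries."""
    name: str
    address_limit: int
    static_macs: tuple = ()                        # configured with mac-address
    learned: list = field(default_factory=list)    # filled the open slots
    intruders: list = field(default_factory=list)  # refused after the limit

    def __post_init__(self):
        # Assumed sanity check; the page does not describe a limit below the static count.
        if len(self.static_macs) > self.address_limit:
            raise ValueError("more mac-address entries than address-limit slots")

    def open_slots(self) -> int:
        """Slots the port will give to whatever it learns first (the CAUTION's exposure)."""
        return self.address_limit - len(self.static_macs)

    def see(self, mac: str) -> str:
        """Process one detected source MAC; return 'authorized' or 'intruder'."""
        if mac in self.static_macs or mac in self.learned:
            return "authorized"
        if len(self.learned) < self.open_slots():
            self.learned.append(mac)  # learned addresses do not age out
            return "authorized"
        if mac not in self.intruders:
            self.intruders.append(mac)
        return "intruder"

    def authorized(self) -> list:
        return list(self.learned) + list(self.static_macs)


def replay(port: StaticLearnPort, seen: list) -> dict:
    """Feed a sequence of detected MACs and return the resulting port state."""
    verdicts = {mac: port.see(mac) for mac in seen}
    return {"verdicts": verdicts, "authorized": port.authorized(),
            "intruders": list(port.intruders), "open_slots": port.open_slots()}


if __name__ == "__main__":
    # Constructed replay of the page's port A4 example: limit 3, one mac-address entry.
    a4 = StaticLearnPort("A4", 3, ("0060b0-880a80",))
    print(replay(a4, ["080090-1362f2", "00f031-423fc1", "080071-0c45a1", "0060b0-880a80"]))
```

A port whose `open_slots()` is zero (address-limit equal to the number of mac-address entries) admits only the configured devices, which is the configuration the CAUTION is steering you toward.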
NOTE: If 802.1X port-access is configured on a given port, then port-security learn-mode must
be set to either continuous (the default) or port-access.
Syntax:
port-security [e] <port-list> <learn-mode | address-limit | mac-address | action | clear-intrusion-flag>
port-access
Enables you to use Port Security with (802.1X) Port-Based Access Control.
358 Port Security