5.9.2.1.2 Network Port Security Details
The Port Security Port Status All Ports page shows the MAC addresses secured by the Port Security module. Port Security may be configured both administratively and indirectly through other software modules, the user modules. When a user module has enabled port security on a port, the port is set up for software-based learning. In this mode, frames from unknown MAC addresses are passed on to the Port Security module, which in turn asks all user modules whether to allow the new MAC address to forward or to block it. For a MAC address to be set in the forwarding state, all enabled user modules must unanimously agree on allowing the MAC address to forward. If even one chooses to block it, it is blocked until that user module decides otherwise.
The Port Security Port Status All Ports page has the following parameters:
- Delete: Click to remove this MAC address from the MAC address table. The button is only clickable if the entry type is Dynamic. Use the page to remove Static and Sticky entries.
- Port: If all ports are shown (can be selected through the drop-down box on the top right), this shows the port to which the MAC address is bound.
- VLAN ID and MAC Address: The VLAN ID and MAC address that are seen on this port. If no MAC addresses are learned, a single row stating No MAC addresses attached is displayed.
- Type: Indicates the type of entry. Takes one of three values:
  - Dynamic: The entry is learned through learn frames coming to the Port Security module while the port in question is not in sticky mode.
  - Static: The entry is entered by the end-user through management. Entry is not subject to aging.
  - Sticky: When the port is in sticky mode, all entries that would otherwise have been learned as dynamic are learned as sticky. Sticky entries are part of the running-config and can therefore be saved to startup-config. An important aspect of sticky MAC addresses is that they survive link changes (in contrast to Dynamic, which is learned again). They also survive reboots if running-config is saved to startup-config.
- State: Indicates whether the corresponding MAC address is violating (administrative user has configured the interface in the Restrict mode and the MAC address is blocked), blocked, or forwarding.
- Age/Hold: If at least one user module has decided to block this MAC address, it stays in the blocked state until the hold time (measured in seconds) expires. If all user modules have decided to allow this MAC address to forward, and aging is enabled, then the Port Security module periodically checks that this MAC address still forwards traffic. If the age period (measured in seconds) expires and no frames have been seen, then the MAC address is removed from the MAC address table. Otherwise, a new age period begins. If aging is disabled or a user module has decided to hold the MAC address indefinitely, a dash (-) is shown.
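The unanimity rule and the Age/Hold timers described above can be modeled in a few lines. This is an added illustration, not code from the switch or its vendor; the class, the module names, the timer values and the 'hold-expired' event name are assumptions (the page does not say what the switch does once the hold time expires).

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class MacEntry:
    # Constructed model of one learned MAC address; not the switch's data structure.
    votes: Dict[str, bool]             # enabled user module -> True (allow) / False (block)
    hold_time: Optional[int] = None    # seconds; None = hold indefinitely
    age_period: Optional[int] = None   # seconds; None = aging disabled
    elapsed: int = 0                   # seconds since the current period began
    frames_seen: bool = False          # traffic from this MAC in the current age period

    def state(self) -> str:
        # Forwarding requires every enabled user module to allow; one block vote wins.
        return "forwarding" if all(self.votes.values()) else "blocked"

    def tick(self, seconds: int) -> str:
        """Advance time; return 'kept', 'removed' (aged out) or 'hold-expired'."""
        limit = self.age_period if self.state() == "forwarding" else self.hold_time
        if limit is None:              # the case shown as '-' in the Age/Hold column
            return "kept"
        self.elapsed += seconds
        if self.elapsed < limit:
            return "kept"
        if self.state() == "blocked":
            return "hold-expired"      # assumed event name; follow-up action not on the page
        if self.frames_seen:           # still in use: a new age period begins
            self.elapsed, self.frames_seen = 0, False
            return "kept"
        return "removed"               # idle for a full age period


def demo():
    # Constructed module names and timer values.
    e = MacEntry({"module_a": True, "module_b": True}, age_period=60)
    out = [e.state()]
    e.frames_seen = True
    out.append(e.tick(60))             # traffic seen, so a new age period begins
    out.append(e.tick(60))             # no traffic, so the entry ages out
    b = MacEntry({"module_a": True, "module_b": False}, hold_time=300)
    out += [b.state(), b.tick(299), b.tick(1)]
    b.votes["module_b"] = True         # the blocking module changes its decision
    out.append(b.state())
    return out
```

The model makes the operational consequence visible: a single user module voting to block keeps the address blocked regardless of how the others vote, and a forwarding entry only disappears after a full age period with no frames.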