PurposeCommand or Action
Enable port security on the interface.switchport port-security
Example:
Switch(config-if)# switchport
Step 5
port-security
(Optional) Sets the maximum number of secure MAC addresses for the interface.
The maximum number of secure MAC addresses that you can configure on a switch
switchport port-security [maximum
value [vlan {vlan-list | {access |
voice}}]]
Step 6
or switch stack is set by the maximum number of available MAC addresses allowed
in the system. This number is set by the active Switch Database Management
Example:
Switch(config-if)# switchport
(SDM) template. This number is the total of available MAC addresses, including
those used for other Layer 2 functions and any other secure MAC addresses
configured on interfaces.
port-security maximum 20
(Optional) vlan—sets a per-VLAN maximum value
Enter one of these options after you enter the vlan keyword:
• vlan-list—On a trunk port, you can set a per-VLAN maximum value on a
range of VLANs separated by a hyphen or a series of VLANs separated by
commas. For nonspecified VLANs, the per-VLAN maximum value is used.
• access—On an access port, specifies the VLAN as an access VLAN.
• voice—On an access port, specifies the VLAN as a voice VLAN.
The voice keyword is available only if a voice VLAN is configured on a
port and if that port is not the access VLAN. If an interface is configured
for voice VLAN, configure a maximum of two secure MAC addresses.
Note
(Optional) Sets the violation mode, the action to be taken when a security violation
is detected, as one of these:
switchport port-security violation
{protect | restrict | shutdown |
shutdown vlan}
Step 7
• protect—When the number of port secure MAC addresses reaches the
maximum limit allowed on the port, packets with unknown source addresses
Example:
Switch(config-if)# switchport
are dropped until you remove a sufficient number of secure MAC addresses
to drop below the maximum value or increase the number of maximum
allowable addresses. You are not notified that a security violation has
occurred.
port-security violation restrict
We do not recommend configuring the protect mode on a trunk port.
The protect mode disables learning when any VLAN reaches its
maximum limit, even if the port has not reached its maximum limit.
Note
• restrict—When the number of secure MAC addresses reaches the limit
allowed on the port, packets with unknown source addresses are dropped
until you remove a sufficient number of secure MAC addresses or increase
the number of maximum allowable addresses. An SNMP trap is sent, a syslog
message is logged, and the violation counter increments.
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
342 OL-29434-01
Configuring Port-Based Traffic Control
Enabling and Configuring Port Security
To Next Page
Loading...
