2-941
Catalyst 3750-X and 3560-X Switch Command Reference
OL-29704-01
Chapter 2 Catalyst 3750-X and 3560-X Switch Cisco IOS Commands
switchport port-security
Command History
Usage Guidelines A secure port has the following limitations:
• A secure port can be an access port or a trunk port; it cannot be a dynamic access port.
• A secure port cannot be a routed port.
• A secure port cannot be a protected port.
• A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
• A secure port cannot belong to a Gigabit or 10-Gigabit EtherChannel port group.
• You cannot configure static secure or sticky secure MAC addresses in the voice VLAN.
• When you enable port security on an interface that is also configured with a voice VLAN, set the
maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP
phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice
VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone,
no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone,
you must configure enough secure addresses to allow one for each PC and one for the Cisco IP
phone.
• Voice VLAN is supported only on access ports and not on trunk ports.
• When you enter a maximum secure address value for an interface, if the new value is greater than
the previous value, the new value overrides the previously configured value. If the new value is less
than the previous value and the number of configured secure addresses on the interface exceeds the
new value, the command is rejected.
• The switch does not support port security aging of sticky secure MAC addresses.
A security violation occurs when the maximum number of secure MAC addresses are in the address table
and a station whose MAC address is not in the address table attempts to access the interface or when a
station whose MAC address is configured as a secure MAC address on another secure port attempts to
access the interface.
When a secure port is in the error-disabled state, you can bring it out of this state by entering the
errdisable recovery cause psecure-violation global configuration command. You can manually
re-enable the port by entering the shutdown and no shut down interface configuration commands or by
using the clear errdisable interface privileged EXEC command.
Setting a maximum number of addresses to one and configuring the MAC address of an attached device
ensures that the device has the full bandwidth of the port.
When you enter a maximum secure address value for an interface, this occurs:
• If the new value is greater than the previous value, the new value overrides the previously configured
value.
• If the new value is less than the previous value and the number of configured secure addresses on
the interface exceeds the new value, the command is rejected.
Release Modification
12.2(53)SE2 This command was introduced.
To Next Page
Loading...
Need help?
General
