Cisco Catalyst 4500 Series Software Configuration Guide

Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 55 Configuring Port Security
About Port Security
Sticky—Sticky addresses are learned like dynamic secure MAC addresses, but persist through
switch reboots and link flaps like static secure MAC addresses. You might want to use this type
if a large number of fixed MAC addresses exist and you do not want to configure the MAC addresses
manually (for example, 100 PCs secured on their own ports).
If a port has reached its maximum number of secure MAC addresses and you try to configure a static
secure MAC address, your configuration is rejected and an error message displays. If a port has reached
its maximum number of secure MAC addresses and a new dynamic secure MAC address is added, a
violation action is triggered.
You can clear dynamic secure MAC addresses with the clear port-security command. You can clear
sticky and static secure MAC addresses one at a time with the no form of the
switchport port-security mac-address command.
Maximum Number of Secure MAC Addresses
A secure port has a default of one MAC address. You can change the default to any value between 1 and
3,000. The upper limit of 3,000 guarantees one MAC address per port and an additional 3,000 across all
ports in the system.
After you have set the maximum number of secure MAC addresses on a port, you can include the secure
addresses in an address table in one of the following ways:
- You can configure the secure MAC addresses with the switchport port-security mac-address
  mac_address interface configuration command.
- You can configure all secure MAC addresses on a range of VLANs with the port-security
  mac-address VLAN range configuration command for trunk ports.
- You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of
  connected devices.
- You can configure some of the addresses and allow the rest to be dynamically configured.
Note: If a port's link goes down, all dynamically secured addresses on that port are no longer secure.
You can configure MAC addresses to be sticky. These can be dynamically learned or manually
configured, stored in the address table, and added to the running configuration. After these addresses
are saved in the configuration file, the interface does not need to dynamically relearn them when the
switch restarts. Although you can manually configure sticky secure addresses, this action is not
recommended.
Note: On a trunk port, a maximum number of secure MAC addresses can be configured on both the port and
the port VLAN. The port's maximum value can be greater than or equal to, but not less than, the port
VLAN maximum(s). If the port's maximum value is less than at least one of the port VLAN maximums
(for example, if the maximum is set to 3 on VLAN 10 while no "sw port max" is set, so the port
maximum defaults to 1), the port shuts down when the number of dynamically added addresses reaches 2
on VLAN 10 (see "Port Security Configuration Guidelines and Restrictions" on page 33). The port VLAN
maximum enforces the maximum allowed on a given port on a given VLAN. If the maximum is exceeded on a
given VLAN but the port's maximum is not exceeded, the port still shuts down. The entire port is shut
down even if only one of the VLANs on the port has actually caused the violation.
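
The trunk-port rule in the note above can be checked offline against a saved configuration. The following Python sketch is an added example, not part of the Cisco guide; the configuration excerpt is constructed, and the "vlan-range" sub-mode with "port-security maximum" is an assumed syntax for the per-VLAN maximum.

```python
import re

# Constructed running-config excerpt. The "vlan-range" sub-mode lines are an
# assumed syntax for per-VLAN maximums, not taken from the page.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport mode trunk
 switchport port-security
 vlan-range 10
  port-security maximum 3
!
interface GigabitEthernet1/2
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 5
 vlan-range 10-12
  port-security maximum 3
 vlan-range 20
  port-security maximum 5
"""
DEFAULT_PORT_MAX = 1  # a secure port defaults to one MAC address

def audit_port_security(config):
    """Return {port: (port_max, [(vlan_range, vlan_max), ...])} for ports whose
    port maximum is below at least one port VLAN maximum."""
    ports, name, vrange = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            name, vrange = m.group(1), None
            ports[name] = {"max": DEFAULT_PORT_MAX, "vlans": []}
        elif not raw[:1].isspace() or name is None:
            name = None  # "!" or a global command: outside any interface
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            ports[name]["max"] = int(m.group(1))
        elif m := re.fullmatch(r"vlan-range (\S+)", line):
            vrange = m.group(1)
        elif (m := re.fullmatch(r"port-security maximum (\d+)", line)) and vrange:
            ports[name]["vlans"].append((vrange, int(m.group(1))))
    findings = {}
    for port, cfg in ports.items():
        over = [(v, n) for v, n in cfg["vlans"] if n > cfg["max"]]
        if over:
            findings[port] = (cfg["max"], over)
    return findings

if __name__ == "__main__":
    for port, (pmax, over) in audit_port_security(SAMPLE_CONFIG).items():
        print(f"{port}: port maximum {pmax} is below VLAN maximum(s) {over}")
```

A port flagged here is one that would shut down on a VLAN-level violation before its VLAN maximum is ever reached, as the note describes.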

Cisco Catalyst 4500 Series Specifications

General
Series: Catalyst 4500 Series
Category: Switch
Layer Support: Layer 2, Layer 3
Form Factor: Modular chassis
Stackable: No
Chassis Slots: 3, 6, 7, 10
Power Supply Options: AC, DC
Redundancy: Power supply, Supervisor engine
Network Management: Cisco IOS Software CLI, SNMP, Cisco Prime Infrastructure
Features: Security, QoS
Port Density: Up to 384 ports per chassis
Security Features: 802.1X, ACLs, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard
Supervisor Engine: 8-E
