Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
 
Chapter 55      Configuring Port Security
Configuring Port Security on Trunk Ports
Switch# show port-security interface g1/1 address vlan 2-4
         Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                     Ports   Remaining Age
                                                             (mins)    
----    -----------       ----                     -----   -------------
  2    0001.0001.0001    SecureConfigured         Gi1/1        -
  2    0001.0001.0002    SecureSticky             Gi1/1        -
  2    0001.0001.0003    SecureSticky             Gi1/1        -
  3    0001.0001.0001    SecureConfigured         Gi1/1        -
  3    0001.0001.0002    SecureSticky             Gi1/1        -
  3    0001.0001.0003    SecureSticky             Gi1/1        -
  4    0001.0001.0001    SecureConfigured         Gi1/1        -
  4    0001.0001.0002    SecureSticky             Gi1/1        -
  4    0001.0001.0003    SecureSticky             Gi1/1        -
------------------------------------------------------------------------
Total Addresses: 9
Switch#
Trunk Port Security Configuration Guidelines and Restrictions
When configuring port security related parameters on a per-port per-VLAN basis, consider these 
guidelines and restrictions:
• A secure MAC-address cannot be configured on a VLAN that is not allowed on a regular trunk port.
• Port security configuration on the primary VLAN of a private VLAN trunk is not allowed. The 
command is rejected and an error message is displayed.
• If a specific VLAN on a port is not configured with a maximum value (directly or indirectly), the 
maximum configured for the port is used for that VLAN. In this situation, the maximum number of 
addresses that can be secured on this VLAN is limited to the maximum value configured on the port.
Each VLAN can be configured with a maximum count that is greater than the value configured on 
the port. Also, the sum of the maximum configured values for all the VLANs can exceed the 
maximum configured for the port. In either of these situations, the number of MAC addresses 
secured on each VLAN is limited to the lesser of the VLAN configuration maximum and the port 
configuration maximum. Also, the number of addresses secured on the port across all VLANs 
cannot exceed the maximum that is configured on the port.
• For private VLAN trunk ports, the VLAN on which the configuration is being performed must be in 
either the allowed VLAN list of the private VLAN trunk or the secondary VLAN list in the 
association pairs. (The CLI is rejected if this condition is not met.) The allowed VLAN list on a 
private VLAN trunk is intended to hold the VLAN-IDs of all the regular VLANs that are allowed 
on the private VLAN trunk.
• Removal of an association pair from a PVLAN trunk causes all static and sticky addresses associated 
with the secondary VLAN of the pair to be removed from the running configuration. Dynamic 
addresses associated with the secondary VLAN are deleted from the system.
Similarly, when a VLAN is removed from the allowed VLAN list of a PVLAN trunk, the addresses 
associated with that VLAN are removed.
Note: For a regular or private VLAN trunk port, if the VLAN is removed from the allowed VLAN list, all the 
addresses associated with that VLAN are removed.
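
The limit rules in the guidelines above, worked through in Python as an added example (not part of the Cisco guide): it parses rows in the Secure Mac Address Table format shown earlier and reports, per VLAN, the effective cap and how many more addresses can still be secured. The port maximum of 10 and the per-VLAN maximums are assumed values, and the function names are hypothetical.

```python
import re

# Constructed sample rows in the table format shown earlier on this page.
SAMPLE = "\n".join(
    f"  {vlan}    0001.0001.000{n}    {kind}         Gi1/1        -"
    for vlan in (2, 3, 4)
    for n, kind in ((1, "SecureConfigured"), (2, "SecureSticky"), (3, "SecureSticky")))

ROW = re.compile(
    r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(Secure\w+)\s+(\S+)", re.I)

def parse_secure_table(text):
    """Return (vlan, mac, type, port) tuples; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3), m.group(4)))
    return rows

def effective_vlan_limit(port_max, vlan_max=None):
    """Port maximum if the VLAN has no maximum, else the lesser of the two."""
    return port_max if vlan_max is None else min(vlan_max, port_max)

def audit(rows, port_max, vlan_maxes):
    """Compare secured-address counts with the effective per-VLAN and port limits."""
    counts = {}
    for vlan, _mac, _kind, _port in rows:
        counts[vlan] = counts.get(vlan, 0) + 1  # each (VLAN, MAC) entry counts once
    total = sum(counts.values())
    headroom = port_max - total  # the port-wide cap applies across all VLANs
    report = {}
    for vlan, used in sorted(counts.items()):
        limit = effective_vlan_limit(port_max, vlan_maxes.get(vlan))
        # Room on a VLAN is bounded by its own cap and by what the port has left.
        report[vlan] = {"used": used, "limit": limit,
                        "room": max(0, min(limit - used, headroom))}
    return report, {"used": total, "limit": port_max, "headroom": headroom}

if __name__ == "__main__":
    # Assumed configuration: port maximum 10; VLAN 2 -> 3, VLAN 3 -> 12, VLAN 4 unset.
    per_vlan, port = audit(parse_secure_table(SAMPLE), 10, {2: 3, 3: 12})
    for vlan, info in per_vlan.items():
        print(f"VLAN {vlan}: {info}")
    print("Port:", port)
```

With these assumed values, VLAN 3's configured maximum of 12 is capped at the port maximum of 10, and although VLANs 3 and 4 each sit well below their own caps, only one more address can be secured because the port as a whole already holds 9 of 10.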