2-635
Catalyst 3560 Switch Command Reference
78-16405-05
Chapter 2 Catalyst 3560 Switch Cisco IOS Commands
switchport port-security
Command History
Usage Guidelines A secure port has the following limitations:
• A secure port can be an access port or a trunk port; it cannot be a dynamic access port.
• A secure port cannot be a routed port.
• A secure port cannot be a protected port.
• A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
• A secure port cannot be a private-VLAN port.
• A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.
• You cannot configure static secure or sticky secure MAC addresses in the voice VLAN.
• When you enable port security on an interface that is also configured with a voice VLAN, you must
set the maximum allowed secure addresses on the port to two plus the maximum number of secure
addresses allowed on the access VLAN. When the port is connected to a Cisco IP Phone, the Cisco
IP Phone requires up to two MAC addresses. The Cisco IP Phone address is learned on the voice
VLAN and might also be learned on the access VLAN. Connecting a PC to the Cisco IP Phone
requires additional MAC addresses.
• Voice VLAN is supported only on access ports and not on trunk ports.
• When you enter a maximum secure address value for an interface, if the new value is greater than
the previous value, the new value overrides the previously configured value. If the new value is less
than the previous value and the number of configured secure addresses on the interface exceeds the
new value, the command is rejected.
• The switch does not support port security aging of sticky secure MAC addresses.
A security violation occurs when the maximum number of secure MAC addresses are in the address table
and a station whose MAC address is not in the address table attempts to access the interface or when a
station whose MAC address is configured as a secure MAC address on another secure port attempts to
access the interface.
If you enable port security on a voice VLAN port and if there is a PC connected to the IP phone, you
should set the maximum allowed secure addresses on the port to more than 1.
When a secure port is in the error-disabled state, you can bring it out of this state by entering the
errdisable recovery cause psecure-violation global configuration command, or you can manually
re-enable it by entering the shutdown and no shut down interface configuration commands.
Setting a maximum number of addresses to one and configuring the MAC address of an attached device
ensures that the device has the full bandwidth of the port.
When you enter a maximum secure address value for an interface, this occurs:
• If the new value is greater than the previous value, the new value overrides the previously configured
value.
• If the new value is less than the previous value and the number of configured secure addresses on
the interface exceeds the new value, the command is rejected.
Release Modification
12.1(19)EA1 This command was introduced.
12.2(25)SEB The access and voice keywords were added.
To Next Page
Loading...
Need help?
General