22-10
Catalyst2950 and Catalyst2955 Switch Software Configuration Guide
78-11380-10
Chapter22 Configuring Port-Based Traffic Control
Configuring Port Security
Enabling and Configuring Port Security
Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and
identifying MAC addresses of the stations allowed to access the port:
Command Purpose
Step1 configure terminal Enter global configuration mode.
Step2 interface interface-id Specify the interface to configure and enter interface configuration
mode.
Step3 switchport mode access Set the interface mode as access; an interface in the default mode
(dynamic desirable) cannot be configured as a secure port.
Step4 switchport port-security Enable port security on the interface.
Step5 switchport port-security maximum
value (Optional) Set the maximum number of secure MAC addresses for the
interface. The range is 1 to 132; the default is 1.
Step6 switchport port-security violation
{protect | restrict | shutdown}(Optional) Set the violation mode, the action to be taken when a security
violation is detected, as one of these:
protectWhen the number of secure MAC addresses reaches the
limit allowed on the port, packets with unknown source addresses
are dropped until you remove a sufficient number of secure MAC
addresses or increase the number of maximum allowable addresses.
You are not notified that a security violation has occurred.
restrictWhen the number of secure MAC addresses reaches the
limit allowed on the port, packets with unknown source addresses
are dropped until you remove a sufficient number of secure MAC
addresses or increase the number of maximum allowable addresses.
In this mode, you are notified that a security violation has occurred.
Specifically, an SNMP trap is sent, a syslog message is logged, and
the violation counter increments.
shutdownIn this mode, a port security violation causes the
interface to immediately become error-disabled, and turns off the
port LED. It also sends an SNMP trap, logs a syslog message, and
increments the violation counter.
Note When a secure port is in the error-disabled state, you can bring
it out of this state by entering the errdisable recovery cause
psecure-violation global configuration command, or you can
manually re-enable it by entering the shutdown and no
shutdown interface configuration commands.
Step7 switchport port-security mac-address
mac-address (Optional) Enter a static secure MAC address for the interface, repeating
the command as many times as necessary. You can use this command to
enter the maximum number of secure MAC addresses. If you configure
fewer secure MAC addresses than the maximum, the remaining MAC
addresses are dynamically learned.
Note If you enable sticky learning after you enter this command, the
secure addresses that were dynamically learned are con v erted to
sticky secure MAC addresses and are added to the running
configuration.