21-7
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
OL-10101-02
Chapter 21 Configuring Port-Based Traffic Control
Configuring Port Security
Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in
the address table, and added to the running configuration. If these addresses are saved in the
configuration file, the interface does not need to dynamically relearn them when the switch restarts.
Although sticky secure addresses can be manually configured, we do not recommend it.
You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses
and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter
the switchport port-security mac-address sticky interface configuration command. When you enter
this command, the interface converts all the dynamic secure MAC addresses, including those that were
dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.
The sticky secure MAC addresses do not automatically become part of the configuration file, which is
the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses
in the configuration file, when the switch restarts, the interface does not need to relearn these addresses.
If you do not save the configuration, they are lost.
If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure
addresses and are removed from the running configuration.
A secure port can have from 1 to 132 associated secure addresses. The total number of available secure
addresses on the switch is 1024.
Security Violations
It is a security violation when one of these situations occurs:
The maximum number of secure MAC addresses have been added to the address table, and a station
whose MAC address is not in the address table attempts to access the interface.
An address learned or configured on one secure interface is seen on another secure interface in the
same VLAN.
You can configure the interface for one of three violation modes, based on the action to be taken if a
violation occurs:
protect—When the number of secure MAC addresses reaches the limit allowed on the port, packets
with unknown source addresses are dropped until you remove a sufficient number of secure MAC
addresses or increase the number of maximum allowable addresses. You are not notified that a
security violation has occurred.
restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets
with unknown source addresses are dropped until you remove a sufficient number of secure MAC
addresses or increase the number of maximum allowable addresses. In this mode, you are notified
that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is
logged, and the violation counter increments.
shutdown—In this mode, a port security violation causes the interface to immediately become
error-disabled, and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and
increments the violation counter. When a secure port is in the error-disabled state, you can bring it
out of this state by entering the errdisable recovery cause psecure-violation global configuration
command, or you can manually re-enable it by entering the shutdown and no shutdown interface
configuration commands. This is the default mode.