21-8
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
OL-10101-02
Chapter 21 Configuring Port-Based Traffic Control
Configuring Port Security
Table 21-1 shows the violation mode and the actions taken when you configure an interface for port
security.
Default Port Security Configuration
Table 21-2 shows the default port security configuration for an interface.
Port Security Configuration Guidelines
Follow these guidelines when configuring port security:
Port security can only be configured on static access ports.
A secure port cannot be a dynamic access port or a trunk port.
A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.
You cannot configure static secure or sticky secure MAC addresses on a voice VLAN.
When you enable port security on an interface that is also configured with a voice VLAN, set the
maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP
phone, the Cisco IP phone requires one MAC address. The Cisco IP phone address is learned on the
voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP
phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP
phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
If any type of port security is enabled on the access VLAN, dynamic port security is automatically
enabled on the voice VLAN.
Tab l e 21-1 Security Violation Mode Actions
Violation Mode
Traffic is
forwarded1
1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
Sends SNMP
trap
Sends syslog
message
Displays error
message2
2. The switch will return an error message if you manually configure an address that would cause a security violation.
Violation
counter
increments Shuts down port
protect No No No No No No
restrict No Yes Yes No Ye s No
shutdown No Yes Yes No Ye s Yes
Tab l e 21-2 Default Port Security Configuration
Feature Default Setting
Port security Disabled.
Maximum number of secure MAC addresses One.
Violation mode Shutdown.
Sticky address learning Disabled.
Port security aging Disabled. Aging time is 0. When enabled, the default
type is absolute.