21-10
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
OL-10101-02
Chapter 21 Configuring Port-Based Traffic Control
Configuring Port Security
To return the interface to the default condition as not a secure port, use the no switchport port-security
interface configuration command. If you enter this command when sticky learning is enabled, the sticky
secure addresses remain part of the running configuration but are removed from the address table. All
addresses are now dynamically learned.
To return the interface to the default number of secure MAC addresses, use the no switchport
port-security maximum value interface configuration command.
To return the violation mode to the default condition (shutdown mode), use the no switchport
port-security violation {protect | restrict} interface configuration command.
Step 6 switchport port-security violation
{protect | restrict | shutdown}
(Optional) Set the violation mode, the action to be taken when a security
violation is detected, as one of these:
protect—When the number of secure MAC addresses reaches the
limit allowed on the port, packets with unknown source addresses
are dropped until you remove a sufficient number of secure MAC
addresses or increase the number of maximum allowable addresses.
You are not notified that a security violation has occurred.
restrict—When the number of secure MAC addresses reaches the
limit allowed on the port, packets with unknown source addresses
are dropped until you remove a sufficient number of secure MAC
addresses or increase the number of maximum allowable addresses.
In this mode, you are notified that a security violation has occurred.
Specifically, an SNMP trap is sent, a syslog message is logged, and
the violation counter increments.
shutdown—In this mode, a port security violation causes the
interface to immediately become error-disabled, and turns off the
port LED. It also sends an SNMP trap, logs a syslog message, and
increments the violation counter.
Note When a secure port is in the error-disabled state, you can bring
it out of this state by entering the errdisable recovery cause
psecure-violation global configuration command, or you can
manually re-enable it by entering the shutdown and no
shutdown interface configuration commands.
Step 7 switchport port-security mac-address
mac-address
(Optional) Enter a static secure MAC address for the interface, repeating
the command as many times as necessary. You can use this command to
enter the maximum number of secure MAC addresses. If you configure
fewer secure MAC addresses than the maximum, the remaining MAC
addresses are dynamically learned.
Note If you enable sticky learning after you enter this command, the
secure addresses that were dynamically learned are converted to
sticky secure MAC addresses and are added to the running
configuration.
Step 8 switchport port-security mac-address
sticky
(Optional) Enable sticky learning on the interface.
Step 9 end Return to privileged EXEC mode.
Step 10 show port-security Verify your entries.
Step 11 copy running-config startup-config (Optional) Save your entries in the configuration file.
Command Purpose