21-10
Catalyst 2960 Switch SoftwareConfiguration Guide
78-16881-01
Chapter21 Configuring Port-Based Traffic Control
Configuring Port Security
Default Port Security Configuration
Table21-2 shows the default port security configuration for an interface.
Port Security Configuration Guidelines
Follow these guidelines when configuring port security:
Port security can only be configured on static access ports or trunk ports. A secure port cannot be a
dynamic access port.
A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
A secure port cannot belong to a Fast EtherChannel or a Gigabit EtherChannel port group.
Note Voice VLAN is only supported on access ports and not on trunk ports, even though the
configuration is allowed.
When you enable port security on an interface that is also configured with a voice VLAN, you must
set the maximum allowed secure addresses on the port to two plus the maximum number of secure
addresses allowed on the access VLAN. When the port is connected to a Cisco IP Phone, the IP
phone requires up to two MAC addresses. The IP phone address is learned on the voice VLAN and
might also be learned on the access VLAN. Connecting a PC to the IP phone requires additional
MAC addresses.
When you enter a maximum secure address value for an interface, and the new value is greater than
the previous value, the new value overwrites the previously configured value. If the new value is less
than the previous value and the number of configured secure addresses on the interface exceeds the
new value, the command is rejected.
The switch does not support port security aging of sticky secure MAC addresses.
Table21-2 Default Port Security Configuration
Feature Default Setting
Port security Disabled on a port.
Sticky address learning Disabled.
Maximum number of secure
MAC addresses per port
1.
Violation mode Shutdown. The port shuts down when the maximum number of
secure MAC addresses is exceeded.
Port security aging Disabled. Aging time is 0.
Static aging is disabled.
Type is absolute.