12-8
Catalyst 3550 Multilayer Switch Software Configuration Guide
78-11194-03
Chapter12 Configuring Port-Based Traffic Control
Configuring Port Security
Configuring Port Security
You can use the port security feature to restrict input to an interface by limiting and identifying MAC
addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure
port, the port does not forward packets with source addresses outside the group of de fined addresses. If
you limit the number of secure MAC addresses to one and assign a single secure MAC address, the
workstation attached to that port is assured the full bandwidth of the port.
If a port is configured as a secure port and the maximum number of secure MAC addresses is reached,
when the MAC address of a station attempting to access the port is different from any of the identified
secure MAC addresses, a security violation occurs. Also, if a station with a secure MAC address
configured or learned on one secure port attempts to access another secure port, a violatio n is flagge d.

Understanding Port Security

After you have set the maximum number of secure MAC addresses on a port (the range is 1 to 128 with
a default of 128), the secure addresses are included in an address table in one of these ways:
You can configure all secure MAC addresses by using the switchport port-security mac-address
mac_address interface configuration command.
You can allow the port to dynamically c onfig ure se cure MAC a ddr esses w ith th e MAC addr esses of
connected devices.
You can configure a number of addresses and allow the rest to be dynamically configured.
Note If the port shuts down, all dynamically learned addres ses are re mo ved.
Once the maximum number of secure MAC addresses is co nfigured, they are stored in an address table.
Setting a maximum number of addresses to one and configuring the MAC address of an attached device
ensures that the device has the full bandwidth of the port.
It is a security violation when one of these situations occurs:
The maximum number of secure MAC addresses have been added to the addres s table and a station
whose MAC address is not in the address table attempts to access the interface.
A station whose MAC address is configured as a secure MAC address on another secure port
attempts to access the interface.
You can configure the interface for one of three violation modes, based on the a ct ion t o be taken i f a
violation occurs:
protectwhen the number of secure MAC addresses reaches the maximum limit allowed on the
port, packets with unknown source addresses are dropped until you remove a sufficient number of
secure MAC addresses to drop below the maximum value.
restricta port security violation causes a trap notification to be sent to the network management
station (NMS).
shutdowna port security violation causes a the interface to shut down immediately and a n SNMP
trap notification is sent. Once shut down, the interface must be manually re-enabled by usi ng the no
shutdown interface configuration command. This is the default mode.