Chapter 26 Configuring Port-Based Traffic Control

Configuring Port Security

To disable port security aging for all secure addresses on a port, use the no switchport port-security aging time interface configuration command. To disable aging for only statically configured secure addresses, use the no switchport port-security aging static interface configuration command.

This example shows how to set the aging time as 2 hours for the secure addresses on a port:

Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport port-security aging time 120

This example shows how to set the aging time as 2 minutes for the inactivity aging type with aging enabled for the configured secure addresses on the interface:

Switch(config-if)# switchport port-security aging time 2
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# switchport port-security aging static

You can verify the previous commands by entering the show port-security interface interface-id privileged EXEC command.

Port Security and Switch Stacks

When a switch joins a stack, the new switch will get the configured secure addresses. All dynamic secure addresses are downloaded by the new stack member from the other stack members.

When a switch (either the stack master or a stack member) leaves the stack, the remaining stack members are notified, and the secure MAC addresses configured or learned by that switch are deleted from the secure MAC address table. For more information about switch stacks, see Chapter 5, “Managing Switch Stacks.”

Port Security and Private VLANs

Port security allows an administrator to limit the number of MAC addresses learned on a port or to define which MAC addresses can be learned on a port.

Beginning in privileged EXEC mode, follow these steps to configure port security on a PVLAN host and promiscuous ports:

 

         Command                                                  Purpose
Step 1   configure terminal                                       Enter global configuration mode.
Step 2   interface interface-id                                   Specify the interface to be configured, and enter interface configuration mode.
Step 3   switchport mode private-vlan {host | promiscuous}        Enable a private VLAN on the interface.
Step 4   switchport port-security                                 Enable port security on the interface.
Step 5   end                                                      Return to privileged EXEC mode.
Step 6   show port-security [interface interface-id] [address]    Verify your entries.
Step 7   copy running-config startup-config                       (Optional) Save your entries in the configuration file.
 

Switch(config)# interface GigabitEthernet 1/0/8
Switch(config-if)# switchport private-vlan mapping 2061 2201-2206,3101
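
An added example (not from the Cisco guide): a Python check that reads running-config text and flags ports where the aging or private-VLAN commands described above are present but the switchport port-security enable step is missing. The sample configuration is constructed, and the function and key names are hypothetical.

```python
import re

# Constructed running-config excerpt for illustration (not from the guide).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport port-security
 switchport port-security aging time 120
!
interface GigabitEthernet1/0/2
 switchport mode private-vlan host
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security aging static
!
interface GigabitEthernet1/0/8
 switchport mode private-vlan promiscuous
 switchport port-security
"""

PATTERNS = {  # hypothetical setting name -> regex over one stanza line
    "enabled": r"switchport port-security",
    "pvlan": r"switchport mode private-vlan (host|promiscuous)",
    "aging_time": r"switchport port-security aging time (\d+)",
    "aging_type": r"switchport port-security aging type (\w+)",
    "aging_static": r"switchport port-security aging static",
}

def parse_interfaces(config):
    """Map interface name -> port-security settings found in its stanza."""
    ports, cur = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = ports.setdefault(raw[len("interface "):].replace(" ", ""), {})
        elif not raw.startswith(" "):
            cur = None  # "!" or another top-level command closes the stanza
        elif cur is not None:
            for key, pattern in PATTERNS.items():
                m = re.fullmatch(pattern, raw.strip())
                if m:
                    cur[key] = m.group(1) if m.groups() else True
    return ports

def audit(config):
    """Return (interface, finding) pairs for ports that skip the enable step."""
    findings = []
    for name, p in parse_interfaces(config).items():
        if "pvlan" in p and "enabled" not in p:
            findings.append((name, f"private-vlan {p['pvlan']} port without switchport port-security"))
        if not p.get("enabled") and any(k.startswith("aging") for k in p):
            findings.append((name, "aging configured but port security not enabled"))
    return findings
```

Calling audit() on the text of a saved running-config returns one (interface, finding) pair per problem; an empty list means every listed port passed both checks.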

 

 

Catalyst 3750-E and 3560-E Switch Software Configuration Guide
OL-9775-02