18-5
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 18 Configuring Port-Based Traffic Control
Configuring Port Security

Understanding Port Security

This section contains information about these topics:
• Secure MAC Addresses, page 18-5
• Security Violations, page 18-6

Secure MAC Addresses

A secure port can have from 1 to 132 associated secure addresses. After you have set the maximum
number of secure MAC addresses on a port, the secure addresses are included in an address table in one
of these ways:
• You can configure all secure MAC addresses by using the switchport port-security mac-address
  mac-address interface configuration command.
• You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of
  connected devices.
• You can configure a number of addresses and allow the rest to be dynamically configured.
Once the maximum number of secure MAC addresses is configured, they are stored in an address table.
Setting a maximum number of addresses to one and configuring the MAC address of an attached device
ensures that the device has the full bandwidth of the port.
The switch supports these types of secure MAC addresses:
• Static secure MAC addresses: These are manually configured by using the switchport
  port-security mac-address mac-address interface configuration command, stored in the address
  table, and added to the switch running configuration.
• Dynamic secure MAC addresses: These are dynamically configured, stored only in the address
  table, and removed when the switch restarts.
• Sticky secure MAC addresses: These are dynamically configured, stored in the address table, and
  added to the running configuration. If these addresses are saved in the configuration file, when the
  switch restarts, the interface does not need to dynamically reconfigure them.
You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses
and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter
the switchport port-security mac-address sticky interface configuration command. When you enter
this command, the interface converts all the dynamic secure MAC addresses, including those that were
dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. The interface
adds all the sticky secure MAC addresses to the running configuration.
The sticky secure MAC addresses do not automatically become part of the configuration file, which is
the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses
in the configuration file, when the switch restarts, the interface does not need to relearn these addresses.
If you do not save the sticky secure addresses, they are lost.
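
The difference between sticky addresses held in the running configuration and those saved to the startup configuration can be checked offline. The following is an added example, not part of the Cisco guide: it compares two configuration texts and reports sticky secure MAC addresses that would be lost on restart. The interface names, MAC addresses, and function names are constructed for illustration, and it assumes learned sticky entries are written as `switchport port-security mac-address sticky <mac>`.

```python
import re

# Constructed sample running configuration (not from the guide); MACs are made up.
RUNNING = """\
interface FastEthernet0/1
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0000.0c12.3456
 switchport port-security mac-address sticky 0000.0c12.9abc
!
interface FastEthernet0/2
 switchport port-security
 switchport port-security mac-address 0000.0c55.0001
!
"""
# Constructed startup configuration: saved before 0000.0c12.9abc was learned.
STARTUP = RUNNING.replace(" switchport port-security mac-address sticky 0000.0c12.9abc\n", "")

# Matches static and sticky entries; the bare "mac-address sticky" enable line has no MAC.
MAC_LINE = re.compile(
    r"^\s+switchport port-security mac-address (sticky )?"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s*$", re.IGNORECASE)

def parse_secure_macs(config):
    """Return {interface: {"static": set, "sticky": set}} from configuration text."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            result[current] = {"static": set(), "sticky": set()}
        elif not line.startswith(" "):
            current = None  # "!" or a global command ends the interface block
        elif current:
            m = MAC_LINE.match(line)
            if m:
                kind = "sticky" if m.group(1) else "static"
                result[current][kind].add(m.group(2).lower())
    return result

def unsaved_sticky(running, startup):
    """Sticky MACs present in the running config but missing from the startup config."""
    run, start = parse_secure_macs(running), parse_secure_macs(startup)
    lost = {}
    for intf, macs in run.items():
        saved = start.get(intf, {"sticky": set()})["sticky"]
        missing = sorted(macs["sticky"] - saved)
        if missing:
            lost[intf] = missing
    return lost

if __name__ == "__main__":
    print(unsaved_sticky(RUNNING, STARTUP))
```

Static entries are never reported, because they are written to the configuration when they are entered; only sticky entries depend on the configuration being saved after they are learned.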