Catalyst 6500 Series Switch Command Reference—Release 8.4
OL-6244-01
Chapter 2 Catalyst 6500 Series Switch and ROM Monitor Commands set port security
Defaults The default port security configuration is as follows:
Port security is disabled.
Number of secure addresses per port is one.
Violation action is shutdown.
Age is permanent. (Addresses are not aged out.)
Shutdown time is indefinite.
Timer type is set to absolute aging.
Unicast flooding is enabled.
The automatic configuration feature is disabled.
Command Types Switch command.
Command Modes Privileged.
Usage Guidelines This command is not supported by the NAM.
If you enter the set port security enable command but do not specify a MAC address, the first MAC
address seen on the port becomes the secure MAC address.
You can specify the number of MAC addresses to secure on a port. You can add MAC addresses to this
list of secure addresses. If you change the number of addresses to a value that is less than the current
value, some configured addresses might be cleared. A warning message displays when you attempt to
reduce the number of addresses.
The set port security violation command allows you to specify whether you want the port to shut down
or to restrict access to insecure MAC addresses only. The shutdown time allows you to specify the
duration of shutdown in the event of a security violation.
We recommend that you configure the age timer and the shutdown timer if you want to move a host from
one port to another when port security is enabled on those ports. If the age_time value is less than or
equal to the shutdown_time value, the moved host will function again in an amount of time equal to the
shutdown_time value. The age timer begins upon learning the first MAC address, and the disable timer
begins when there is a security violation.
If you disable unicast flooding on a port, the port will drop unicast flood packets when it reaches the
maximum number of MAC addresses allowed.
You can secure only unicast MAC addresses through the CLI. Unicast MAC addresses can also be
learned dynamically. Multicast MAC addresses cannot be secured.
You can apply one of two types of aging for automatically learned addresses on a secure port:
Absolute aging times out the MAC address after the age_time has been exceeded, regardless of the
traffic pattern. This is the default for any secured port, and the age_time is set to 0.
Inactivity aging times out the MAC address only after the age_time of inactivity from the
corresponding host has been exceeded.
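
The following added example (not Cisco code and not part of the original reference) models the two aging types on a single secure port to show how they treat an active host differently. The function name simulate_port, the per-address timers, the abstract time units and the MAC addresses are assumptions made for illustration; the violation action (shutdown or restrict) is not modelled.

```python
def simulate_port(frames, maximum=1, age_time=0, timer_type="absolute"):
    """Return the (time, mac) frames that would count as security violations.

    Simplified model (assumption, not switch code): every address is learned
    dynamically, each address has its own age timer, and the violation action
    is not applied. age_time == 0 means permanent (addresses are not aged out).
    """
    if timer_type not in ("absolute", "inactivity"):
        raise ValueError("timer_type must be 'absolute' or 'inactivity'")
    table = {}        # secure MAC -> time its age timer (re)started
    violations = []
    for now, mac in sorted(frames):
        if age_time > 0:
            # Remove every secure address whose age_time has been exceeded.
            expired = [m for m, start in table.items() if now - start > age_time]
            for old in expired:
                del table[old]
        if mac in table:
            if timer_type == "inactivity":
                table[mac] = now   # traffic from the host restarts its timer
            # absolute: the timer keeps running regardless of traffic
        elif len(table) < maximum:
            table[mac] = now       # free slot: address is learned as secure
        else:
            violations.append((now, mac))
    return violations


# Constructed sample traffic: host A sends throughout, host B appears at t=6.
HOST_A = "02-00-00-00-00-0a"
HOST_B = "02-00-00-00-00-0b"
FRAMES = [(0, HOST_A), (2, HOST_A), (4, HOST_A), (6, HOST_B), (7, HOST_A)]

if __name__ == "__main__":
    cases = [
        ("permanent (default)", {}),
        ("absolute, age_time=5", {"age_time": 5, "timer_type": "absolute"}),
        ("inactivity, age_time=5", {"age_time": 5, "timer_type": "inactivity"}),
    ]
    for label, kwargs in cases:
        print(label, "->", simulate_port(FRAMES, maximum=1, **kwargs))
```

In this model, absolute aging removes host A while it is still sending, so host B is learned in its place and host A's next frame is the violation. Inactivity aging and the permanent default both keep host A and flag host B.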