28-11
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 28 Configuring Port-Based Traffic Control Configuring Port Security
Default Port Security ConfigurationPort Security Configuration Guidelines
Port security can only be configured on static access ports or trunk ports. A secure port cannot be a
dynamic access port.
A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
A secure port cannot belong to a Gigabit EtherChannel port group.
Note Voice VLAN is only supported on access ports and not on trunk ports, even though the
configuration is allowed.
A secure port cannot be a private-VLAN port.
When you enable port security on an interface that is also configured with a voice VLAN, set the
maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP
phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice
Tab le 28-1 Security Violation Mode Actions
Violation Mode Traffic is
forwarded1
1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
Sends SNMP
trap Sends syslog
message Displays error
message2
2. The switch returns an error message if you manually configure an address that would cause a security violation.
Violation
counter
increments Shuts down port
protect No No No No No No
restrict No Yes Yes No Ye s No
shutdown No Yes Yes No Ye s Yes
shutdown vlan No Yes Yes No Ye s No3
3. Shuts down only the VLAN on which the violation occurred.
Tab le 28-2 Default Port Security Configuration
Feature Default Setting
Port security Disabled on a port.
Sticky address learning Disabled.
Maximum number of secure
MAC addresses per port
1.
Violation mode Shutdown. The port shuts down when the maximum number of
secure MAC addresses is exceeded.
Port security aging Disabled. Aging time is 0.
Static aging is disabled.
Type is absolute.