30-2
Software Configuration Guide—Release 12.2(25)EWA
OL-6850-03
Chapter 30 Configuring Port Security and Trunk Port Security
Overview of Port Security
You can allow the port to dynamically configure secure MAC addresses with the MAC addresses of
connected devices.
You can configure a number of addresses and allow the rest to be dynamically configured.
Note: If the port’s link goes down, all dynamically secured addresses are no longer secure.
You can configure MAC addresses to be sticky. These can be dynamically learned or manually
configured, stored in the address table, and added to the running configuration. If these addresses
are saved in the configuration file, the interface does not need to dynamically relearn them when the
switch restarts. Although sticky secure addresses can be manually configured, it is not
recommended.
You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses
and to add them to the running configuration by enabling sticky port security. To enable sticky port
security, enter the switchport port-security mac-address sticky command. When you enter this
command, the interface converts all the dynamic secure MAC addresses, including those that were
dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.
The sticky secure MAC addresses do not automatically become part of the configuration file, which is
the startup configuration used each time the switch restarts. If you save the running config file to the
configuration file, the interface does not need to relearn these addresses when the switch restarts. If you
do not save the configuration, they are lost.
If sticky port security is disabled, the sticky secure MAC addresses are converted to dynamic secure
addresses and are removed from the running configuration.
After the maximum number of secure MAC addresses is configured, they are stored in an address table.
To ensure that an attached device has the full bandwidth of the port, configure the MAC address of the
attached device and set the maximum number of addresses to one, which is the default.
Note: When a Catalyst 4500 series switch port is configured to support voice as well as port security, the
maximum number of allowable MAC addresses on this port should be changed to three.
Note: The address on a voice VLAN, such as a Cisco IP Phone, cannot be made sticky.
A security violation occurs if the maximum number of secure MAC addresses to a port has been added
to the address table and a workstation whose MAC address is not in the address table attempts to access
the interface.
You can configure the interface for one of these violation modes, based on the action to be taken if a
violation occurs:
Restrict—A port security violation restricts data (that is, packets are dropped in software), causes
the SecurityViolation counter to increment, and causes an SNMP Notification to be generated. The
rate at which SNMP traps are generated can be controlled by the
snmp-server enable traps port-security trap-rate command. The default value (“0”) causes an SNMP
trap to be generated for every security violation.
Shutdown—A port security violation causes the interface to shut down immediately. When a secure
port is in the error-disabled state, you can bring it out of this state by entering the
errdisable recovery cause psecure-violation global configuration command, or you can manually
reenable it by entering the shutdown and no shutdown interface configuration commands. This is
the default mode.
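As an added illustration that is not part of this guide, the following Python script parses a constructed startup-config excerpt (interface names and MAC addresses are made up) and checks it against two points above: a voice VLAN port with port security should allow three addresses, and sticky learning only survives a restart if the learned sticky addresses were saved to the configuration. It applies the guide's defaults of one address and shutdown mode when an interface does not set them.

```python
import re

# Constructed startup-config excerpt for illustration; not taken from a real switch.
SAMPLE_CONFIG = """\
interface FastEthernet2/1
 switchport voice vlan 20
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.2233.4455
!
interface FastEthernet2/2
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address 0011.2233.6677
!
"""

def parse_interfaces(config):
    """Return {interface name: [its config lines, stripped]} for every interface stanza."""
    stanza = re.compile(r"^interface (\S+)\n((?: .*\n)*)", re.M)
    return {m.group(1): [l.strip() for l in m.group(2).splitlines()]
            for m in stanza.finditer(config)}

def port_security_profile(lines):
    """Port-security state of one interface; 'saved' counts sticky addresses written to the config."""
    if "switchport port-security" not in lines:
        return None  # port security is not enabled on this interface
    prof = {"maximum": 1, "violation": "shutdown",  # defaults when not configured explicitly
            "sticky": "switchport port-security mac-address sticky" in lines,
            "voice": any(l.startswith("switchport voice vlan ") for l in lines),
            "saved": sum(l.startswith("switchport port-security mac-address sticky ") for l in lines)}
    for l in lines:
        if m := re.fullmatch(r"switchport port-security (maximum|violation) (\S+)", l):
            prof[m.group(1)] = int(m.group(2)) if m.group(1) == "maximum" else m.group(2)
    return prof

def audit(config):
    """Map each secured interface to its findings (an empty list means it passed)."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if (prof := port_security_profile(lines)) is None:
            continue
        issues = []
        if prof["voice"] and prof["maximum"] != 3:
            issues.append("voice VLAN port: maximum secure addresses should be 3")
        if prof["sticky"] and prof["saved"] == 0:
            issues.append("sticky learning enabled but no sticky addresses saved")
        findings[name] = issues
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see FastEthernet2/1 flagged for its default maximum of one while carrying a voice VLAN, and FastEthernet2/2 pass.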