Software Configuration Guide—Release 12.2(25)EWA
OL-6850-03
Chapter 30 Configuring Port Security and Trunk Port Security
Configuring Port Security
• A secure port and static MAC address configuration for an interface are mutually exclusive.
• Port security cannot be enabled on dynamic access ports.
• Port security cannot be enabled on EtherChannels.
• When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP phone, the IP phone requires up to two MAC addresses. The IP phone address is learned on the voice VLAN and might also be learned on the access VLAN. Connecting a PC to the IP phone requires additional MAC addresses.
• When you enter a maximum secure address value for an interface, and the new value is greater than the previous value, the new value overwrites the previously configured value. If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value, the command is rejected.
• The switch does not support port security aging of sticky secure MAC addresses.
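The guidelines above can be checked offline against a saved configuration. The following is an added example, not code from the Cisco guide: the function names `stanzas` and `audit`, the `access_max` parameter and the sample configuration are constructed for illustration, the `switchport voice vlan` and `channel-group` lines are standard IOS interface commands that do not appear on this page, and a missing `switchport mode` line is assumed to mean the default dynamic mode.

```python
import re

# Constructed sample config for illustration; not taken from the guide.
SAMPLE = """\
interface GigabitEthernet2/1
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
interface GigabitEthernet2/2
 switchport port-security
interface GigabitEthernet2/3
 switchport mode access
 channel-group 1 mode on
 switchport port-security
"""

def stanzas(config):
    """Yield (interface name, [sub-commands]) for each interface block."""
    name, cmds = None, []
    for raw in config.splitlines() + ["!"]:  # sentinel flushes the last block
        if raw.startswith(" ") and name:
            cmds.append(raw.strip())
            continue
        if name:
            yield name, cmds
        name, cmds = (raw[10:].strip() if raw.startswith("interface ") else None), []

def audit(config, access_max=1):
    """Return {interface: [findings]} for ports with port security enabled."""
    report = {}
    for name, cmds in stanzas(config):
        if "switchport port-security" not in cmds:
            continue
        found = []
        mode = [c for c in cmds if c.startswith("switchport mode ")]
        if not mode or mode[-1].startswith("switchport mode dynamic"):
            found.append("dynamic/default mode: cannot be a secure port")
        if any(c.startswith("channel-group ") for c in cmds):
            found.append("EtherChannel member: port security not supported")
        maxes = re.findall(r"^switchport port-security maximum (\d+)$", "\n".join(cmds), re.M)
        limit = int(maxes[-1]) if maxes else 1  # guide: the default maximum is 1
        want = 2 + access_max  # guide: two for the IP phone plus the access VLAN limit
        if any(c.startswith("switchport voice vlan ") for c in cmds) and limit != want:
            found.append(f"voice VLAN: maximum should be {want}, is {limit}")
        if found:
            report[name] = found
    return report
```

Calling `audit(SAMPLE)` flags all three sample ports; `access_max` is the number of secure addresses your policy allows on the access VLAN.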
Configuring Port Security
These sections describe how to configure port security:
• Configuring Port Security on an Interface
• Configuring Trunk Port Security
• Configuring Port Security Aging

Configuring Port Security on an Interface

To restrict traffic through a port by limiting and identifying the MAC addresses of the stations allowed to access the port, perform this task:
Step 1
Command: Switch(config)# interface interface_id
Purpose: Enters interface configuration mode and specifies the physical interface to configure.

Step 2
Command: Switch(config-if)# switchport mode {access | private vlan host | private vlan promiscuous}
Purpose: Sets the interface mode.
Note: An interface in the default mode (dynamic desirable) cannot be configured as a secure port.

Step 3
Command: Switch(config-if)# switchport port-security
Purpose: Enables port security on the interface.

Step 4
Command: Switch(config-if)# switchport port-security maximum value
Purpose: (Optional) Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 3072; the default is 1.