Chapter 23
Configuring Port-Based Traffic Control
Table 23-1
Security Violation Mode Actions (continued)
Traffic is
Violation Mode
forwarded
shutdown
No
shutdown vlan
No
1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
2. The switch returns an error message if you manually configure an address that would cause a security violation.
3. Shuts down only the VLAN on which the violation occurred.
Default Port Security Configuration
Table 23-2
Table 23-2
Feature
Port security
Sticky address learning
Maximum number of secure
MAC addresses per port
Violation mode
Port security aging
Port Security Configuration Guidelines
Follow these guidelines when configuring port security:
•
•
•
•
OL-26520-01
Sends SNMP
1
trap
No
No
shows the default port security configuration for an interface.
Default Port Security Configuration
Port security can only be configured on static access ports or trunk ports. A secure port cannot be a
dynamic access port.
A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
A secure port cannot belong to a Fast EtherChannel or a Gigabit EtherChannel port group.
Voice VLAN is only supported on access ports and not on trunk ports, even though the
Note
configuration is allowed.
When you enable port security on an interface that is also configured with a voice VLAN, set the
maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP
phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice
Catalyst 2960 and 2960-S Switches Software Configuration Guide, Release 15.0(1)SE
Sends syslog
Displays error
message
message
No
No
Yes
No
Default Setting
Disabled on a port.
Disabled.
1
Shutdown. The port shuts down when the maximum number of
secure MAC addresses is exceeded.
Disabled. Aging time is 0.
Static aging is disabled.
Type is absolute.
Configuring Port Security
Violation
counter
2
increments
Yes
Yes
Shuts down port
Yes
3
No
23-11