Chapter 21      Configuring Port-Based Traffic Control
Configuring Port Security

Table 21-1 shows the violation mode and the actions taken when you configure an interface for port security.

Table 21-1    Security Violation Mode Actions

Violation Mode | Traffic is forwarded (1) | Sends SNMP trap | Sends syslog message | Displays error message (2) | Violation counter increments | Shuts down port
protect        | No  | No  | No  | No | No  | No
restrict       | No  | Yes | Yes | No | Yes | No
shutdown       | No  | Yes | Yes | No | Yes | Yes

1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
2. The switch returns an error message if you manually configure an address that would cause a security violation.

Default Port Security Configuration

Table 21-2 shows the default port security configuration for an interface.

Table 21-2    Default Port Security Configuration

Feature                                 | Default Setting
Port security                           | Disabled.
Maximum number of secure MAC addresses  | One.
Violation mode                          | Shutdown.
Sticky address learning                 | Disabled.
Port security aging                     | Disabled. Aging time is 0. When enabled, the default type is absolute.

Port Security Configuration Guidelines

Follow these guidelines when configuring port security:

• Port security can be configured only on static access ports.
• A secure port cannot be a dynamic access port or a trunk port.
• A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
• A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.
• You cannot configure static secure or sticky secure MAC addresses on a voice VLAN.
• When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP phone, the IP phone requires up to two MAC addresses. The address of the IP phone is learned on the voice VLAN, and it might or might not be learned on the access VLAN. Connecting a PC to the IP phone requires additional MAC addresses.
• If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN.

Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
78-11380-12
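The following Python script is an added example and is not part of the Cisco guide. It turns the guidelines above into code in two ways: build_config() generates the interface-level port-security commands for a port, refusing the port types the guidelines exclude and applying the "two plus the access-VLAN maximum" rule when a voice VLAN is present (defaults follow Table 21-2); triage() reads switch syslog and uses the Table 21-1 behaviour of the restrict and shutdown modes (both log a violation, only shutdown takes the port down) to infer which mode fired on each port. The PortSpec fields, the port_kind labels and the sample log lines are constructed for this example; the %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE message wording is the usual IOS form but should be treated as an assumption and checked against your release.

```python
"""Port-security config builder and violation-log triage for Catalyst 2950/2955
style switches.  Added example, not code from the configuration guide."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

VIOLATION_MODES = ("protect", "restrict", "shutdown")


@dataclass
class PortSpec:
    """Hypothetical description of one switch port (names are this example's own)."""
    name: str                         # e.g. "FastEthernet0/1"
    mode: str = "shutdown"            # Table 21-2 default violation mode
    access_max: int = 1               # secure addresses wanted on the access VLAN (default one)
    voice_vlan: Optional[int] = None  # voice VLAN number, if the port carries a phone
    sticky: bool = False              # sticky learning is disabled by default
    port_kind: str = "static-access"  # or "dynamic-access", "trunk", "span-dest", "etherchannel"


def required_maximum(spec: PortSpec) -> int:
    """Minimum value for 'switchport port-security maximum'.

    With a voice VLAN the guide requires at least two addresses more than the
    access-VLAN maximum, because the phone may be learned on both VLANs."""
    if spec.voice_vlan is None:
        return spec.access_max
    return spec.access_max + 2


def build_config(spec: PortSpec) -> list[str]:
    """Return the interface commands, or raise for port types the guide excludes."""
    if spec.port_kind != "static-access":
        raise ValueError(f"{spec.name}: port security needs a static access port, "
                         f"not {spec.port_kind} (no trunk, dynamic, SPAN destination or EtherChannel)")
    if spec.mode not in VIOLATION_MODES:
        raise ValueError(f"{spec.name}: unknown violation mode {spec.mode!r}")
    lines = [f"interface {spec.name}", " switchport mode access"]
    if spec.voice_vlan is not None:
        lines.append(f" switchport voice vlan {spec.voice_vlan}")
    lines += [
        " switchport port-security",
        f" switchport port-security maximum {required_maximum(spec)}",
        f" switchport port-security violation {spec.mode}",
    ]
    if spec.sticky:
        lines.append(" switchport port-security mac-address sticky")
    return lines


# Constructed sample syslog: Fa0/3 is in shutdown mode (violation then err-disable),
# Fa0/7 is in restrict mode (violation logged, port stays up).  protect mode
# produces no message at all, so it can never be seen this way.
SAMPLE_SYSLOG = """\
Mar  1 00:12:07.115: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/3.
Mar  1 00:12:09.420: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
Mar  1 00:12:09.421: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/3, putting Fa0/3 in err-disable state
Mar  1 00:15:01.002: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port FastEthernet0/7.
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address ([0-9a-f.]+) on port (\S+?)\.?$")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+),")


def _canonical(port: str) -> str:
    """Expand the short interface names IOS uses in some messages (Fa0/3 -> FastEthernet0/3)."""
    for short, long in (("Fa", "FastEthernet"), ("Gi", "GigabitEthernet")):
        if port.startswith(short) and not port.startswith(long):
            return long + port[len(short):]
    return port


def triage(log: str) -> dict[str, dict]:
    """Group violations per port and infer the violation mode from Table 21-1:
    a violation followed by err-disable means shutdown mode; a violation with
    the port still up means restrict mode."""
    events: dict[str, dict] = {}
    for line in log.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            entry = events.setdefault(_canonical(m.group(2)), {"macs": [], "err_disabled": False})
            entry["macs"].append(m.group(1))
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            entry = events.setdefault(_canonical(m.group(1)), {"macs": [], "err_disabled": False})
            entry["err_disabled"] = True
    for entry in events.values():
        entry["inferred_mode"] = "shutdown" if entry["err_disabled"] else "restrict"
    return events


if __name__ == "__main__":
    print("\n".join(build_config(PortSpec("FastEthernet0/1", mode="restrict", voice_vlan=10, sticky=True))))
    for port, info in triage(SAMPLE_SYSLOG).items():
        print(f"{port}: {info['inferred_mode']} mode, offending MACs {info['macs']}")
```

Because protect mode sends neither a trap nor a syslog message, a port left at protect can silently drop an unknown host's traffic with nothing in the logs; if you need visibility, use restrict, which keeps the port up but logs and counts each violation.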