Chapter 16
Configuring Port Security
Note: If you restrict the number of secure MAC addresses on a port to one and additional hosts attempt to connect to that port, port security blocks these additional hosts from being connected to that port as well as to any other port in the same VLAN for the duration of the VLAN aging time. By default, the VLAN aging time is five minutes. If a host is blocked from joining a port in the same VLAN as the secured port, allow the VLAN aging time to expire before you attempt to connect the host to the port again.
Specifying Shutdown Time
You can specify how long a port remains disabled in case of a security violation. By default, the port is shut down permanently. The valid range is 10 to 1440 minutes.

Note: If the time is set to zero, the shutdown is disabled for this port. When the shutdown timeout expires, the port is reenabled and all port security-related configuration is maintained.
To set the shutdown timeout, perform this task in privileged mode:

Task                                     Command
Set the shutdown timeout on a port.      set port security mod_num/port_num shutdown time

This example sets the shutdown time to 600 minutes on port 4/7:

Console> (enable) set port security 4/7 shutdown 600
Secure address shutdown time set to 600 minutes for port 4/7.
Console> (enable)

Disabling Port Security

To disable port security, perform this task in privileged mode:

Task                                                  Command
Step 1  Disable port security on the desired ports.   set port security mod_num/port_num disable
Step 2  Verify the configuration.                     show port security [mod_num/port_num]

This example shows how to disable security on a port:

Console> (enable) set port security 2/1 disable
Port 2/1 port security disabled.
Console> (enable)
Console> (enable) show port security 2/1
Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
 3/24 disabled restrict             20      300       10 disabled     921

Port  Num-Addr Secure-Src-Addr   Age-Left Last-Src-Addr     Shutdown/Time-Left
----- -------- ----------------- -------- ----------------- ------------------

Software Configuration Guide—Catalyst 4000 Family, Catalyst 2948G, Catalyst 2980G, Releases 6.3 and 6.4 (78-12647-02)
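To turn the verification step above into a repeatable check, here is an added example (not from this guide or Cisco) that parses the first table of show port security output and flags ports where security is disabled, the shutdown timeout is 0 or outside the 10 to 1440 minute range stated above, or violation traps are off. The sample output, the function names and the trap interpretation (SNMP notification on violation) are this example's own assumptions.

```python
"""Audit CatOS 'show port security' output for weak settings.
Added example, not Cisco's code: parses the first table (layout shown
on this page) and flags settings that leave violations unenforced or unseen."""

# Constructed sample output in the column layout shown on this page.
SAMPLE = """\
Port  Security Violation Shutdown-Time Age-Time Max-Addr Trap     IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
 2/1  enabled  shutdown            600        0        1 enabled      897
 3/24 disabled restrict             20      300       10 disabled     921
 4/7  enabled  shutdown              0        5       50 disabled     954

Port  Num-Addr Secure-Src-Addr   Age-Left Last-Src-Addr     Shutdown/Time-Left
----- -------- ----------------- -------- ----------------- ------------------
"""


def parse_port_security(text):
    """Return one dict per port from the first table, keyed by column name."""
    lines = iter(text.splitlines())
    names = next(lines).split()      # column names contain no spaces
    next(lines)                      # skip the dashed rule under the header
    rows = []
    for line in lines:
        if not line.strip():         # blank line separates the two tables
            break
        values = line.split()
        if len(values) != len(names):
            raise ValueError("unexpected row: %r" % line)
        rows.append(dict(zip(names, values)))
    return rows


def audit(rows, min_shutdown=10, max_shutdown=1440):
    """Return (port, finding) pairs; the range defaults follow this page."""
    findings = []
    for r in rows:
        port = r["Port"]
        if r["Security"] != "enabled":
            findings.append((port, "port security is disabled"))
            continue                 # remaining columns are not enforced
        t = int(r["Shutdown-Time"])
        if t == 0:
            findings.append((port, "shutdown time 0: no shutdown timeout"))
        elif not min_shutdown <= t <= max_shutdown:
            findings.append((port, "shutdown time %d outside %d-%d" % (t, min_shutdown, max_shutdown)))
        if r["Trap"] != "enabled":   # assumption: trap = SNMP trap on violation
            findings.append((port, "violation traps disabled: no SNMP notification"))
    return findings
```

Feed it the captured output of show port security (without the module/port argument) to review every port on the switch in one pass.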