Configuring Port Security
Command and Purpose

Step 6
Command: switchport port-security violation {protect | restrict | shutdown}
Purpose: (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:
• shutdown—The interface shuts down immediately, and an SNMP trap notification is sent. When shut down, the interface must be manually re-enabled by using the no shutdown interface configuration command. This is the default mode.
• restrict—A trap notification is sent to the network management station.
• protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value.

Step 7
Command: switchport port-security mac-address mac_address
Purpose: (Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.

Step 8
Command: end
Purpose: Return to privileged EXEC mode.

Step 9
Command: show port-security interface interface-id
         show port-security address
Purpose: Verify your entries.

Step 10
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.

To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command.

To return the interface to the default number of secure MAC addresses (128), use the no switchport port-security maximum number of addresses.

To delete a MAC address from the address table, use the no switchport port-security mac-address mac_address command.

To return the violation mode to the default condition (shutdown mode), use the no switchport port-security violation {protect | restrict} command.

This example shows how to enable port security on Fast Ethernet port 12 and to set the maximum number of secure addresses to 5. The violation mode is the default, and no secure MAC addresses are configured.

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet0/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# end
Switch# show port-security interface fastethernet0/12
Security Enabled:Yes, Port Status:SecureUp
Violation Mode:Shutdown
Max. Addrs:5, Current Addrs:0, Configure Addrs:0

Catalyst 3550 Multilayer Switch Software Configuration Guide
Chapter 12
Configuring Port-Based Traffic Control
78-11194-03
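
The verification step (show port-security interface) can be checked by script when many ports are reviewed. The following is an added example, not part of the Cisco guide: it parses output in the format shown in the example above and reports settings worth a second look. The function names are hypothetical, the second sample is constructed, and the capitalization "Protect" in that sample is an assumption.

```python
import re

DEFAULT_MAX = 128  # default secure-address limit stated on the page

# Output copied from the page's example for fastethernet0/12.
PAGE_SAMPLE = """Security Enabled:Yes, Port Status:SecureUp
Violation Mode:Shutdown
Max. Addrs:5, Current Addrs:0, Configure Addrs:0"""

# Constructed sample (not from the page): default limit, protect mode.
CONSTRUCTED_SAMPLE = """Security Enabled:Yes, Port Status:SecureUp
Violation Mode:Protect
Max. Addrs:128, Current Addrs:128, Configure Addrs:2"""

def parse_port_security(output):
    """Split comma- or newline-separated 'Key:Value' pairs into a dict."""
    fields = {}
    for item in re.split(r"[,\n]", output):
        key, sep, value = item.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def audit_port(output):
    """Return review findings for one interface's port-security output."""
    f = parse_port_security(output)
    if f.get("Security Enabled") != "Yes":
        return ["port security is not enabled"]
    findings = []
    if f.get("Port Status") != "SecureUp":
        findings.append("port status is %r, not SecureUp" % f.get("Port Status"))
    if f.get("Violation Mode", "").lower() == "protect":
        # The page lists a trap for shutdown and restrict, none for protect.
        findings.append("protect mode: no trap is listed for this mode")
    maximum = int(f.get("Max. Addrs", DEFAULT_MAX))
    current = int(f.get("Current Addrs", 0))
    configured = int(f.get("Configure Addrs", 0))
    if maximum >= DEFAULT_MAX:
        findings.append("maximum is still the default of %d" % DEFAULT_MAX)
    if configured < maximum:
        findings.append("%d of %d addresses are left to dynamic learning"
                        % (maximum - configured, maximum))
    if current >= maximum:
        findings.append("address table is full (%d/%d)" % (current, maximum))
    return findings

if __name__ == "__main__":
    for name, text in (("page", PAGE_SAMPLE), ("constructed", CONSTRUCTED_SAMPLE)):
        print(name, audit_port(text))
```
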