Cisco Systems DOC-7814982 Stereo System User Manual


 
Catalyst 2950 Desktop Switch Software Configuration Guide
78-14982-01
Chapter 18 Configuring Port-Based Traffic Control
Configuring Port Security
This is an example of text from the running configuration when sticky learning is enabled on an
interface:
<output truncated>
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 6
 switchport port-security aging time 5
 switchport port-security aging static
 switchport port-security mac-address sticky
 switchport port-security mac-address 0000.0000.000b
 switchport port-security mac-address sticky 0000.0000.4141
 switchport port-security mac-address sticky 0000.0000.5050
 no ip address
<output truncated>
If port security is disabled, the sticky secure MAC addresses remain in the running configuration.
To disable sticky learning, enter the no switchport port-security mac-address sticky interface
configuration command. If sticky learning is disabled or the running configuration is removed, the sticky
secure MAC addresses remain part of the running configuration but are removed from the address table.
The addresses that were removed can be dynamically reconfigured and added to the address table as
dynamic addresses.
Note: If sticky learning is disabled, when the switch restarts or the interface shuts down, all the addresses that
were dynamically learned are removed.
Security Violations
It is a security violation when one of these situations occurs:
- The maximum number of secure MAC addresses has been added to the address table, and a station
  whose MAC address is not in the address table attempts to access the interface.
- An address learned or configured on one secure interface is seen on another secure interface in the
  same VLAN.
You can configure the interface for one of three violation modes, based on the action to be taken if a
violation occurs:
- protect: when the number of secure MAC addresses reaches the maximum limit allowed on the
  port, packets with unknown source addresses are dropped until you remove a sufficient number of
  secure MAC addresses to drop below the maximum value.
- restrict: a port security violation restricts data and causes the SecurityViolation counter to
  increment. It also sends an SNMP trap when an address-security violation occurs.
- shutdown: the interface is error-disabled when a security violation occurs. When a secure port is
  in the error-disabled state, you can bring it out of this state by entering the errdisable recovery
  cause psecure-violation global configuration command, or you can manually re-enable it by
  entering the shutdown and no shutdown interface configuration commands. This is the default
  mode.
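
The following audit script is an added example, not part of the Cisco guide. It parses running-config text, separates static from sticky secure addresses, applies the default shutdown violation mode, and reports addresses secured on more than one secure interface in the same VLAN, which is the configuration that produces the second violation condition above. Assumptions not stated on this page: the switchport access vlan and switchport port-security violation command forms, and the defaults of VLAN 1 and a maximum of one secure address; the FastEthernet0/3 stanza is constructed.

```python
import re
from collections import defaultdict
# Constructed input: Fa0/2 follows the page's excerpt, Fa0/3 is invented.
SAMPLE = """\
interface FastEthernet0/2
 switchport port-security
 switchport port-security maximum 6
 switchport port-security mac-address sticky
 switchport port-security mac-address 0000.0000.000b
 switchport port-security mac-address sticky 0000.0000.4141
 switchport port-security mac-address sticky 0000.0000.5050
interface FastEthernet0/3
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0000.0000.4141
"""
PS = r"switchport port-security"
MAC = r"([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})"

def parse(config):
    """Parse interface stanzas; assumed defaults: VLAN 1, maximum 1, shutdown mode."""
    ports, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            cur = ports.setdefault(line.split(None, 1)[1], dict(
                enabled=False, vlan=1, maximum=1, mode="shutdown",
                sticky_learning=False, static=[], sticky=[]))
        elif cur is None or line == "!":
            cur = None  # outside any interface stanza
        elif line == PS:
            cur["enabled"] = True
        elif line == PS + " mac-address sticky":
            cur["sticky_learning"] = True
        elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
            cur["vlan"] = int(m[1])
        elif m := re.fullmatch(PS + r" maximum (\d+)", line):
            cur["maximum"] = int(m[1])
        elif m := re.fullmatch(PS + r" violation (protect|restrict|shutdown)", line):
            cur["mode"] = m[1]
        elif m := re.fullmatch(PS + " mac-address (sticky )?" + MAC, line):
            cur["sticky" if m[1] else "static"].append(m[2])
    return ports

def duplicate_secure_macs(ports):
    """Secure addresses configured on more than one secure port of a VLAN."""
    seen = defaultdict(list)
    for name, p in ports.items():
        for mac in (p["static"] + p["sticky"]) if p["enabled"] else []:
            seen[(p["vlan"], mac)].append(name)
    return {k: v for k, v in seen.items() if len(v) > 1}
```

Feed it the text of show running-config saved to a file; an empty result from duplicate_secure_macs means no secure address is pinned to two ports of one VLAN.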