Cisco Catalyst 4500 Series Configuration Manual page 1159

IOS software configuration guide, Cisco IOS XE 3.9.0E and IOS 15.2(5)Ex

Chapter 2
When a secure port is in the error-disabled state, you can remove it from this state by entering the
errdisable recovery cause psecure-violation global configuration command, or you can manually
re-enable it by entering the shutdown and no shutdown interface configuration commands. If a port is
disabled, you can also use the clear errdisable command to re-enable the offending VLAN on the
port.
To enable secure address aging for a particular port, set the aging time to a value other than 0 for that
port.
To allow limited time access to particular secure addresses, set the aging type as absolute. When the
aging time lapses, the secure addresses are deleted.
To allow continuous access to a limited number of secure addresses, set the aging type as inactivity. This
action removes the secure address when it becomes inactive, and other addresses can become secure.
To allow unlimited access to a secure address, configure it as a secure address, and disable aging for the
statically configured secure address by using the no switchport port-security aging static interface
configuration command.
If the sticky command is executed without a MAC address specified, all MAC addresses that are learned
on that port will be made sticky. You can also specify a specific MAC address to be a sticky address by
entering the sticky keyword next to it.
You can configure the sticky feature even when port security is not enabled on the interface. The feature
becomes operational when you enable port security on the interface.
You can use the no form of the sticky command only if the sticky feature is already enabled on the
interface.
Examples
The following example shows how to set the aging time to 2 hours (120 minutes) for the secure addresses
on the Fast Ethernet port 12:
Switch(config)# interface fastethernet 0/12
Switch(config-if)# switchport port-security aging time 120
Switch(config-if)#
The following example shows how to set the aging timer type to Inactivity for the secure addresses on
the Fast Ethernet port 12:
Switch(config)# interface fastethernet 0/12
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)#
The following example shows how to configure a rate limit of 100 for invalid source packets on Fast Ethernet
port 12:
Switch(config)# interface fastethernet 0/12
Switch(config-if)# switchport port-security limit rate invalid-source-mac 100
Switch(config-if)#
The following example shows how to set the rate limit for invalid source packets on Fast Ethernet
port 12 to none:
Switch(config)# interface fastethernet 0/12
Switch(config-if)# switchport port-security limit rate invalid-source-mac none
Switch(config-if)#
A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.
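Three of the guidelines above can be checked on a candidate configuration before it is applied: aging is enabled only by a nonzero aging time, sticky is operational only once port security is enabled, and a secure port cannot belong to an EtherChannel group. The following Python script is an added example, not part of the Cisco manual; the sample configuration and the finding names are constructed for illustration, and it assumes that a missing aging time line means aging time 0.

```python
import re

# Constructed sample configuration (not from the manual).
SAMPLE_CONFIG = """\
interface FastEthernet0/12
 switchport port-security
 switchport port-security aging time 120
 switchport port-security aging type inactivity
interface FastEthernet0/13
 switchport port-security mac-address sticky
interface FastEthernet0/14
 switchport port-security
 switchport port-security aging type absolute
 channel-group 1 mode on
"""

PS = "switchport port-security"

def audit_port_security(config):
    """Return {interface: [finding names]} for ports that break a guideline."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # left the interface block
    report = {}
    for name, lines in blocks.items():
        enabled = PS in lines  # the bare command enables port security
        sticky = any(l.startswith(PS + " mac-address sticky") for l in lines)
        has_type = any(l.startswith(PS + " aging type ") for l in lines)
        times = [re.fullmatch(PS + r" aging time (\d+)", l) for l in lines]
        # Assumption: a missing "aging time" line means aging time 0.
        aging_time = max([int(m.group(1)) for m in times if m], default=0)
        findings = []
        if sticky and not enabled:
            findings.append("sticky-not-operational")  # needs port security on
        if enabled and any(l.startswith("channel-group ") for l in lines):
            findings.append("secure-port-in-etherchannel")
        if enabled and has_type and aging_time == 0:
            findings.append("aging-type-set-but-aging-off")  # time 0: no aging
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for port, names in audit_port_security(SAMPLE_CONFIG).items():
        print(port, ", ".join(names))
```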
Catalyst 4500 Series Switch Cisco IOS Command Reference—Release XE 3.9.xE and 15.2(5)Ex
switchport port-security
2-1109
