Port Security Configuration Guidelines And Restrictions - Cisco Catalyst 4500 series Administration Manual

Chapter 49
Configuring Port Security

Port Security Configuration Guidelines and Restrictions

When using (or configuring) port security, consider these guidelines and restrictions:

• After port security is configured on a port along with a "denying" PACL, the CPU will neither see any of the PACL packets denied from the given port nor learn the source MAC addresses from the denied packets. Therefore, the port security feature will not be aware of such packets.
• A secure port cannot be a destination port for the Switch Port Analyzer (SPAN).
• A secure port and a static MAC address configuration for an interface are mutually exclusive.
• When you enter a maximum secure address value for an interface, and the new value is greater than the previous value, the new value overwrites the previously configured value. If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value, the command is rejected.
• While configuring trunk port security on a trunk port, you do not need to account for the protocol packets (such as CDP and BPDU) because they are not learned and secured.
• You cannot enable port security aging on sticky secure MAC addresses.
• To restrict MAC spoofing using port security, you must enable 802.1X authentication.
• You cannot configure port security on dynamic ports. You must change the mode to access before you enable port security.
• Port Security over EtherChannels is not supported.
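
A pre-deployment check for several of the restrictions above, as an added example (not from the Cisco guide): it flags secure ports that are dynamic, EtherChannel members, SPAN destinations, or targets of a static MAC entry, and ports that list more secure addresses than their configured maximum. The function names and the sample configuration are constructed for illustration; the "monitor session", "mac address-table static", "channel-group" and "switchport mode dynamic" command forms it matches are standard IOS syntax that does not appear on this page, and a port with no explicit mode line is not flagged.

```python
import re

# Constructed candidate config (sample data, not taken from the Cisco guide).
SAMPLE = """\
monitor session 1 destination interface Gi2/2
mac address-table static 0000.1111.2222 vlan 10 interface Gi2/2
interface GigabitEthernet2/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.aaaa.0001
 switchport port-security mac-address 0000.aaaa.0002
interface GigabitEthernet2/2
 switchport mode access
 switchport port-security
interface GigabitEthernet2/3
 switchport mode dynamic auto
 switchport port-security
 channel-group 1 mode active
"""

def short(name):
    """Normalize 'GigabitEthernet2/1' and 'Gi2/1' to 'gi2/1'."""
    m = re.match(r"([A-Za-z]+)([\d/.]+)$", name.strip())
    return (m.group(1)[:2] + m.group(2)).lower() if m else name.strip().lower()

def lint(config):
    """Return sorted (interface, problem) pairs; assumes one interface per global line."""
    span = {short(i) for i in re.findall(
        r"(?m)^monitor session \d+ destination interface (\S+)", config)}
    static = {short(i) for i in re.findall(
        r"(?m)^mac[ -]address-table static \S+ vlan \d+ interface (\S+)", config)}
    out = []
    for name, body in re.findall(r"(?m)^interface (\S+)\n((?:[ \t].*\n?)*)", config):
        name, lines = short(name), [l.strip() for l in body.splitlines()]
        caps = [int(l.split()[-1]) for l in lines
                if re.fullmatch(r"switchport port-security maximum \d+", l)]
        macs = sum(1 for l in lines if re.match(
            r"switchport port-security mac-address (sticky )?[0-9a-fA-F]{4}\.", l))
        checks = [
            (any(l.startswith("switchport mode dynamic") for l in lines), "dynamic port"),
            (any(l.startswith("channel-group ") for l in lines), "EtherChannel member"),
            (name in span, "SPAN destination"),
            (name in static, "static MAC address"),
            (bool(caps) and macs > caps[-1], "more secure addresses than maximum"),
        ]
        if "switchport port-security" in lines:  # only secure ports are checked
            out += [(name, why) for hit, why in checks if hit]
    return sorted(out)
```

Calling lint(SAMPLE) reports one finding for gi2/1 and two each for gi2/2 and gi2/3; a port that satisfies the guidelines produces no entries.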
Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E (OL_28731-01)
