Cisco ME 3400 Command Reference Manual page 711

Chapter 2 Cisco ME 3400 Ethernet Access Switch Cisco IOS Commands
A secure port has the following limitations:
A secure port can be an access port or a trunk port; it cannot be a dynamic access port.
•
A secure port cannot be a routed port.
•
A secure port cannot be a protected port.
•
A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
•
A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.
•
When you enter a maximum secure address value for an interface, if the new value is greater than
•
the previous value, the new value overrides the previously configured value. If the new value is less
than the previous value and the number of configured secure addresses on the interface exceeds the
new value, the command is rejected.
• The switch does not support port security aging of sticky secure MAC addresses.
A security violation occurs when the maximum number of secure MAC addresses are in the address table
and a station whose MAC address is not in the address table attempts to access the interface or when a
station whose MAC address is configured as a secure MAC address on another secure port attempts to
access the interface.
When a secure port is in the error-disabled state, you can bring it out of this state by entering the
errdisable recovery cause psecure-violation global configuration command, or you can manually
re-enable it by entering the shutdown and no shut down interface configuration commands.
Setting a maximum number of addresses to one and configuring the MAC address of an attached device
ensures that the device has the full bandwidth of the port.
When you enter a maximum secure address value for an interface, this occurs:
If the new value is greater than the previous value, the new value overrides the previously configured
•
value.
If the new value is less than the previous value and the number of configured secure addresses on
•
the interface exceeds the new value, the command is rejected.
Sticky secure MAC addresses have these characteristics:
When you enable sticky learning on an interface by using the switchport port-security
•
mac-address sticky interface configuration command, the interface converts all the dynamic secure
MAC addresses, including those that were dynamically learned before sticky learning was enabled,
to sticky secure MAC addresses and adds all sticky secure MAC addresses to the running
configuration.
If you disable sticky learning by using the no switchport port-security mac-address sticky
•
interface configuration command or the running configuration is removed, the sticky secure MAC
addresses remain part of the running configuration but are removed from the address table. The
addresses that were removed can be dynamically reconfigured and added to the address table as
dynamic addresses.
• When you configure sticky secure MAC addresses by using the switchport port-security
mac-address sticky mac-address interface configuration command, these addresses are added to the
address table and the running configuration. If port security is disabled, the sticky secure MAC
addresses remain in the running configuration.
If you save the sticky secure MAC addresses in the configuration file, when the switch restarts or
•
the interface shuts down, the interface does not need to relearn these addresses. If you do not save
the sticky secure addresses, they are lost. If sticky learning is disabled, the sticky secure MAC
addresses are converted to dynamic secure addresses and are removed from the running
configuration.
OL-9640-10
Cisco ME 3400 Ethernet Access Switch Command Reference
switchport port-security
2-683