About Port Security - Cisco Catalyst 4500 Series Software Configuration Manual

Chapter 55 Configuring Port Security
Command
no switchport port-security violation
switchport trunk encapsulation dot1q Sets the encapsulation mode to

About Port Security

Port security enables you to restrict the number of MAC addresses (termed secure MAC addresses) on a
port, allowing you to prevent access by unauthorized MAC addresses. It also allows you to configure a
maximum number of secure MAC addresses on a given port (and optionally for a VLAN for trunk ports).
When a secure port exceeds the maximum, a security violation is triggered, and a violation action is
performed based on the violation action mode configured on the port.
If you configure the maximum number of secure MAC addresses as 1 on the port, the device attached to
the secure port is assured sole access to the port.
If a secure MAC address is secured on a port, that MAC address is not allowed to enter on any other port
off that VLAN. If it does, the packet is dropped unnoticed in the hardware. Other than using the interface
or port counters, you do not receive a log message reflecting this fact. Be aware that this condition does
not trigger a violation. Dropping these packets in the hardware is more efficient and can be done without
putting additional load on the CPU.
Port security has the following characteristics:
•
•
•
This overview contains the following topics:
•
•
•
•
•
Secure MAC Addresses
Port security supports the following types of secure MAC addresses:
•
•
Purpose
Sets the violation mode.
dot1q.
It allows you to age out secure MAC addresses. Two types of aging are supported: inactivity and
absolute.
It supports a sticky feature whereby the secure MAC addresses on a port are retained through switch
reboots and link flaps.
It can be configured on various types of ports such as access, voice, trunk, EtherChannel, and private
VLAN ports.
Secure MAC Addresses, page 55-3
Maximum Number of Secure MAC Addresses, page 55-4
Aging Secure MAC Addresses, page 55-5
Sticky Addresses on a Port, page 55-5
Violation Actions, page 55-6
Dynamic or Learned—Dynamic secure MAC addresses are learned when packets are received from
the host on the secure port. You might want to use this type if the user's MAC address is not fixed
(laptop).
Static or configured—Static secure MAC addresses are configured by the user through CLI or
SNMP. You might want to use this type if your MAC address remains fixed (PC).
Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
About Port Security
Navigation
Configuring Port Security on Access
Ports, page 55-7
Example 1: Configuring a Maximum
Limit of Secure MAC Addresses for
All VLANs, page 55-19
55-3