Table of Contents
Advertisement
Statically locked MAC addresses are not eligible for aging. If a packet arrives
on a port with a source MAC address that is statically locked on another port,
then the packet is discarded.
To configure static locking only, set the dynamic MAC limit to 0 and
configure the static MAC addresses on the interface. To configure dynamic
locking only, set the static MAC limit to 0, and set the appropriate dynamic
MAC address limit.
MAC addresses seen on an interface other than the learned or configured
MAC addresses and in excess of the limit are considered violations of port
security. Trap issuance violation actions can be configured using the snmp-
server enable traps port-security command. The default action is to log a
message and send an SNMP trap. Port security can optionally error disable an
interface on which a violation occurs using the switchport port-security
violation shutdown command.
Enabling mode configuration converts all the existing dynamically learned
MAC addresses on an interface to sticky. It also converts the last violation
MAC address to sticky, even if the dynamic limit is set to 0. These MAC
addresses will not age out and will appear in the running-config. In addition,
new addresses learned on the interface will also become sticky. Note that
sticky is not the same as static – the difference is that all sticky addresses for
an interface are removed from the running-config when the interface is taken
out of sticky mode. Static addresses must be removed from the running-
config individually.
Sticky MAC addresses appear in the running-config in the following form:
switchport port-security mac-address sticky 0011.2233.4455 vlan 33
Statically locked MAC addresses appear in the running-config in the
following form:
switchport port-security mac-address 0011.2233.4455 vlan 33
In order for sticky or static MAC addresses to survive a reboot, the
configuration must be saved.
Port security must be enabled globally and on the interface in order to be
active.
Port security should only be enabled on access mode ports and not on trunk
mode ports. This recommendation is not enforced by the switch.
298
Layer 2 Switching Commands
Advertisement
Table of Contents
