Cisco Catalyst 2000 Configuration Handbook page 195

Catalyst series lan switching

174 Cisco LAN Switching Configuration Handbook
After you enable port security, you need to determine how many different devices
access the ports and how many addresses need to be secured. The value option
specifies the number of addresses to be secured. The default value is one address.
Each hardware platform has a limited number of addresses that can be secured, so if
you expect to secure more than 250 total addresses on the switch, check the specific
documentation for that hardware.
Note: When configuring the maximum number of secure MAC addresses on a port, note
the following information:
  • With Release 12.2(18)SXE and later releases, the range for number_of_addresses
    is 1 to 4097.
  • With releases earlier than Release 12.2(18)SXE, the range for
    number_of_addresses is 1 to 1024.
  • With Release 12.2(18)SXE and later releases, port security supports trunks.
    - On a trunk, you can configure the maximum number of secure MAC addresses
      both on the trunk and for all the VLANs on the trunk.
    - You can configure the maximum number of secure MAC addresses on a single
      VLAN or a range of VLANs.
    - For a range of VLANs, enter a dash-separated pair of VLAN numbers.
    - You can enter a comma-separated list of VLAN numbers and dash-separated
      pairs of VLAN numbers.
3. Manually enter MAC addresses to be secured:
(interface) switchport port-security mac-address mac_address
By default, the switches "learn" the MAC addresses of the devices that are plugged
into that port. If you want to control which devices can access the switch, use these
commands to specify which MAC addresses are secured on a port.
4. Specify the action to be taken by the port:
(interface) switchport port-security violation {protect | restrict | shutdown}
When a violation occurs, the switch generally protects the port by dropping the
traffic that comes from unauthorized MAC addresses. The switch does not allow those
frames through the device; frames that come from a device that is configured as
secure, however, are still allowed through. This is the default configuration for
each of the devices and is specified by the protect option. Another option that you
can configure is for the interface to move to a shutdown state. If you configure
this option, the port remains in the administratively down state until an
administrator reenables the port with a no shutdown command. A third option is to
generate an SNMP trap when a violation occurs: the restrict option for IOS and the
trap option for the 3500XL IOS perform this function.
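
An added example (not from the handbook): a Python check over a saved configuration that flags ports where port-security options were entered but the feature was never enabled, and ports whose effective violation action is protect, which drops frames without the SNMP trap that restrict sends. The sample configuration, the function names and the default_violation parameter are assumptions; the bare `switchport port-security` enable line is standard IOS syntax that this page does not show, and the caller supplies the platform's default action.

```python
# Constructed running-config excerpt for illustration (not from the handbook).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport port-security
 switchport port-security mac-address 0000.1111.2222
 switchport port-security violation restrict
!
interface FastEthernet0/2
 switchport port-security
!
interface FastEthernet0/3
 switchport port-security mac-address 0000.aaaa.bbbb
 switchport port-security violation shutdown
!
"""


def parse_port_security(config):
    """Collect the port-security lines of every interface stanza."""
    ports, cur = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not raw[:1].isspace():  # an unindented line starts or ends a stanza
            cur = None
            if len(words) == 2 and words[0] == "interface":
                cur = ports[words[1]] = {"enabled": False, "opts": [], "violation": None}
            continue
        if cur is None or words[:2] != ["switchport", "port-security"]:
            continue
        args = words[2:]
        if not args:
            cur["enabled"] = True  # the bare command turns the feature on
        else:
            cur["opts"].append(args[0])  # maximum, mac-address, violation, ...
            if args[0] == "violation" and len(args) > 1:
                cur["violation"] = args[1]
    return ports


def audit(config, default_violation):
    """Return (interface, finding) pairs worth a reviewer's attention."""
    findings = []
    for name, p in parse_port_security(config).items():
        if not p["enabled"] and p["opts"]:
            findings.append((name, "options set but port security not enabled"))
        elif p["enabled"] and (p["violation"] or default_violation) == "protect":
            findings.append((name, "protect drops frames without an SNMP trap"))
    return findings
```

Pass as default_violation the action your platform's documentation gives as the default; this page gives protect.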
