Cisco Catalyst 3550 Multilayer Switch Command Reference Manual, page 495

Chapter 2 Cisco IOS Commands
You can set the maximum number of MAC addresses that can be learned on a VLAN by using the
switchport port-security maximum value vlan vlan-list interface configuration command (the per-VLAN
form applies to trunk ports). Any VLAN seen on the port that is not listed in this command defaults to
the value set by using the switchport port-security maximum value vlan interface configuration
command, that is, the same command entered without a VLAN list.
After you have set the maximum number of secure MAC addresses allowed on a port or VLAN, you can
add secure addresses to the address table by manually configuring them, by allowing the port to
dynamically configure them, or by configuring some MAC addresses and allowing the rest to be
dynamically configured.
You can enable sticky learning on an interface by using the switchport port-security mac-address
sticky interface configuration command. When you enter this command, the interface converts all the
dynamic secure MAC addresses, including those that were dynamically learned before sticky learning
was enabled, to sticky secure MAC addresses. It adds all the sticky secure MAC addresses to the running
configuration.
If you disable sticky learning, the sticky secure MAC addresses are converted to dynamic secure
addresses and are removed from the running configuration.
If you save the configuration so that the sticky secure MAC addresses are in the configuration file, the
interface does not need to relearn these addresses after the switch restarts or the interface is shut down
and brought back up. If you do not save the configuration, the sticky addresses are lost when the switch
restarts.
For secure trunk ports, you can set the VLAN on which a MAC address can exist by entering the
switchport port-security mac-address mac-address vlan vlan-id interface configuration command. If
no VLAN is specified, the default is the trunk port native VLAN.
It is a security violation when one of these situations occurs:
• The maximum number of secure MAC addresses has been added to the address table, and a station
  whose MAC address is not in the address table attempts to access the interface.
• An address learned or configured on one secure interface is seen on another secure interface in the
  same VLAN.
When a secure port is in the error-disabled state, you can let the switch bring it out of this state after the
recovery interval by entering the errdisable recovery cause psecure-violation global configuration
command, or you can manually re-enable it by entering the shutdown and no shutdown interface
configuration commands. Re-enabling the port does not clear the cause: if the offending station is still
connected and sending, the violation recurs.
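The learning and violation rules above, as an added example in Python that is not part of the Cisco manual: it models a port-wide maximum with per-VLAN limits on a trunk, static, dynamic and sticky secure addresses, which entries appear in the running configuration, the two violation conditions, and err-disable recovery. The class names, the two ports and their MAC addresses are constructed for illustration, and the violation mode is assumed to be shutdown (the port goes err-disabled), which the page itself does not state.

```python
"""Model of the Catalyst 3550 port-security rules described above. Added example
for this page, not Cisco code: port-wide and per-VLAN maximums, static, dynamic and
sticky secure addresses, what reaches the running configuration, and the two
violation conditions. Assumes violation mode "shutdown" (port goes err-disabled)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                    # port-wide maximum secure addresses
    trunk: bool = False
    native_vlan: int = 1                # default VLAN for static entries on a trunk
    access_vlan: int = 1
    vlan_default: Optional[int] = None  # "maximum value vlan" with no VLAN list
    vlan_maximum: dict = field(default_factory=dict)  # "maximum value vlan vlan-list"
    sticky: bool = False
    errdisabled: bool = False
    table: dict = field(default_factory=dict)  # (mac, vlan) -> static|dynamic|sticky

    def limit_for(self, vlan):
        # listed VLAN limit, else the per-VLAN default, else the port-wide maximum
        fallback = self.maximum if self.vlan_default is None else self.vlan_default
        return self.vlan_maximum.get(vlan, fallback)

    def has_room(self, vlan):
        in_vlan = sum(1 for (_, v) in self.table if v == vlan)
        return len(self.table) < self.maximum and in_vlan < self.limit_for(vlan)

    def running_config(self):
        lines = []  # static and sticky entries are saved; dynamic entries never are
        for (mac, vlan), kind in sorted(self.table.items()):
            if kind != "dynamic":
                entry = f"sticky {mac}" if kind == "sticky" else mac
                suffix = f" vlan {vlan}" if self.trunk else ""
                lines.append(f"switchport port-security mac-address {entry}{suffix}")
        return lines


class SecureSwitch:
    def __init__(self, *ports):
        # owner maps (mac, vlan) to the port holding it; violations is (port, mac, vlan, reason)
        self.ports, self.owner, self.violations = {p.name: p for p in ports}, {}, []

    def add_static(self, port_name, mac, vlan=None):
        """mac-address <mac> [vlan <id>]: on a trunk the VLAN defaults to the native VLAN."""
        port = self.ports[port_name]
        if vlan is None:
            vlan = port.native_vlan if port.trunk else port.access_vlan
        if not port.has_room(vlan):
            raise ValueError(f"{port_name}: maximum reached for VLAN {vlan}")
        port.table[(mac, vlan)] = "static"
        self.owner[(mac, vlan)] = port_name

    def set_sticky(self, port_name, enabled):
        """Enabling sticky converts dynamic entries to sticky; disabling converts them back."""
        port = self.ports[port_name]
        port.sticky = enabled
        src, dst = ("dynamic", "sticky") if enabled else ("sticky", "dynamic")
        for key, kind in port.table.items():
            if kind == src:
                port.table[key] = dst

    def frame_seen(self, port_name, mac, vlan):
        """Source MAC seen on a secure port: 'dropped', 'known', 'learned' or 'violation'."""
        port, key = self.ports[port_name], (mac, vlan)
        if port.errdisabled:
            return "dropped"
        if key in port.table:
            return "known"
        holder = self.owner.get(key)
        if holder is not None and holder != port_name:   # condition 2: owned by another port
            return self._violate(port, mac, vlan, f"secure address belongs to {holder}")
        if not port.has_room(vlan):                        # condition 1: full, unknown station
            return self._violate(port, mac, vlan, "maximum reached, unknown station")
        port.table[key] = "sticky" if port.sticky else "dynamic"
        self.owner[key] = port_name
        return "learned"

    def _violate(self, port, mac, vlan, reason):
        self.violations.append((port.name, mac, vlan, reason))
        port.errdisabled = True   # assumed violation mode: shutdown (err-disabled)
        return "violation"


def demo():
    sw = SecureSwitch(SecurePort("Fa0/1", maximum=2, access_vlan=10),
                      SecurePort("Gi0/1", maximum=4, trunk=True, vlan_default=1, vlan_maximum={20: 2}))
    r = {"a": [sw.frame_seen("Fa0/1", f"0000.1111.000{i}", 10) for i in (1, 2, 3)]}
    sw.ports["Fa0/1"].errdisabled = False                    # shutdown / no shutdown
    sw.set_sticky("Fa0/1", True)
    r["sticky_cfg"] = sw.ports["Fa0/1"].running_config()
    sw.set_sticky("Fa0/1", False)
    r["dynamic_cfg"] = sw.ports["Fa0/1"].running_config()
    sw.add_static("Gi0/1", "0000.2222.0001")                 # no VLAN given: native VLAN 1
    r["trunk_cfg"] = sw.ports["Gi0/1"].running_config()
    r["t"] = [sw.frame_seen("Gi0/1", f"0000.3333.000{i}", 20) for i in (1, 2, 3)]
    sw.ports["Gi0/1"].errdisabled = False                    # errdisable recovery
    r["dup"] = sw.frame_seen("Gi0/1", "0000.1111.0001", 10)  # Fa0/1's address on another port
    r["violations"] = sw.violations
    return r
```

Running demo() shows the third station on Fa0/1 and the third station in VLAN 20 of the trunk both triggering the first violation condition, Fa0/1's address appearing on Gi0/1 triggering the second, and the running configuration gaining the sticky entries when sticky learning is enabled and losing them again when it is disabled.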
A secure port has these limitations:
• Port security can only be configured on static access ports, trunk ports, or 802.1Q tunnel ports.
• A secure port cannot be a dynamic access port.
• A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
• A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.
• You cannot configure static secure or sticky secure MAC addresses on a voice VLAN.
• When you enable port security on an interface that is also configured with a voice VLAN, you must
  set the maximum allowed secure addresses on the port to at least two.
• If any type of port security is enabled on the access VLAN, dynamic port security is automatically
  enabled on the voice VLAN.
• When a voice VLAN is configured on a secure port that is also configured as a sticky secure port,
  all addresses seen on the voice VLAN are learned as dynamic secure addresses while all addresses
  seen on the access VLAN (to which the port belongs) are learned as sticky secure addresses.
• The switch does not support port security aging of sticky secure MAC addresses.
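The limitations above, as an added Python audit that is not part of the Cisco manual: it parses a constructed running-config and flags secure ports that break the listed rules (a non-static switchport mode, EtherChannel membership, SPAN destination, a voice VLAN with a maximum below two, and a static or sticky address placed on the voice VLAN). The sample configuration, the helper names and the default maximum of one secure address (which this page does not state) are assumptions.

```python
"""Audit a Catalyst 3550 running-config for the port-security limitations listed
above. Added example for this page, not Cisco code. The configuration below is
constructed; the default maximum of one secure address is assumed, since the page
does not state it."""
import re

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 100
 switchport port-security
 switchport port-security mac-address 0000.1111.2222 vlan 100
!
interface FastEthernet0/3
 switchport mode dynamic desirable
 switchport port-security
!
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 channel-group 1 mode on
!
interface FastEthernet0/5
 switchport mode access
 switchport port-security
!
monitor session 1 source interface FastEthernet0/1
monitor session 1 destination interface FastEthernet0/5
"""

STATIC_MODES = ("access", "trunk", "dot1q-tunnel")   # the only modes a secure port may use
DEFAULT_MAXIMUM = 1                                  # assumption: 3550 default when not set


def parse_config(text):
    """Return ({interface: [config lines]}, {SPAN destination interfaces})."""
    interfaces, span_dest, current = {}, set(), None
    for line in text.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            m = re.match(r"monitor session \d+ destination interface (\S+)", line)
            if m:
                span_dest.add(m.group(1))
    return interfaces, span_dest


def first(lines, prefix, index, default=None):
    """Word at position `index` of the first line starting with `prefix`."""
    return next((l.split()[index] for l in lines if l.startswith(prefix)), default)


def audit(text):
    """Return (interface, problem) pairs for every secure port that breaks a rule."""
    interfaces, span_dest = parse_config(text)
    findings = []
    for name, lines in interfaces.items():
        if "switchport port-security" not in lines:
            continue  # not a secure port
        mode = first(lines, "switchport mode ", 2)
        voice = first(lines, "switchport voice vlan ", 3)
        maximum = int(first(lines, "switchport port-security maximum ", 3, DEFAULT_MAXIMUM))
        if mode not in STATIC_MODES:
            findings.append((name, f"mode {mode or 'unset'}: secure ports must be "
                                   "static access, trunk or 802.1Q tunnel"))
        if any(l.startswith("channel-group ") for l in lines):
            findings.append((name, "secure port cannot be an EtherChannel member"))
        if name in span_dest:
            findings.append((name, "secure port cannot be a SPAN destination"))
        if voice is not None:
            if maximum < 2:
                findings.append((name, f"voice VLAN configured but maximum is {maximum}; "
                                       "at least 2 required"))
            for l in lines:
                m = re.match(r"switchport port-security mac-address (?:sticky )?\S+ vlan (\d+)$", l)
                if m and m.group(1) == voice:
                    findings.append((name, f"static or sticky secure address on voice VLAN {voice}"))
    return findings


if __name__ == "__main__":
    for iface, problem in audit(SAMPLE_CONFIG):
        print(f"{iface}: {problem}")
```

On the sample configuration FastEthernet0/1 passes, FastEthernet0/2 is flagged twice (voice VLAN with the default maximum of one, and a static address on the voice VLAN), and the remaining three ports are each flagged once for dynamic mode, EtherChannel membership and SPAN destination respectively. The check reads a saved configuration only; it cannot see whether the CLI already rejected one of these lines when it was entered.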
78-11195-09
Catalyst 3550 Multilayer Switch Command Reference
switchport port-security
2-469
