Cisco Catalyst 2950 Command Reference Manual page 322

Desktop switch

switchport port-security
A security violation occurs when the maximum number of secure MAC addresses has been added to
the address table and a station whose MAC address is not in the address table attempts to access the
interface, or when a station whose MAC address is configured as a secure MAC address on another
secure port attempts to access the interface.
If you enable port security on a voice VLAN port and if there is a PC connected to the IP phone, you
should set the maximum allowed secure addresses on the port to more than 1.
You cannot configure static secure MAC addresses in the voice VLAN.
If you specify restrict or shutdown, use the snmp-server host global configuration command to
configure the Simple Network Management Protocol (SNMP) trap host to receive traps.
You can enable port security on an interface only if the port is not configured as one of these:
• Trunk ports—If you try to enable port security on a trunk port, an error message appears, and port
security is not enabled. If you try to change the mode of a secure port to trunk, the port mode is not
changed.
• Dynamic port—A port in dynamic mode can negotiate with its neighbor to become a trunk port. If
you try to enable port security on a dynamic port, an error message appears, and port security is not
enabled. If you try to change the mode of a secure port to dynamic, the port mode is not changed.
• Dynamic-access port—If you try to enable port security on a dynamic-access (VLAN Query
Protocol [VQP]) port, an error message appears, and port security is not enabled. If you try to change
a secure port to dynamic VLAN assignment, an error message appears, and the VLAN configuration
is not changed.
• EtherChannel port—Before enabling port security on the port, you must first remove it from the
EtherChannel. If you try to enable port security on an EtherChannel or on an active port in an
EtherChannel, an error message appears, and port security is not enabled. If you enable port security
on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.
• 802.1X port—You cannot configure an 802.1X port as a secure port. If you try to enable port
security on an 802.1X port, an error message appears, and port security is not enabled. If you try to
change a secure port to an 802.1X port, an error message appears, and the 802.1X settings are not
changed.
• Switched Port Analyzer (SPAN) destination port—You can enable port security on a port that is a
SPAN destination port; however, port security is disabled until the port is removed as a SPAN
destination. You can enable port security on a SPAN source port.
When a secure port is in the error-disabled state, you can bring it out of this state by entering the
errdisable recovery cause psecure-violation global configuration command, or you can manually
re-enable it by entering the shutdown and no shutdown interface configuration commands.
Examples
This example shows how to enable port security:
Switch(config-if)# switchport port-security
This example shows how to set the action that the port takes when an address violation occurs:
Switch(config-if)# switchport port-security violation shutdown
This example shows how to set the maximum number of addresses that a port can learn to 20.
Switch(config-if)# switchport port-security maximum 20
Catalyst 2950 Desktop Switch Command Reference
2-298
Chapter 2 Cisco IOS Commands
78-11381-05
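The usage guidelines above can be checked against a planned configuration before it is pushed, so that a port-security line the switch would reject does not leave a port unsecured unnoticed. The following Python lint is an added example, not part of the Cisco manual; the function name audit, the sample configuration, and the choice to treat a missing maximum line as "not above 1" are assumptions made for illustration.

```python
import re

# Constructed sample of a planned configuration (not taken from the manual).
SAMPLE = """\
interface FastEthernet0/1
 switchport voice vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
interface FastEthernet0/2
 switchport mode trunk
 switchport port-security
interface FastEthernet0/3
 switchport port-security
 switchport port-security violation shutdown
"""

# Port types the guidelines list as incompatible with port security.
INCOMPATIBLE = [
    (r"switchport mode trunk", "trunk port"),
    (r"switchport mode dynamic", "dynamic port"),
    (r"switchport access vlan dynamic", "dynamic-access (VQP) port"),
    (r"channel-group \d+", "EtherChannel member"),
    (r"dot1x port-control auto", "802.1X port"),
]

def audit(config):
    """Return (interface, finding) pairs for a planned configuration."""
    findings = []
    # A trap host is only useful if it exists somewhere in global config.
    has_trap_host = re.search(r"^snmp-server host \S+", config, re.M) is not None
    # Each interface block is the header plus its indented command lines.
    for m in re.finditer(r"^interface (\S+)\n((?:[ \t].*\n?)*)", config, re.M):
        name, cmds = m[1], [c.strip() for c in m[2].splitlines()]
        if "switchport port-security" not in cmds:
            continue
        for pattern, label in INCOMPATIBLE:
            if any(re.match(pattern, c) for c in cmds):
                findings.append((name, f"port security on {label}"))
        # Assumption: with no explicit maximum line, the limit is not above 1.
        limit = [int(c.split()[-1]) for c in cmds
                 if re.fullmatch(r"switchport port-security maximum \d+", c)]
        if any(c.startswith("switchport voice vlan") for c in cmds) and max(limit, default=1) <= 1:
            findings.append((name, "voice VLAN port without maximum above 1"))
        # Only explicit violation lines are checked; no default mode is assumed.
        if not has_trap_host and any(re.match(r"switchport port-security violation (restrict|shutdown)", c) for c in cmds):
            findings.append((name, "violation mode set but no snmp-server host"))
    return findings
```

Calling audit(SAMPLE) reports the trunk port, the voice VLAN port limited to one address, and the two ports whose violation mode is set while no trap host is configured.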
