Catalyst 3550 Multilayer Switch Software Configuration Guide
78-11194-03
Chapter 12 Configuring Port-Based Traffic Control
Configuring Port Security
To return the interface to the default condition as not a secure port, use the no switchport port-security
interface configuration command.
To return the interface to the default number of secure MAC addresses (128), use the no switchport
port-security maximum number of addresses.
To delete a MAC address from the address table, use the no switchport port-security mac-address
mac_address command.
To return the violation mode to the default condition (shutdown mode), use the no switchport
port-security violation {protect | restrict} command.
This example shows how to enable port security on Fast Ethernet port 12 and to set the maximum number
of secure addresses to 5. The violation mode is the default, and no secure MAC addresses are configured.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet0/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# end
Switch# show port-security interface fastethernet0/12
Security Enabled:Yes, Port Status:SecureUp
Violation Mode:Shutdown
Max. Addrs:5, Current Addrs:0, Configure Addrs:0
Command and Purpose, by step:

Step 6
Command: switchport port-security violation {protect | restrict | shutdown}
Purpose: (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:
• shutdown—The interface shuts down immediately, and an SNMP trap notification is sent. When shut down, the interface must be manually re-enabled by using the no shutdown interface configuration command. This is the default mode.
• restrict—A trap notification is sent to the network management station.
• protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value.

Step 7
Command: switchport port-security mac-address mac_address
Purpose: (Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.

Step 8
Command: end
Purpose: Return to privileged EXEC mode.

Step 9
Command: show port-security interface interface-id
         show port-security address
Purpose: Verify your entries.

Step 10
Command: copy running-config startup-config
Purpose: (Optional) Save your entries in the configuration file.
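The settings from Steps 6 and 7 can be checked offline against a saved configuration. The following is an added example, not part of the Cisco guide: a small Python audit that applies the defaults stated above (128 addresses, shutdown mode) to each interface block. The function names and the sample configuration are constructed for illustration, and the script assumes that a setting missing from the configuration text is at its default.

```python
import re

DEFAULTS = {"enabled": False, "maximum": 128, "violation": "shutdown"}  # per this section

# Constructed sample running-config (not from a real switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/11
 switchport mode access
!
interface FastEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
!
interface FastEthernet0/13
 switchport mode access
 switchport port-security
 switchport port-security violation protect
 switchport port-security mac-address 0000.5e00.5301
!
"""

def audit_port_security(config):
    """Return {interface: effective port-security settings} for each interface block."""
    report, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = report.setdefault(m.group(1), dict(DEFAULTS, static_macs=[]))
        elif not raw.startswith(" "):
            current = None  # "!" or a global command ends the interface block
        elif current is not None and line.startswith("switchport port-security"):
            args = line.split()[2:]
            if not args:
                current["enabled"] = True
            elif len(args) == 2 and args[0] in ("maximum", "violation"):
                current[args[0]] = int(args[1]) if args[0] == "maximum" else args[1]
            elif len(args) == 2 and args[0] == "mac-address":
                current["static_macs"].append(args[1])
    return report

def findings(report):
    """Yield (interface, note) for ports without port security or in protect mode."""
    for name, s in report.items():
        if not s["enabled"]:
            yield name, "port security not enabled"
        elif s["violation"] == "protect":
            yield name, "protect mode: drops only, no trap listed"
```

Calling `list(findings(audit_port_security(SAMPLE_CONFIG)))` flags FastEthernet0/11 (no port security) and FastEthernet0/13 (protect mode), while FastEthernet0/12 passes with the default shutdown mode and a maximum of 5.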