Catalyst 4500 Series Switch, Cisco IOS Software Configuration Guide - Cisco IOS XE 3.9.xE and IOS 15.2(5)Ex
Chapter 55 Configuring Port Security
Port Security Configuration Guidelines and Restrictions
When using (or configuring) port security, consider these guidelines and restrictions:
• After port security is configured on a port along with a "denying" PACL, the CPU will neither see any of the PACL packets denied from the given port nor learn the source MAC addresses from the denied packets. Therefore, the port security feature will not be aware of such packets.
• A secure port cannot be a destination port for the Switch Port Analyzer (SPAN).
• A secure port and a static MAC address configuration for an interface are mutually exclusive.
• When you enter a maximum secure address value for an interface, and the new value is greater than the previous value, the new value overwrites the previously configured value. If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value, the command is rejected.
• While configuring trunk port security on a trunk port, you do not need to account for the protocol packets (such as CDP and BPDU) because they are not learned and secured.
• You cannot enable port security aging on sticky secure MAC addresses.
• To restrict MAC spoofing using port security, you must enable 802.1X authentication.
• You cannot configure port security on dynamic ports. You must change the mode to access before you enable port security.
• Port Security over EtherChannels is not supported.
• Wired guest access does not work on Supervisor Engine 8-E, in multiple-host mode or in multi-authentication mode.
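Several of these restrictions can be checked offline against a candidate configuration before it is pushed to a switch. The following Python script is an added example, not part of the Cisco guide: the `audit` function, the sample interfaces and the finding labels are constructed for illustration, and a port with no explicit access or trunk mode is assumed to be dynamic.

```python
import re

# Constructed candidate config (not from the guide). Assumption: no explicit access/trunk mode = dynamic port.
CANDIDATE = """\
interface GigabitEthernet1/1
 switchport mode access
 switchport port-security
interface GigabitEthernet1/2
 switchport mode dynamic auto
 switchport port-security
interface GigabitEthernet1/3
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security aging time 10
interface GigabitEthernet1/4
 switchport mode access
 channel-group 1 mode active
 switchport port-security
monitor session 1 destination interface GigabitEthernet1/4
"""

def audit(config):
    """Return sorted (interface, finding) pairs where port security conflicts with a guideline."""
    stanzas, current, span_dests = {}, None, set()
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # a non-indented line ends the interface stanza
            m = re.match(r"monitor session \d+ destination interface (\S+)", line)
            if m:
                span_dests.add(m.group(1))
    findings = []
    for name, lines in stanzas.items():
        if "switchport port-security" not in lines:
            continue  # only secure ports are subject to these restrictions
        sticky = "switchport port-security mac-address sticky" in lines
        aging = any(l.startswith("switchport port-security aging") for l in lines)
        checks = [
            ("dynamic port", not {"switchport mode access", "switchport mode trunk"} & set(lines)),
            ("EtherChannel member", any(l.startswith("channel-group ") for l in lines)),
            ("SPAN destination", name in span_dests),
            ("aging with sticky addresses", sticky and aging),
        ]
        findings += [(name, label) for label, hit in checks if hit]
    return sorted(findings)
```

Calling `audit(CANDIDATE)` reports the dynamic port, the sticky-plus-aging port and the EtherChannel/SPAN port, and leaves the compliant access port unflagged.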