26-11
Cisco IE 3000 Switch Software Configuration Guide
OL-13018-03
Chapter 26 Configuring Port-Based Traffic Control
Configuring Port Security
Default Port Security Configuration
Table 26-2
shows the default port security configuration for an interface.
Port Security Configuration Guidelines
Follow these guidelines when configuring port security:
•
Port security can only be configured on static access ports or trunk ports. A secure port cannot be a
dynamic access port.
•
A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
•
A secure port cannot belong to a Fast EtherChannel or a Gigabit EtherChannel port group.
Note
Voice VLAN is only supported on access ports and not on trunk ports, even though the
configuration is allowed.
•
When you enable port security on an interface that is also configured with a voice VLAN, set the
maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP
phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice
VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone,
no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone,
you must configure enough secure addresses to allow one for each PC and one for the phone.
•
When a trunk port configured with port security and assigned to an access VLAN for data traffic
and to a voice VLAN for voice traffic, entering the
switchport voice
and
switchport priority
extend
interface configuration commands has no effect.
When a connected device uses the same MAC address to request an IP address for the access VLAN
and then an IP address for the voice VLAN, only the access VLAN is assigned an IP address.
•
When you enter a maximum secure address value for an interface, and the new value is greater than
the previous value, the new value overwrites the previously configured value. If the new value is
less than the previous value and the number of configured secure addresses on the interface exceeds
the new value, the command is rejected.
•
The switch does not support port security aging of sticky secure MAC addresses.
Table 26-2
Default Port Security Configuration
Feature
Default Setting
Port security
Disabled on a port.
Sticky address learning
Disabled.
Maximum number of secure
MAC addresses per port
1
Violation mode
Shutdown. The port shuts down when the maximum number of
secure MAC addresses is exceeded.
Port security aging
Disabled. Aging time is 0.
Static aging is disabled.
Type is absolute.