DGS-6604
switchport port-security
CLI Reference Guide
If a port-security command is issued without specifying any arguments, then the
port security feature will be enabled with the default settings for the maximum
and mode parameters.
When the port-security state is changed from disabled to enabled or vice versa,
the auto-learned MAC entries are cleared.
If no arguments are specified when issuing the no port-security command, then
the port security feature will be disabled.
If the no port-security command, without any options, is applied in global
configuration mode, then it will set the port-security to disabled for all ports.
When the mode setting is changed, both the learned and the configured address
entries on the port are cleared.
When the maximum setting is changed, the learned addresses remain unchanged
if the maximum number increases; the learned addresses are cleared if the
number is decreased.
A port-security enabled port has the following restrictions:
• The port security function cannot be enabled simultaneously with dot1x,
which provides more advanced security capability.
• A port which is in private-vlan mode cannot enable port-security.
• If a port is specified as the destination port for the mirroring feature, then
the port-security function cannot be enabled.
• If a port is the member port of a channel group, then it cannot be enabled
with the port-security function.
The system periodically checks, at 1-minute intervals, whether the secured
count has changed.
When a security violation is detected, one of the following actions occurs:
• Protect - When the number of port-secure addresses reaches the maximum
limit that is allowed on the port, packets with unknown source addresses are
dropped until a sufficient number of secure MAC addresses have been manually
removed.
• Shutdown - The interface is error disabled when a security violation
occurs.
The security-violation count is cumulative and is based on the number of
different MAC addresses which violate the secured port.
Note - When a secure port is in the error-disabled state, it can be manually
re-enabled by entering the no shutdown command in interface-configuration mode.
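The behaviour described above, modelled as an added Python example (not D-Link code and not part of the guide). It assumes a violation is a frame from an unknown source MAC arriving while the port already holds the maximum number of secure addresses; the class, method and `violation` parameter names are hypothetical.

```python
class SecurePort:
    """Added model of the port-security rules on this page (hypothetical names)."""

    def __init__(self, maximum, violation="protect"):
        self.maximum = maximum        # limit on secure MAC addresses
        self.violation = violation    # "protect" or "shutdown"
        self.enabled = False
        self.err_disabled = False
        self.learned = set()          # auto-learned secure MACs
        self.violators = set()        # distinct MACs that violated the port

    def set_enabled(self, state):
        # Any disabled<->enabled transition clears the auto-learned entries.
        if state != self.enabled:
            self.learned.clear()
        self.enabled = state

    def set_maximum(self, maximum):
        # Raising the limit keeps learned addresses; lowering it clears them.
        if maximum < self.maximum:
            self.learned.clear()
        self.maximum = maximum

    def no_shutdown(self):
        # Manual recovery from the error-disabled state. Assumption: learned
        # entries survive error-disable (the page does not say either way).
        self.err_disabled = False

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for a frame with this source MAC."""
        if self.err_disabled:
            return "drop"
        if not self.enabled or src_mac in self.learned:
            return "forward"
        if len(self.learned) < self.maximum:
            self.learned.add(src_mac)
            return "forward"
        # Assumed violation condition: unknown source while the table is full.
        self.violators.add(src_mac)
        if self.violation == "shutdown":
            self.err_disabled = True
        return "drop"

    @property
    def violation_count(self):
        # Counted per distinct violating MAC, not per dropped frame.
        return len(self.violators)
```

In protect mode a known host keeps forwarding while unknown sources are dropped; in shutdown mode a single violating frame takes every host on the port offline until `no shutdown` is entered, which is the operational trade-off to weigh when choosing the action.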