Cisco Systems 2940 Switch User Manual


 
Catalyst 2940 Switch Software Configuration Guide
78-15507-02
Chapter 17 Configuring Port-Based Traffic Control
Configuring Port Security
Default Port Security Configuration
Table 17-2 shows the default port security configuration for an interface.
Port Security Configuration Guidelines
Follow these guidelines when configuring port security:
Port security can only be configured on static access ports.
A secure port cannot be a dynamic access port or a trunk port.
A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.
You cannot configure static secure or sticky secure MAC addresses on a voice VLAN.
When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two.
The switch does not support port security aging of sticky secure MAC addresses.
The protect and restrict options cannot be simultaneously enabled on an interface.
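A small offline check of the guidelines above against an interface configuration, as an added example (not from the Cisco guide). It assumes the standard IOS commands `switchport voice vlan` and `channel-group`, which this page does not show, runs over a constructed sample configuration, and covers only the access-mode, EtherChannel, maximum-range and voice-VLAN guidelines.

```python
import re

MAX_RANGE = (1, 132)  # range the guide gives for "switchport port-security maximum"
DEFAULT_MAX = 1       # default maximum number of secure MAC addresses (Table 17-2)

def parse_interfaces(config):
    """Split IOS-style config text into {interface name: [sub-commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface\s+(\S+)\s*$", raw)
        if m:
            current = blocks.setdefault(m.group(1), [])
        elif not raw.startswith(" "):
            current = None  # "!" or any other top-level line closes the block
        elif current is not None and raw.strip():
            current.append(raw.strip())
    return blocks

def audit(config):
    """Return {interface: [findings]} for ports that enable port security."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport port-security" not in cmds:
            continue  # port security is disabled by default; nothing to check
        findings = []
        if "switchport mode access" not in cmds:
            findings.append("not a static access port")
        if any(c.startswith("channel-group ") for c in cmds):
            findings.append("member of an EtherChannel port group")
        found = re.findall(r"^switchport port-security maximum (\d+)$", "\n".join(cmds), re.M)
        maximum = int(found[-1]) if found else DEFAULT_MAX
        if not MAX_RANGE[0] <= maximum <= MAX_RANGE[1]:
            findings.append(f"maximum {maximum} outside 1-132")
        if maximum < 2 and any(c.startswith("switchport voice vlan ") for c in cmds):
            findings.append("voice VLAN port needs maximum >= 2")
        report[name] = findings
    return report

# Constructed sample configuration (assumption: not taken from a real switch).
SAMPLE = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport voice vlan 20
!
interface FastEthernet0/2
 switchport mode trunk
 switchport port-security
 channel-group 1 mode on
"""
```

Calling `audit(SAMPLE)` flags FastEthernet0/1 for the voice VLAN maximum and FastEthernet0/2 for not being a static access port and for EtherChannel membership.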
Enabling and Configuring Port Security
Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and
identifying MAC addresses of the stations allowed to access the port:
Table 17-2 Default Port Security Configuration

| Feature | Default Setting |
| --- | --- |
| Port security | Disabled. |
| Maximum number of secure MAC addresses | One. |
| Violation mode | Shutdown. |
| Sticky address learning | Disabled. |
| Port security aging | Disabled. Aging time is 0. When enabled, the default type is absolute. |

| Step | Command | Purpose |
| --- | --- | --- |
| Step 1 | configure terminal | Enter global configuration mode. |
| Step 2 | interface interface-id | Specify the type and number of the physical interface to configure, for example gigabitethernet0/1, and enter interface configuration mode. |
| Step 3 | switchport mode access | Set the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port. |
| Step 4 | switchport port-security | Enable port security on the interface. |
| Step 5 | switchport port-security maximum value | (Optional) Set the maximum number of secure MAC addresses for the interface. The range is 1 to 132; the default is 1. |