Filter
Top Products
28-11
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 28 Configuring Port-Based Traffic Control
Configuring Port Security
Default Port Security Configuration
Port Security Configuration Guidelines
• Port security can only be configured on static access ports or trunk ports. A secure port cannot be a
dynamic access port.
• A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
• A secure port cannot belong to a Gigabit EtherChannel port group.
Note Voice VLAN is only supported on access ports and not on trunk ports, even though the
configuration is allowed.
• A secure port cannot be a private-VLAN port.
• When you enable port security on an interface that is also configured with a voice VLAN, set the
maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP
phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice
Ta ble 28-1 Security Violation Mode Actions
Violation Mode
Traffic is
forwarded
1
1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
Sends SNMP
trap
Sends syslog
message
Displays error
message
2
2. The switch returns an error message if you manually configure an address that would cause a security violation.
Violation
counter
increments Shuts down port
protect No No No No No No
restrict No Yes Yes No Yes No
shutdown No Yes Yes No Yes Yes
shutdown vlan No Yes Yes No Yes No
3
3. Shuts down only the VLAN on which the violation occurred.
Ta ble 28-2 Default Port Security Configuration
Feature Default Setting
Port security Disabled on a port.
Sticky address learning Disabled.
Maximum number of secure
MA
C addresses per port
1.
Violation mode Shutdown. The port shuts down when the maximum number of
se
cure MAC addresses is exceeded.
Port security aging Disabled. Aging time is 0.
Static aging is disabled.
Type is absolute.