Cisco Systems 4500 Switch User Manual
43-4
Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 43 Configuring Port Security
About Port Security
Secure MAC Addresses
Port security supports the following types of secure MAC addresses:
• Dynamic or learned—Dynamic secure MAC addresses are learned when packets are received from the host on the secure port. Use this type if the host's MAC address is not fixed (for example, a laptop).
• Static or configured—Static secure MAC addresses are configured by the user through the CLI or SNMP. Use this type if the MAC address remains fixed (for example, a PC).
• Sticky—Sticky secure MAC addresses are learned in the same way as dynamic secure MAC addresses but, like static secure MAC addresses, persist through link flaps and, once saved to the configuration file, through switch reboots. Use this type if a large number of fixed MAC addresses exist and you do not want to configure them manually (for example, 100 PCs, each secured on its own port).
If a port has reached its maximum number of secure MAC addresses and you try to configure a static secure MAC address, the configuration is rejected and an error message is displayed. If a port has reached its maximum number of secure MAC addresses and a new dynamic secure MAC address is learned, the configured violation action is triggered.
You can clear dynamic secure MAC addresses with the clear port-security dynamic command. You can clear sticky and static secure MAC addresses one at a time with the no form of the switchport port-security mac-address interface configuration command.
Maximum Number of Secure MAC Addresses
A secure port allows one secure MAC address by default. You can change this maximum to any value between 1 and 3,000. The per-port upper limit of 3,000 reflects the system capacity: one secure MAC address is guaranteed for every port, and a further 3,000 addresses are available to be shared across all ports in the system.
After you have set the maximum number of secure MAC addresses on a port, you can populate the secure address table in any of the following ways:
• Configure the secure MAC addresses with the switchport port-security mac-address mac_address interface configuration command.
• Configure all secure MAC addresses on a range of VLANs with the port-security mac-address VLAN range configuration command (trunk ports only).
• Allow the port to dynamically learn secure MAC addresses from the connected devices.
• Configure some of the addresses statically and allow the rest to be learned dynamically, up to the configured maximum.
Note If a port’s link goes down, all dynamically secured addresses on that port are no longer secure.
You can configure MAC addresses to be sticky. Sticky addresses can be learned dynamically or configured manually; in either case they are stored in the address table and added to the running configuration. After these addresses are saved in the configuration file, the interface does not need to relearn them when the switch restarts. Although you can manually configure sticky secure addresses, doing so is not recommended.
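The following IOS CLI session is an added example and is not part of the Cisco guide. It ties together the "Secure MAC Addresses" and "Maximum Number of Secure MAC Addresses" sections on a single access port: the maximum is raised from the default of one, one static secure address is configured, the remaining addresses are learned as sticky, the sticky entries are saved so they survive a reboot, and the clearing commands from the text are shown. The interface name GigabitEthernet1/1, the MAC addresses and the choice of the restrict violation mode are assumptions made for illustration; the violation keyword is a standard port-security setting that this page does not describe.

```cisco
! Added example, not from the Cisco guide. Interface name, MAC addresses and
! the violation mode below are assumed for illustration.
configure terminal
 interface GigabitEthernet1/1
  ! Port security is applied to access ports.
  switchport mode access
  ! Enable port security; the default maximum is one secure MAC address.
  switchport port-security
  ! Allow three secure addresses on this port (configurable range: 1 to 3000).
  switchport port-security maximum 3
  ! One static (configured) secure address for a fixed-MAC host such as a PC.
  ! A fourth static address on a full port is rejected with an error.
  switchport port-security mac-address 0011.2233.4455
  ! Learn the remaining two addresses as sticky so they survive link flaps
  ! and, once saved, reboots, without typing each MAC by hand.
  switchport port-security mac-address sticky
  ! Assumed policy: drop frames from a fourth source MAC and log the event
  ! instead of err-disabling the port (keyword not covered on this page).
  switchport port-security violation restrict
 end
! Save the running configuration so the sticky addresses are present in the
! startup configuration and need not be relearned after a restart.
copy running-config startup-config

! Verification: maximum and current counts, configured and sticky counts,
! last source MAC seen and the violation counter.
show port-security interface GigabitEthernet1/1
show port-security address

! Clearing secure addresses, as described in the text:
! dynamic entries on this port (static and sticky entries are not affected)
clear port-security dynamic interface GigabitEthernet1/1
! sticky and static entries are removed one at a time with the no form
configure terminal
 interface GigabitEthernet1/1
  no switchport port-security mac-address sticky 0011.aabb.ccdd
  no switchport port-security mac-address 0011.2233.4455
 end
```

The static address counts toward the maximum of three, so only two further source MACs are learned as sticky; a third new source MAC exceeds the maximum and triggers the violation action. If the link goes down before the sticky addresses are saved, the dynamically learned entries are lost and are relearned when the link returns, whereas sticky entries already written to the startup configuration are restored as configured addresses.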