Cisco Systems 4500 Switch User Manual


43-17
Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 43 Configuring Port Security
Configuring Port Security on Trunk Ports
Example of Port Security on a Private VLAN Promiscuous Port
The following example shows how to configure port security on a private VLAN promiscuous port, Fast Ethernet interface 3/12:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# vlan 6
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# exit
Switch(config)# vlan 3
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association add 6
Switch(config-vlan)# exit
Switch(config)# interface fastethernet 3/12
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 3 6
Switch(config-if)# switchport port-security
Switch(config-if)# end
Configuring Port Security on Trunk Ports
You might want to configure port security on trunk ports in metro aggregation to limit the number of MAC addresses per VLAN. Trunk port security extends port security to trunk ports. It restricts the allowed MAC addresses, or the maximum number of MAC addresses, to individual VLANs on a trunk port. Trunk port security enables service providers to block access from a station whose MAC address differs from the ones specified for that VLAN on that trunk port. Trunk port security is also supported on private VLAN trunk ports.
Note Port security can be enabled on a Layer 2 port channel interface configured in mode. The port security configuration on an EtherChannel is kept independent of the configuration of any physical member ports.
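An added example (not from the Cisco guide) of the per-VLAN limits this section describes: a dot1q trunk carrying VLANs 10 and 20, with a port-wide ceiling plus a separate ceiling for each VLAN so that hosts in one VLAN cannot consume the allowance of the other, and a restrict action so violations are dropped and logged without err-disabling the trunk. The interface, VLAN IDs, limits and MAC address are assumed.

```cisco
! Added example configuration, not from the Cisco guide; interface, VLANs and MAC address are assumed.
interface GigabitEthernet1/1
 ! Encapsulation is only needed on supervisors that also support ISL
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport port-security
 ! Port-wide ceiling: at most 30 secure MAC addresses across the whole trunk
 switchport port-security maximum 30
 ! Per-VLAN ceilings: VLAN 10 may learn 20 addresses, VLAN 20 only 10,
 ! so a flood of addresses in VLAN 10 cannot starve VLAN 20
 switchport port-security maximum 20 vlan 10
 switchport port-security maximum 10 vlan 20
 ! Pin one known station to VLAN 10 (constructed sample address)
 switchport port-security mac-address 0000.1111.aaaa vlan 10
 ! Drop frames from unknown addresses and raise a syslog/SNMP notification
 ! instead of shutting down the trunk (the default violation action)
 switchport port-security violation restrict
 ! Age out idle dynamic entries after 5 minutes so limits are not held by stale hosts
 switchport port-security aging time 5
 switchport port-security aging type inactivity
```

Verify the counters and the last violating address with `show port-security interface gigabitethernet 1/1` and the learned entries per VLAN with `show port-security address`.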
These sections describe how to configure trunk port security:
Configuring Trunk Port Security, page 43-17
Examples of Trunk Port Security, page 43-19
Trunk Port Security Configuration Guidelines and Restrictions, page 43-21
Configuring Trunk Port Security
Trunk port security is used when a Catalyst 4500 series switch has a dot1q or ISL trunk attached to a neighboring Layer 2 switch. This may be used, for example, in metro aggregation networks (Figure 43-2).