Filter
Top Products
22-17
Cisco ME 3400 Ethernet Access Switch Software Configuration Guide
OL-9639-06
Chapter 22 Configuring Port-Based Traffic Control
Configuring Port Security
This example shows how to set the aging time as 2 hours for the secure addresses on a port:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport port-security aging time 120
This example shows how to set the aging time as 2 minutes for the inactivity aging type with aging
enabled for the configured secure addresses on the interface:
Switch(config-if)# switchport port-security aging time 2
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# switchport port-security aging static
You can verify the previous commands by entering the show port-security interface interface-id
privileged EXEC command.
Port Security and Private VLANs
Port security allows an administrator to limit the number of MAC addresses learned on a port or to define
which MAC addresses can be learned on a port.
Beginning in privileged EXEC mode, follow these steps to configure port security on a PVLAN host and
promiscuous ports:
Switch(config)# interface GigabitEthernet 0/8
Switch(config-if)# switchport private-vlan mapping 2061 2201-2206,3101
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport port-security maximum 288
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security violation restrict
Note Ports that have both port security and private VLANs configured can be labeled secure PVLAN ports.
When a secure address is learned on a secure PVLAN port, the same secure address cannot be learned
on another secure PVLAN port belonging to the same primary VLAN. However, an address learned on
unsecure PVLAN port can be learned on a secure PVLAN port belonging to same primary VLAN.
Secure addresses that are learned on host port get automatically replicated on associated primary
VLANs, and similarly, secure addresses learned on promiscuous ports automatically get replicated on
all associated secondary VLANs. Static addresses (using mac-address-table static command) cannot be
user configured on a secure port.
Command Purpose
Step 1
configure terminal Enter global configuration mode.
Step 2
interface interface-id Specify the interface to be configured, and enter interface
configuration mode.
Step 3
switchport mode private-vlan {host | promiscuous} Enable a private vlan on the interface.
Step 4
switchport port-security
Enable port security on the interface.
Step 5
end Return to privileged EXEC mode.
Step 6
show port-security [interface interface-id]
[address]
Verify your entries.
Step 7
copy running-config startup-config (Optional) Save your entries in the configuration file.