Cisco Systems 2950 Telephone User Manual


 
Catalyst 2950 Desktop Switch Software Configuration Guide
78-11380-05
Chapter 17 Configuring Port-Based Traffic Control
Configuring Port Security
If port security is disabled, the sticky secure MAC addresses remain in the running configuration.
To disable sticky learning, enter the no switchport port-security mac-address sticky interface
configuration command. If sticky learning is disabled or the running configuration is removed, the sticky
secure MAC addresses remain part of the running configuration but are removed from the address table.
The addresses that were removed can be dynamically reconfigured and added to the address table as
dynamic addresses.
Note: If sticky learning is disabled, when the switch restarts or the interface shuts down, all the addresses that were dynamically learned are removed.
Security Violations
It is a security violation when one of these situations occurs:
- The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
- An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
You can configure the interface for one of three violation modes, based on the action to be taken if a
violation occurs:
- protect: when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
- restrict: a port security violation restricts data and causes the SecurityViolation counter to increment. It also sends an SNMP trap when an address-security violation occurs.
- shutdown: the interface is error-disabled when a security violation occurs. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.
Default Port Security Configuration
Table 17-1 shows the default port security configuration for an interface.
Table 17-1 Default Port Security Configuration
| Feature | Default Setting |
|---|---|
| Port security | Disabled on a port |
| Maximum number of secure MAC addresses | 1 |
| Violation mode | Shutdown. The interface is error-disabled when a security violation occurs. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. |
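
Added example (not part of the Cisco guide): a Python script that reads a running configuration, applies the Table 17-1 defaults to report each interface's effective port-security settings, and lists the ports that would need a manual shutdown and no shutdown after a violation. The sample configuration is constructed and the function names are hypothetical; it assumes the running configuration omits settings left at their defaults and uses the standard IOS switchport port-security maximum and violation command forms, which this page does not show.

```python
import re

# Defaults from Table 17-1 of the page.
DEFAULTS = {"enabled": False, "maximum": 1, "violation": "shutdown", "sticky": False}

# Constructed sample running-config, not taken from a real switch.
SAMPLE_CONFIG = """\
errdisable recovery cause psecure-violation
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
interface FastEthernet0/2
 switchport port-security
!
interface FastEthernet0/3
"""

def effective_port_security(config):
    """Return ({interface: settings}, auto_recovery) with defaults applied."""
    ports, current, auto_recovery = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], dict(DEFAULTS))
        elif not raw.startswith(" "):
            current = None  # a global line or "!" ends the interface stanza
            if line == "errdisable recovery cause psecure-violation":
                auto_recovery = True
        elif current is not None:
            if line == "switchport port-security":
                current["enabled"] = True
            elif line == "switchport port-security mac-address sticky":
                current["sticky"] = True
            elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
                current["maximum"] = int(m.group(1))
            elif m := re.fullmatch(
                    r"switchport port-security violation (protect|restrict|shutdown)", line):
                current["violation"] = m.group(1)
    return ports, auto_recovery

def manual_recovery_ports(ports, auto_recovery):
    """Secure ports in shutdown mode that stay error-disabled until re-enabled by hand."""
    return [n for n, p in ports.items()
            if p["enabled"] and p["violation"] == "shutdown" and not auto_recovery]
```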