Cisco Catalyst 2950 Command Reference Manual page 530

switchport port-security
You can delete a sticky secure MAC addresses from the address table by using the clear port-security
sticky mac-addr privileged EXEC command. To delete all the sticky addresses on an interface, use the
clear port-security sticky interface-id privileged EXEC command.
If you disable sticky learning, the sticky secure MAC addresses are converted to dynamic secure
addresses and are removed from the running configuration.
If you save the sticky secure MAC addresses in the configuration file, when the switch restarts or the
interface shuts down, the interface does not need to relearn these addresses. If you do not save the
configuration, they are lost.
If you specify restrict or shutdown, use the snmp-server host global configuration command to
configure the Simple Network Management Protocol (SNMP) trap host to receive traps.
It is a security violation when one of these situations occurs:
•
•
When a secure port is in the error-disabled state, you can bring it out of this state by entering the
errdisable recovery cause psecure-violation global configuration command, or you can manually
re-enable it by entering the shutdown and no shut down interface configuration commands.
A secure port has these limitations:
•
•
•
•
•
•
•
•
•
•
Examples
This example shows how to enable port security:
Switch(config-if)# switchport port-security
This example shows how to set the action that the port takes when an address violation occurs:
Switch(config-if)# switchport port-security violation shutdown
Catalyst 2950 and Catalyst 2955 Switch Command Reference
2-502
The maximum number of secure MAC addresses have been added to the address table, and a station
whose MAC address is not in the address table attempts to access the interface.
An address learned or configured on one secure interface is seen on another secure interface in the
same VLAN.
Port security can only be configured on static access ports.
A secure port cannot be a dynamic port, a dynamic access port or a trunk port.
A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.
You cannot configure static secure or sticky secure MAC addresses on a voice VLAN.
When you enable port security on an interface that is also configured with a voice VLAN, set the
maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP
phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice
VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone,
no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone,
you must configure enough secure addresses to allow one for each PC and one for the phone
If any type of port security is enabled on the access VLAN, dynamic port security is automatically
enabled on the voice VLAN.
You cannot configure port security on a per-VLAN basis.
When a voice VLAN is configured on a secure port that is also configured as a sticky secure port,
all addresses detected on the voice VLAN are learned as dynamic secure addresses while all
addresses detected on the access VLAN (to which the port belongs) are learned as sticky secure
addresses.
The switch does not support port security aging of sticky secure MAC addresses.
Chapter 2 Catalyst 2950 and 2955 Cisco IOS Commands
0L-10102-01