Cisco 4500M Software Manual page 452


Overview of Port Security
If the port shuts down, all dynamically learned addresses are removed.
Note
You can configure MAC addresses to be sticky. These can be dynamically learned or manually
configured, stored in the address table, and added to the running configuration. If these addresses
are saved in the configuration file, the interface does not need to dynamically relearn them when the
switch restarts. Although sticky secure addresses can be manually configured, it is not
recommended.
You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses
and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter
the switchport port-security mac-address sticky command. When you enter this command, the
interface converts all the dynamic secure MAC addresses, including those that were dynamically learned
before sticky learning was enabled, to sticky secure MAC addresses.
The sticky secure MAC addresses do not automatically become part of the configuration file, which is
the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses
in the configuration file, when the switch restarts, the interface does not need to relearn these addresses.
If you do not save the configuration, they are lost.
If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure
addresses and are removed from the running configuration.
After the maximum number of secure MAC addresses is configured, they are stored in an address table.
To ensure that an attached device has the full bandwidth of the port, configure the MAC address of the
attached device and set the maximum number of addresses to one, which is the default.
Note
When a Catalyst 4500 series switch port is configured to support voice as well as port security, the
maximum number of allowable MAC addresses on this port should be changed to three.
A security violation occurs if the maximum number of secure MAC addresses has been added to the
address table and a workstation whose MAC address is not in the address table attempts to access the
interface.
You can configure the interface for one of these violation modes, based on the action to be taken if a
violation occurs:
Restrict—A port security violation restricts data, causes the SecurityViolation counter to increment,
and causes an SNMP Notification to be generated. The rate at which SNMP traps are generated can be
controlled by the snmp-server enable traps port-security trap-rate command. The default value ("0")
causes an SNMP trap to be generated for every security violation.
Shutdown—A port security violation causes the interface to shut down immediately. When a secure
port is in the error-disabled state, you can bring it out of this state by entering the errdisable
recovery cause psecure-violation global configuration command or you can manually reenable it
by entering the shutdown and no shutdown interface configuration commands. This is the default
mode.
You can also customize the time to recover from the specified error disable cause (default is 300
seconds) by entering the errdisable recovery interval interval command.
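The following configuration is an added example, not taken from the Cisco guide: an access port that carries an IP phone and a workstation behind it, first with the default maximum of one secure address (the phone fills the table and the workstation triggers a violation), then corrected according to the voice note above. Interface and VLAN numbers are constructed placeholders.

```text
! Weak: default maximum of one secure address. The phone's MAC fills the table,
! the PC behind the phone is a violation, and in the default shutdown mode the
! whole port (phone included) goes error-disabled.
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
!
! Corrected: three addresses as the voice note requires, sticky learning so the
! learned addresses are placed in the running configuration, and restrict so a
! stray device is counted and trapped without taking the phone down.
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! Global settings: automatic recovery for ports that do shut down (default
! interval is 300 seconds) and one SNMP trap per violation (trap-rate 0).
errdisable recovery cause psecure-violation
errdisable recovery interval 300
snmp-server enable traps port-security trap-rate 0
end
!
! Sticky addresses are only in the running configuration; save them or they
! are relearned (or lost) after the next reload.
copy running-config startup-config
```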
Software Configuration Guide—Release 12.2(25)EW, OL-6696-01, Chapter 32 Configuring Port Security, page 32-2