Cisco Systems EA6500 User Manual

Catalyst 6500 Series Switch Cisco IOS Software Configuration Guide—Release 12.1 E
78-14099-04
Chapter 26      Configuring Port Security
Configuring Port Security on an Interface
To restrict traffic through a port by limiting and identifying MAC addresses of the stations allowed to 
access the port, perform this task:
When configuring port security, note the following syntax information about port security violation modes:
  • protect—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
  • restrict—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.
  • shutdown—Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.
Note
When port security is enabled, if an address learned or configured on one secure interface is seen on another secure interface in the same VLAN, port security puts the interface into the error-disabled state immediately.
To bring a secure port out of the error-disabled state, enter the errdisable recovery cause psecure_violation global configuration command, or manually reenable it by entering the shutdown and no shutdown interface configuration commands.
Step 1
Command: Router(config)# interface interface_id
Purpose: Enters interface configuration mode and enters the physical interface to configure, for example, gigabitethernet 3/1.

Step 2
Command: Router(config-if)# switchport mode access
Purpose: Sets the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port.

Step 3
Command: Router(config-if)# switchport port-security
Purpose: Enables port security on the interface.

Step 4
Command: Router(config-if)# switchport port-security maximum value
Purpose: (Optional) Sets the maximum number of secure MAC addresses for the interface. The range is 1 to 128; the default is 128.

Step 5
Command: Router(config-if)# switchport port-security violation {protect | restrict | shutdown}
Purpose: (Optional) Sets the violation mode and the action to be taken when a security violation is detected.

Step 6
Command: Router(config-if)# switchport port-security mac-address mac_address
Purpose: (Optional) Enters a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.

Step 7
Command: Router(config-if)# end
Purpose: Returns to privileged EXEC mode.

Step 8
Command: Router# show port-security interface interface_id
         Router# show port-security address
Purpose: Verifies your entries.
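The following is an added example, not part of the Cisco guide: a small Python audit that checks saved interface configuration against the steps and violation-mode notes above. The function name `audit`, the finding labels, and the sample configuration (interface names and MAC addresses) are constructed for illustration.

```python
import re

# Constructed sample running-config; interface names and MAC addresses are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet3/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address 0000.1111.2222
!
interface GigabitEthernet3/2
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet3/3
 switchport mode access
 switchport port-security maximum 1
 switchport port-security mac-address 0000.1111.3333
 switchport port-security mac-address 0000.1111.4444
"""

PREFIX = "switchport port-security"
DEFAULT_MAXIMUM = 128  # default stated in Step 4

def audit(config):
    """Hypothetical helper: map each interface with port-security lines to its findings."""
    ports, cmds = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            cmds = ports.setdefault(m.group(1), [])
        elif cmds is not None and line.startswith(" "):
            cmds.append(line.strip())
    report = {}
    for name, body in ports.items():
        # Each entry is the argument list after the prefix; [] is the bare enable command.
        opts = [c[len(PREFIX):].split() for c in body if c.startswith(PREFIX)]
        if not opts:
            continue  # no port-security lines on this interface
        maximum = next((int(o[1]) for o in opts if o[:1] == ["maximum"]), DEFAULT_MAXIMUM)
        static = sum(1 for o in opts if o[:1] == ["mac-address"])
        checks = [
            ("not-access-mode", "switchport mode access" not in body),  # Step 2
            ("not-enabled", [] not in opts),                            # Step 3
            ("static-over-maximum", static > maximum),                  # Step 6 vs. Step 4
            ("silent-violation", ["violation", "protect"] in opts),     # no counter, no trap
        ]
        report[name] = [label for label, hit in checks if hit]
    return report
```

The `silent-violation` finding reflects the mode descriptions above: of the three modes, only restrict increments the SecurityViolation counter and only shutdown sends an SNMP trap, so a port in protect mode drops frames without leaving either signal for monitoring.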