Catalyst 2960 Switch Software Configuration Guide
78-16881-01
Chapter 21 Configuring Port-Based Traffic Control
Configuring Port Security
Step 6
switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]]
(Optional) Set the maximum number of secure MAC addresses for the
interface. The maximum number of secure MAC addresses that you can
configure on a switch is set by the maximum number of available MAC
addresses allowed in the system. This number is the total of available MAC
addresses, including those used for other Layer 2 functions and any other
secure MAC addresses configured on interfaces.
(Optional) vlan—Set a per-VLAN maximum value.
Enter one of these options after you enter the vlan keyword:
• vlan-list—On a trunk port, you can set a per-VLAN maximum value on
a range of VLANs separated by a hyphen or a series of VLANs separated
by commas. For nonspecified VLANs, the per-VLAN maximum value is
used.
• access—On an access port, specify the VLAN as an access VLAN.
• voice—On an access port, specify the VLAN as a voice VLAN.
Note: The voice keyword is available only if voice VLAN is configured on
a port and if that port is not the access VLAN.
Step 7
switchport port-security violation {protect | restrict | shutdown}
(Optional) Set the violation mode, the action to be taken when a security
violation is detected, as one of these:
• protect—When the number of port secure MAC addresses reaches the
maximum limit allowed on the port, packets with unknown source
addresses are dropped until you remove a sufficient number of secure
MAC addresses to drop below the maximum value or increase the
number of maximum allowable addresses. You are not notified that a
security violation has occurred.
Note: We do not recommend configuring the protect mode on a trunk port.
The protect mode disables learning when any VLAN reaches its
maximum limit, even if the port has not reached its maximum limit.
• restrict—When the number of secure MAC addresses reaches the limit
allowed on the port, packets with unknown source addresses are dropped
until you remove a sufficient number of secure MAC addresses or
increase the number of maximum allowable addresses. An SNMP trap is
sent, a syslog message is logged, and the violation counter increments.
• shutdown—The interface is error-disabled when a violation occurs, and
the port LED turns off. An SNMP trap is sent, a syslog message is logged,
and the violation counter increments.
Note: When a secure port is in the error-disabled state, you can bring it out
of this state by entering the errdisable recovery cause
psecure-violation global configuration command, or you can
manually re-enable it by entering the shutdown and no shutdown
interface configuration commands.
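
Steps 6 and 7 applied together, as an added example that is not part of the original guide. Interface names, VLAN IDs, address limits and the recovery interval are assumed values chosen for illustration.

```cisco
! Constructed example: interface names, VLAN IDs and limits are assumptions.
!
! Access port with an IP phone and one PC behind it.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 21
 switchport voice vlan 22
 switchport port-security
 ! Step 6: port-wide ceiling, then per-VLAN ceilings (access and voice keywords)
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 ! Step 7: restrict drops unknown sources and sends a trap, logs to syslog
 ! and increments the violation counter, so the event is visible.
 switchport port-security violation restrict
!
! Access port where a violation should take the port down.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 21
 switchport port-security
 switchport port-security maximum 1
 ! shutdown error-disables the interface on the first violation.
 switchport port-security violation shutdown
!
! Trunk port: per-VLAN ceiling on a VLAN range (vlan-list form).
! protect is avoided here because it disables learning as soon as any
! one VLAN reaches its limit, and it gives no notification.
interface GigabitEthernet0/24
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 40
 switchport port-security maximum 10 vlan 21-24
 switchport port-security violation restrict
!
! Bring error-disabled secure ports back automatically instead of
! waiting for a manual shutdown / no shutdown.
errdisable recovery cause psecure-violation
! Recovery timer in seconds; 300 is an assumed value, not from the guide.
errdisable recovery interval 300
```

To check the result, `show port-security interface gigabitethernet0/1` reports the configured violation mode, address limits and violation count, and `show interfaces status err-disabled` lists ports that the shutdown mode has taken down.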