Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide
78-11380-07
Chapter 19 Configuring Port-Based Traffic Control
Configuring Port Security
Default Port Security Configuration
Table 19-2 shows the default port security configuration for an interface.
Port Security Configuration Guidelines
Follow these guidelines when configuring port security:
• Port security can only be configured on static access ports.
• A secure port cannot be a dynamic access port or a trunk port.
• A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
• A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.
• You cannot configure static secure or sticky secure MAC addresses on a voice VLAN.
• When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two. If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN.
• You cannot configure port security on a per-VLAN basis.
• To enable port security on an 802.1X port, you must first enable the 802.1X multiple-hosts mode on the port (for switches running the enhanced software image [EI]).
• The switch does not support port security aging of sticky secure MAC addresses.
Table 19-1 Security Violation Mode Actions

| Violation Mode | Traffic is forwarded (1) | Sends SNMP trap | Sends syslog message | Displays error message (2) | Violation counter increments | Shuts down port |
|---|---|---|---|---|---|---|
| protect | No | No | No | No | No | No |
| restrict | No | Yes | Yes | No | Yes | No |
| shutdown | No | Yes | Yes | No | Yes | Yes |

1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
2. The switch will return an error message if you manually configure an address that would cause a security violation.

Table 19-2 Default Port Security Configuration

| Feature | Default Setting |
|---|---|
| Port security | Disabled on a port |
| Maximum number of secure MAC addresses | One |
| Violation mode | Shutdown |
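
The guidelines and defaults above can be checked against a proposed interface configuration before it is applied. The following Python is an added example, not part of the Cisco guide: it audits IOS-style interface blocks for the static-access, EtherChannel and voice-VLAN guidelines, applies the Table 19-2 default maximum when none is configured, and flags protect mode because Table 19-1 shows it produces no trap, syslog message or counter increment. The function name `audit`, the finding strings and the sample interfaces and VLAN numbers are assumptions made for illustration.

```python
import re

# Constructed sample configuration (not from the guide); names and VLANs are illustrative.
SAMPLE = """\
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 20
 switchport port-security
!
interface FastEthernet0/2
 switchport mode trunk
 channel-group 1 mode on
 switchport port-security
 switchport port-security violation protect
!
interface FastEthernet0/3
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
"""
def audit(config):
    """Return {interface: [findings]} for every port with port security enabled."""
    ports, cur = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = ports.setdefault(raw.split(None, 1)[1], [])
        elif raw.startswith(" ") and cur is not None:
            cur.append(raw.strip())      # indented line: interface sub-command
        else:
            cur = None                   # "!" or a global command ends the block
    report = {}
    for name, body in ports.items():
        if "switchport port-security" not in body:
            continue
        text, findings = "\n".join(body), []
        if "switchport mode access" not in body or "switchport access vlan dynamic" in body:
            findings.append("not a static access port")
        if re.search(r"(?m)^channel-group \d+", text):
            findings.append("EtherChannel member")
        m = re.search(r"(?m)^switchport port-security maximum (\d+)", text)
        maximum = int(m.group(1)) if m else 1   # Table 19-2 default: one
        if "switchport voice vlan " in text and maximum < 2:
            findings.append("voice VLAN needs maximum >= 2")
        v = re.search(r"(?m)^switchport port-security violation (\w+)", text)
        if v and v.group(1) == "protect":
            findings.append("protect mode: no trap, syslog or counter")
        report[name] = findings
    return report
```

Calling `audit(SAMPLE)` reports the voice-VLAN maximum problem on the first port, three findings on the second, and none on the third.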