Catalyst 4500 Series Switch Cisco IOS Command Reference—Release IOS XE 3.3.0XO(15.1(1)XO)
OL_28738-01
Chapter 2 Cisco IOS Commands for the Catalyst 4500 Series Switches
switchport port-security
Defaults The default settings are as follows:
• Port security is disabled.
• When port security is enabled and no keywords are entered, the default maximum number of secure MAC addresses is 1.
• Aging is disabled.
• Aging time is 0 minutes.
• All secure addresses on this port age out immediately after they are removed from the secure address list.
Command Modes Interface configuration mode
Usage Guidelines After you set the maximum number of secure MAC addresses that are allowed on a port, you can add
secure addresses to the address table by manually configuring them, by allowing the port to dynamically
configure them, or by configuring some MAC addresses and allowing the rest to be dynamically
configured.
Packets are dropped in hardware when the maximum number of secure MAC addresses is in
the address table and a station that does not have a MAC address in the address table attempts to access
the interface.
If you enable port security on a voice VLAN port and a PC is connected to the IP phone, set
the maximum allowed secure addresses on the port to more than 1.
You cannot configure static secure MAC addresses in the voice VLAN.
A secure port has the following limitations:
• A secure port cannot be a dynamic access port or a trunk port.
• A secure port cannot be a routed port.
• A secure port cannot be a protected port.
• A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
• A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.
When a secure port is in the error-disabled state, you can remove it from this state by entering the
errdisable recovery cause psecure-violation global configuration command, or you can manually
re-enable it by entering the shutdown and no shutdown interface configuration commands. If a port
is disabled, you can also use the clear errdisable command to re-enable the offending VLAN on the
port.
To enable secure address aging for a particular port, set the aging time to a value other than 0 for that
port.
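The following Python audit is an added example, not part of the Cisco reference. It checks a saved running-config against the defaults and secure-port limitations listed above. The sample configuration is constructed, the configuration-line patterns are assumed to be the usual IOS forms, and SPAN destinations (set by a global command) are not checked.

```python
import re

# Constructed sample running-config; interface names and VLAN IDs are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 switchport voice vlan 20
 switchport port-security
!
interface GigabitEthernet1/2
 switchport mode trunk
 switchport port-security maximum 5
 switchport port-security
!
interface GigabitEthernet1/3
 switchport port-security maximum 2
 switchport port-security aging time 10
 switchport port-security
 channel-group 1 mode on
!
"""

# Interface-level lines that conflict with a secure port (limitations list above).
# The exact line forms are assumptions about typical IOS output.
CONFLICTS = [
    (r"switchport mode trunk", "trunk port"),
    (r"switchport access vlan dynamic", "dynamic access port"),
    (r"no switchport", "routed port"),
    (r"switchport protected", "protected port"),
    (r"channel-group \d+ mode \S+", "EtherChannel member"),
]

def audit_port_security(config):
    """Return {interface: [findings]} for every interface with port security enabled."""
    findings = {}
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        lines = [l.strip() for l in block.splitlines()]
        if not lines or "switchport port-security" not in lines:
            continue
        issues = [label for pat, label in CONFLICTS
                  if any(re.fullmatch(pat, l) for l in lines)]
        # With no "maximum" keyword the default of 1 secure MAC address applies.
        hits = (re.fullmatch(r"switchport port-security maximum (\d+)", l) for l in lines)
        maximum = next((int(h.group(1)) for h in hits if h), 1)
        if maximum <= 1 and any(l.startswith("switchport voice vlan ") for l in lines):
            issues.append("voice VLAN port with maximum 1")
        # Aging is only active when the aging time is non-zero (default is 0).
        if not any(re.fullmatch(r"switchport port-security aging time [1-9]\d*", l) for l in lines):
            issues.append("aging disabled")
        findings[lines[0].split()[1]] = issues
    return findings
```

Call `audit_port_security(SAMPLE_CONFIG)` to get the findings per interface. An empty list means none of the checked conditions applied.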
shutdown (Optional) Sets the security violation shutdown mode. In this mode, a
port security violation causes the interface to immediately become
error-disabled.
shutdown vlan (Optional) Sets the security violation mode to per-VLAN shutdown. In
this mode, only the VLAN on which the violation occurred is
error-disabled.