System Management Software Configuration Guide for Cisco IE 2000U and Connected Grid Switches
Chapter 9 Configuring Port-Based Traffic Control
Guidelines and Limitations
counted, threshold percentages are approximations. Depending on the sizes of the packets making
up the incoming traffic, the actual enforced threshold might differ from the configured level by
several percentage points.
• Storm control is supported on physical interfaces. You can also configure storm control on an
EtherChannel. When storm control is configured on an EtherChannel, the storm control settings
propagate to the EtherChannel physical interfaces.
Protected Ports
• You can configure protected ports on a physical interface that is configured as an NNI (for example,
Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5).
• When you enable protected ports for a port channel, it is enabled for all ports in the port-channel
group.
• Do not configure a private-VLAN port as a protected port. Do not configure a protected port as a
private-VLAN port. A private-VLAN isolated port does not forward traffic to other isolated ports or
community ports.
For more information about private VLANs, see the “Configuring Private VLANs” chapter in the
Layer 2 Switching Software Configuration Guide for Cisco IE 2000U and Connected Grid Switches.
Port Blocking
• With multicast traffic, the port blocking feature blocks only pure Layer 2 packets. Multicast packets
that contain IPv4 or IPv6 information in the header are not blocked.
• The interface can be a physical interface or an EtherChannel group. When you block multicast or
unicast traffic for a port channel, it is blocked on all ports in the port-channel group.
Port Security
• Port security can only be configured on static access ports or trunk ports. A secure port cannot be a
dynamic access port.
• A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
• A secure port cannot belong to a Fast EtherChannel or a Gigabit EtherChannel port group.
• A secure port cannot be a private-VLAN port.
• When a trunk port is configured with port security and assigned to an access VLAN for data traffic and
to a voice VLAN for voice traffic, entering the switchport voice and switchport priority extend
interface configuration commands has no effect.
When a connected device uses the same MAC address to request an IP address for the access VLAN
and then an IP address for the voice VLAN, only the access VLAN is assigned an IP address.
• When you enter a maximum secure address value for an interface, and the new value is greater than
the previous value, the new value overwrites the previously configured value. If the new value is less
than the previous value and the number of configured secure addresses on the interface exceeds the
new value, the command is rejected.
• The switch does not support port security aging of sticky secure MAC addresses.
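An added example, not from the Cisco guide: a small Python audit that reads a saved configuration and flags interfaces that combine port security or protected ports with the features the guidelines above prohibit. The sample configuration is constructed, and the command spellings it matches (such as `switchport access vlan dynamic` and `monitor session ... destination interface`) are the usual Cisco IOS forms, assumed here to match this platform's output, with interface names spelled identically wherever they appear.

```python
import re

# Constructed sample config (not from the guide); command spellings are assumed.
SAMPLE = """\
monitor session 1 destination interface GigabitEthernet0/3
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
interface GigabitEthernet0/2
 switchport mode private-vlan host
 switchport port-security
 switchport protected
interface GigabitEthernet0/3
 switchport port-security
interface GigabitEthernet0/4
 switchport port-security
 channel-group 5 mode active
"""

def parse(config):
    """Return ({interface: [sub-commands]}, set of SPAN destination interfaces)."""
    ifaces, span_dst, cur = {}, set(), None
    for raw in config.splitlines():
        if raw[:1].isspace():           # indented line: belongs to current interface
            if cur:
                ifaces[cur].append(raw.strip())
            continue
        cur = None                      # any top-level line ends the interface block
        if m := re.match(r"interface (\S+)", raw):
            cur = m.group(1)
            ifaces[cur] = []
        elif m := re.match(r"monitor session \d+ destination interface (\S+)", raw):
            span_dst.add(m.group(1))
    return ifaces, span_dst

def audit(config):
    """Return (interface, finding) pairs for combinations the guidelines prohibit."""
    ifaces, span_dst = parse(config)
    out = []
    for name, cmds in ifaces.items():
        pvlan = any(c.startswith("switchport mode private-vlan") for c in cmds)
        if pvlan and "switchport protected" in cmds:
            out.append((name, "protected port is also a private-VLAN port"))
        if "switchport port-security" not in cmds:
            continue
        checks = {"private-VLAN port": pvlan, "SPAN destination port": name in span_dst,
                  "EtherChannel member": any(c.startswith("channel-group ") for c in cmds),
                  "dynamic access port": "switchport access vlan dynamic" in cmds}
        out += [(name, "secure port is also: " + k) for k, hit in checks.items() if hit]
    return out
```
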
Table 9-2 summarizes port security compatibility with other port-based features.