450
Configuring Port-Based Traffic Control
Information About Port-Based Traffic Control
Static secure MAC addresses—These are manually configured by using the switchport port-security mac-address
mac-address interface configuration command, stored in the address table, and added to the switch running
configuration.
Dynamic secure MAC addresses—These are dynamically configured, stored only in the address table, and removed
when the switch restarts.
Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address
table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch
restarts, the interface does not need to dynamically reconfigure them.
You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them
to the running configuration by enabling sticky learning. To enable sticky learning, enter the switchport port-security
mac-address sticky interface configuration command. When you enter this command, the interface converts all the
dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to
sticky secure MAC addresses. All sticky secure MAC addresses are added to the running configuration.
The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup
configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file,
when the switch restarts, the interface does not need to relearn these addresses. If you do not save the sticky secure
addresses, they are lost.
If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are
removed from the running configuration.
The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of
available MAC addresses allowed in the system. This number is determined by the active Switch Database Management
(SDM) template. This number is the total of available MAC addresses, including those used for other Layer 2 functions
and any other secure MAC addresses configured on interfaces.
Security Violations
It is a security violation when one of these situations occurs:
The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC
address is not in the address table attempts to access the interface.
An address learned or configured on one secure interface is seen on another secure interface in the same VLAN and
on the same switch.
You can configure the interface for one of four violation modes, based on the action to be taken if a violation occurs:
protect—When the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with
unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop
below the maximum value or increase the number of maximum allowable addresses. You are not notified that a
security violation has occurred.
We do not recommend configuring the protect violation mode on a trunk port. The protect mode disables learning
when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.
restrict—When the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with
unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop
below the maximum value or increase the number of maximum allowable addresses. In this mode, you are notified
that a security violation has occurred. An SNMP trap is sent, a syslog message is logged, and the violation counter
increments.
shutdown—A port security violation causes the interface to become error-disabled and to shut down immediately,
and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable
recovery cause psecure-violation global configuration command, or you can manually reenable it by entering the
shutdown and no shut down interface configuration commands. This is the default mode.
To Next Page
Loading...
Need help?
General