38-10
Catalyst 6500 Series Switch Software Configuration Guide—Release 8.7
OL-8978-04
Chapter 38 Configuring Port Security
Configuring Port Security on the Switch
This example shows how to configure the switch to disable the unicast flood packets on a port and how
to verify its configuration:
Console> (enable) set port security 4/1 unicast-flood disable
Port 4/1 security flood mode set to disable.
Console> (enable) show port security 4/1
Port Security Violation Shutdown-Time Age-Time Max-Addr Trap IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
4/1 disabled shutdown 0 0 1 disabled 50
Port Num-Addr Secure-Src-Addr Age-Left Last-Src-Addr Shutdown/Time-Left
----- -------- ----------------- -------- ----------------- ------------------
4/10-----
Port Flooding on Address Limit
---- -------------------------
4/1 Disabled
Console> (enable) show port unicast-flood 4/1
Port Unicast Flooding
---- ----------------
4/1 Disabled
Console> (enable)
Note The show port unicast-flood command displays the run-time status of the unicast flood blocking. The
output can show the unicast flooding as either enabled or disabled depending if the port has exceeded its
address limitation.
Specifying the Security Violation Action
You can set the port for the following two modes to handle a security violation:
• Shutdown—Shuts down the port permanently or for a specified time. Permanent shutdown is the
default mode.
• Restrictive—Drops all packets from the insecure hosts but remains enabled.
To specify the security violation action to be taken, perform this task in privileged mode:
This example shows how to specify that port 7/7 drop all packets from the insecure hosts:
Console> (enable) set port security 7/7 violation restrict
Port security violation on port 7/7 will cause insecure packets to be dropped.
Console> (enable)
Note If you restrict the number of secure MAC addresses on a port to one and additional hosts attempt to
connect to that port, port security prevents these additional hosts from connecting to that port and to any
other port in the same VLAN for the duration of the VLAN aging time. By default, the VLAN aging time
is 5 minutes. If a host is blocked from joining a port in the same VLAN as the secured port, allow the
VLAN aging time to expire before you attempt to connect the host to the port again.
Task Command
Specify the violation action on a port. set port security mod/port violation {shutdown
| restrict}
To Next Page
Loading...
Need help?
General