Leaflet

OL-11615-01
Restrict—Drops packets with unknown source addresses until you remove a sufficient number of
secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter
to increment.
Shutdown—Puts the interface into the error-disabled state immediately and sends an SNMP trap
notification.
Note: Ports connecting to IP phones need to be configured to allow at least three MAC addresses: one for the
workstation, one for the phone on the voice VLAN, and one for the phone on the native VLAN for CDP.
In addition, the violation action should be set to restrict so the port is not entirely taken down when a
violation occurs.
Configuring Port Security in Catalyst OS
To configure port security on a switch running Catalyst OS, perform the following steps:
Step 1 Enable port security on the desired ports using the set port security enable command. Optionally, a
secure MAC address can be specified. To enable port security on a trunk port, specify the VLANs on
which a secure MAC address is allowed:
Console> (enable) set port security mod/port enable [mac_addr] [vlan_list]
Step 2 Configure the port security violation mode on the port using the set port security violation command:
Console> (enable) set port security mod/port violation {shutdown | restrict}
Step 3 Add the MAC addresses to the list of secure addresses using the set port security command:
Console> (enable) set port security mod/port mac_addr
Step 4 Set the maximum number of secure MAC addresses using the set port security maximum command:
Console> (enable) set port security mod/port maximum num_of_mac
Step 5 Enable port security for dynamically learned MAC addresses globally using the set port security
auto-configure enable command. This feature applies globally to all secure ports on the system.
Console> (enable) set port security auto-configure {enable | disable}
In this example, port 2/1 is configured as a secure port, a static secure MAC address entry is defined for
00-90-2b-03-34-08, and the port is configured to accept up to five dynamically learned MAC addresses.
Console> (enable) set port security 2/1 enable
Port 2/1 security enabled.
Console> (enable) set port security 2/1 enable 00-90-2b-03-34-08
Port 2/1 port security enabled with 00-90-2b-03-34-08 as the secure mac address
Trunking disabled for Port 2/1 due to Security Mode
Console> (enable)
Console> (enable) set port security 2/1 maximum 5
Maximum number of secure addresses set to 5 for port 2/1.
Console> (enable)
Console> (enable) set port security auto-configure enable
Automatic configuration of secure learnt addresses enabled.
Console> (enable)
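The following is an added example, not part of the original document: a short Python audit that reads per-port set port security commands in the forms shown in the steps above and checks IP phone ports against the Note's guidance (at least three MAC addresses, violation action restrict). The sample configuration, the phone-port list, and the assumption that the configuration text holds one command per line are all constructed for illustration.

```python
import re

# Per-port forms from the steps above: enable, violation, maximum.
CMD = re.compile(r"^set port security (\d+/\d+) (enable|violation|maximum)(?:\s+(\S+))?(?:\s.*)?$")

def parse_port_security(config_text):
    """Return {port: {'enabled', 'violation', 'maximum'}} from config text."""
    ports = {}
    for line in config_text.splitlines():
        m = CMD.match(line.strip())
        if not m:
            continue  # global (auto-configure) or unrelated command
        port, keyword, arg = m.groups()
        p = ports.setdefault(port, {"enabled": False, "violation": None, "maximum": None})
        if keyword == "enable":
            p["enabled"] = True
        elif keyword == "violation" and arg in ("shutdown", "restrict"):
            p["violation"] = arg
        elif keyword == "maximum" and arg and arg.isdigit():
            p["maximum"] = int(arg)
    return ports

def audit_phone_ports(config_text, phone_ports):
    """Check IP phone ports against the Note: >= 3 MACs, action restrict."""
    ports = parse_port_security(config_text)
    findings = []
    for port in phone_ports:
        p = ports.get(port)
        if p is None or not p["enabled"]:
            findings.append((port, "port security not enabled"))
            continue
        # Unset values are reported, not guessed: defaults are not on this page.
        if p["maximum"] is None or p["maximum"] < 3:
            findings.append((port, "maximum not set to at least 3"))
        if p["violation"] != "restrict":
            findings.append((port, "violation action not set to restrict"))
    return findings

# Constructed sample configuration (not from a real switch).
SAMPLE = """\
set port security 2/1 enable 00-90-2b-03-34-08
set port security 3/5 enable
set port security 3/5 maximum 1
set port security 3/5 violation shutdown
set port security 3/6 enable
set port security 3/6 maximum 3
set port security 3/6 violation restrict
set port security auto-configure enable
"""
```

Calling audit_phone_ports(SAMPLE, ["3/5", "3/6", "3/7"]) reports both problems on 3/5, nothing for 3/6, and that 3/7 has no port security enabled.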