Users Guide

Layer 2 Switching Commands 305
Default Configuration
Port security is disabled by default.
No MAC addresses are learned or configured by default.
Command Mode
Global Configuration mode
User Guidelines
Port security must be enabled globally and on the interface or VLAN in order
to be active. Disabling port security globally does not remove sticky MAC
address configuration from the running-config.
Port security allows the network administrator to secure interfaces or VLANs
by specifying (or learning) the allowable MAC addresses on a given port.
Packets with a matching source MAC address are forwarded normally. All
other host packets are discarded. Port security operates on access, trunk and
general mode ports.
Two methods are used to implement Port MAC locking: dynamic locking and
static locking. Static locking further has an optional sticky mode.
Dynamic locking implements a ‘first arrival’ mechanism for MAC locking.
The administrator specifies how many dynamic addresses may be learned on
the locked port. If the limit has not been reached, then a packet with an
unknown source MAC address is learned and forwarded normally. If the MAC
address limit has been reached, the packet is discarded. The administrator can
disable dynamic locking (learning) by setting the number of allowable
dynamic entries to zero.
When a link with MAC locking enabled goes down, all of the dynamically
locked addresses on that port are ‘freed.’ When the link is restored, the port
can once again learn MAC addresses up to the administrator-specified limit.
A dynamically locked MAC address is eligible to be aged out if another packet
with that MAC address is not seen within the age-out time. Dynamically
locked MAC addresses are also eligible to be relearned on another port if
station movement occurs. Statically locked MAC addresses are not eligible for
aging. If a packet arrives on a port with a source MAC address that is statically
locked on another port, then the packet is discarded.
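The User Guidelines above describe the complete decision procedure for a locked port: static entries, a dynamic first-arrival limit, freeing on link-down, age-out, station movement, and discard of frames whose source MAC is statically locked elsewhere. The following Python model is an added example written for this guide, not the switch's own code or Dell's CLI; it assumes one learned-MAC table per port, MAC addresses as strings, times as integer seconds, and that aging is evaluated lazily each time a frame arrives (a real switch ages on a timer). The port names, MAC values and limits in `demo()` are constructed test data.

```python
"""Model of the port-security (MAC locking) rules described in the User
Guidelines: dynamic first-arrival learning up to a per-port limit, static
locking, link-down freeing, age-out, station movement and discard of frames
whose source MAC is statically locked on another port. Illustrative only."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Port:
    name: str
    dynamic_limit: int = 0                 # 0 disables dynamic learning
    link_up: bool = True
    static: Set[str] = field(default_factory=set)      # statically locked MACs
    dynamic: Dict[str, int] = field(default_factory=dict)  # MAC -> last seen


class PortSecurity:
    def __init__(self, age_out: int = 300):
        self.age_out = age_out             # seconds without traffic before removal
        self.ports: Dict[str, Port] = {}

    def add_port(self, name: str, dynamic_limit: int = 0, static=()) -> Port:
        port = Port(name, dynamic_limit, static=set(static))
        self.ports[name] = port
        return port

    def _static_owner(self, mac: str) -> Optional[str]:
        return next((p.name for p in self.ports.values() if mac in p.static), None)

    def _dynamic_owner(self, mac: str) -> Optional[str]:
        return next((p.name for p in self.ports.values() if mac in p.dynamic), None)

    def age(self, now: int) -> None:
        """Drop dynamic entries not refreshed within the age-out time.
        Static entries are never aged."""
        for port in self.ports.values():
            for mac, seen in list(port.dynamic.items()):
                if now - seen >= self.age_out:
                    del port.dynamic[mac]

    def link_down(self, name: str) -> None:
        """Link loss frees every dynamically locked address on the port."""
        self.ports[name].link_up = False
        self.ports[name].dynamic.clear()

    def link_up(self, name: str) -> None:
        self.ports[name].link_up = True

    def receive(self, name: str, src_mac: str, now: int) -> str:
        """Return 'forward' or 'discard' for a frame arriving on port `name`."""
        port = self.ports[name]
        self.age(now)
        if src_mac in port.static:
            return "forward"
        if self._static_owner(src_mac) is not None:
            return "discard"               # statically locked on another port
        if src_mac in port.dynamic:
            port.dynamic[src_mac] = now    # refresh age-out timer
            return "forward"
        if len(port.dynamic) >= port.dynamic_limit:
            return "discard"               # limit reached (or learning disabled)
        other = self._dynamic_owner(src_mac)
        if other is not None:              # station movement: relearn here
            del self.ports[other].dynamic[src_mac]
        port.dynamic[src_mac] = now        # first-arrival learning
        return "forward"


def demo() -> Tuple[List[str], Dict[str, List[str]]]:
    """Constructed scenario exercising each rule; returns the verdicts and the
    final dynamic tables. Assumed port names and MACs, not real devices."""
    a, b, c, srv = ("00:00:00:00:00:01", "00:00:00:00:00:02",
                    "00:00:00:00:00:03", "00:00:00:00:00:aa")
    ps = PortSecurity(age_out=60)
    ps.add_port("gi1", dynamic_limit=2)
    ps.add_port("gi2", dynamic_limit=1, static={srv})
    verdicts = [
        ps.receive("gi1", a, 0),      # learned dynamically (1 of 2)
        ps.receive("gi1", b, 1),      # learned dynamically (2 of 2)
        ps.receive("gi1", c, 2),      # limit reached -> discard
        ps.receive("gi1", srv, 3),    # statically locked on gi2 -> discard
        ps.receive("gi2", srv, 4),    # static match -> forward
    ]
    ps.link_down("gi1")               # frees a and b
    ps.link_up("gi1")
    verdicts.append(ps.receive("gi1", c, 5))    # room again -> learned
    verdicts.append(ps.receive("gi2", c, 6))    # station moved to gi2 -> relearned
    verdicts.append(ps.receive("gi1", a, 100))  # c aged out on gi2; a learned
    tables = {n: sorted(p.dynamic) for n, p in ps.ports.items()}
    return verdicts, tables


if __name__ == "__main__":
    print(demo())
```

The two `discard` verdicts in the scenario are the ones a defender most often needs to explain in a ticket: a host that exceeds the dynamic limit, and a host whose MAC is statically locked on a different port. Both are silent drops in this model, as the guide describes; on a real switch, pair port security with the logging or violation action the platform offers so those drops are visible.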