CLI Guide

Layer 2 Switching Commands
Static locking allows the administrator to specify a list of MAC addresses that
are allowed on a port. The behavior of packets is the same as for dynamic
learning once the dynamic limit has been reached: only packets with a known
source MAC address can be forwarded. Any packets with source MAC
addresses that are not configured are discarded. The switch treats this as a
violation.

If the administrator knows the specific MAC address (or addresses) that will
be connected to a particular port, she can specify those addresses as static
entries. By setting the number of allowable dynamic entries to zero, only
packets with a source MAC address matching a MAC address in the static list
are forwarded.

Statically locked MAC addresses are not eligible for aging. If a packet arrives
on a port with a source MAC address that is statically locked on another port,
then the packet is discarded.

To configure static locking only, set the dynamic MAC limit to 0 and
configure the static MAC addresses on the interface. To configure dynamic
locking only, set the static MAC limit to 0, and set the appropriate dynamic
MAC address limit.

Source MAC addresses seen on an interface/VLAN other than the learned or
configured MAC addresses and in excess of the limit are considered violations
of port security. Trap issuance on a violation can be configured using the
snmp-server enable traps port-security command. The default action is to log
a message and send an SNMP trap. Port security can optionally error-disable
an interface on which a violation occurs using the switchport port-security
violation shutdown command. Setting the port to shutdown mode also
enables the sending of port-security traps.
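
The forwarding decision described above, modelled in Python as an added example (not code from this guide or from the switch firmware). Port names and MAC addresses are constructed, and treating an error-disabled port as discarding every frame is an assumption of the model.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    static: set = field(default_factory=set)    # statically locked MACs (never age)
    dynamic_limit: int = 0                      # 0 = static locking only
    shutdown_on_violation: bool = False         # models "violation shutdown"
    dynamic: set = field(default_factory=set)   # dynamically learned MACs
    violations: list = field(default_factory=list)
    err_disabled: bool = False

class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}

    def receive(self, port_name, src_mac):
        """Return 'forward' or 'discard' for one frame's source MAC."""
        port, mac = self.ports[port_name], src_mac.lower()
        if port.err_disabled:            # assumption: a disabled port drops everything
            return "discard"
        # A MAC statically locked on another port is discarded here.
        if any(mac in p.static for p in self.ports.values() if p is not port):
            return "discard"
        if mac in port.static or mac in port.dynamic:
            return "forward"             # known source MAC
        if len(port.dynamic) < port.dynamic_limit:
            port.dynamic.add(mac)        # still room to learn dynamically
            return "forward"
        port.violations.append(mac)      # the switch would log and send a trap
        if port.shutdown_on_violation:
            port.err_disabled = True
        return "discard"

def demo():
    # Constructed setup: port 1 is static-only, port 2 learns up to two MACs.
    sw = Switch([
        Port("Gi1/0/1", static={"00:11:22:33:44:55"}, shutdown_on_violation=True),
        Port("Gi1/0/2", dynamic_limit=2),
    ])
    frames = [
        ("Gi1/0/1", "00:11:22:33:44:55"),  # static entry
        ("Gi1/0/2", "00:11:22:33:44:55"),  # static on the other port
        ("Gi1/0/2", "aa:aa:aa:aa:aa:01"),  # learned, 1 of 2
        ("Gi1/0/2", "aa:aa:aa:aa:aa:02"),  # learned, 2 of 2
        ("Gi1/0/2", "aa:aa:aa:aa:aa:03"),  # over the dynamic limit: violation
        ("Gi1/0/1", "aa:aa:aa:aa:aa:04"),  # unknown on static-only port: violation
        ("Gi1/0/1", "00:11:22:33:44:55"),  # port is now error-disabled
    ]
    return sw, [sw.receive(p, m) for p, m in frames]
```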

Enabling sticky mode configuration converts all the existing dynamically
learned MAC addresses on an interface to sticky. It also converts the last
violation MAC address to sticky, even if the dynamic limit is set to 0. These
MAC addresses will not age out and will appear in the running-config. In
addition, new addresses learned on the interface will also become sticky. Note
that sticky is not the same as static – the difference is that all sticky addresses
for an interface are removed from the running-config when the interface is
taken out of sticky mode. Static addresses must be removed from the
running-config individually. Save the running-config to ensure that sticky
addresses survive a switch boot.

Sticky MAC addresses appear in the running-config in the following form: