Administrator Guide

Port and System Security
Configuring Port Security (CLI)
Beginning in Privileged EXEC mode, use the following commands to enable
port security on an interface to limit the number of source MAC addresses
that can be learned.
Command                             Purpose

configure                           Enter Global Configuration mode.

switchport port-security            Enable port-security administrative mode.
                                    Port security must be enabled globally in
                                    order to operate on any interfaces.

interface interface                 Enter interface configuration mode for the
                                    specified interface. The interface variable
                                    includes the interface type and number, for
                                    example tengigabitethernet 1/0/3.
                                    A range of interfaces can be specified using
                                    the interface range command. For example,
                                    interface range tengigabitethernet 1/0/8-12
                                    configures interfaces 8, 9, 10, 11, and 12.

switchport port-security            Enable port security on the port. This
[mac-address {mac-address vlan      prevents the switch from learning new
{vlan-id}} | dynamic value |        addresses on this port after the maximum
maximum value]                      number of addresses has been learned.
                                    mac-address: configure a static MAC address
                                    on the interface and VLAN. This command
                                    performs the same function as the
                                    mac address-table static command.
                                    dynamic: set the maximum number of dynamic
                                    MAC addresses that may be learned on the
                                    interface.
                                    maximum: set the maximum number of static
                                    MAC addresses that may be configured on the
                                    interface. This limit applies regardless of
                                    the port security administrative setting.

CTRL + Z                            Exit to Privileged EXEC mode.

show port-security [interface-id    View port security settings on all
| all | dynamic interface-id        interfaces or the specified interface. Use
| static interface-id               the dynamic keyword to display learned MAC
| violation interface-id]           addresses and the static keyword to display
                                    configured MAC addresses.
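
The following is an added example, not part of the guide: a Python check for the dependency stated in the table, that the interface-level setting only operates once port security is enabled globally. It assumes a saved configuration that lists the guide's commands one per line with each interface block closed by exit; the sample text and the name audit_port_security are constructed for illustration.

```python
import re

# Constructed sample configuration (not from the guide). Assumption: the
# saved configuration lists the guide's commands one per line and closes
# each "interface ..." block with "exit". The global enable is missing here.
SAMPLE_CONFIG = """\
configure
interface tengigabitethernet 1/0/3
switchport port-security
switchport port-security dynamic 2
exit
interface tengigabitethernet 1/0/4
switchport port-security maximum 1
exit
interface tengigabitethernet 1/0/5
exit
"""

def audit_port_security(config_text):
    """Return (global_enabled, per-interface settings, findings)."""
    global_enabled = False
    ports = {}
    current = None  # interface block being parsed; None at global level
    for raw in config_text.splitlines():
        line = raw.strip()
        iface = re.fullmatch(r"interface\s+(.+)", line)
        limit = re.fullmatch(r"switchport port-security (dynamic|maximum) (\d+)", line)
        if iface:  # an "interface range ..." block is keyed by its range text
            current = iface.group(1)
            ports[current] = {"enabled": False, "dynamic": None, "maximum": None}
        elif line == "exit":
            current = None
        elif line == "switchport port-security":
            if current is None:
                global_enabled = True          # administrative mode
            else:
                ports[current]["enabled"] = True
        elif limit and current is not None:
            ports[current][limit.group(1)] = int(limit.group(2))
    findings = []
    for name, p in ports.items():
        if p["enabled"] and not global_enabled:
            findings.append(f"{name}: enabled on port but not globally, so it does not operate")
        elif not p["enabled"]:
            findings.append(f"{name}: port security not enabled on this port")
    return global_enabled, ports, findings

if __name__ == "__main__":
    print("\n".join(audit_port_security(SAMPLE_CONFIG)[2]))
```

Run against the constructed sample, it reports all three interfaces; adding the global switchport port-security line clears the finding for 1/0/3 only.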