Catalyst 3550 Multilayer Switch Software Configuration Guide, Rel. 12.2(25)SEB
Configuring Port-Based Traffic Control
Downloads: This chapterpdf (PDF - 294.0KB) The complete bookPDF (PDF - 11.32MB) | Feedback

Configuring Port-Based Traffic Control

Table Of Contents

Configuring Port-Based Traffic Control

Configuring Storm Control

Understanding Storm Control

Default Storm Control Configuration

Configuring Storm Control and Threshold Levels

Configuring Protected Ports

Configuring Port Blocking

Blocking Flooded Traffic on an Interface

Resuming Normal Forwarding on a Port

Configuring Port Security

Understanding Port Security

Secure MAC Addresses

Security Violations

Default Port Security Configuration

Port Security Configuration Guidelines

Enabling and Configuring Port Security

Enabling and Configuring Port Security Aging

Displaying Port-Based Traffic Control Settings


Configuring Port-Based Traffic Control


This chapter describes how to configure the port-based traffic control features on your Catalyst 3550 switch.


Note For complete syntax and usage information for the commands used in this chapter, see the command reference for this release.


This chapter consists of these sections:

Configuring Storm Control

Configuring Protected Ports

Configuring Port Blocking

Configuring Port Security

Displaying Port-Based Traffic Control Settings

Configuring Storm Control

These sections include storm control configuration information and procedures:

Understanding Storm Control

Default Storm Control Configuration

Configuring Storm Control and Threshold Levels

Understanding Storm Control

Storm control prevents traffic on a LAN from being disrupted by a broadcast, a multicast, or a unicast storm on one of the physical interfaces. A LAN storm occurs when packets flood the LAN, creating excessive traffic and degrading network performance. Errors in the protocol-stack implementation or in the network configuration can cause a storm.

Storm control (or traffic suppression) monitors packets passing from an interface to the switching bus and determines if the packet is unicast, multicast, or broadcast. The switch counts the number of packets of a specified type received within the 1-second time interval and compares the measurement with a predefined suppression-level threshold.

Storm control uses one of these methods to measure traffic activity:

Bandwidth as a percentage of the total available bandwidth of the port that can be used by the broadcast, multicast, or unicast traffic

Traffic rate in packets per second at which broadcast, multicast, or unicast packets are received (Cisco IOS Release 12.1(22)EA1 or later)

With either method, the port blocks traffic when the rising threshold is reached. The port remains blocked until the traffic rate drops below the falling threshold (if one is specified) and then resumes normal forwarding. If the falling suppression level is not specified, the switch blocks all traffic until the traffic rate drops below the rising suppression level. In general, the higher the level, the less effective the protection against broadcast storms.


Note When the rate of multicast traffic exceeds a set threshold, all incoming traffic (broadcast, multicast, and unicast) is dropped until the level drops below the threshold level. Only spanning-tree packets are forwarded. When broadcast and unicast thresholds are exceeded, traffic is blocked for only the type of traffic that exceeded the threshold.


The graph in Figure 21-1 shows broadcast traffic patterns on an interface over a given period of time. The example can also be applied to multicast and unicast traffic. In this example, the broadcast traffic being forwarded exceeded the configured threshold between time intervals T1 and T2 and between T4 and T5. When the amount of specified traffic exceeds the threshold, all traffic of that kind is dropped for the next time period. Therefore, broadcast traffic is blocked during the intervals following T2 and T5. At the next time interval (for example, T3), if broadcast traffic does not exceed the threshold, it is again forwarded.

Figure 21-1 Broadcast Storm Control Example

The combination of the storm-control suppression level and the 1-second time interval control the way the storm control algorithm works. A higher threshold allows more packets to pass through.


Note Because packets do not arrive at uniform intervals, the 1-second time interval during which traffic activity is measured can affect the behavior of storm control.


You use the storm-control interface configuration commands to set the threshold value for each traffic type.


Note Before Cisco IOS Release 12.1(8)EA1, you set up storm control threshold values by using the switchport broadcast, switchport multicast, and switchport unicast interface configuration commands. These commands are now obsolete, replaced by the storm-control interface configuration commands.


Default Storm Control Configuration

By default, unicast, broadcast, and multicast storm control are disabled on the switch: that is, the suppression level is 100 percent (no limit is placed on the traffic).

Configuring Storm Control and Threshold Levels

You configure storm control on a port and enter the threshold level that you want to be used by a particular type of traffic.

However, because of hardware limitations and the way in which packets of different sizes are counted, threshold percentages are approximations. Depending on the sizes of the packets making up the incoming traffic, the actual enforced threshold might differ from the configured level by several percentage points.


Note Storm control is supported only on physical interfaces; it is not supported on EtherChannel port channels or physical interfaces that are members of port channels even though the command is available in the CLI.


Beginning in privileged EXEC mode, follow these steps to configure storm control and threshold levels:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Specify the physical interface to configure, and enter interface configuration mode.

Step 3 

storm-control {broadcast | multicast | unicast} level {level [level-low] | pps pps [pps-low]}

Configure broadcast, multicast, or unicast storm control. By default, storm control is disabled.

The keywords have these meanings:

For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage (up to two decimal places) of the bandwidth. The port blocks traffic when the rising threshold is reached. The range is 0.00 to 100.00.

(Optional) For level-low, specify the falling threshold level as a percentage (up to two decimal places) of the bandwidth. This value must be less than or equal to the rising suppression value. The port forwards traffic when traffic drops below this level. If you do not configure a falling suppression level, it is set to the rising suppression level. The range is 0.00 to 100.00.

If you set the threshold to the maximum value (100 percent), no limit is placed on the traffic. If you set the threshold to 0 0, all broadcast, multicast, and unicast traffic on that port is blocked.

For pps pps, specify the rising threshold level for broadcast, multicast, or unicast traffic in packets per second (up to one decimal place). The port blocks traffic when the rising threshold is reached. The range is 0.0 to 10000000000.0.

(Optional) For pps-low, specify the falling threshold level in packets per second (up to one decimal place). It can be less than or equal to the rising threshold level. The port forwards traffic when traffic drops below this level. The range is 0.0 to 10000000000.0.

For PPS settings, you can use metric suffixes such as k, m, and g for large number thresholds.

Step 4 

storm-control action {shutdown | trap}

Specify the action to be taken when a storm is detected. The default is to filter out the traffic and to not send traps.

Select the shutdown keyword to error-disable the port during a storm.

Select the trap keyword to generate an SNMP trap when a storm is detected.

Step 5 

end

Return to privileged EXEC mode.

Step 6 

show storm-control [interface-id] [broadcast | multicast | unicast]

Verify the storm control suppression levels set on the interface for the specified traffic type. If you do not enter a traffic type, broadcast storm control settings appear.

Step 7 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable storm control, use the no storm-control {broadcast | multicast | unicast} level interface configuration command.

This example shows how to enable unicast storm control on a port with an 87-percent rising suppression level and a 65-percent falling suppression level:

Switch# configure terminal
Switch(config)# interface fastethernet0/1
Switch(config-if)# storm-control unicast level 87 65

Configuring Protected Ports

Some applications require that no traffic be forwarded between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch.

Protected ports have these features:

A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.

Forwarding behavior between a protected port and a nonprotected port proceeds as usual.

Protected ports are supported on IEEE 802.1Q trunks.

The default is to have no protected ports defined.


Note The protected port feature is not compatible with fallback bridging. When fallback bridging is enabled, it is possible for packets to be forwarded from one protected port on a switch to another protected port on the same switch if the ports are in different VLANs.



Note There could be times when unknown unicast or multicast traffic from a nonprotected port is flooded to a protected port because a MAC address has timed out or has not been learned by the switch. Use the switchport block unicast and switchport block multicast interface configuration commands to guarantee that no unicast or multicast traffic is flooded to the port in such a case.


You can configure protected ports on a physical interface or an EtherChannel group. When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.

Beginning in privileged EXEC mode, follow these steps to define a port as a protected port:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Specify the interface to configure, and enter interface configuration mode.

Step 3 

switchport protected

Configure the interface to be a protected port.

Step 4 

end

Return to privileged EXEC mode.

Step 5 

show interfaces interface-id switchport

Verify your entries.

Step 6 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable protected port, use the no switchport protected interface configuration command.

This example shows how to configure a port as a protected port:

Switch# configure terminal
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport protected
Switch(config-if)# end

Configuring Port Blocking

By default, the switch floods packets with unknown destination MAC addresses to all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues.

To prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can configure a port (protected or nonprotected) to block unknown unicast or multicast packets.


Note Blocking unicast or multicast traffic is not automatically enabled on protected ports; you must explicitly configure it.


Blocking Flooded Traffic on an Interface


Note The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port channel group.


Beginning in privileged EXEC mode, follow these steps to disable the flooding of multicast and unicast packets to an interface:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Specify the interface to configure, and enter interface configuration mode.

Step 3 

switchport block multicast

Block unknown multicast forwarding to the port.

Step 4 

switchport block unicast

Block unknown unicast forwarding to the port.

Step 5 

end

Return to privileged EXEC mode.

Step 6 

show interfaces interface-id switchport

Verify your entries.

Step 7 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To return the interface to the default condition where no traffic is blocked, use the no switchport block {multicast | unicast} interface configuration commands.

This example shows how to block unicast and multicast flooding on a port:

Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport block multicast
Switch(config-if)# switchport block unicast
Switch(config-if)# end

Resuming Normal Forwarding on a Port

Beginning in privileged EXEC mode, follow these steps to resume normal forwarding on a port:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Specify the interface to configure, and enter interface configuration mode.

Step 3 

no switchport block multicast

Enable unknown multicast flooding to the port.

Step 4 

no switchport block unicast

Enable unknown unicast flooding to the port.

Step 5 

end

Return to privileged EXEC mode

Step 6 

show interfaces interface-id switchport

Verify your entries.

Step 7 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

Configuring Port Security

You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.

This section includes information about these topics:

Understanding Port Security

Default Port Security Configuration

Port Security Configuration Guidelines

Enabling and Configuring Port Security

Enabling and Configuring Port Security Aging

Understanding Port Security

This section includes information about:

Secure MAC Addresses

Security Violations

Secure MAC Addresses

You can configure these types of secure MAC addresses:

Static secure MAC addresses—These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.

Dynamic secure MAC addresses—These are dynamically learned, stored only in the address table, and removed when the switch restarts.

Sticky secure MAC addresses—These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, we do not recommend it.

You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter the switchport port-security mac-address sticky interface configuration command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.

The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the configuration, they are lost.

If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.

The maximum number of available MAC addresses on a secure port or VLAN is determined by the active Switch Database Management (SDM) template. See the "Optimizing System Resources for User-Selected Features" section for more information about configuring an SDM template.

Security Violations

It is a security violation when one of these situations occurs:

The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.

An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs:

protect—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.


Note We do not recommend enabling the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.


restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is logged, and the violation counter increments.

shutdown—In this mode, a port security violation causes the interface to immediately become error-disabled, and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.

Table 21-1 shows the violation mode and the actions taken when you configure an interface for port security.

Table 21-1 Security Violation Mode Actions 

Violation Mode
Traffic is forwarded 1
Sends SNMP trap
Sends syslog message
Displays error message 2
Violation counter increments
Shuts down port

protect

No

No

No

No

No

No

restrict

No

Yes

Yes

No

Yes

No

shutdown

No

Yes

Yes

No

Yes

Yes

1 Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.

2 The switch will return an error message if you manually configure an address that would cause a security violation.


Default Port Security Configuration

Table 21-2 shows the default port security configuration for an interface.

Table 21-2 Default Port Security Configuration 

Feature
Default Setting

Port security

Disabled.

Maximum number of secure MAC addresses

One.

Violation mode

Shutdown.

Sticky address learning

Disabled.

Port security aging

Disabled. Aging time is 0. When enabled, the default type is absolute.


Port Security Configuration Guidelines

Follow these guidelines when configuring port security:

Port security can only be configured on static access ports, trunk ports, or IEEE 802.1Q tunnel ports.

A secure port cannot be a dynamic access port.

A secure port cannot be a destination port for Switched Port Analyzer (SPAN).

A secure port cannot belong to a Fast EtherChannel or a Gigabit EtherChannel port group.


Note Voice VLAN is only supported on access ports and not on trunk ports, even though the configuration is allowed.


When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN. When the port is connected to a Cisco IP Phone, the IP phone requires up to two MAC addresses. The IP phone address is learned on the voice VLAN and might also be learned on the access VLAN. Connecting a PC to the IP phone requires additional MAC addresses.

When you enter a maximum secure address value for an interface, and the new value is greater than the previous value, the new value overwrites the previously configured value. If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value, the command is rejected.

The switch does not support port security aging of sticky secure MAC addresses.

Table 21-3 summarizes port security compatibility with other features configured on a port.

Table 21-3 Port Security Compatibility with Other Catalyst 3550 Features 

Type of Port
Compatible with Port Security

DTP1 port2

No

Trunk port

Yes

Dynamic-access port3

No

Routed port

No

SPAN source port

Yes

SPAN destination port

No

EtherChannel

No

Tunneling port

Yes

Protected port

Yes

Voice VLAN port4

Yes

IP source guard

Yes

Dynamic ARP5 inspection

Yes

Flex Links

Yes

1 DTP = Dynamic Trunking Protocol

2 A port configured with the switchport mode dynamic interface configuration command.

3 A VLAN Query Protocol (VQP) port configured with the switchport access vlan dynamic interface configuration command.

4 You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN.

5 ARP = Address Resolution Protocol


Enabling and Configuring Port Security

Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Specify the interface to be configured, and enter interface configuration mode.

Step 3 

switchport mode {access | trunk}

Set the interface switchport mode as access or trunk. An interface in the default mode (dynamic auto) cannot be configured as a secure port.

Step 4 

switchport voice vlan vlan-id

Enable voice VLAN on a port.

vlan-id—Specify the VLAN to be used for voice traffic.

Step 5 

switchport port-security

Enable port security on the interface.

Step 6 

switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]]

(Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of available addresses is determined by the active Switch Database Management (SDM) template. The default is 1.

(Optional) vlan—Set a per-VLAN maximum value.

Enter one of these options after you enter the vlan keyword:

vlan-list—On a trunk port, you can set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.

access—On an access port, specify the VLAN as an access VLAN.

voice—On an access port, specify the VLAN as a voice VLAN.

Note The voice keyword is available only if voice VLAN is configured on a port and if that port is not the access VLAN.

Step 7 

switchport port-security violation {protect | restrict | shutdown}

(Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:

protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.

restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

shutdown—The interface is error-disabled when a violation occurs, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

Note When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.

Step 8 

switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]

(Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.

Note If you enable sticky learning after you enter this command, the secure addresses that were dynamically learned are converted to sticky secure MAC addresses and are added to the running configuration.

(Optional) vlan—set a per-VLAN maximum value.

Enter one of these options after you enter the vlan keyword:

vlan-id—On a trunk port, you can specify the VLAN ID and the MAC address. If you do not specify a VLAN ID, the native VLAN is used.

access—On an access port, specify the VLAN as an access VLAN.

voice—On an access port, specify the VLAN as a voice VLAN.

Note The voice keyword is available only if voice VLAN is configured on a port and if that port is not the access VLAN.

Step 9 

switchport port-security mac-address sticky

(Optional) Enable sticky learning on the interface.

Step 10 

switchport port-security mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]

(Optional) Enter a sticky secure MAC address, repeating the command as many times as necessary. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned, are converted to sticky secure MAC addresses, and are added to the running configuration.

Note If you do not enable sticky learning before this command is entered, an error message appears, and you cannot enter a sticky secure MAC address.

(Optional) vlan—set a per-VLAN maximum value.

Enter one of these options after you enter the vlan keyword:

vlan-id—On a trunk port, you can specify the VLAN ID and the MAC address. If you do not specify a VLAN ID, the native VLAN is used.

access—On an access port, specify the VLAN as an access VLAN.

voice—On an access port, specify the VLAN as a voice VLAN.

Note The voice keyword is available only if voice VLAN is configured on a port and if that port is not the access VLAN.

Step 11 

end

Return to privileged EXEC mode.

Step 12 

show port-security

Verify your entries.

Step 13 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table. All addresses are now dynamically learned.

To return the interface to the default number of secure MAC addresses, use the no switchport port-security maximum value interface configuration command.

To return the violation mode to the default condition (shutdown mode), use the no switchport port-security violation {protect | restrict} interface configuration command.

To disable sticky learning on an interface, use the no switchport port-security mac-address sticky interface configuration command. The interface converts the sticky secure MAC addresses to dynamic secure addresses.

To delete a static secure MAC address from the address table, use the clear port-security configured address mac-address privileged EXEC command. To delete all the static secure MAC addresses on an interface or a VLAN, use the clear port-security configured interface interface-id privileged EXEC command.

To delete a dynamic secure MAC address from the address table, use the clear port-security dynamic address mac-address privileged EXEC command. To delete all the dynamic addresses on an interface or a VLAN, use the clear port-security dynamic interface interface-id privileged EXEC command.

To delete a sticky secure MAC addresses from the address table, use the clear port-security sticky address mac-address privileged EXEC command. To delete all the sticky addresses on an interface or a VLAN, use the clear port-security sticky interface interface-id privileged EXEC command.

This example shows how to enable port security on a port and to set the maximum number of secure addresses to 50. The violation mode is the default, no static secure MAC addresses are configured, and sticky learning is enabled.

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 50
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end

This example shows how to configure a static secure MAC address on a port and enable sticky learning:

Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0000.02000.0004
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end

This example shows how to configure a maximum of eight secure MAC addresses on VLAN 5 on a port:

Switch(config-if)# switchport port-security maximum 8 vlan 5
Switch(config-if)# end

This example shows how to enable sticky port security on a port, to manually configure MAC addresses for data VLAN and voice VLAN, and to set the total maximum number of secure addresses to 20 (10 for data VLAN and 10 for voice VLAN).


Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport access vlan 21
Switch(config-if)# switchport mode access
Switch(config-if)# switchport voice vlan 22
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 20
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
Switch(config-if)# switchport port-security mac-address 0000.0000.0003
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
Switch(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice
Switch(config-if)# switchport port-security maximum 10 vlan access
Switch(config-if)# switchport port-security maximum 10 vlan voice

This example shows how to configure a maximum of eight secure MAC addresses on VLAN 5 on a port:

Switch(config-if)# switchport port-security maximum 8 vlan 5
Switch(config-if)# end

Enabling and Configuring Port Security Aging

You can use port security aging to set the aging time for static and dynamic secure addresses on a port. Two types of aging are supported per port:

Absolute—The secure addresses on the port are deleted after the specified aging time.

Inactivity—The secure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time.

Use this feature to remove and add PCs on a secure port without manually deleting the existing secure MAC addresses and to still limit the number of secure addresses on a port. You can enable or disable the aging of statically configured secure addresses on a per-port basis.

Beginning in privileged EXEC mode, follow these steps to configure port security aging:

 
Command
Purpose

Step 1 

configure terminal

Enter global configuration mode.

Step 2 

interface interface-id

Specify the port on which you want to enable port security aging, and enter interface configuration mode.

Note The switch does not support port security aging of sticky secure addresses.

Step 3 

switchport port-security aging {static | time time | type {absolute | inactivity}}

Enable or disable static aging for the secure port, or set the aging time or type.

Enter static to enable aging for statically configured secure addresses on this port.

For time, specify the aging time for this port. The valid range is from 0 to 1440 minutes. If the time is equal to 0, aging is disabled for this port.

For type, select one of these keywords:

absolute—Sets the aging type as absolute aging. All the secure addresses on this port age out after the specified time (minutes) lapses and are removed from the secure address list.

Note The absolute aging time could vary by 1 minute, depending on the sequence of the system timer.

inactivity—Sets the aging type as inactivity aging. The secure addresses on this port age out only if there is no data traffic from the secure source addresses for the specified time period.

Step 4 

end

Return to privileged EXEC mode.

Step 5 

show port-security [interface interface-id] [address]

Verify your entries.

Step 6 

copy running-config startup-config

(Optional) Save your entries in the configuration file.

To disable port security aging for all secure addresses on a port, use the no switchport port-security aging time interface configuration command. To disable aging for only statically configured secure addresses, use the no switchport port-security aging static interface configuration command.

This example shows how to set the aging time as 2 hours for the secure addresses on a port:

Switch(config)# interface fastethernet0/1 
Switch(config-if)# switchport port-security aging time 120

This example shows how to set the aging time as 2 minutes for the inactivity aging type with aging enabled for the configured secure addresses on the interface:

Switch(config-if)# switchport port-security aging time 2 
Switch(config-if)# switchport port-security aging type inactivity 
Switch(config-if)# switchport port-security aging static

You can verify the previous commands by entering the show port-security interface interface-id privileged EXEC command.

Displaying Port-Based Traffic Control Settings

The show interfaces interface-id switchport privileged EXEC command displays (among other characteristics) the interface traffic suppression and control configuration. The show storm-control and show port-security privileged EXEC commands display those features.

To display traffic control information, use one or more of the privileged EXEC commands in Table 21-4.

Table 21-4 Commands for Displaying Traffic Control Status and Configuration

Command
Purpose

show interfaces [interface-id] switchport

Displays the administrative and operational status of all switching (nonrouting) ports or the specified port, including port blocking and port protection settings.

show storm-control [interface-id] [broadcast | multicast | unicast]

Displays storm control suppression levels set on all interfaces or the specified interface for the specified traffic type or for broadcast traffic if no traffic type is entered.

show port-security [interface interface-id]

Displays port security settings for the switch or for the specified interface, including the maximum allowed number of secure MAC addresses for each interface, the number of secure MAC addresses on the interface, the number of security violations that have occurred, and the violation mode.

show port-security [interface interface-id] address

Displays all secure MAC addresses configured on all switch interfaces or on a specified interface with aging information for each address.

show port-security [interface interface-id] vlan

Displays the maximum allowed number of secure MAC addresses for each VLAN and the number of secure MAC addresses on the VLAN.