Feedback
Table Of Contents
set precedence (policy map class)
switchport port-security aging time
switchport port-security aging type
switchport port-security mac-address
switchport port-security mac-address sticky
switchport port-security maximum
switchport port-security violation
S Commands
This chapter describes the Cisco NX-OS security commands that begin with S, except for show commands, which are in Chapter 2, "Show Commands."
sap modelist
To configure the Cisco TrustSec Security Association Protocol (SAP) operation mode, use the sap modelist command. To revert to the default, use the no form of this command.
sap modelist {gcm-encrypt | gmac | no-encap | none}
no sap modelist {gcm-encrypt | gmac | no-encap | none}
Syntax Description
Defaults
gcm-encrypt
Command Modes
Cisco TrustSec 802.1X configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
After using this command, you must enable and disable the interface using the shutdown/no shutdown command sequence for the configuration to take effect.
This command requires the Advanced Services license.
Examples
This example shows how to configure Cisco TrustSec SAP operation mode on an interface:
switch# configure terminalswitch(config)# interface ethernet 2/3switch(config-if)# cts dot1xswitch(config-if-cts-dot1x)# sap modelist gmacswitch(config-if-cts-dot1x)# exitswitch(config-if)# shutdownswitch(config-if)# no shutdownThis example shows how to revert to the default Cisco TrustSec SAP operation mode on an interface:
switch# configure terminalswitch(config)# interface ethernet 2/3switch(config-if)# cts dot1xswitch(config-if-cts-dot1x)# no sap modelist gmacswitch(config-if-cts-dot1x)# exitswitch(config-if)# shutdownswitch(config-if)# no shutdownRelated Commands
sap pmk
To manually configure the Cisco TrustSec Security Association Protocol (SAP) pairwise master key (PMK), use the sap command. To remove the SAP configuration, use the no form of this command.
sap pmk [key | use-dot1x} [modelist {gcm-encrypt | gmac | no-encap | none}]
no sap
Syntax Description
Defaults
gcm-encrypt
Command Modes
Cisco TrustSec manual configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
After using this command, you must enable and disable the interface using the shutdown/no shutdown command sequence for the configuration to take effect.
This command requires the Advanced Services license.
Examples
This example shows how to manually configure Cisco TrustSec SAP on an interface:
switch# configure terminalswitch(config)# interface ethernet 2/3switch(config-if)# cts manualswitch(config-if-cts-manual)# sap pmk fedbaa modelist gmacswitch(config-if-cts-manual)# exitswitch(config-if)# shutdownswitch(config-if)# no shutdownThis example shows how to remove a manual Cisco TrustSec SAP configuration from an interface:
switch# configure terminalswitch(config)# interface ethernet 2/3switch(config-if)# cts manualswitch(config-if-cts-manual)# no sapswitch(config-if-cts-manual)# exitswitch(config-if)# shutdownswitch(config-if)# no shutdownRelated Commands
send-lifetime
To specify the time interval within which the device sends the key during key exchange with another device, use the send-lifetime command. To remove the time interval, use the no form of this command.
send-lifetime [local] start-time [duration duration-value | infinite | end-time]
Syntax Description
Defaults
infinite
Command Modes
Key configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
This command does not require a license.
By default, the device interprets all time range rules as UTC.
By default, the time interval within which the device sends a key during key exchange with another device—the send lifetime—is infinite, which means that the key is always valid.
The start-time and end-time arguments both require time and date components, in the following format:
hour[:minute[:second]] month day year
You specify the hour in 24-hour notation. For example, in 24-hour notation, 8:00 a.m. is 8:00 and 8:00 p.m. is 20:00. The minimum valid start-time is 00:00:00 Jan 1 1970, and the maximum valid start-time is 23:59:59 Dec 31 2037.
Examples
This example shows how to create a send lifetime that begins at midnight on June 13, 2008, and ends at 11:59:59 p.m. on August 12, 2008:
switch# configure terminalswitch(config)# key chain glbp-keysswitch(config-keychain)# key 13switch(config-keychain-key)# send-lifetime 00:00:00 Jun 13 2008 23:59:59 Aug 12 2008switch(config-keychain-key)#Related Commands
server
To add a server to a RADIUS or TACACS+ server group, use the server command. To delete a server from a server group, use the no form of this command.
server {ipv4-address | ipv6-address | hostname}
no server {ipv4-address | ipv6-address | hostname}
Syntax Description
Defaults
None
Command Modes
RADlUS server group configuration
TACACS+ server group configurationSupported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
You can configure up to 64 servers in a server group.
Use the aaa group server radius command to enter RADIUS server group configuration mode or the aaa group server tacacs+ command to enter TACACS+ server group configuration mode.
If the server is not found, use the radius-server host command or tacacs-server host command to configure the server.
Note
You must use the feature tacacs+ command before you configure TACACS+.
This command does not require a license.
Examples
This example shows how to add a server to a RADIUS server group:
switch# configure terminalswitch(config)# aaa group server radius RadServerswitch(config-radius)# server 10.10.1.1This example shows how to delete a server from a RADIUS server group:
switch# configure terminalswitch(config)# aaa group server radius RadServerswitch(config-radius)# no server 10.10.1.1This example shows how to add a server to a TACACS+ server group:
switch# configure terminalswitch(config)# feature tacacs+switch(config)# aaa group server tacacs+ TacServerswitch(config-tacacs+)# server 10.10.2.2This example shows how to delete a server from a TACACS+ server group:
switch# configure terminalswitch(config)# feature tacacs+switch(config)# aaa group server tacacs+ TacServerswitch(config-tacacs+)# no server 10.10.2.2Related Commands
service dhcp
To enable the DHCP relay agent, use the service dhcp command. To disable the DHCP relay agent, use the no form of this command.
service dhcp
no service dhcp
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
4.2(1)
This command was deprecated and replaced with the ip dhcp relay command.
4.0(1)
This command was introduced.
Usage Guidelines
This command does not require a license.
Examples
This example shows how to globally enable DHCP snooping:
switch# configure terminalswitch(config)# service dhcpswitch(config)#Related Commands
service-policy input
To attach a control plane policy map to the control plane, use the service-policy input command. To remove a control plane policy map, use the no form of this command.
service-policy input policy-map-name
no service-policy input policy-map-name
Syntax Description
Defaults
None
Command Modes
Control plane configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
You can assign only one control place policy map to the control plane. To assign a new control plane policy map to the control plane, you must remove the old control plane policy map.
This command does not require a license.
Examples
This example shows how to assign a control plane policy map to the control plane:
switch# configure terminalswitch(config)# control-planeswitch(config-cp)# service-policy input PolicyMapAThis example shows how to remove a control plane policy map from the control plane:
switch# configure terminalswitch(config)# control-planeswitch(config-cp)# no service-policy input PolicyMapARelated Commands
set cos
To set the IEEE 802.1Q class of service (CoS) value for a control plane policy map, use the set cos command. To revert to the default, use the no form of this command.
set cos [inner] cos-value
no set cos [inner] cos-value
Syntax Description
inner
(Optional) Specifies inner 802.1Q in a Q-in-Q environment.
cos-value
Numerical value of CoS in the control plane policy map. The range is from 0 to 7.
Defaults
0
Command Modes
Policy map class configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to configure the CoS value for a control plane policy map:
switch# configure terminalswitch(config)# policy-map type control-plane PolicyMapAswitch(config-pmap)# class ClassMapAswitch(config-pmap-c)# set cos 4This example shows how to revert to the default CoS value for a control plane policy map:
switch# configure terminalswitch(config)# policy-map type control-plane PolicyMapAswitch(config-pmap)# class ClassMapAswitch(config-pmap-c)# no set cos 4Related Commands
set dscp (policy map class)
To set the differentiated services code point (DSCP) value for IPv4 and IPv6 packets in a control plane policy map, use the set dscp command. To revert to the default, use the no form of this command.
set dscp [tunnel] {dscp-value | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | ef | default}
no set dscp [tunnel] {dscp-value | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | ef | default}
Syntax Description
Defaults
default
Command Modes
Policy map class configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to configure the DSCP value for a control plane policy map:
switch# configure terminalswitch(config)# policy-map type control-plane PolicyMapAswitch(config-pmap)# class ClassMapAswitch(config-pmap-c)# set dscp 4This example shows how to revert to the default DSCP value for a control plane policy map:
switch# configure terminalswitch(config)# policy-map type control-plane PolicyMapAswitch(config-pmap)# class ClassMapAswitch(config-pmap-c)# no set dscp 4Related Commands
set precedence (policy map class)
To set the precedence value for IPv4 and IPv6 packets in a control plane policy map, use the set precedence command. To revert to the default, use the no form of this command.
set precedence [tunnel] {prec-value | critical | flash | flash-override | immediate | internet | network | priority | routine}
no set precedence [tunnel] {prec-value | critical | flash | flash-override | immediate | internet | network | priority | routine}
Syntax Description
Defaults
0 or routine
Command Modes
Policy map class configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to configure the CoS value for a control plane policy map:
switch# configure terminalswitch(config)# policy-map type control-plane PolicyMapAswitch(config-pmap)# class ClassMapAswitch(config-pmap-c)# set precedence criticalThis example shows how to revert to the default CoS value for a control plane policy map:
switch# configure terminalswitch(config)# policy-map type control-plane PolicyMapAswitch(config-pmap)# class ClassMapAswitch(config-pmap-c)# no set precedence criticalRelated Commands
source-interface
To assign a source interface for a specific RADIUS or TACACS+ server group, use the source-interface command. To revert to the default, use the no form of this command.
source-interface interface
no source-interface
Syntax Description
Defaults
The default is the global source interface.
Command Modes
RADIUS configuration
TACACS+ configurationSupported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
The source-interface command to override the global source interface assigned by the ip radius source-interface command or ip tacacs source-interface command.
You must use the feature tacacs+ command before you configure TACACS+.
This command does not require a license.
Examples
This example shows how to enter IP access list configuration mode for an IPv4 ACL named ip-acl-01:
switch# configure terminalswitch(config)# ip radius source-interface mgmt 0switch(config-radius)# source-interface ethernet 2/1Related Commands
ssh
To create a Secure Shell (SSH) session using IPv4 on the NX-OS device, use the ssh command.
ssh [username@]{ipv4-address | hostname} [vrf vrf-name]
Syntax Description
Defaults
Default VRF
Command Modes
Any command mode
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
The NX-OS software supports SSH version 2.
To use IPv6 addressing for an SSH session, use the ssh6 command.
The Cisco NX-OS software supports a maximum of 60 concurrent SSH and Telnet sessions.
This command does not require a license.
Examples
This example shows how to start an SSH session using IPv4:
switch# ssh 10.10.1.1 vrf managementThe authenticity of host '10.10.1.1 (10.10.1.1)' can't be established.RSA key fingerprint is 9b:d9:09:97:f6:40:76:89:05:15:42:6b:12:48:0f:d6.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '10.10.1.1' (RSA) to the list of known hosts.User Access VerificationPassword:Related Commands
clear ssh session
Clears SSH sessions.
feature ssh
Enables the SSH server.
ssh6
Starts an SSH session using IPv6 addressing.
ssh key
To create a Secure Shell (SSH) server key for a virtual device context (VDC), use the ssh key command. To remove the SSH server key, use the no form of this command.
ssh key {dsa [force] | rsa [length [force]]}
no ssh key [dsa | rsa]
Syntax Description
Defaults
1024-bit length
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
The NX-OS software supports SSH version 2.
If you want to remove or replace an SSH server key, you must first disable the SSH server using the no feature ssh command.
This command does not require a license.
Examples
This example shows how to create an SSH server key using DSA:
switch# configure terminalswitch(config)# ssh key dsagenerating dsa key(1024 bits).......generated dsa keyThis example shows how to create an SSH server key using RSA with the default key length:
switch# configure terminalswitch(config)# ssh key rsagenerating rsa key(1024 bits)......generated rsa keyThis example shows how to create an SSH server key using RSA with a specified key length:
switch# configure terminalswitch(config)# ssh key rsa 768generating rsa key(768 bits)......generated rsa keyThis example shows how to replace an SSH server key using DSA with the force option:
switch# configure terminalswitch(config)# no feature sshswitch(config)# ssh key dsa forcedeleting old dsa key.....generating dsa key(1024 bits)......generated dsa keyswitch(config)# feature sshThis example shows how to remove the DSA SSH server key:
switch# configure terminalswitch(config)# no feature sshXML interface to system may become unavailable since ssh is disabledswitch(config)# no ssh key dsaswitch(config)# feature sshThis example shows how to remove all SSH server keys:
switch# configure terminalswitch(config)# no feature sshXML interface to system may become unavailable since ssh is disabledswitch(config)# no ssh keyswitch(config)# feature sshRelated Commands
show ssh key
Displays the SSH server key information.
feature ssh
Enables the SSH server.
ssh server enable
To enable the Secure Shell (SSH) server for a virtual device context (VDC), use the ssh server enable command. To disable the SSH server, use the no form of this command.
ssh server enable
no ssh server enable
Syntax Description
This command has no arguments or keywords.
Defaults
Enabled
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
4.1(2)
This command was deprecated and replaced with the feature ssh command.
4.0(1)
This command was introduced.
Usage Guidelines
The NX-OS software supports SSH version 2.
This command does not require a license.
Examples
This example shows how to enable the SSH server:
switch# config tswitch(config)# ssh server enableThis example shows how to disable the SSH server:
switch# config tswitch(config)# no ssh server enableXML interface to system may become unavailable since ssh is disabledRelated Commands
ssh6
To create a Secure Shell (SSH) session using IPv6 on the NX-OS device, use the ssh6 command.
ssh6 [username@]{ipv6-address | hostname} [vrf vrf-name]
Syntax Description
Defaults
Default VRF
Command Modes
Any command mode
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
The NX-OS software supports SSH version 2.
To use IPv4 addressing to start an SSH session, use the ssh command.
The Cisco NX-OS software supports a maximum of 60 concurrent SSH and Telnet sessions.
This command does not require a license.
Examples
This example shows how to start an SSH session using IPv6:
switch# ssh host2 vrf managementRelated Commands
clear ssh session
Clears SSH sessions.
ssh
Starts an SSH session using IPv4 addressing.
feature ssh
Enables the SSH server.
statistics per-entry
To start recording statistics for how many packets are permitted or denied by each entry in an IP, a MAC access control list (ACL), or a VLAN access-map entry, use the statistics per-entry command. To stop recording per-entry statistics, use the no form of this command.
statistics per-entry
no statistics per-entry
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
IP access-list configuration
IPv6 access-list configuration
MAC access-list configuration
VLAN access-map configurationSupported User Rolesnetwork-admin
vdc-adminCommand History
4.0(1)
This command was introduced.
4.0(3)
Changed command from statistics to statistics per-entry.
Usage Guidelines
When the device determines that an IPv4, IPv6, MAC, or VLAN ACL applies to a packet, it tests the packet against the conditions of all entries in the ACLs. ACL entries are derived from the rules that you configure with the applicable permit and deny commands. The first matching rule determines whether the packet is permitted or denied. Enter the statistics per-entry command to start recording how many packets are permitted or denied by each entry in an ACL.
Statistics are not supported if the DHCP snooping feature is enabled.
The device does not record statistics for implicit rules. To record statistics for these rules, you must explicitly configure an identical rule for each implicit rule. For more information about implicit rules, see the following commands:
•
•
•
To view per-entry statistics, use the show access-lists command or the applicable following command:
•
•
•
To clear per-entry statistics, use the clear access-list counters command or the applicable following command:
•
•
•
•
This command does not require a license.
Examples
This example shows how to start recording per-entry statistics for an IPv4 ACL named ip-acl-101:
switch(config)# ip access-list ip-acl-101switch(config-acl)# statistics per-entryswitch(config-acl)#This example shows how to stop recording per-entry statistics for an IPv4 ACL named ip-acl-101:
switch(config)# ip access-list ip-acl-101switch(config-acl)# no statistics per-entryswitch(config-acl)#This example shows how to start recording per-entry statistics for the ACLs in entry 20 in a VLAN access-map named vlan-map-01:
switch(config)# vlan access-map vlan-map-01 20switch(config-access-map)# statistics per-entryswitch(config-access-map)#This example shows how to stop recording per-entry statistics for the ACLs in entry 20 in a VLAN access-map named vlan-map-01:
switch(config)# vlan access-map vlan-map-01 20switch(config-access-map)# no statistics per-entryswitch(config-access-map)#Related Commands
storm-control level
To set the suppression level for traffic storm control, use the storm-control level command. To turn off the suppression mode or revert to the default, use the no form of this command.
storm-control {broadcast | multicast | unicast} level percentage [. fraction]
no storm-control {broadcast | multicast | unicast} level
Syntax Description
Defaults
All packets are passed
Command Modes
Interface configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
Enter the storm-control level command to enable traffic storm control on the interface, configure the traffic storm-control level, and apply the traffic storm-control level to all traffic storm-control modes that are enabled on the interface.
Only one suppression level is shared by all three suppression modes. For example, if you set the broadcast level to 30 and set the multicast level to 40, both levels are enabled and set to 40.
The period (.) is required when you enter the fractional-suppression level.
The suppression level is a percentage of the total bandwidth. A threshold value of 100 percent means that no limit is placed on traffic. A threshold value of 0 or 0.0 (fractional) percent means that all specified traffic is blocked on a port.
Use the show interfaces counters broadcast command to display the discard count.
Use one of the follow methods to turn off suppression for the specified traffic type:
•
•
This command does not require a license.
Examples
This example shows how to enable suppression of broadcast traffic and set the suppression threshold level:
switch# configure terminalswitch(config)# interface ethernet 1/1switch(config-if)# storm-control broadcast level 30This example shows how to disable the suppression mode for multicast traffic:
switch# configure terminalswitch(config)# interface ethernet 1/1switch(config-if)# no storm-control multicast levelRelated Commands
show interface
Displays the storm-control suppression counters for an interface.
show running-config
Displays the configuration of the interface.
switchport port-security
To enable port security on a Layer 2 Ethernet interface or Layer 2 port-channel interface, use the switchport port-security command. To remove port security configuration, use the no form of this command.
switchport port-security
no switchport port-security
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Interface configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
4.2(1)
Support for Layer 2 port-channel interfaces was added.
4.0(1)
This command was introduced.
Usage Guidelines
Per interface, port security is disabled by default.
You must configure the interface as a Layer 2 interface by using the switchport command before you can use the switchport port-security command.
You must enable port security by using the feature port-security command before you can use the switchport port-security command.
If port security is enabled on any member port of the Layer 2 port-channel interface, the device does not allow you to disable port security on the port-channel interface. To do so, remove all secure member ports from the port-channel interface first. After disabling port security on a member port, you can add it to the port-channel interface again, as needed.
Enabling port security on an interface also enables the default method for learning secure MAC addresses, which is the dynamic method. To enable the sticky learning method, use the switchport port-security mac-address sticky command.
This command does not require a license.
Examples
This example shows how to enable port security on the Ethernet 2/1 interface:
switch# configure terminalswitch(config)# interface ethernet 2/1switch(config-if)# switchport port-securityswitch(config-if)#This example shows how to enable port security on the port-channel 10 interface:
switch# configure terminalswitch(config)# interface port-channel 10switch(config-if)# switchport port-securityswitch(config-if)#Related Commands
switchport port-security aging time
To configure the aging time for dynamically learned, secure MAC addresses, use the switchport port-security aging time command. To return to the default aging time of 1440 minutes, use the no form of this command.
switchport port-security aging time minutes
no switchport port-security aging time minutes
Syntax Description
minutes
Length of time that a dynamically learned, secure MAC address must age before the device drops the address. Valid values are from 1 to 1440.
Defaults
None
Command Modes
Interface configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
4.2(1)
Support for Layer 2 port-channel interfaces was added.
4.0(1)
This command was introduced.
Usage Guidelines
The default aging time is 1440 minutes.
You must enable port security by using the feature port-security command before you can use the switchport port-security aging time command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
This command does not require a license.
Examples
This example shows how to configure an aging time of 120 minutes on the Ethernet 2/1 interface:
switch# configure terminalswitch(config)# interface ethernet 2/1switch(config-if)# switchport port-security aging time 120switch(config-if)#Related Commands
switchport port-security aging type
To configure the aging type for dynamically learned, secure MAC addresses, use the switchport port-security aging type command. To return to the default aging type, which is absolute aging, use the no form of this command.
switchport port-security aging type {absolute | inactivity}
no switchport port-security aging type {absolute | inactivity}
Syntax Description
Defaults
absolute
Command Modes
Interface configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
4.2(1)
Support for Layer 2 port-channel interfaces was added.
4.0(1)
This command was introduced.
Usage Guidelines
The default aging type is absolute aging.
You must enable port security by using the feature port-security command before you can use the switchport port-security aging type command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
This command does not require a license.
Examples
This example shows how to configure the aging type to be "inactivity" on the Ethernet 2/1 interface:
switch# configure terminalswitch(config)# interface ethernet 2/1switch(config-if)# switchport port-security aging type inactivityswitch(config-if)#Related Commands
switchport port-security mac-address
To configure a static, secure MAC address on an interface, use the switchport port-security mac-address command. To remove a static, secure MAC address from an interface, use the no form of this command.
switchport port-security mac-address address [vlan vlan-ID]
no switchport port-security mac-address address [vlan vlan-ID]
Syntax Description
Defaults
None
Command Modes
Interface configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
4.2(1)
Support for Layer 2 port-channel interfaces was added.
4.0(1)
This command was introduced.
Usage Guidelines
There are no default static, secure MAC addresses.
You must enable port security by using the feature port-security command before you can use the switchport port-security mac-address command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
This command does not require a license.
Examples
This example shows how to configure 0019.D2D0.00AE as a static, secure MAC address on the Ethernet 2/1 interface:
switch# configure terminalswitch(config)# interface ethernet 2/1switch(config-if)# switchport port-security mac-address 0019.D2D0.00AEswitch(config-if)#Related Commands
switchport port-security mac-address sticky
To enable the sticky method for learning secure MAC addresses on a Layer 2 Ethernet interface or Layer 2 port-channel interface, use the switchport port-security mac-address sticky command. To disable the sticky method and return to the dynamic method, use the no form of this command.
switchport port-security mac-address sticky
no switchport port-security mac-address sticky
Syntax Description
This command has no arguments or keywords.
Defaults
The sticky method of secure MAC address learning is disabled by default.
Command Modes
Interface configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
4.2(1)
Support for Layer 2 port-channel interfaces was added.
4.0(1)
This command was introduced.
Usage Guidelines
You must enable port security by using the feature port-security command before you can use the switchport port-security mac-address sticky command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
This command does not require a license.
Examples
This example shows how to enable the sticky method of learning secure MAC addresses on the Ethernet 2/1 interface:
switch# configure terminalswitch(config)# interface ethernet 2/1switch(config-if)# switchport port-security mac-address stickyswitch(config-if)#Related Commands
switchport port-security maximum
To configure the interface maximum or a VLAN maximum of secure MAC addresses on a Layer 2 Ethernet interface or Layer 2 port-channel interface, use the switchport port-security maximum command. To remove port security configuration, use the no form of this command.
switchport port-security maximum number [vlan vlan-ID]
no switchport port-security maximum number [vlan vlan-ID]
Syntax Description
Defaults
None
Command Modes
Interface configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
4.2(1)
Support for Layer 2 port-channel interfaces was added.
4.0(1)
This command was introduced.
Usage Guidelines
The default interface maximum is one secure MAC address.
Enabling port security on an interface also enables the default method for learning secure MAC addresses, which is the dynamic method. To enable the sticky learning method, use the switchport port-security mac-address sticky command.
You must enable port security by using the feature port-security command before you can use the switchport port-security maximum command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
There is no default VLAN maximum.
There is a system-wide, nonconfigurable maximum of 4096 secure MAC addresses.
This command does not require a license.
Maximums for Access Ports and Trunk Ports
For an interface used as an access port, we recommend that you use the default interface maximum of one secure MAC address.
For an interface used as a trunk port, set the interface maximum to a number that reflects the actual number of hosts that could use the interface.
Interface Maximums, VLAN Maximums, and the Device Maximum
The sum of all VLAN maximums that you configure on an interface cannot exceed the interface maximum. For example, if you configure a trunk-port interface with an interface maximum of 10 secure MAC addresses and a VLAN maximum of 5 secure MAC addresses for VLAN 1, the largest maximum number of secure MAC addresses that you can configure for VLAN 2 is also 5. If you tried to configure a maximum of 6 secure MAC addresses for VLAN 2, the device would not accept the command.
Examples
This example shows how to configure an interface maximum of 10 secure MAC addresses on the Ethernet 2/1 interface:
switch# configure terminalswitch(config)# interface ethernet 2/1switch(config-if)# switchport port-security maximum 10switch(config-if)#Related Commands
switchport port-security violation
To configure the action that the device takes when a security violation event occurs on an interface, use the switchport port-security violation command. To remove the port security violation action configuration, use the no form of this command.
switchport port-security violation {protect | restrict | shutdown}
no switchport port-security violation {protect | restrict | shutdown}
Syntax Description
Defaults
None
Command Modes
Interface configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
4.2(1)
Support for Layer 2 port-channel interfaces was added.
4.0(1)
This command was introduced.
Usage Guidelines
The default security violation action is to shut down the interface.
You must enable port security by using the feature port-security command before you can use the switchport port-security violation command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
Port security triggers security violations when either of the two following events occur:
•
When an interface has both a VLAN maximum and an interface maximum configured, a violation occurs when either maximum is exceeded. For example, consider the following on a single interface configured with port security:
–
–
The device detects a violation when any of the following occurs:
–
–
•
Note
When a security violation occurs, the device takes the action specified by the port security configuration of the applicable interface. The possible actions are as follows:
•
You can use the errdisable global configuration command to configure the device to reenable the interface automatically if a shutdown occurs, or you can manually reenable the interface by entering the shutdown and no shut down interface configuration commands.
•
After 100 security violations occur, the device disables learning on the interface and drops all ingress traffic from nonsecure MAC addresses. In addition, the device generates an SNMP trap for each security violation.
•
If a violation occurs because ingress traffic from a secure MAC address arrives at a different interface than the interface on which the address is secure, the device applies the action on the interface that received the traffic.
This command does not require a license.
Examples
This example shows how to configure an interface to respond to a security violation event with the protect action:
switch# configure terminalswitch(config)# interface ethernet 2/1switch(config-if)# switchport port-security violation protectswitch(config-if)#Related Commands
