Step 1
Command: enable
Purpose: Enables privileged EXEC mode.

Step 2
Command: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command: port-security mac-address forbidden mac-address
Example: Device(config)# port-security mac-address forbidden 2.2.2
Purpose: Specifies a MAC address that should be forbidden by port security on all the interfaces.

Step 4
Command: interface interface-id
Example: Device(config)# interface gigabitethernet1/0/1
Purpose: Specifies the interface to be configured, and enters interface configuration mode.

Step 5
Command: switchport mode {access | trunk}
Example: Device(config-if)# switchport mode access
Purpose: Sets the interface switchport mode as access or trunk; an interface in the default mode (dynamic auto) cannot be configured as a secure port.

Step 6
Command: switchport voice vlan vlan-id
Example: Device(config-if)# switchport voice vlan 22
Purpose: Enables voice VLAN on a port.
- vlan-id: Specifies the VLAN to be used for voice traffic.

Step 7
Command: switchport port-security
Example: Device(config-if)# switchport port-security
Purpose: Enables port security on the interface.
Note: Under certain conditions, when port security is enabled on the member ports in a switch stack, the DHCP and ARP packets would be dropped. To resolve this, configure a shut and no shut on the interface.

Step 8
Command: switchport port-security [maximum value [vlan {vlan-list | {access | voice}}]]
Example: Device(config-if)# switchport port-security maximum 20
Purpose: (Optional) Sets the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system. This number is set by the active Switch Database Management (SDM) template. This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.
(Optional) vlan: Sets a per-VLAN maximum value. Enter one of these options after you enter the vlan keyword:
- vlan-list: On a trunk port, you can set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
- access: On an access port, specifies the VLAN as an access VLAN.
- voice: On an access port, specifies the VLAN as a voice VLAN.
Note: The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.

Step 9
Command: switchport port-security violation {protect | restrict | shutdown | shutdown vlan}
Example: Device(config-if)# switchport port-security violation restrict
Purpose: (Optional) Sets the violation mode, the action to be taken when a security violation is detected, as one of these:
- protect: When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
Note: We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.
- restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
- shutdown: The interface is error-disabled when a violation occurs, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
- shutdown vlan: Sets the security violation mode per VLAN. In this mode, the VLAN is error-disabled instead of the entire port when a violation occurs.
Note: When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command. You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command.

Step 10
Command: switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]]
Example: Device(config-if)# switchport port-security mac-address 00:A0:C7:12:C9:25 vlan 3 voice
Purpose: (Optional) Enters a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
Note: If you enable sticky learning after you enter this command, the secure addresses that were dynamically learned are converted to sticky secure MAC addresses and are added to the running configuration.
(Optional) vlan: Sets a per-VLAN maximum value. Enter one of these options after you enter the vlan keyword:
- vlan-id: On a trunk port, you can specify the VLAN ID and the MAC address. If you do not specify a VLAN ID, the native VLAN is used.
- access: On an access port, specifies the VLAN as an access VLAN.
- voice: On an access port, specifies the VLAN as a voice VLAN.
Note: The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.

Step 11
Command: switchport port-security mac-address sticky
Example: Device(config-if)# switchport port-security mac-address sticky
Purpose: (Optional) Enables sticky learning on the interface.

Step 12
Command: switchport port-security mac-address sticky [mac-address | vlan {vlan-id | {access | voice}}]
Example: Device(config-if)# switchport port-security mac-address sticky 00:A0:C7:12:C9:25 vlan voice
Purpose: (Optional) Enters a sticky secure MAC address, repeating the command as many times as necessary. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned, are converted to sticky secure MAC addresses, and are added to the running configuration.
Note: If you do not enable sticky learning before this command is entered, an error message appears, and you cannot enter a sticky secure MAC address.
(Optional) vlan: Sets a per-VLAN maximum value. Enter one of these options after you enter the vlan keyword:
- vlan-id: On a trunk port, you can specify the VLAN ID and the MAC address. If you do not specify a VLAN ID, the native VLAN is used.
- access: On an access port, specifies the VLAN as an access VLAN.
- voice: On an access port, specifies the VLAN as a voice VLAN.
Note: The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN.

Step 13
Command: switchport port-security mac-address forbidden mac-address
Example: Device(config-if)# switchport port-security mac-address forbidden 2.2.2
Purpose: Specifies a MAC address that should be forbidden by port security on the particular interface.

Step 14
Command: end
Purpose: Returns to privileged EXEC mode.

Step 15
Command: show port-security
Example: Device# show port-security

Step 16
Command: show running-config
Example: Device# show running-config

Step 17
Command: copy running-config startup-config
Example: Device# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
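As an added example (not Cisco's code and not part of this guide), the following Python audit reads a constructed running-config excerpt and flags the three pitfalls the procedure above calls out: a secure port left in dynamic auto mode (Step 5), protect mode on a trunk port (Step 9 note), and a voice VLAN port without a maximum of two secure MAC addresses (Step 8 note). The interface names and configuration text are constructed, and the defaults assumed when a line is absent (maximum 1, violation shutdown) are IOS defaults that this page does not state.

```python
# Constructed running-config excerpt (not captured from a real device).
SAMPLE_CONFIG = """interface GigabitEthernet1/0/1
 switchport mode access
 switchport voice vlan 22
 switchport port-security
 switchport port-security maximum 2
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet1/0/3
 switchport voice vlan 22
 switchport port-security
!
"""

def parse_interfaces(config):
    # Map each 'interface X' stanza to its indented configuration lines.
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the stanza
    return stanzas

def audit_port_security(config):
    """Return {interface: [findings]} for every stanza that enables port security."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport port-security" not in lines:
            continue
        issues = []
        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        if mode not in ("access", "trunk"):
            issues.append("no explicit access/trunk mode: a dynamic auto port cannot be secured")
        viol = next((l.split()[3] for l in lines if l.startswith("switchport port-security violation ")), "shutdown")
        if mode == "trunk" and viol == "protect":
            issues.append("protect mode on a trunk port disables learning once any VLAN hits its limit")
        # Port-level maximum only; IOS default of 1 assumed when absent (per-VLAN maxima ignored).
        maxima = [int(l.split()[3]) for l in lines if l.startswith("switchport port-security maximum ") and len(l.split()) == 4]
        if any(l.startswith("switchport voice vlan ") for l in lines) and (maxima[0] if maxima else 1) < 2:
            issues.append("voice VLAN port should allow a maximum of two secure MAC addresses")
        if issues:
            findings[name] = issues
    return findings
```

Running audit_port_security(SAMPLE_CONFIG) reports nothing for GigabitEthernet1/0/1, one finding for the trunk port and two for GigabitEthernet1/0/3; feed it the text of show running-config (Step 16) to check a real device.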