- This feature controls the number of MAC addresses per port.
- The maximum number of MAC addresses per port can be configured (default is 1).
- The MAC addresses can be configured on each port as follows:
- Static: By entering the MAC addresses.
- Dynamic: The interface learns MAC addresses until the maximum allowed value is reached. The sticky option can be added so that the learned addresses are written into the configuration file.
- There are several violation methods:
- Shutdown: The interface is placed in the err-disabled state (default).
- Restrict: Packets from MAC addresses beyond the maximum are dropped; an SNMP trap and a syslog message are sent.
- Protect: Packets from MAC addresses beyond the maximum are dropped, but no SNMP trap or syslog message is sent.
Enable port-security on the port:
Switch(config-if)# switchport port-security
Specify the maximum number of MAC addresses that can be learned per port:
Switch(config-if)# switchport port-security maximum max-addr
To make the learned addresses persistent during a switch reboot, you can enable sticky MAC address learning with the following command:
Switch(config-if)# switchport port-security mac-address sticky
Define a static MAC address:
Switch(config-if)# switchport port-security mac-address mac-addr
Define how each interface using port-security should react if a MAC address violates port-security:
Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
Example:
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 5
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation restrict
Verification commands:
Switch# show port-security
Switch# show port-security interface fa0/1
Switch# show interface status err-disabled
To clear the err-disabled status, it is necessary to shut down and restart the interface (shut / no shut).
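As an added example (not part of the original notes), the following Python script audits a saved IOS running-config against the settings described above: it flags access ports with no port-security, a MAC limit above a policy threshold, or the protect mode, which drops frames without raising an SNMP trap or syslog message. The sample configuration, interface names and the policy limit of 5 are constructed for illustration; the parser assumes stanzas are separated by "!" lines as in IOS output.

```python
# Constructed sample running-config (not from the original page); names are made up.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
 switchport port-security violation protect
!
interface FastEthernet0/3
 switchport mode access
!
"""

def interface_stanzas(config):
    """Yield (interface name, [stripped sub-commands]) per 'interface' block."""
    for block in config.split("\n!"):
        lines = block.strip().splitlines()
        if lines and lines[0].startswith("interface "):
            yield lines[0].split(None, 1)[1], [l.strip() for l in lines[1:]]

def audit_port_security(config, max_allowed=5):
    """Flag access ports lacking port-security, allowing more than max_allowed
    MACs, or using 'protect' (frames dropped, but no SNMP trap or syslog)."""
    findings = {}
    for name, lines in interface_stanzas(config):
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope for this check
        if "switchport port-security" not in lines:
            findings[name] = ["port-security not enabled"]
            continue
        # Collect 'switchport port-security <keyword> <value>' settings
        settings = {p[2]: p[3] for p in (l.split() for l in lines)
                    if p[:2] == ["switchport", "port-security"] and len(p) == 4}
        maximum = int(settings.get("maximum", 1))          # IOS default: 1
        violation = settings.get("violation", "shutdown")  # IOS default: shutdown
        issues = []
        if maximum > max_allowed:
            issues.append(f"maximum {maximum} exceeds policy limit {max_allowed}")
        if violation == "protect":
            issues.append("violation mode 'protect' sends no SNMP trap or syslog")
        if issues:
            findings[name] = issues
    return findings
```

Run it against the output of `show running-config` saved to a file; ports that are absent from the result comply with the policy.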