Q: How do I configure port security on my ASW (3550s or 3750s)?
A: First, make sure your IOS supports port security. You can use the Software Advisor tool on CCO to show you what versions of IOS support port security.
Port security is set at the interface level. First, you set the maximum number of MAC addresses for the switchport (default is 1, so if you set it to this you will see nothing in sho run).
sw(config-if)# switchport port-secu max 1
Then, choose between the three ways of learning MACs.
- static - manually configured. command is
switchport port-sec mac-add 0011.2233.4455
- dynamic - port will learn MAC addresses as usual, but stop learning more addresses when it has reached the max.
- sticky - converts dynamic address to static addresses in the running config only. To use this, wait until your switchport has learned the MACs you want, then issue the interface command
switchport port-sec mac sticky
. As soon as you do this, these MACs become static commands, but in the running config only. You then have tocopy run start
to make these settings survive a reload.
- protect - silently drop the packets from the excess MAC addresses.
- restrict - drop the packets over the max, and log the event.
- shutdown - err-disable the port. This is the default.
port-security ena
. Check the settings with sho port sec int f1/0/11
.
<< Home