43-7
Software Configuration Guide—Release 15.0(2)SG
OL-23818-01
Chapter 43 Configuring Port Security
Configuring Port Security on Access Ports
Invalid Packet Handling
You might want to rate limit invalid source MAC address packets on a secure port if you anticipate
that a device will send invalid packets (such as traffic generator, sniffer, and bad NICs).
The port security feature considers the following as “invalid frames”:
–
Packets with a source or destination MAC address that is all zero
–
Packets with a multicast or broadcast source MAC address
–
Packets from an address either learned or configured on a secure interface that are observed on
another secure interface in the same VLAN
You can chose to rate limit these packets. If the rate is exceeded, you can trigger a violation action
for the port.
Configuring Port Security on Access Ports
These sections describe how to configure port security:
• Configuring Port Security on Access Ports, page 43-7
• Examples of Port Security on Access Ports, page 43-10
Note Port security can be enabled on a Layer 2 port channel interface configured in access mode. The port
security configuration on an EtherChannel is independent of the configuration of any member ports.
Configuring Port Security on Access Ports
To restrict traffic through a port by limiting and identifying MAC addresses of the stations allowed to
the port, perform this task:
Command Purpose
Step 1
Switch(config)# interface interface_id
interface port-channel port_channel_number
Enters interface configuration mode and specifies the
interface to configure.
Note The interface can be a Layer 2 port channel
logical interface.
Step 2
Switch(config-if)# switchport mode access
Sets the interface mode.
Note An interface in the default mode (dynamic auto)
cannot be configured as a secure port.
Step 3
Switch(config-if)# [no] switchport port-security
Enables port security on the interface.
To return the interface to the default condition as not
secured, use the no switchport port-security command.
