Port Security
Defends against CAM table overflow (MAC flooding) attacks by limiting the number of source MAC addresses a port may learn.
Can be configured on access and trunk ports, but not on a port in dynamic (DTP negotiating) mode.
On a trunk port the maximum number of MAC addresses can be set per VLAN.
Violation Actions
- Protect: drops frames with an unknown source MAC address until enough secure MAC addresses are removed to fall below the maximum. No logs, no alerts, and no violation counter increment, so the drop is invisible unless you look for it.
- Restrict: drops frames with unknown source MAC addresses until enough secure MAC addresses are removed to fall below the maximum. Increments the SecurityViolation counter and generates syslog messages and SNMP traps.
- Shutdown: immediately puts the interface into the error-disabled state and sends an SNMP trap. This is the default action; the port stays down until it is re-enabled manually (shutdown / no shutdown) or by errdisable recovery.
- Shutdown VLAN: shuts down the entire VLAN.
Secure MAC Address Types
Dynamic: MAC addresses are learned on the port and lost on reload or link flap.
Static: MAC addresses are manually configured on the switch port.
Sticky: MAC addresses are learned and written into the running config as sticky entries; they survive a reload only if the configuration is saved.
Port Configuration
interface gi1/0/1
 switchport mode access
 switchport access vlan 123
 ! enable port security on the port before tuning it
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 ! age out secure addresses after 5 minutes without traffic (aging time is in minutes)
 switchport port-security aging type inactivity
 switchport port-security aging time 5
 ! one static secure MAC; 0011.2233.4455 is an example value, an all-zero address is rejected by IOS
 switchport port-security mac-address 0011.2233.4455
 switchport port-security mac-address sticky
Verification commands
show port-security address
show port-security
show port-security interface gi1/0/1
Automatic Recovery
Recovery for port-security violations is off by default; once enabled, the default recovery interval is 300 seconds. Both commands are entered in global configuration mode.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
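As an added example that is not part of these notes, the script below parses the summary table printed by `show port-security` and reports what the verification commands above are meant to reveal: ports that have recorded violations, ports sitting at their MAC limit (the next unknown address triggers the violation action), and ports left in Protect mode, which as noted above drops silently with no logs or alerts. The `SAMPLE_OUTPUT` text is a constructed sample in the IOS table layout, not output captured from a real switch; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample of "show port-security" summary output (not from a real switch).
SAMPLE_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi1/0/1              2            2                  0         Restrict
      Gi1/0/2              1            1                 17         Restrict
      Gi1/0/3              2            0                  1         Shutdown
      Gi1/0/4              5            3                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 3
Max Addresses limit in System (excluding one mac per port) : 8192
"""

# A data row is: port, three integer counters, then the violation action.
# Header, separator and "Total ..." lines do not match because their second
# field is not numeric.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


@dataclass
class PortSecurityRow:
    port: str
    max_addr: int
    current_addr: int
    violations: int
    action: str


def parse_port_security(text):
    """Return one PortSecurityRow per interface listed in the summary table."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(PortSecurityRow(m.group(1), int(m.group(2)), int(m.group(3)),
                                        int(m.group(4)), m.group(5)))
    return rows


def audit(rows, silent_actions=("Protect",)):
    """Return (port, kind, message) findings a defender would want to act on."""
    findings = []
    for r in rows:
        if r.violations > 0:
            findings.append((r.port, "violation",
                             f"{r.violations} security violation(s) recorded, action {r.action}"))
        if r.action in silent_actions:
            findings.append((r.port, "silent",
                             f"violation mode {r.action} drops silently: no syslog, trap or counter"))
        if r.max_addr > 0 and r.current_addr >= r.max_addr:
            findings.append((r.port, "capacity",
                             f"at limit ({r.current_addr}/{r.max_addr}); next new MAC triggers the violation action"))
    return findings


if __name__ == "__main__":
    for port, kind, msg in audit(parse_port_security(SAMPLE_OUTPUT)):
        print(f"{port:10} {kind:10} {msg}")
```

Feed it the real command output (for example via a scripted `show port-security` over SSH) and the "violation" findings are the ports to correlate with syslog and the SNMP traps that restrict and shutdown modes emit; the "silent" findings are the ports where no such evidence will exist.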