3.10.10 Port Security Configuration

Use this command to configure the Port Security global settings. If aging is enabled, secured MAC addresses are subject to aging with a specified period and hold time (how long a MAC address is held in the MAC table if it has been found to violate the limit).

Command Syntax:

port-security aging
port-security aging time <aging_time>
port-security hold time <hold_time>
Table 3-51. Command Description

Argument    Description
----------  --------------------------------------------------------------------
Parameter   <aging_time>  Aging period in seconds, 10 to 10000000. Default: 3600
                          seconds.
            <hold_time>   Hold time in seconds, 10 to 10000000. Default: 300
                          seconds.
Default     N.A
Mode        Global Configuration mode
Usage       Enable port security aging. To disable port security aging or revert
            to the default aging period and hold time, use the ‘no’ version of
            the command.

Example

Example 1:

Enable aging.

(config)# port-security aging

Example 2:

Set the aging period and hold time to 600 seconds.

(config)# port-security aging time 600
(config)# port-security hold time 600

Use this command to configure Port Security settings. Port Security limits the number of users on a given port. A user is identified by a MAC address and VLAN ID. If Port Security is enabled on a port, the limit specifies the maximum number of users on the port. If this number is exceeded, an action is taken depending on the Violation mode. The Violation mode can be:
  • Protect: Do not allow more than the Limit MAC addresses on the port, but take no further action.
  • Restrict: If the Limit is reached, subsequent MAC addresses on the port are counted and marked as violating. Such MAC addresses are removed from the MAC table when the hold time expires. At most Violation Limit MAC addresses can be marked as violating at any given time.
  • Shutdown: If the Limit is reached, one additional MAC address causes the port to be shut down.

Command Syntax:

port-security
port-security maximum <limit>
port-security maximum-violation <violate_limit>
port-security violation { protect | restrict | shutdown }
port-security mac-address { [ sticky ] [ <mac> [ vlan <vlan_id> ] ] }
no port-security mac-address { [ sticky ] [ <mac> [ vlan <vlan_id> ] ] }
Table 3-52. Command Description

Argument    Description
----------  --------------------------------------------------------------------
Parameter   <limit>          The maximum number of MAC addresses that can be
                             secured on this port. Cannot exceed 1023. Default: 4.
            <violate_limit>  The maximum number of MAC addresses that can be
                             marked as violating on this port. Cannot exceed 1023.
                             Default: 4. Only used when the Violation mode is
                             Restrict.
            <mac>            MAC address in the format XX:XX:XX:XX:XX:XX
Default     N.A
Mode        Port List Interface mode
Usage       Enable port security. To disable port security or revert to the
            default values, use the ‘no’ version of the command.

Example

Example 1:

Enable port security on port 2.

(config)# interface GigabitEthernet 1/2
(config-if)# port-security

Example 2:

Set the violation mode to Restrict and set the violation limit to 100.

(config-if)# port-security violation restrict
(config-if)# port-security maximum-violation 100
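To make the interaction of the limit, the violation limit, the three violation modes, aging and hold time concrete, the following is an added Python model of the behaviour the two command descriptions above specify. It is an illustration written for this page, not the switch firmware or any vendor code. Two details the descriptions leave open are taken as assumptions and marked in the comments: a secured address's aging timer is refreshed whenever that address is seen, and in Restrict mode an address arriving after the violation limit is already full is dropped without being marked. The MAC addresses and timestamps in `demo()` are constructed sample traffic; sticky and static entries are not modelled.

```python
"""Model of the port-security behaviour described in the two sections above
(aging, limit, violation limit, hold time, violation modes).
Added example, not the switch firmware or vendor code."""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class PortSecurity:
    maximum: int = 4             # port-security maximum <limit>
    violation: str = PROTECT     # port-security violation { protect | restrict | shutdown }
    max_violation: int = 4       # port-security maximum-violation <violate_limit>
    aging_enabled: bool = False  # port-security aging (global)
    aging_time: int = 3600       # port-security aging time <aging_time>, seconds
    hold_time: int = 300         # port-security hold time <hold_time>, seconds
    # A user is identified by (MAC, VLAN); values are the time last seen / marked.
    secured: dict = field(default_factory=dict)
    violating: dict = field(default_factory=dict)
    shut_down: bool = False

    def _expire(self, now):
        """Age out secured users and release violating ones whose hold time has elapsed."""
        if self.aging_enabled:
            for key, seen in list(self.secured.items()):
                if now - seen >= self.aging_time:
                    del self.secured[key]
        for key, marked in list(self.violating.items()):
            if now - marked >= self.hold_time:
                del self.violating[key]

    def learn(self, mac, vlan, now):
        """Handle a frame from (mac, vlan) at time `now` (seconds).

        Returns 'forwarded', 'dropped', 'violating' or 'port-down'."""
        if self.shut_down:
            return "port-down"
        self._expire(now)
        key = (mac.lower(), vlan)
        if key in self.secured:
            self.secured[key] = now   # assumption: activity refreshes the aging timer
            return "forwarded"
        if len(self.secured) < self.maximum:
            self.secured[key] = now   # learn and secure the new user
            return "forwarded"
        # Limit reached: act according to the violation mode.
        if self.violation == PROTECT:
            return "dropped"          # Protect: drop, take no further action
        if self.violation == SHUTDOWN:
            self.shut_down = True     # Shutdown: one additional address shuts the port
            return "port-down"
        # Restrict: count and mark violators, at most max_violation at a time.
        if key in self.violating:
            return "violating"
        if len(self.violating) < self.max_violation:
            self.violating[key] = now  # held in the table until hold_time expires
            return "violating"
        return "dropped"              # assumption: beyond the violation limit, not marked


def demo(mode):
    """Replay constructed (mac, vlan, time) traffic on a port with limit 2,
    violation limit 1, aging 600 s and hold time 300 s; return per-frame verdicts."""
    port = PortSecurity(maximum=2, violation=mode, max_violation=1,
                        aging_enabled=True, aging_time=600, hold_time=300)
    frames = [  # constructed sample traffic
        ("00:11:22:33:44:01", 10, 0),
        ("00:11:22:33:44:02", 10, 1),
        ("00:11:22:33:44:03", 10, 2),    # third user: over the limit of 2
        ("00:11:22:33:44:04", 10, 3),    # fourth user: violation limit of 1 already used
        ("00:11:22:33:44:01", 10, 700),  # first user returns after aging_time elapsed
    ]
    return [port.learn(mac, vlan, t) for mac, vlan, t in frames]


if __name__ == "__main__":
    for mode in (PROTECT, RESTRICT, SHUTDOWN):
        print(f"{mode:9s} {demo(mode)}")
```

Running the script prints one verdict list per mode: Protect silently drops the third and fourth users, Restrict marks the third as violating and drops the fourth because the violation limit of 1 is already occupied, and Shutdown takes the port down on the third user so nothing later is forwarded. In the first two modes the first user is forwarded again at t=700 because its secured entry has aged out (600 s) and, in Restrict, the violating entry was released after the 300 s hold time.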