Cisco - Port-Security

Port-security will only allow a limited number of MAC-addressen on a switch port

There are 3 types of port-security:

switchport port-security violation protect
switchport port-security violation restrict
switchport port-security violation shutdown

All types will:

Remember all seen MAC-addresses, until a maximum
Frames from MAC-adresses above the maximum will be .... (see below)

	Protect:	- Frames from new MAC-addresses will be dropped - Dropped frames will not be logged - Dropped frames will not create security violation
	Restrict:	- Frames from new MAC-addresses will be dropped - Dropped frames will be logged - Dropped frames will create security violation
	Shutdown:	- Frames from new MAC-addresses will be dropped - Dropped frames will be logged - Dropped frames will create security violation - Dropped frames will cause a port to go in SHUTDOWN

The sticky mode will remember MAC-Addresses, even when you reboot the switch!!!

switchport port-security mac-address sticky

Example 1 - standard port configuration:

int fastethernet 0/1
  switchport port-security
  switchport port-security maximum 1
  switchport port-security violation <protect|restrict|shutdown>
  switchport port-security mac-address sticky

Example 2 - release locked port after 15 minutes (900 seonds):

! Enable recovery from a locked port
errdisable recovery cause psecure-violation
!
! Recovery will happen after 900 seconds (15 min).
errdisable recovery interval 900