Configuration Guidelines

■ Only on static access ports

■ Not on trunk or dynamic access ports

■ Not on EtherChannel ports

■ Voice VLAN assigned dynamic secure addresses

■ On port with voice VLAN, set maximum MAC addresses to two plus maximum number of MAC addresses

■ Dynamic port security enabled on voice VLAN when port security is enabled on access VLAN

■ Not configurable on per-VLAN basis

■ No aging of sticky addresses

■ No simultaneous enabling of protect and restrict options

© 2007 Cisco Systems, Inc. All rights reserved. SNRS v2.0—1-7

Here are some guidelines to use when configuring port security:

■ Port security can only be configured on static access ports.

■ A secure port cannot be a dynamic access port or a trunk port.

■ A secure port cannot be a destination port for Switched Port Analyzer (SPAN).

■ A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.

■ You cannot configure static secure or sticky secure MAC addresses on a voice VLAN.

■ When you enable port security on an interface that is also configured with a voice VLAN, set the maximum allowed secure addresses on the port to two. When the port is connected to a Cisco IP phone, the IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.

■ If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN.

■ When a voice VLAN is configured on a secure port that is also configured as a sticky secure port, all addresses seen on the voice VLAN are learned as dynamic secure addresses, and all addresses seen on the access VLAN (to which the port belongs) are learned as sticky secure addresses.

■ You cannot configure port security on a per-VLAN basis.

■ The switch does not support port security aging of sticky secure MAC addresses.
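As an added example (not part of the course material), the following Python sketch audits IOS-style interface stanzas against three of the guidelines above: static access ports only, no EtherChannel members, and a maximum of at least two secure addresses when a voice VLAN is present. The function name `audit` and the sample configuration are constructed for illustration; the check assumes the default maximum of one secure address when no `maximum` line is configured.

```python
import re

# Constructed running-config excerpt (sample input, not from the course material).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode trunk
 switchport port-security
!
interface FastEthernet0/3
 switchport mode access
 switchport voice vlan 20
 switchport port-security
!
interface FastEthernet0/4
 switchport mode access
 channel-group 1 mode on
 switchport port-security
!
"""

def audit(config):
    """Return {interface: [findings]} for ports that enable port security."""
    findings = {}
    for stanza in re.split(r"(?m)^(?=interface )", config):
        lines = [l.strip() for l in stanza.splitlines() if l.strip() not in ("", "!")]
        if not lines or not lines[0].startswith("interface "):
            continue
        name, body = lines[0].split(None, 1)[1], lines[1:]
        if "switchport port-security" not in body:
            continue  # port security is not enabled on this port
        issues = []
        if "switchport mode access" not in body:
            issues.append("not a static access port")
        if any(l.startswith("channel-group ") for l in body):
            issues.append("EtherChannel member")
        # Assumed default: one secure address when no explicit 'maximum' line exists.
        m = re.search(r"^switchport port-security maximum (\d+)$", "\n".join(body), re.M)
        maximum = int(m.group(1)) if m else 1
        if any(l.startswith("switchport voice vlan ") for l in body) and maximum < 2:
            issues.append(f"voice VLAN present but maximum is {maximum}, need at least 2")
        findings[name] = issues
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns an empty finding list for FastEthernet0/1 and one finding each for the other three ports.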

1-18 Securing Networks with Cisco Routers and Switches (SNRS) v2.0 © 2007 Cisco Systems, Inc.
