6509 port security

Unanswered Question
Apr 8th, 2007

When implementing port security on ports that have Cisco IP phones and workstations connected, will these commands be all that is needed, and will there be any momentary loss of connectivity when done (allowing dynamic learning of three MAC addresses)?

switchport port-security
switchport port-security maximum 3

The current config is as follows:

interface FastEthernet3/3
 switchport access vlan 40
 switchport mode access
 switchport voice vlan 250
 no ip address
 wrr-queue cos-map 1 1 1
 wrr-queue cos-map 1 2 0
 wrr-queue cos-map 2 1 2 3 4 6 7
 wrr-queue cos-map 2 2 5
 mls qos trust cos
 spanning-tree portfast

balajitvk Sun, 04/08/2007 - 20:49


The loss depends upon the violation mode configured.

You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs:

protect: when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value.

restrict: a port security violation restricts data and causes the SecurityViolation counter to increment. It also sends an SNMP trap when an address-security violation occurs.

shutdown: the interface is error-disabled when a security violation occurs. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.

You can set the required mode with:

switchport port-security violation {protect | restrict | shutdown}

The default is shutdown mode. The interface is error-disabled when a security violation occurs.

Rate if it does,
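
The following is an added example, not part of the thread and not a Cisco tool: a Python audit that parses IOS interface stanzas and reports the effective port-security settings, flagging ports where the default shutdown violation mode would err-disable the port. The sample config is constructed (Fa3/3 is the question's port with the two proposed commands; Fa3/4 and Fa3/5 are hypothetical), and the default maximum of 1 is an IOS default assumed here, not stated in the thread.

```python
import re

# Constructed sample: Fa3/3 is the question's port with the two proposed
# commands added; Fa3/4 and Fa3/5 are hypothetical ports for contrast.
SAMPLE_CONFIG = """\
interface FastEthernet3/3
 switchport access vlan 40
 switchport mode access
 switchport voice vlan 250
 switchport port-security
 switchport port-security maximum 3
interface FastEthernet3/4
 switchport voice vlan 250
 switchport port-security
interface FastEthernet3/5
 switchport port-security
 switchport port-security violation restrict
"""

def effective_settings(config_text):
    """Map each interface to its effective port-security settings."""
    ports, cur = {}, {}  # lines before the first interface go to a discarded dict
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line.startswith("interface "):
            # Unconfigured defaults: violation mode shutdown (as the answer says)
            # and maximum 1 (IOS default, an assumption not stated on the page).
            cur = ports.setdefault(line.split(None, 1)[1], {
                "enabled": False, "maximum": 1, "violation": "shutdown", "voice": False})
        elif line == "switchport port-security":
            cur["enabled"] = True
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            cur["maximum"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security violation (\w+)", line):
            cur["violation"] = m.group(1)
        elif line.startswith("switchport voice vlan "):
            cur["voice"] = True
    return ports

def audit(config_text, phone_port_max=3):
    """Return (interface, finding) pairs; 3 is the maximum the question proposes."""
    out = []
    for name, p in effective_settings(config_text).items():
        if not p["enabled"]:
            out.append((name, "port security not enabled"))
        elif p["voice"] and p["maximum"] < phone_port_max:
            out.append((name, f"maximum {p['maximum']} < {phone_port_max} on phone port"))
        if p["enabled"] and p["violation"] == "shutdown":
            out.append((name, "violation will err-disable the port"))
    return out
```

Calling `audit(SAMPLE_CONFIG)` lists Fa3/3 and Fa3/4 as ports that a violation would err-disable, and Fa3/4 as a phone port still at the default maximum.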


