I'm trying to implement Port Security on a Cisco 4503 switch. The network consists of two VLANs and 100+ users.
What I basically want to do is to allow all the already learned MAC addresses to communicate over the network and block any new introduced MAC addresses unless I manually enter them in the allowed list of MAC addresses.
I will use the "sticky" option so any learned or manually entered MAC addresses is saved and never lost or re-learned.
I have the following scenario in mind:
interface gigabitEthernet 0/1
switchport mode access
switchport port-security
switchport port-security mac-address sticky
### After the already learned MAC addresses are converted to sticky, I will do a count on each interface and if for example I have 25 learned MAC on interface G0/1, I will next enter the following command ###
switchport port-security maximum 25
switchport port-security violation restrict
1- Is this the correct way to transition to Port Security? Any remarks on the usage of "sticky" and the counting thing?
2- In case of a violation, the command "switchport port-security violation restrict", does it restrict the flow of data on the Cisco switch port regardless of who is trying to generate traffic? Or does it restrict the flow of data only for the MAC that generated a violation?
Thank you for your help.
1- Yes, the 20 mac-addresses should then be sticky. This means the 20 mac-addresses will be put into the running-config, as if you entered the mac-addresses manually with the "switchport port-security mac-address xxxx.xxxx.xxxx" command.
From this it follows that you have to do a "copy running-config startup-config" to save the learned mac-addresses. When the switch reboots next time, it will already know those mac-addresses.
2- Definitely, you have to set the maximum to 21, and you may enter the mac-address manually or wait for the switch to learn it.
Again, don't forget to copy the running-config to the startup-config, once the new mac-address is learned.
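As an added example (not code from either poster), here is a small Python script that performs the per-interface count the question describes and emits the matching port-security lines, with the answer's reminder to save the running-config kept as a trailing comment. The `show mac address-table dynamic` output it parses is constructed sample text, and the interface names and column layout are assumptions.

```python
import re

# Constructed sample of "show mac address-table" output; not taken from the thread.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi0/1
  10    0011.2233.4456    DYNAMIC     Gi0/1
  20    0011.2233.4457    DYNAMIC     Gi0/2
  10    0011.2233.4458    DYNAMIC     Gi0/1
  20    00aa.bbcc.ddee    STATIC      Gi0/3
Total Mac Addresses for this criterion: 5
"""

# One table row: VLAN, dotted-hex MAC, entry type, port. Header/footer lines do not match.
MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I
)


def count_learned_macs(mac_table: str) -> dict:
    """Return {port: number of distinct dynamically learned (vlan, mac) pairs}.

    Port security counts a MAC per VLAN, so the key is the (vlan, mac) pair.
    STATIC entries are skipped: they were configured, not learned.
    """
    learned = {}
    for line in mac_table.splitlines():
        m = MAC_ROW.match(line)
        if not m:
            continue
        vlan, mac, entry_type, port = m.groups()
        if entry_type.upper() != "DYNAMIC":
            continue
        learned.setdefault(port, set()).add((vlan, mac.lower()))
    return {port: len(pairs) for port, pairs in learned.items()}


def port_security_config(counts: dict, violation: str = "restrict") -> str:
    """Render the per-interface commands from the question, maximum = learned count."""
    lines = []
    for port in sorted(counts):
        lines += [
            f"interface {port}",
            " switchport mode access",
            " switchport port-security",
            " switchport port-security mac-address sticky",
            f" switchport port-security maximum {counts[port]}",
            f" switchport port-security violation {violation}",
        ]
    # Sticky addresses land in the running-config only; save them as the answer notes.
    lines.append("! remember: copy running-config startup-config")
    return "\n".join(lines) + "\n"
```

Running `port_security_config(count_learned_macs(SAMPLE_MAC_TABLE))` yields a `maximum 3` for Gi0/1 and `maximum 1` for Gi0/2, while the STATIC entry on Gi0/3 produces no interface block.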