Port security on 4507S

Nov 10th, 2009

Hi All

I would like to enable port security on my core switch for security reasons and to avoid unauthorised access.

Can someone please tell me if there are any other pros & cons?

What steps should I take to avoid future troubles?

Thanks in advance.... :-)



Giuseppe Larosa Tue, 11/10/2009 - 05:47

Hello Naidu,

Usually port security is deployed at the access layer level.

On a core switch you should have only links to other switches or routers.

However, if you have a 48 10/100/1000 linecard with cables plugged in and terminated in closets it can be useful.

One important point:

Secure MAC addresses are handled and stored in a separate CAM table, usually much smaller than the normal CAM.

So if your device has a CAM of 64,000 possible entries the secure CAM can have only few thousands. (3000 in 12.2(46)SG)

A reasonable MAC max per port is 3, to allow PCs to swap their cables/ports.



Hope to help


ilnaiduccna Tue, 11/10/2009 - 06:03

Hi Giuseppe,

I agree with your comment.

But in my case all important servers are directly connected to this core switch only.

First I am configuring port security for some ports, say 90 ports, and total binding MAC addresses probably 250.

I don't understand what you mean by "if your device has a CAM of 64,000 possible entries the secure CAM can have only few thousands".

Can you please briefly explain it?

Thanks in advance.



Giuseppe Larosa Tue, 11/10/2009 - 10:31

Hello Naidu,

I just wanted to warn you about the fact that the total number of secure MAC addresses on the device is limited to 3,000.

I see that you want to secure servers.

Just one note: if your server people have already started to play with VMware and other virtualization, this can cause you a lot of work: each time a new virtual machine is built they assign it a MAC address.

For VMware, typical OUIs are:



Each server can easily use 6-8 MAC addresses; we see this in our server farms.

In any case it can be wise to secure them.

Hope to help


ilnaiduccna Tue, 11/10/2009 - 22:04

Hi Giuseppe,

Thanks for your response.

Yes, in my environment the server people have VMware servers which are connected to the same core switch.

What if we specify the maximum number of secure MAC addresses, say 20 for each port?

set port security 7/7 maximum 20

I think then the port will allow only 20 secure MACs; after 20 it will drop as per our settings. Is that right?
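
Added example, not part of the thread and not Cisco code: a Python audit that parses a table laid out like IOS `show port-security` output and compares the per-port maximums with the device-wide limit of 3,000 secure MAC addresses quoted above. The sample rows are constructed, and the function names `parse_ports` and `audit` and the exact column layout are assumptions.

```python
import re

# Constructed sample, modelled on the table printed by IOS "show port-security".
SAMPLE = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi7/5             20            8                  0         Restrict
      Gi7/6             20           20                  3         Restrict
      Gi7/7             20            6                  0         Restrict
---------------------------------------------------------------------------
"""

# One data row: interface, configured maximum, learned count, violations, action.
ROW = re.compile(r"^\s*([A-Za-z]+\d+/\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\w+)\s*$")

def parse_ports(text):
    """Return one dict per secure port; headers and rulers are skipped."""
    ports = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, maximum, current, violations, action = m.groups()
            ports.append({"port": name, "max": int(maximum),
                          "current": int(current),
                          "violations": int(violations), "action": action})
    return ports

def audit(ports, system_limit=3000):
    """Compare per-port settings with the device-wide secure MAC limit.

    system_limit defaults to the 3,000 figure quoted in the thread; treating
    the sum of per-port maxima as the worst case is a simplification.
    """
    configured = sum(p["max"] for p in ports)
    return {
        "configured_total": configured,
        "learned_total": sum(p["current"] for p in ports),
        # Ports already at their maximum: the next new MAC (for example a
        # newly built virtual machine) triggers the violation action there.
        "full_ports": [p["port"] for p in ports if p["current"] >= p["max"]],
        "violating_ports": [p["port"] for p in ports if p["violations"] > 0],
        "over_budget": configured > system_limit,
    }

if __name__ == "__main__":
    print(audit(parse_ports(SAMPLE)))
```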



