LAN Switch Configuration 185
In this example, the permanently defined MAC address of 0200.4444.4444, the comptroller's
MAC address, is always associated with port e0/1. Notice that the two new employees' MAC
addresses are also in the MAC address table.
The port secure max-mac-count 3 command means that a total of three addresses can be
learned on this port. The permanent address that is configured counts as one of the three, so
the first two addresses learned in addition to it are considered to be sticky-learned. The
switch treats these two addresses as static, so that if someone came along and plugged into
the finance hub, the switch would not add that hacker's MAC address to the MAC address table.
So what should the switch do when a fourth MAC address sources a frame that enters E0/1? An
address violation occurs when a secured port receives a frame from a new source address that,
if added to the MAC table, would cause the switch to exceed its address table size limit for that
port. When a port security address violation occurs, the switch can take one of three actions
on the port: suspend, ignore, or disable. When a port is suspended, it is re-enabled
when a frame containing a valid address is received. When a port is disabled, it must be
manually re-enabled. When the action is ignore, the switch ignores the security violation and
keeps the port enabled.
Use the address-violation global configuration command to specify the action for a port
address violation. The syntax for this command is as follows:
address-violation {suspend | disable | ignore}
Use the no address-violation command to set the switch to its default value, which is suspend.
Example 4-6 Port Security Example (Continued)
wg_sw_a#show mac-address-table security
Action upon address violation : Suspend
Interface         Addressing Security      Address Table Size
--------------------------------------------------------------
Ethernet 0/1           Enabled                      3
Ethernet 0/2           Disabled                     N/A
Ethernet 0/3           Disabled                     N/A
Ethernet 0/4           Disabled                     N/A
Ethernet 0/5           Disabled                     N/A
Ethernet 0/6           Disabled                     N/A
Ethernet 0/7           Disabled                     N/A
Ethernet 0/8           Disabled                     N/A
Ethernet 0/9           Disabled                     N/A
Ethernet 0/10          Disabled                     N/A
Ethernet 0/11          Disabled                     N/A
Ethernet 0/12          Disabled                     N/A
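The following Python model is an added illustration, not part of the original text and not switch code. It replays the scenario described above against a port with a three-address limit to show how each address-violation action leaves the port. The class and function names, the event labels, and every MAC address other than the permanent one are constructed for the example, and the model assumes the violating address is never learned under any action.

```python
from dataclasses import dataclass, field

@dataclass
class SecuredPort:
    """Model of one secured port as the text describes it."""
    max_mac_count: int                      # address table size for the port
    action: str = "suspend"                 # suspend | disable | ignore
    permanent: set = field(default_factory=set)
    sticky: set = field(default_factory=set)
    state: str = "enabled"                  # enabled | suspended | disabled

    def known(self):
        return self.permanent | self.sticky

    def receive(self, src_mac):
        """Process one frame's source MAC and return what the port did."""
        if self.state == "disabled":
            return "dropped-port-disabled"  # stays down until manual_enable()
        if src_mac in self.known():
            if self.state == "suspended":   # valid address ends a suspension
                self.state = "enabled"
                return "re-enabled"
            return "accepted"
        if len(self.known()) < self.max_mac_count:
            self.sticky.add(src_mac)        # room left: sticky-learn it
            return "learned"
        # Table is full: this is an address violation; never learn the address.
        if self.action == "suspend":
            self.state = "suspended"
        elif self.action == "disable":
            self.state = "disabled"
        return "violation-" + self.action   # "ignore" leaves the port enabled

    def manual_enable(self):
        self.state = "enabled"

# Constructed sample data; only PERMANENT comes from the example above.
PERMANENT = "0200.4444.4444"
EMP_A, EMP_B, UNKNOWN = "0200.aaaa.0001", "0200.aaaa.0002", "0200.ffff.0004"
FRAMES = [PERMANENT, EMP_A, EMP_B, UNKNOWN, PERMANENT]

def replay(action, frames=FRAMES):
    """Feed frames to a fresh 3-address port; return (events, port)."""
    port = SecuredPort(3, action, permanent={PERMANENT})
    return [port.receive(mac) for mac in frames], port

if __name__ == "__main__":
    for action in ("suspend", "disable", "ignore"):
        events, port = replay(action)
        print(f"{action:8} {events} -> {port.state}")
```

Only the disable action leaves the port down after the comptroller's next frame. For anyone reviewing switch logs, that is the one case that needs an operator to act before legitimate traffic resumes.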