Chapter 22
Configuring Port-Based Traffic Control
Note: For complete syntax and usage information for the commands used in this chapter, refer to the command reference for this release.

This chapter consists of these sections:
- Configuring Storm Control, page 22-1
- Configuring Protected Ports, page 22-4
- Configuring Port Blocking, page 22-5
- Configuring Port Security, page 22-7
- Displaying Port-Based Traffic Control Settings, page 22-14

Configuring Storm Control

This section contains this configuration information:
- Understanding Storm Control, page 22-1
- Default Storm Control Configuration, page 22-2
- Enabling Storm Control, page 22-2
- Disabling Storm Control, page 22-3
Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide 78-11380-09
22-1
Understanding Storm Control

Storm control measures traffic activity against thresholds that can be expressed in one of two ways:
- Bandwidth-based (a percentage of the total available bandwidth)
- Traffic rate at which packets are received (in packets per second) (available only on non-Long-Reach Ethernet [LRE] Catalyst 2950 switches)

The thresholds can either be expressed as a percentage of the total available bandwidth that can be used by the broadcast, multicast, or unicast traffic, or as the rate at which the interface receives multicast, broadcast, or unicast traffic.

When a switch uses the bandwidth-based method, the rising threshold is the percentage of total available bandwidth associated with multicast, broadcast, or unicast traffic before forwarding is blocked. The falling threshold is the percentage of total available bandwidth below which the switch resumes normal forwarding. In general, the higher the level, the less effective the protection against broadcast storms.

When a non-LRE Catalyst 2950 switch running Cisco IOS Release 12.1(14)EA1 or later uses traffic rates as the threshold values, the rising and falling thresholds are in packets per second. The rising threshold is the rate at which multicast, broadcast, and unicast traffic is received before forwarding is blocked. The falling threshold is the rate below which the switch resumes normal forwarding. In general, the higher the rate, the less effective the protection against broadcast storms.
Enabling Storm Control

Beginning in privileged EXEC mode, follow these steps to enable storm control:

Step 1: configure terminal
    Enter global configuration mode.
Step 2: interface interface-id
    Specify the port to configure, and enter interface configuration mode.
Step 3: storm-control {broadcast | multicast | unicast} level {level [level-low] | pps pps pps-low}
    Configure broadcast, multicast, or unicast storm control.
    For level, specify the rising threshold level for broadcast, multicast, or unicast traffic as a percentage of the bandwidth. The storm control action occurs when traffic utilization reaches this level.
    (Optional) For level-low, specify the falling threshold level as a percentage of the bandwidth. This value must be less than the rising suppression value. Normal transmission restarts (if the action is filtering) when traffic drops below this level.
    For pps pps, specify the rising threshold level for broadcast, multicast, or unicast traffic in packets per second. The storm control action occurs when traffic reaches this level. This option is supported only on non-LRE Catalyst 2950 switches running Cisco IOS Release 12.1(14)EA1 or later.
    For pps-low, specify the falling threshold level in packets per second; it can be less than or equal to the rising threshold level. Normal transmission restarts (if the action is filtering) when traffic drops below this level. This option is supported only on non-LRE Catalyst 2950 switches.
    For pps and pps-low, the range is from 0 to 4294967295.
Step 4: storm-control action {shutdown | trap}
    Specify the action to be taken when a storm is detected. The default is to filter out the traffic and not to send traps. Select the shutdown keyword to error-disable the port during a storm. Select the trap keyword to generate an SNMP trap when a storm is detected.
Step 5: end
    Return to privileged EXEC mode.
Step 6: show storm-control [interface-id] [{broadcast | history | multicast | unicast}]
    Verify your entries.
Step 7: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
The output from the show storm-control privileged EXEC command shows the upper, lower, and current thresholds as a percentage of the total bandwidth or the packets per second, depending on the configuration.
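The rising/falling threshold behaviour and the filter, shutdown and trap actions described above, as an added Python model that is not part of the guide. StormControl, observe, run_trace and the sample rate traces are constructed here; the only assumption beyond the text is that an omitted level-low (or pps-low) equals the rising threshold, so that no hysteresis applies.

```python
# Added example, not from the Catalyst guide: a model of storm-control
# rising/falling thresholds and the filter/shutdown/trap actions.
from dataclasses import dataclass, field
from typing import List, Optional

PPS_MAX = 4294967295  # range the guide gives for pps and pps-low


@dataclass
class StormControl:
    """Storm control for one traffic type on one port.

    rising:  level or pps, the point at which suppression starts.
    falling: level-low or pps-low, below which normal forwarding resumes.
             Assumption of this model: if omitted it equals rising.
    unit:    "percent" (bandwidth-based) or "pps" (traffic-rate-based).
    action:  "filter" (default) or "shutdown"; trap is a separate flag
             because the guide lists it as a separate keyword.
    """
    rising: float
    falling: Optional[float] = None
    unit: str = "percent"
    action: str = "filter"
    trap: bool = False
    suppressing: bool = False
    errdisabled: bool = False
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.falling is None:
            self.falling = self.rising
        elif self.unit == "percent" and self.falling >= self.rising:
            raise ValueError("level-low must be less than level")
        elif self.unit == "pps" and self.falling > self.rising:
            raise ValueError("pps-low must be less than or equal to pps")
        limit = 100 if self.unit == "percent" else PPS_MAX
        if not 0 <= self.falling <= self.rising <= limit:
            raise ValueError(f"thresholds must lie within 0..{limit}")

    def observe(self, rate: float) -> str:
        """Feed one measurement interval; return what the port does."""
        if self.errdisabled:
            return "errdisable"
        if not self.suppressing and rate >= self.rising:
            self.suppressing = True
            self.events.append(f"storm detected: {rate} {self.unit} >= {self.rising}")
            if self.trap:
                self.events.append("SNMP trap sent")
            if self.action == "shutdown":
                self.errdisabled = True
                self.events.append("port error-disabled")
                return "errdisable"
        elif self.suppressing and rate < self.falling:
            self.suppressing = False
            self.events.append(f"forwarding resumed: {rate} {self.unit} < {self.falling}")
        return "filter" if self.suppressing else "forward"


def run_trace(sc: StormControl, rates: List[float]) -> List[str]:
    """Apply a sequence of per-interval rates and collect the decisions."""
    return [sc.observe(r) for r in rates]


# Constructed sample: broadcast utilisation per interval, in percent of bandwidth.
SAMPLE_RATES = [10, 55, 40, 35, 25, 10]


def demo_hysteresis() -> List[str]:
    """storm-control broadcast level 50 30: suppression holds between 30 and 50."""
    return run_trace(StormControl(rising=50, falling=30), SAMPLE_RATES)


def demo_no_low() -> List[str]:
    """storm-control broadcast level 50: forwarding resumes as soon as rate < 50."""
    return run_trace(StormControl(rising=50), SAMPLE_RATES)


def demo_shutdown() -> List[str]:
    """pps thresholds with shutdown and trap: the port stays error-disabled."""
    sc = StormControl(rising=1000, falling=500, unit="pps", action="shutdown", trap=True)
    return run_trace(sc, [100, 1500, 100, 100])


if __name__ == "__main__":
    print(demo_hysteresis())
    print(demo_no_low())
    print(demo_shutdown())
```

The two percent traces use the same input; the difference at the third and fourth intervals (40 and 35 percent) is the effect of a falling threshold: without level-low the port flaps back to forwarding while the storm is still above 30 percent.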
Disabling Storm Control

Beginning in privileged EXEC mode, follow these steps to disable storm control:

Step 1: configure terminal
    Enter global configuration mode.
Step 2: interface interface-id
    Specify the port to configure, and enter interface configuration mode.
Step 3: no storm-control {broadcast | multicast | unicast} level
    Disable port storm control.
Step 4: no storm-control action {shutdown | trap}
    Disable the specified storm control action.
Step 5: end
    Return to privileged EXEC mode.
Step 6: show storm-control {broadcast | multicast | unicast}
    Verify your entries.
Step 7: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
A protected port does not forward any traffic (unicast, multicast, or broadcast) to any other port that is also a protected port. Traffic cannot be forwarded between protected ports at Layer 2; all traffic passing between protected ports must be forwarded through a Layer 3 device. Forwarding behavior between a protected port and a nonprotected port proceeds as usual. Protected ports are supported on 802.1Q trunks.
The default is to have no protected ports defined.

You can configure protected ports on a physical interface (for example, Gigabit Ethernet 0/1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.

Both LRE interface ports and CPE device ports can be configured as protected ports. When you use a Cisco 575 LRE CPE or a Cisco 576 LRE 997 CPE device, the cpe protected interface configuration command is not available. When you use a Cisco 585 LRE CPE device (which has multiple Ethernet interfaces), the switchport protected command allows devices on different ports of the same CPE device to exchange data locally. In some cases, you might want to protect individual CPE device ports. You can do this with the cpe protected interface configuration command. Devices connected to different ports on the same CPE device then cannot exchange data directly but must forward it through a Layer 3 device.

Beginning in privileged EXEC mode, follow these steps to define a port as a protected port:

Step 1: configure terminal
    Enter global configuration mode.
Step 2: interface interface-id
    Specify the type and number of the physical interface to configure, for example gigabitethernet0/1, and enter interface configuration mode.
Step 3: switchport protected
    Configure the interface to be a protected port.
Step 4: end
    Return to privileged EXEC mode.
Step 5: show interfaces interface-id switchport
    Verify your entries.
Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.

To disable a protected port, use the no switchport protected interface configuration command.

This example shows how to configure Gigabit Ethernet interface 0/1 as a protected port and verify the configuration:
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport protected
Switch(config-if)# end
Switch# show interfaces gigabitethernet0/1 switchport
Name: Gi0/1
Switchport: Enabled
<output truncated>
Protected: True
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Configuring Port Blocking

Note: Blocking unicast or multicast traffic is not automatically enabled on protected ports; you must explicitly configure it.

The port blocking feature is only supported on these switches:
- Catalyst 2950 Long-Reach Ethernet (LRE) switches running Cisco IOS Release 12.1(14)EA1 or later
- Catalyst 2950G-12-EI, 2950G-24-EI, 2950G-24-EI-DC, 2950G-48-EI, and 2955 switches running Cisco IOS Release 12.1(19)EA1 or later

The interface can be a physical interface (for example, Gigabit Ethernet 0/1) or an EtherChannel group (for example, port-channel 5). When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port channel group.
Beginning in privileged EXEC mode, follow these steps to disable the flooding of multicast and unicast packets to an interface:

Step 1: configure terminal
    Enter global configuration mode.
Step 2: interface interface-id
    Specify the type and number of the physical interface to configure, for example gigabitethernet0/1, and enter interface configuration mode.
Step 3: switchport block multicast
    Block unknown multicast forwarding to the port.
Step 4: switchport block unicast
    Block unknown unicast forwarding to the port.
Step 5: end
    Return to privileged EXEC mode.
Step 6: show interfaces interface-id switchport
    Verify your entries.
Step 7: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To return the interface to the default condition where no traffic is blocked, use the no switchport block {multicast | unicast} interface configuration commands. This example shows how to block unicast and multicast flooding on Gigabit Ethernet interface 0/1 and verify the configuration:
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport block multicast
Switch(config-if)# switchport block unicast
Switch(config-if)# end
Switch# show interfaces gigabitethernet0/1 switchport
Name: Gi0/1
Switchport: Enabled
<output truncated>
Protected: True
Unknown unicast blocked: enabled
Unknown multicast blocked: enabled
Beginning in privileged EXEC mode, follow these steps to resume the flooding of multicast and unicast packets to an interface:

Step 1: configure terminal
    Enter global configuration mode.
Step 2: interface interface-id
    Specify the type and number of the physical interface to configure, for example gigabitethernet0/1, and enter interface configuration mode.
Step 3: no switchport block multicast
    Enable unknown multicast flooding to the port.
Step 4: no switchport block unicast
    Enable unknown unicast flooding to the port.
Step 5: end
    Return to privileged EXEC mode.
Step 6: show interfaces interface-id switchport
    Verify your entries.
Step 7: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
Configuring Port Security

This section contains this configuration information:
- Understanding Port Security, page 22-7
- Default Port Security Configuration, page 22-9
- Port Security Configuration Guidelines, page 22-9
- Enabling and Configuring Port Security, page 22-10
- Enabling and Configuring Port Security Aging, page 22-12

Understanding Port Security

The switch supports these types of secure MAC addresses:
- Static secure MAC addresses: These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
- Dynamic secure MAC addresses: These are dynamically learned, stored only in the address table, and removed when the switch restarts.
- Sticky secure MAC addresses: These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts. Although sticky secure addresses can be manually configured, we do not recommend it.
You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter the switchport port-security mac-address sticky interface configuration command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses. The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses. If you do not save the configuration, they are lost. If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration. A secure port can have from 1 to 132 associated secure addresses. The total number of available secure addresses on the switch is 1024.
Security Violations
It is a security violation when one of these situations occurs:
- The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
- An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs:
- protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
- restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is logged, and the violation counter increments.
- shutdown: In this mode, a port security violation causes the interface to immediately become error-disabled, and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.
Table 22-1 shows the violation mode and the actions taken when you configure an interface for port security.
Table 22-1 Security Violation Mode Actions
Violation Mode | Traffic is forwarded(1) | Sends SNMP trap | Sends syslog message | Displays error message(2) | Violation counter increments | Shuts down port
protect        | No                      | No              | No                   | No                        | No                           | No
restrict       | No                      | Yes             | Yes                  | No                        | Yes                          | No
shutdown       | No                      | Yes             | Yes                  | No                        | Yes                          | Yes

1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
2. The switch will return an error message if you manually configure an address that would cause a security violation.
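The two violation conditions, the three violation modes in Table 22-1, and the difference between static, dynamic and sticky addresses, as an added Python model that is not part of the guide. SecurePort, Switch, the demo scenario and its MAC addresses are constructed here; the model only encodes what the chapter states (a full table plus an unknown source, or an address already secured on another port in the same VLAN, is a violation; protect drops silently, restrict drops and notifies, shutdown also error-disables the port; only static and sticky addresses appear in the running configuration).

```python
# Added example, not from the Catalyst guide: a model of secure-port behaviour.
from dataclasses import dataclass, field
from typing import Dict, List

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"
STATIC, DYNAMIC, STICKY = "static", "dynamic", "sticky"


@dataclass
class SecurePort:
    name: str
    vlan: int = 1
    maximum: int = 1            # guide default: one secure address
    violation: str = SHUTDOWN   # guide default: shutdown
    sticky: bool = False
    addresses: Dict[str, str] = field(default_factory=dict)  # mac -> STATIC/DYNAMIC/STICKY
    errdisabled: bool = False
    violation_count: int = 0
    log: List[str] = field(default_factory=list)

    def configure_static(self, mac: str) -> None:
        # switchport port-security mac-address <mac>; an address that would itself
        # cause a violation is rejected with an error (Table 22-1, note 2).
        if mac not in self.addresses and len(self.addresses) >= self.maximum:
            raise ValueError(f"{self.name}: maximum of {self.maximum} secure addresses reached")
        self.addresses[mac] = STATIC

    def set_sticky(self, enabled: bool) -> None:
        # Enabling sticky learning converts dynamic addresses (including ones learned
        # earlier) to sticky; disabling converts sticky addresses back to dynamic.
        self.sticky = enabled
        for mac, kind in self.addresses.items():
            if enabled and kind == DYNAMIC:
                self.addresses[mac] = STICKY
            elif not enabled and kind == STICKY:
                self.addresses[mac] = DYNAMIC

    def violate(self, mac: str) -> str:
        # protect: drop silently. restrict: drop, trap, syslog, counter.
        # shutdown: everything restrict does, plus error-disable the port.
        if self.violation == PROTECT:
            return "drop"
        self.violation_count += 1
        self.log.append(f"trap+syslog: violation on {self.name} by {mac}")
        if self.violation == SHUTDOWN:
            self.errdisabled = True
            return "errdisable"
        return "drop"

    def ingress(self, mac: str) -> str:
        # Condition 1: the table is full and an unknown source address appears.
        if self.errdisabled:
            return "errdisable"
        if mac in self.addresses:
            return "forward"
        if len(self.addresses) >= self.maximum:
            return self.violate(mac)
        self.addresses[mac] = STICKY if self.sticky else DYNAMIC
        return "forward"

    def running_config(self) -> List[str]:
        # Only static and sticky addresses are written to the running configuration;
        # dynamic ones exist in the address table alone and are lost on restart.
        lines = [f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
        for mac, kind in sorted(self.addresses.items()):
            if kind == STATIC:
                lines.append(f"switchport port-security mac-address {mac}")
            elif kind == STICKY:
                lines.append(f"switchport port-security mac-address sticky {mac}")
        return lines


class Switch:
    def __init__(self, ports: List[SecurePort]) -> None:
        self.ports = {p.name: p for p in ports}

    def ingress(self, port_name: str, mac: str) -> str:
        # Condition 2: the address is already secured on another port in the same VLAN.
        port = self.ports[port_name]
        if port.errdisabled:
            return "errdisable"
        if any(o is not port and o.vlan == port.vlan and mac in o.addresses
               for o in self.ports.values()):
            return port.violate(mac)
        return port.ingress(mac)


def demo() -> dict:
    # Constructed scenario exercising restrict, shutdown and protect modes.
    fa1 = SecurePort("Fa0/1", maximum=2, violation=RESTRICT)
    fa2 = SecurePort("Fa0/2")                 # defaults: maximum 1, shutdown
    fa3 = SecurePort("Fa0/3", violation=PROTECT)
    sw = Switch([fa1, fa2, fa3])
    out = {}
    out["learn"] = [sw.ingress("Fa0/1", m) for m in ("0000.0000.000a", "0000.0000.000b")]
    out["restrict"] = sw.ingress("Fa0/1", "0000.0000.000c")   # table full: dropped, counted
    fa1.set_sticky(True)                                       # learned addresses become sticky
    out["fa1_config"] = fa1.running_config()
    out["moved_mac"] = sw.ingress("Fa0/2", "0000.0000.000a")  # already secured on Fa0/1
    out["after_shutdown"] = sw.ingress("Fa0/2", "0000.0000.00ff")
    fa3.configure_static("0000.0000.00d0")
    try:
        fa3.configure_static("0000.0000.00d1")
        out["static_rejected"] = False
    except ValueError:
        out["static_rejected"] = True
    out["protect"] = [sw.ingress("Fa0/3", m) for m in ("0000.0000.00d0", "0000.0000.00d1")]
    out["counters"] = (fa1.violation_count, fa2.violation_count, fa3.violation_count)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note how the protect port ends the scenario with a violation counter of zero even though it dropped a frame: that silence is why the chapter's default is shutdown and why a monitoring team that relies on the counter or on traps should avoid protect mode.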
Default Port Security Configuration

Feature                                 | Default Setting
Port security                           | Disabled.
Maximum number of secure MAC addresses  | One.
Violation mode                          | Shutdown.
Sticky address learning                 | Disabled.
Port security aging                     | Disabled. Aging time is 0. When enabled, the default type is absolute.
Port Security Configuration Guidelines

Follow these guidelines when configuring port security:
- Port security can only be configured on static access ports.
- A secure port cannot be a dynamic access port or a trunk port.
- A secure port cannot be a destination port for Switched Port Analyzer (SPAN).
- A secure port cannot belong to a Fast EtherChannel or Gigabit EtherChannel port group.
- You cannot configure static secure or sticky secure MAC addresses on a voice VLAN.
- When you enable port security on an interface that is also configured with a voice VLAN, you must set the maximum allowed secure addresses on the port to at least two.
- If any type of port security is enabled on the access VLAN, dynamic port security is automatically enabled on the voice VLAN.
- When a voice VLAN is configured on a secure port that is also configured as a sticky secure port, all addresses seen on the voice VLAN are learned as dynamic secure addresses, and all addresses seen on the access VLAN (to which the port belongs) are learned as sticky secure addresses.
- You cannot configure port security on a per-VLAN basis.
- The switch does not support port security aging of sticky secure MAC addresses.
- The protect and restrict options cannot be simultaneously enabled on an interface.
Enabling and Configuring Port Security

Beginning in privileged EXEC mode, follow these steps to enable and configure port security on an interface:

Step 1: configure terminal
    Enter global configuration mode.
Step 2: interface interface-id
    Specify the type and number of the physical interface to configure, for example gigabitethernet0/1, and enter interface configuration mode.
Step 3: switchport mode access
    Set the interface mode as access; an interface in the default mode (dynamic desirable) cannot be configured as a secure port.
Step 4: switchport port-security
    Enable port security on the interface.
Step 5: switchport port-security maximum value
    (Optional) Set the maximum number of secure MAC addresses for the interface. The range is 1 to 132; the default is 1.
Step 6: switchport port-security violation {protect | restrict | shutdown}
    (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:
    - protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
    - restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is logged, and the violation counter increments.
    - shutdown: In this mode, a port security violation causes the interface to immediately become error-disabled, and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
Step 7: switchport port-security mac-address mac-address
    (Optional) Enter a static secure MAC address for the interface, repeating the command as many times as necessary. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.
    Note: If you enable sticky learning after you enter this command, the secure addresses that were dynamically learned are converted to sticky secure MAC addresses and are added to the running configuration.
Step 8: switchport port-security mac-address sticky
    (Optional) Enable sticky learning on the interface.
Step 9: end
    Return to privileged EXEC mode.
Step 10: show port-security
    Verify your entries.
Step 11: copy running-config startup-config
    (Optional) Save your entries in the configuration file.
To return the interface to the default condition as not a secure port, use the no switchport port-security interface configuration command. If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table. All addresses are now dynamically learned.

To return the interface to the default number of secure MAC addresses, use the no switchport port-security maximum value interface configuration command.

To return the violation mode to the default condition (shutdown mode), use the no switchport port-security violation {protect | restrict} interface configuration command.

To disable sticky learning on an interface, use the no switchport port-security mac-address sticky interface configuration command. The interface converts the sticky secure MAC addresses to dynamic secure addresses.

To delete a static secure MAC address from the address table, use the clear port-security configured address mac-address privileged EXEC command. To delete all the static secure MAC addresses on an interface, use the clear port-security configured interface interface-id privileged EXEC command.

To delete a dynamic secure MAC address from the address table, use the clear port-security dynamic address mac-address privileged EXEC command. To delete all the dynamic addresses on an interface, use the clear port-security dynamic interface interface-id privileged EXEC command.

To delete a sticky secure MAC address from the address table, use the clear port-security sticky address mac-address privileged EXEC command. To delete all the sticky addresses on an interface, use the clear port-security sticky interface interface-id privileged EXEC command.

This example shows how to enable port security on Fast Ethernet port 1 and to set the maximum number of secure addresses to 50. The violation mode is the default, no static secure MAC addresses are configured, and sticky learning is enabled.
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 50
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end
Switch# show port-security
Port Security
Port Status
Violation Mode
Aging Time
Aging Type
SecureStatic Address Aging
Maximum MAC Addresses
Total MAC Addresses
Configured MAC Addresses
Sticky MAC Addresses
Last Source Address
Security Violation Count
This example shows how to configure a static secure MAC address on Fast Ethernet port 12, enable sticky learning, and verify the configuration:
Switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# interface fastethernet0/12
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0000.0200.0004
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# end
Switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age (mins)
----    -----------       ----                -----   -------------
   1    0000.0000.000a    SecureDynamic       Fa0/1
   1    0000.0002.0300    SecureDynamic       Fa0/1
   1    0000.0200.0003    SecureConfigured    Fa0/1
   1    0000.0200.0004    SecureConfigured    Fa0/12
   1    0003.fd62.1d40    SecureConfigured    Fa0/5
   1    0003.fd62.1d45    SecureConfigured    Fa0/5
   1    0003.fd62.21d3    SecureSticky        Fa0/5
   1    0005.7428.1a45    SecureSticky        Fa0/8
   1    0005.7428.1a46    SecureSticky        Fa0/8
   1    0006.1218.2436    SecureSticky        Fa0/8
-------------------------------------------------------------------
Total Addresses in System :10
Max Addresses limit in System :1024
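A parser for the show port-security address output shown above, as an added Python example that is not part of the guide, with the audit checks a defender would run over it: the row count against the "Total" line, the system limit of 1024 and per-port limit of 132 stated in this chapter, ports whose secure addresses are all dynamic (and so are lost on restart), and a MAC appearing on two secure ports in one VLAN. SAMPLE is the table from the example above with the blank age column left out; parse, per_port and audit are constructed here.

```python
# Added example, not from the Catalyst guide: parse and audit
# "show port-security address" output.
import re
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple


class SecureAddress(NamedTuple):
    vlan: int
    mac: str
    kind: str    # SecureDynamic, SecureConfigured or SecureSticky
    port: str


ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(Secure\w+)\s+(\S+)", re.I)
TOTAL = re.compile(r"Total Addresses in System\s*:\s*(\d+)")
LIMIT = re.compile(r"Max Addresses limit in System\s*:\s*(\d+)")

# Sample input: the table from the example above (age column blank there, omitted here).
SAMPLE = """\
Switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age (mins)
----    -----------       ----                -----   -------------
   1    0000.0000.000a    SecureDynamic       Fa0/1
   1    0000.0002.0300    SecureDynamic       Fa0/1
   1    0000.0200.0003    SecureConfigured    Fa0/1
   1    0000.0200.0004    SecureConfigured    Fa0/12
   1    0003.fd62.1d40    SecureConfigured    Fa0/5
   1    0003.fd62.1d45    SecureConfigured    Fa0/5
   1    0003.fd62.21d3    SecureSticky        Fa0/5
   1    0005.7428.1a45    SecureSticky        Fa0/8
   1    0005.7428.1a46    SecureSticky        Fa0/8
   1    0006.1218.2436    SecureSticky        Fa0/8
-------------------------------------------------------------------
Total Addresses in System :10
Max Addresses limit in System :1024
"""


def parse(text: str) -> List[SecureAddress]:
    """Return one SecureAddress per table row; header and rule lines do not match."""
    return [SecureAddress(int(m.group(1)), m.group(2).lower(), m.group(3), m.group(4))
            for line in text.splitlines() if (m := ROW.match(line))]


def per_port(entries: List[SecureAddress]) -> Dict[str, Counter]:
    """Count secure addresses per port, broken down by type."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    for e in entries:
        summary[e.port][e.kind] += 1
    return dict(summary)


def audit(text: str, per_port_max: int = 132) -> List[str]:
    """Checks grounded in the chapter: 132 addresses per port, 1024 per switch,
    dynamic addresses not surviving a restart, one MAC on two secure ports."""
    entries = parse(text)
    findings: List[str] = []
    total_m, limit_m = TOTAL.search(text), LIMIT.search(text)
    total = int(total_m.group(1)) if total_m else len(entries)
    limit = int(limit_m.group(1)) if limit_m else 1024
    if total != len(entries):
        findings.append(f"row count {len(entries)} differs from reported total {total}")
    if total > limit:
        findings.append(f"reported total {total} exceeds system limit {limit}")
    for port, kinds in sorted(per_port(entries).items()):
        n = sum(kinds.values())
        if n > per_port_max:
            findings.append(f"{port}: {n} secure addresses exceeds per-port limit {per_port_max}")
        if set(kinds) == {"SecureDynamic"}:
            findings.append(f"{port}: only dynamic addresses, none survive a restart")
    seen: Dict[tuple, set] = defaultdict(set)
    for e in entries:
        seen[(e.vlan, e.mac)].add(e.port)
    for (vlan, mac), ports in sorted(seen.items()):
        if len(ports) > 1:
            findings.append(f"{mac} in VLAN {vlan} appears on {sorted(ports)}")
    return findings


if __name__ == "__main__":
    for port, kinds in sorted(per_port(parse(SAMPLE)).items()):
        print(port, dict(kinds))
    print("findings:", audit(SAMPLE) or "none")
```

On the sample above the audit returns no findings; Fa0/1 is not flagged for its two dynamic entries because it also has a configured one. Feed it the same output from a switch where a port shows only SecureDynamic entries and the restart check fires.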
Enabling and Configuring Port Security Aging

Two types of aging are supported per port:
- Absolute: The secure addresses on the port are deleted after the specified aging time.
- Inactivity: The secure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time.

Use this feature to remove and add PCs on a secure port without manually deleting the existing secure MAC addresses and to still limit the number of secure addresses on a port. You can enable or disable the aging of statically configured secure addresses on a per-port basis.
Beginning in privileged EXEC mode, follow these steps to configure port security aging:

Step 1: configure terminal
    Enter global configuration mode.
Step 2: interface interface-id
    Specify the port on which you want to enable port security aging, and enter interface configuration mode.

Note: The switch does not support port security aging of sticky secure addresses.

Step 3: switchport port-security aging {static | time time | type {absolute | inactivity}}
    Enable or disable static aging for the secure port, or set the aging time or type.
    Enter static to enable aging for statically configured secure addresses on this port.
    For time, specify the aging time for this port. The valid range is from 0 to 1440 minutes. If the time is equal to 0, aging is disabled for this port.
    For type, select one of these keywords:
    - absolute: Sets the aging type as absolute aging. All the secure addresses on this port age out after the specified time (minutes) lapses and are removed from the secure address list. The absolute aging time could vary by 1 minute, depending on the sequence of the system timer.
    - inactivity: Sets the aging type as inactivity aging. The secure addresses on this port age out only if there is no data traffic from the secure source addresses for the specified time period.
Step 4: end
    Return to privileged EXEC mode.
Step 5: show port-security [interface interface-id]
    Verify your entries.
Step 6: copy running-config startup-config
    (Optional) Save your entries in the configuration file.

To disable port security aging for all secure addresses on a port, use the no switchport port-security aging time interface configuration command. To disable aging for only statically configured secure addresses, use the no switchport port-security aging static interface configuration command.

This example shows how to set the aging time as 2 hours for the secure addresses on the Fast Ethernet interface 0/1:
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport port-security aging time 120
This example shows how to set the aging time as 2 minutes for the inactivity aging type with aging enabled for the configured secure addresses on the interface:
Switch(config-if)# switchport port-security aging time 2
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# switchport port-security aging static
You can verify the previous commands by entering the show port-security interface interface-id privileged EXEC command.
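The aging rules from the procedure above (absolute versus inactivity type, the static keyword, time 0 meaning disabled, and no aging of sticky addresses), as an added Python model that is not part of the guide. AgingPort, Entry and the two demo timelines are constructed here; times are in minutes, and the model ignores the one-minute timer jitter the guide mentions for absolute aging.

```python
# Added example, not from the Catalyst guide: a model of port-security aging.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

STATIC, DYNAMIC, STICKY = "static", "dynamic", "sticky"


@dataclass
class Entry:
    kind: str
    added: float       # minute at which the address was learned or configured
    last_seen: float   # minute of the most recent frame from it


@dataclass
class AgingPort:
    aging_time: int = 0              # minutes; 0 means aging disabled (guide default)
    aging_type: str = "absolute"     # guide default when aging is enabled
    static: bool = False             # switchport port-security aging static
    table: Dict[str, Entry] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not 0 <= self.aging_time <= 1440:
            raise ValueError("aging time must be 0 to 1440 minutes")
        if self.aging_type not in ("absolute", "inactivity"):
            raise ValueError("aging type must be absolute or inactivity")

    def add(self, mac: str, kind: str, now: float) -> None:
        self.table[mac] = Entry(kind, now, now)

    def traffic(self, mac: str, now: float) -> None:
        """Record a frame from a secure address (only matters for inactivity aging)."""
        if mac in self.table:
            self.table[mac].last_seen = now

    def expire(self, now: float) -> List[str]:
        """Remove aged-out addresses and return their MACs. Sticky addresses never
        age (the guide says the switch does not support that); static addresses
        age only when the static keyword is configured on the port."""
        if self.aging_time == 0:
            return []
        removed = []
        for mac, e in list(self.table.items()):
            if e.kind == STICKY or (e.kind == STATIC and not self.static):
                continue
            reference = e.added if self.aging_type == "absolute" else e.last_seen
            if now - reference >= self.aging_time:
                removed.append(mac)
                del self.table[mac]
        return removed


def demo_absolute() -> Tuple[List[str], List[str]]:
    """aging time 120 (absolute): the dynamic entry goes at 120 min despite traffic;
    static (no 'aging static') and sticky entries stay."""
    p = AgingPort(aging_time=120)
    p.add("0000.0000.000a", DYNAMIC, now=0)
    p.add("0000.0200.0003", STATIC, now=0)
    p.add("0003.fd62.21d3", STICKY, now=0)
    p.traffic("0000.0000.000a", now=119)
    return p.expire(now=119), p.expire(now=120)


def demo_inactivity_static() -> Tuple[List[str], List[str]]:
    """aging time 2, type inactivity, aging static: only silent addresses go,
    and the static one is eligible because static aging is enabled."""
    p = AgingPort(aging_time=2, aging_type="inactivity", static=True)
    p.add("0000.0000.000a", DYNAMIC, now=0)
    p.add("0000.0200.0003", STATIC, now=0)
    p.traffic("0000.0000.000a", now=1.5)
    return p.expire(now=2), p.expire(now=3.5)


def demo_disabled() -> List[str]:
    """Default aging time 0: nothing ever ages out."""
    p = AgingPort()
    p.add("0000.0000.000a", DYNAMIC, now=0)
    return p.expire(now=100000)


if __name__ == "__main__":
    print("absolute:", demo_absolute())
    print("inactivity+static:", demo_inactivity_static())
    print("disabled:", demo_disabled())
```

The inactivity timeline is the one to study: the dynamic address that sent a frame at minute 1.5 survives the sweep at minute 2 and is removed at minute 3.5, while the static address, silent since minute 0, is removed at minute 2 only because aging static was configured.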
Displaying Port-Based Traffic Control Settings

To display traffic control information, use one or more of these privileged EXEC commands:

show interfaces [interface-id] switchport
    Displays the administrative and operational status of all switching (nonrouting) ports or the specified port, including port protection settings.
show storm-control [interface-id] [broadcast | multicast | unicast]
    Displays storm control suppression levels set on all interfaces or the specified interface for the specified traffic type or for broadcast traffic if no traffic type is entered.
show interfaces [interface-id] counters broadcast
    Displays the storm-control broadcast suppression discard counter with the number of packets discarded for all interfaces or the specified interface.
show interfaces [interface-id] counters multicast
    Displays the storm-control multicast suppression discard counter with the number of packets discarded for all interfaces or the specified interface.
show interfaces [interface-id] counters unicast
    Displays the storm-control unicast suppression discard counter with the number of packets discarded for all interfaces or the specified interface.
show port-security [interface interface-id]
    Displays port security settings for the switch or for the specified interface, including the maximum allowed number of secure MAC addresses for each interface, the number of secure MAC addresses on the interface, the number of security violations that have occurred, and the violation mode.
show port-security [interface interface-id] address
    Displays all secure MAC addresses configured on all switch interfaces or on a specified interface with aging information for each address.