Cisco Switchport Security

Static access port with a configurable set of permitted MAC addresses. To use a dot1q trunk instead, configure the port as a trunk and look up the extra options: MAC addresses can be specified per VLAN on a dot1q trunk. The template sets one static MAC address and uses sticky mode for additional MAC addresses; duplicate the mac-address line for more statics. The violation mode is configurable. If you use protect or restrict, make sure the mls rate-limit statement is included to avoid hammering the CPU.

May 15, 2012
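Template variables:

%{NUMBER_OF_MAC_ADDRESSES}% - Range: 1 to 4097
%{MAC_ADDRESS}% - Cisco format: 0123.4567.89ab
%{TIME_IN_MINUTES}% - Range: 1 to 1440, default 0
%{RATE_PPS}% - Range: 10 to 1000000, no default
%{BURST_SIZE}% - Range: 1 to 255, default 10
%{VLAN_ID}% - VLAN ID (number)
%{VIOLATION_MODE}% - Options: protect, restrict, shutdown (default)
%{AGING_TYPE}% - Options: inactivity, absolute (default)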

! Interface configuration mode
switchport access vlan %{VLAN_ID}%
switchport mode access
switchport nonegotiate
switchport port-security
switchport port-security maximum %{NUMBER_OF_MAC_ADDRESSES}%
switchport port-security mac-address %{MAC_ADDRESS}%
switchport port-security mac-address sticky
switchport port-security violation %{VIOLATION_MODE}%
switchport port-security aging type %{AGING_TYPE}%
switchport port-security aging time %{TIME_IN_MINUTES}%
! Global configuration command, kept last so it does not end interface mode early.
! Needed when the violation mode is protect or restrict.
mls rate-limit layer2 port-security %{RATE_PPS}% %{BURST_SIZE}%
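
An added example (not part of the original template): a Python check that reads IOS configuration text and flags interfaces whose violation mode is protect or restrict while no global mls rate-limit layer2 port-security statement exists, plus interfaces that set port-security options without the enabling switchport port-security line. The sample configuration, the interface names and the audit function are constructed for illustration.

```python
import re

# Constructed sample configuration (not from the original page).
# Gi1/1 uses restrict; Gi1/2 sets an option but never enables the feature.
SAMPLE = """\
interface GigabitEthernet1/1
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0123.4567.89ab
 switchport port-security violation restrict
!
interface GigabitEthernet1/2
 switchport mode access
 switchport port-security maximum 1
!
"""

ENABLE = "switchport port-security"
RATE_LIMIT = re.compile(r"^mls rate-limit layer2 port-security \d+", re.M)
STANZA = re.compile(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", re.M)


def audit(config):
    """Return (interface, finding) tuples in the order the interfaces appear."""
    findings = []
    has_rate_limit = bool(RATE_LIMIT.search(config))
    for match in STANZA.finditer(config):
        name = match.group(1)
        lines = [line.strip() for line in match.group(2).splitlines()]
        ps_lines = [line for line in lines if line.startswith(ENABLE)]
        if not ps_lines:
            continue  # port security not configured on this interface
        if ENABLE not in ps_lines:
            findings.append((name, "options set but port-security not enabled"))
            continue
        mode = "shutdown"  # default violation mode when no violation line is present
        for line in ps_lines:
            parts = line.split()
            if parts[2:3] == ["violation"] and len(parts) > 3:
                mode = parts[3]
        if mode in ("protect", "restrict") and not has_rate_limit:
            findings.append((name, f"violation {mode} without mls rate-limit"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE):
        print(f"{interface}: {finding}")
```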