It can be less than or equal to the rising threshold level. Specify the action to be taken when a storm is detected. The default is to filter out the traffic and not to send traps. Verify the storm control suppression levels set on the interface for the specified traffic type.
If you do not enter a traffic type, broadcast storm-control settings are displayed. This example shows how to enable unicast storm control on a port with a percent rising suppression level and a percent falling suppression level. This example shows how to enable broadcast address storm control on a port to a level of 20 percent. When the broadcast traffic exceeds the configured level of 20 percent of the total available bandwidth of the port within the traffic-storm-control interval, the switch drops all broadcast traffic until the end of the traffic-storm-control interval.
Incoming VLAN-tagged packets smaller than 67 bytes are considered small frames. They are forwarded by the switch, but they do not cause the switch storm-control counters to increment. You globally enable the small-frame arrival feature on the switch and then configure the small-frame threshold for packets on each interface. Packets smaller than the minimum size and arriving at a specified rate (the threshold) are dropped because the port is error disabled. If the errdisable recovery cause small-frame global configuration command is entered, the port is re-enabled after a specified time.
You specify the recovery time by using the errdisable recovery global configuration command. Beginning in privileged EXEC mode, follow these steps to configure the threshold level for each interface. (Optional) Specify the time to recover from the specified error-disabled state. (Optional) Configure the recovery time for error-disabled ports so that they are automatically re-enabled after they are error disabled by the arrival of small frames.
Enter interface configuration mode, and specify the interface to be configured. Configure the threshold rate at which the interface drops incoming packets and error disables the port. The range is 1 to 10, packets per second (pps). This example shows how to enable the small-frame arrival-rate feature, configure the port recovery time, and configure the threshold for error disabling a port. Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor.
In such an environment, the use of protected ports ensures that there is no exchange of unicast, broadcast, or multicast traffic between these ports on the switch. Data traffic cannot be forwarded between protected ports at Layer 2; only control traffic, such as PIM packets, is forwarded because these packets are processed by the CPU and forwarded in software. All data traffic passing between protected ports must be forwarded through a Layer 3 device.
Because a switch stack represents a single logical switch, Layer 2 traffic is not forwarded between any protected ports in the switch stack, whether they are on the same or different switches in the stack. You can configure protected ports on a physical interface (for example, Gigabit Ethernet port 1) or an EtherChannel group (for example, port-channel 5). When you enable protected ports for a port channel, it is enabled for all ports in the port-channel group.
Do not configure a private-VLAN port as a protected port. Do not configure a protected port as a private-VLAN port. A private-VLAN isolated port does not forward traffic to other isolated ports or community ports. Beginning in privileged EXEC mode, follow these steps to define a port as a protected port.
To disable a protected port, use the no switchport protected interface configuration command. By default, the switch floods packets with unknown destination MAC addresses out of all ports. If unknown unicast and multicast traffic is forwarded to a protected port, there could be security issues. To prevent unknown unicast or multicast traffic from being forwarded from one port to another, you can block a port (protected or nonprotected) from flooding unknown unicast or multicast packets to other ports.
Note With multicast traffic, the port blocking feature blocks only pure Layer 2 packets. Multicast packets that contain IPv4 or IPv6 information in the header are not blocked. The default is to not block flooding of unknown multicast and unicast traffic out of a port, but to flood these packets to all ports. Note The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group. Beginning in privileged EXEC mode, follow these steps to disable the flooding of unicast and Layer 2 multicast packets out of an interface.
Note Only pure Layer 2 multicast traffic is blocked. This example shows how to block unicast and Layer 2 multicast flooding on a port. You can use the port security feature to restrict input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses.
If you limit the number of secure MAC addresses to one and assign a single secure MAC address, the workstation attached to that port is assured the full bandwidth of the port. If a port is configured as a secure port and the maximum number of secure MAC addresses is reached, when the MAC address of a station attempting to access the port is different from any of the identified secure MAC addresses, a security violation occurs.
Also, if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged. You configure the maximum number of secure addresses allowed on a port by using the switchport port-security maximum value interface configuration command. Note If you try to set the maximum value to a number less than the number of secure addresses already configured on an interface, the command is rejected.
If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them. You can configure an interface to convert the dynamic MAC addresses to sticky secure MAC addresses and to add them to the running configuration by enabling sticky learning. To enable sticky learning, enter the switchport port-security mac-address sticky interface configuration command. When you enter this command, the interface converts all the dynamic secure MAC addresses, including those that were dynamically learned before sticky learning was enabled, to sticky secure MAC addresses.
All sticky secure MAC addresses are added to the running configuration. The sticky secure MAC addresses do not automatically become part of the configuration file, which is the startup configuration used each time the switch restarts. If you save the sticky secure MAC addresses in the configuration file, when the switch restarts, the interface does not need to relearn these addresses.
If you do not save the sticky secure addresses, they are lost. If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration. The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system.
You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs. You are not notified that a security violation has occurred. Note We do not recommend configuring the protect violation mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit. In this mode, you are notified that a security violation has occurred. An SNMP trap is sent, a syslog message is logged, and the violation counter increments. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
This is the default mode. In this mode, the VLAN is error disabled instead of the entire port when a violation occurs. The port shuts down when the maximum number of secure MAC addresses is exceeded. A secure port cannot be a dynamic access port. Note Voice VLAN is only supported on access ports and not on trunk ports, even though the configuration is allowed. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
If the new value is less than the previous value and the number of configured secure addresses on the interface exceeds the new value, the command is rejected. Beginning in privileged EXEC mode, follow these steps to restrict input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port.
Catalyst 3750-E and 3560-E Switch Software Configuration Guide, Release 12.2(55)SE
Set the interface switchport mode as access or trunk; an interface in the default mode (dynamic auto) cannot be configured as a secure port. (Optional) Set the maximum number of secure MAC addresses for the interface. Enter one of these options after you enter the vlan keyword. (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these.
Note We do not recommend configuring the protect mode on a trunk port. Note When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command. (Optional) Enter a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. Note If you enable sticky learning after you enter this command, the secure addresses that were dynamically learned are converted to sticky secure MAC addresses and are added to the running configuration.
(Optional) Enter a sticky secure MAC address, repeating the command as many times as necessary. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned, are converted to sticky secure MAC addresses, and are added to the running configuration. Note If you do not enable sticky learning before this command is entered, an error message appears, and you cannot enter a sticky secure MAC address. To return the interface to the default condition (not a secure port), use the no switchport port-security interface configuration command.
If you enter this command when sticky learning is enabled, the sticky secure addresses remain part of the running configuration but are removed from the address table. All addresses are now dynamically learned. To return the interface to the default number of secure MAC addresses, use the no switchport port-security maximum value interface configuration command.
To disable sticky learning on an interface, use the no switchport port-security mac-address sticky interface configuration command. The interface converts the sticky secure MAC addresses to dynamic secure addresses.
However, if you have previously saved the configuration with the sticky MAC addresses, you should save the configuration again after entering the no switchport port-security mac-address sticky command, or the sticky addresses will be restored if the switch reboots. To delete a specific secure MAC address from the address table, use the no switchport port-security mac-address mac-address interface configuration command. To delete all dynamic secure addresses on an interface from the address table, enter the no switchport port-security interface configuration command followed by the switchport port-security command to re-enable port security on the interface.
If you use the no switchport port-security mac-address sticky interface configuration command to convert sticky secure MAC addresses to dynamic secure MAC addresses before entering the no switchport port-security command, all secure addresses on the interface except those that were manually configured are deleted. You must specifically delete configured secure MAC addresses from the address table by using the no switchport port-security mac-address mac-address interface configuration command. This example shows how to enable port security on a port and to set the maximum number of secure addresses to The violation mode is the default, no static secure MAC addresses are configured, and sticky learning is enabled.
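The port-security, protected-port and port-blocking rules in this chapter are the kind of thing a reviewer checks across a whole running configuration rather than one interface at a time. The script below is an added example, not Cisco code: it parses the interface blocks of an IOS-style configuration (the sample config is constructed) and flags the conditions the text describes, including port security on an interface still in dynamic auto mode, protect mode on a trunk, more static secure addresses than the configured maximum, sticky addresses that are lost unless the configuration is saved, and protected ports that still flood unknown unicast or multicast traffic. The rule set and finding wording are this example's own assumptions.

```python
"""Audit an IOS-style running-config for the port-based traffic-control
settings described in this chapter.  Added example, not Cisco code."""
import re
from typing import Dict, List, Optional

# Constructed sample configuration (not taken from the guide).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 switchport port-security
 switchport port-security violation protect
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security mac-address 0011.2233.4466
!
interface GigabitEthernet1/0/4
 switchport port-security
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport protected
 switchport block unicast
"""

STATIC_MAC = re.compile(
    r"switchport port-security mac-address [0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [its indented configuration lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or a top-level line ends the block
    return interfaces


def audit_interface(name: str, lines: List[str]) -> List[str]:
    """Apply this chapter's configuration rules to one interface."""
    findings: List[str] = []
    mode = "dynamic auto"      # switchport default when no mode is set
    violation = "shutdown"     # default violation mode per the text
    maximum: Optional[int] = None
    static_macs = 0
    for line in lines:
        if line.startswith("switchport mode "):
            mode = line[len("switchport mode "):]
        elif line.startswith("switchport port-security maximum "):
            maximum = int(line.split()[3])
        elif line.startswith("switchport port-security violation "):
            violation = line.split()[3]
        elif STATIC_MAC.match(line):
            static_macs += 1
    secure = "switchport port-security" in lines
    if secure and mode not in ("access", "trunk"):
        findings.append(f"{name}: port security needs mode access or trunk; "
                        f"'{mode}' is rejected by the switch")
    if secure and mode == "trunk" and violation == "protect":
        findings.append(f"{name}: protect violation mode on a trunk port "
                        "disables learning when any VLAN hits its limit")
    if secure and maximum is not None and static_macs > maximum:
        findings.append(f"{name}: {static_macs} static secure addresses "
                        f"exceeds maximum {maximum}; command is rejected")
    if mode == "access" and not secure:
        findings.append(f"{name}: access port without port security")
    if "switchport port-security mac-address sticky" in lines:
        findings.append(f"{name}: sticky addresses are lost on reload "
                        "unless the running configuration is saved")
    if "switchport protected" in lines:
        for kind in ("unicast", "multicast"):
            if f"switchport block {kind}" not in lines:
                findings.append(f"{name}: protected port still floods "
                                f"unknown {kind}; add switchport block {kind}")
    return findings


def audit_config(config: str) -> Dict[str, List[str]]:
    return {n: audit_interface(n, ls) for n, ls in parse_interfaces(config).items()}


if __name__ == "__main__":
    for iface, found in audit_config(SAMPLE_CONFIG).items():
        print(iface, "->", found or ["ok"])
```

Feed it the output of show running-config from a switch to get one finding list per interface; an empty list means none of the chapter's rules fired for that port.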
You can use port security aging to set the aging time for all secure addresses on a port. Two types of aging are supported per port. Use this feature to remove and add devices on a secure port without manually deleting the existing secure MAC addresses and to still limit the number of secure addresses on a port. You can enable or disable the aging of secure addresses on a per-port basis.
Beginning in privileged EXEC mode, follow these steps to configure port security aging. Enable or disable static aging for the secure port, or set the aging time or type. Note The switch does not support port security aging of sticky secure addresses. Enter static to enable aging for statically configured secure addresses on this port. For time, specify the aging time for this port. The valid range is from 0 to minutes. All the secure addresses on this port age out exactly after the specified time (in minutes) lapses and are removed from the secure address list.
The secure addresses on this port age out only if there is no data traffic from the secure source addresses for the specified time period. To disable port security aging for all secure addresses on a port, use the no switchport port-security aging time interface configuration command. This strategy effectively builds a self-organizing tree of NTP speakers.
NTP avoids synchronizing to a device whose time might not be accurate by never synchronizing to a device that is not itself synchronized. NTP also compares the time reported by several devices and does not synchronize to a device whose time is significantly different from the others, even if its stratum is lower. The communications between devices running NTP (known as associations) are usually statically configured; each device is given the IP address of all devices with which it should form associations.
Accurate timekeeping is possible by exchanging NTP messages between each pair of devices with an association. This alternative reduces configuration complexity because each device can simply be configured to send or receive broadcast messages. However, in that case, information flow is one-way only. The time kept on a device is a critical resource; you should use the security features of NTP to avoid the accidental or malicious setting of an incorrect time.
Two mechanisms are available: We recommend that the time service for your network be derived from the public NTP servers available on the IP Internet. Figure shows a typical network example using NTP. Other devices then synchronize to that device through NTP. When multiple sources of time are available, NTP is always considered to be more authoritative. NTP time overrides the time set by any other method.
Several manufacturers include NTP software for their host systems, and a publicly available version for systems running UNIX and its various derivatives is also available. This software allows host systems to be time-synchronized as well. NTP version 4 is implemented on the switch. You cannot disable NTP packets from being received on access ports. If no other source of time is available, you can manually configure the time and date after the system is restarted.
The time remains accurate until the next system restart. We recommend that you use manual configuration only as a last resort. If you have an outside source to which the switch can synchronize, you do not need to manually set the system clock. Note You must reset this setting if you have manually set the system clock and the stack master fails and a different stack member resumes the role of stack master.
Catalyst 3750 Switch Software Configuration Guide, Cisco IOS Release 15.0(1)SE
If you have an outside source on the network that provides time services, such as an NTP server, you do not need to manually set the system clock. Beginning in privileged EXEC mode, follow these steps to set the system clock. Manually set the system clock using one of these formats. This example shows how to manually set the system clock to 1: To display the time and date configuration, use the show clock [detail] privileged EXEC command.
The system clock keeps an authoritative flag that shows whether the time is authoritative (believed to be accurate). If the system clock has been set by a timing source such as NTP, the flag is set. If the time is not authoritative, it is used only for display purposes. The symbol that precedes the show clock display has this meaning. Beginning in privileged EXEC mode, follow these steps to manually configure the time zone. The switch keeps internal time in universal time coordinated (UTC), so this command is used only for display purposes and when the time is manually set.
(Optional) Save your entries in the configuration file. The minutes-offset variable in the clock timezone global configuration command is available for those cases where a local time zone is a percentage of an hour different from UTC. In this case, the necessary command is clock timezone AST -3 To set the time to UTC, use the no clock timezone global configuration command.
Beginning in privileged EXEC mode, follow these steps to configure summer time (daylight saving time) in areas where it starts and ends on a particular day of the week each year. Configure summer time to start and end on the specified days every year. Summer time is disabled by default. If you specify clock summer-time zone recurring without parameters, the summer time rules default to the United States rules. The first part of the clock summer-time global configuration command specifies when summer time begins, and the second part specifies when it ends.
All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the southern hemisphere. This example shows how to specify that summer time starts on the first Sunday in April at Beginning in privileged EXEC mode, follow these steps if summer time in your area does not follow a recurring pattern (configure the exact date and time of the next summer time events).
Configure summer time to start on the first date and end on the second date. To disable summer time, use the no clock summer-time global configuration command. This example shows how to set summer time to start on October 12, , at You configure the system name on the switch to identify it.
By default, the system name and prompt are Switch. If you have not configured a system prompt, the first 20 characters of the system name are used as the system prompt. The prompt is updated whenever the system name changes. If you are accessing a stack member through the stack master, you must use the session stack-member-number privileged EXEC command. The stack member number range is from 1 through 9. When you use this command, the stack member number is appended to the system prompt. For example, Switch-2 is the prompt in privileged EXEC mode for stack member 2, and the system prompt for the switch stack is Switch.
The default switch system name and prompt is Switch. Beginning in privileged EXEC mode, follow these steps to manually configure a system name. The default setting is switch. Names must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphens.
Names can be up to 63 characters. When you set the system name, it is also used as the system prompt. To return to the default hostname, use the no hostname global configuration command. When you configure DNS on your switch, you can substitute the hostname for the IP address with all IP commands, such as ping, telnet, connect, and related Telnet support operations.
IP defines a hierarchical naming scheme that allows a device to be identified by its location or domain. Domain names are pieced together with periods. For example, Cisco Systems is a commercial organization that IP identifies by a com domain name, so its domain name is cisco. To keep track of domain names, IP has defined the concept of a domain name server, which holds a cache or database of names mapped to IP addresses. To map domain names to IP addresses, you must first identify the hostnames, specify the name server that is present on your network, and enable the DNS.
Table shows the default DNS configuration. Define a default domain name that the software uses to complete unqualified hostnames (names without a dotted-decimal domain name). Do not include the initial period that separates an unqualified name from the domain name. Specify the address of one or more name servers to use for name and address resolution. You can specify up to six name servers. Separate each server address with a space.
The first server specified is the primary server. The switch sends DNS queries to the primary server first. If that query fails, the backup servers are queried. Optional Enable DNS-based hostname-to-address translation on your switch. This feature is enabled by default. If your network devices require connectivity with devices in networks for which you do not control name assignment, you can dynamically assign device names that uniquely identify your devices by using the global Internet naming scheme DNS. If you configure a hostname that contains no periods.
The default domain name is the value set by the ip domain-name global configuration command. If there is a period. To remove a domain name, use the no ip domain-name name global configuration command. To remove a name server address, use the no ip name-server server-address global configuration command. To disable DNS on the switch, use the no ip domain-lookup global configuration command.
You can configure a message-of-the-day (MOTD) banner and a login banner. The MOTD banner displays on all connected terminals at login and is useful for sending messages that affect all network users (such as impending system shutdowns). The login banner also displays on all connected terminals. It appears after the MOTD banner and before the login prompts. You can create a single-line or multiline message banner that appears on the screen when someone logs in to the switch. For c, enter the delimiting character of your choice, for example, a pound sign, and press the Return key.
The delimiting character signifies the beginning and end of the banner text. Characters after the ending delimiter are discarded. For message, enter a banner message up to characters. You cannot use the delimiting character in the message.
To delete the MOTD banner, use the no banner motd global configuration command. This example shows how to configure a MOTD banner for the switch by using the pound-sign symbol as the beginning and ending delimiter. This example shows the banner that appears from the previous configuration. You can configure a login banner to be displayed on all connected terminals.
This banner appears after the MOTD banner and before the login prompt. Beginning in privileged EXEC mode, follow these steps to configure a login banner. For message, enter a login message up to characters. To delete the login banner, use the no banner login global configuration command. The MAC address table contains address information that the switch uses to forward traffic between ports.
All MAC addresses in the address table are associated with one or more ports. The address table includes these types of addresses. Note For complete syntax and usage information for the commands used in this section, see the command reference for this release. With multiple MAC addresses supported on all ports, you can connect any port on the switch to individual workstations, repeaters, switches, routers, or other network devices.
The switch provides dynamic addressing by learning the source address of packets it receives on each port and adding the address and its associated port number to the address table. As stations are added or removed from the network, the switch updates the address table, adding new dynamic addresses and aging out those that are not in use. The aging interval is globally configured on a standalone switch or on the switch stack. The switch sends packets between any combination of ports, based on the destination address of the received packet. Using the MAC address table, the switch forwards the packet only to the port associated with the destination address.
If the destination address is on the port that sent the packet, the packet is filtered and not forwarded. The switch always uses the store-and-forward method: All addresses are associated with a VLAN. An address can exist in more than one VLAN and have different destinations in each. Each VLAN maintains its own logical address table.
The MAC address tables on all stack members are synchronized. At any given time, each stack member has the same copy of the address tables for each VLAN. When an address ages out, the address is removed from the address tables on all stack members. When a switch joins a switch stack, that switch receives the addresses for each VLAN learned on the other stack members. When a stack member leaves the switch stack, the remaining stack members age out or remove all addresses learned by the former stack member.
Table shows the default MAC address table configuration. Dynamic addresses are source MAC addresses that the switch learns and then ages when they are not in use. Setting too short an aging time can cause addresses to be prematurely removed from the table. Then when the switch receives a packet for an unknown destination, it floods the packet to all ports in the same VLAN as the receiving port.
This unnecessary flooding can impact performance. Setting too long an aging time can cause the address table to be filled with unused addresses, which prevents new addresses from being learned. Flooding results, which can impact switch performance. Beginning in privileged EXEC mode, follow these steps to configure the dynamic address table aging time.
Set the length of time that a dynamic entry remains in the MAC address table after the entry is used or updated. The range is 10 to seconds. The default is You can also enter 0, which disables aging. Static address entries are never aged or removed from the table.
For vlan-id, valid IDs are 1 to To return to the default value, use the no mac address-table aging-time global configuration command. To remove all dynamic entries, use the clear mac address-table dynamic command in privileged EXEC mode. You can also remove a specific MAC address (clear mac address-table dynamic address mac-address), remove all addresses on the specified physical port or port channel (clear mac address-table dynamic interface interface-id), or remove all addresses on a specified VLAN (clear mac address-table dynamic vlan vlan-id).
To verify that dynamic entries have been removed, use the show mac address-table dynamic privileged EXEC command. MAC address change notification tracks users on a network by storing the MAC address change activity. If you have many users coming and going from the network, you can set a trap-interval time to bundle the notification traps to reduce network traffic. Notifications are not generated for self addresses, multicast addresses, or other static addresses. Enable the MAC address change notification feature. Enter the trap interval time and the history table size.
Enable the MAC address change notification trap on the interface. To disable MAC address-change notification traps, use the no snmp-server enable traps mac-notification change global configuration command.
To disable the MAC address-change notification feature, use the no mac address-table notification change global configuration command. This example shows how to specify You can verify your settings by entering the show mac address-table notification change interface and the show mac address-table notification change privileged EXEC commands. To disable MAC address-move notification traps, use the no snmp-server enable traps mac-notification move global configuration command. To disable the MAC address-move notification feature, use the no mac address-table notification mac-move global configuration command.
You can verify your settings by entering the show mac address-table notification mac-move privileged EXEC command. When you configure MAC threshold notification, an SNMP notification is generated and sent to the network management system when a MAC address table threshold limit is reached or exceeded. Enable the MAC address threshold notification feature. Enter the threshold value for the MAC address threshold usage monitoring. To disable MAC address-threshold notification traps, use the no snmp-server enable traps mac-notification threshold global configuration command.
To disable the MAC address-threshold notification feature, use the no mac address-table notification threshold global configuration command. You can verify your settings by entering the show mac address-table notification threshold privileged EXEC command. A static address has these characteristics: You can add and remove static addresses and define the forwarding behavior for them. The forwarding behavior defines how a port that receives a packet forwards it to another port for transmission.
You can specify a different list of destination ports for each source port. A packet with a static address that arrives on a VLAN where it has not been statically entered is flooded to all ports and not learned. You add a static address to the address table by specifying the destination MAC unicast address and the VLAN from which it is received. Packets received with this destination address are forwarded to the interface specified with the interface-id option. Beginning in privileged EXEC mode, follow these steps to add a static address.
To remove static entries from the address table, use the no mac address-table static mac-addr vlan vlan-id [ interface interface-id ] global configuration command.