Up to three Media Access Control (MAC) addresses will be stored in the running configuration. In this scenario, the switchport portsecurity maximum 3 command specifies that three MAC addresses are authorized to send traffic on port FastEthernet 0/1. MAC addresses can be configured statically or learned dynamically by port security. Dynamically learned MAC addresses are converted to sticky addresses and stored in the running configuration when the switchport port-security mac-address sticky command is issued on a port. Any MAC addresses that are not configured statically will be learned dynamically from incoming traffic, up to the maximum number of MAC addresses allowed to communicate on the port.
Because no MAC addresses have been statically configured in this scenario, all three MAC addresses will be learned dynamically. If the switchport port-security mac-address sticky command had not been issued, the switch would retain dynamically learned MAC addresses in the MAC address table but not in the running configuration.
Additionally, the switch will discard the traffic, log the unauthorized entry attempt, increment the Security Violation counter, and send a Simple Network Management Protocol (SNMP) trap message when a security violation occurs in this scenario. You can configure a switch to perform the following actions when a switch port with port security enabled receives traffic from a host with an unauthorized MAC address:
- Protect: The switch will discard the traffic.
- Restrict: The switch will discard the traffic, log the unauthorized entry attempt, increment the SecurityViolation counter, and send an SNMP trap message.
- Shutdown: The switch will discard the traffic, log the unauthorized entry attempt, increment the SecurityViolation counter, and place the port into the error-disabled state.
To configure the action that a switch will perform when unauthorized traffic is received on a switch port, you should issue the switchport portsecurity violation {protect | restrict | shutdown} command in interface configuration mode. By default, a switch port with port security enabled will be configured for shutdown mode. For example, the following commands would configure port security on SwitchA to use the default violation behavior:
SwitchA(config-if)#switchport port-security SwitchA(config-if)#switchport port-security maximum 3 SwitchA(config-if)#switchport port-security mac-address sticky
Because no switchport port-security violation command is issued in the output above, the switch will discard the traffic, log the unauthorized entry attempt, increment the Security Violation counter, and place the port into the errordisabled state when an unauthorized MAC address attempts to use the port.