Core issue

An incorrect switchport mode configuration causes the inability to configure port security on a switch in the Catalyst 2950 or 3550 series.

Resolution

A port on a Catalyst 2950 or 3550 model must first be configured as an access port in order to configure port security. Set the interface mode as access by issuing the interface configuration switchport mode access command. An interface in the default mode (dynamic desirable) cannot be configured as a secure port.

These are some other guidelines for configuring port security:

• Port security can only be configured on static access ports. 
• A secure port cannot be a dynamic access port or a trunk port. 
• A secure port cannot be a destination port for Switch Port Analyzer (SPAN). 
• A secure port cannot belong to an EtherChannel port group. 
• A secure port cannot be an 802.1X port. 
• You cannot configure static secure MAC addresses in the voice VLAN.

When you enable port security on a voice VLAN port, you must set the maximum allowed secure addresses on the port to at least two. When the port is connected to a Cisco IP phone, the IP phone requires two MAC addresses: one for the access VLAN and the other for the voice VLAN. Connecting a PC to the IP phone requires additional MAC addresses.

When port security is enabled on a port, the secure addresses on the port are deleted only if they are inactive for the specified aging time.You can issue the port security aging or switchport port-security aging time command to set the aging time for all dynamic and static secure addresses on a port.

For more information on port security, refer to Understanding Port Security section of the document Configuring Port-Based Traffic Control.

Note: Port security can be configured on static access ports or trunk ports in Catalyst 3750 switches.