From: Joseph D. Phillips (josephdphillips@fastmail.us)
Date: Wed Jun 30 2004 - 12:03:12 GMT-3
Between "restrict" and "shutdown," which option would "disable" a
switchport receiving frames from a MAC address not in its list of
acceptable source MACs?
Step 6
*switchport port-security violation* {*protect* | *restrict* | *shutdown*}
(Optional) Set the violation mode, the action to be taken when a
security violation is detected, as one of these:
*protect*: When the number of secure MAC addresses reaches the limit
allowed on the port, packets with unknown source addresses are dropped
until you remove a sufficient number of secure MAC addresses or increase
the number of maximum allowable addresses. You are not notified that a
security violation has occurred.
*Note*: We do not recommend enabling the *protect* mode on a trunk port.
The *protect* mode disables learning when any VLAN reaches its maximum
limit, even if the port has not reached its maximum limit.
*restrict*: When the number of secure MAC addresses reaches the limit
allowed on the port, packets with unknown source addresses are dropped
until you remove a sufficient number of secure MAC addresses or increase
the number of maximum allowable addresses. In this mode, you are
notified that a security violation has occurred. Specifically, an SNMP
trap is sent, a syslog message is logged, and the violation counter
increments.
*shutdown*: In this mode, a port security violation causes the interface
to immediately become error-disabled, and turns off the port LED. It
also sends an SNMP trap, logs a syslog message, and increments the
violation counter.
*Note*: When a secure port is in the error-disabled state, you can bring
it out of this state by entering the *errdisable recovery cause*
/psecure-violation/ global configuration command, or you can manually
re-enable it by entering the *shutdown* and *no shutdown* interface
configuration commands.
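
The three violation modes described above, modelled on one port as an added example (not part of the original post or of the quoted Cisco documentation). The `SecurePort` class, its dynamic-learning behaviour, the limit of one address and the MAC addresses are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Simplified, hypothetical model of one access port with port security."""
    mode: str                       # "protect", "restrict" or "shutdown"
    maximum: int = 1                # assumed limit of secure MAC addresses
    secure_macs: set = field(default_factory=set)
    violations: int = 0             # violation counter
    notifications: list = field(default_factory=list)  # stands in for SNMP trap + syslog
    err_disabled: bool = False

    def receive(self, src_mac: str) -> str:
        if self.err_disabled:
            return "dropped (port err-disabled)"   # nothing passes, known MAC or not
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)          # learn until the limit is reached
            return "forwarded"
        # Limit reached and the source is unknown: security violation.
        if self.mode == "protect":
            return "dropped"                       # silent: no notification
        self.violations += 1
        self.notifications.append(f"violation by {src_mac}")
        if self.mode == "shutdown":
            self.err_disabled = True               # interface goes error-disabled
        return "dropped"

    def bounce(self) -> None:
        """Models entering 'shutdown' then 'no shutdown' on the interface."""
        self.err_disabled = False

# Constructed frames: a known host, an unknown host, then the known host again.
FRAMES = ["0000.aaaa.0001", "0000.bbbb.0002", "0000.aaaa.0001"]

def run(mode: str):
    """Return (per-frame results, violation count, notifications, err-disabled)."""
    port = SecurePort(mode)
    results = [port.receive(mac) for mac in FRAMES]
    return results, port.violations, len(port.notifications), port.err_disabled

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, run(mode))
```

Only the shutdown run ends with the port error-disabled, so the third frame, from the already-learned address, is dropped as well.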