From: ccie2be (ccie2be@nyc.rr.com)
Date: Wed Jun 30 2004 - 12:37:19 GMT-3
Hey Joseph,
The answer is in the last part of your question. Shutdown puts the
interface in "error-disabled".
The 3550 command reference has a number of commands related to err-disable.
Personally, I suspect it would be useful to you to be familiar with these
commands if you actually use the 3550 in a production network or if you plan
to take the lab.
HTH
----- Original Message -----
From: "Joseph D. Phillips" <josephdphillips@fastmail.us>
To: "group study" <ccielab@groupstudy.com>
Sent: Wednesday, June 30, 2004 11:03 AM
Subject: Switchport port-security violation options
> Between "restrict" and "shutdown," which option would "disable" a
> switchport receiving frames from a MAC address not in its list of
> acceptable source MACs?
>
> Step 6
>
> *switchport port-security violation* {*protect* | *restrict* | *shutdown*}
>
> (Optional) Set the violation mode, the action to be taken when a
> security violation is detected, as one of these:
>
> *protect*: When the number of secure MAC addresses reaches the limit
> allowed on the port, packets with unknown source addresses are dropped
> until you remove a sufficient number of secure MAC addresses or increase
> the number of maximum allowable addresses. You are not notified that a
> security violation has occurred.
>
> *Note:* We do not recommend enabling the *protect* mode on a trunk port.
> The *protect* mode disables learning when any VLAN reaches its maximum
> limit, even if the port has not reached its maximum limit.
>
> *restrict*: When the number of secure MAC addresses reaches the limit
> allowed on the port, packets with unknown source addresses are dropped
> until you remove a sufficient number of secure MAC addresses or increase
> the number of maximum allowable addresses. In this mode, you are
> notified that a security violation has occurred. Specifically, an SNMP
> trap is sent, a syslog message is logged, and the violation counter
> increments.
>
> *shutdown*: In this mode, a port security violation causes the interface
> to immediately become error-disabled, and turns off the port LED. It
> also sends an SNMP trap, logs a syslog message, and increments the
> violation counter.
>
> *Note:* When a secure port is in the error-disabled state, you can bring
> it out of this state by entering the *errdisable recovery cause
> psecure-violation* global configuration command, or you can manually
> re-enable it by entering the *shutdown* and *no shutdown* interface
> configuration commands.
This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:53 GMT-3
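
Added example, not part of the original thread: a small parser that reads switch syslog and separates ports that logged a port-security violation but stayed up (restrict) from ports that were also error-disabled (shutdown). The sample log lines are constructed, and the %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE message formats are assumed to match the usual IOS text; the mode is inferred from the log only.

```python
import re
from collections import defaultdict

# Constructed sample lines; message formats are an assumption modeled on the
# usual IOS %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE text.
SAMPLE_LOG = """\
Jun 30 11:02:10: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/5.
Jun 30 11:02:10: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5, putting Fa0/5 in err-disable state
Jun 30 11:04:31: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port FastEthernet0/7.
Jun 30 11:04:36: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00AA.BBCC.DDEE on port FastEthernet0/7.
Jun 30 11:09:02: %LINK-3-UPDOWN: Interface FastEthernet0/9, changed state to down
"""

VIOLATION = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION:.*MAC address ([0-9a-fA-F.]+) on port (\S+?)\.?$")
ERRDISABLE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+?),")

def short_name(port):
    """Normalize 'FastEthernet0/5' and 'Fa0/5' to the same key ('Fa0/5')."""
    m = re.match(r"([A-Za-z]+)([\d/]+)$", port)
    return (m.group(1)[:2].capitalize() + m.group(2)) if m else port

def summarize(log_text):
    """Return {port: {'violations', 'macs', 'err_disabled', 'mode'}}."""
    ports = defaultdict(lambda: {"violations": 0, "macs": set(), "err_disabled": False})
    for line in log_text.splitlines():
        line = line.rstrip()
        if (m := VIOLATION.search(line)):
            entry = ports[short_name(m.group(2))]
            entry["violations"] += 1
            entry["macs"].add(m.group(1).lower())
        elif (m := ERRDISABLE.search(line)):
            ports[short_name(m.group(1))]["err_disabled"] = True
    for entry in ports.values():
        # Inference from the log only: shutdown err-disables the port, restrict
        # logs and drops. protect never shows up here because it sends no
        # notification at all.
        entry["mode"] = "shutdown" if entry["err_disabled"] else "restrict"
    return dict(ports)

if __name__ == "__main__":
    for port, info in sorted(summarize(SAMPLE_LOG).items()):
        state = "err-disabled, needs recovery" if info["err_disabled"] else "up, dropping unknown sources"
        print(f"{port}: {info['violations']} violation(s), mode looks like {info['mode']}, {state}")
```

Ports reported as err-disabled stay down until errdisable recovery is configured or the interface is bounced with shutdown / no shutdown, as the quoted note describes.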