From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Wed Jun 30 2004 - 12:57:39 GMT-3
Technically any of them. Restrict and protect stop traffic from
insecure addresses but allow traffic from secure addresses. The
difference between them is that restrict will generate an snmp/syslog
message when the violation occurs. Shutdown will put the interface into
err-disabled state (up/down).
So ask yourself, in which of these cases *are* frames from a MAC
address not in the list of acceptable source MACs allowed to get
through? :)
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie2be
> Sent: Wednesday, June 30, 2004 10:37 AM
> To: Joseph D. Phillips; group study
> Subject: Re: Switchport port-security violation options
>
> Hey Joseph,
>
> The answer is in the last part of your question. Shutdown puts the
> interface in "error-disabled".
>
> The 3550 command reference has a number of commands related to err-disable.
> Personally, I suspect it would be useful to you to be familiar with these
> commands if you actually use the 3550 in a production network or if you plan
> to take the lab.
>
> HTH
> ----- Original Message -----
> From: "Joseph D. Phillips" <josephdphillips@fastmail.us>
> To: "group study" <ccielab@groupstudy.com>
> Sent: Wednesday, June 30, 2004 11:03 AM
> Subject: Switchport port-security violation options
>
>
> > Between "restrict" and "shutdown," which option would "disable" a
> > switchport receiving frames from a MAC address not in its list of
> > acceptable source MACs?
> >
> > Step 6
> >
> > switchport port-security violation {protect | restrict | shutdown}
> >
> > (Optional) Set the violation mode, the action to be taken when a
> > security violation is detected, as one of these:
> >
> > protect: When the number of secure MAC addresses reaches the limit
> > allowed on the port, packets with unknown source addresses are dropped
> > until you remove a sufficient number of secure MAC addresses or increase
> > the number of maximum allowable addresses. You are not notified that a
> > security violation has occurred.
> >
> > Note: We do not recommend enabling the protect mode on a trunk port.
> > The protect mode disables learning when any VLAN reaches its maximum
> > limit, even if the port has not reached its maximum limit.
> >
> > restrict: When the number of secure MAC addresses reaches the limit
> > allowed on the port, packets with unknown source addresses are dropped
> > until you remove a sufficient number of secure MAC addresses or increase
> > the number of maximum allowable addresses. In this mode, you are
> > notified that a security violation has occurred. Specifically, an SNMP
> > trap is sent, a syslog message is logged, and the violation counter
> > increments.
> >
> > shutdown: In this mode, a port security violation causes the interface
> > to immediately become error-disabled, and turns off the port LED. It
> > also sends an SNMP trap, logs a syslog message, and increments the
> > violation counter.
> >
> > Note: When a secure port is in the error-disabled state, you can bring
> > it out of this state by entering the errdisable recovery cause
> > psecure-violation global configuration command, or you can manually
> > re-enable it by entering the shutdown and no shutdown interface
> > configuration commands.
> >
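As an added illustration (not part of the thread and not Cisco code), the following Python model runs the same frame sequence through a port with maximum 1 in each of the three violation modes, so the difference Brian describes is visible in the results: the unknown MAC is dropped in every mode, restrict and shutdown additionally count and notify, and shutdown also drops the legitimate host afterwards because the interface is err-disabled. The MAC addresses, frame order and the notification strings are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed frame sequence: host A, host A again, an unknown host B, then host A.
FRAMES = ["aaaa.1111.0001", "aaaa.1111.0001", "bbbb.2222.0002", "aaaa.1111.0001"]


@dataclass
class SecurePort:
    """Simplified model of one port-security interface (illustration, not Cisco code)."""
    violation_mode: str                       # "protect", "restrict" or "shutdown"
    maximum: int = 1                          # switchport port-security maximum
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violation_count: int = 0
    notifications: list = field(default_factory=list)  # stand-in for SNMP trap + syslog

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        if self.err_disabled:
            return False                      # err-disabled: nothing passes, secure MACs included
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)     # dynamically learned secure address
            return True
        # Table full and source unknown: a violation, and the frame is dropped, in
        # every mode; the modes differ only in the side effects below.
        if self.violation_mode in ("restrict", "shutdown"):
            self.violation_count += 1
            self.notifications.append(f"psecure violation by {src_mac}")
        if self.violation_mode == "shutdown":
            self.err_disabled = True          # interface goes err-disabled, port LED off
        return False

    def recover(self) -> None:
        """Model errdisable recovery or shutdown / no shutdown on the interface."""
        self.err_disabled = False
        self.secure_macs.clear()              # model assumption: dynamic MACs flushed by the bounce


def run_scenario(mode: str) -> dict:
    """Send FRAMES through a max-1 port in the given mode and report what happened."""
    port = SecurePort(violation_mode=mode)
    forwarded = [port.receive(mac) for mac in FRAMES]
    return {"forwarded": forwarded, "violations": port.violation_count,
            "notified": bool(port.notifications), "err_disabled": port.err_disabled}
```

Calling `run_scenario("shutdown")` shows the fourth frame, from the legitimate host, being dropped as well, which is the operational cost of the shutdown mode that the thread's question is really about.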
This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:53 GMT-3