Home » Cisco Manuals » Hubs & Switches » Cisco 2950G 24 » Manual Viewer

Cisco 2950G 24 Software Configuration Guide - Page 420

Security Violations, port

UPC - 746320687711

Add to My Manuals
Save this manual to your list of manuals

Page 420 highlights

Configuring Port Security Chapter 18 Configuring Port-Based Traffic Control This is an example of text from the running configuration when sticky learning is enabled on an interface: ! interface FastEthernet0/2 switchport mode access switchport port-security switchport port-security maximum 6 switchport port-security aging time 5 switchport port-security aging static switchport port-security mac-address sticky switchport port-security mac-address 0000.0000.000b switchport port-security mac-address sticky 0000.0000.4141 switchport port-security mac-address sticky 0000.0000.5050 no ip address If port security is disabled, the sticky secure MAC addresses remain in the running configuration. To disable sticky learning, enter the no switchport port-security mac-address sticky interface configuration command. If sticky learning is disabled or the running configuration is removed, the sticky secure MAC addresses remain part of the running configuration but are removed from the address table. The addresses that were removed can be dynamically reconfigured and added to the address table as dynamic addresses. Note If sticky learning is disabled, when the switch restarts or the interface shuts down, all the addresses that were dynamically learned are removed. Security Violations It is a security violation when one of these situations occurs: • The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface. • An address learned or configured on one secure interface is seen on another secure interface in the same VLAN. You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs: • protect-when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value. • restrict-a port security violation restricts data and causes the SecurityViolation counter to increment. It also sends an SNMP trap when an address-security violation occurs. • shutdown-the interface is error-disabled when a security violation occurs. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode. 18-6 Catalyst 2950 Desktop Switch Software Configuration Guide 78-14982-01

Section	Page
Catalyst2950Desktop Switch Software Configuration Guide	1
Contents	3
Preface	25
Audience	25
Purpose	25
Organization	26
Conventions	28
Related Publications	29
Obtaining Documentation	29
World Wide Web	29
Documentation CD-ROM	30
Ordering Documentation	30
Documentation Feedback	30
Obtaining Technical Assistance	30
Cisco.com	31
Technical Assistance Center	31
Cisco TAC Website	31
Cisco TAC Escalation Center	32
Overview	33
Features	33
Management Options	39
Management Interface Options	39
Advantages of Using CMS and Clustering Switches	39
Network Configuration Examples	40
Design Concepts for Using the Switch	40
Small to Medium-Sized Network Configuration	43
Collapsed Backbone and Switch Cluster Configuration	45
Large Campus Configuration	46
Hotel Network Configuration	48
Multidwelling Network Using Catalyst 2950 Switches	50
Long-Distance, High-Bandwidth Transport Configuration	52
Where to Go Next	53
Using the Command-Line Interface	55
IOS Command Modes	55
Getting Help	57
Specifying Ports in Interface Configuration Mode	58
Abbreviating Commands	59
Using no and default Forms of Commands	59
Understanding CLI Messages	59
Using Command History	60
Changing the Command History Buffer Size	60
Recalling Commands	60
Disabling the Command History Feature	61
Using Editing Features	61
Enabling and Disabling Editing Features	61
Editing Commands through Keystrokes	62
Editing Command Lines that Wrap	63
Searching and Filtering Output of show and more Commands	64
Accessing the CLI	64
Accessing the CLI from a Browser	65
Getting Started with CMS	67
Features	68
Front Panel View	70
Cluster Tree	72
Front-Panel Images	73
Redundant Power System LED	74
Port Modes and LEDs	74
VLAN Membership Modes	75
Topology View	76
Topology Icons	78
Device and Link Labels	79
Colors in the Topology View	80
Topology Display Options	81
Menus and Toolbar	81
Menu Bar	81
Toolbar	86
Front Panel View Popup Menus	87
Device Popup Menu	87
Port Popup Menu	87
Topology View Popup Menus	88
Link Popup Menu	88
Device Popup Menus	89
Interaction Modes	91
Guide Mode	91
Expert Mode	91
Wizards	92
Tool Tips	92
Online Help	92
CMS Window Components	94
Host Name List	94
Tabs, Lists, and Tables	95
Filter Editor	95
Icons Used in Windows	95
Buttons	96
Accessing CMS	96
Access Modes in CMS	97
HTTP Access to CMS	98
Verifying Your Changes	98
Change Notification	98
Error Checking	98
Saving Your Configuration	99
Restoring Your Configuration	99
CMS Preferences	99
Using Different Versions of CMS	100
Where to Go Next	100
Assigning the Switch IP Address and Default Gateway	101
Understanding the Boot Process	101
Assigning Switch Information	102
Default Switch Information	103
Understanding DHCP-Based Autoconfiguration	103
DHCP Client Request Process	104
Configuring the DHCP Server	105
Configuring the TFTP Server	105
Configuring the DNS	106
Configuring the Relay Device	106
Obtaining Configuration Files	107
Example Configuration	108
Manually Assigning IP Information	110
Checking and Saving the Running Configuration	110
Configuring IE2100 CNS Agents	113
Understanding IE2100Series Configuration Registrar Software	113
CNS Configuration Service	114
CNS Event Service	115
NameSpace Mapper	115
What You Should Know About ConfigID, DeviceID, and Host Name	115
ConfigID	115
DeviceID	116
Host Name and DeviceID	116
Using Host Name, DeviceID, and ConfigID	116
Understanding CNS Embedded Agents	117
Initial Configuration	117
Incremental (Partial) Configuration	118
Synchronized Configuration	118
Configuring CNS Embedded Agents	118
Enabling Automated CNS Configuration	118
Enabling the CNS Event Agent	120
Enabling the CNS Configuration Agent	121
Enabling an Initial Configuration	121
Enabling a Partial Configuration	124
Displaying CNS Configuration	125
Clustering Switches	127
Understanding Switch Clusters	128
Command Switch Characteristics	129
Standby Command Switch Characteristics	129
Candidate Switch and Member Switch Characteristics	130
Planning a Switch Cluster	131
Automatic Discovery of Cluster Candidates and Members	131
Discovery through CDP Hops	132
Discovery through Non-CDP-Capable and Noncluster-Capable Devices	133
Discovery through the Same Management VLAN	134
Discovery through Different Management VLANs	135
Discovery of Newly Installed Switches	136
HSRP and Standby Command Switches	138
Virtual IP Addresses	139
Other Considerations for Cluster Standby Groups	139
Automatic Recovery of Cluster Configuration	141
IP Addresses	141
Host Names	142
Passwords	142
SNMP Community Strings	142
TACACS+ and RADIUS	143
Access Modes in CMS	143
Management VLAN	144
LRE Profiles	144
Availability of Switch-Specific Features in Switch Clusters	145
Creating a Switch Cluster	145
Enabling a Command Switch	145
Adding Member Switches	146
Creating a Cluster Standby Group	148
Verifying a Switch Cluster	150
Using the CLI to Manage Switch Clusters	151
Catalyst1900 and Catalyst2820 CLI Considerations	151
Using SNMP to Manage Switch Clusters	152
Administering the Switch	153
Preventing Unauthorized Access to Your Switch	153
Protecting Access to Privileged EXEC Commands	154
Default Password and Privilege Level Configuration	154
Setting or Changing a Static Enable Password	155
Protecting Enable and Enable Secret Passwords with Encryption	156
Disabling Password Recovery	157
Setting a Telnet Password for a Terminal Line	158
Configuring Username and Password Pairs	159
Configuring Multiple Privilege Levels	160
Setting the Privilege Level for a Command	160
Changing the Default Privilege Level for Lines	161
Logging into and Exiting a Privilege Level	162
Controlling Switch Access with TACACS+	162
Understanding TACACS+	162
TACACS+ Operation	164
Configuring TACACS+	164
Default TACACS+ Configuration	165
Identifying the TACACS+ Server Host and Setting the Authentication Key	165
Configuring TACACS+ Login Authentication	166
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services	168
Starting TACACS+ Accounting	169
Displaying the TACACS+ Configuration	169
Controlling Switch Access with RADIUS	170
Understanding RADIUS	170
RADIUS Operation	171
Configuring RADIUS	172
Default RADIUS Configuration	172
Identifying the RADIUS Server Host	172
Configuring RADIUS Login Authentication	175
Defining AAA Server Groups	177
Configuring RADIUS Authorization for User Privileged Access and Network Services	179
Starting RADIUS Accounting	180
Configuring Settings for All RADIUS Servers	181
Configuring the Switch to Use Vendor-Specific RADIUS Attributes	181
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication	182
Displaying the RADIUS Configuration	183
Configuring the Switch for Local Authentication and Authorization	184
Configuring the Switch for Secure Shell	185
Understanding SSH	185
Configuring SSH	185
Managing the System Time and Date	186
Understanding the System Clock	186
Understanding Network Time Protocol	186
Configuring NTP	188
Default NTP Configuration	189
Configuring NTP Authentication	189
Configuring NTP Associations	190
Configuring NTP Broadcast Service	191
Configuring NTP Access Restrictions	192
Configuring the Source IP Address for NTP Packets	194
Displaying the NTP Configuration	195
Configuring Time and Date Manually	195
Setting the System Clock	196
Displaying the Time and Date Configuration	196
Configuring the Time Zone	197
Configuring Summer Time (Daylight Saving Time)	198
Configuring a System Name and Prompt	200
Default System Name and Prompt Configuration	200
Configuring a System Name	200
Configuring a System Prompt	201
Understanding DNS	201
Default DNS Configuration	202
Setting Up DNS	202
Displaying the DNS Configuration	203
Creating a Banner	203
Default Banner Configuration	203
Configuring a Message-of-the-Day Login Banner	204
Configuring a Login Banner	205
Managing the MAC Address Table	206
Building the Address Table	206
MAC Addresses and VLANs	207
Default MAC Address Table Configuration	207
Changing the Address Aging Time	207
Removing Dynamic Address Entries	208
Configuring MAC Address Notification Traps	208
Adding and Removing Static Address Entries	210
Adding and Removing Secure Addresses	211
Displaying Address Table Entries	212
Managing the ARP Table	213
Switch Software Releases	213
Configuring 802.1X Port-Based Authentication	215
Understanding 802.1X Port-Based Authentication	215
Device Roles	216
Authentication Initiation and Message Exchange	217
Ports in Authorized and Unauthorized States	218
Supported Topologies	219
Configuring 802.1X Authentication	219
Default 802.1X Configuration	220
802.1X Configuration Guidelines	221
Enabling 802.1X Authentication	222
Configuring the Switch-to-RADIUS-Server Communication	223
Enabling Periodic Re-Authentication	224
Manually Re-Authenticating a Client Connected to a Port	225
Changing the Quiet Period	225
Changing the Switch-to-Client Retransmission Time	226
Setting the Switch-to-Client Frame-Retransmission Number	227
Enabling Multiple Hosts	227
Resetting the 802.1X Configuration to the Default Values	228
Displaying 802.1X Statistics and Status	228
Configuring the Switch Interfaces	229
Understanding Interface Types	229
Access Ports	230
Trunk Ports	230
Port-Based VLANs	231
EtherChannel Port Groups	231
Connecting Interfaces	231
Using the Interface Command	232
Procedures for Configuring Interfaces	232
Configuring a Range of Interfaces	234
Configuring and Using Interface-Range Macros	236
Configuring Switch Interfaces	237
Default Ethernet Interface Configuration	238
SFP Configuration	238
Configuring Interface Speed and Duplex Mode	239
Configuration Guidelines	240
Setting the Interface Speed and Duplex Parameters	241
Configuring Media Types for Gigabit Interfaces	242
Configuring IEEE 802.3X Flow Control on Gigabit Ethernet Ports	242
Adding a Description for an Interface	244
Monitoring and Maintaining the Interfaces	244
Monitoring Interface and Controller Status	244
Clearing and Resetting Interfaces and Counters	247
Shutting Down and Restarting the Interface	247
Configuring LRE	249
Ports on the 2950 LRE	249
LRE Links and LRE Profiles	250
LRE Profiles	250
LRE Sequences	252
CPE Ethernet Links	253
Configuring LRE Ports	253
Environmental Guidelines for LRE Links	254
Guidelines for Using LRE Profiles	255
CPE Ethernet Link Guidelines	255
Considerations for Connected Cisco 575 LRE CPEs	255
Considerations for Connected Cisco 585 LRE CPEs	256
Assigning a Global Profile to All LRE Ports	256
Assigning a Profile to a Specific LRE Port	257
Assigning a Global Sequence to All LRE Ports	257
Assigning a Sequence to a Specific LRE Port	258
Using Rate Selection to Automatically Assign Profiles	258
Precedence	259
Profile Locking	259
Link Qualification and SNR Margins	260
LRE Link Persistence	262
LRE Link Monitor	262
Upgrading LRE Switch Firmware	263
Configuring for an LRE Upgrade	263
Performing an LRE Upgrade	264
Global Configuration of LRE Upgrades	265
Controller Configuration of LRE Upgrades	265
LRE Upgrade Behavior Details	266
LRE Upgrade Example	266
Configuring STP	269
Understanding Spanning-Tree Features	269
STP Overview	270
Supported Spanning-Tree Instances	270
Bridge Protocol Data Units	270
Election of the Root Switch	271
Bridge ID, Switch Priority, and Extended System ID	272
Spanning-Tree Timers	272
Creating the Spanning-Tree Topology	273
Spanning-Tree Interface States	273
Blocking State	275
Listening State	275
Learning State	275
Forwarding State	275
Disabled State	276
Spanning-Tree Address Management	276
STP and IEEE 802.1Q Trunks	276
Spanning Tree and Redundant Connectivity	276
Accelerated Aging to Retain Connectivity	277
Configuring Spanning-Tree Features	277
Default STP Configuration	278
STP Configuration Guidelines	278
Disabling STP	280
Configuring the Root Switch	280
Configuring a Secondary Root Switch	282
Configuring the Port Priority	283
Configuring the Path Cost	284
Configuring the Switch Priority of a VLAN	286
Configuring the Hello Time	287
Configuring the Forwarding-Delay Time for a VLAN	287
Configuring the Maximum-Aging Time for a VLAN	288
Configuring STP for Use in a Cascaded Stack	288
Displaying the Spanning-Tree Status	289
Configuring RSTP and MSTP	291
Understanding RSTP	292
Port Roles and the Active Topology	292
Rapid Convergence	293
Synchronization of Port Roles	294
Bridge Protocol Data Unit Format and Processing	295
Processing Superior BPDU Information	296
Processing Inferior BPDU Information	296
Topology Changes	296
Understanding MSTP	297
Multiple Spanning-Tree Regions	297
IST, CIST, and CST	298
Operations Within an MST Region	298
Operations Between MST Regions	299
Hop Count	300
Boundary Ports	300
Interoperability with 802.1D STP	301
Configuring RSTP and MSTP Features	301
Default RSTP and MSTP Configuration	302
RSTP and MSTP Configuration Guidelines	302
Specifying the MST Region Configuration and Enabling MSTP	303
Configuring the Root Switch	304
Configuring a Secondary Root Switch	306
Configuring the Port Priority	307
Configuring the Path Cost	308
Configuring the Switch Priority	309
Configuring the Hello Time	309
Configuring the Forwarding-Delay Time	310
Configuring the Maximum-Aging Time	311
Configuring the Maximum-Hop Count	311
Specifying the Link Type to Ensure Rapid Transitions	312
Restarting the Protocol Migration Process	312
Displaying the MST Configuration and Status	313
Configuring Optional Spanning-Tree Features	315
Understanding Optional Spanning-Tree Features	315
Understanding Port Fast	316
Understanding BPDU Guard	317
Understanding BPDU Filtering	317
Understanding UplinkFast	318
Understanding Cross-Stack UplinkFast	319
How CSUF Works	320
Events That Cause Fast Convergence	321
Limitations	322
Connecting the Stack Ports	322
Understanding BackboneFast	324
Understanding Root Guard	326
Understanding Loop Guard	327
Configuring Optional Spanning-Tree Features	327
Default Optional Spanning-Tree Configuration	328
Enabling Port Fast	328
Enabling BPDU Guard	329
Enabling BPDU Filtering	330
Enabling UplinkFast for Use with Redundant Links	331
Enabling Cross-Stack UplinkFast	332
Enabling BackboneFast	333
Enabling Root Guard	333
Enabling Loop Guard	334
Displaying the Spanning-Tree Status	335
Configuring VLANs	337
Understanding VLANs	337
Supported VLANs	338
VLAN Port Membership Modes	339
Configuring Normal-Range VLANs	340
Token Ring VLANs	341
Normal-Range VLAN Configuration Guidelines	341
VLAN Configuration Mode Options	342
VLAN Configuration in config-vlan Mode	342
VLAN Configuration in VLAN Configuration Mode	342
Saving VLAN Configuration	343
Default Ethernet VLAN Configuration	344
Creating or Modifying an Ethernet VLAN	344
Deleting a VLAN	346
Assigning Static-Access Ports to a VLAN	347
Configuring Extended-Range VLANs	348
Default VLAN Configuration	348
Extended-Range VLAN Configuration Guidelines	348
Creating an Extended-Range VLAN	349
Displaying VLANs	350
Configuring VLAN Trunks	351
Trunking Overview	351
802.1Q Configuration Considerations	352
Default Layer 2 Ethernet Interface VLAN Configuration	353
Configuring an Ethernet Interface as a Trunk Port	353
Interaction with Other Features	353
Configuring a Trunk Port	354
Defining the Allowed VLANs on a Trunk	355
Changing the Pruning-Eligible List	356
Configuring the Native VLAN for Untagged Traffic	356
Load Sharing Using STP	357
Load Sharing Using STP Port Priorities	357
Load Sharing Using STP Path Cost	359
Configuring VMPS	360
Understanding VMPS	361
Dynamic Port VLAN Membership	361
VMPS Database Configuration File	362
Default VMPS Configuration	363
VMPS Configuration Guidelines	364
Configuring the VMPS Client	364
Entering the IP Address of the VMPS	364
Configuring Dynamic Access Ports on VMPS Clients	365
Reconfirming VLAN Memberships	366
Changing the Reconfirmation Interval	366
Changing the Retry Count	366
Monitoring the VMPS	367
Troubleshooting Dynamic Port VLAN Membership	367
VMPS Configuration Example	368
Configuring VTP	369
Understanding VTP	369
The VTP Domain	370
VTP Modes	371
VTP Advertisements	371
VTP Version 2	372
VTP Pruning	372
Configuring VTP	374
Default VTP Configuration	374
VTP Configuration Options	375
VTP Configuration in Global Configuration Modes	375
VTP Configuration in VLAN Configuration Mode	375
VTP Configuration Guidelines	376
Domain Names	376
Passwords	376
Upgrading from Previous Software Releases	376
VTP Version	377
Configuration Requirements	377
Configuring a VTP Server	377
Configuring a VTP Client	379
Disabling VTP (VTP Transparent Mode)	380
Enabling VTP Version 2	381
Enabling VTP Pruning	382
Adding a VTP Client Switch to a VTP Domain	383
Monitoring VTP	384
Configuring Voice VLAN	385
Understanding Voice VLAN	385
Configuring Voice VLAN	386
Default Voice VLAN Configuration	386
Voice VLAN Configuration Guidelines	387
Configuring a Port to Connect to a Cisco7960 IP Phone	387
Configuring Ports to Carry Voice Traffic in 802.1Q Frames	388
Configuring Ports to Carry Voice Traffic in 802.1P Priority Tagged Frames	388
Overriding the CoS Priority of Incoming Data Frames	389
Configuring the IP Phone to Trust the CoS Priority of Incoming Data Frames	390
Displaying Voice VLAN	390
Configuring IGMP Snooping and MVR	391
Understanding IGMP Snooping	391
Joining a Multicast Group	392
Leaving a Multicast Group	394
Immediate-Leave Processing	394
Configuring IGMP Snooping	395
Default IGMP Snooping Configuration	395
Enabling or Disabling IGMP Snooping	395
Setting the Snooping Method	396

Match case Limit results 1 per page

18-6

Catalyst 2950 Desktop Switch Software Configuration Guide

78-14982-01

Chapter 18

Configuring Port-Based Traffic Control

Configuring Port Security

This is an example of text from the running configuration when sticky learning is enabled on an

interface:

interface FastEthernet0/2

switchport mode access

switchport port-security

switchport port-security maximum 6

switchport port-security aging time 5

switchport port-security aging static

switchport port-security mac-address sticky

switchport port-security mac-address 0000.0000.000b

switchport port-security mac-address sticky 0000.0000.4141

switchport port-security mac-address sticky 0000.0000.5050

no ip address

If port security is disabled, the sticky secure MAC addresses remain in the running configuration.

To disable sticky learning, enter the

no switchport port-security mac-address sticky

interface

configuration command. If sticky learning is disabled or the running configuration is removed, the sticky

secure MAC addresses remain part of the running configuration but are removed from the address table.

The addresses that were removed can be dynamically reconfigured and added to the address table as

dynamic addresses.

Note

If sticky learning is disabled, when the switch restarts or the interface shuts down, all the addresses that

were dynamically learned are removed.

Security Violations

It is a security violation when one of these situations occurs:

•

The maximum number of secure MAC addresses have been added to the address table, and a station

whose MAC address is not in the address table attempts to access the interface.

•

An address learned or configured on one secure interface is seen on another secure interface in the

same VLAN.

You can configure the interface for one of three violation modes, based on the action to be taken if a

violation occurs:

•

protect—when the number of secure MAC addresses reaches the maximum limit allowed on the

port, packets with unknown source addresses are dropped until you remove a sufficient number of

secure MAC addresses to drop below the maximum value.

•

restrict—a port security violation restricts data and causes the SecurityViolation counter to

increment. It also sends an SNMP trap when an address-security violation occurs.

•

shutdown—the interface is error-disabled when a security violation occurs. When a secure port is

in the error-disabled state, you can bring it out of this state by entering the

errdisable recovery

cause

psecure-violation

global configuration command, or you can manually re-enable it by

entering the

shutdown

and

no shutdown

interface configuration commands. This is the default

mode.