Cisco 2950G 24 Software Configuration Guide - Page 420
Chapter 18 Configuring Port-Based Traffic Control
Configuring Port Security

This is an example of text from the running configuration when sticky learning is enabled on an interface:

    !
    interface FastEthernet0/2
     switchport mode access
     switchport port-security
     switchport port-security maximum 6
     switchport port-security aging time 5
     switchport port-security aging static
     switchport port-security mac-address sticky
     switchport port-security mac-address 0000.0000.000b
     switchport port-security mac-address sticky 0000.0000.4141
     switchport port-security mac-address sticky 0000.0000.5050
     no ip address

If port security is disabled, the sticky secure MAC addresses remain in the running configuration.

To disable sticky learning, enter the no switchport port-security mac-address sticky interface configuration command. If sticky learning is disabled or the running configuration is removed, the sticky secure MAC addresses remain part of the running configuration but are removed from the address table. The addresses that were removed can be dynamically reconfigured and added to the address table as dynamic addresses.

Note: If sticky learning is disabled, when the switch restarts or the interface shuts down, all the addresses that were dynamically learned are removed.

Security Violations

It is a security violation when one of these situations occurs:

• The maximum number of secure MAC addresses has been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
• An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs:

• protect: When the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
• restrict: A port security violation restricts data and causes the SecurityViolation counter to increment. It also sends an SNMP trap when an address-security violation occurs.
• shutdown: The interface is error-disabled when a security violation occurs. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.

18-6 Catalyst 2950 Desktop Switch Software Configuration Guide 78-14982-01
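A configuration review can apply the rules above to saved running-config text. The following is an added example, not part of the Cisco guide: it parses port-security lines per interface, assumes the shutdown default when no violation mode is set, and flags the two conditions the page describes (sticky addresses left behind after port security is disabled, and protect mode, which only drops packets). The function names and the FastEthernet0/3 and FastEthernet0/4 stanzas are hypothetical, and the `switchport port-security violation` line is the standard IOS interface command, which this page does not show.

```python
# Constructed sample: FastEthernet0/2 is abridged from the page's stanza;
# FastEthernet0/3 and FastEthernet0/4 are hypothetical.
SAMPLE = """\
interface FastEthernet0/2
 switchport port-security
 switchport port-security maximum 6
 switchport port-security mac-address sticky
 switchport port-security mac-address 0000.0000.000b
 switchport port-security mac-address sticky 0000.0000.4141
!
interface FastEthernet0/3
 switchport port-security
 switchport port-security violation protect
!
interface FastEthernet0/4
 switchport port-security mac-address sticky 0000.0000.6060
"""

def audit_port_security(config):
    ports, cur = {}, None
    for raw in config.splitlines():
        words = raw.lower().split()
        if words[:1] == ["interface"] and len(words) > 1:
            # Violation mode defaults to shutdown, as the page states.
            cur = ports.setdefault(raw.split()[1], dict(enabled=False, maximum=None,
                violation="shutdown", sticky_learning=False, static=[], sticky=[]))
        elif words == ["!"]:
            cur = None
        elif cur is not None and words[:2] == ["switchport", "port-security"]:
            args = words[2:]
            if not args:
                cur["enabled"] = True
            elif args[0] in ("maximum", "violation") and len(args) == 2:
                cur[args[0]] = int(args[1]) if args[0] == "maximum" else args[1]
            elif args == ["mac-address", "sticky"]:
                cur["sticky_learning"] = True
            elif args[0] == "mac-address" and (len(args) == 2 or args[1:2] == ["sticky"]):
                kind = "sticky" if len(args) > 2 else "static"
                cur[kind].append(args[-1])
    return ports

def findings(ports):
    notes = []
    for name, p in ports.items():
        if p["sticky"] and not p["enabled"]:
            notes.append((name, "sticky addresses in config, port security off"))
        if p["enabled"] and p["violation"] == "protect":
            notes.append((name, "protect mode: drops only; restrict adds counter and trap"))
    return notes
```

Calling `findings(audit_port_security(SAMPLE))` returns one note each for FastEthernet0/3 and FastEthernet0/4 and none for FastEthernet0/2.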