Cisco WS-C2980G-A Software Guide - Page 316
Setting the Security Violation Action
Chapter 16 Configuring Port Security

This example shows how to enable MAC address notification globally, how to enable notification of added and removed MAC addresses, and how to set the interval between notifications:

    Console> (enable) set cam notification enable
    MAC address change detection globally enabled
    Be sure to specify which ports are to detect MAC address changes with the 'set cam notification [added|removed] enable' command.
    SNMP traps will be sent if 'set snmp trap enable macnotification' has been set.
    Console> (enable) set cam notification historysize 300
    MAC address change history log size set to 300 entries
    Console> (enable) set cam notification added enable 3/1-4
    MAC address change notifications for added addresses are enabled on port(s) 3/1-4
    Console> (enable) set cam notification removed enable 3/3-6
    MAC address change notifications for removed addresses are enabled on port(s) 3/3-6
    Console> (enable) set cam notification interval 10
    MAC address change notification interval set to 10 seconds
    Console> (enable) show cam notification all
    MAC address change detection enabled
    CAM notification interval = 10 second(s).
    MAC address change history log size = 300
    MAC addresses added = 3
    MAC addresses removed = 5
    MAC addresses added overflowed = 0
    MAC addresses removed overflowed = 0
    MAC address SNMP traps generated = 0
    Console> (enable) set snmp trap enable macnotification
    SNMP MAC notification trap enabled.
    Console> (enable)

In this sequence the trap is enabled last, which is why the 'show cam notification all' output records eight address changes (3 added, 5 removed) but zero traps generated: changes are written to the history log regardless, but traps are sent only after 'set snmp trap enable macnotification' has been set. The two "overflowed" counters show whether the history log has filled; a non-zero value means change records were lost and the history size or polling interval should be revisited.

Setting the Security Violation Action

You can set a port to one of the following two modes to handle a security violation:

• Shutdown - Shuts down the port permanently or for a specified time. Permanent shutdown is the default mode.
• Restrict - Drops all packets from insecure hosts, but the port remains enabled.

The default shutdown mode also cuts off the legitimate secure host on that port until the port is brought back up; restrict mode keeps that host's traffic flowing while only the insecure hosts' packets are dropped.

To set the security violation action to be taken, perform this task in privileged mode:

Task: Set the security violation action on a port.
Command: set port security mod_num/port_num violation {shutdown | restrict}

This example sets the port to drop all packets that arrive on the port from insecure hosts:

    Console> (enable) set port security 4/7 violation restrict
    Port security violation on port 4/7 will cause insecure packets to be dropped.
    Console> (enable)

Note: If you restrict the number of secure MAC addresses on a port to one, and additional hosts attempt to connect to that port, port security prevents these additional hosts from connecting to that port and to any other port in the same VLAN for the duration of the VLAN aging time. By default, the VLAN aging time is 5 minutes. If a host is blocked from joining a port in the same VLAN as the secured port, allow the VLAN aging time to expire before you attempt to connect the host to the port again.

16-8 Catalyst 4500 Series, Catalyst 2948G, Catalyst 2980G Switches Software Configuration Guide - Release 8.1 78-15486-01
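The following is an added example, not code from the Cisco guide: a small Python parser and checker for the 'show cam notification all' output shown above, of the kind a practitioner might run over collected console output to confirm that MAC address change detection is on, that the history log has not overflowed, and that traps are actually being produced. The sample output is constructed from the counters on this page; whether 'set snmp trap enable macnotification' is set is not visible in this output, so it is passed in by the caller as an assumption.

```python
"""Parse and sanity-check CatOS 'show cam notification all' output.

Added example for this page; not code from the Cisco guide. It assumes the
line layout shown above ('label = value' per counter) and that the trap
enable state is supplied separately by the caller.
"""
import re

# Constructed sample: the counters shown on this page, captured before
# 'set snmp trap enable macnotification' was issued.
SAMPLE_OUTPUT = """\
MAC address change detection enabled
CAM notification interval = 10 second(s).
MAC address change history log size = 300
MAC addresses added = 3
MAC addresses removed = 5
MAC addresses added overflowed = 0
MAC addresses removed overflowed = 0
MAC address SNMP traps generated = 0
"""

_COUNTER_RE = re.compile(r"^(?P<label>[A-Za-z ]+?)\s*=\s*(?P<value>\d+)")


def parse_cam_notification(text):
    """Return {'enabled': bool, <label>: int, ...} parsed from the output."""
    state = {"enabled": False}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("MAC address change detection"):
            # last word of this line is 'enabled' or 'disabled'
            state["enabled"] = line.split()[-1] == "enabled"
            continue
        m = _COUNTER_RE.match(line)
        if m:
            state[m.group("label").strip()] = int(m.group("value"))
    return state


def audit_cam_notification(state, trap_enabled):
    """Return a list of findings; an empty list means nothing to flag.

    trap_enabled: whether 'set snmp trap enable macnotification' is set.
    This is an assumption supplied by the caller, as the output above
    does not report it.
    """
    findings = []
    if not state.get("enabled"):
        findings.append("detection disabled: run 'set cam notification enable'")
    if state.get("MAC addresses added overflowed", 0) or \
       state.get("MAC addresses removed overflowed", 0):
        findings.append("history log overflowed: entries were lost; raise "
                        "'set cam notification historysize' or poll more often")
    changes = (state.get("MAC addresses added", 0)
               + state.get("MAC addresses removed", 0))
    if not trap_enabled:
        findings.append("trap not enabled: changes are logged but no SNMP "
                        "traps are sent")
    elif changes and state.get("MAC address SNMP traps generated", 0) == 0:
        findings.append("%d changes logged but 0 traps generated: changes may "
                        "predate trap enablement, or trap delivery needs "
                        "checking" % changes)
    return findings


if __name__ == "__main__":
    parsed = parse_cam_notification(SAMPLE_OUTPUT)
    for finding in audit_cam_notification(parsed, trap_enabled=False):
        print("FINDING:", finding)
```

Feed it the output of the same command captured periodically and the overflow check becomes a cheap way to notice that the history size or notification interval is too small for the amount of MAC churn on the monitored ports.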
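To make the difference between the two violation actions, and the VLAN-wide block described in the Note, concrete, here is an added behavioural model in Python. It is not switch code and not from the Cisco guide: it models a port with one secure MAC address, applies 'shutdown' or 'restrict' on a violation, and blocks the offending address on every port in the same VLAN for the default 5-minute aging time. The frame representation (port, source MAC, a caller-supplied clock in seconds) and the dynamic learning of the first address as the secure address are assumptions made so the timer can be exercised.

```python
"""Model of CatOS port-security violation actions described on this page.

Added example; a behavioural model, not switch code. Assumptions: the
first address seen on a port is learned as its secure address, and the
caller supplies the clock ('now', in seconds) used for the aging timer.
"""
from dataclasses import dataclass, field

VLAN_AGING_SECONDS = 300  # page: default VLAN aging time is 5 minutes


@dataclass
class SecurePort:
    name: str                 # CatOS style, e.g. "4/7"
    vlan: int
    violation: str = "shutdown"   # page: permanent shutdown is the default
    max_secure: int = 1           # page's Note: one secure MAC address
    secure_macs: set = field(default_factory=set)
    shut: bool = False


@dataclass
class Switch:
    ports: dict = field(default_factory=dict)
    # mac -> (vlan, time of violation); the Note's VLAN-wide block
    blocked: dict = field(default_factory=dict)

    def add_port(self, port):
        self.ports[port.name] = port

    def receive(self, port_name, src_mac, now):
        """Return 'forward', 'drop' or 'port-shutdown' for one ingress frame."""
        port = self.ports[port_name]
        if port.shut:
            return "port-shutdown"  # shutdown mode: everything on the port stops

        # A host blocked by an earlier violation stays blocked on every
        # port in that VLAN until the aging time has elapsed.
        entry = self.blocked.get(src_mac)
        if entry and entry[0] == port.vlan:
            if now - entry[1] < VLAN_AGING_SECONDS:
                return "drop"
            del self.blocked[src_mac]  # aged out; may join again

        if src_mac in port.secure_macs:
            return "forward"
        if len(port.secure_macs) < port.max_secure:
            port.secure_macs.add(src_mac)  # assumed: learned as secure address
            return "forward"

        # Security violation: an additional host on a full port.
        self.blocked[src_mac] = (port.vlan, now)
        if port.violation == "shutdown":
            port.shut = True
            return "port-shutdown"
        return "drop"  # restrict: insecure host dropped, port stays up


def run_scenario():
    """Replay the page's two modes and the Note's aging rule; return outcomes."""
    sw = Switch()
    sw.add_port(SecurePort("4/7", vlan=10, violation="restrict"))
    sw.add_port(SecurePort("4/8", vlan=10))               # default: shutdown
    sw.add_port(SecurePort("4/9", vlan=20))
    good, rogue, other = "00:00:0c:11:11:11", "00:00:0c:22:22:22", "00:00:0c:33:33:33"
    return [
        sw.receive("4/7", good, now=0),      # learned as the secure host
        sw.receive("4/7", rogue, now=1),     # violation: restrict -> drop
        sw.receive("4/7", good, now=2),      # port still forwards the secure host
        sw.receive("4/8", rogue, now=3),     # same VLAN, inside aging time -> drop
        sw.receive("4/9", rogue, now=4),     # other VLAN is not affected
        sw.receive("4/8", rogue, now=301),   # aged out: joins 4/8 normally
        sw.receive("4/8", other, now=302),   # violation: shutdown mode
        sw.receive("4/8", rogue, now=303),   # even the secure host is cut off
    ]


if __name__ == "__main__":
    for step, outcome in enumerate(run_scenario(), 1):
        print(step, outcome)
```

The last two steps are the practical reason to choose deliberately between the modes: in shutdown mode a single unexpected address takes the legitimate host offline with it, which is visible and safe but also an easy denial-of-service lever for anyone who can plug into the port, while restrict keeps the port serving the secure host.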