Cisco WS-C3560E-48PD-SF Command Reference - Page 666
switchport port-security
Chapter 2 Catalyst 3560 Switch Cisco IOS Commands

vlan [vlan-list]
    (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.
    • vlan: set a per-VLAN maximum value.
    • vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.

violation
    (Optional) Set the security violation mode or the action to be taken if port security is violated. The default is shutdown.

protect
    Set the security violation protect mode. In this mode, when the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

    Note: We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.

restrict
    Set the security violation restrict mode. In this mode, when the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

shutdown
    Set the security violation shutdown mode. In this mode, the interface is error-disabled when a violation occurs and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

    When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.

Defaults
    The default is to disable port security. When port security is enabled and no keywords are entered, the default maximum number of secure MAC addresses is 1. The default violation mode is shutdown. Sticky learning is disabled.

Command Modes
    Interface configuration

2-634 Catalyst 3560 Switch Command Reference 78-16405-05
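The defaults and the protect-mode caveats above can be checked mechanically against a saved configuration. The following is an added example, not part of the Cisco reference: a small Python audit that resolves each interface's effective port-security settings and flags the silent protect mode. The function name, the sample configuration, and the wording of the findings are assumptions made for illustration, and per-VLAN maximums are not parsed.

```python
import re

# Constructed sample configuration for illustration (not from the page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation protect
interface GigabitEthernet0/3
 switchport mode trunk
 switchport port-security
 switchport port-security violation protect
interface GigabitEthernet0/4
 switchport mode access
 switchport port-security violation restrict
"""

def audit_port_security(config):
    """Return {interface: (enabled, maximum, violation_mode, findings)}."""
    report = {}
    for block in re.split(r"(?m)^(?=interface )", config):
        lines = [line.strip() for line in block.splitlines()]
        if not lines or not lines[0].startswith("interface "):
            continue
        name = lines[0].split(None, 1)[1]
        # Defaults from the reference: disabled, maximum 1, violation shutdown.
        enabled, maximum, mode = False, 1, "shutdown"
        trunk = "switchport mode trunk" in lines
        for line in lines[1:]:
            if line == "switchport port-security":
                enabled = True
            elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
                maximum = int(m.group(1))
            elif m := re.fullmatch(r"switchport port-security violation (protect|restrict|shutdown)", line):
                mode = m.group(1)
        findings = []
        if not enabled:
            findings.append("port security not enabled")
        elif mode == "protect":
            findings.append("protect mode: violations are not reported")
            if trunk:
                findings.append("protect mode on a trunk port is not recommended")
        report[name] = (enabled, maximum, mode, findings)
    return report
```

Calling audit_port_security(SAMPLE_CONFIG) returns one entry per interface; an empty findings list means the port is enabled in a mode that reports violations.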