HP Cisco Catalyst Blade Switch 3020 Cisco Catalyst Blade Switch 3020 for HP So - Page 411
Security Violations, Violation Mode, Traffic is, forwarded, Sends SNMP, Sends syslog, message
View all HP Cisco Catalyst Blade Switch 3020 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 411 highlights
Chapter 19 Configuring Port-Based Traffic Control Configuring Port Security The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. Security Violations It is a security violation when one of these situations occurs: • The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface. • An address learned or configured on one secure interface is seen on another secure interface in the same VLAN. You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs: • protect-when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred. Note We do not recommend configuring the protect violation mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit. • restrict-when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. An SNMP trap is sent, a syslog message is logged, and the violation counter increments. • shutdown-a port security violation causes the interface to become error-disabled and to shut down immediately, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shut down interface configuration commands. This is the default mode. Table 19-1 shows the violation mode and the actions taken when you configure an interface for port security. Table 19-1 Security Violation Mode Actions Traffic is Violation Mode forwarded1 Sends SNMP trap Sends syslog message Displays error message2 Violation counter increments protect No No No No No restrict No Yes Yes No Yes shutdown No Yes Yes No Yes 1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses. 2. The switch returns an error message if you manually configure an address that would cause a security violation. Shuts down port No No Yes OL-8915-01 Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide 19-9