Cisco Catalyst 2960-X Security Configuration Manual page 437

Cisco IOS Release 15.0(2)EX
Configuring Port-Based Traffic Control

Purpose (continued from the preceding step):
  Enter one of these options after you enter the vlan keyword:
  • vlan-list—On a trunk port, you can set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
  • access—On an access port, specifies the VLAN as an access VLAN.
  • voice—On an access port, specifies the VLAN as a voice VLAN.
  Note: The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN. If an interface is configured for voice VLAN, configure a maximum of two secure MAC addresses.

Step 8
Command or Action:
  switchport port-security violation {protect | restrict | shutdown | shutdown vlan}
Example:
  Switch(config-if)# switchport port-security violation restrict
Purpose:
  (Optional) Sets the violation mode, the action to be taken when a security violation is detected, as one of these:
  • protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
    Note: We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.
  • restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
  • shutdown—The interface is error-disabled when a violation occurs, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
  • shutdown vlan—Use to set the security violation mode per VLAN. In this mode, the VLAN is error disabled instead of the entire port when a violation occurs.
  Note: When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command. You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command.

Step 9
Command or Action:
  switchport port-security [mac-address mac-address [vlan {vlan-id | {access | voice}}]
Purpose:
  (Optional) Enters a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you

OL-29048-01
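Steps 8 and 9 combined into one interface configuration, as an added example that is not taken from the Cisco guide: the interface names, VLAN numbers and MAC addresses are constructed placeholders, and the trunk section places the protect setting the guide advises against beside a corrected per-VLAN form.

```cisco
! Global: let a port error-disabled by a port-security violation recover
! automatically (Step 8 note) instead of requiring a manual shut / no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! Access port with a data VLAN (10) and a voice VLAN (20); both constructed.
! Two secure addresses in total, one per VLAN, as the voice-keyword note
! directs. The MAC addresses below are constructed placeholders.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security mac-address 0000.1111.aaaa vlan access
 switchport port-security mac-address 0000.2222.bbbb vlan voice
 ! restrict: offending frames are dropped AND a trap, a syslog entry and a
 ! counter increment record the violation; protect would drop them silently.
 switchport port-security violation restrict

! Trunk port. Weak form (kept as comments): protect on a trunk stops
! learning for every VLAN as soon as any one VLAN hits its maximum, and
! nobody is notified.
!interface GigabitEthernet1/0/24
! switchport mode trunk
! switchport port-security
! switchport port-security violation protect
!
! Corrected form: per-VLAN maximums and shutdown vlan, so a violation
! error-disables only the offending VLAN rather than the whole trunk.
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 5 vlan 10,20
 switchport port-security maximum 2 vlan 30-40
 switchport port-security violation shutdown vlan
```

After applying it, show port-security interface GigabitEthernet1/0/1 reports the violation mode, the configured and current secure-address counts and the violation counter, which is where a restrict-mode violation becomes visible.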
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
Enabling and Configuring Port Security
413