Forbidden Mac Addresses - Cisco Catalyst 4500 Series Software Configuration Manual

Cisco IOS XE Release 3.9.xE and Cisco IOS Release 15.2(5)Ex
About Port Security
A security violation occurs when the maximum number of secure MAC addresses for a port has already been added
to the address table and a workstation whose MAC address is not in the address table attempts to access
the interface.

Forbidden MAC Addresses

You can prevent the switch from learning specific MAC addresses by forbidding them, either globally (on
all interfaces) or on a specific port-security-enabled interface.
Violation Actions
A security violation is triggered when the number of secure MAC addresses on the port exceeds the
maximum number of secure MAC addresses allowed on the port.
Note: A security violation is not triggered if a host secured on one port shows up on another port. The
Catalyst 4500 series switch silently drops such packets in hardware on the new port and does not
overload the CPU.
You can configure the interface for one of the following violation modes, which differ in how the switch
responds to the violation:
Restrict—A port security violation restricts data (that is, offending packets are dropped in software), causes
the SecurityViolation counter to increment, and causes an SNMP notification to be generated. You
might want to configure this mode in order to provide uninterrupted service and access on a secure port.
The rate at which SNMP traps are generated can be controlled with the
snmp-server enable traps port-security trap-rate command. The default value (0) causes an
SNMP trap to be generated for every security violation.
Shutdown—A port security violation causes the interface to shut down immediately (the port is placed in the
error-disabled state). You might want to configure this mode in a highly secure environment, where you do
not want unsecured MAC addresses to be denied in software and service interruption is not an issue.
Shutdown VLAN—Use to set the security violation mode for each VLAN. In this mode, the
offending VLAN is error disabled instead of the entire port when a violation occurs.
When a secure port is in the error-disabled state, you can bring it out of this state automatically by
configuring the errdisable recovery cause psecure-violation global configuration command, or you
can manually reenable it by entering the shutdown and no shutdown interface configuration
commands. (Shutdown is the default violation mode.) If a port is in per-VLAN errdisable mode, you can also use the clear
errdisable interface name vlan range command to reenable the VLAN on the port.
You can also customize the time to recover from the specified error disable cause (default is 300
seconds) by entering the errdisable recovery interval interval command.
Invalid Packet Handling
You might want to rate limit invalid source MAC address packets on a secure port if you anticipate
that a device will send invalid packets (such as a traffic generator, a sniffer, or a bad NIC).
The port security feature considers the following as "invalid frames":
Packets with a source or destination MAC address that is all zero
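The following configuration is an added worked example, not text from this guide: it pulls together the forbidden MAC address, violation mode, SNMP trap-rate, errdisable recovery and invalid-source-MAC rate-limit settings described above on one switch. Interface names, VLAN numbers and MAC addresses are constructed for illustration. Command syntax follows the port security chapter of this guide for the Catalyst 4500; the forbidden-MAC and invalid-source-mac commands are platform specific, so confirm them with context-sensitive help on your release before deploying.

```ios
! --- Global settings ---
! Forbid a MAC address on every interface (global form of the forbidden-MAC feature)
port-security mac-address forbidden 0000.1111.2222
!
! Throttle port-security SNMP traps to at most 10 per second.
! The default trap-rate of 0 sends one trap per violation, which on a
! restrict-mode port under a flood can become a trap storm.
snmp-server enable traps port-security trap-rate 10
!
! Recover psecure-violation errdisabled ports automatically after 120 s
! (default recovery interval is 300 s)
errdisable recovery cause psecure-violation
errdisable recovery interval 120
!
! --- Access port: keep service up, drop offenders in software ---
interface GigabitEthernet1/1
 description Workstation port, restrict mode
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! Forbid one more MAC on this interface only
 switchport port-security mac-address forbidden 0000.3333.4444
 ! Rate-limit frames with invalid source MACs (for example all-zero) to 100 pps
 switchport port-security limit rate invalid-source-mac 100
!
! --- High-security port: errdisable the whole port (default mode) ---
interface GigabitEthernet1/2
 description Server port, shutdown mode
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! --- Trunk: errdisable only the offending VLAN, not the port ---
interface GigabitEthernet1/3
 description Trunk to downstream switch, per-VLAN shutdown
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown vlan
!
! --- Verification and manual recovery ---
! show port-security interface GigabitEthernet1/1   (mode, counters, last source MAC)
! show port-security address                        (secure MACs, including forbidden)
! show errdisable recovery                          (which causes auto-recover, timer)
! clear errdisable interface GigabitEthernet1/3 vlan 10
!     (re-enable only VLAN 10 on a port in per-VLAN errdisable)
! For a fully errdisabled port: shutdown / no shutdown under the interface.
```

When reading show port-security interface output after a test, check that the SecurityViolation counter increments on the restrict-mode port while the port stays in the secure-up state, and that the shutdown-mode port reports secure-shutdown and appears in show errdisable recovery until the timer expires.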
Chapter 55, Configuring Port Security