Security Violations - Cisco Catalyst 3750-E Software Configuration Manual
Hide thumbs
Also See for Catalyst 3750-E:
- Getting started manual (27 pages) ,
- Product support bulletin (6 pages) ,
- Configuration handbook (359 pages)
Table of Contents
Advertisement
Configuring Port Security
If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure
addresses and are removed from the running configuration.
The maximum number of secure MAC addresses that you can configure on a switch or switch stack is
set by the maximum number of available MAC addresses allowed in the system. This number is
determined by the active Switch Database Management (SDM) template. See
SDM Templates."
Layer 2 functions and any other secure MAC addresses configured on interfaces.
Security Violations
It is a security violation when one of these situations occurs:
•
The maximum number of secure MAC addresses have been added to the address table, and a station
whose MAC address is not in the address table attempts to access the interface.
•
An address learned or configured on one secure interface is seen on another secure interface in the
same VLAN.
You can configure the interface for one of three violation modes, based on the action to be taken if a
violation occurs:
protect—when the number of secure MAC addresses reaches the maximum limit allowed on the
•
port, packets with unknown source addresses are dropped until you remove a sufficient number of
secure MAC addresses to drop below the maximum value or increase the number of maximum
allowable addresses. You are not notified that a security violation has occurred.
Note
restrict—when the number of secure MAC addresses reaches the maximum limit allowed on the
•
port, packets with unknown source addresses are dropped until you remove a sufficient number of
secure MAC addresses to drop below the maximum value or increase the number of maximum
allowable addresses. In this mode, you are notified that a security violation has occurred. An SNMP
trap is sent, a syslog message is logged, and the violation counter increments.
shutdown—a port security violation causes the interface to become error-disabled and to shut down
•
immediately, and the port LED turns off. When a secure port is in the error-disabled state, you can bring it out
of this state by entering the errdisable recovery cause psecure-violation global configuration
command, or you can manually re-enable it by entering the shutdown and no shut down interface
configuration commands. This is the default mode.
shutdown vlan—Use to set the security violation mode per-VLAN. In this mode, the VLAN is error
•
disabled instead of the entire port when a violation occurs
Table 26-1
security.
Catalyst 3750-E and 3560-E Switch Software Configuration Guide
26-10
This number is the total of available MAC addresses, including those used for other
We do not recommend configuring the protect violation mode on a trunk port. The protect
mode disables learning when any VLAN reaches its maximum limit, even if the port has not
reached its maximum limit.
shows the violation mode and the actions taken when you configure an interface for port
Chapter 26
Configuring Port-Based Traffic Control
Chapter 8, "Configuring
OL-9775-08
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
