Security Violations - Cisco Catalyst 2960-XR Security Configuration Manual
Ios release 15.0 2 ex1
Hide thumbs
Also See for Catalyst 2960-XR:
- Configuration manual (196 pages) ,
- Configuration manuals (120 pages) ,
- Reference (52 pages)
Table of Contents
Advertisement
Configuring Port-Based Traffic Control
Security Violations
It is a security violation when one of these situations occurs:
• The maximum number of secure MAC addresses have been added to the address table, and a station
• An address learned or configured on one secure interface is seen on another secure interface in the same
You can configure the interface for one of three violation modes, based on the action to be taken if a violation
occurs:
• protect—when the number of secure MAC addresses reaches the maximum limit allowed on the port,
• restrict—when the number of secure MAC addresses reaches the maximum limit allowed on the port,
• shutdown—a port security violation causes the interface to become error-disabled and to shut down
• shutdown vlan—Use to set the security violation mode per-VLAN. In this mode, the VLAN is error
This table shows the violation mode and the actions taken when you configure an interface for port security.
Table 33: Security Violation Mode Actions
Violation
Mode
protect
restrict
OL-29434-01
whose MAC address is not in the address table attempts to access the interface.
VLAN.
packets with unknown source addresses are dropped until you remove a sufficient number of secure
MAC addresses to drop below the maximum value or increase the number of maximum allowable
addresses. You are not notified that a security violation has occurred.
We do not recommend configuring the protect violation mode on a trunk port. The
Note
protect mode disables learning when any VLAN reaches its maximum limit, even if the
port has not reached its maximum limit.
packets with unknown source addresses are dropped until you remove a sufficient number of secure
MAC addresses to drop below the maximum value or increase the number of maximum allowable
addresses. In this mode, you are notified that a security violation has occurred. An SNMP trap is sent,
a syslog message is logged, and the violation counter increments.
immediately, and the port LED turns off. When a secure port is in the error-disabled state, you can bring
it out of this state by entering the errdisable recovery cause psecure-violation global configuration
command, or you can manually re-enable it by entering the shutdown and no shut down interface
configuration commands. This is the default mode.
disabled instead of the entire port when a violation occurs
Traffic is
Sends SNMP
forwarded
trap
8
No
No
No
Yes
Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1
Sends syslog
Displays
message
error
message
9
No
No
Yes
No
Security Violations
Violation
Shuts down
counter
port
increments
No
No
Yes
No
337
Advertisement
Table of Contents
