Cisco Systems 2960 Model Vehicle User Manual


  Open as PDF
of 1004
 
23-14
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 23 Configuring Port-Based Traffic Control
Configuring Port Security
Step 7
switchport port-security [violation
{protect | restrict | shutdown |
shutdown vlan}]
(Optional) Set the violation mode, the action to be taken when a security
violation is detected, as one of these:
protect—When the number of port secure MAC addresses reaches the
maximum limit allowed on the port, packets with unknown source
addresses are dropped until you remove a sufficient number of secure
MAC addresses to drop below the maximum value or increase the number
of maximum allowable addresses. You are not notified that a security
violation has occurred.
Note We do not recommend configuring the protect mode on a trunk port.
The protect mode disables learning when any VLAN reaches its
maximum limit, even if the port has not reached its maximum limit.
restrict—When the number of secure MAC addresses reaches the limit
allowed on the port, packets with unknown source addresses are dropped
until you remove a sufficient number of secure MAC addresses or
increase the number of maximum allowable addresses. An SNMP trap is
sent, a syslog message is logged, and the violation counter increments.
shutdown—The interface is error disabled when a violation occurs, and
the port LED turns off. An SNMP trap is sent, a syslog message is logged,
and the violation counter increments.
shutdown vlan—Use to set the security violation mode per VLAN. In
this mode, the VLAN is error disabled instead of the entire port when a
violation occurs.
Note When a secure port is in the error-disabled state, you can bring it out
of this state by entering the errdisable recovery cause
psecure-violation global configuration command. You can manually
re-enable it by entering the shutdown and no shutdown interface
configuration commands or by using the clear errdisable interface
vlan privileged EXEC command.
Command Purpose