23-14
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
Chapter 23 Configuring Port-Based Traffic Control
Configuring Port Security
Step 7
Command: switchport port-security [violation {protect | restrict | shutdown | shutdown vlan}]
Purpose: (Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:
• protect—When the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.
• restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
• shutdown—The interface is error disabled when a violation occurs, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
• shutdown vlan—Use to set the security violation mode per VLAN. In this mode, the VLAN is error disabled instead of the entire port when a violation occurs.
Note When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command. You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command.
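The following configuration is an added example and is not part of the guide. It puts the step above into a complete port-security configuration: an access port left in the weak protect mode (no trap, no syslog, so a violation goes unnoticed) beside an access port hardened to restrict, and a trunk port using shutdown vlan so that a violation error-disables only the offending VLAN rather than the whole trunk. Interface names, the maximum-address count, the sticky option and the recovery interval are assumed values chosen for illustration; the show commands at the end are how you confirm the violation mode and counter took effect.

```cisco
! Added example, not from the configuration guide. Interface names,
! maximum counts and the 300-second interval are assumptions.
configure terminal
!
! Let the switch recover ports error-disabled by a port-security
! violation automatically instead of requiring shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Weak setting: protect drops the offending frames but never tells
! anyone a violation happened. Shown only for contrast.
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation protect
!
! Hardened access port: restrict keeps the port up for the learned
! hosts, drops unknown sources, and sends a trap plus a syslog message
! and increments the violation counter so SOC tooling can see it.
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Trunk port: do not use protect here (see the note above). shutdown vlan
! error-disables only the VLAN in which the violation occurred.
interface GigabitEthernet0/24
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 10
 switchport port-security violation shutdown vlan
 end
!
! Verify the mode, the secure-address counts and the violation counter.
show port-security interface GigabitEthernet0/2
show port-security address
!
! Confirm automatic recovery is armed and see which ports, if any,
! are currently error-disabled.
show errdisable recovery
show interfaces status err-disabled
```

When an interface shows Port Status Secure-shutdown in show port-security interface, either wait for the recovery interval configured above or re-enable it manually with shutdown followed by no shutdown in interface configuration mode; under shutdown vlan, clear the single VLAN with the clear errdisable interface privileged EXEC command described in the note above.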