Cisco Systems 2940 Security Violations

17-6

Catalyst 2940 Switch Software Configuration Guide

78-15507-02

Chapter17 Configuring Port-Based Traffic Control

Configuring Port Security

The sticky secure MAC addresses do not automatically become part of the configuration file, which is

the startup configuration used each time the swit ch restar ts. I f you sa v e the s tick y secure MA C addresse s

in the configuration file, when the switch restarts, the interface does not need to relearn the se addre sses.

If you do not save the configuration, they are lost.

If sticky learning is disabled, the sticky secure M AC address es ar e co nverted to dyn am ic sec ur e

addresses and are removed from the running configuration.

A secure port can have from 1 to 132 associated secure addresses. The total number of available secure

addresses on the switch is 1024.

Security Violations

It is a security violation when one of these situations occurs:

•The maximum number of secure MAC addresses have been added to the address table, and a station

whose MAC address is not in the address table attempts to access the interface.

•An address learned or configured on one secure interface is seen on anothe r se cu re in ter face in t he

same VLAN.

You can configure the interface for one of three violation modes, based on the action to be taken if a

violation occurs:

•protect—When the number of secure MAC addresses reaches th e limit allowed on the port, packets

with unknown source addresses are dropped until you remove a sufficient number of secure MAC

addresses or increase the number of maximum allowable addresses. You are not notified that a

security violation has occurred.

•restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets

with unknown source addresses are dropped until you remove a sufficient number of secure MAC

addresses or increase the number of maximum allowable addresses. In this mode, you are notified

that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is

logged, and the violation counter increments.

•shutdown—In this mode, a port security violation causes the interface to immediately become

error-disabled, and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and

increments the violation counter. When a secure port is in the error-disabled state, you can b ri ng it

out of this state by entering the errdisable recovery cause psecure-violation global configuration

command, or you can manually re-enable it by entering the shutdown and no shutdown interface

configuration commands. This is the default mode.

Table17-1 shows the vi ola tio n mode an d the act ions taken whe n you configu re a n in terfa ce for po rt

security.

Table17-1 Security Violation Mode Actions

Violation Mode Traffic is

forwarded1

1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.

Sends SNMP

trap Sends syslog

message Displays error

message2

2. The switch will return an error message if you manually configure an address that would cause a security violation.

Violation

counter

increments Shuts down port

protect No No No No No No

restrict No Yes Yes No Yes No

shutdown No Yes Yes No Yes Yes