22-8
Catalyst2950 and Catalyst2955 Switch Software Configuration Guide
78-11380-10
Chapter22 Configuring Port-Based Traffic Control
Configuring Port Security
Security Violations
It is a security violation when one of these situations occurs:
The maximum number of secure MAC addresses have been added to the address table, and a station
whose MAC address is not in the address table attempts to access the interface.
An address learned or configured on one secure interface is seen on anothe r se cu re in ter face in t he
same VLAN.
You can configure the interface for one of three violation modes, based on the action to be taken if a
violation occurs:
protectWhen the number of secure MAC addresses reaches the limit allowed on the port, packets
with unknown source addresses are dropped until you remove a sufficient number of secure MAC
addresses or increase the number of maximum allowable addresses. You are not notified that a
security violation has occurred.
restrictWhen the number of secure MAC addresses reaches the limit al lowed on the port, packets
with unknown source addresses are dropped until you remove a sufficient number of secure MAC
addresses or increase the number of maximum allowable addresses. In this mode, you are notified
that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is
logged, and the violation counter increments.
shutdownIn this mode, a port security violation causes the interface to immediately become
error-disabled, and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and
increments the violation counter. When a secure port is in the error-disabled state, you can b ri ng it
out of this state by entering the errdisable recovery cause psecure-violation global configuration
command, or you can manually re-enable it by entering the shutdown and no shutdown interface
configuration commands. This is the default mode.
Table22-1 shows the vi ola tio n mode an d the act ions taken whe n you configu re a n in terfa ce for po rt
security.
Table22-1 Security Violation Mode Actions
Violation Mode Traffic is
forwarded1
1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
Sends SNMP
trap Sends syslog
message Displays error
message2
2. The switch will return an error message if you manually configure an address that would cause a security violation.
Violation
counter
increments Shuts down port
protect No No No No No No
restrict No Yes Yes No Yes No
shutdown No Yes Yes No Yes Yes