21-9
Catalyst 2960 Switch SoftwareConfiguration Guide
78-16881-01
Chapter21 Configuring Port-Based Tra ffic Control
Configuring Port Security
Security Violations
It is a security violation when one of these situations occurs:
The maximum number of secure MAC addresses have been added to the address table, and a station
whose MAC address is not in the address table attempts to access the interface.
An address learned or configured on one secure interface is seen on anothe r secure interface in the
same VLAN.
You can configure the interface for one of three violation modes, based on the action to be taken if a
violation occurs:
protect—when the number of secure MAC addresses reaches the maximum limit allowed on the
port, packets with unknown source addresses are dropped until you remove a sufficient number of
secure MAC addresses to drop below the maximum value or increase the number of maximum
allowable addresses. You are not notified that a security violation has occurred.
Note We do not recommend configuring the protect violation mode on a trunk port. The protect
mode disables learning when any VLAN reaches its maximum limit, even if the port has not
reached its maximum limit.
restrict—when the number of secure MAC addresses reaches the maximum limit allowed on the
port, packets with unknown source addresses are dropped until you remove a sufficient number of
secure MAC addresses to drop below the maximum value or increase the number of maximum
allowable addresses. In this mode, you are notified that a security viol ation has occurred. An SNMP
trap is sent, a syslog message is logged, and the violation counter increments.
shutdown—a port security violation causes the interface to become error-disabled an d to shut down
immediately, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the
violation counter increments. When a secure port is in the e rror-disabled state, you can bring it out
of this state by entering the errdisable recovery cause psecure-violation global configuration
command, or you can manually re-enable it by e ntering the shutdown and no shut down interface
configuration commands. This is the default mode.
Table21-1 shows the vi olation mode and the actions taken when you configure an interface for port
security.
Table21-1 Security Violation Mode Actions
Violation Mode
Traffic is
forwarded1
1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
Sends SNMP
trap
Sends syslog
message
Displays error
message2
2. The switch returns an error message if you manually configure an address that would cause a security violation.
Violation
counter
increments Shuts down port
protect No No No No No No
restrict No Yes Yes No Yes No
shutdown No Yes Yes No Yes Yes