Configuring and Monitoring Port Security

Reading Intrusion Alerts and Resetting Alert Flags

When a security violation occurs on a port configured for Port Security, the switch responds in the following ways to notify you:

The switch sets an alert flag for that port. This flag remains set until:

You use either the CLI, menu interface, or web browser interface to reset the flag.

The switch is reset to its factory default configuration.

The switch enables notification of the intrusion through the following means:

In the CLI:

The show port-security intrusion-log command displays the Intrusion Log

The log command displays the Event Log

In the menu interface:

The Port Status screen includes a per-port intrusion alert

The Event Log includes per-port entries for security viola- tions

In the web browser interface:

The Alert Log’s Status Overview window includes entries for per-port security violations

The Intrusion Log in the Security Intrusion Log window lists per-port security violation entries

In an active network management environment via an SNMP trap sent to a network management station

How the Intrusion Log Operates

When the switch detects an intrusion attempt on a port, it enters a record of this event in the Intrusion Log. No further intrusion attempts on that port will appear in the Log until you acknowledge the earlier intrusion event by resetting the alert flag.

The Intrusion Log lists the 20 most recently detected security violation attempts, regardless of whether the alert flags for these attempts have been reset. This gives you a history of past intrusion attempts. Thus, for example, if there is an intrusion alert for port A1 and the Intrusion Log shows two or more entries for port 1, only the most recent entry has not been acknowledged

9-18