Port Security Violation options question

Unanswered Question
Mar 6th, 2007

What do the following commands really do?


Do they drop or block the data from the interface on which the violation has occurred?


Switch(config-if)#switchport port-security violation protect


&


switch(config-if)#switchport port-security violation restrict


Thanks


Reza

Amit Singh Tue, 03/06/2007 - 21:44

Hi Reza,


With Violation Protect mode, when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped. You have to remove secure MAC addresses to get below the maximum allowed number in order to learn a new MAC or allow a host on the port. You are not notified that a security violation has occurred.


With Violation Restrict, the same process happens, but an SNMP trap is sent, a syslog message is logged on the syslog server and the violation counter increases.


HTH, please rate if it does.

-amit singh

rezaalikhani Tue, 03/13/2007 - 01:49

Thanks for your helpful replies:


Another question:


My scenario


I use two PCs in my scenario. One is the PC that I want to use on port f0/5, for example. The other PC acts as a non-secure host that wants to attach to the port that I designated for PC 1.


Note that I use the "protect" option for the violation in the example.


I use the MAC address of PC 1 to set up a secure switch port. I then unplug PC 1 and plug PC 2 into f0/5.


As expected, the port receives a violation. Right?


But I can actually ping or telnet to the switch from PC 2. However, I cannot ping any other IP address. It seems that the switch is dropping the packets. Is this normal?


I unplug PC 2 and plug PC 1 back into its port again. I can ping or telnet to the switch, but I cannot ping any other IP address. It seems that the switch is dropping the packets for the PC whose MAC address I set up for security (PC 1). Is this normal?


Thanks


Reza

Amit Singh Tue, 03/13/2007 - 02:31

Reza,


Please paste the switch port configuration where you are connecting the PC. Also paste the "show version" from the switch.


-amit singh

rezaalikhani Tue, 03/13/2007 - 02:47

My 0/5 port security configuration:


interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0004.7583.cb52
 speed 100
 no cdp enable
!


"Show version" output:


S1#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 02-Sep-03 03:33 by antonino
Image text-base: 0x80010000, data-base: 0x805C0000

ROM: Bootstrap program is CALHOUN boot loader

S1 uptime is 8 weeks, 3 days, 16 hours, 16 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-14.EA1a.bin"

cisco WS-C2950T-24 (RC32300) processor (revision M0) with 20710K bytes of memory.
Processor board ID FOC0751W351
Last reset from system-reset
Running Enhanced Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0E:84:EF:DF:80
Motherboard assembly number: 73-6114-09
Power supply part number: 34-0965-01
Motherboard serial number: FOC07511ARB
Power supply serial number: DAB0750HAZH
Model revision number: M0
Motherboard revision number: B0
Model number: WS-C2950T-24
System serial number: FOC0751W351
Configuration register is 0xF


S1#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/5              1            1                  0         Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024

rezaalikhani Tue, 03/13/2007 - 22:35

I solved the problem. The problem was the IOS.

I tested this feature with another updated switch and everything is OK.


Thanks


Reza

Amit Singh Tue, 03/13/2007 - 22:53

Hi Reza,


Thanks for the update on this. Sorry, I couldn't reply yesterday as I left a bit early for the day.


-amit singh

abhishek_nandavat Tue, 03/06/2007 - 21:58

Hi,


protect - drops all packets with unknown source addresses after the limit of secure addresses on that port is reached.


restrict - Sends an SNMP trap and also causes the switch to increment the security violation counter.


For more on port security, have a look at the following link-->

http://articles.techrepublic.com.com/5100-1035-6123047.html



Hope this helps...


Regards,

AbhisheK


Please rate helpful posts!!!
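The behaviour Amit and Abhishek describe, and Reza's PC 1 / PC 2 scenario on Fa0/5, as an added example in Python that is not part of the thread or of Cisco IOS: a small model of a port-security port with sticky learning, showing that protect drops silently while restrict drops, counts and logs. The "shutdown" mode, PC 2's MAC address and the syslog wording are assumptions added for contrast; the expected result for PC 1 returning is "forwarded", which is what Reza's switch did not do until the IOS was updated.

```python
# Added example: model of Cisco port-security violation modes (not IOS code).
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum (default 1)
    violation: str = "protect"       # protect | restrict | shutdown (assumed)
    sticky: bool = True              # switchport port-security mac-address sticky
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        src_mac = src_mac.lower()
        if self.err_disabled:                   # assumed shutdown mode: port is down
            return False
        if src_mac in self.secure_macs:         # already a secure address: forward
            return True
        if len(self.secure_macs) < self.maximum:
            if self.sticky:                     # learned and kept in the config
                self.secure_macs.add(src_mac)
            return True
        # Table is full and the source is unknown: this is a violation.
        if self.violation == "protect":
            return False                        # silent drop: no counter, no trap, no log
        self.violation_count += 1               # restrict (and shutdown) count the event
        # Message text modelled on the IOS PSECURE_VIOLATION syslog (assumed wording).
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                        f"occurred, caused by MAC address {src_mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.err_disabled = True            # assumed: err-disable the port
        return False

def reza_scenario(mode: str) -> dict:
    """PC 1 learned via sticky, PC 2 plugged in, then PC 1 returns."""
    port = SecurePort("Fa0/5", violation=mode)
    pc1 = "0004.7583.cb52"                      # sticky MAC from Reza's config
    pc2 = "0000.0000.0002"                      # constructed MAC for the second PC
    return {
        "pc1_first": port.ingress(pc1),
        "pc2": port.ingress(pc2),
        "pc1_back": port.ingress(pc1),
        "violations": port.violation_count,
        "syslog": len(port.log),
    }

if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, reza_scenario(mode))
```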
