Port security & snmp

Unanswered Question
Apr 27th, 2009

Hi,

Can Port-Security be configured to send an alert but not shut down any traffic?

In other words, can a switch port be configured using Port Security or other commands to not shut down *any* traffic, but just send a trap, with an SNMP alert sent out by our NMS?

The switch in question is a 3750-24PS-S running 12.2(44)SE5.

Thank you!

pmettewie Tue, 04/28/2009 - 10:49

I have been researching the same issue (and was about to post a question like yours before I came across it while searching for port security posts!) Cisco TAC has suggested that the use of ERRDISABLE RECOVERY CAUSE SECURITY-VIOLATION command along with the ERRDISABLE RECOVERY INTERVAL 30 argument would allow port security configuration and alerting without any traffic being dropped.

But I don't think this really is an appropriate solution (although I'm going to test it in the lab in a bit) because my opinion is that the alert will only be deferred and the violation will be noted again - with the most likely result being that any 'illegal' (insecure) MAC address will still not be allowed to send traffic on the port despite the use of the ERRDISABLE command?

pmettewie Thu, 04/30/2009 - 12:42

Sorry about not getting back to this sooner - they give me a new desktop and it has Vista on it and .... (you get the picture.)

The short answer is that ERRDISABLE RECOVERY does not work - traffic from insecure MAC addresses will still be dropped despite the presence of ERRDISABLE RECOVERY.

What will work (but will probably not be your favorite solution) is to establish a MAC database - centralized or on a per-switch basis - of 'legal' (secure) addresses that will gain access to a specific VLAN without a trap being sent. Any 'illegal' (insecure) MAC address detected will be sent to a different restricted VLAN and a trap would be sent.

As you would imagine, if you're not already doing this, it means (like almost any security mechanism) more work and a less elegant design.

Outside of that there does not seem to be any way of combining port security, no dropped traffic and trap notification.
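As an added example (not part of the thread and not any poster's configuration), here is how the two halves of the question look side by side on a Catalyst 3750 running 12.2SE. The first interface keeps port security with `violation restrict`: the port stays up, every violation increments the counter, logs a syslog message and sends a trap, but frames from non-secure MAC addresses are still dropped, which matches what the thread found. The second interface has no port security at all and instead uses MAC address notification traps, which report each learned and aged-out address to the NMS without blocking anything; that is the only way on this platform to get a trap per new MAC while passing all traffic. The interface names, VLAN, NMS address and community string are assumed values. Two caveats: the errdisable recovery cause keyword for port security on this platform is `psecure-violation`, and on some older IOS trains the MAC notification commands are entered without the `change` keyword, so confirm the syntax with `?` before pasting.

```cisco
! Added example, not from the thread. Interface names, VLAN 10,
! NMS address 192.0.2.10 and community NMS-COMMUNITY are assumed.
!
! --- Trap destination and the two trap types (global) ---
snmp-server host 192.0.2.10 version 2c NMS-COMMUNITY
snmp-server enable traps port-security
snmp-server enable traps mac-notification change
!
! Optional: bring err-disabled ports back automatically. This only
! matters with "violation shutdown"; it does not stop the drops, the
! port simply comes back up and violates again.
errdisable recovery cause psecure-violation
errdisable recovery interval 30
!
! --- Option A: port security with "restrict" ---
! Non-secure MACs are still dropped, but the port is not err-disabled:
! each violation bumps the SecurityViolation count, logs, and traps.
interface FastEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! --- Option B: no port security, MAC notification traps only ---
! Nothing is dropped. Every address learned on (or removed from) the
! port is sent to the NMS, which can alert on anything unexpected.
mac address-table notification change
mac address-table notification change interval 15
mac address-table notification change history-size 100
!
interface FastEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 no switchport port-security
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
```

To check Option A after a violation, `show port-security interface FastEthernet1/0/1` shows the violation mode, the SecurityViolation count and the last offending source address. For Option B, `show mac address-table notification change` shows whether the feature is enabled and the notification history buffer; the NMS side needs the CISCO-MAC-NOTIFICATION-MIB loaded to decode the trap. Neither option changes the conclusion above: port security itself never forwards frames from an address it considers insecure, so "alert but do not drop" has to come from MAC notification (or from an authentication/VLAN-assignment scheme like the one pmettewie describes), not from port security.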
