
New Member

Port Security Violation options question

What do the following commands really do?

Do they drop or block the data from the interface that the violation has occurred?

Switch(config-if)#switchport port-security violation protect

&

switch(config-if)#switchport port-security violation restrict

Thanks

Reza

7 REPLIES
Cisco Employee

Re: Port Security Violation options question

Hi Reza,

With Violation Protect mode, when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped. You have to remove secure MAC addresses to get below the maximum allowed number in order to learn a new MAC or allow a host on the port. You are not notified that a security violation has occurred.

With Violation Restrict, the same process happens, but an SNMP trap is sent, a syslog message is logged on the syslog server and the violation counter increases.

HTH, please rate if it does.

-amit singh

New Member

Re: Port Security Violation options question

Thanks for your helpful replies:

Another question:

My scenario

I use two PCs in my scenario. One is the PC that I want to use on port f0/5, for example. The other PC acts as a non-secure host that wants to attach to the port I designated for PC 1.

Note that I use the "protect" option for the violation in the example.

I use the MAC address of PC 1 to set up a secure switch port. I then take off PC 1 and plug PC 2 into f0/5.

As expected, the port receives a violation. Right?

But I can actually ping or telnet to the switch from PC 2. However, I cannot ping another IP address. It seems that the switch is dropping the packets. Is that normal?

I pull out PC 2 and plug PC 1 back into its port again. I can ping or telnet to the switch, but I cannot ping another IP address. It seems that the switch is dropping the packets for the PC whose MAC address I set up for security (PC 1). Is that normal?

Thanks

Reza

Cisco Employee

Re: Port Security Violation options question

Reza,

Please paste the switch port configuration where you are connecting the PC. Also paste the "show version" from the switch.

-amit singh

New Member

Re: Port Security Violation options question

My 0/5 port security configuration:

interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security violation protect
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0004.7583.cb52
 speed 100
 no cdp enable
!

"Show version" output:

S1#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Tue 02-Sep-03 03:33 by antonino
Image text-base: 0x80010000, data-base: 0x805C0000

ROM: Bootstrap program is CALHOUN boot loader

S1 uptime is 8 weeks, 3 days, 16 hours, 16 minutes
System returned to ROM by power-on
System image file is "flash:/c2950-i6q4l2-mz.121-14.EA1a.bin"

cisco WS-C2950T-24 (RC32300) processor (revision M0) with 20710K bytes of memory.
Processor board ID FOC0751W351
Last reset from system-reset
Running Enhanced Image
24 FastEthernet/IEEE 802.3 interface(s)
2 Gigabit Ethernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:0E:84:EF:DF:80
Motherboard assembly number: 73-6114-09
Power supply part number: 34-0965-01
Motherboard serial number: FOC07511ARB
Power supply serial number: DAB0750HAZH
Model revision number: M0
Motherboard revision number: B0
Model number: WS-C2950T-24
System serial number: FOC0751W351
Configuration register is 0xF

S1#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/5              1            1                  0         Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024

New Member

Re: Port Security Violation options question

I solved the problem. The problem was the IOS.

I tested this feature with another updated switch and everything is OK.

Thanks

Reza

Cisco Employee

Re: Port Security Violation options question

Hi Reza,

Thanks for the update on this. Sorry, I couldn't reply yesterday as I left a bit early for the day.

-amit singh

Re: Port Security Violation options question

Hi,

protect - drops all packets with unknown source addresses after the limit of secure addresses on that port is reached.

restrict - sends an SNMP trap and also causes the switch to increment the security violation counter.

For more on port security, have a look at the following link:

http://articles.techrepublic.com.com/5100-1035-6123047.html

Hope this helps...

Regards,

AbhisheK

Please rate helpful posts!!!
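To make the difference between the two modes discussed in Amit's and Abhishek's replies concrete, here is an added Python model (not IOS code, not from the thread) that replays Reza's test on a port with maximum 1 and sticky learning: both modes drop the second PC's frames, but only restrict increments the violation counter and raises a notification, which is why a protect port shows 0 violations in "show port-security" even while it is dropping traffic. The PC 2 MAC address and the notification text are constructed stand-ins.

```python
from dataclasses import dataclass, field

PC1 = "0004.7583.cb52"   # MAC from the thread's sticky entry
PC2 = "0011.2233.4455"   # constructed MAC for the second, non-secure PC


@dataclass
class SecurePort:
    """Minimal model of one port-security interface; constructed for illustration."""
    name: str
    violation: str            # "protect" or "restrict"
    maximum: int = 1          # default 'switchport port-security maximum'
    sticky: bool = True
    secure_macs: set = field(default_factory=set)
    violation_count: int = 0
    notifications: list = field(default_factory=list)

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if it is dropped."""
        src_mac = src_mac.lower()
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            if self.sticky:
                self.secure_macs.add(src_mac)   # learned and retained like a static entry
            return True
        # Limit reached and the source is unknown: both modes drop the frame.
        if self.violation == "restrict":
            # constructed stand-in for the SNMP trap + syslog message sent in restrict mode
            self.violation_count += 1
            self.notifications.append(f"{self.name}: violation by {src_mac}")
        return False          # protect: silent drop, counter untouched

    def status_row(self) -> str:
        """One row in the style of 'show port-security'."""
        return (f"{self.name:<12}{self.maximum:>14}{len(self.secure_macs):>13}"
                f"{self.violation_count:>19} {self.violation.capitalize()}")


def run_scenario(violation: str) -> dict:
    """Replay the thread's test: PC1 first, then PC2 on the same port, then PC1 again."""
    port = SecurePort("Fa0/5", violation)
    pc1_first = port.ingress(PC1)
    pc2 = [port.ingress(PC2) for _ in range(3)]   # three frames from the second PC
    pc1_again = port.ingress(PC1)
    return {"pc1_first": pc1_first, "pc2_forwarded": any(pc2),
            "pc1_again": pc1_again, "violations": port.violation_count,
            "notified": len(port.notifications), "row": port.status_row()}
```

Because protect gives the operator no signal, a monitoring check should treat a port in Protect mode with CurrentAddr at its maximum as a candidate for investigation rather than relying on the violation count.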
