Cisco Support Community

New Member

Port security & snmp


Can Port-Security Be Configured to Send Alert but not shut down any


In other words, can a switch port be configured using Port Security or other commands to

not shut down *any* traffic but just send a trap and have an SNMP alert sent out by our NMS?

The switch in question is a 3750-24PS-S running 12.2(44)SE5.

Thank you!

New Member

Re: Port security & snmp

I have been researching the same issue (and was about to post a question like yours before I came across it while searching for port security posts!) Cisco TAC has suggested that the use of ERRDISABLE RECOVERY CAUSE SECURITY-VIOLATION command along with the ERRDISABLE RECOVERY INTERVAL 30 argument would allow port security configuration and alerting without any traffic being dropped.

But I don't think this really is an appropriate solution (although I'm going to test it in the lab in a bit) because my opinion is that the alert will only be deferred and the violation will be noted again - with the most likely result being that any 'illegal' (insecure) MAC address will still not be allowed to send traffic on the port despite the use of the ERRDISABLE command?

New Member

Re: Port security & snmp

Sorry about not getting back to this sooner - they give me a new desktop and it has Vista on it and .... (you get the picture.)

The short answer is that ERRDISABLE RECOVERY does not work - traffic from insecure MAC addresses will still be dropped despite the presence of ERRDISABLE RECOVERY.

What will work (but will probably not be your favorite solution) is to establish a MAC database - centralized or on a per-switch basis - of 'legal' (secure) addresses that will gain access to a specific VLAN without a trap being sent. Any 'illegal' (insecure) MAC address detected will be sent to a different restricted VLAN and a trap would be sent.

As you would imagine, if you're not already doing this, it means (like almost any security mechanism) more work and a less elegant design.

Outside of that there does not seem to be any way of combining port security, no dropped traffic and trap notification.
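For reference, here is the IOS configuration the two replies above are describing, as an added example that is not from any of the posters: port security in `restrict` violation mode (which sends the SNMP trap and syslog message and keeps the port up, but still drops frames from non-secure MACs), the port-security trap enable, and the errdisable recovery commands TAC suggested for the `shutdown` mode. Note that on Catalyst IOS the port-security recovery cause keyword is `psecure-violation` (`security-violation` is the 802.1x cause). The interface name, VLAN, NMS address and community string are assumptions chosen for the example; adjust them to your switch.

```cisco
! Added example config (not from the thread). Tested concept: Catalyst 3750,
! 12.2(44)SE-era IOS. FastEthernet1/0/1, VLAN 10, 192.0.2.10 and the
! community string TRAPS-RO are assumed values.
!
! Send port-security traps to the NMS; trap-rate limits traps per second.
snmp-server host 192.0.2.10 version 2c TRAPS-RO
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 10
!
interface FastEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 ! restrict: trap + syslog + SecurityViolation counter, port stays up,
 ! but frames from any MAC beyond the learned maximum are still dropped.
 ! protect:  drops silently (no trap). shutdown: err-disables the port.
 switchport port-security violation restrict
 ! Learn the first two MACs and write them into the running config.
 switchport port-security mac-address sticky
!
! Only relevant with "violation shutdown": auto-recover the err-disabled
! port after 30 s. The violating MAC is still blocked and the next frame
! from it re-triggers the violation, which is what the third post observed.
errdisable recovery cause psecure-violation
errdisable recovery interval 30
!
! Verification
show port-security interface FastEthernet1/0/1
show port-security address
show errdisable recovery
```

Check `show port-security interface` after a test: with `restrict`, Port Status stays `Secure-up` while the Security Violation Count increments and the NMS receives a trap per violating MAC; no mode passes the offending frames, which matches the thread's conclusion.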