Difference between protect/restrict port security violation action?

m.lammerse
Level 1

Hi all,

I've read the documentation, but found the explanations a bit vague. Could someone please explain the difference between these two?

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/12_1e/comref/s1.htm#wp1184020

Thanks.

Accepted Solutions

thisisshanky
Level 11

Only difference is that security violation counters are incremented in restrict, while it's not incremented in protect.

So each time a violation occurs and you do a show port-security on that port.

Switch# show port-security interface fastethernet0/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses :50
Total MAC Addresses: 11
Configured MAC Addresses: 0
Sticky MAC Addresses :11
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0

The counter above in bold will be incremented when restrict is configured, and will not increment if protect is configured.

Either way, the packets from the insecure hosts will be dropped if a violation occurs.

HTH

Sankar.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
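
The practical consequence of the answer above for anyone auditing switch ports, as an added example (not code from the original post or from Cisco): a small parser for the `show port-security interface` output that refuses to treat a zero counter as "clean" when the port is in protect mode. The function names and verdict strings are hypothetical, and the Restrict and Protect inputs are constructed by changing two fields of the output quoted in the post.

```python
import re

# Output layout copied from the post above; {mode} and {count} are filled in
# with constructed values to exercise each case.
SAMPLE = """\
Port Security: Enabled
Port status: SecureUp
Violation mode: {mode}
Maximum MAC Addresses :50
Total MAC Addresses: 11
Configured MAC Addresses: 0
Sticky MAC Addresses :11
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: {count}
"""

def parse_port_security(text):
    """Turn 'Key: value' and 'Key :value' lines into a dict with lowercase keys."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields

def assess(text):
    """Return (mode, count, verdict) for one interface's output."""
    f = parse_port_security(text)
    mode = f["violation mode"].lower()
    count = int(f["security violation count"])
    if mode == "protect":
        # Per the answer above: frames are dropped but the counter is not
        # incremented, so zero is not evidence that no violation happened.
        verdict = "counter-not-maintained"
    elif count > 0:
        verdict = "violations-recorded"
    else:
        # Assumption: modes other than protect maintain the counter
        # (the thread states this only for restrict).
        verdict = "no-violations-recorded"
    return mode, count, verdict

if __name__ == "__main__":
    for mode, count in (("Shutdown", 0), ("Restrict", 3), ("Protect", 0)):
        print(assess(SAMPLE.format(mode=mode, count=count)))
```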

Clear!

Thanks Sankar..

Sankar... if I may, do you know what the point is of increasing the security violation count? IMHO, this is only a cosmetic difference. Is that correct?

Thanks,

Marcel

I think it's only used for statistics.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

It also determines whether you can get a syslog message and SNMP trap for the event.

http://www.cisco.com/en/US/products/hw/switches/ps646/products_command_reference_chapter09186a008021145b.html#wp3062358

Kevin Dorrell

Luxembourg

OK.

I'll just stop thinking about it and store it in memory ;-)

Thanks for your replies, both.

Marcel
