22-14
Catalyst 2928 Switch Software Configuration Guide
OL-23389-01
Chapter 22 Configuring Port-Based Traffic Control
Configuring Port Security
Step 7
switchport port-security [violation {protect | restrict | shutdown | shutdown vlan}]
(Optional) Set the violation mode, the action to be taken when a security violation is detected, as one of these:
• protect—When the number of port secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
Note We do not recommend configuring the protect mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.
• restrict—When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
• shutdown—The interface is error disabled when a violation occurs, and the port LED turns off. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
• shutdown vlan—Use to set the security violation mode per VLAN. In this mode, the VLAN is error disabled instead of the entire port when a violation occurs.
Note When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command. You can manually re-enable it by entering the shutdown and no shutdown interface configuration commands or by using the clear errdisable interface vlan privileged EXEC command.
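The violation mode from Step 7 and the recovery commands from the note, shown together in one configuration session. This is an added example and not a listing from the Cisco guide: the interface name gigabitethernet0/1, the maximum of 2 secure addresses and the 300-second recovery interval are assumed values, and switchport port-security maximum and errdisable recovery interval are standard IOS commands that belong to other steps of the procedure.

```ios
! Added example, not from the guide. Interface name, maximum and recovery interval are assumed values.
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
! Port security is configured on a static access port here; this also avoids the
! per-VLAN learning side effect the guide warns about for protect mode on trunk ports.
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
! restrict: frames with unknown source MAC addresses are dropped, and unlike protect
! the switch still sends an SNMP trap, logs a syslog message and increments the
! violation counter, so the event is visible to monitoring.
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# exit
! If shutdown (or shutdown vlan) mode is chosen instead, let the switch recover
! error-disabled ports automatically; the interval is in seconds (assumed value).
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Verify the configured mode, the violation counter and the current port status.
Switch# show port-security interface gigabitethernet0/1
! Manual recovery of an error-disabled port, as described in the note above.
Switch# configure terminal
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# end
```

With restrict, a violation leaves the port up but generates a trap and a syslog entry, which is what a NOC or SIEM can alert on; with shutdown, the port goes error disabled and stays down until the recovery timer fires or an administrator bounces it with shutdown and no shutdown.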
Command                                  Purpose