From: Mike Dickson (Mike@dicksonnetworks.com)
Date: Wed Jun 30 2004 - 13:19:06 GMT-3
Restrict and protect will stop frames from unauthorized MAC addresses
while allowing frames from authorized MAC addresses, and err-disable
shuts down the port. In a scenario where the immediate downstream
device is a hub, you would probably not want to disable the legitimate
devices from accessing the network.
Unless having the offender abused by his peers for shutting down their
network access is part of your network policy enforcement program, of
course.
Mike Dickson
CCIE #12281
Dickson Network Designs
-----Original Message-----
From: Brian McGahan [mailto:bmcgahan@internetworkexpert.com]
Sent: Wednesday, June 30, 2004 10:58 AM
To: ccie2be; Joseph D. Phillips; group study
Subject: RE: Switchport port-security violation options
Technically any of them. Restrict and protect stop traffic from
insecure addresses but allow traffic from secure addresses. The
difference between them is that restrict will generate an snmp/syslog
message when the violation occurs. Shutdown will put the interface into
err-disabled state (up/down).
So ask yourself, in which of these cases *are* frames from a MAC
address not in the list of acceptable source MACs allowed to get
through? :)
HTH,
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987 x 705
Outside US: 775-826-4344 x 705
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> ccie2be
> Sent: Wednesday, June 30, 2004 10:37 AM
> To: Joseph D. Phillips; group study
> Subject: Re: Switchport port-security violation options
>
> Hey Joseph,
>
> The answer is in the last part of your question. Shutdown puts the
> interface in "error-disabled".
>
> The 3550 command reference has a number of commands related to
> err-disable. Personally, I suspect it would be useful to you to be
> familiar with these commands if you actually use the 3550 in a production
> network or if you plan to take the lab.
>
> HTH
> ----- Original Message -----
> From: "Joseph D. Phillips" <josephdphillips@fastmail.us>
> To: "group study" <ccielab@groupstudy.com>
> Sent: Wednesday, June 30, 2004 11:03 AM
> Subject: Switchport port-security violation options
>
>
> > Between "restrict" and "shutdown," which option would "disable" a
> > switchport receiving frames from a MAC address not in its list of
> > acceptable source MACs?
> >
> > Step 6
> >
> > *switchport port-security violation* {*protect* | *restrict* | *shutdown*}
> >
> > (Optional) Set the violation mode, the action to be taken when a
> > security violation is detected, as one of these:
> >
> > *protect* When the number of secure MAC addresses reaches the limit
> > allowed on the port, packets with unknown source addresses are dropped
> > until you remove a sufficient number of secure MAC addresses or increase
> > the number of maximum allowable addresses. You are not notified that a
> > security violation has occurred.
> >
> > *Note* We do not recommend enabling the *protect* mode on a trunk port.
> > The *protect* mode disables learning when any VLAN reaches its maximum
> > limit, even if the port has not reached its maximum limit.
> >
> > *restrict* When the number of secure MAC addresses reaches the limit
> > allowed on the port, packets with unknown source addresses are dropped
> > until you remove a sufficient number of secure MAC addresses or increase
> > the number of maximum allowable addresses. In this mode, you are
> > notified that a security violation has occurred. Specifically, an SNMP
> > trap is sent, a syslog message is logged, and the violation counter
> > increments.
> >
> > *shutdown* In this mode, a port security violation causes the interface
> > to immediately become error-disabled, and turns off the port LED. It
> > also sends an SNMP trap, logs a syslog message, and increments the
> > violation counter.
> >
> > *Note* When a secure port is in the error-disabled state, you can bring
> > it out of this state by entering the *errdisable recovery cause
> > psecure-violation* global configuration command, or you can manually
> > re-enable it by entering the *shutdown* and *no shutdown* interface
> > configuration commands.
> >
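The three violation modes quoted above, run through a small Python simulation. This is an added example, not code from the thread or from Cisco; it models only the behaviour the quoted 3550 text describes (secure MACs learned up to a maximum, frames from unknown sources beyond that handled per the violation mode, and a shutdown port staying error-disabled until recovered). The class and function names, the MAC addresses and the frame sequence are constructed for the example. It makes both points in the thread concrete: in no mode does a frame from an unknown source MAC get through, and in shutdown mode the previously authorized stations behind a hub lose access as well, while protect and restrict keep forwarding their frames.

```python
"""Model of switchport port-security violation handling.

Constructed example (not from the thread or from Cisco documentation): the
port learns secure MACs up to a maximum and then applies one of the three
violation modes described in the quoted 3550 text to frames from unknown
source MACs.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class SecurePort:
    max_addresses: int
    violation: str                      # "protect", "restrict" or "shutdown"
    secure_macs: Set[str] = field(default_factory=set)
    err_disabled: bool = False
    violation_count: int = 0
    # Stands in for the SNMP trap plus syslog message the switch would emit.
    notifications: List[str] = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Process one inbound frame; return True if it is forwarded."""
        if self.err_disabled:
            # An error-disabled port forwards nothing, including frames from
            # addresses that were secure before the violation.
            return False
        if src_mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.max_addresses:
            # Dynamic learning: the first max_addresses sources become secure.
            self.secure_macs.add(src_mac)
            return True
        return self._violation(src_mac)

    def _violation(self, src_mac: str) -> bool:
        """Apply the configured violation mode. Unknown sources are never forwarded."""
        if self.violation == "protect":
            # Silent drop: no counter, no trap, no syslog.
            return False
        if self.violation == "restrict":
            self.violation_count += 1
            self.notifications.append(f"PSECURE_VIOLATION: unknown source {src_mac}")
            return False
        if self.violation == "shutdown":
            self.violation_count += 1
            self.notifications.append(
                f"PSECURE_VIOLATION: unknown source {src_mac}, port err-disabled")
            self.err_disabled = True
            return False
        raise ValueError(f"unknown violation mode {self.violation!r}")

    def recover(self) -> None:
        """Models shut/no shut or errdisable recovery cause psecure-violation."""
        self.err_disabled = False


# Constructed frame sequence for a port behind a hub: two legitimate stations,
# one unknown station, then a legitimate station transmits again.
LEGIT_A = "00:11:22:33:44:01"
LEGIT_B = "00:11:22:33:44:02"
UNKNOWN = "de:ad:be:ef:00:01"
FRAMES = [LEGIT_A, LEGIT_B, UNKNOWN, LEGIT_A]


def run(mode: str, frames: List[str] = FRAMES,
        max_addresses: int = 2) -> Tuple[SecurePort, List[bool]]:
    """Feed the frames to a fresh port; return the port and per-frame forwarding decisions."""
    port = SecurePort(max_addresses=max_addresses, violation=mode)
    return port, [port.receive(mac) for mac in frames]


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        port, forwarded = run(mode)
        print(f"{mode:9s} forwarded={forwarded} violations={port.violation_count} "
              f"err_disabled={port.err_disabled} notifications={len(port.notifications)}")
```

Running it shows the fourth frame (the legitimate station transmitting again) forwarded under protect and restrict but dropped under shutdown, and only restrict and shutdown producing a notification, which is exactly the operational trade-off discussed in the thread.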
This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:53 GMT-3