Technical Manual
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0011.8565.4B75:1
Security Violation Count : 1
Note: Do not configure the same MAC address as a secure MAC address on one port and as a static MAC address on another port of the same switch.
When an IP phone is connected to a switch port that is configured with a voice VLAN, the phone sends untagged CDP packets and tagged voice-VLAN CDP packets. Its MAC address is therefore learned on both the PVID (access VLAN) and the VVID (voice VLAN), and one phone consumes two secure addresses. If the maximum number of secure addresses on the port is set too low, you can see an error message similar to this one:
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
caused by MAC address 001b.77ee.eeee on port GigabitEthernet1/0/18.
PSECURE: Assert failure: psecure_sb->info.num_addrs <= psecure_sb->max_addrs:
To resolve this issue, set the maximum number of secure addresses on the port to two (for the IP phone) plus the maximum number of secure addresses that you want to allow on the access VLAN.
Refer to Configuring Port Security for more information.
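The following is an added example, not part of the Cisco document: a small Python model of how port security counts secure addresses on a voice-VLAN port. Secure entries are keyed on (MAC, VLAN), so the phone's address on the PVID and on the VVID are two separate entries. The model uses the 'restrict' violation mode (the port stays up and the violation counter increments); the port name, VLAN numbers, MAC addresses and traffic sequence are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class SecurePort:
    """A port-security enabled access port with a voice VLAN (violation mode 'restrict')."""
    name: str
    access_vlan: int
    voice_vlan: int
    maximum: int                                   # switchport port-security maximum <n>
    secure: Set[Tuple[str, int]] = field(default_factory=set)  # learned (mac, vlan) pairs
    violation_count: int = 0
    syslog: List[str] = field(default_factory=list)

    def learn(self, mac: str, vlan: int) -> bool:
        """Learn mac on vlan; return False and log a violation when the maximum is exceeded."""
        key = (mac.lower(), vlan)
        if key in self.secure:
            return True                            # already a secure address on this VLAN
        if len(self.secure) >= self.maximum:
            # 'restrict' mode: drop the frame, count it, keep the port up
            self.violation_count += 1
            self.syslog.append(
                f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
                f"caused by MAC address {mac} on port {self.name}."
            )
            return False
        self.secure.add(key)
        return True


def required_maximum(access_vlan_maximum: int) -> int:
    """Port maximum needed with an IP phone: 2 for the phone plus the access-VLAN allowance."""
    return 2 + access_vlan_maximum


def phone_with_pc(port_maximum: int) -> Tuple[List[bool], int]:
    """Constructed traffic: a phone seen on the PVID and the VVID, then a PC behind the phone.

    Returns the per-frame learn results and the final violation count.
    """
    port = SecurePort("GigabitEthernet1/0/18", access_vlan=1, voice_vlan=100,
                      maximum=port_maximum)
    phone, pc = "001b.77ee.eeee", "0011.8565.4b75"   # constructed addresses
    results = [
        port.learn(phone, port.access_vlan),        # untagged CDP -> learned on PVID
        port.learn(phone, port.voice_vlan),         # tagged voice traffic -> learned on VVID
        port.learn(pc, port.access_vlan),           # PC plugged into the phone's switch port
    ]
    return results, port.violation_count


if __name__ == "__main__":
    print("maximum 1:", phone_with_pc(1))           # phone's second VLAN entry already violates
    print("maximum 3:", phone_with_pc(required_maximum(1)))
```

With `maximum 1` the phone's own VVID entry is the first violation, before the PC is ever seen; with `2 + 1` the phone and one PC on the access VLAN fit without a violation.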
DHCP Snooping
DHCP snooping acts like a firewall between untrusted hosts and DHCP servers. You use DHCP snooping to distinguish untrusted interfaces, which connect to end users, from trusted interfaces, which connect to a DHCP server or to another switch. When a switch receives a DHCP packet on an untrusted interface that belongs to a VLAN with DHCP snooping enabled, the switch compares the source MAC address of the frame with the DHCP client hardware address (chaddr); this MAC address verification is enabled by default. If the addresses match, the switch forwards the packet. If they do not match, the switch drops the packet. The switch drops a DHCP packet when one of these situations occurs:
• A packet from a DHCP server, such as a DHCPOFFER, DHCPACK, DHCPNAK, or DHCPLEASEQUERY packet, is received from outside the network or firewall, that is, on an untrusted interface.
• A packet is received on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match.
• The switch receives a DHCPRELEASE or DHCPDECLINE broadcast message that has a MAC address in the DHCP snooping binding database, but the interface information in the binding database does not match the interface on which the message was received.
• A DHCP relay agent forwards a DHCP packet that includes a relay-agent IP address that is not 0.0.0.0, or the relay agent forwards a packet that includes option-82 information, to an untrusted port.
Refer to DHCP Snooping Configuration Guidelines for the guidelines on how to configure DHCP snooping.
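The following is an added example, not part of the Cisco document: a Python model of the four drop rules listed above, applied to constructed DHCP frames. The `SnoopingSwitch` class, its `inspect` method, the port names, VLAN numbers, MAC addresses and the pre-populated binding are all assumptions made for the illustration; the message-type values are the standard option 53 codes.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# DHCP message types (RFC 2132 option 53; DHCPLEASEQUERY from RFC 4388).
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPDECLINE = 1, 2, 3, 4
DHCPACK, DHCPNAK, DHCPRELEASE, DHCPLEASEQUERY = 5, 6, 7, 10

# Messages that only a DHCP server (or a relay in front of one) should originate.
SERVER_MESSAGES = {DHCPOFFER, DHCPACK, DHCPNAK, DHCPLEASEQUERY}


@dataclass
class DhcpFrame:
    """The fields of a DHCP-over-Ethernet frame that the snooping rules inspect."""
    msg_type: int
    src_mac: str                  # Ethernet source address
    chaddr: str                   # DHCP client hardware address field
    giaddr: str = "0.0.0.0"       # relay-agent IP address; 0.0.0.0 means "not relayed"
    option82: bool = False        # relay-agent information option present


@dataclass
class SnoopingSwitch:
    """Hypothetical model of the DHCP snooping decision on a single switch."""
    snooping_vlans: Set[int]
    trusted_ports: Set[str]
    verify_mac: bool = True       # source-MAC vs chaddr check (on by default)
    # binding database: client MAC -> (vlan, port) learned from completed leases
    bindings: Dict[str, Tuple[int, str]] = field(default_factory=dict)

    def inspect(self, frame: DhcpFrame, port: str, vlan: int) -> Tuple[bool, str]:
        """Return (forward, reason) for a DHCP frame received on port/vlan."""
        if vlan not in self.snooping_vlans:
            return True, "vlan not snooped"
        if port in self.trusted_ports:
            return True, "trusted port"
        # Rule 1: server messages are never accepted from an untrusted port.
        if frame.msg_type in SERVER_MESSAGES:
            return False, "server message on untrusted port"
        # Rule 2: source MAC must match chaddr (when verification is enabled).
        if self.verify_mac and frame.src_mac.lower() != frame.chaddr.lower():
            return False, "source MAC does not match chaddr"
        # Rule 3: RELEASE/DECLINE must come from the interface that owns the binding.
        if frame.msg_type in (DHCPRELEASE, DHCPDECLINE):
            binding = self.bindings.get(frame.chaddr.lower())
            if binding is not None and binding != (vlan, port):
                return False, "release/decline from a port that does not own the binding"
        # Rule 4: relay-agent data (non-zero giaddr or option 82) is not accepted
        # from untrusted ports.
        if frame.giaddr != "0.0.0.0" or frame.option82:
            return False, "relay-agent data on untrusted port"
        return True, "client message accepted"


def build_demo_switch() -> SnoopingSwitch:
    """Constructed topology: VLAN 10 snooped, uplink Gi1/0/1 trusted, one existing binding."""
    return SnoopingSwitch(
        snooping_vlans={10},
        trusted_ports={"Gi1/0/1"},
        bindings={"0011.8565.4b75": (10, "Gi1/0/18")},
    )


if __name__ == "__main__":
    sw = build_demo_switch()
    client = "0011.8565.4b75"
    cases = [
        ("DISCOVER from client port", DhcpFrame(DHCPDISCOVER, client, client), "Gi1/0/18"),
        ("OFFER from rogue on access port", DhcpFrame(DHCPOFFER, "000c.2900.0001", client), "Gi1/0/18"),
        ("OFFER from uplink", DhcpFrame(DHCPOFFER, "000c.2900.0001", client), "Gi1/0/1"),
        ("spoofed chaddr", DhcpFrame(DHCPDISCOVER, "aaaa.bbbb.cccc", client), "Gi1/0/18"),
        ("RELEASE from wrong port", DhcpFrame(DHCPRELEASE, client, client), "Gi1/0/19"),
        ("relayed REQUEST on access port", DhcpFrame(DHCPREQUEST, client, client, giaddr="10.0.0.1"), "Gi1/0/18"),
    ]
    for label, frame, port in cases:
        print(f"{label:32s} -> {sw.inspect(frame, port, 10)}")
```

The RELEASE case is the one most often overlooked: the frame is well formed and its source MAC matches chaddr, yet it is dropped because the binding database says the lease belongs to Gi1/0/18, so a host on Gi1/0/19 cannot release someone else's address.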
Note: For DHCP snooping to function properly, all DHCP servers must be connected to the switch through
trusted interfaces.
Note: In a switch stack with Catalyst 3750 Switches, DHCP snooping is managed on the stack master. When
a new switch joins the stack, the switch receives DHCP snooping configuration from the stack master. When a
member leaves the stack, all DHCP snooping bindings associated with the switch age out.
Note: In order to ensure that the lease time in the database is accurate, Cisco recommends that you enable and
configure NTP. If NTP is configured, the switch writes binding changes to the binding file only when the
switch system clock is synchronized with NTP.