System Management Software Configuration Guide for Cisco IE 2000U and Connected Grid Switches
Chapter 9 Configuring Port-Based Traffic Control
You can configure the interface for one of three violation modes, based on the action to be taken if a violation occurs:

• protect—when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.

Note We do not recommend configuring the protect violation mode on a trunk port. The protect mode disables learning when any VLAN reaches its maximum limit, even if the port has not reached its maximum limit.

• restrict—when the number of secure MAC addresses reaches the maximum limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.

• shutdown (Default)—a port security violation causes the interface to become error-disabled and to shut down immediately, and the port LED turns off. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
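The following configuration is an added example, not taken from this guide: one access port is placed in restrict mode so that violations are trapped, logged and counted rather than silently dropped, a second port keeps the default shutdown mode, and automatic error-disable recovery is enabled for port-security violations. The interface names, the address limits and the 300-second interval are assumed values, as is the presence of an SNMP trap receiver configured separately with snmp-server host.

```cisco
! Added example (not from the guide). Interface names, address limits and
! the recovery interval below are assumed values, not Cisco recommendations.

! Access port A: restrict mode. Frames from addresses beyond the limit are
! dropped and, unlike protect mode, each violation sends an SNMP trap, logs a
! syslog message and increments the violation counter, so monitoring sees it.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict

! Access port B: default shutdown mode. A violation error-disables the port
! and turns the port LED off; the violation counter still increments.
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown

! Without this, traps from restrict-mode violations are never generated;
! a trap receiver (snmp-server host ...) is assumed to be configured elsewhere.
snmp-server enable traps port-security

! Ports error-disabled by a port-security violation recover automatically
! after 300 seconds instead of waiting for a manual shutdown / no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! Verification (privileged EXEC):
!   show port-security interface FastEthernet0/1  (mode, counter, secure MACs)
!   show errdisable recovery                       (psecure-violation, timer)
```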
Table 9-1 shows the violation mode and the actions taken when you configure an interface for port security.

Table 9-1 Security Violation Mode Actions

Violation Mode | Traffic is forwarded (1) | Sends SNMP trap | Sends syslog message | Displays error message (2) | Violation counter increments | Shuts down port
protect        | No                       | No              | No                   | No                         | No                          | No
restrict       | No                       | Yes             | Yes                  | No                         | Yes                         | No
shutdown       | No                       | No              | No                   | No                         | Yes                         | Yes

1. Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses.
2. The switch returns an error message if you manually configure an address that would cause a security violation.

Prerequisites

Review the “Information About Port-Based Traffic Control” section on page 9-1.

Guidelines and Limitations

Storm Control

• The switch does not require additional configuration to cause the switch storm-control counters to increment for small frames because the storm-control feature correctly handles small frames. However, because of hardware limitations and the way in which packets of different sizes are