Switchport Port-Security Violation Options in Cisco Switch

Understanding Switchport Port-Security

A Cisco Layer 2 switch builds a MAC address table and forwards frames to their destination based on that table. The switchport port-security feature restricts which source MAC addresses are allowed to send through a given switch port. When a frame arrives from any other MAC address, the switch treats it as a security violation; in the default violation mode it shuts the port down. Most network administrators also have the switch send an SNMP trap to their network monitoring system so that they learn a port has been disabled for security reasons.

Port security therefore keeps unauthorised devices off the network. What happens when a second device tries to use the same switch port depends on the configured violation mode: Cisco switches offer three modes (four on newer platforms), and you pick the one that matches your requirements.

The three violation modes are protect, restrict and shutdown. Shutdown is the default, and because every violation then needs an administrator to re-enable the port, it creates the most operational burden.

Configure port security in Cisco Switch

Configuring port security on a Cisco switch is relatively easy: put the port in static access mode and enter the switchport port-security command in interface configuration mode. The access-mode step matters; the command is rejected on a port that is still in dynamic (DTP) mode. Here's an example:

Cisco-Switch# config t
Cisco-Switch(config)# int fa0/18
Cisco-Switch(config-if)# switchport mode access
Cisco-Switch(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
Cisco-Switch(config-if)# switchport port-security
Cisco-Switch(config-if)# ^Z
Cisco-Switch#

Of course, you can also configure port security on a range of ports. Here’s an example:

Cisco-Switch# config t
Cisco-Switch(config)# int range fastEthernet 0/1 - 24
Cisco-Switch(config-if-range)# switchport mode access
Cisco-Switch(config-if-range)# switchport port-security

However, be careful with a range if it includes an uplink port that reaches more than one device. With the defaults (a maximum of one secure address and violation mode shutdown), the first frame from a second MAC address err-disables the entire uplink.

Cisco Switchport Port-Security Violation Options

Entering the bare switchport port-security command accepts the defaults: only one MAC address is allowed, it is learned from the first device that communicates on the port, and the port is shut down if another MAC address attempts to send through it. You do not have to accept these defaults.

As the ? output above shows, the violation keyword selects how the switch reacts. Three modes exist on every platform, and newer IOS releases add a fourth (shutdown vlan):

Cisco-Switch(config-if)# switchport port-security violation {protect | restrict | shutdown | shutdown vlan}

This command tells the switch what to do when a frame arrives from a source MAC address that is not in the port's secure list while the number of secure addresses has already reached the configured maximum, or when an address that is secure on one port shows up on another secure port in the same VLAN. The default is to shut down the port.

  1. Protect – once the secure address count has reached the maximum, frames from any further source MAC address are silently dropped until enough secure addresses are removed or the maximum is raised. Nothing is logged, no trap is sent and the violation counter does not move, so the event goes unnoticed unless somebody inspects the port. Cisco advises against protect mode on trunk ports, because learning stops as soon as any single VLAN reaches its limit even if the port as a whole has not.
  2. Restrict – the same dropping behaviour as protect, but the switch records the violation: a syslog message (%PORT_SECURITY-2-PSECURE_VIOLATION) is generated, an SNMP trap is sent and the SecurityViolation counter for the port increments. This is usually the best trade-off; the legitimate device keeps working and the monitoring system still hears about the rogue one.
  3. Shutdown (default) – the port transitions to the err-disabled state, stops forwarding all traffic and its LED turns off; a syslog message and SNMP trap are sent and the violation counter increments. An administrator must bring it back with shutdown followed by no shutdown on the interface, unless errdisable recovery cause psecure-violation is configured so the switch re-enables the port itself after the recovery interval.
  4. Shutdown VLAN – behaves like shutdown but err-disables only the VLAN on which the violation occurred rather than the whole port, so the other VLANs on a trunk, or the voice VLAN on an access port, keep working. It is not available on every platform or IOS release (older switches such as the 2950 offer only the three modes above); switchport port-security violation ? shows what your switch supports.
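The following configuration is an added worked example written for this page; it is not the article's own example. It ties together the range warning from earlier (keep the uplink out of the range) and the violation modes just listed, and adds the notification and recovery settings a practitioner normally pairs with them. It assumes a 24-port access switch whose FastEthernet ports face end users and whose GigabitEthernet0/1 is the trunk to the distribution layer; the VLAN numbers and the 192.0.2.x addresses are placeholders.

```ios
! Added example; not part of the original article. Assumed topology: a 24-port
! access switch, Fa0/1-24 facing end users, Gi0/1 trunking to the distribution
! switch. VLAN numbers and 192.0.2.x addresses are placeholders.
!
! --- Access ports: restrict mode -------------------------------------------
! One IP phone plus one PC per port. The phone's MAC is usually learned in the
! voice VLAN and again in the data VLAN (untagged CDP), so allow three secure
! addresses. 'restrict' drops frames from a fourth address but keeps the port
! up and reports the event (syslog, SNMP trap, violation counter).
! 'switchport mode access' must come first; port security is rejected on a
! dynamic (DTP) port.
interface range FastEthernet0/1 - 23
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 spanning-tree portfast
!
! --- A port where shutdown mode is acceptable --------------------------------
! Default mode and default maximum of 1, but let the switch recover the port
! by itself after 5 minutes instead of waiting for 'shutdown' / 'no shutdown'.
interface FastEthernet0/24
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security violation shutdown
!
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- The uplink --------------------------------------------------------------
! Every MAC address behind the distribution switch appears here, so this port
! is deliberately left out of the range above: with the defaults (maximum 1,
! violation shutdown) the first frame from a second host would err-disable
! the whole uplink.
interface GigabitEthernet0/1
 switchport mode trunk
 no switchport port-security
!
! --- Make restrict/shutdown notifications reach somebody ---------------------
logging host 192.0.2.20
snmp-server enable traps port-security
snmp-server enable traps port-security trap-rate 5
! The trap receiver is defined separately with 'snmp-server host ...'; prefer
! SNMPv3 over a v2c community string.
!
! --- Verification (privileged EXEC) ------------------------------------------
! show port-security                    summary table, one row per secure port
! show port-security interface Fa0/18   mode, max/current addresses, last
!                                       offending source MAC, violation count
! show port-security address            the secure MAC address table
! show interfaces status err-disabled   ports shut down by a violation
! show errdisable recovery              enabled recovery causes and timer
```

After a test violation on a restrict-mode port, the SecurityViolation column of show port-security and the syslog collector at 192.0.2.20 should both show it while the port stays connected; the same test on Fa0/24 should move the port to err-disabled and, five minutes later, back up without anyone touching the CLI. Protect mode would show neither the log line nor the counter change, which is exactly why it is hard to recommend.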

Filed Under: LAN Security


  1. Stan says:

    I simply needed to thank you very much again.

  2. Kamilah says:

    I really like your writing style, wonderful information on Switchport port-security violation options to Configure on Cisco Switch, thanks for putting up : D.

  3. Travers Gour says:

    Would it be possible to translate your website into Spanish, because I have difficulties speaking English, and as there usually are not many pictures on your website I'd prefer to go through a fantastic of what you may be writing.

  4. Fancy says:

    Nice article on Switch port port security violation options on Cisco Switch, I have read some of the articles also on your own website today, and I enjoy your style of blogging.

  5. Abhi says:

    Hi,

    Find some switch port security violation options.

    Protect mode – drops all the packets with unknown source addresses after the limit of secure addresses on that port is reached.

    Restrict mode – sends an SNMP trap and also causes the switch to increment the security violation counter.

    Regards,
    Abhi

  6. Sandy says:

    Find below the Fa0/5 switch port security configuration and switch port statistics.

    interface FastEthernet0/5
     switchport mode access
     switchport port-security
     switchport port-security violation protect
     switchport port-security mac-address sticky
     switchport port-security mac-address sticky 0004.7583.cb52
     speed 100
     no cdp enable
    !

    "Show version" output:

    Switch#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(14)EA1a, RELEASE SOFTWARE (fc1)
    Copyright (c) 1986-2003 by cisco Systems, Inc.
    Compiled Tue 02-Sep-03 03:33 by antonino
    Image text-base: 0x80010000, data-base: 0x805C0000

    ROM: Bootstrap program is CALHOUN boot loader

    Switch uptime is 8 weeks, 3 days, 16 hours, 16 minutes
    System returned to ROM by power-on
    System image file is "flash:/c2950-i6q4l2-mz.121-14.EA1a.bin"

    cisco WS-C2950T-24 (RC32300) processor (revision M0) with 20710K bytes of memory.
    Processor board ID FOC0751W351
    Last reset from system-reset
    Running Enhanced Image
    24 FastEthernet/IEEE 802.3 interface(s)
    2 Gigabit Ethernet/IEEE 802.3 interface(s)

    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 00:0E:84:EF:DF:80
    Motherboard assembly number: 73-6114-09
    Power supply part number: 34-0965-01
    Motherboard serial number: FOC07511ARB
    Power supply serial number: DAB0750HAZH
    Model revision number: M0
    Motherboard revision number: B0
    Model number: WS-C2950T-24
    System serial number: FOC0751W351
    Configuration register is 0xF

    Switch#sh port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)       (Count)          (Count)
    ---------------------------------------------------------------------------
          Fa0/5            1            1                  0         Protect
    ---------------------------------------------------------------------------
    Total Addresses in System (excluding one mac per port)     : 0
    Max Addresses limit in System (excluding one mac per port) : 1024

  7. Gupta says:

    This post covers all three switch port violation options very nicely. Thanks.
