What is accomplished by the command switchport port-security violation protect?

Posted on By admin No Comments on What is accomplished by the command switchport port-security violation protect?

[TABS_R id=8322]

What is accomplished by the command switchport port-security violation protect?

  • The switch will generate a log message but will not block any packets
  • The switch will drop packets that are in violation and generate a log message
  • The switch will drop packets that are in violation, but not generate a log message
  • The switch will shut down the interface when packets in violation are detected

Explanation:

The command switchport port-security port violation protect will cause the switch to drop packets that are in violation, but does not generate a log message. The complete syntax of the command is:

switch(config-if)# switchport port-security violation protect

The port-security command is used to lock a port to a specific MAC addresses. Port security can be used to limit access to a port by MACaddress. It can be applied to:
access ports
VoIP ports
ports where multiple MAC addresses are expected, such as a port connecting to a hub

It cannot be applied to trunk ports or to ports that are part of an Etherchannel.

Three keywords can be used with this command: protect, restrict and shutdown. The restrict keyword tells the port to drop packets and generate a log message for packets that are in violation. The protect keyword tells the port to drop packets without generating a log message for packets that are in violation. The shutdown keyword causes the port to be place into the errdisable state if a violation is detected.

The following configuration, generated from a partial output of the show run command, would apply port security to the Fa0/1 interface. It would allow five addresses to access the interface at time. This count includes addresses that have been seen by the port but are currently inactive. Therefore, if five addresses have been seen and three are inactive, then a sixth address would not be allowed. If the port security maximum command has not been issued, the default behavior will only allow one address on the port.

The aging command can be used to force inactive addresses to be dropped from the list of addresses seen, thereby allowing active addresses access to the port.

300-420 Part 07 Q10 055
300-420 Part 07 Q10 055

The above configuration also includes a static entry for the MAC address 0006.0006.0006. This means that this address is always in the list, and so in effect, this configuration leaves only four other dynamic MAC addresses that can connect at a time.

There is no option to generate a log message but not block any packets.

Objective:
Infrastructure Security
Sub-Objective:
Configure and verify switch security features

[TABS_R id=8322]

Uncategorized
0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x