Last Updated on August 1, 2021 by Admin 2
What is accomplished by the command switchport port-security violation protect?
- The switch will generate a log message but will not block any packets
- The switch will drop packets that are in violation and generate a log message
- The switch will drop packets that are in violation, but not generate a log message
- The switch will shut down the interface when packets in violation are detected
The command switchport port-security port violation protect will cause the switch to drop packets that are in violation, but does not generate a log message. The complete syntax of the command is:
switch(config-if)# switchport port-security violation protect
The port-security command is used to lock a port to a specific MAC addresses. Port security can be used to limit access to a port by MACaddress. It can be applied to:
ports where multiple MAC addresses are expected, such as a port connecting to a hub
It cannot be applied to trunk ports or to ports that are part of an Etherchannel.
Three keywords can be used with this command: protect, restrict and shutdown. The restrict keyword tells the port to drop packets and generate a log message for packets that are in violation. The protect keyword tells the port to drop packets without generating a log message for packets that are in violation. The shutdown keyword causes the port to be place into the errdisable state if a violation is detected.
The following configuration, generated from a partial output of the show run command, would apply port security to the Fa0/1 interface. It would allow five addresses to access the interface at time. This count includes addresses that have been seen by the port but are currently inactive. Therefore, if five addresses have been seen and three are inactive, then a sixth address would not be allowed. If the port security maximum command has not been issued, the default behavior will only allow one address on the port.
The aging command can be used to force inactive addresses to be dropped from the list of addresses seen, thereby allowing active addresses access to the port.
The above configuration also includes a static entry for the MAC address 0006.0006.0006. This means that this address is always in the list, and so in effect, this configuration leaves only four other dynamic MAC addresses that can connect at a time.
There is no option to generate a log message but not block any packets.
Configure and verify switch security features