For the first two days, one port on the Cisco 2960 in the server room kept going down. At the time, having the server-room staff restart the switch did not help; moving the cable to another port brought it back up, but after a while that port would go down too. Searching online suggested the port might be going down because of the Cisco switch's port-security feature. I later connected to the switch from the server room and looked: port G17 showed err-disabled. To confirm that the reason was port-security, I added loopback as a recovery cause with automatic recovery after 30 seconds; after that, G17 came back up automatically about 30 seconds after going down.
switch#show interfaces status err-disabled
Port      Name               Status       Reason               Err-disabled Vlans
Gi0/17                       err-disabled loopback
switch#configure terminal
switch(config)#errdisable recovery cause loopback     // add loopback as an err-disabled recovery cause
switch(config)#errdisable recovery interval 30         // recovery timeout: 30 seconds
switch(config)#
If automatic recovery is not configured, or you want the port back before the timer expires, shut down and then no shutdown the interface to return it to the normal forwarding state. Checking the err-disabled list again afterwards shows no ports in that state, and G17 is restored.
switch(config)#interface gigabitethernet 0/17
switch(config-if)#shutdown
switch(config-if)#no shutdown
switch#show interfaces gigabitethernet 0/17
GigabitEthernet0/17 is down, line protocol is down (notconnect)
To stop the port from going down again, I disabled the port-security feature on the switch ports directly.
switch#configure terminal
switch(config)#interface range gigabitethernet 0/1-17
switch(config-if-range)#switchport mode access
switch(config-if-range)#no switchport port-security
switch(config-if-range)#end
switch#wr
Building configuration...
[OK]
switch#
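The check-and-recover procedure above (list the err-disabled ports, then either enable timed recovery for the reason shown or bounce the port with shutdown / no shutdown) is easy to automate once the switch output is parsed. The following is an added example, not code from the original post: it parses a constructed sample of "show interfaces status err-disabled" in the layout shown above and produces the recovery commands used in the post. The interface names and reasons in the sample are made up; only the two reasons the post deals with get automatic recovery, everything else falls back to a manual bounce.

```python
"""Added example (not from the original post): parse the output of
"show interfaces status err-disabled" and build the recovery commands
used in the post. The sample output is constructed to match the layout
shown on the page; its interface names and reasons are made up."""
import re
from dataclasses import dataclass

# Constructed sample output (not captured from a real switch).
SAMPLE_OUTPUT = """\
Port      Name               Status       Reason               Err-disabled Vlans
Gi0/17                       err-disabled loopback
Gi0/3     printer            err-disabled psecure-violation
"""

# Reasons covered by the post, mapped to the 'errdisable recovery cause' keyword.
# Any other reason falls back to a manual shutdown / no shutdown on the port.
RECOVERY_CAUSES = {
    "loopback": "loopback",
    "psecure-violation": "psecure-violation",
}

# port, optional Name column, the literal status, then the Reason column.
LINE_RE = re.compile(
    r"^(?P<port>\S+)\s+(?:(?P<name>\S+)\s+)?err-disabled\s+(?P<reason>\S+)"
)


@dataclass
class ErrDisabledPort:
    port: str
    reason: str
    name: str = ""


def parse_err_disabled(output: str) -> list:
    """Return one record per interface the switch lists as err-disabled."""
    ports = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Port"):   # skip blanks and the header row
            continue
        m = LINE_RE.match(line)
        if m:
            ports.append(ErrDisabledPort(m["port"], m["reason"], m["name"] or ""))
    return ports


def recovery_plan(ports, interval: int = 30) -> list:
    """IOS commands to recover the given ports.

    Reasons with a known recovery cause get automatic recovery after
    `interval` seconds (IOS accepts 30-86400); anything else is bounced
    manually with shutdown / no shutdown, as the post does.
    """
    if not 30 <= interval <= 86400:
        raise ValueError("errdisable recovery interval must be 30-86400 seconds")
    cmds = []
    auto = sorted({RECOVERY_CAUSES[p.reason] for p in ports if p.reason in RECOVERY_CAUSES})
    if auto:
        cmds.append("configure terminal")
        cmds += [f"errdisable recovery cause {cause}" for cause in auto]
        cmds.append(f"errdisable recovery interval {interval}")
        cmds.append("end")
    for p in ports:
        if p.reason not in RECOVERY_CAUSES:
            cmds += ["configure terminal", f"interface {p.port}",
                     "shutdown", "no shutdown", "end"]
    return cmds


if __name__ == "__main__":
    found = parse_err_disabled(SAMPLE_OUTPUT)
    for p in found:
        print(f"{p.port:8} {p.reason}")
    print("\n".join(recovery_plan(found)))
```

Feed `parse_err_disabled` the real command output captured from the switch and the plan shows which reasons can be handled with timed recovery; keeping the reason visible matters, because enabling recovery only hides a recurring cause such as a loop or a port-security violation, it does not fix it.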
Introduction to Cisco switch Port security (port-security)
Port security limits which MAC addresses may send traffic on an interface, which protects against MAC address flooding. When a violation is detected (a frame from a MAC address that is not on the whitelist once the whitelist is full), the default action is to shut the interface down.
Enabling the port security feature
switchport port-security [violation {protect | restrict | shutdown}]
Parameter description
switchport port-security violation shutdown   // on a violation, shut the port down (err-disable); this is the default action
switchport port-security violation protect    // drop traffic from the offending MAC address without logging
switchport port-security violation restrict   // drop traffic from the offending MAC address and send a violation notification (SNMP trap / log)
Example
Single-port operation
SW2(config)#int F0/2
SW2(config-if)#switchport port-security         // enable port security
Command rejected: FastEthernet0/2 is a dynamic port.
Port security cannot be enabled on a dynamic port; it requires a static access port or a trunk port, so the port mode has to be switched to access. A dynamic port negotiates automatically whether it becomes an access or a trunk port, which is why it must be set to access first.
SW2(config-if)#switchport mode access           // the port must be in access mode before port security can be enabled
SW2(config-if)#switchport port-security
SW2(config-if)#switchport port-security violation shutdown
SW2(config-if)#switchport port-security maximum 100                         // allow up to 100 MAC addresses on this port (the default maximum number of secure MAC addresses is 1)
SW2(config-if)#switchport port-security mac-address sticky                  // enable sticky learning of whitelisted MAC addresses
SW2(config-if)#switchport port-security mac-address sticky 000c.8543.0a81   // add this MAC address as a sticky secure address
Switch(config)#errdisable recovery cause psecure-violation                  // automatic recovery after a port-security violation; alternatively shut / no shut the port manually
Multi-port operation
Switch(config)#interface range gigabitethernet 0/3-6
Switch(config-if-range)#switchport mode access
SW2(config-if)#switchport port-security violation protect
SW2(config-if)#switchport port-security violation restrict
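The three violation modes only differ in what happens once the secure-address table is full, which is easiest to see side by side. The block below is an added example, not code from the original post or from Cisco: it is a small model of an access port with port security and sticky learning, driven by constructed MAC addresses, and it shows that protect drops silently, restrict drops but counts and notifies, and shutdown puts the port into err-disable so that even a whitelisted address stops passing until the port is recovered. It simulates the behaviour described above and does not talk to a switch.

```python
"""Added example (not from the original post): a model of how an access
port with port-security treats frames under the protect, restrict and
shutdown violation modes described above. It simulates the documented
behaviour and does not talk to a switch; MAC addresses are constructed."""
from dataclasses import dataclass, field

VIOLATION_MODES = ("protect", "restrict", "shutdown")


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                  # IOS default: one secure MAC per port
    violation: str = "shutdown"       # IOS default action
    sticky: bool = False
    secure_macs: list = field(default_factory=list)
    sticky_config: list = field(default_factory=list)   # lines that would land in running-config
    violations: int = 0               # the SecurityViolation counter
    err_disabled: bool = False
    notifications: list = field(default_factory=list)   # syslog / SNMP trap events (constructed text)

    def __post_init__(self):
        if self.violation not in VIOLATION_MODES:
            raise ValueError(f"unknown violation mode {self.violation!r}")

    def receive(self, src_mac: str) -> str:
        """Handle one ingress frame: 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"                 # nothing passes until the port recovers
        if src_mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)      # learned as a secure address
            if self.sticky:                       # sticky: learned address is written to the config
                self.sticky_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forward"
        return self._violation(src_mac)

    def _violation(self, src_mac: str) -> str:
        if self.violation == "protect":
            return "drop"                         # silent drop: no counter, no notification
        self.violations += 1
        self.notifications.append(f"security violation on {self.name} by {src_mac}")
        if self.violation == "restrict":
            return "drop"                         # drop, count and notify; the port stays up
        self.err_disabled = True                  # shutdown mode: the port goes err-disabled
        return "err-disabled"

    def recover(self) -> None:
        """shutdown / no shutdown, or errdisable recovery firing; secure addresses are kept."""
        self.err_disabled = False


def run_mode(mode: str, maximum: int = 2):
    """Send three frames from distinct MACs through a fresh port; return (port, results)."""
    frames = ("000c.8543.0a81", "000c.8543.0a82", "000c.8543.0a83")   # constructed MACs
    port = SecurePort("Fa0/2", maximum=maximum, violation=mode, sticky=True)
    return port, [port.receive(mac) for mac in frames]


if __name__ == "__main__":
    for mode in VIOLATION_MODES:
        port, results = run_mode(mode)
        print(f"{mode:9} {results}  violations={port.violations}  err-disabled={port.err_disabled}")
```

The model leaves out address aging and the rate limiting restrict mode applies to repeated violations, but it captures the operational point of the post: with the default shutdown mode, one extra MAC address (a hub, a second machine behind the desk, a spoofed frame) takes the whole port down, while restrict keeps the port up and still leaves a counter and a trap to detect on.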
Recovering a port that has entered err-disable after a violation:
If a port-security port has been err-disabled because of a violation, the interface can be restored as follows:
Disabling the port security feature
SW2(config)#int F0/2
SW2(config-if)#no switchport port-security      // disable port security
Switch(config-if)#exit
Switch(config)#interface range gigabitethernet 0/3-6
Switch(config-if-range)#no switchport port-security
This article is from the "I am not a rookie" blog; please keep this source when reposting: http://pvbutler.blog.51cto.com/7662323/1733122
Cisco 2960 switch port security (port-security)