Cisco2960 Switch Port Security port-security

Source: Internet
Author: User
Tags cisco switch

In the first two days after the equipment room went live, a port on a Cisco 2960 kept going down. At the time I had the equipment room staff restart the switch, which did not help; later I had them move the cable to another port and it recovered, but after a while that port went down as well. Searching online suggested the port going down might be caused by the port-security feature of the Cisco switch. Later I connected to the switch in the equipment room to take a look: port G17 showed err-disabled. To confirm that the reason was port-security, I added loopback to the err-disable recovery causes with automatic recovery after 30 seconds, and after the next time it went down, G17 came back up automatically after about 30 seconds.

switch#show interfaces status err-disabled
Port      Name               Status         Reason               Err-disabled Vlans
Gi0/17                       err-disabled   loopback
switch#configure terminal
switch(config)#errdisable recovery cause loopback    //add the loopback cause to err-disabled port recovery
switch(config)#errdisable recovery interval 30       //set the recovery timeout to 30 seconds
switch(config)#

If you do not configure the timeout recovery feature, or if you want to bring the port back to normal before the timeout expires, you need to shutdown and then no shutdown the port for it to return to the normal forwarding state. Checking the err-disabled ports again, none are found in that state, and G17 is restored.

Switch(config)#interface gigabitethernet 0/17
Switch(config-if)#shutdown
Switch(config-if)#no shutdown
switch#show interfaces gigabitethernet 0/17
GigabitEthernet0/17 is down, line protocol is down (notconnect)

To keep the port from going down again, I simply disabled the port-security feature on the switch.

Switch#configure terminal
Switch(config)#interface range gigabitethernet 0/1-17
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#no switchport port-security
Switch(config-if-range)#end
Switch#wr
Building configuration...
[OK]
Switch#

Introduction to Cisco switch Port security (port-security)

Port security prevents MAC address flooding: when illegal traffic is detected (a MAC address that is not in the whitelist arrives while the whitelist is already full), the default action is to shut the interface down.

Enable the port security feature

switchport port-security [violation {protect | restrict | shutdown}]

Parameter description

switchport port-security violation shutdown    // action taken on a violation: shut the port down (err-disable); this is the default policy

switchport port-security violation protect     // drop traffic from the offending MAC address, without logging

switchport port-security violation restrict    // drop traffic from the offending MAC address and send a violation notification via SNMP

Example

Single-port operation

SW2(config)#int F0/2

SW2(config-if)#switchport port-security    // enable port security

Command rejected: FastEthernet0/2 is a dynamic port. A dynamic port cannot enable port security; only a static access port or trunk port can. Dynamic ports negotiate automatically whether they become access or trunk, so the mode must first be set to access.

SW2(config-if)#switchport mode access    // before enabling port security, the port must be in access mode

SW2(config-if)#switchport port-security

SW2(config-if)#switchport port-security violation shutdown

SW2(config-if)#switchport port-security maximum 100    // allow at most 100 MAC addresses on this port; the default maximum number of secure MAC addresses is 1

SW2(config-if)#switchport port-security mac-address sticky    // enable sticky learning of whitelist MAC addresses

SW2(config-if)#switchport port-security mac-address sticky 000c.8543.0a81    // add a sticky MAC address

Switch(config)#errdisable recovery cause psecure-violation    // automatic recovery; alternatively shut / no shut the port manually


Multi-port operation

Switch(config)#interface range gigabitethernet 0/3-6

Switch(config-if-range)#switchport mode access

SW2(config-if)#switchport port-security violation protect

SW2(config-if)#switchport port-security violation restrict


Recovering from err-disable after a violation:

If a port-security (PSEC) port has entered the err-disable state because of a violation, the interface can be restored in either of the following ways:

    • Use the global configuration command: errdisable recovery cause psecure-violation

    • Manually shutdown and then no shutdown the specific port
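To tell which err-disabled ports will recover on their own and which still need the manual shutdown / no shutdown, here is an added Python helper (not part of the original post) that parses constructed samples of the "show interfaces status err-disabled" output seen above and of "show errdisable recovery"; the exact layout of the second command's output and the sample port names are assumptions.

```python
import re

# Constructed sample of "show interfaces status err-disabled" (not from the post).
SHOW_ERRDISABLED = """\
Port      Name               Status       Reason               Err-disabled Vlans
Gi0/17                       err-disabled loopback
Gi0/3     printer            err-disabled psecure-violation
"""

# Constructed sample of "show errdisable recovery" (layout assumed): only the
# loopback cause has recovery enabled, as in the post.
SHOW_RECOVERY = """\
ErrDisable Reason            Timer Status
-----------------            --------------
psecure-violation            Disabled
loopback                     Enabled
bpduguard                    Disabled
"""


def parse_err_disabled(text):
    """Map port -> err-disable reason from 'show interfaces status err-disabled'."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+.*?err-disabled\s+(\S+)", line)
        if m:
            ports[m.group(1)] = m.group(2)
    return ports


def parse_recovery(text):
    """Map err-disable cause -> True if 'errdisable recovery cause' is enabled."""
    enabled = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(Enabled|Disabled)\s*$", line)
        if m:
            enabled[m.group(1)] = m.group(2) == "Enabled"
    return enabled


def ports_needing_manual_reset(errdisabled, recovery):
    """Ports whose cause has no recovery timer: they stay down until shut/no shut."""
    return sorted(p for p, r in errdisabled.items() if not recovery.get(r, False))


def reset_commands(ports):
    """IOS commands (the shut / no shut sequence from the post) for each port."""
    cmds = ["configure terminal"]
    for p in ports:
        cmds += [f"interface {p}", "shutdown", "no shutdown"]
    return cmds + ["end"]
```

Gi0/17 (loopback, recovery enabled) will come back by itself; Gi0/3 (psecure-violation, recovery disabled) is the one the helper flags for a manual reset.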


Disable the port security feature

SW2(config)#int F0/2

SW2(config-if)#no switchport port-security    // disable port security

Switch(config-if)#exit

Switch(config)#interface range gigabitethernet 0/3-6

Switch(config-if-range)#no switchport port-security

This article is from "I am not a rookie" blog, please be sure to keep this source http://pvbutler.blog.51cto.com/7662323/1733122
