Cisco Switchport Port-Security Violation Protect – Breach Limits Explained

Tags: cisco, cisco-commands, mac address, port-security, switch

The switchport port-security violation shutdown command shuts the port (err-disabled) when the policy is violated. But for the restrict and protect modes there is no mention of shutting a port down. So, can the policy be violated an unlimited number of times when a switch port is configured with:
  switchport port-security violation restrict (or protect)

Best Answer

Yes, the restrict and protect modes can be violated any number of times without shutting down the port since they are not designed to do that; they will drop packets with unknown source addresses:

See Configuring the Port Security Violation Mode on a Port on page 62-6:

  • protect—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value.
  • restrict—Drops packets with unknown source addresses until you remove a sufficient number of secure MAC addresses to drop below the maximum value and causes the SecurityViolation counter to increment.
  • shutdown—Puts the interface into the error-disabled state immediately and sends an SNMP trap notification.
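Added example (not part of the original answer or of the Cisco document it quotes) showing the three modes side by side from a monitoring standpoint; the interface names and the MAC limit are assumptions, so adjust them to the switch in question:

```cisco
! Added example, not from the original answer. Interface names and the
! maximum of 2 secure MACs are assumptions.
!
! Weakest for detection: protect drops offending frames silently. The
! SecurityViolation counter does not move, nothing is logged, and the
! port never err-disables, so repeated violations go unnoticed.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation protect
!
! Better: restrict drops the same frames but increments the
! SecurityViolation counter (on most IOS platforms it also logs a syslog
! message and sends an SNMP trap), so the unlimited violations the
! question asks about at least become visible.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! shutdown err-disables the port on the first violation. Without
! recovery configured it stays down until an operator bounces it.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
interface GigabitEthernet1/0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
!
! Checks (exec mode): per-port mode, status and violation count, and
! which err-disabled ports are scheduled for recovery.
! show port-security interface GigabitEthernet1/0/2
! show port-security
! show errdisable recovery
```

With restrict, the violation count reported by show port-security interface keeps climbing while the port stays up, which is the observable answer to the question.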