I thought that each mode <protect>, <restrict> and <shutdown> are suppose to disregard offending mac-address's traffic to the incoming switch port. I'm only able to get <shutdown> to stop offending traffic from reaching the layer 3 Vlan1 address of my switch.

As I understand this:

• Protect disregards offending mac-address traffic on the incoming port, doesn't send any SNMP trap messages and doesn't increment security violation counter.
• Restrict disregards offending mac-address traffic on the incoming port, send an SNMP trap messages and increment security violation counter.
• Shutdown shuts down the port, send an SNMP trap messages and increment security violation counter.

When I use protect, nothing happens.. I'm able to SSH into the switches Vlan1 management IP interface successfully
When I use Restrict I receive SNMP for the violation, the counter increments but I'm still able to SSH into the switch
Shutdown works as expected..

What gives? I thought the offending mac-address traffic were suppose to be dropped..

I don't remember needing to know this for the CCNA, but I'm definitely studying this for the CCNP Switch. Interesting question. So we see a security violation count increasing. Can you do more than just reach the management interface? Can you actually log in and make changes?

_________________
Regards,

Steven King
San Diego Cisco User Group - http://www.sdcug.com
"The only time something is impossible is when you think it is." - Kevin Corbin, CCIE #11577

I can SSH in authenticated to my privilege level 15 user account. I ran a couple show commands, but left it at that..

I was doing some looking around but couldn't find anything. Can you post a show ver? I'll try this out at home tonight (If I remember.), and let you know what I find on my 2950 and 3550 EMI.

Sounds like a wierd issue... especially if it's flagging violations.

_________________
Regards,

Steven King
San Diego Cisco User Group - http://www.sdcug.com
"The only time something is impossible is when you think it is." - Kevin Corbin, CCIE #11577

I have 3 switches. 2950, 2950g and 3550. I only tried this on my 2950si, it was 11:30pm. The IOS version is 12.1(22)xx, I thought it might just be something I over looked.. I'll test it out on the other 2 switches when I get a little time this evening.

Just a guess...

The default maximum macs is 128. If you configure 1 mac statically the rest are learned dynamically. Add in the command 'switch port maximum mac 1' and try it again.

_________________
blog.brokennetwork.ca

I thought one MAC address was the maximum default.

_________________
"See packet, be packet, you are packet. Ignore all else!" -The Networker
packetsdropped.wordpress.com

Not according to step 4 here:

http://www.cisco.com/en/US/docs/switche ... #wp1044863

_________________
blog.brokennetwork.ca

Going to have to go back over my CCNP training, I coulda swore somewhere in there it said 1 was the default max. My memory is horrible so that is most likely the problem.

_________________
"See packet, be packet, you are packet. Ignore all else!" -The Networker
packetsdropped.wordpress.com

That page indicates a default maximum as 1, and I'm almost 100% positive the default is 1, but I've been wrong before..

I just skimmed my CCNP Switch Book on Port-Security and found a tip I'll try

Ahh eff. I linked to the 6500 document. The 2950 12.1(20) config guide says 1 mac.

http://www.cisco.com/en/US/docs/switche ... #wp1038552

_________________
blog.brokennetwork.ca

1 should be the default. Most of our switches are configured with port-security and we leave the max at the default, which blocks more than one MAC.

_________________
http://blog.alwaysthenetwork.com

show port-security will tell you. scottsee posted that in his first post. The max is one.

_________________
blog.brokennetwork.ca

Yeah, so I figured maybe it was a problem with the mac-address table so I unplugged my cat6 cable from the switch, turned it on configured port security without the switch ever learning a dynamic MAC from my NIC and issue still occurs.

I tried the following command to flush any dynamic MAC but it didn't stop the offending frames from entering the Vlan1 interface..

I wonder if the VLAN1 management interface is an exception to port-security?..

Yep. I turned on another switch and trunked a link between the two. Communication to the VLAN management interface is successful even though port-security is configured on the switch, but it will not process frames designated to any other ip address. ICMP ping and Telnet session requests from my desktop to the 2nd switched failed every time while the port-security counters increase as expect. Essentially doing the job that it should. When I turned off port-security on the offending f/01 port layer 3 communication goes back to normal and I'm able to reach my second switch.

Interesting..

i'm confused

_________________
http://blog.alwaysthenetwork.com

Me too.. The 2950's IOS version is 12.1(22). Maybe it's a glitch in the matrix.

Yeah... that sounds very wierd. I'll try it on my 2950, 2950T, and 3550 and see what I find.

_________________
Regards,

Steven King
San Diego Cisco User Group - http://www.sdcug.com
"The only time something is impossible is when you think it is." - Kevin Corbin, CCIE #11577

Please do..

maybe the difference is the plane you are riding on, data vs. management plane.
are you going to the switch or through the switch.