Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
765
Views
5
Helpful
2
Replies

Port security & snmp

georgeef1
Level 1
Level 1

‎04-27-2009 09:28 AM

Hi,

Can Port-Security Be Configured to Send Alert but not shut down any

traffic?

In other words, can a switch port be configured using Port Security or other commands to

not shut down *any* traffice but just send a trap and an SNMP alert sent out by our NMS?

The switch in question is a 3750-24PS-S running 12.2(44)SE5.

Thank you!

Labels:
0 Helpful
2 Replies 2

pmettewie
Level 1
Level 1

‎04-28-2009 10:49 AM

I have been researching the same issue (and was about to post a question like yours before I came across it while searching for port security posts!) Cisco TAC has suggested that the use of ERRDISABLE RECOVERY CAUSE SECURITY-VIOLATION command along with the ERRDISABLE RECOVERY INTERVAL 30 argument would allow port security configuration and alerting without any traffic being dropped.

But I don't think this really is an appropriate solution (although I'm going to test it in the lab in a bit) because my opinion is that the alert will only be deferred and the violation will be noted again - with the most likely result being that any 'illegal' (insecure) MAC address will still not be allowed to send traffic on the port despite the use of the ERRDISABLE command?

0 Helpful

pmettewie
Level 1
Level 1
In response to pmettewie

‎04-30-2009 12:42 PM

Sorry about not getting back to this sooner - they give me a new desktop and it has Vista on it and .... (you get the picture.)

The short answer is that ERRDISABLE RECOVERY does not work - traffic from insecure MAC addresses will still be dropped despite the presence of ERRDISABLE RECOVERY.

What will work (but will probably not be your favorite solution) is to establish a MAC database - centralized or a per-switch basis - of 'legal' (secure) addresses that will gain access to a specific VLAN without a trap being sent. Any 'illegal' (insecure) MAC address detected will be sent to a different restricted VLAN and trap would be sent.

As you would imagine, if you're not already doing this, it means (like almost any security mechanism) more work and a less elegant design.

Outside of that there does not seem to be any way of combining port security, no dropped traffic and trap notification.

Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card