port-security disable-timer
Syntax
port-security <port-numbers> disable-timer <seconds>
Description
Configures the timer that applies to the specified ports once port security places a port in the error-disabled state.
Command context
config
Parameters
port-numbers
    Specifies the port numbers. You can configure a single port or a range of ports.
seconds
    Sets the number of seconds after which disabled ports are automatically re-enabled. The range is 0 to 300 seconds.
Types of port-security modes
switch(config)# port-security 1-4
 action                Define the action in case of an intrusion detection.
 address-limit         Define number of authorized addresses on the ports.
 clear-intrusion-flag  Clear the intrusion indicator for the ports.
 disable-timer         Configure number of seconds after which disabled ports are automatically re-enabled.
 eavesdrop-prevention  Enable Eavesdrop Prevention.
 learn-mode            Define the mode for acquiring authorized MAC addresses.
 mac-address           Configure the addresses authorized on the ports.
How to configure the disable timer:
Configuring timer as 50 seconds for the port numbers from 1 to 10.
switch(config)# port-security 1-4 disable-timer 50
switch(config)# show port-security 1-4

 Port Security

  Port : 1
  Learn Mode [Continuous] : Port-Access
  Action [None] : Send Alarm, Disable Port
  Eavesdrop Prevention [Enabled] : Enabled
  Disable Timer : 50

  Authorized Addresses
  --------------------

  Port : 2
  Learn Mode [Continuous] : Port-Access
  Action [None] : Send Alarm, Disable Port
  Eavesdrop Prevention [Enabled] : Enabled
  Disable Timer : 50

  Authorized Addresses
  --------------------

  Port : 3
  Learn Mode [Continuous] : Port-Access
  Action [None] : Send Alarm, Disable Port
  Eavesdrop Prevention [Enabled] : Enabled
  Disable Timer : 50

  Authorized Addresses
  --------------------

  Port : 4
  Learn Mode [Continuous] : Port-Access
  Action [None] : Send Alarm, Disable Port
  Eavesdrop Prevention [Enabled] : Enabled
  Disable Timer : 50

  Authorized Addresses
  --------------------
To check Intrusion
switch(config)#sh int brief 1-4

 Status and Counters - Port Status

                          | Intrusion                           MDI  Flow Bcast
  Port         Type       | Alert     Enabled Status Mode       Mode Ctrl Limit
  ------------ ---------- + --------- ------- ------ ---------- ---- ---- -----
  1            100/1000T  | Yes       Yes     Up     1000FDx    Auto off  0
  2            100/1000T  | Yes       Yes     Down   1000FDx    Auto off  0
  3            100/1000T  | No        Yes     Up     1000FDx    MDI  off  0
  4            100/1000T  | Yes       Yes     Down   1000FDx    Auto off  0
To check event logs
To check the debug log for port security, enable the debug security port-security command. Check the logs in reverse order by using the following command:
switch(config)#sh log -r
 Keys: W=Warning I=Information M=Major D=Debug E=Error
 ---- Reverse event Log listing: Events Since Boot ----
 I 03/11/18 12:31:19 00001 vlan: ST1-CMDR: VLAN10 virtual LAN enabled (122 times in 60 seconds)
 I 03/11/18 12:31:19 00076 ports: ST1-CMDR: port 1/A1 is now on-line
 I 03/11/18 12:31:17 03125 mgr: ST1-CMDR: Startup configuration changed by unknown. New seq. number 186
 I 03/11/18 12:31:17 02611 mgr: ST1-CMDR: port-security subsystem saved some internal change(s) to startup config.
 I 03/11/18 12:31:17 05754 fault: ST1-CMDR: port-security disable timer expired for port:1/A1
 I 03/11/18 12:30:27 00002 vlan: ST1-CMDR: VLAN10 virtual LAN disabled (121 times in 60 seconds)
 03/11/18 12:30:27 00077 ports: ST1-CMDR: port 1/A1 is now off-line
 I 03/11/18 12:30:27 03125 mgr: ST1-CMDR: Startup configuration changed by unknown. New seq. number 185
 I 03/11/18 12:30:27 02611 mgr: ST1-CMDR: port-security subsystem saved some internal change(s) to startup config.
 W 03/11/18 12:30:26 00334 FFI: ST1-CMDR: Port 1/A1 - Security violation caused by MAC address 300002-b85107.
 I 03/11/18 12:30:26 05753 fault: ST1-CMDR: Port-security disable timer set for port:1/A1
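The violation and disable-timer events in the log above can be correlated per port to see which MAC addresses triggered a shutdown and how long each port stayed disabled. The following Python script is an added example, not part of the original command reference; the sample log is constructed (the hostname SW1 and the MAC address are made up), the event IDs are the ones shown above, and the MM/DD/YY date order is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the "sh log -r" layout (newest entry first).
# Hostname SW1 and the MAC address are made up; event IDs are from the page.
SAMPLE_LOG = """\
I 03/11/18 12:33:40 05753 fault: SW1: Port-security disable timer set for port:1/A1
W 03/11/18 12:33:40 00334 FFI: SW1: Port 1/A1 - Security violation caused by MAC address 02aabb-ccdd01.
I 03/11/18 12:31:17 05754 fault: SW1: port-security disable timer expired for port:1/A1
I 03/11/18 12:31:17 02611 mgr: SW1: port-security subsystem saved some internal change(s) to startup config.
W 03/11/18 12:30:26 00334 FFI: SW1: Port 1/A1 - Security violation caused by MAC address 02aabb-ccdd01.
I 03/11/18 12:30:26 05753 fault: SW1: Port-security disable timer set for port:1/A1
"""

# The severity letter is optional; the date is assumed to be MM/DD/YY.
LINE = re.compile(r"^\s*(?:[WIMDE]\s+)?(\d\d/\d\d/\d\d \d\d:\d\d:\d\d) (\d{5}) \S+: (.*)$")
PORT = re.compile(r"[Pp]ort[: ]\s*(\S+)")
MAC = re.compile(r"MAC address ([0-9A-Fa-f]{6}-[0-9A-Fa-f]{6})")
VIOLATION, TIMER_SET, TIMER_EXPIRED = "00334", "05753", "05754"

def summarize(log_text):
    """Return {port: {violations, macs, windows (seconds), still_disabled}}."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m and m.group(2) in (VIOLATION, TIMER_SET, TIMER_EXPIRED):
            ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    events.sort(key=lambda e: e[0])  # the listing is newest first; replay oldest first
    state = defaultdict(lambda: {"violations": 0, "macs": set(), "windows": [], "since": None})
    for ts, event_id, msg in events:
        port_match = PORT.search(msg)
        if not port_match:
            continue
        entry = state[port_match.group(1)]
        if event_id == VIOLATION:
            entry["violations"] += 1
            mac = MAC.search(msg)
            if mac:
                entry["macs"].add(mac.group(1).lower())
        elif event_id == TIMER_SET:
            entry["since"] = ts
        elif entry["since"] is not None:  # TIMER_EXPIRED closing an open window
            entry["windows"].append((ts - entry["since"]).total_seconds())
            entry["since"] = None
    return {port: {"violations": e["violations"], "macs": sorted(e["macs"]),
                   "windows": e["windows"], "still_disabled": e["since"] is not None}
            for port, e in state.items()}
```

A port that shows a new violation from the same MAC address after each timer expiry is cycling between disabled and re-enabled, which is worth reviewing against the configured disable-timer value.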
Supported platforms:
- 2930F/2930M
- 2930F VSF
- 2930M Stack
- 3810 [Standalone/Stack]
- 5400R [Standalone/VSF]