Using Port Security
Enabling port security eavesdrop-prevention
Syntax
[no] port-security <port-list> eavesdrop-prevention
With eavesdrop-prevention enabled, a port-security port is prevented from transmitting packets that have unknown destination addresses, so unknown-unicast flooding cannot deliver another host's traffic to a device on that port. Only devices attached to the port receive packets intended for them.
This option does not apply to a learning mode of port-access or continuous. See Configuring port security for more information on learning modes.
Default: Enabled.
Configuring DHCP snooping
Networking switches support DHCPv4 and DHCPv6 snooping. Configuring both versions helps protect your entire network configuration by blocking unintended or rogue DHCPv4 and DHCPv6 servers.
Configuring DHCPv4 snooping
Enabling DHCPv4 snooping
To globally enable DHCPv4 snooping, enter:
switch(config)# dhcp-snooping
Use the no form of the command to disable DHCPv4 snooping.
Configuring DHCPv4 snooping
Syntax
[no] dhcp-snooping [authorized-server | database | option | trust | verify | vlan]
authorized-server
Specifies the IP address of a trusted DHCP server. If no authorized servers are configured, all DHCP server addresses are considered valid. Maximum: 20 authorized servers.
database
Specifies a URL location for the lease database in the format tftp://ip-addr/ascii-string. The maximum number of characters for the URL is 63.
option
Adds the relay information option (Option 82) to DHCP client packets that are being forwarded out trusted ports. Default: yes (add relay information).
trust
Configures trusted ports. Only server packets received on trusted ports are forwarded. Default: untrusted.
verify
Enables DHCP packet validation. The DHCP client hardware address field (chaddr) and the source MAC address must be the same for packets received on untrusted ports, or the packet is dropped. Default: yes.
vlan
Enables DHCP snooping on a VLAN. DHCP snooping must already be enabled globally. Default: no.
To display the DHCPv4 snooping configuration, enter this command:
switch(config)# show dhcp-snooping
The following figure shows sample output.
To display statistics about the DHCPv4 snooping process, enter this command:
switch(config)# show dhcp-snooping stats
The following figure shows sample output.
Enabling DHCPv4 snooping on VLANs
DHCPv4 snooping on VLANs is disabled by default. To enable DHCP snooping on a VLAN or range of VLANs, enter this command:
switch(config)# dhcp-snooping vlan <vlan-id-range>
You can also use this command in the vlan context, in which case you cannot enter a range of VLANs for snooping. Below is an example of DHCP snooping enabled on VLAN 4.
Using DHCPv4 snooping with option 82
DHCPv4 snooping adds Option 82 (relay information option) to DHCPv4 request packets received on untrusted ports by default. (See "Configuring DHCP Relay" in the management and configuration guide for more information on Option 82.)
When DHCPv4 snooping is enabled globally and also enabled on a VLAN, and the switch is acting as a DHCPv4 relay, the settings for the DHCPv4 relay Option 82 command are ignored when snooping is controlling Option 82 insertion. Option 82 inserted in this manner allows the association of the client's lease with the correct port, even when another device is acting as a DHCPv4 relay or when the server is on the same subnet as the client.
NOTE: DHCPv4 snooping only overrides the Option 82 settings on a VLAN that has snooping enabled, not on VLANs without snooping enabled.
If DHCPv4 snooping is enabled on a switch where an edge switch is also using DHCPv4 snooping, it is desirable to have the packets forwarded so the DHCPv4 bindings are learned. To configure the policy for DHCPv4 packets from untrusted ports that already have Option 82 present, enter this command in the global configuration context.
[no] dhcp-snooping option 82 [remote-id <mac|subnet-ip|mgmt-ip>] [untrusted-policy <drop|keep|replace>]
option 82
Enables DHCP Option 82 insertion in the packet.
remote-id
Sets the value used for the remote-id field of the relay information option.
mac
Uses the switch mac address for the remote-id. This is the default.
subnet-ip
Uses the IP address of the VLAN on which the packet was received for the remote-id. If subnet-ip is specified but the value is not set, the MAC address is used.
mgmt-ip
Uses the management VLAN IP address as the remote-id. If mgmt-ip is specified but the value is not set, the MAC address is used.
untrusted-policy
Configures DHCPv4 snooping behavior when forwarding a DHCPv4 packet from an untrusted port that already contains DHCPv4 relay information (Option 82). The default is drop.
drop
Drops the packet.
keep
Forwards the packet without replacing the option information.
replace
Replaces the existing option with a new Option 82 generated by the switch.
NOTE: The default drop policy should remain in effect if there are any untrusted nodes, such as clients, directly connected to this switch.
Changing the DHCPv4 remote-id from a MAC to an IP address
By default, DHCPv4 snooping uses the MAC address of the switch as the remote-id in Option 82 additions. The IP address of the VLAN the packet was received on, or the IP address of the management VLAN, can be used instead by entering this command with the associated parameter:
switch(config)# dhcp-snooping option 82 remote-id <mac|subnet-ip|mgmt-ip>
DHCPv4 snooping option 82 using the VLAN IP address
Disabling the DHCPv4 MAC address check
DHCPv4 snooping drops DHCPv4 packets received on untrusted ports when the client hardware address (chaddr) field in the DHCPv4 header does not match the source MAC address of the packet (default behavior). To disable this check, use the no form of this command. Disabling it lets a host on an untrusted port request leases on behalf of other MAC addresses, so leave it enabled unless a legitimate relay or proxy sits behind the port.
switch(config)# dhcp-snooping verify mac
Showing the DHCPv4 snooping verify MAC setting
Setting the DHCPv4 binding database location
DHCPv4 snooping maintains a database of up to 8192 DHCP bindings on untrusted ports. Each binding consists of:
Client MAC address
Port number
VLAN identifier
Leased IP address
Lease time
You can configure the switch to store the bindings at a specific URL so they are not lost if the switch is rebooted. If the switch is rebooted, it reads its binding database from the specified location. To configure this location use this command.
[no] dhcp-snooping database [file <tftp://<ip-address>/<ascii-string>>] [delay <15-86400>] [timeout <0-86400>]
file
Specifies a file in Uniform Resource Locator (URL) format — “tftp://ip-address/ascii-string”. The maximum filename length is 63 characters.
delay
Specifies the number of seconds to wait before writing to the database. Default = 300 seconds.
timeout
Specifies the number of seconds to wait for the database file transfer to finish before returning an error. A value of zero (0) means retry indefinitely. Default = 300 seconds.
A message is logged in the system event log if the DHCP binding database fails to update. To display the contents of the DHCP snooping binding database, enter this command:
switch(config)# show dhcp-snooping binding
NOTE: If a lease database is configured, the switch drops all DHCPv4 packets until the lease database has been read. This only occurs when the switch reboots and normally completes quickly. If the switch is unable to read the lease database from the TFTP server, it waits until that operation times out and then begins forwarding DHCP packets.
DHCPv4 Snooping Max Binding
DHCPv4 snooping max-binding prevents one port from exhausting the binding table. It is configured per port, applies to untrusted ports only, and limits the number of bindings allowed on that port. The count for a port includes both statically configured and dynamically learned bindings; it is incremented on a lease offer and decremented on a lease expiry or release.
max-binding can be configured in the configuration context or in the interface context of an untrusted port. In the configuration context, select a port or list of ports and supply the max-binding value in the range <1-8192>. In the interface context, supply the value in the range <1-8192> for the selected interface. Use the no form of the command to remove the max-binding configuration for a port. max-binding cannot be set on trusted ports or on ports whose VLAN is not DHCP-snooping enabled. Once the max-binding limit on an interface is reached, packets from DHCP clients that do not already have a binding entry are dropped.
(config)# dhcp-snooping max-bindings <port-list> <1-8192>
Configures the maximum number of bindings on the specified ports. The default is 8192; the allowed range on a port is 1 to 8192.
(interface)# dhcp-snooping <trust | max-bindings <1-8192>>
Configures the maximum binding value on a port; only this number of clients is allowed on the port. The no form removes the max-binding setting and restores the default of 8192.
(config)# show dhcp-snooping
Shows all available DHCPv4 snooping information. Example:

 DHCP Snooping Information

  DHCP Snooping : Yes

                Max       Current Bindings
  Port   Trust  Bindings  Static  Dynamic
  -----  -----  --------  ------  -------
  1      Yes    -         -       -
  2      No     200       10      3
  3      No     3*        3       6
  4      No     5*        23      0
  5      No     -         -       -
  6      No     -         -       -
  7      No     -         -       -
  8      No     -         -       -
  9      No     -         -       -
  10     No     -         -       -
  11     Yes    -         -       -
  12     Yes    -         -       -
  13     No     -         -       -
  14     No     -         -       -
  15     No     -         -       -
  16     No     -         2       8
  17     No     21        12      24
  18     Yes    -         -       -
  19     No     -         -       -
  20     No     -         -       -
  21     No     -         -       -
  22     No     -         -       -
  23     No     -         -       -
  24     Yes    -         -       -
(config)# show dhcp-snooping stats
Shows the DHCPv4 snooping statistics. Example:

 Packet type  Action   Reason                         Count
 -----------  -------  -----------------------------  -----
 server       forward  from trusted port              0
 client       forward  to trusted port                0
 server       drop     received on untrusted port     0
 server       drop     unauthorized server            0
 client       drop     destination on untrusted port  0
 client       drop     untrusted option 82 field      0
 client       drop     bad DHCP release request       0
 client       drop     failed verify MAC check        0
 client       drop     failed on max-binding limit    0
Configuring DHCPv6 snooping
Enabling DHCPv6 snooping
To globally enable DHCPv6 snooping, enter:
switch(config)# dhcpv6-snooping
Use the no form of the command to disable DHCPv6 snooping.
Enabling DHCPv6 snooping on VLANs
After you globally enable DHCPv6 snooping, use this command to enable DHCPv6 snooping on a VLAN or range of VLANs.
Syntax
Configuring an authorized DHCPv6 server for snooping
Use this command to configure an authorized DHCPv6 server.
Syntax
Configuring a lease entry file for DHCPv6 snooping
Use this command to configure lease database transfer options for DHCPv6 snooping
Syntax
[no] dhcpv6-snooping database [file <ASCII-string>] [delay <15-86400>] [timeout <0-86400>]
file <ASCII-string>
Specifies the database URL in the form tftp://<IP-ADDR>/<FILENAME>, with a maximum length of 255 characters. IP-ADDR can be an IPv4 or an IPv6 address; IPv6 addresses must be enclosed in square brackets.
delay <15-86400>
Specifies the seconds to delay before writing to the lease database file. Valid values are 15 to 86400. Default is 300 seconds.
timeout <0-86400>
Specifies the seconds to wait for the lease file transfer to finish before a failure message is displayed. Valid values are 0 to 86400. Default is 300 seconds. If 0 is specified, the file transfer is retried indefinitely.
Configuring DHCPv6 snooping max binding
Use this command to configure the maximum number of binding addresses allowed per port. If you configure the max-bindings value before enabling DHCPv6 snooping, the limit is applied immediately and bindings are not allowed to exceed it. If you set the max-bindings value after enabling DHCPv6 snooping, the following occurs:
If the current number of bindings is greater than the max-bindings value, the configuration takes effect as clients release their IPv6 addresses.
If the current number of bindings is less than the max-bindings value, the configuration is applied immediately.
Syntax
Configuring traps for DHCPv6 snooping
Use this command to configure traps for DHCPv6 snooping.
Syntax
Clearing DHCPv6 snooping statistics
Use this command in switch config mode to clear DHCPv6 snooping statistics.
Syntax
Enabling debug logging for DHCPv6 snooping
To enable debug logging for DHCPv6 snooping, use this command.
Syntax
DHCPv6 show commands
Use this command to show DHCPv6 snooping information.
Syntax
show dhcpv6-snooping
[stats] [bindings]
stats
Shows DHCPv6 snooping statistics.
bindings
Shows DHCPv6 binding state entries in a tabular format.
Examples
The following example shows all available DHCPv6 snooping information.
switch(config)# show dhcpv6-snooping

 DHCP Snooping Information

  DHCP Snooping            : Yes
  Enabled VLANs            : 1 13 16
  Remote-ID                : MAC
  Store Lease Database     : Yes
    URL                    : tftp://120.93.49.9/avi
    Read at boot           : no
    Write Delay            : 300
    Write Timeout          : 300
    File Status            : up-to-date
    Write Attempts         : 0
    Write Failures         : 0
    Last Successful File Update

                Max       Current Bindings
  Port   Trust  Bindings  Static  Dynamic
  -----  -----  --------  ------  -------
  1      Yes    -         -       -
  2      No     20        20      3
  4      No     3*        3       6
  4      No     543       231     10
  13     No     -         3       6
  48     Yes    -         -       -

 Ports 3,5-12,14-47 are untrusted.

The show commands list only those ports that have bindings on them. Ports 3, 5, 6 and 8 are untrusted but do not appear in the table because they have no associated bindings.
The following example shows DHCPv6 snooping statistics.
switch(config)# show dhcpv6-snooping stats

 Packet Type  Action   Reason                          Count
 -----------  -------  ------------------------------  -----
 server       forward  from trusted port               0
 client       forward  to trusted port                 0
 server       drop     received on validating port     0
 server       drop     unauthorized server             0
 client       drop     destination on validating port  0
 client       drop     relay reply on validating port  0
 client       drop     bad DHCPv6 release request      0
 client       drop     failed verify MAC check         0
 client       drop     failed on max-binding limit     0
Enabling Dynamic ARP protection
To enable dynamic ARP protection for VLAN traffic on a routing switch, enter the arp-protect vlan command at the global configuration level.
Syntax
Enabling Dynamic IP Lockdown
For IPv4
To enable dynamic IP lockdown on all ports or specified ports, enter this command at the global configuration level.
Syntax
Removing MAC Addresses
To remove an address learned using either of the preceding methods, do one of the following:
Delete the address by using no port-security <port-number> mac-address <mac-addr>.
Download a configuration file that does not include the unwanted MAC address assignment.
Reset the switch to its factory-default configuration.
Assigned/authorized addresses
If you manually assign a MAC address (using port-security <port-number> address-list <mac-addr>) and then execute write memory, the assigned MAC address remains in memory until you do one of the following:
Delete it by using no port-security <port-number> mac-address <mac-addr>.
Download a configuration file that does not include the unwanted MAC address assignment.
Reset the switch to its factory-default configuration.
Removing a MAC Address from the Authorized list for a port
This command option removes unwanted devices (MAC addresses) from the Authorized Addresses list. An Authorized Address list is available for each port for which Learn Mode is currently set to "Static". See the command syntax listing under Configuring port security.
CAUTION: When learn mode is set to static, the Address Limit (address-limit) parameter controls how many devices are allowed in the Authorized Addresses (mac-address) list for a given port. If you remove a MAC address from the Authorized Addresses list without also reducing the Address Limit by 1, the port may subsequently detect and accept as authorized a MAC address that you do not intend to include in your Authorized Address list. Thus, if you use the CLI to remove a device that is no longer authorized, it is recommended that you first reduce the Address Limit (address-limit) integer by 1, as shown below. This prevents the same device or another unauthorized device on the network from automatically being accepted as "authorized" for that port.
To remove a device (MAC address) from the "Authorized" list and when the current number of devices equals the Address Limit value, you should first reduce the Address Limit value by 1, then remove the unwanted device.
NOTE: You can reduce the address limit below the number of currently authorized addresses on a port. This enables you to subsequently remove a device from the "Authorized" list without opening the possibility for an unwanted device to automatically become authorized.
Example
Suppose port A1 is configured as shown below and you want to remove 0c0090-123456 from the Authorized Address list:
The following command serves this purpose by removing 0c0090-123456 and reducing the Address Limit to 1:
switch(config)# port-security a1 address-limit 1
switch(config)# no port-security a1 mac-address
0c0090-123456
The above command sequence results in the following configuration for port A1:
Specifying MAC Address and intrusion responses
This example configures port A1 to automatically accept the first device (MAC address) it detects as the only authorized device for that port. The default device limit is 1. It also configures the port to send an alarm to a network management station and disable itself if an intruder is detected on the port.
switch(config)# port-security a1 learn-mode static action send-disable
The next example does the same as the preceding example, except that it specifies a MAC address of 0c0090-123456 as the authorized device instead of allowing the port to automatically assign the first device it detects as an authorized device.
switch(config)# port-security a1 learn-mode static mac-address 0c0090-123456 action send-disable
This example configures port A5 to:
Allow two MAC addresses, 00c100-7fec00 and 0060b0-889e00, as the authorized devices.
Send an alarm to a management station if an intruder is detected on the port, but allow the intruder access to the network.
switch(config)# port-security a5 learn-mode static address-limit 2 mac-address 00c100-7fec00 0060b0-889e00 action send-alarm
If you manually configure authorized devices (MAC addresses) and an alarm action on a port, those settings remain unless you either manually change them or the switch is reset to its factory-default configuration. You can "turn off" authorized devices on a port by configuring the port to continuous Learn Mode, but subsequently reconfiguring the port to static Learn Mode restores those authorized devices.
Clear MAC address table
The following options allow learned MAC addresses to be removed from the MAC address table as follows:
Remove all MAC addresses.
Remove all MAC address on a specified VLAN
Remove all MAC addresses on a port
Remove a specific MAC address on a specific VLAN
This functionality is also supported by SNMP.
Configuring Clearing of Learned MAC Addresses
Use the following commands to clear learned MAC addresses from a port or list of ports, a specific VLAN, or to clear a specific MAC address from a VLAN.
Syntax
clear mac-address port
<port-list>
Removes MAC addresses that were learned on the specified port or ports in <port-list> . Use all to remove all MAC addresses in the MAC address table.
switch(config)# clear mac-address port 4-7
Syntax
clear mac-address vlan <vid>
Removes all MAC addresses that were learned on the specified VLAN.
switch(config)# clear mac-address vlan 2
Syntax
clear mac-address vlan <vid> mac<mac-addr>
Removes the specified MAC address from the specified VLAN
switch(config)# clear mac-address vlan 2 mac 0001e6-b197a8
To view the results from clearing a MAC address, use the show mac-address command with the appropriate option.
Deploying MAC Lockdown
When deploying MAC Lockdown, consider how it interacts with your network topology. If you use techniques such as meshing or Spanning Tree Protocol (STP) to provide multiple paths between devices, MAC Lockdown either will not work or will defeat the purpose of having multiple data paths.
Use MAC Lockdown to prevent a malicious user from hijacking an approved MAC address to steal data traffic sent to that address. The MAC Lockdown feature (static-mac) lets administrators configure the authorized set of clients on a given port.
MAC Lockdown helps prevent hijacking by ensuring that all traffic to a specific MAC address goes only to the correct port on a switch, which must be connected to the real device bearing that MAC address.
However, incorrectly deploying MAC Lockdown in a network that uses multiple-path technology, Spanning Tree or mesh networks can cause errors.
Let's examine a good use of MAC Lockdown within a network to ensure security first.
Adding an IP-to-MAC Binding to the DHCP Database
A routing switch maintains a DHCP binding database, which is used for DHCP and ARP packet validation. Both the DHCP snooping and DHCP Option 82 insertion features maintain the lease database by learning the IP-to-MAC bindings on untrusted ports. Each binding consists of the client MAC address, port number, VLAN identifier, leased IP address, and lease time.
If your network does not use DHCP or if some network devices have fixed, user-configured IP addresses, you can enter static IP-to-MAC address bindings in the DHCP binding database. The switch uses manually configured static bindings for DHCP snooping and dynamic ARP protection.
Clearing the DHCP snooping binding table
To remove the IP-to-MAC binding from the database, use the no form of the ip source-binding command.
Adding a static binding
To add the static configuration of an IP-to-MAC binding for a port to the database, enter the ip source-binding or ipv6 source-binding command at the global configuration level.
Use the no form of the command to remove the IP-to-MAC binding from the database.
For IPv4
Syntax
[no]
ip source-binding <mac-address> vlan <vlan-id> <ip-address> interface <port-number>
mac-address
Specifies a MAC address to bind with a VLAN and IP address on the specified port in the DHCP binding database.
vlan-id
Specifies a VLAN ID number to bind with the specified MAC and IP addresses on the specified port in the DHCP binding database.
ip-address
Specifies an IP address to bind with a VLAN and MAC address on the specified port in the DHCP binding database.
<port-number>
Specifies the port number on which the IP-to- MAC address and VLAN binding is configured in the DHCP binding database.
An example of the ip source-binding command is shown here:
switch(config)# ip source-binding 0030c1-7f49c0 vlan 100 10.10.20.1 interface A4
For IPv6
Syntax
[no]
ipv6 source-binding <mac-address> vlan <vlan-id> <ipv6-address> interface <port-number>
mac-address
Specifies a MAC address to bind with a VLAN and IP address on the specified port in the DHCP binding database.
vlan-id
Specifies a VLAN ID number to bind with the specified MAC and IP addresses on the specified port in the DHCP binding database.
ip-address
Specifies an IPv6 address to bind with a VLAN and MAC address on the specified port in the DHCP binding database.
<port-number>
Specifies the port number on which the IP-to- MAC address and VLAN binding is configured in the DHCP binding database.
Displaying the static configuration of IP-to-MAC bindings
To display the static configurations of IP-to-MAC bindings stored in the DHCP lease database, enter the show ip source-lockdown bindings or show ipv6 source-lockdown bindings command.
For IPv4
Syntax
show ip source-lockdown bindings [port-number]
port-number
(Optional) Specifies the port number on which source IP-to-MAC address and VLAN bindings are configured in the DHCP lease database.
The following example shows output from the show ip source-lockdown bindings command. In the show ip source-lockdown bindings command output, the "Not in HW" column specifies whether or not (YES or NO) a statically configured IP-to-MAC and VLAN binding on a specified port has been combined in the lease database maintained by the DHCP Snooping feature.
Debugging dynamic IP lockdown
To enable the debugging of packets dropped by dynamic IP lockdown, enter the debug dynamic-ip-lockdown command.
Syntax
To send command output to the active CLI session, enter the debug destination session command.
Counters for denied packets are displayed in the debug dynamic-ip-lockdown command output. Packet counts are updated every five minutes. An example of the command output is shown in Debug dynamic-ip-lockdown command output.
When dynamic IP lockdown drops IP packets in VLAN traffic that do not contain a known source IP-to-MAC address binding for the port on which the packets are received, a message is entered in the event log.
Verifying the dynamic IP lockdown configuration
To display the ports on which dynamic IP lockdown is configured, enter the show ip source-lockdown status or show ipv6 source-lockdown status command at the global configuration level.
Adding a MAC Address to a port
To add a device (MAC address) to a port's existing Authorized Addresses list, enter the port number with the mac-address parameter and the device's MAC address. This assumes that Learn Mode is set to static and the Authorized Addresses list is not full (as determined by the current Address Limit value).
Example
Suppose port A1 allows two authorized devices, but has only one device in its Authorized Address list:
With the above configuration for port A1, the following command adds the 0c0090-456456 MAC address as the second authorized address.
switch(config)# port-security a1 mac-address 0c0090-456456
After executing the above command, the security configuration for port A1 would be:
The message Inconsistent value appears if the new MAC address exceeds the current Address Limit or specifies a device that is already on the list. Note that if you change a port from static to continuous learn mode, the port retains in memory any authorized addresses it had while in static mode. If you subsequently attempt to convert the port back to static mode with the same authorized addresses, the Inconsistent value message appears because the port already has the addresses in its "Authorized" list.
If adding a device (MAC address) to a port on which the Authorized Addresses list is already full (as controlled by the port’s current Address Limit setting), then increase the Address Limit in order to add the device, even if replacing one device with another. Using the CLI, you can simultaneously increase the limit and add the MAC address with a single command.
For example, suppose port A1 allows one authorized device and already has a device listed:
To add a second authorized device to port A1, execute a port-security command for port A1 that raises the address limit to 2 and specifies the additional device's MAC address. For example:
switch(config)# port-security a1 mac-address 0c0090-456456 address-limit 2
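The following Python model is an added example (not switch code and not from the HPE documentation) that reproduces the address-limit bookkeeping from the examples on this page and from "Removing a MAC Address from the Authorized list for a port": a static-mode port fills free slots with the first MAC addresses it sees, rejects a duplicate or over-limit address with "Inconsistent value", records one uncleared intrusion per port in a 20-entry log, and disables the port for the send-disable action. The removal_scenarios() function shows why the caution in that section tells you to lower the address-limit before removing an address. Class and function names, the return strings, and the constructed MAC addresses are assumptions of the example.

```python
from collections import deque

INTRUSION_LOG_SIZE = 20   # the page: the log holds up to 20 intrusion records


class PortSecurityError(Exception):
    """Raised where the switch CLI would print 'Inconsistent value'."""


class SecuredPort:
    """One port in static learn mode with an address-limit and an intrusion action."""

    def __init__(self, name, address_limit=1, action="send-disable"):
        self.name = name
        self.address_limit = address_limit
        self.authorized = []          # ordered Authorized Addresses list
        self.action = action          # "send-alarm" or "send-disable"
        self.intrusion_flag = False   # the switch shows one uncleared intrusion per port
        self.enabled = True

    def add_address(self, mac, address_limit=None):
        """Add a MAC; a single command may raise the limit and add the address together."""
        if address_limit is not None:
            self.address_limit = address_limit
        if mac in self.authorized or len(self.authorized) >= self.address_limit:
            raise PortSecurityError("Inconsistent value")
        self.authorized.append(mac)

    def remove_address(self, mac, reduce_limit=True):
        """Remove a MAC; reduce_limit=True closes the slot the removal opened."""
        self.authorized.remove(mac)
        if reduce_limit:
            self.address_limit -= 1

    def free_slots(self):
        return self.address_limit - len(self.authorized)


class Switch:
    def __init__(self):
        self.ports = {}
        self.intrusion_log = deque(maxlen=INTRUSION_LOG_SIZE)  # oldest dropped only when full

    def port(self, name, **kw):
        return self.ports.setdefault(name, SecuredPort(name, **kw))

    def frame_from(self, port_name, src_mac):
        """Return 'authorized', 'learned' or 'intrusion' for a frame seen on the port."""
        p = self.ports[port_name]
        if src_mac in p.authorized:
            return "authorized"
        if p.free_slots() > 0:        # static mode fills open slots with the first MACs seen
            p.authorized.append(src_mac)
            return "learned"
        if not p.intrusion_flag:      # further intrusions are not logged until the flag is cleared
            p.intrusion_flag = True
            self.intrusion_log.append((port_name, src_mac))
        if p.action == "send-disable":
            p.enabled = False
        return "intrusion"

    def clear_intrusion_flag(self, port_name):
        self.ports[port_name].intrusion_flag = False


def removal_scenarios():
    """Constructed scenario: port A1, limit 2, both slots used, then one MAC is removed.

    Returns {reduce_limit: outcome for an unknown MAC seen afterwards}.
    """
    outcomes = {}
    for reduce in (False, True):
        sw = Switch()
        a1 = sw.port("A1", address_limit=2)
        a1.add_address("0c0090-123456")
        a1.add_address("0c0090-456456")
        a1.remove_address("0c0090-123456", reduce_limit=reduce)
        outcomes[reduce] = sw.frame_from("A1", "0c0090-deadbe")
    return outcomes


if __name__ == "__main__":
    print(removal_scenarios())   # {False: 'learned', True: 'intrusion'}
```

Removing the address without lowering the limit leaves a free slot, and the next unknown MAC on the wire is silently accepted as authorized; lowering the limit first turns that same frame into an intrusion, which is the behaviour the caution describes.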
Checking for intrusions, listing intrusion alerts, and resetting alert flags (CLI)
The following commands display port status, including whether there are intrusion alerts for any ports, list the last 20 intrusions, and either reset the alert flag on all ports or for a specific port for which an intrusion was detected. The record of the intrusion remains in the log. For more information, see Operating notes for port security.
Syntax
port-security [e] <port-number> clear-intrusion-flag
Clears the intrusion flag on one or more specific ports.
Example
In the following example, executing show interfaces brief lists the switch port status, indicating an intrusion alert on port A1.
To see the details of the intrusion, enter the show port-security intrusion-log command. For example:
The above example shows three intrusions for port A1. Since the switch can show only one uncleared intrusion per port, the older two intrusions in this example have already been cleared by earlier use of the clear intrusion-log or the port-security <port-list> clear-intrusion-flag command. The intrusion log holds up to 20 intrusion records, and deletes intrusion records only when the log becomes full and new intrusions are subsequently added. The "prior to" text in the record for the third intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset.
To clear the intrusion from port A1 and enable the switch to enter any subsequent intrusion for port A1 in the Intrusion Log, execute the port-security clear-intrusion-flag command. If you then re-display the port status screen, you see that the Intrusion Alert entry for port A1 is changed to "No". (Executing show port-security intrusion-log again results in the same display as above, and does not include the Intrusion Alert status.)
switch(config)# port-security a1 clear-intrusion-flag
switch(config)# show interfaces brief
For more on clearing intrusions, see Keeping the intrusion log current by resetting alert flags.
Checking for intrusions, listing intrusion alerts, and resetting alert flags (Menu)
The menu interface indicates per-port intrusions in the Port Status screen, and provides details and the reset function in the Intrusion Log screen.
From the Main Menu select:
1. Status and Counters
4. Port Status
Type [I] (Intrusion log) to display the Intrusion Log.
This example shows two intrusions for port A3 and one intrusion for port A1. In this case, only the most recent intrusion at port A3 has not been acknowledged (reset). This is indicated by the following:
Because the Port Status screen Port status screen with intrusion alert on port A3 does not indicate an intrusion for port A1, the alert flag for the intrusion on port A1 has already been reset.
Since the switch can show only one uncleared intrusion per port, the alert flag for the older intrusion for port A3 in this example has also been previously reset.
The intrusion log holds up to 20 intrusion records and deletes an intrusion record only when the log becomes full and a new intrusion is subsequently detected.
NOTE: The "prior to " text in the record for the earliest intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred prior to the reset.
To acknowledge the most recent intrusion entry on port A3 and enable the switch to enter a subsequently detected intrusion on this port, type [R] (Reset alert flags).
Note that if there are unacknowledged intrusions on two or more ports, this step resets the alert flags for all such ports.
If you then re-display the port status screen, you see that the Intrusion Alert entry for port A3 is changed to "No". That is, your evidence that the Intrusion Alert flag has been acknowledged (reset) is that the Intrusion Alert column in the port status display no longer shows "Yes" for the port on which the intrusion occurred (port A3 in this example).
(Because the Intrusion Log provides a history of the last 20 intrusions detected by the switch, resetting the alert flags does not change its content. Thus, displaying the Intrusion Log again results in the same display as in The intrusion log display.)
Using the event log to find intrusion alerts (CLI)
The Event Log lists port security intrusions as:
W MM/DD/YY HH:MM:SS FFI: port A3 — Security Violation
where "W" is the severity level of the log entry and FFI is the system module that generated the entry. For further information, display the Intrusion Log, as shown below.
From the Manager or Configuration level:
Syntax
Example
For more Event Log information, see "Using the Event Log To Identify Problem Sources" in the management and configuration guide for your switch.
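As an added example (not switch code and not from the HPE documentation), the following Python parser pulls the Security Violation entries out of Event Log text in the format shown above and counts them per port, which is the minimum you would want before raising a ticket or a SIEM rule on a port that keeps tripping. The sample log lines are constructed; the severity letters other than W and the module names in the non-matching lines are placeholders, and the dash is accepted as either "-" or the typographic dash because extracted documentation shows both.

```python
import re
from collections import Counter
from datetime import datetime

# Event Log line shape from the page:
#   "<sev> MM/DD/YY HH:MM:SS <module>: port <port> - Security Violation"
_VIOLATION = re.compile(
    r"^(?P<sev>[A-Z])\s+(?P<date>\d{2}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<module>\w+):\s+port\s+(?P<port>\S+)\s+[-\u2014]\s+Security Violation\s*$"
)


def parse_violations(lines):
    """Return (timestamp, port, severity) for each port-security intrusion entry."""
    hits = []
    for line in lines:
        m = _VIOLATION.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S")
        hits.append((ts, m["port"], m["sev"]))
    return hits


def ports_over_threshold(lines, threshold=2):
    """Ports with more than `threshold` violations, sorted; the ones to look at first."""
    counts = Counter(port for _, port, _ in parse_violations(lines))
    return sorted(p for p, n in counts.items() if n > threshold)


SAMPLE_LOG = [  # constructed lines, not a real switch log
    "I 03/12/24 09:14:02 ports: port A1 is now on-line",
    "W 03/12/24 09:15:31 FFI: port A3 - Security Violation",
    "W 03/12/24 09:15:40 FFI: port A3 - Security Violation",
    "W 03/12/24 09:16:05 FFI: port A1 \u2014 Security Violation",
    "W 03/12/24 09:17:12 FFI: port A3 - Security Violation",
    "I 03/12/24 09:18:00 mgr: MANAGER session established",
]

if __name__ == "__main__":
    for ts, port, sev in parse_violations(SAMPLE_LOG):
        print(ts.isoformat(), port, sev)
    print("repeat offenders:", ports_over_threshold(SAMPLE_LOG))
```

Because the switch keeps only one uncleared intrusion per port until the flag is reset, the Event Log is the better source for counting repeat violations over time than the port status screen.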
Using the event log to find intrusion alerts (Menu)
In the Main Menu, select 4. Event Log and use Next page and Prev page to review the Event Log contents.
For more Event Log information, see "Using the Event Log To Identify Problem Sources" in the management and configuration guide for your switch.