user manual
28-14
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
Chapter 28 Configuring Port-Based Traffic Control
Configuring Port Security
Step 7
switchport port-security violation 
{protect | restrict | shutdown | 
shutdown vlan} 
(Optional) Set the violation mode, the action to be taken when a security 
violation is detected, as one of these: 
  • protect—When the number of port secure MAC addresses reaches the 
maximum limit allowed on the port, packets with unknown source 
addresses are dropped until you remove a sufficient number of secure 
MAC addresses to drop below the maximum value or increase the number 
of maximum allowable addresses. You are not notified that a security 
violation has occurred. 
Note We do not recommend configuring the protect mode on a trunk port. 
The protect mode disables learning when any VLAN reaches its 
maximum limit, even if the port has not reached its maximum limit.
  • restrict—When the number of secure MAC addresses reaches the limit 
allowed on the port, packets with unknown source addresses are dropped 
until you remove a sufficient number of secure MAC addresses or 
increase the number of maximum allowable addresses. An SNMP trap is 
sent, a syslog message is logged, and the violation counter increments. 
  • shutdown—The interface is error-disabled when a violation occurs, and 
the port LED turns off. An SNMP trap is sent, a syslog message is logged, 
and the violation counter increments. 
  • shutdown vlan—Use to set the security violation mode per VLAN. In 
this mode, the VLAN is error disabled instead of the entire port when a 
violation occurs.
Note When a secure port is in the error-disabled state, you can bring it out 
of this state by entering the errdisable recovery cause 
psecure-violation global configuration command. You can manually 
re-enable it by entering the shutdown and no shutdown in
terface 
configuration commands or by using the clear errdisable interface 
vlan privileged EXEC command.
Command Purpose










