Checking for intrusions, listing intrusion alerts, and resetting alert flags (CLI)

The following commands display port status (including whether any port has an intrusion alert), list the last 20 intrusions, and reset the alert flag either on all ports or on a specific port on which an intrusion was detected. Resetting the flag does not delete the record of the intrusion from the log. For more information, see Operating notes for port security.

Syntax:

show interfaces brief
    List intrusion alert status (and other port status information).

show port-security intrusion-log
    List intrusion log content.

clear intrusion-flags
    Clear intrusion flags on all ports.

port-security <port-list> clear-intrusion-flag
    Clear the intrusion flag on one or more specific ports.

Example:

In the following example, executing show interfaces brief lists the switch port status, indicating an intrusion alert on port 1.

[Figure: An unacknowledged intrusion alert in a port status display]

To see the details of the intrusion, enter the show port-security intrusion-log command. For example:

[Figure: The intrusion log with multiple entries for the same port]

The above example shows three intrusions for port 1. Because the switch can show only one uncleared intrusion per port, the two older intrusions in this example have already been cleared by earlier use of the clear intrusion-flags or the port-security <port-list> clear-intrusion-flag command. The intrusion log holds up to 20 intrusion records and deletes records only when the log is full and new intrusions are subsequently added. The "prior to" text in the record for the third intrusion means that a switch reset occurred at the indicated time and that the intrusion occurred before the reset.

To clear the intrusion flag on port 1, so that the switch can enter any subsequent intrusion for port 1 in the intrusion log, execute the port-security clear-intrusion-flag command. If you then re-display the port status screen, the Intrusion Alert entry for port 1 has changed to "No". (Executing show port-security intrusion-log again produces the same display as above; the intrusion log does not include the Intrusion Alert status.)

switch(config)# port-security 1 clear-intrusion-flag
switch(config)# show interfaces brief

[Figure: Port status screen after alert flags reset]
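The following Python script is an added example (not part of the manual, and not vendor code) that automates the review half of the procedure above: it reads the output of show interfaces brief and show port-security intrusion-log as captured text, reports which ports carry an uncleared alert, correlates them with the log entries (including "prior to" records that predate a switch reset), warns when the 20-record log is at capacity, and prints the exact port-security <port> clear-intrusion-flag commands an operator would then issue. Both sample outputs are constructed for this example; their column layout is an assumption, so adjust the parsers if your switch firmware formats the tables differently.

```python
import re
from typing import Dict, List

# Constructed sample of `show interfaces brief` output. The column layout,
# with "Intrusion Alert" as the last column, is an assumption for this example.
SHOW_INTERFACES_BRIEF = """\
 Status and Counters - Port Status

  Port  Type      Enabled  Status  Intrusion Alert
  ----  --------  -------  ------  ---------------
  1     10/100TX  Yes      Up      Yes
  2     10/100TX  Yes      Down    No
  3     10/100TX  Yes      Up      No
"""

# Constructed sample of `show port-security intrusion-log` output. The third
# record uses the "prior to <time>" form the manual describes for an intrusion
# that happened before a switch reset at the indicated time.
INTRUSION_LOG = """\
 Status and Counters - Intrusion Log

  Port  MAC Address    Date / Time
  ----  -------------  -----------------------------
  1     080009-e93d4f  03/07/19 21:09:34
  1     080009-e93d4f  03/07/19 21:08:52
  1     080009-e93d4f  prior to 03/07/19 20:55:10
"""

LOG_CAPACITY = 20  # the manual states the log holds up to 20 records

# One log record: port, MAC (assumed xxxxxx-xxxxxx form), optional "prior to", timestamp.
LOG_LINE = re.compile(
    r"^\s*(?P<port>\S+)\s+(?P<mac>[0-9a-fA-F]{6}-[0-9a-fA-F]{6})\s+"
    r"(?P<prior>prior to\s+)?(?P<time>\d{2}/\d{2}/\d{2}\s+\d{2}:\d{2}:\d{2})\s*$"
)


def ports_with_intrusion_alert(output: str) -> List[str]:
    """Return the ports whose Intrusion Alert column reads 'Yes'."""
    ports: List[str] = []
    in_table = False
    for line in output.splitlines():
        if not in_table:
            # Data rows begin after the dashed separator line.
            in_table = line.strip().startswith("----")
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[-1].lower() == "yes":
            ports.append(fields[0])
    return ports


def parse_intrusion_log(output: str) -> List[Dict[str, object]]:
    """Parse log records; 'before_reset' marks records carrying 'prior to'."""
    entries: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = LOG_LINE.match(line)
        if m:
            entries.append({
                "port": m.group("port"),
                "mac": m.group("mac"),
                "time": m.group("time"),
                "before_reset": m.group("prior") is not None,
            })
    return entries


def log_is_full(entries: List[Dict[str, object]]) -> bool:
    """True when the log is at capacity, so new intrusions will overwrite old records."""
    return len(entries) >= LOG_CAPACITY


def clear_commands(ports: List[str]) -> List[str]:
    """Build the per-port clear-intrusion-flag commands from the manual's syntax."""
    return [f"port-security {port} clear-intrusion-flag" for port in ports]


def review(brief_output: str, log_output: str) -> List[str]:
    """Print a review summary and return the commands needed to reset the flags."""
    alerting = ports_with_intrusion_alert(brief_output)
    entries = parse_intrusion_log(log_output)
    for port in alerting:
        records = [e for e in entries if e["port"] == port]
        print(f"port {port}: intrusion alert set, {len(records)} log record(s)")
        for e in records:
            when = ("before reset at " if e["before_reset"] else "at ") + str(e["time"])
            print(f"  {e['mac']} {when}")
    if log_is_full(entries):
        print("warning: intrusion log is full; export it before new intrusions overwrite records")
    return clear_commands(alerting)


if __name__ == "__main__":
    for cmd in review(SHOW_INTERFACES_BRIEF, INTRUSION_LOG):
        print("to clear:", cmd)
```

The script deliberately only prints the clear commands rather than sending them: the flag reset acknowledges the alert, so an operator should review the log records first, and copy the log off the switch when it is near the 20-record limit, since the switch discards old records once the log fills.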

For more on clearing intrusions, see Keeping the intrusion log current by resetting alert flags.