CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the security configurations, including AAA, DAA, NAC, BRAS access, ACL, firewall, deep security defense, local attack defense, attack defense, traffic suppression, ARP security, port security, DHCP snooping, IPSG, URPF, PKI, SSL, HTTPS, keychain, separation of the management plane from the service plane, and security risks.

Example for Configuring Port Security

Networking Requirements

As shown in Figure 11-3, PC1, PC2, and PC3 connect to the company network through the router. To restrict access to known hosts, port security is enabled on each access interface of the router and the maximum number of secure MAC addresses an interface can learn is set to the number of users behind it. An interface then binds to the MAC addresses it first learns, so an external user who plugs a different PC into the same interface cannot access the company network.

Figure 11-3  Networking for configuring port security

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create a VLAN to implement Layer 2 forwarding.

  2. Configure port security with sticky MAC addresses so that the learned secure MAC address entries are not aged out.

Procedure

  1. Create a VLAN on the router and add interfaces to the VLAN.

    # Create a VLAN.

    <Huawei> system-view
    [Huawei] sysname Router
    [Router] vlan 10
    [Router-vlan10] quit
    

    # Add GE0/0/1 to VLAN 10. The configurations of GE0/0/2 and GE0/0/3 are the same as that of GE0/0/1 and are omitted here.

    [Router] interface gigabitethernet 0/0/1
    [Router-GigabitEthernet0/0/1] port link-type access
    [Router-GigabitEthernet0/0/1] port default vlan 10
    [Router-GigabitEthernet0/0/1] quit
    

  2. Configure port security on GE0/0/1.

    # Enable port security, enable the sticky MAC function, and set the maximum number of secure MAC addresses. The configurations of GE0/0/2 and GE0/0/3 are the same as that of GE0/0/1 and are omitted here.

    [Router] interface gigabitethernet 0/0/1
    [Router-GigabitEthernet0/0/1] port-security enable
    [Router-GigabitEthernet0/0/1] port-security mac-address sticky
    [Router-GigabitEthernet0/0/1] port-security max-mac-num 1
    NOTE:
    • An interface can learn only one secure MAC address by default, so the value 1 configured above is the default and does not appear in the configuration file. If multiple PCs connect to the company network through one interface, run the port-security max-mac-num command to raise the maximum number of secure MAC addresses to exactly the number of hosts; a larger value leaves a spare slot that an unknown host could occupy.
    • If a PC connects to the router through an IP phone, set the maximum number of secure MAC addresses to 3, because the IP phone occupies two MAC address entries and the PC occupies one. The two MAC address entries used by the IP phone have different VLAN IDs: one VLAN carries voice packets and the other carries data packets.

  3. Verify the configuration.

    After PC1, PC2, and PC3 have sent traffic and their MAC addresses have been learned as sticky secure MAC addresses, replacing any of them with another PC on the same interface fails: the new PC cannot access the company network because the interface has already reached its maximum number of secure MAC addresses.

Configuration Files

Router configuration file

#
 sysname Router
#
vlan batch 10
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
 port-security enable
 port-security mac-address sticky
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 10
 port-security enable
 port-security mac-address sticky
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 10
 port-security enable
 port-security mac-address sticky
#
return
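The configuration file above is the artifact an auditor actually gets to see, and the two things that matter in it are easy to miss by eye: whether sticky learning is present on every access interface, and whether the (default, therefore invisible) max-mac-num matches the number of hosts behind the port. The following script is an added example, not Huawei tooling and not part of this page's configuration. It parses the configuration file shown above, renders equivalent interface blocks for any number of ports (the page only writes out GE0/0/1 and says the others are identical), and flags the two weaknesses the page's notes warn about: a missing sticky command, and a max-mac-num that is larger or smaller than the expected host count. The interface names and VLAN ID come from the page; the weak variant, the host counts and all function names are constructed for the example.

```python
"""Audit port-security settings in a Huawei VRP configuration file.

Added example, not Huawei's own tooling. Parses the text configuration file
shown on this page and checks that every access interface has port security
enabled, sticky MAC learning on, and a max-mac-num equal to the number of
hosts expected behind it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Per the page's NOTE, an interface learns one secure MAC address unless
# port-security max-mac-num is set, so the command is absent from the
# configuration file when the value is 1.
DEFAULT_MAX_MAC = 1


@dataclass
class PortSecurity:
    name: str
    link_type: str | None = None
    vlan: int | None = None
    enabled: bool = False
    sticky: bool = False
    max_mac: int = DEFAULT_MAX_MAC


def render_port_config(name: str, vlan: int, max_mac: int = DEFAULT_MAX_MAC,
                       sticky: bool = True) -> str:
    """Emit one access-interface block in the same form as the page's config file."""
    lines = [f"interface {name}", " port link-type access",
             f" port default vlan {vlan}", " port-security enable"]
    if sticky:
        lines.append(" port-security mac-address sticky")
    if max_mac != DEFAULT_MAX_MAC:  # the default value is never written out
        lines.append(f" port-security max-mac-num {max_mac}")
    return "\n".join(lines) + "\n#\n"


def parse_interfaces(config: str) -> dict[str, PortSecurity]:
    """Walk the config line by line; a bare '#' closes the current section."""
    ports: dict[str, PortSecurity] = {}
    current: PortSecurity | None = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            current = None
            continue
        if m := re.fullmatch(r"interface (\S+)", line):
            current = PortSecurity(name=m.group(1))
            ports[current.name] = current
            continue
        if current is None:
            continue
        if line.startswith("port link-type "):
            current.link_type = line.split()[-1]
        elif line.startswith("port default vlan "):
            current.vlan = int(line.split()[-1])
        elif line == "port-security enable":
            current.enabled = True
        elif line == "port-security mac-address sticky":
            current.sticky = True
        elif m := re.fullmatch(r"port-security max-mac-num (\d+)", line):
            current.max_mac = int(m.group(1))
    return ports


def audit(config: str, expected_hosts: dict[str, int]) -> dict[str, list[str]]:
    """Return the findings for each access interface (an empty list means compliant)."""
    findings: dict[str, list[str]] = {}
    for name, p in parse_interfaces(config).items():
        if p.link_type != "access":
            continue  # trunk/hybrid uplinks are out of scope for this example
        issues: list[str] = []
        if not p.enabled:
            issues.append("port-security not enabled")
        elif not p.sticky:
            issues.append("sticky MAC not enabled: secure entries age out")
        want = expected_hosts.get(name, DEFAULT_MAX_MAC)
        if p.max_mac < want:
            issues.append(f"max-mac-num {p.max_mac} is below the {want} expected host(s): legitimate hosts are blocked")
        elif p.max_mac > want:
            issues.append(f"max-mac-num {p.max_mac} exceeds the {want} expected host(s): a spare slot admits an unknown MAC")
        findings[name] = issues
    return findings


HEADER = "#\n sysname Router\n#\nvlan batch 10\n#\n"
# Equivalent to the configuration file on this page (three identical access ports).
PAGE_CONFIG = HEADER + "".join(
    render_port_config(f"GigabitEthernet0/0/{i}", 10) for i in (1, 2, 3)) + "return\n"
# Constructed weak variant: GE0/0/2 leaves a spare MAC slot and GE0/0/3 lacks
# sticky learning, so its secure entry ages out and a replacement PC is accepted.
WEAK_CONFIG = (HEADER + render_port_config("GigabitEthernet0/0/1", 10)
               + render_port_config("GigabitEthernet0/0/2", 10, max_mac=3)
               + render_port_config("GigabitEthernet0/0/3", 10, sticky=False)
               + "return\n")

if __name__ == "__main__":
    hosts = {f"GigabitEthernet0/0/{i}": 1 for i in (1, 2, 3)}
    for label, cfg in (("page config", PAGE_CONFIG), ("weak config", WEAK_CONFIG)):
        for name, issues in audit(cfg, hosts).items():
            print(f"{label}: {name}: {'OK' if not issues else '; '.join(issues)}")
```

Run it against a saved `display current-configuration` output instead of `PAGE_CONFIG` to audit a real router; for a port with an IP phone and a PC behind it, pass 3 as the expected host count, matching the page's note.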
Updated: 2019-05-25

Document ID: EDOC1000097287

Views: 12959

Downloads: 38

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next