No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

CLI-based Configuration Guide - Security

AR500, AR510, and AR530 V200R007

This document describes the configurations of Security, including AAA, DAA,NAC, BRAS Access, ACL, Firewall, Deep Security Defense, Local Attack Defense;Attack Defense, Traffic Suppression, ARP Security, Port Security, DHCP Snooping, IPSG, URPF, PKI, SSL, HTTPS, Keychain, separating the management plane from the service plane, security risks.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring the Sticky MAC Function

Configuring the Sticky MAC Function

Context

You can configure port security on networks demanding high access security. Port security enables the router to convert MAC addresses learned by an interface into secure MAC addresses and to stop learning new MAC addresses after the maximum number of learned MAC addresses is reached. In this case, the router can only communicate with devices with learned MAC addresses. This prevents devices with untrusted MAC addresses from communicating with the industrial switch router through this interface, improving security of the device and network.

The sticky MAC function usually applies to networks where terminal users seldom change.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. Run:

    port-security enable

    Port security is enabled.

    By default, port security is disabled on an interface.

  4. Run:

    port-security mac-address sticky

    The sticky MAC function is enabled on the interface.

    By default, the sticky MAC function is disabled on an interface.

  5. Run:

    port-security max-mac-num max-number

    The maximum number of sticky MAC addresses is set.

    By default, an interface enabled with the sticky MAC function can learn only one sticky MAC address.

    NOTE:
    • An interface can learn only one secure MAC address by default. If multiple PCs connect to the company network using one interface, run the port-security max-mac-num command to change the maximum number of secure MAC addresses.
    • If a PC connects to the router using an IP phone, set the maximum number of secure MAC addresses to 3 because the IP phone occupies two MAC address entries and the PC occupies one MAC address entry. The VLAN IDs in two MAC address entries used by the IP phone are different. The two VLANs are used to transmit voice and data packets respectively.

  6. (Optional) Run:

    port-security protect-action { protect | restrict | shutdown }

    A port security action is configured.

    By default, the restrict action is used.

  7. (Optional) Run:

    port-security mac-address sticky mac-address vlan vlan-id

    A sticky MAC address entry is configured.

    NOTE:
    • After the sticky MAC function is enabled on an interface, existing dynamic secure MAC address entries and MAC address entries learned subsequently on the interface turn into sticky MAC address entries.
    • After the sticky MAC function is enabled on an interface, sticky MAC address entries are not aged even if the port-security aging-time command is configured.
    • The saved sticky MAC address entries are not lost after a device restart.

Follow-up Procedure

  • Run the display mac-address sticky [ vlan vlan-id | interface-type interface-number ] command to check sticky MAC address entries.
  • If the switch receives packets with a nonexistent source MAC address after the number of secure MAC addresses reaches the limit, the switch considers that the packets are sent from an unauthorized user and takes the configured action on the interface. There are three actions: restrict, protect, and shutdown.
    Table 11-5  Port security actions

    Action

    Description

    restrict

    Discards packets with a nonexistent source MAC address and generates an alarm. This action is recommended.

    protect

    Only discards packets with a nonexistent source MAC address but does not generate an alarm.

    shutdown

    Sets the interface state to error-down and generates an alarm.

    By default, an interface cannot automatically restore to Up state after it is shut down. To restore the interface, run the undo shutdown command on the interface in sequence. Alternatively, run the restart command on the interface to restart the interface.

Translation
Download
Updated: 2019-05-25

Document ID: EDOC1000097287

Views: 14762

Downloads: 40

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next