Command Reference

CloudEngine 8800, 7800, 6800, and 5800 V200R002C50

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Port Security Configuration Commands

display mac-address security

Function

The display mac-address security command displays secure dynamic MAC address entries.

Format

display mac-address security [ vlan vlan-id | interface interface-type interface-number ] *

Parameters

Parameter

Description

Value

vlan vlan-id

Displays secure dynamic MAC address entries in a specified VLAN.

The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command.

interface interface-type interface-number

Displays secure dynamic MAC address entries with a specified outbound interface.
  • interface-type specifies the type of the outbound interface.
  • interface-number specifies the number of the outbound interface.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After port security is enabled on an interface by using the port-security enable command, MAC address entries learned by the interface are stored in the MAC address table as secure dynamic MAC address entries. The learned secure dynamic MAC address entries are deleted after the device restarts.

After configuring the port security function, you can run the display mac-address security command to check whether the learned secure dynamic MAC address entries are correct.

Follow-up Procedure

If the displayed secure dynamic MAC address entries are invalid, run the undo mac-address security command to delete secure dynamic MAC address entries.

Precautions

If you run the display mac-address security command without parameters, all secure dynamic MAC address entries are displayed.

If the MAC address table does not contain any secure dynamic MAC address entry, no information is displayed.

When the device has a large number of secure dynamic MAC address entries, it is recommended that you specify parameters in the command to filter the output information. Otherwise, the following problems may occur due to excessive output information:
  • The displayed information is repeatedly refreshed, so you cannot find the required information.
  • The system traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all secure dynamic MAC address entries.

<HUAWEI> display mac-address security
Flags: * - Backup  
       # - forwarding logical interface, operations cannot be performed based 
           on the interface.
BD   : bridge-domain   Age : dynamic MAC learned time in seconds
-------------------------------------------------------------------------------                                                     
MAC Address    VLAN/VSI/BD   Learned-From        Type                Age                                                            
-------------------------------------------------------------------------------                                                     
0022-0022-0033 100/-/-       10GE1/0/1           security            -       
-------------------------------------------------------------------------------                                                     
Total items: 1 
Table 16-84  Description of the display mac-address security command output

Item

Description

Backup

Backup flag: an asterisk (*) marks a backup entry.

MAC Address

Destination MAC address in a secure dynamic MAC address entry.

VLAN/VSI/BD

  • VLAN: ID of a VLAN to which an interface belongs
  • VSI: ID of a VSI associated with an interface
  • BD: ID of a bridge domain to which an interface belongs
NOTE:

Information including the BD is displayed only on the VXLAN-capable device.

Learned-From

Interface that learns a MAC address.

Type

Type of a MAC address entry.

Age

Dynamic MAC learned time in seconds.

display mac-address sticky

Function

The display mac-address sticky command displays sticky MAC address entries.

Format

display mac-address sticky [ vlan vlan-id | interface interface-type interface-number ] *

Parameters

Parameter

Description

Value

vlan vlan-id

Displays sticky MAC address entries in a specified VLAN.

The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command.

interface interface-type interface-number

Displays sticky MAC address entries with a specified outbound interface.
  • interface-type specifies the type of the outbound interface.
  • interface-number specifies the number of the outbound interface.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the switch stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

After port security is enabled on an interface by using the port-security enable command, MAC address entries learned by the interface are stored in the MAC address table as secure dynamic MAC address entries. The learned secure dynamic MAC address entries are deleted after the switch restarts. If the sticky MAC function is also enabled on the interface by using the port-security mac-address sticky command, secure dynamic MAC address entries change to sticky MAC address entries. Sticky MAC address entries are not deleted after the switch restarts.

To check the sticky MAC configuration or the learned sticky MAC address entries, run the display mac-address sticky command.

Follow-up Procedure

If the displayed sticky MAC address entries are invalid, run the undo mac-address sticky command to delete sticky MAC address entries.

Precautions

If you run the display mac-address sticky command without parameters, all sticky MAC address entries are displayed.

If the MAC address table does not contain any sticky MAC address, no information is displayed.

When the switch has a large number of sticky MAC address entries, it is recommended that you specify parameters in the command to filter the output information. Otherwise, the following problems may occur due to excessive output information:
  • The displayed information is repeatedly refreshed, so you cannot find the required information.
  • The system traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all sticky MAC address entries.

<HUAWEI> display mac-address sticky
Flags: * - Backup  
       # - forwarding logical interface, operations cannot be performed based 
           on the interface.
BD   : bridge-domain   Age : dynamic MAC learned time in seconds
-------------------------------------------------------------------------------                                                     
MAC Address    VLAN/VSI/BD   Learned-From        Type                Age                                                            
-------------------------------------------------------------------------------                                                     
0000-0000-0001 5/-/-         10GE1/0/1           sticky              -                                          
-------------------------------------------------------------------------------                                                     
Total items: 1
Table 16-85  Description of the display mac-address sticky command output

Item

Description

Backup

Backup flag: an asterisk (*) marks a backup entry.

MAC Address

MAC address in a sticky MAC address entry.

VLAN/VSI/BD

  • VLAN: ID of a VLAN to which an interface belongs
  • VSI: ID of a VSI associated with an interface
  • BD: ID of a bridge domain to which an interface belongs
NOTE:

Information including the BD is displayed only on the VXLAN-capable device.

Learned-From

Interface that learns a MAC address.

Type

Type of a MAC address entry.

Age

Dynamic MAC learned time in seconds.

display port-security

Function

The display port-security command displays security information of interfaces.

Format

display port-security [ interface interface-type interface-number ]

Parameters

Parameter

Description

Value

interface interface-type interface-number

Displays security information of a specific interface.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After interface security is configured on a device, run the display port-security command to check the security information of interfaces. The command output helps you verify that interface security is configured correctly, so that authorized users can communicate.

Example

# Display security information of all interfaces.

<HUAWEI> display port-security
--------------------------------------------------------------------------------
SecurePort           MaxSecureAddr CurrentAddr SecurityViolation ProtectAction
                           (count)     (count)           (count)
--------------------------------------------------------------------------------
Eth-Trunk11                      1           0                 0 Restrict         
Eth-Trunk12                      1           0                 0 Restrict         
Eth-Trunk13                      1           0                 0 Restrict         
Eth-Trunk14                      1           0                 0 Restrict         
Eth-Trunk15                      1           0                 0 Restrict                  
--------------------------------------------------------------------------------
Total Secured MAC Addresses in System: 0

# Display security information of a specified interface.

<HUAWEI> display port-security interface eth-trunk 1
Port Security              : Enabled
Port Status                : Secure-up
Protect Action             : Restrict
Aging Time(minutes)        : -
Aging Type                 : -
Maximum MAC Addresses      : 100
Total MAC Addresses        : 0
Configured MAC Addresses   : 2
Sticky MAC Addresses       : 0
Last Source MAC Address    : 0000-0000-0000
Last Source VLAN ID        : -
Security Violation Count   : 0
Table 16-86  Description of the display port-security command output

Item

Description

SecurePort

Interfaces that have the interface security function enabled

MaxSecureAddr (count)/Maximum MAC Addresses

Maximum number of secure dynamic MAC addresses that can be learned on an interface

CurrentAddr (count)

Number of secure dynamic MAC addresses that are learned on an interface

SecurityViolation (count)/Security Violation Count

Number of times an interface learns the maximum number of secure dynamic MAC addresses

ProtectAction/Protect Action

Security protection action taken by an interface:
  • Protect: When the number of MAC addresses learned on an interface reaches the maximum, the interface discards the packets whose source MAC addresses are not in the MAC table.
  • Restrict: When the number of MAC addresses learned on an interface reaches the maximum, the interface discards the packets whose source MAC addresses are not in the MAC table and reports an alarm.
  • Error-down: When the number of MAC addresses learned on an interface reaches the maximum, the interface becomes Error-Down and reports an alarm.

Total Secured MAC Addresses in System

Total number of secure dynamic MAC addresses and sticky MAC addresses on all interfaces

Port Security

Whether interface security is enabled on the interface:
  • Enabled
  • Disabled

Port Status

Interface status:
  • Secure-up
  • Secure-down

Aging Time(minutes)

Aging time (in minutes) of the secure dynamic MAC addresses learned on the interface

Aging Type

Aging type of the secure dynamic MAC addresses learned on the interface:
  • Absolute: absolute time aging. Specifically, after an aging time is configured for secure dynamic MAC addresses on an interface, the system detects whether there is traffic carrying these MAC addresses at an interval of the set aging time. If no such traffic exists, the system immediately ages these MAC addresses.
  • Inactivity: relative time aging. Specifically, after an aging time is configured for secure dynamic MAC addresses on an interface, the system detects whether there is traffic carrying these MAC addresses every 1 minute. If no such traffic exists, the system ages these MAC addresses after the time specified by Aging Time(minutes) elapses.
  • -: Secure dynamic MAC addresses are not configured.

Total MAC Addresses

Total number of secure dynamic MAC addresses that are learned on the interface

Configured MAC Addresses

Number of sticky MAC addresses configured on the interface

Sticky MAC Addresses

Number of sticky MAC addresses converted from learned MAC addresses on the interface

Last Source MAC Address

Secure dynamic MAC address that was last learned on the interface

Last Source VLAN ID

VLAN to which the secure dynamic MAC address that was last learned on the interface belongs
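The summary table printed by display port-security is the data a monitoring job would poll to spot interfaces that have already hit their limit or recorded violations. The following Python script is an added example (not Huawei code): it parses output in the column layout shown above and reports the rows a defender would review. The sample output embedded in it is constructed, and the near-limit ratio of 0.9 is an arbitrary threshold chosen for the example.

```python
"""Parse the summary table printed by 'display port-security' and flag
interfaces worth a closer look. Added example, not Huawei code; the
sample output below is constructed in the column layout shown on this page."""
import re
from dataclasses import dataclass

# Constructed sample output, following the page's column layout.
SAMPLE_OUTPUT = """\
--------------------------------------------------------------------------------
SecurePort           MaxSecureAddr CurrentAddr SecurityViolation ProtectAction
                           (count)     (count)           (count)
--------------------------------------------------------------------------------
Eth-Trunk11                      1           0                 0 Restrict
10GE1/0/1                        5           5                 3 Restrict
10GE1/0/2                        1           1                 0 Error-down
10GE1/0/3                      100          98                 0 Protect
--------------------------------------------------------------------------------
Total Secured MAC Addresses in System: 104
"""

# A data row: interface name, three integer counters, then the action name.
# Header, "(count)" line, separators and the total line do not match this.
ROW_RE = re.compile(
    r"^(?P<port>\S+)\s+(?P<max>\d+)\s+(?P<cur>\d+)\s+(?P<viol>\d+)\s+(?P<action>\S+)\s*$"
)


@dataclass
class SecurePortRow:
    port: str
    max_addr: int
    current_addr: int
    violations: int
    protect_action: str


def parse_port_security(text):
    """Return one SecurePortRow per data row of the summary table."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(SecurePortRow(m["port"], int(m["max"]), int(m["cur"]),
                                      int(m["viol"]), m["action"]))
    return rows


def parse_total(text):
    """Return the system-wide secured MAC address total, or None if absent."""
    m = re.search(r"Total Secured MAC Addresses in System:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def review(rows, near_full_ratio=0.9):
    """Findings worth a look: any recorded violation, and interfaces at or
    near their learning limit (the next unknown source MAC triggers the
    configured protection action). The 0.9 ratio is an example threshold."""
    findings = []
    for r in rows:
        if r.violations > 0:
            findings.append((r.port, f"{r.violations} violation(s), action {r.protect_action}"))
        if r.max_addr and r.current_addr >= r.max_addr:
            findings.append((r.port, "at maximum; new source MACs will be dropped"))
        elif r.max_addr and r.current_addr / r.max_addr >= near_full_ratio:
            findings.append((r.port, f"{r.current_addr}/{r.max_addr} learned (near limit)"))
    return findings


if __name__ == "__main__":
    parsed = parse_port_security(SAMPLE_OUTPUT)
    print(f"secured MACs in system: {parse_total(SAMPLE_OUTPUT)}")
    for port, msg in review(parsed):
        print(f"{port}: {msg}")
```

Feed it the captured output of display port-security instead of SAMPLE_OUTPUT to run it against a real device; the per-interface form of the command (display port-security interface ...) uses a key: value layout and is not handled by this parser.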

port-security aging-time

Function

The port-security aging-time command sets the aging time of secure dynamic MAC addresses on an interface.

The undo port-security aging-time command restores the default configuration.

By default, secure dynamic MAC addresses will not be aged out.

Format

port-security aging-time time [ type { absolute | inactivity } ]

undo port-security aging-time

Parameters

Parameter

Description

Value

time

Specifies the aging time of secure dynamic MAC addresses.

The value is an integer that ranges from 1 to 1440, in minutes.

type

Specifies the type of the aging time.

The default type is absolute, indicating the absolute aging time.

absolute

Indicates the absolute aging time. After the absolute aging time is set to time minutes, the system checks every time minutes whether traffic has been received from each secure dynamic MAC address. If no traffic has been received from a secure dynamic MAC address, this MAC address is aged out immediately.

-

inactivity

Indicates the relative aging time. After the relative aging time is set to time minutes, the system checks traffic from each secure dynamic MAC address every 1 minute. If no traffic is received from a secure dynamic MAC address, this MAC address is aged out after time minutes.

-

Views

GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After you run the port-security enable command to enable port security on an interface, MAC address entries learned by the interface are saved in the MAC address table as secure dynamic MAC addresses. The learned secure dynamic MAC addresses will not be aged by default. When the number of learned MAC addresses reaches the limit, the interface cannot learn new MAC addresses.

If MAC addresses learned by an interface can be trusted only for a certain period, run the port-security aging-time command to set the aging time of secure dynamic MAC addresses on the interface. Then secure dynamic MAC addresses can be aged out and the interface can learn new MAC addresses.

Prerequisites

Port security is enabled on the interface.

Precautions

If you run the port-security aging-time command multiple times in the same interface view, only the latest configuration takes effect.

Example

# Set the aging time of secure dynamic MAC addresses on 10GE1/0/1 to 30 minutes.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] port-security enable
[*HUAWEI-10GE1/0/1] port-security aging-time 30
port-security enable

Function

The port-security enable command enables the port security function on an interface.

The undo port-security enable command disables the port security function on an interface.

By default, port security is disabled on an interface.

Format

port-security enable

undo port-security enable

Parameters

None

Views

GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After port security is enabled on an interface, MAC address entries learned by the interface are stored in the MAC address table as secure dynamic MAC address entries. By default, secure dynamic MAC addresses will not be aged out. After the device restarts, secure dynamic MAC address entries are lost and need to be relearned.

Port security has the following functions:

  • Prevent unauthorized guests from using their computers to connect to an enterprise network.
  • Prevent employees of a company from moving their computers without permission.

Precautions

The protection action, maximum number of learned secure MAC address entries, and sticky MAC function can be configured only after port security is enabled.

The port-security enable and mac-address limit maximum commands cannot be used on the same interface.

The MUX VLAN and port security functions conflict on an interface. That is, the port mux-vlan enable and port-security enable commands cannot be used on the same interface.

The port-security enable and dhcp snooping sticky-mac commands cannot be used on the same interface.

If port security is enabled after MAC address learning is disabled using the mac-address learning disable command, the port security function does not take effect. If port security is enabled before MAC address learning is disabled on an interface, the device no longer learns MAC addresses on the interface, but secure MAC addresses that have been learned are reserved.

Example

# Enable port security on 10GE1/0/2.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/2
[~HUAWEI-10GE1/0/2] port-security enable

port-security mac-address sticky

Function

The port-security mac-address sticky command enables the sticky MAC function on an interface.

The undo port-security mac-address sticky command disables the sticky MAC function on an interface.

By default, the sticky MAC function is disabled on an interface.

Format

port-security mac-address sticky [ mac-address vlan vlan-id ]

undo port-security mac-address sticky [ mac-address vlan vlan-id ]

Parameters

Parameter

Description

Value

mac-address

Specifies the MAC address in a sticky MAC address entry.

NOTE:

This parameter is not supported in the port group view.

The value is in H-H-H format. H is a hexadecimal number of 1 to 4 digits. The MAC address cannot be a broadcast MAC address (FFFF-FFFF-FFFF) or a multicast MAC address (the eighth bit is 1).

vlan vlan-id

Specifies the ID of a VLAN.

NOTE:

This parameter is not supported in the port group view.

The value is an integer that ranges from 1 to 4094, except reserved VLAN IDs, which can be configured using the vlan reserved command.

Views

GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After port security is enabled on an interface, MAC address entries learned by the interface are stored in the MAC address table as secure dynamic MAC address entries.

After the sticky MAC function is enabled on an interface, the dynamic MAC addresses learned by the interface change to sticky MAC addresses. If the number of sticky MAC addresses does not reach the limit, the MAC addresses learned subsequently change to sticky MAC addresses. When the number of sticky MAC addresses reaches the limit, packets whose source MAC addresses do not match sticky MAC address entries are discarded. In addition, the system determines whether to send a trap message or shut down the interface according to the configured security protection action.

After enabling the sticky MAC function on an interface, you can run the port-security mac-address sticky mac-address vlan vlan-id command to manually configure a sticky MAC address entry.

The sticky MAC function has the following functions:

  • Prevent non-employees from using their own computers to access the company intranet without the permission of the network administrator.

  • Prevent employees from moving network devices or computers of the company without the permission of the network administrator.

Prerequisites

Port security has been enabled by using the port-security enable command on the interface.

Precautions

If you run the port-security mac-address sticky [ mac-address vlan vlan-id ] command multiple times, multiple sticky MAC address entries are configured.

Example

# Enable the sticky MAC function on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] port-security enable
[*HUAWEI-10GE1/0/1] port-security mac-address sticky

port-security maximum

Function

The port-security maximum command sets the maximum number of secure MAC addresses that can be learned on an interface.

The undo port-security maximum command restores the default maximum number of secure MAC addresses that can be learned on an interface.

By default, only one MAC address can be learned on an interface.

Format

port-security maximum max-number

undo port-security maximum

Parameters

Parameter

Description

Value

max-number

Specifies the maximum number of secure MAC addresses that can be learned by an interface.

The value is an integer that ranges from 1 to 4096.

Views

GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After enabling port security on an interface, you can run the port-security maximum command to limit the number of MAC addresses that the interface can learn.

Prerequisites

Port security has been enabled by using the port-security enable command on the interface.

Precautions

If the sticky MAC function is disabled, max-number limits the total number of secure dynamic MAC addresses learned by the interface and secure static MAC addresses configured manually.

If the sticky MAC function is enabled, max-number limits the total number of sticky MAC addresses learned by the interface, sticky MAC addresses configured manually, and secure static MAC addresses configured manually.

If you run the port-security maximum command multiple times in the same interface view, only the latest configuration takes effect.

NOTE:
This command is valid for new online users and invalid for existing online users.

Example

# Set the maximum number of MAC addresses that can be learned by 10GE1/0/1 to 5.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] port-security enable
[*HUAWEI-10GE1/0/1] port-security maximum 5

port-security protect-action

Function

The port-security protect-action command configures a protection action for the system to perform when the number of learned MAC addresses reaches the limit.

The undo port-security protect-action command restores the default protection action.

The default action is restrict.

Format

port-security protect-action { protect | restrict | error-down }

undo port-security protect-action

Parameters

Parameter

Description

Value

protect

Discards packets with new source MAC addresses when the number of learned MAC addresses reaches the limit.

-

restrict

Discards packets with new source MAC addresses and sends a trap message when the number of learned MAC addresses reaches the limit.

-

error-down

Sets the interface status to error down and sends a trap message when the number of learned MAC addresses reaches the limit.

-

Views

GE interface view, 10GE interface view, 25GE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After enabling port security, you can run the port-security protect-action command to configure the action performed on the interface when the number of learned MAC addresses reaches the limit.

Prerequisites

Port security has been enabled by using the port-security enable command on the interface.

Precautions

When the protection action is set to error-down and the number of secure MAC addresses on the interface reaches the limit, the interface enters the Error-Down state. The device records the status of an interface as Error-Down when it detects that a fault occurs. The interface in Error-Down state cannot receive or send packets and the interface indicator is off. You can run the display error-down recovery command to check information about all interfaces in Error-Down state on the device.

When the interface is in Error-Down state, check the cause. You can use the following modes to restore the interface status:
  • Manual (after the interface enters the Error-Down state)

    When there are few interfaces in Error-Down state, you can run the shutdown and undo shutdown commands in the interface view or run the restart command to restore the interface.

  • Auto (before the interface enters the Error-Down state)

    If there are many interfaces in Error-Down state, the manual mode involves a heavy workload and the configuration of some interfaces may be missed. To prevent this problem, run the error-down auto-recovery cause portsec-reachedlimit interval interval-value command in the system view to enable an interface in error-down state to go Up automatically and set a recovery delay. You can run the display error-down recovery command to view automatic recovery information about the interface.

    NOTE:

    This mode is invalid for the interface that has entered the Error-Down state, and is only valid for the interface that enters the Error-Down state after the error-down auto-recovery cause portsec-reachedlimit interval interval-value command is used.

If you run the port-security protect-action command multiple times in the same interface view, only the latest configuration takes effect.

Example

# Set the protection action on 10GE1/0/1 to protect.

<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] port-security enable
[*HUAWEI-10GE1/0/1] port-security protect-action protect
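The port-security maximum, port-security mac-address sticky and port-security protect-action sections above describe one mechanism from three sides: a learning limit, what happens to a frame from an unknown source MAC once the limit is reached (protect, restrict or error-down), and which entries survive a restart (sticky ones do, secure dynamic ones do not). The following Python model is an added example, not device code, that ties these rules together so the three actions can be compared on the same frame sequence. Entries are keyed by MAC address and VLAN, as the sticky entry syntax on this page is; traps and the Error-Down state are modelled as recorded events, the manually configured secure static entries mentioned under port-security maximum are left out, and restart() follows the page's statement that a restart restores an Error-Down interface.

```python
"""Model of a port-security interface: learning limit (port-security maximum),
protection action (port-security protect-action) and sticky MAC conversion
(port-security mac-address sticky). Added example, not device code."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                  # page default: one address
    protect_action: str = "restrict"  # page default action
    sticky: bool = False
    # (mac, vlan) -> "security" (secure dynamic) or "sticky"
    secure_macs: dict = field(default_factory=dict)
    status: str = "secure-up"
    violations: int = 0               # SecurityViolation (count)
    traps: list = field(default_factory=list)

    def receive(self, src_mac, vlan):
        """Process one frame. Returns 'forward', 'drop' or 'error-down'."""
        if self.status == "error-down":
            return "error-down"       # an Error-Down interface passes nothing
        key = (src_mac, vlan)
        if key in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            # Below the limit: learn the address as a secure entry.
            self.secure_macs[key] = "sticky" if self.sticky else "security"
            return "forward"
        # Limit reached and the source MAC is unknown: apply the action.
        self.violations += 1
        if self.protect_action == "protect":
            return "drop"
        if self.protect_action == "restrict":
            self.traps.append(f"{self.name}: violation from {src_mac} in VLAN {vlan}")
            return "drop"
        if self.protect_action == "error-down":
            self.traps.append(f"{self.name}: entered Error-Down")
            self.status = "error-down"
            return "error-down"
        raise ValueError(f"unknown protect action: {self.protect_action}")

    def enable_sticky(self):
        """port-security mac-address sticky: learned secure dynamic entries
        become sticky, and entries learned from now on are sticky."""
        self.sticky = True
        for key in self.secure_macs:
            self.secure_macs[key] = "sticky"

    def restart(self):
        """Device restart: secure dynamic entries are lost, sticky entries are
        kept. The page lists restart as one way to restore an Error-Down
        interface, so the status is reset as well."""
        self.secure_macs = {k: v for k, v in self.secure_macs.items() if v == "sticky"}
        self.status = "secure-up"


def demo():
    """Constructed walk-through on an interface limited to two addresses."""
    p = SecurePort("10GE1/0/1", maximum=2, protect_action="restrict")
    results = [p.receive("0000-0000-0001", 10),
               p.receive("0000-0000-0002", 10),
               p.receive("0000-0000-0003", 10)]   # third MAC: dropped, trap sent
    p.enable_sticky()                            # both learned entries become sticky
    p.restart()                                  # and therefore survive the restart
    return results, p.violations, len(p.traps), sorted(p.secure_macs)


if __name__ == "__main__":
    results, violations, traps, macs = demo()
    print(results, violations, traps, macs)
```

Running demo() shows the restrict behaviour end to end: two addresses are learned, the third frame is dropped with a trap, the violation counter reaches 1, and after the sticky conversion both entries are still present after the restart. Switching protect_action to error-down turns the same third frame into an interface outage for every host on the port, which is why the page recommends configuring error-down auto-recovery when that action is used widely.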

undo mac-address { security | sticky }

Function

The undo mac-address { security | sticky } command deletes secure MAC address entries. Secure MAC address entries include dynamic secure MAC address entries and sticky MAC address entries.

Format

undo mac-address { security | sticky } [ interface-type interface-number | vlan vlan-id ] *

Parameters

Parameter

Description

Value

interface-type interface-number

Specifies the outbound interface in a secure MAC address entry to be deleted.

-

vlan vlan-id

Specifies the VLAN ID in a secure MAC address entry to be deleted.

The value is an integer that ranges from 1 to 4094. The VLAN cannot be the reserved VLAN configured by the vlan reserved command.

security

Deletes dynamic secure MAC address entries, that is, MAC address entries learned by an interface enabled with port security.

-

sticky

Deletes sticky MAC address entries, that is, MAC address entries learned by an interface enabled with the sticky MAC function.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After port security is enabled on an interface, dynamic MAC address entries learned by the interface turn into secure MAC address entries. Secure MAC address entries are not aged out. After the number of MAC address entries learned by an interface reaches the limit, the interface cannot learn new MAC address entries. Packets matching no MAC address entry are broadcast, wasting bandwidth resources. This command deletes useless secure MAC address entries to release MAC address table space.

You can delete only some secure MAC address entries as required. For example:
  • If you do not specify interface-type interface-number, the command deletes MAC address entries of the specified type on all interfaces.
  • If you do not specify vlan vlan-id, the command deletes MAC address entries of the specified type in all VLANs.

Example

# Delete all dynamic secure MAC address entries on 10GE1/0/1.

<HUAWEI> system-view
[~HUAWEI] undo mac-address security 10ge 1/0/1

# Delete all sticky MAC address entries.

<HUAWEI> system-view
[~HUAWEI] undo mac-address sticky
Updated: 2019-03-21

Document ID: EDOC1000166501