Command Reference

S1720, S2700, S5700, and S6720 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.

Port Security Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

display mac-address sec-config

Function

The display mac-address sec-config command displays secure static MAC address entries.

Format

display mac-address sec-config [ vlan vlan-id | interface-type interface-number ] * [ verbose ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| vlan vlan-id | Displays the secure static MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| interface-type interface-number | Displays the secure static MAC address entries on a specified interface. | - |
| verbose | Displays detailed information about secure static MAC address entries. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After secure static MAC address entries are configured by the command port-security mac-address, you can run the display mac-address sec-config command to check these entries.

Example

# Display all secure static MAC address entries.

<HUAWEI> display mac-address sec-config
------------------------------------------------------------------------------- 
MAC Address    VLAN/VSI/BD                       Learned-From        Type
-------------------------------------------------------------------------------
0022-0022-0033 100/-/-                           GE0/0/1             sec-config 

-------------------------------------------------------------------------------
Total items displayed = 1 
Table 14-49  Description of the display mac-address sec-config command output

| Item | Description |
|---|---|
| MAC Address | Destination MAC address in a secure static MAC address entry. |
| VLAN/VSI/BD | ID of the VLAN, name of the VSI, or the ID of the BD that a MAC address belongs to. |
| Learned-From | Interface that learns a MAC address. |
| Type | Type of a MAC address entry. The value is sec-config, which indicates a secure static MAC address. |

display mac-address security

Function

The display mac-address security command displays secure dynamic MAC address entries.

Format

display mac-address security [ vlan vlan-id | interface-type interface-number ] * [ verbose ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| vlan vlan-id | Displays secure dynamic MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| interface-type interface-number | Displays secure dynamic MAC address entries with a specified outbound interface. interface-type specifies the type of the outbound interface. interface-number specifies the number of the outbound interface. | - |
| verbose | Displays detailed information about secure dynamic MAC address entries. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

After port security is enabled on an interface by using the port-security enable command, MAC address entries learned by the interface are stored in the MAC address table as secure dynamic MAC address entries. The learned secure dynamic MAC address entries are deleted after the device restarts.

After configuring the port security function, you can run the display mac-address security command to check whether the learned secure dynamic MAC address entries are correct.

Follow-up Procedure

If the displayed secure dynamic MAC address entries are invalid, run the undo mac-address security command to delete secure dynamic MAC address entries.

Precautions

If you run the display mac-address security command without parameters, all secure dynamic MAC address entries are displayed.

If the MAC address table does not contain any secure dynamic MAC address entry, no information is displayed.

When the device has a large number of secure dynamic MAC address entries, it is recommended that you specify parameters in the command to filter the output information. Otherwise, the following problems may occur due to excessive output information:
  • The displayed information is repeatedly refreshed, so you cannot find the required information.
  • The system traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all secure dynamic MAC address entries.

<HUAWEI> display mac-address security
------------------------------------------------------------------------------- 
MAC Address    VLAN/VSI/BD                       Learned-From        Type       
-------------------------------------------------------------------------------
0022-0022-0033 100/-/-                           GE0/0/1             security 
0000-0000-0001 200/-/-                           GE0/0/2             security 

-------------------------------------------------------------------------------
Total items displayed = 2 

# Display detailed information about all secure dynamic MAC address entries in VLAN 10.

<HUAWEI> display mac-address security vlan 10 verbose
------------------------------------------------------------------------------- 
MAC Address : 0000-0000-0001            VLAN : 10                            
Learned-From: GE0/0/1                 Type : security                        
Aging-Time  : 200s 
                                                                               
------------------------------------------------------------------------------- 
Total items displayed = 1
Table 14-50  Description of the display mac-address security command output

| Item | Description |
|---|---|
| MAC Address | Destination MAC address in a secure dynamic MAC address entry. |
| VLAN/VSI/BD | ID of the VLAN, name of the VSI, or the ID of the BD that a MAC address belongs to. |
| Learned-From | Interface that learns a MAC address. |
| Type | Type of a MAC address entry. The value is security, which indicates a secure dynamic MAC address. |
| Aging-Time | How soon a secure dynamic MAC address entry will be aged out. |

display mac-address sticky

Function

The display mac-address sticky command displays sticky VLAN MAC address entries.

Format

display mac-address sticky [ vlan vlan-id | interface-type interface-number ] * [ verbose ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| vlan vlan-id | Displays sticky MAC address entries in a specified VLAN. | The value is an integer that ranges from 1 to 4094. |
| interface-type interface-number | Displays sticky MAC address entries with a specified outbound interface. interface-type specifies the type of the outbound interface. interface-number specifies the number of the outbound interface. | - |
| verbose | Displays detailed information about sticky MAC address entries. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

The MAC address table of the switch stores MAC addresses of other devices. When forwarding an Ethernet frame, the switch searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the Ethernet frame.

After port security is enabled on an interface by using the port-security enable command, MAC address entries learned by the interface are stored in the MAC address table as secure dynamic MAC address entries. The learned secure dynamic MAC address entries are deleted after the switch restarts. If the sticky MAC function is also enabled on the interface by using the port-security mac-address sticky command, secure dynamic MAC address entries change to sticky MAC address entries. Sticky MAC address entries are not deleted after the switch restarts.

To check the sticky MAC configuration or the learned sticky MAC address entries, run the display mac-address sticky command.

Follow-up Procedure

If the displayed sticky MAC address entries are invalid, run the undo mac-address sticky command to delete sticky MAC address entries.

Precautions

If you run the display mac-address sticky command without parameters, all sticky MAC address entries are displayed.

If the MAC address table does not contain any sticky MAC address, no information is displayed.

When the switch has a large number of sticky MAC address entries, it is recommended that you specify parameters in the command to filter the output information. Otherwise, the following problems may occur due to excessive output information:
  • The displayed information is repeatedly refreshed, so you cannot find the required information.
  • The system traverses and retrieves information for a long time, and does not respond to any request.

Example

# Display all sticky MAC address entries.

<HUAWEI> display mac-address sticky
------------------------------------------------------------------------------- 
MAC Address    VLAN/VSI/BD                       Learned-From        Type       
-------------------------------------------------------------------------------
0022-0022-0033 100/-/-                           GE0/0/1             sticky 
0000-0000-0001 200/-/-                           GE0/0/2             sticky 

-------------------------------------------------------------------------------
Total items displayed = 2 

# Display detailed information about all sticky MAC address entries in VLAN 10.

<HUAWEI> display mac-address sticky vlan 10 verbose
------------------------------------------------------------------------------- 
MAC Address : 0000-0000-0001            VLAN : 10                            
Learned-From: GE0/0/1                   Type : sticky                        
                                                                                
------------------------------------------------------------------------------- 
Total items displayed = 1
Table 14-51  Description of the display mac-address sticky command output

| Item | Description |
|---|---|
| MAC Address | MAC address in a sticky MAC address entry. |
| VLAN/VSI/BD | ID of the VLAN, name of the VSI, or the ID of the BD that a MAC address belongs to. |
| Learned-From | Interface that learns a MAC address. |
| Type | Type of a MAC address entry. The value is sticky, which indicates a sticky MAC address. |
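
The usage guidelines for the three display commands above ask you to check whether the listed entries are correct. The following Python sketch is an added example, not part of the Huawei documentation: it parses the summary output format shown in the examples and compares it with an inventory. The inventory structure, the function names, and the third sample row are assumptions made for illustration.

```python
import re

# Constructed sample in the summary format shown above. The third row is an
# invented address standing in for a device that is not in the inventory.
SAMPLE_OUTPUT = """\
<HUAWEI> display mac-address security
-------------------------------------------------------------------------------
MAC Address    VLAN/VSI/BD                       Learned-From        Type
-------------------------------------------------------------------------------
0022-0022-0033 100/-/-                           GE0/0/1             security
0000-0000-0001 200/-/-                           GE0/0/2             security
00e0-fc12-3456 100/-/-                           GE0/0/1             security

-------------------------------------------------------------------------------
Total items displayed = 3
"""

# Hypothetical inventory: the (MAC, VLAN) pairs expected on each interface.
EXPECTED = {
    "GE0/0/1": {("0022-0022-0033", 100)},
    "GE0/0/2": {("0000-0000-0001", 200)},
}

# One table row: MAC, VLAN/VSI/BD, Learned-From, Type.
ROW = re.compile(
    r"^(?P<mac>[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+"
    r"(?P<vlan>\d+|-)/(?P<vsi>\S+?)/(?P<bd>\S+)\s+"
    r"(?P<port>\S+)\s+(?P<type>sec-config|security|sticky)$"
)
TOTAL = re.compile(r"^Total items displayed = (\d+)$")


def parse_mac_table(text):
    """Return the entries of a display mac-address {sec-config|security|sticky} table.

    Raises ValueError when the device's own total does not match the number
    of parsed rows, which indicates truncated or unparsed output.
    """
    entries, total = [], None
    for raw in text.splitlines():
        line = raw.strip()
        row = ROW.match(line)
        if row:
            vlan = row["vlan"]
            entries.append({
                "mac": row["mac"].lower(),
                "vlan": int(vlan) if vlan.isdigit() else None,
                "port": row["port"],
                "type": row["type"],
            })
            continue
        tot = TOTAL.match(line)
        if tot:
            total = int(tot.group(1))
    if total is not None and total != len(entries):
        raise ValueError(f"parsed {len(entries)} rows, device reported {total}")
    return entries


def audit(entries, expected):
    """Compare parsed entries with the inventory and return a list of findings.

    Each finding is (kind, interface, mac, vlan) where kind is:
      unknown-mac  address is not in the inventory at all
      moved        address is in the inventory, but for another interface
      missing      inventory address not present (normal for offline hosts
                   with dynamic entries, notable for sticky or static ones)
    """
    home = {pair: port for port, pairs in expected.items() for pair in pairs}
    findings = []
    for e in entries:
        pair = (e["mac"], e["vlan"])
        if pair not in home:
            findings.append(("unknown-mac", e["port"], e["mac"], e["vlan"]))
        elif home[pair] != e["port"]:
            findings.append(("moved", e["port"], e["mac"], e["vlan"]))
    seen = {(e["mac"], e["vlan"]) for e in entries}
    for pair, port in home.items():
        if pair not in seen:
            findings.append(("missing", port, pair[0], pair[1]))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_mac_table(SAMPLE_OUTPUT), EXPECTED):
        print(finding)
```
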

port-security aging-time

Function

The port-security aging-time command sets the aging time of secure dynamic MAC addresses on an interface.

The undo port-security aging-time command restores the default configuration.

By default, secure dynamic MAC addresses will not be aged out.

Format

port-security aging-time time [ type { absolute | inactivity } ]

undo port-security aging-time

Parameters

| Parameter | Description | Value |
|---|---|---|
| time | Specifies the aging time of secure dynamic MAC addresses. | The value is an integer that ranges from 1 to 1440, in minutes. |
| type | Specifies the type of the aging time. | The default type is absolute, indicating the absolute aging time. |
| absolute | Indicates the absolute aging time. After the aging time of secure dynamic MAC addresses is set, the system calculates the lifetime of each MAC address every minute. If the lifetime of a MAC address plus 1 is greater than or equal to time minutes, the secure dynamic MAC address is aged immediately. If the lifetime is smaller than time minutes, the system determines whether to delete the secure dynamic MAC address after 1 minute. | - |
| inactivity | Indicates the relative aging time. After the relative aging time is set to time minutes, the system checks traffic from each secure dynamic MAC address every 1 minute. If no traffic is received from a secure dynamic MAC address, this MAC address is aged out after time minutes. | - |

Views

Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After you run the port-security enable command to enable port security on an interface, MAC address entries learned by the interface are saved in the MAC address table as secure dynamic MAC addresses. The learned secure dynamic MAC addresses will not be aged by default. When the number of learned MAC addresses reaches the limit, the interface cannot learn new MAC addresses.

If MAC addresses learned by an interface can be trusted only for a certain period, run the port-security aging-time command to set the aging time of secure dynamic MAC addresses on the interface. Then secure dynamic MAC addresses can be aged out and the interface can learn new MAC addresses.

Prerequisites

Port security is enabled on the interface.

Precautions

If the aging time of secure dynamic MAC addresses on an interface is shorter than the global aging time of dynamic MAC addresses, secure dynamic MAC addresses are aged out when the global aging time expires.

If you run the port-security aging-time command multiple times in the same interface view, only the latest configuration takes effect.

Example

# Set the aging time of secure dynamic MAC addresses on GE0/0/1 to 30 minutes.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security aging-time 30

port-security enable

Function

The port-security enable command enables the port security function on an interface.

The undo port-security enable command disables the port security function on an interface.

By default, port security is disabled on an interface.

Format

port-security enable

undo port-security enable

Parameters

None

Views

GE interface view, Ethernet interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After port security is enabled on an interface, MAC address entries learned by the interface are stored in the MAC address table as secure dynamic MAC address entries. By default, secure dynamic MAC addresses will not be aged out. If the aging time of secure dynamic MAC address entries is set, these entries will be aged out. After the device restarts, secure dynamic MAC address entries are lost and need to be relearned. You can also create secure static MAC addresses, which do not age out.

Port security has the following functions:

  • Prevent unauthorized guests from using their computers to connect to an enterprise network.
  • Prevent employees of a company from moving their computers without permission.

Precautions

  • On the S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI, the total number of MAC addresses on interfaces enabled with port security cannot exceed 4096. For example, if the numbers of MAC addresses learned on interfaces 1 and 2 are 2000 and 1500, respectively, interface 3 can learn a maximum of 596 MAC addresses.
  • The protection action, the maximum number of learned secure MAC address entries, secure static MAC addresses, and the sticky MAC function can be configured only after port security is enabled.
  • Port security and MAC address limiting conflict on an interface; therefore, the port-security enable and mac-limit maximum commands cannot be used on the same interface.
  • Port security and MUX VLAN conflict on an interface; therefore, the port-security enable and port mux-vlan enable commands cannot be used on the same interface.
  • Port security and NAC conflict on an interface; therefore, the port-security enable and mac-authen, dot1x enable, or authentication-profile commands cannot be used on the same interface.
  • Port security and generating snooping MAC entries conflict on an interface; therefore, the port-security enable and user-bind ip sticky-mac commands cannot be used on the same interface.
  • If port security is enabled after MAC address learning is disabled using the mac-address learning disable command, the dynamic port security function does not take effect. If port security is enabled before MAC address learning is disabled on an interface, the device no longer learns MAC addresses on the interface, but secure MAC addresses that have been learned are reserved (including secure static MAC addresses).

Example

# Enable port security on GigabitEthernet0/0/2.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] port-security enable

port-security mac-address

Function

The port-security mac-address command configures a static secure MAC address.

The undo port-security mac-address command deletes a static secure MAC address.

By default, a static secure MAC address is not configured.

Format

port-security mac-address mac-address vlan vlan-id

undo port-security mac-address mac-address vlan vlan-id

Parameters

| Parameter | Description | Value |
|---|---|---|
| mac-address | Specifies a static secure MAC address. | The value is in H-H-H format. An H contains 1 to 4 hexadecimal digits. The MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address. |
| vlan vlan-id | Specifies the ID of a VLAN. | The value is an integer that ranges from 1 to 4094. |

Views

Ethernet interface view, GE interface view, XGE interface view, MultiGE interface view, 40GE interface view, Eth-Trunk interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the port-security enable command is used to configure port security, the learned MAC address becomes a dynamic secure MAC address.

When the interface becomes Down or the device is reset, static secure MAC addresses are not affected, and dynamic secure MAC addresses need to be learned again. Static secure MAC addresses are not aged out. Static secure MAC addresses have higher priority than dynamic secure MAC addresses.

Prerequisites

Port security has been enabled by using the port-security enable command on the interface.

Precautions

You can run the port-security mac-address mac-address vlan vlan-id command multiple times to configure multiple static secure MAC addresses.

A static secure MAC address cannot be the virtual MAC address of the Virtual Router Redundancy Protocol (VRRP).

Example

# Configure a static secure MAC address on GE0/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security mac-address 286E-D488-B6FF vlan 10

port-security mac-address sticky

Function

The port-security mac-address sticky command enables the sticky MAC function on an interface.

The undo port-security mac-address sticky command disables the sticky MAC function on an interface.

By default, the sticky MAC function is disabled on an interface.

Format

port-security mac-address sticky [ mac-address vlan vlan-id ]

undo port-security mac-address sticky [ mac-address vlan vlan-id ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| mac-address | Specifies the MAC address in a sticky MAC address entry. NOTE: This parameter is not supported in the port group view. | The value is in H-H-H format. H is a hexadecimal number of 1 to 4 digits. A MAC address cannot be FFFF-FFFF-FFFF, 0000-0000-0000, or a multicast MAC address. |
| vlan vlan-id | Specifies the ID of a VLAN. NOTE: This parameter is not supported in the port group view. | The value is an integer that ranges from 1 to 4094. |

Views

Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After port security is enabled on an interface, MAC address entries learned by the interface are stored in the MAC address table as secure dynamic MAC address entries.

After the sticky MAC function is enabled on an interface, the dynamic MAC addresses learned by the interface change to sticky MAC addresses. If the number of sticky MAC addresses does not reach the limit, the MAC addresses learned subsequently change to sticky MAC addresses. When the number of sticky MAC addresses reaches the limit, packets whose source MAC addresses do not match sticky MAC address entries are discarded. In addition, the system determines whether to send a trap message or shut down the interface according to the configured security protection action.

After enabling the sticky MAC function on an interface, you can run the port-security mac-address sticky mac-address vlan vlan-id command to manually configure a sticky MAC address entry.

The sticky MAC function has the following functions:

  • Prevent non-employees from using their own computers to access the company intranet without the permission of the network administrator.

  • Prevent employees from moving network devices or computers of the company without the permission of the network administrator.

Prerequisites

Port security has been enabled by using the port-security enable command on the interface.

Precautions

Running the undo port-security mac-address sticky command will convert the sticky MAC addresses on the interface into secure dynamic MAC addresses.

The configuration information is not displayed after you run the port-security mac-address sticky [ mac-address vlan vlan-id ] command to configure sticky MAC address entries.

If you run the port-security mac-address sticky [ mac-address vlan vlan-id ] command multiple times, multiple sticky MAC address entries are configured.

A sticky MAC address cannot be the virtual MAC address of the Virtual Router Redundancy Protocol (VRRP).

Example

# Enable the sticky MAC function on GigabitEthernet0/0/1.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security mac-address sticky

port-security max-mac-num

Function

The port-security max-mac-num command sets the maximum number of secure MAC addresses that can be learned on an interface.

The undo port-security max-mac-num command restores the default maximum number of secure MAC addresses that can be learned on an interface.

By default, only one MAC address can be learned on an interface.

Format

port-security max-mac-num max-number

undo port-security max-mac-num

Parameters

| Parameter | Description | Value |
|---|---|---|
| max-number | Specifies the maximum number of secure MAC addresses that can be learned by an interface. | The value is an integer that ranges from 1 to 1024. |

Views

Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After enabling port security on an interface, you can run the port-security max-mac-num command to limit the number of MAC addresses that the interface can learn. If the switch receives packets with a nonexistent source MAC address after the number of secure MAC addresses reaches the limit, the switch considers that the packets are sent from an unauthorized user, regardless of whether the destination MAC address of packets is valid, and takes the action configured using the port-security protect-action command on the interface. This prevents untrusted users from accessing these interfaces, improving security of the switch and the network.

Prerequisites

Port security has been enabled by using the port-security enable command on the interface.

Precautions

  • On the S1720GW, S1720GWR, S1720X, S1720GW-E, S1720GWR-E, S1720X-E, S2720EI, S5720LI, S5720S-LI, S5730SI, S5730S-EI, S6720LI, S6720S-LI, S6720SI, and S6720S-SI, the total number of MAC addresses on interfaces enabled with port security cannot exceed 4096. For example, if the numbers of MAC addresses learned on interfaces 1 and 2 are 2000 and 1500, respectively, interface 3 can learn a maximum of 596 MAC addresses.
  • If the sticky MAC function is disabled, max-number limits the number of secure dynamic MAC addresses learned by the interface and secure static MAC addresses configured manually.
  • If the sticky MAC function is enabled, max-number limits the number of sticky MAC addresses learned by the interface, and sticky MAC addresses and secure static MAC addresses configured manually.
  • If you run the port-security max-mac-num command multiple times in the same interface view, only the latest configuration takes effect.

Example

# Set the maximum number of MAC addresses that can be learned by GigabitEthernet0/0/1 to 5.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 5

port-security protect-action

Function

The port-security protect-action command configures the protection action to be used when the number of learned MAC addresses on an interface exceeds the upper limit or static MAC address flapping is detected.

The undo port-security protect-action command restores the default protection action.

The default action is restrict.

Format

port-security protect-action { protect | restrict | shutdown }

undo port-security protect-action

Parameters

| Parameter | Description | Value |
|---|---|---|
| protect | Discards packets with new source MAC addresses when the number of learned MAC addresses exceeds the limit. When static MAC address flapping occurs, the interface discards the packets with this MAC address. | - |
| restrict | Discards packets with new source MAC addresses and sends a trap message when the number of learned MAC addresses exceeds the limit. When static MAC address flapping occurs, the interface discards the packets with this MAC address and sends a trap. | - |
| shutdown | Sets the interface status to error down and sends a trap message when the number of learned MAC addresses exceeds the limit. When static MAC address flapping occurs, the interface takes the error down action and sends a trap. | - |

Views

Ethernet interface view, GE interface view, XGE interface view, 40GE interface view, MultiGE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After enabling port security, you can run the port-security protect-action command to configure the action performed on the interface when the number of learned MAC addresses on an interface exceeds the upper limit or static MAC address flapping is detected.

The default action restrict is recommended. If the action is set to shutdown on an interface connected to a downstream device, the interface discards packets from trusted MAC addresses. Select the shutdown action only when the interface is directly connected to a user terminal.

Prerequisites

Port security has been enabled by using the port-security enable command on the interface.

Precautions

The interface takes protection actions when detecting static MAC address flapping only after the port-security static-flapping protect command is executed.

If the action is set to shutdown, the interface takes the error down action when the number of learned MAC addresses exceeds the limit or static MAC address flapping is detected. In addition, the interface status will not be automatically recovered.

If you run the port-security protect-action command multiple times in the same interface view, only the latest configuration takes effect.

If both port security and traffic policy-based VLAN translation are configured on an interface of the S5720EI, S5720HI, S6720EI, and S6720S-EI, the interface can forward protocol packets with source MAC addresses out of the MAC address table when the number of learned MAC addresses exceeds the limit.

Example

# Set the protection action on GigabitEthernet0/0/1 to protect.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action protect

port-security static-flapping protect

Function

The port-security static-flapping protect command enables static MAC address flapping detection.

The undo port-security static-flapping protect command disables static MAC address flapping detection.

By default, static MAC address flapping detection is disabled.

Format

port-security static-flapping protect

undo port-security static-flapping protect

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an interface receives a packet of which the source MAC address exists in the static MAC table on another interface, the interface discards this packet. This affects customer services. For example, when PC 1 connects to GE0/0/1 where sticky MAC is enabled, the sticky MAC table of GE0/0/1 includes PC 1's MAC address. When PC 1 is disconnected from GE0/0/1 and connected to GE0/0/2, GE0/0/2 discards the packets from PC 1. In this situation, you can enable static MAC address flapping detection. Then the interface will take the configured action.

Precautions

Static MAC address flapping detection is supported only on the interfaces with port security enabled.

Example

# Enable static MAC address flapping detection.

<HUAWEI> system-view
[HUAWEI] port-security static-flapping protect
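
The interaction between port-security max-mac-num, port-security mac-address sticky, port-security protect-action, and port-security static-flapping protect can be traced with the following Python model. It is an added example, not Huawei code: a simplified model built only from the descriptions on this page, which ignores VLANs and aging. The class names, MAC addresses, and return strings are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed MAC addresses for three hosts.
PC1, PC2, PC3 = "0000-0000-0001", "0000-0000-0002", "0000-0000-0003"


@dataclass
class Port:
    """An interface with port-security enable already configured."""
    name: str
    max_mac_num: int = 1               # page default: one MAC address
    protect_action: str = "restrict"   # page default action
    sticky: bool = False               # port-security mac-address sticky
    error_down: bool = False
    table: dict = field(default_factory=dict)  # mac -> entry type


class Switch:
    def __init__(self, static_flapping_protect=False):
        # Models the system-view command port-security static-flapping protect.
        self.static_flapping_protect = static_flapping_protect
        self.ports = {}
        self.traps = []  # (interface, mac, reason) for each trap sent

    def add_port(self, name, **settings):
        self.ports[name] = Port(name, **settings)

    def receive(self, port_name, src_mac):
        """Return what the model does with a frame from src_mac on port_name."""
        port = self.ports[port_name]
        if port.error_down:
            return "discard"  # interface is error down and is not auto-recovered
        if src_mac in port.table:
            return "forward"
        # Source MAC is a static or sticky entry on another interface.
        flapping = any(
            other is not port and other.table.get(src_mac) in ("sticky", "sec-config")
            for other in self.ports.values()
        )
        if flapping:
            if not self.static_flapping_protect:
                return "discard"  # dropped without applying the protect action
            return self._violation(port, src_mac, "static-flapping")
        if len(port.table) < port.max_mac_num:
            port.table[src_mac] = "sticky" if port.sticky else "security"
            return "forward"
        return self._violation(port, src_mac, "limit")

    def _violation(self, port, mac, reason):
        if port.protect_action == "protect":
            return "discard"  # no trap
        self.traps.append((port.name, mac, reason))
        if port.protect_action == "shutdown":
            port.error_down = True
            return "error-down"
        return "discard"  # restrict


def demo(static_flapping_protect=True):
    """PC1 is learned as sticky on GE0/0/1 and is then moved to GE0/0/2."""
    sw = Switch(static_flapping_protect)
    sw.add_port("GE0/0/1", sticky=True)  # defaults: 1 MAC, restrict
    sw.add_port("GE0/0/2", max_mac_num=2, protect_action="shutdown")
    results = [
        sw.receive("GE0/0/1", PC1),  # learned as sticky
        sw.receive("GE0/0/1", PC2),  # limit reached: restrict
        sw.receive("GE0/0/2", PC1),  # sticky on GE0/0/1: static flapping
        sw.receive("GE0/0/2", PC3),  # depends on whether GE0/0/2 went error down
    ]
    return results, sw.traps


if __name__ == "__main__":
    print(demo(True))
    print(demo(False))
```
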

undo mac-address security

Function

The undo mac-address security command deletes secure MAC address entries. Secure MAC address entries include dynamic and static secure MAC address entries and sticky MAC address entries.

Format

undo mac-address { sec-config | security | sticky } [ interface-type interface-number | vlan vlan-id ] *

Parameters

| Parameter | Description | Value |
|---|---|---|
| interface-type interface-number | Specifies the outbound interface in a secure MAC address entry to be deleted. | - |
| vlan vlan-id | Specifies the VLAN ID in a secure MAC address entry to be deleted. | The value is an integer that ranges from 1 to 4094. |
| sec-config | Deletes static secure MAC address entries. | - |
| security | Deletes dynamic secure MAC address entries, that is, MAC address entries learned by an interface enabled with port security. | - |
| sticky | Deletes sticky MAC address entries, that is, MAC address entries learned by an interface enabled with the sticky MAC function. | - |

Views

System view

Default Level

2: Configuration level

Usage Guidelines

After port security is enabled on an interface, dynamic MAC address entries learned by the interface turn into secure MAC address entries. Secure MAC address entries are not aged out. After the number of MAC address entries learned by an interface reaches the limit, the interface cannot learn new MAC address entries. Packets matching no MAC address entry are broadcast, wasting bandwidth resources. This command can delete useless secure MAC address entries to release the MAC address table space.

You can delete some of the secure MAC address entries as required. For example:
  • If you do not specify interface-type interface-number, the command deletes MAC address entries of the specified type on all interfaces.
  • If you do not specify vlan vlan-id, the command deletes MAC address entries of the specified type in all VLANs.

Example

# Delete all static secure MAC address entries.

<HUAWEI> system-view
[HUAWEI] undo mac-address sec-config

# Delete all dynamic secure MAC address entries on gigabitethernet0/0/1.

<HUAWEI> system-view
[HUAWEI] undo mac-address security gigabitethernet 0/0/1

# Delete all sticky MAC address entries.

<HUAWEI> system-view
[HUAWEI] undo mac-address sticky
Updated: 2019-04-18

Document ID: EDOC1000178165