Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Understanding Port Security

Classification of Secure MAC Addresses

Port security restricts an interface to a configurable number of secure MAC addresses and takes a configured action once that limit is reached (the actions are described later in this section).

Secure MAC addresses fall into dynamic secure MAC addresses, static secure MAC addresses, and sticky MAC addresses.

Table 8-1  Classification of secure MAC addresses

Dynamic secure MAC address
  Description: MAC addresses learned on an interface where port security is enabled but the sticky MAC address function is disabled.
  Characteristics:
  • Dynamic secure MAC addresses are lost after a device restart and must be learned again.
  • By default, dynamic secure MAC addresses are never aged out; they age only if an aging time is configured for them.
  • Two aging modes are available: absolute aging and relative aging.
    • Absolute aging time: the lifetime of an entry is counted from the moment it was learned, whether or not traffic continues to arrive from that address. With an absolute aging time of 5 minutes, the system checks the lifetime of every dynamic secure MAC address once a minute and immediately deletes any entry whose lifetime is 5 minutes or more; an entry whose lifetime is still under 5 minutes is checked again one minute later.
    • Relative aging time: the timer is refreshed by traffic. With a relative aging time of 5 minutes, the system checks once a minute whether traffic has been received from each dynamic secure MAC address; an address from which no traffic has been received for 5 minutes is aged out.

Static secure MAC address
  Description: MAC addresses manually configured on an interface where port security is enabled.
  Characteristics: Static secure MAC addresses are never aged out. Because they are part of the device configuration, they survive a device restart once the configuration has been saved.

Sticky MAC address
  Description: MAC addresses learned on an interface where both port security and the sticky MAC address function are enabled.
  Characteristics: Sticky MAC addresses are never aged out. Like static entries, they are written into the configuration and survive a device restart once the configuration has been saved.

NOTE:
  • After port security is enabled on an interface, dynamic MAC address entries that have been learned on the interface are deleted and MAC address entries learned subsequently turn into dynamic secure MAC address entries.
  • After the sticky MAC address function is enabled on an interface, existing dynamic secure MAC address entries and MAC address entries learned subsequently on the interface turn into sticky MAC address entries.
  • After port security is disabled on an interface, existing dynamic secure MAC address entries on the interface are deleted. The interface learns dynamic MAC address entries again.
  • After the sticky MAC address function is disabled on an interface, sticky MAC address entries on the interface turn into dynamic secure MAC address entries.
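The following configuration is added here as an illustration of the three secure MAC address types; it is not taken from this guide. GigabitEthernet1/0/1 keeps dynamic secure MAC addresses and ages them by inactivity (relative aging), while GigabitEthernet1/0/2 uses sticky learning plus one hand-configured sticky entry. The interface numbers, VLAN 10, the MAC address 0001-0203-0405, the limits and the aging time are assumed values, and lines beginning with # are annotations rather than commands.

```text
<HUAWEI> system-view
# Interface 1: dynamic secure MAC addresses, at most 3, aged out after 10 idle minutes
[HUAWEI] interface GigabitEthernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-security enable
[HUAWEI-GigabitEthernet1/0/1] port-security max-mac-num 3
# "type inactivity" selects relative aging; omit it for absolute aging, which counts from
# the time the address was learned regardless of traffic
[HUAWEI-GigabitEthernet1/0/1] port-security aging-time 10 type inactivity
[HUAWEI-GigabitEthernet1/0/1] quit
# Interface 2: sticky learning. Existing dynamic secure entries and new entries become
# sticky entries, which never age and survive a reboot once the configuration is saved
[HUAWEI] interface GigabitEthernet1/0/2
[HUAWEI-GigabitEthernet1/0/2] port-security enable
[HUAWEI-GigabitEthernet1/0/2] port-security max-mac-num 1
[HUAWEI-GigabitEthernet1/0/2] port-security mac-address sticky
# A known host can be pinned as a sticky entry by hand (assumed MAC and VLAN)
[HUAWEI-GigabitEthernet1/0/2] port-security mac-address sticky 0001-0203-0405 vlan 10
[HUAWEI-GigabitEthernet1/0/2] quit
# Verify which entries exist, then save so the sticky entries persist across a restart
[HUAWEI] display mac-address security
[HUAWEI] display mac-address sticky
[HUAWEI] save
```

Enabling port security on GigabitEthernet1/0/1 clears the dynamic MAC address entries it had already learned, so apply it in a maintenance window on ports that carry live hosts.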

Actions to Take After the Number of Secure MAC Addresses Exceeds the Limit

If, after the number of secure MAC addresses on an interface has reached the limit, the interface receives packets whose source MAC address is not one of its secure MAC addresses, the switch treats the packets as coming from an unauthorized user, regardless of whether the destination MAC address is valid, and takes the action configured on the interface. By default (the restrict action), the switch discards the packets and generates a trap.

Table 8-2  Port security actions

restrict: Discards packets whose source MAC address is not a secure MAC address on the interface and generates a trap. This is the recommended action.

protect: Discards packets whose source MAC address is not a secure MAC address on the interface but does not generate a trap.

shutdown: Sets the interface to the error-down state and generates a trap.

By default, an interface in error-down state can only be restored by using the restart command in the interface view.

To enable an interface in error-down state to automatically go Up after a period of time, run the error-down auto-recovery cause port-security interval interval-value command in the system view. In this command, interval-value specifies the period of time after which an interface can automatically go Up.

To view trap information, run the display trapbuffer command or log in to the NMS.

Actions to Take When Static MAC Address Flapping Occurs

On a switch with static MAC address flapping detection configured, when an interface receives a packet whose source MAC address already exists as a static MAC address entry bound to another interface, the switch treats this as static MAC address flapping and takes the configured port security action. The same three actions are available: restrict, protect, and shutdown.

Table 8-3  Port security actions for static MAC address flapping

restrict: Discards the packet that triggered the static MAC address flapping and generates a trap. This is the recommended action.

protect: Discards the packet that triggered the static MAC address flapping but does not generate a trap.

shutdown: Sets the interface to the error-down state and generates a trap.

Recovery from the error-down state is the same as for the limit-exceeded case above: by default the interface is restored only with the restart command in the interface view, or it can be brought Up automatically after a period by running error-down auto-recovery cause port-security interval interval-value in the system view. Trap information is available with the display trapbuffer command or on the NMS.
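An added example, not taken from this guide, that applies the shutdown action to a single-host port, enables automatic error-down recovery, and turns on static MAC address flapping detection. The interface number, the limit of one address and the 30-second interval are assumed values; the port-security static-flapping protect command is written from memory and should be checked against the command reference for your software version. Lines beginning with # are annotations.

```text
<HUAWEI> system-view
[HUAWEI] interface GigabitEthernet1/0/3
[HUAWEI-GigabitEthernet1/0/3] port-security enable
[HUAWEI-GigabitEthernet1/0/3] port-security max-mac-num 1
# Default is restrict (drop + trap); shutdown puts the interface into error-down instead
[HUAWEI-GigabitEthernet1/0/3] port-security protect-action shutdown
[HUAWEI-GigabitEthernet1/0/3] quit
# Bring error-down interfaces back Up on their own after 30 seconds (assumed interval)
[HUAWEI] error-down auto-recovery cause port-security interval 30
# Treat a static MAC address seen on a different interface as flapping and apply that
# interface's port security action (assumed syntax, verify in the command reference)
[HUAWEI] port-security static-flapping protect
# Check what happened and which interfaces are waiting to recover
[HUAWEI] display trapbuffer
[HUAWEI] display error-down recovery
# Manual recovery when no auto-recovery is configured
[HUAWEI] interface GigabitEthernet1/0/3
[HUAWEI-GigabitEthernet1/0/3] restart
```

One caveat when combining shutdown with automatic recovery: a host that keeps sending frames from unknown source MAC addresses will drive the interface through repeated error-down cycles, so a short interval turns the shutdown action into a denial of service for the legitimate host on that port. Keep the interval long enough for the trap to be investigated, or leave the default manual restart and rely on restrict where availability matters more than hard isolation.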

Updated: 2019-04-01

Document ID: EDOC1000178319