Configuration Guide - Security

S7700 and S9700 V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Configuring the Secure MAC Address Function

Context

You can configure port security and set the maximum number of secure MAC addresses learned by an interface on networks demanding high access security. Port security enables the switch to convert MAC addresses learned by an interface into secure MAC addresses and to stop learning new MAC addresses after the maximum number of learned MAC addresses is reached. After port security is enabled, the switch can only communicate with devices with learned MAC addresses. If an interface receives packets with a nonexistent source MAC address after the number of secure MAC addresses reaches the limit, the switch considers that the packets are sent from an unauthorized user and takes the configured action on the interface. This prevents untrusted users from accessing these interfaces, improving security of the switch and the network. The following table describes port security actions.

Table 8-6  Port security actions

  Action     Description
  --------   -----------
  restrict   Discards packets with a nonexistent source MAC address and generates a trap. This action is recommended.
  protect    Discards packets with a nonexistent source MAC address but does not generate a trap.
  shutdown   Sets the interface state to error-down and generates a trap.

By default, an interface in error-down state can only be restored by using the restart command in the interface view.

To enable an interface in error-down state to automatically go Up after a period of time, run the error-down auto-recovery cause port-security interval interval-value command in the system view. In this command, interval-value specifies the period of time after which an interface can automatically go Up.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run port-security enable

    Port security is enabled.

    By default, port security is disabled on an interface.

  4. Run port-security max-mac-num max-number

    The maximum number of secure MAC addresses learned by an interface is set.

    By default, the maximum number of secure MAC addresses learned by an interface is 1.

    NOTE:
    • An interface can learn only one secure MAC address by default. If multiple PCs connect to the company network using one interface, run the port-security max-mac-num command to change the maximum number of secure MAC addresses.
    • If a PC connects to the switch using an IP phone, set the maximum number of secure MAC addresses to 3. This is because the IP phone occupies two MAC address entries and the PC occupies one MAC address entry. The VLAN IDs in two MAC address entries used by the IP phone are different. The two VLANs are used to transmit voice and data packets respectively.

  5. (Optional) Run port-security mac-address mac-address vlan vlan-id

    A static secure MAC address entry is configured.

  6. (Optional) Run port-security protect-action { protect | restrict | shutdown }

    A port security action is configured.

    By default, the restrict action is used.

  7. (Optional) Run port-security aging-time time [ type { absolute | inactivity } ]

    The aging time of dynamic secure MAC address entries learned by the interface is set.

    By default, dynamic secure MAC address entries learned by an interface are not aged out.

Verifying the Configuration

  • Check secure MAC addresses.
    • Run the display mac-address security [ vlan vlan-id | interface-type interface-number ] * [ verbose ] command to check dynamic secure MAC address entries.
    • Run the display mac-address sec-config [ vlan vlan-id | interface-type interface-number ] * [ verbose ] command to check static secure MAC address entries.
  • To view trap information, run the display trapbuffer command or log in to the NMS.
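The procedure above applied to one access port that connects a PC through an IP phone, followed by the verification commands and the error-down auto-recovery command from the Context section, as an added example that is not part of the Huawei guide. The interface name, VLAN ID, MAC address, aging time and recovery interval are assumed values; check the command reference for the unit and range of each.

```vrp
# Added example: interface, VLAN, MAC address and timer values are assumed, not taken from this page.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-security enable
# An IP phone uses two MAC entries (voice and data VLANs) and the PC behind it uses one: allow 3.
[HUAWEI-GigabitEthernet1/0/1] port-security max-mac-num 3
# Pin the PC as a static secure entry so it survives aging (MAC and VLAN are placeholders).
[HUAWEI-GigabitEthernet1/0/1] port-security mac-address 0001-0002-0003 vlan 10
# restrict is already the default; setting it explicitly makes the intent visible in the running config.
[HUAWEI-GigabitEthernet1/0/1] port-security protect-action restrict
# Age out dynamic secure entries that stay idle, so a replaced device does not hit the limit forever.
[HUAWEI-GigabitEthernet1/0/1] port-security aging-time 30 type inactivity
[HUAWEI-GigabitEthernet1/0/1] quit
# Only relevant when protect-action shutdown is chosen: let an error-down port recover automatically.
[HUAWEI] error-down auto-recovery cause port-security interval 300
# Verification: dynamic entries, static entries, and the traps raised by the restrict action.
[HUAWEI] display mac-address security gigabitethernet 1/0/1 verbose
[HUAWEI] display mac-address sec-config gigabitethernet 1/0/1 verbose
[HUAWEI] display trapbuffer
```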

Updated: 2019-10-18

Document ID: EDOC1000178319