Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Example for Configuring Port Security

Networking Requirements

As shown in Figure 8-3, PC1, PC2, and PC3 connect to the company network through the switch. To raise access security, port security is enabled on each access interface of the switch and the maximum number of secure MAC addresses that an interface may learn is set to the number of legitimate users behind it. An outsider who plugs a different PC into one of these ports then cannot reach the company network, because that PC's MAC address is not among the secure addresses bound to the port.

Figure 8-3  Networking for configuring port security

Configuration Roadmap

The configuration roadmap is as follows:

  1. Create a VLAN and add the access interfaces to it, to implement Layer 2 forwarding.

  2. Enable port security with sticky MAC addresses on the access interfaces, so that the learned MAC address entries are retained and not aged out, and limit the number of secure MAC addresses each interface may learn.

Procedure

  1. Create a VLAN on the switch and add interfaces to the VLAN.

    # Create a VLAN.

    <Quidway> system-view
    [Quidway] sysname Switch
    [Switch] vlan 10
    [Switch-vlan10] quit
    

    # Add GE1/0/1 to VLAN 10. The configurations of GE1/0/2 and GE1/0/3 are the same as that of GE1/0/1 and are omitted here.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] port link-type access
    [Switch-GigabitEthernet1/0/1] port default vlan 10
    [Switch-GigabitEthernet1/0/1] quit
    

  2. Configure port security on GE1/0/1.

    # Enable port security and the sticky MAC address function, and set the maximum number of secure MAC addresses. The configurations of GE1/0/2 and GE1/0/3 are the same as that of GE1/0/1 and are omitted here.

    [Switch] interface gigabitethernet 1/0/1
    [Switch-GigabitEthernet1/0/1] port-security enable
    [Switch-GigabitEthernet1/0/1] port-security mac-address sticky
    [Switch-GigabitEthernet1/0/1] port-security max-mac-num 1
    NOTE:
    • By default an interface learns only one secure MAC address, so port-security max-mac-num 1 above restates the default and does not appear in the saved configuration file. If several PCs connect to the company network through one interface, run the port-security max-mac-num command to raise the limit to the number of connected devices.
    • If a PC connects to the switch through an IP phone, set the maximum number of secure MAC addresses to 3: the IP phone occupies two MAC address entries and the PC occupies one. The two entries of the IP phone carry different VLAN IDs, one VLAN for voice packets and one for data packets.

  3. Verify the configuration.

    After PC1, PC2, and PC3 have sent traffic, run the display mac-address sticky command to confirm that each interface has learned the MAC address of its PC as a sticky entry. If PC1, PC2, or PC3 is then replaced by another PC, that PC cannot access the company network, because its MAC address differs from the sticky address bound to the interface and the interface has already reached its maximum of one secure MAC address.

Configuration Files

Switch configuration file

#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
 port-security enable
 port-security mac-address sticky
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 10
 port-security enable
 port-security mac-address sticky
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 10
 port-security enable
 port-security mac-address sticky
#
return
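A configuration file in this format can be audited mechanically, which is useful when many access ports are involved. The following Python script is an added example and is not part of the Huawei document: it parses a constructed copy of the configuration file above (with an explicit max-mac-num on GE1/0/3 and an extra access port GE1/0/4 that has no port security, both assumptions added for illustration), applies the default of one secure MAC address per interface, and flags access interfaces that lack port security or sticky MAC, or whose limit does not match an assumed device inventory. The per-device entry counts follow the note in the procedure (a PC uses one entry, an IP phone two); the inventory itself is a constructed assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the page's configuration file (not from a
# live device). GE1/0/3 has an explicit max-mac-num and GE1/0/4 is an access
# port without port security, so the audit has something to report.
SAMPLE_CONFIG = """\
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
 port-security enable
 port-security mac-address sticky
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 10
 port-security enable
 port-security mac-address sticky
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 10
 port-security enable
 port-security mac-address sticky
 port-security max-mac-num 3
#
interface GigabitEthernet1/0/4
 port link-type access
 port default vlan 10
#
return
"""

DEFAULT_MAX_MAC = 1  # an interface learns one secure MAC address by default

# Secure MAC entries each device type needs (from the note in the procedure).
ENTRIES_PER_DEVICE = {"pc": 1, "ip-phone": 2}

# Assumed inventory of what is plugged into each port (constructed).
SAMPLE_INVENTORY = {
    "GigabitEthernet1/0/1": ["pc"],
    "GigabitEthernet1/0/2": ["pc"],
    "GigabitEthernet1/0/3": ["ip-phone", "pc"],
    "GigabitEthernet1/0/4": ["pc"],
}


@dataclass
class PortSecurity:
    name: str
    access: bool = False
    enabled: bool = False
    sticky: bool = False
    max_mac: int = DEFAULT_MAX_MAC


def parse_config(text):
    """Return {interface name: PortSecurity} for every interface stanza."""
    ports, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = PortSecurity(m.group(1))
            ports[current.name] = current
            continue
        if line == "#":          # stanza separator ends the interface view
            current = None
            continue
        if current is None:
            continue
        if line == "port link-type access":
            current.access = True
        elif line == "port-security enable":
            current.enabled = True
        elif line == "port-security mac-address sticky":
            current.sticky = True
        else:
            m = re.match(r"port-security max-mac-num (\d+)$", line)
            if m:
                current.max_mac = int(m.group(1))
    return ports


def required_max_mac(devices):
    """Secure MAC entries needed for the listed devices on one port."""
    return sum(ENTRIES_PER_DEVICE[d] for d in devices)


def audit(text, inventory):
    """Return (interface, finding) pairs for access ports that deviate."""
    findings = []
    for name, p in parse_config(text).items():
        if not p.access:
            continue
        if not p.enabled:
            findings.append((name, "port security not enabled"))
            continue
        if not p.sticky:
            findings.append((name, "sticky MAC not configured"))
        need = required_max_mac(inventory.get(name, []))
        if need and p.max_mac < need:
            findings.append((name, f"max-mac-num {p.max_mac} is below the {need} entries needed"))
        elif need and p.max_mac > need:
            findings.append((name, f"max-mac-num {p.max_mac} exceeds the {need} entries needed"))
    return findings


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG, SAMPLE_INVENTORY):
        print(f"{iface}: {finding}")
```

On the sample the only finding is GE1/0/4 without port security; GE1/0/3 passes because its explicit limit of 3 matches an IP phone plus a PC, and GE1/0/1 and GE1/0/2 pass on the default limit of 1. A limit above what the inventory needs is reported as well, since each spare entry is a MAC address an outsider could still get learned on the port.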
Updated: 2019-04-01

Document ID: EDOC1000178410