Configuration Guide - Security

S9300, S9300E, and S9300X V200R011C10

This document describes the configurations of Security, including ACL, reflective ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, URPF, keychain, separating the management plane from the service plane, security risks.
Configuring the Sticky MAC Address Function

Context

You can configure port security and set the maximum number of secure MAC addresses learned by an interface on networks demanding high access security. Port security enables the switch to convert MAC addresses learned by an interface into secure MAC addresses and to stop learning new MAC addresses after the maximum number of learned MAC addresses is reached. After port security is enabled, the switch can only communicate with devices with learned MAC addresses. If an interface receives packets with a nonexistent source MAC address (one that is not in the secure MAC address table) after the number of secure MAC addresses reaches the limit, the switch considers that the packets are sent from an unauthorized user and takes the configured action on the interface. This prevents untrusted users from accessing these interfaces, improving security of the switch and the network. The following table describes port security actions.

Table 8-7  Port security actions

  Action     Description
  restrict   Discards packets with a nonexistent source MAC address and generates a trap. This action is recommended.
  protect    Discards packets with a nonexistent source MAC address but does not generate a trap.
  shutdown   Sets the interface state to error-down and generates a trap.

By default, an interface in error-down state can only be restored by using the restart command in the interface view.

To enable an interface in error-down state to automatically go Up after a period of time, run the error-down auto-recovery cause port-security interval interval-value command in the system view. In this command, interval-value specifies the period of time after which an interface can automatically go Up.

The sticky MAC address function usually applies to networks where terminal users seldom change.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run port-security enable

    Port security is enabled.

    By default, port security is disabled on an interface.

  4. Run port-security mac-address sticky

    The sticky MAC address function is enabled on the interface.

    By default, the sticky MAC address function is disabled on an interface.

  5. Run port-security max-mac-num max-number

    The maximum number of sticky MAC addresses is set.

    By default, an interface enabled with the sticky MAC address function can learn only one sticky MAC address.

    NOTE:
    • An interface can learn only one sticky MAC address by default. If multiple PCs connect to a network using one interface, run the port-security max-mac-num command to change the maximum number of sticky MAC addresses.
    • If a PC connects to the switch using an IP phone, set the maximum number of sticky MAC addresses to 3. This is because the IP phone occupies two MAC address entries and the PC occupies one MAC address entry. The VLAN IDs in two MAC address entries used by the IP phone are different. The two VLANs are used to transmit voice and data packets respectively.

  6. (Optional) Run port-security protect-action { protect | restrict | shutdown }

    A port security action is configured.

    By default, the restrict action is used.

  7. (Optional) Run port-security mac-address sticky mac-address vlan vlan-id

    A sticky MAC address entry is configured.

    NOTE:
    • After the sticky MAC address function is enabled on an interface, existing dynamic secure MAC address entries and MAC address entries learned subsequently on the interface turn into sticky MAC address entries.
    • After the sticky MAC address function is enabled on an interface, sticky MAC address entries are not aged even if the port-security aging-time command is configured.
    • The saved sticky MAC address entries will not be lost after a device restart.

Verifying the Configuration

  • Run the display mac-address sticky [ vlan vlan-id | interface-type interface-number ] * [ verbose ] command to check sticky MAC address entries.
  • To view trap information, run the display trapbuffer command or log in to the NMS.
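The procedure and verification steps above, worked through for the IP-phone-plus-PC case from step 5, as an added example assembled from the commands in this guide (not a configuration taken from the original document). The interface name GigabitEthernet1/0/1, the MAC address 0001-0002-0003, VLAN 10 and the 30-second recovery interval are constructed values.

```text
# Enter the system view and the access interface (interface name is a constructed example).
<HUAWEI> system-view
[HUAWEI] interface GigabitEthernet1/0/1
# Enable port security, then sticky MAC learning, on the interface (both are disabled by default).
[HUAWEI-GigabitEthernet1/0/1] port-security enable
[HUAWEI-GigabitEthernet1/0/1] port-security mac-address sticky
# Allow three sticky entries: two for the IP phone (voice VLAN and data VLAN) and one for the PC.
[HUAWEI-GigabitEthernet1/0/1] port-security max-mac-num 3
# Keep the default action (restrict) explicit: drop frames with an unknown source MAC and raise a trap.
[HUAWEI-GigabitEthernet1/0/1] port-security protect-action restrict
# Optionally pin the PC's MAC address as a sticky entry instead of waiting for it to be learned
# (constructed MAC address and VLAN ID).
[HUAWEI-GigabitEthernet1/0/1] port-security mac-address sticky 0001-0002-0003 vlan 10
[HUAWEI-GigabitEthernet1/0/1] quit
# Only needed if the shutdown action is chosen instead: let an error-down interface recover
# automatically after 30 seconds (constructed interval) rather than requiring a manual restart.
[HUAWEI] error-down auto-recovery cause port-security interval 30
# Verify the sticky entries on the interface and check the trap buffer for port-security traps.
[HUAWEI] display mac-address sticky GigabitEthernet1/0/1 verbose
[HUAWEI] display trapbuffer
```

With the restrict action, a fourth device plugged in behind the phone is dropped and reported via trap while the three learned sticky entries keep working, so the trap buffer (or the NMS) is where the unauthorized-access attempt shows up.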

Updated: 2019-04-01

Document ID: EDOC1000178410