CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.

Understanding Port Security

Classification of Secure MAC Addresses

A device takes certain actions after the number of secure MAC addresses reaches the limit.

Secure MAC addresses fall into dynamic secure MAC addresses and sticky MAC addresses.

Table 11-1  Classification of secure MAC addresses

| Type | Description | Characteristic |
| --- | --- | --- |
| Dynamic secure MAC address | MAC addresses that are learned on an interface where port security is enabled but the sticky MAC address function is disabled. | Dynamic secure MAC addresses will be lost after a device restart and need to be learned again. Dynamic secure MAC addresses will never be aged out by default, and can be aged only when an aging time is set for them. |
| Sticky MAC address | MAC addresses that are learned on an interface where both port security and sticky MAC address function are enabled. | Sticky MAC addresses are not aged out. The sticky MAC addresses that are saved manually are not lost after a device restart. |

Before port security is enabled on an interface, MAC address entries can be configured statically or learned dynamically on the interface. After port security is enabled on an interface, dynamic MAC address entries that have been learned on the interface are deleted and MAC address entries learned subsequently turn into secure dynamic MAC address entries. Only packets with source MAC addresses matching the secure dynamic MAC address entries or static MAC address entries can pass through the interface. After the sticky MAC address function is enabled on the interface, existing secure dynamic MAC address entries and MAC address entries learned subsequently on the interface turn into sticky MAC address entries. When the number of secure MAC addresses reaches the limit, the switch stops learning MAC addresses on the interface and takes a protection action on the interface or packets received.

Action to Take After the Number of Secure MAC Addresses Reaches the Limit

If the switch receives packets with a nonexistent source MAC address after the number of secure MAC addresses reaches the limit, the switch considers that the packets are sent from an unauthorized user and takes the configured action on the interface. By default, the switch discards the packets and generates an alarm in such a situation.

Table 11-2  Port security actions

| Action | Description |
| --- | --- |
| restrict | Discards packets with a nonexistent source MAC address and generates an alarm. This action is recommended. NOTE: When receiving packets with a nonexistent source MAC address, the switch generates at least one alarm and at most two alarms every 30 seconds. |
| protect | Only discards packets with a nonexistent source MAC address but does not generate an alarm. |
| shutdown | Sets the interface state to error-down and generates an alarm. By default, an interface cannot automatically restore to Up state after it is shut down. To restore the interface, run the undo shutdown command on the interface in sequence. Alternatively, run the restart command on the interface to restart the interface. |
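
The learning and protection behaviour described above can be traced with a small model. This is an added example, not Huawei code or device configuration: the class, its method names, the limit values and the sample MAC addresses are constructed for illustration. Static MAC entries, aging and alarm rate limiting are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Simplified model of one interface with port security enabled."""
    limit: int = 1               # maximum number of secure MAC addresses (value assumed)
    action: str = "restrict"     # restrict | protect | shutdown
    sticky: bool = False         # sticky MAC address function
    secure: set = field(default_factory=set)   # dynamic secure or sticky entries
    saved: set = field(default_factory=set)    # sticky entries saved manually
    state: str = "up"
    alarms: list = field(default_factory=list)

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame with this source MAC passes the interface."""
        if self.state != "up":
            return False                     # error-down: nothing passes
        if src_mac in self.secure:
            return True
        if len(self.secure) < self.limit:
            self.secure.add(src_mac)         # learned as a secure entry
            return True
        # Limit reached and the source MAC is unknown: apply the action.
        if self.action == "shutdown":
            self.state = "error-down"
        if self.action != "protect":
            self.alarms.append(src_mac)      # protect discards silently
        return False

    def save(self) -> None:
        """Manual save: only sticky entries are written out."""
        if self.sticky:
            self.saved = set(self.secure)

    def restart(self) -> None:
        """Device restart: unsaved entries are lost and must be relearned."""
        self.secure = set(self.saved)

    def recover(self) -> None:
        """Manual recovery of an error-down interface."""
        self.state = "up"

if __name__ == "__main__":
    port = SecurePort(limit=2, action="shutdown")
    # Constructed sample source MAC addresses; the third one exceeds the limit.
    for mac in ["00e0-fc00-0001", "00e0-fc00-0002", "00e0-fc00-0003", "00e0-fc00-0001"]:
        print(mac, port.receive(mac), port.state)
```

With the shutdown action, the run shows that a single unknown source MAC also cuts off the hosts that were already learned, which is the operational difference from restrict and protect.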

Updated: 2019-05-20

Document ID: EDOC1100034236
