Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Understanding Port Security

Port security limits the number of secure MAC addresses an interface can learn. Once that limit is reached, frames from any other source MAC address are treated as coming from an unauthorized user, and the device takes the action configured on the interface.

Classification of Secure MAC Addresses

Secure MAC addresses fall into two types: dynamic secure MAC addresses and sticky MAC addresses.

Table 11-1 Classification of secure MAC addresses

Type: Dynamic secure MAC address

Description: MAC addresses learned on an interface where port security is enabled but the sticky MAC function is disabled.

Characteristics:

Dynamic secure MAC addresses are lost after a device restart and must be learned again.

Dynamic secure MAC addresses are never aged out by default; they are aged only when an aging time is configured for them.

Dynamic secure MAC addresses can be aged in two modes, absolute aging and relative aging. With a 5-minute aging time:
  • Absolute aging: the system checks every 5 minutes whether traffic has been received from the dynamic secure MAC address. If no traffic was received, the entry is aged out immediately; if traffic was received, the entry is checked again 5 minutes later.
  • Relative aging: the system checks every minute whether traffic has been received from the dynamic secure MAC address. An entry that has received no traffic for 5 minutes is aged out.

Type: Sticky MAC address

Description: MAC addresses learned on an interface where both port security and the sticky MAC function are enabled.

Characteristics:

Sticky MAC addresses are not aged out. Sticky MAC addresses that have been saved manually are not lost after a device restart.

NOTE:
  • After port security is enabled on an interface, the dynamic MAC address entries already learned on the interface are deleted, and entries learned afterwards become dynamic secure MAC address entries.
  • Dynamic MAC addresses on an interface can only be converted into dynamic secure MAC addresses or sticky MAC addresses. After the sticky MAC function is enabled on an interface, the existing dynamic secure MAC address entries and the entries learned afterwards become sticky MAC address entries. After the sticky MAC function is disabled, the sticky MAC addresses on the interface become dynamic secure MAC addresses.
  • After port security is disabled on an interface, the existing dynamic secure MAC address entries on the interface are deleted and the interface learns dynamic MAC address entries again.

Action to Take After the Number of Secure MAC Addresses Reaches the Limit

Once the number of secure MAC addresses on an interface has reached the limit, any packet whose source MAC address is not one of the interface's secure MAC addresses is treated as sent by an unauthorized user, and the switch takes the action configured on the interface. By default, the switch discards such packets and generates an alarm (the restrict action).

Table 11-2 Port security actions

Action: restrict

Description: Discards packets whose source MAC address is not a secure MAC address and generates an alarm. This is the default and the recommended action.

Action: protect

Description: Discards packets whose source MAC address is not a secure MAC address but does not generate an alarm.

Action: error-down

Description: Sets the interface to the ERROR DOWN(portsec-reachedlimit) state and generates an alarm.

When the protect action is error-down, the interface enters the Error-Down state as soon as a packet with a non-secure source MAC address arrives after the secure MAC address limit has been reached. The device records an interface as Error-Down when it detects a fault on it. An interface in Error-Down state can neither receive nor send packets, and its indicator is off. Run the display error-down recovery command to check all interfaces in Error-Down state on the device.

When an interface is in Error-Down state, find the cause first. The interface can be restored in either of the following ways:
  • Manual (after the interface enters the Error-Down state)

    When only a few interfaces are in Error-Down state, run the shutdown and undo shutdown commands in the interface view, or run the restart command, to restore the interface.

  • Auto (configured before the interface enters the Error-Down state)

    When many interfaces are in Error-Down state, manual recovery is laborious and some interfaces may be missed. To avoid this, run the error-down auto-recovery cause portsec-reachedlimit interval interval-value command in the system view so that an interface that enters the Error-Down state for this cause goes Up again after the configured delay. Run the display error-down recovery command to view the automatic recovery information of the interface. Note that automatic recovery does not remove the cause: if the source of the excess MAC addresses is still attached when the interface comes Up, the next offending packet takes it down again, so choose the interval accordingly and treat repeated recoveries as a signal to investigate.

    NOTE:

    This command has no effect on an interface that has already entered the Error-Down state. It applies only to interfaces that enter the Error-Down state after the error-down auto-recovery cause portsec-reachedlimit interval interval-value command is run.
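The following Python model is added here as an illustration; it is not code from the CloudEngine documentation or software. It ties together the aging modes of Table 11-1, the protect actions of Table 11-2 and the Error-Down recovery rules above for a single interface, keeping time in whole minutes and running the aging checks at the cadence the tables describe. It also takes the note above literally: an auto-recovery interval configured after an interface has gone down does not rescue that interface, only later Error-Down events. The class and method names, the two-address limit and the frame sequences are assumptions made for the example.

```python
"""Model of the port-security behaviour described above: one interface, one secure-MAC table,
time in whole minutes. Added illustration only; this is not CloudEngine code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RESTRICT, PROTECT, ERROR_DOWN = "restrict", "protect", "error-down"   # Table 11-2
ABSOLUTE, RELATIVE = "absolute", "relative"                           # Table 11-1 aging modes


@dataclass
class SecurePort:
    max_mac: int = 2                      # secure MAC address limit of the interface (assumed)
    action: str = RESTRICT                # default and recommended protect action
    sticky: bool = False                  # sticky MAC addresses are never aged out
    aging_time: Optional[int] = None      # None: dynamic secure MACs never age (the default)
    aging_mode: str = ABSOLUTE
    auto_recovery: Optional[int] = None   # error-down auto-recovery interval in minutes
    recovery_armed: bool = False          # does auto-recovery cover the current Error-Down?
    secure: Dict[str, int] = field(default_factory=dict)   # mac -> minute of last traffic
    clock: int = 0
    last_absolute_check: int = 0
    error_down_since: Optional[int] = None
    alarms: List[str] = field(default_factory=list)
    dropped: int = 0

    @property
    def is_error_down(self) -> bool:
        return self.error_down_since is not None

    def set_auto_recovery(self, interval: int) -> None:
        """error-down auto-recovery cause portsec-reachedlimit interval <interval>: it does
        not rescue an interface that is already down, only later Error-Down events."""
        self.auto_recovery = interval
        self.recovery_armed = not self.is_error_down

    def recover(self) -> None:
        """Manual recovery (shutdown / undo shutdown, restart) or the auto-recovery timer."""
        self.error_down_since = None

    def advance(self, now: int) -> List[str]:
        """Run the per-minute housekeeping up to `now`; returns the MACs aged out."""
        aged: List[str] = []
        while self.clock < now:
            self.clock += 1
            aged += self._age(self.clock)
            if (self.is_error_down and self.recovery_armed and self.auto_recovery is not None
                    and self.clock - self.error_down_since >= self.auto_recovery):
                self.recover()
        return aged

    def _age(self, minute: int) -> List[str]:
        if self.aging_time is None or self.sticky:
            return []
        if self.aging_mode == RELATIVE:
            # Checked every minute: an entry idle for aging_time minutes is removed.
            expired = [m for m, seen in self.secure.items() if minute - seen >= self.aging_time]
        else:
            # Checked every aging_time minutes: entries with no traffic since the previous
            # check are removed at once, the rest are looked at again at the next check.
            if minute - self.last_absolute_check < self.aging_time:
                return []
            expired = [m for m, seen in self.secure.items() if seen < self.last_absolute_check]
            self.last_absolute_check = minute
        for m in expired:
            del self.secure[m]
        return expired

    def receive(self, mac: str, now: int) -> str:
        """Handle one frame with source `mac` arriving at minute `now`."""
        self.advance(now)
        if self.is_error_down:
            return "error-down"            # a down interface neither receives nor sends
        if mac in self.secure:
            self.secure[mac] = now
            return "forward"
        if len(self.secure) < self.max_mac:
            self.secure[mac] = now
            return "learned"
        # Limit reached and the source is not a secure MAC: an unauthorized user.
        if self.action == PROTECT:
            self.dropped += 1
            return "dropped"
        if self.action == RESTRICT:
            self.dropped += 1
            self.alarms.append(f"minute {now}: {mac} dropped, secure MAC limit reached")
            return "dropped+alarm"
        self.error_down_since = now
        self.recovery_armed = self.auto_recovery is not None   # event after the command
        self.alarms.append(f"minute {now}: ERROR DOWN(portsec-reachedlimit)")
        return "error-down"


def replay(port: SecurePort, frames: List[Tuple[int, str]]) -> List[str]:
    """Feed constructed (minute, source MAC) frames in order; returns each frame's fate."""
    return [port.receive(mac, minute) for minute, mac in frames]


if __name__ == "__main__":
    print(replay(SecurePort(action=ERROR_DOWN), [(0, "A"), (0, "B"), (1, "C"), (2, "A")]))
```

Replaying the constructed frames `[(0, "A"), (3, "A")]` and then calling `advance` minute by minute shows the practical difference between the two aging modes: with relative aging and a 5-minute timer, A is removed at minute 8 (five idle minutes after its last frame); with absolute aging it survives the check at minute 5, because it was seen in the preceding window, and is removed at the check at minute 10. With `action=ERROR_DOWN` the legitimate host A is cut off as well once C trips the limit, which is the cost of that action compared with restrict, and an interval set with `set_auto_recovery` only brings the interface back for Error-Down events that occur after it was configured.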

Updated: 2019-04-20

Document ID: EDOC1100074765