Configuration Guide - Security

CloudEngine 8800, 7800, 6800, and 5800 V200R005C10

This document describes the configurations of Security, including ACL, local attack defense, MFF, attack defense, traffic suppression and storm control, ARP security, Port security, DHCP snooping, ND snooping, PPPoE+, IPSG, SAVI, separating the management plane from the service plane, security risks.
Configuring the Secure MAC Function on an Interface

Context

If a network requires high access security, you can configure port security on specified interfaces. MAC addresses learned by these interfaces become secure dynamic MAC addresses or sticky MAC addresses. When the number of learned MAC addresses reaches the configured limit, the interface stops learning new MAC addresses and allows only devices with the already learned MAC addresses to communicate with the switch. This prevents devices with untrusted MAC addresses from accessing these interfaces, improving network security. Note that port security identifies a device only by its source MAC address; a host that spoofs an already learned MAC address is not blocked, so this function limits the number of hosts behind an interface rather than authenticating them.

By default, secure dynamic MAC addresses are not aged out. You can set an aging time for secure dynamic MAC addresses so that they are aged out, which frees entries when a host is moved or replaced. Secure dynamic MAC addresses are lost when the device restarts, and the device must learn them again.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run port-security enable

    Port security is enabled.

    By default, port security is disabled on an interface.

  4. (Optional) Run port-security maximum max-number

    The limit on the number of secure dynamic MAC addresses is set.

    By default, the limit on the number of secure dynamic MAC addresses is 1.

  5. (Optional) Run port-security protect-action { protect | restrict | error-down }

    The protection action is configured.

    The default action is restrict.

    The protection actions are as follows:

    • protect: discards packets with new source MAC addresses once the number of learned MAC addresses has reached the limit. No alarm is generated, so a violation is invisible unless you check the interface.
    • restrict: discards packets with new source MAC addresses and sends an alarm once the number of learned MAC addresses has reached the limit.
    • error-down: sets the interface to the Error-Down state and sends an alarm once the number of learned MAC addresses has reached the limit. This also cuts off the legitimate hosts on the interface, so use it only where that is acceptable.

  6. (Optional) Run port-security aging-time time [ type { absolute | inactivity } ]

    The aging time of secure dynamic MAC addresses is set.

    By default, secure dynamic MAC addresses will not be aged out.

  7. Run commit

    The configuration is committed.
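The procedure above, carried out end to end on one access interface, as an added example that is not from the original page. The interface name 10GE1/0/1, the limit of 3 MAC addresses, the error-down action and the 300-second inactivity aging time are assumptions chosen for the example; the prompt changes from [~HUAWEI] to [*HUAWEI] while there are uncommitted changes and back after commit.

```vrp
# Added example (not from the page). Interface and values are assumptions.
<HUAWEI> system-view
[~HUAWEI] interface 10GE1/0/1
[~HUAWEI-10GE1/0/1] port-security enable
[*HUAWEI-10GE1/0/1] port-security maximum 3
[*HUAWEI-10GE1/0/1] port-security protect-action error-down
[*HUAWEI-10GE1/0/1] port-security aging-time 300 type inactivity
[*HUAWEI-10GE1/0/1] commit
[~HUAWEI-10GE1/0/1] quit
[~HUAWEI]
```

Nothing takes effect until commit is run, so verify the prompt has returned to [~HUAWEI] before testing. With type inactivity, an entry is removed only after 300 seconds without traffic from that MAC address; with type absolute it is removed 300 seconds after it was learned regardless of activity, so a chatty host is relearned immediately and briefly counts against the limit again.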

Follow-up Procedure

When the protection action is set to error-down and the number of secure MAC addresses on the interface reaches the limit, the interface enters the Error-Down state. The device records an interface as Error-Down when it detects that a fault has occurred. An interface in the Error-Down state cannot receive or send packets and its indicator is off. You can run the display error-down recovery command to check information about all interfaces in the Error-Down state on the device.

When an interface is in the Error-Down state, find the cause before restoring it; if the extra MAC address is still present (for example, an unauthorized hub or additional host behind the port), the interface will go down again as soon as it comes up. You can use the following modes to restore the interface:
  • Manual (after the interface enters the Error-Down state)

    When only a few interfaces are in the Error-Down state, run the shutdown and undo shutdown commands in the interface view, or run the restart command, to restore the interface.

  • Auto (configured before the interface enters the Error-Down state)

    If many interfaces are in the Error-Down state, manual recovery is laborious and some interfaces may be overlooked. To avoid this, run the error-down auto-recovery cause portsec-reachedlimit interval interval-value command in the system view so that an interface which enters the Error-Down state for this cause is brought back Up automatically after the configured delay. You can run the display error-down recovery command to view the automatic recovery information for the interface.

    NOTE:

    This mode does not apply to an interface that has already entered the Error-Down state. It takes effect only for interfaces that enter the Error-Down state after the error-down auto-recovery cause portsec-reachedlimit interval interval-value command has been configured.
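Both recovery modes as a session, added here as an example that is not from the original page. The interface name 10GE1/0/1 and the 60-second recovery delay are assumptions; check the supported interval range for your version in the command reference. The auto-recovery command is committed first, so that it covers interfaces that go Error-Down later; the manual sequence is what you would use for an interface that went down before it was configured.

```vrp
# Added example (not from the page). Interface and interval are assumptions.
# 1. Automatic recovery: must be in place before the violation occurs.
<HUAWEI> system-view
[~HUAWEI] error-down auto-recovery cause portsec-reachedlimit interval 60
[*HUAWEI] commit
[~HUAWEI] quit
# 2. Check which interfaces are Error-Down and whether auto recovery applies.
<HUAWEI> display error-down recovery
# 3. Manual recovery for an interface that went down before step 1,
#    after the offending device has been removed from the port.
<HUAWEI> system-view
[~HUAWEI] interface 10GE1/0/1
[~HUAWEI-10GE1/0/1] shutdown
[*HUAWEI-10GE1/0/1] undo shutdown
[*HUAWEI-10GE1/0/1] commit
[~HUAWEI-10GE1/0/1] quit
[~HUAWEI]
```

Keep the recovery interval long enough that an attacker cannot turn a port into a flapping denial of service for the legitimate hosts behind it, and treat every portsec-reachedlimit alarm as something to investigate rather than rely on auto recovery to hide it.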

Updated: 2019-04-20

Document ID: EDOC1100074765