Configuring the Sticky MAC Function on an Interface
Context
If a network requires high access security, you can configure port security on specified interfaces. MAC addresses learned by these interfaces become secure dynamic MAC addresses or sticky MAC addresses. When the number of learned MAC addresses reaches the limit, the interface stops learning new MAC addresses and allows only the devices with the learned MAC addresses to communicate with the switch. This prevents devices with untrusted MAC addresses from accessing these interfaces, improving network security.
Sticky MAC addresses are not aged. After the configuration is saved, the switch or the VS generates a file (*.ztbl/*.ctbl/*.dtbl) that contains information about sticky MAC addresses. After the switch or the VS restarts, sticky MAC addresses are not lost and do not need to be learned again.
Procedure
- Run system-view
The system view is displayed.
- Run interface interface-type interface-number
The interface view is displayed.
- Run port-security enable
Port security is enabled.
By default, port security is disabled on an interface.
- Run port-security mac-address sticky
The sticky MAC function is enabled on the interface.
By default, the sticky MAC function is disabled on an interface.
- (Optional) Run port-security maximum max-number
The limit on the number of sticky MAC addresses is set on the interface.
By default, the limit on the number of sticky MAC addresses is 1.
- (Optional) Run port-security protect-action { protect | restrict | error-down }
The protection action is configured.
The default action is restrict.
The protection actions are as follows:
- protect: discards packets with new source MAC addresses when the number of learned MAC addresses reaches the limit.
- restrict: discards packets with new source MAC addresses and sends an alarm when the number of learned MAC addresses reaches the limit.
- error-down: sets the interface to the Error-Down state and sends an alarm when the number of learned MAC addresses exceeds the limit.
- (Optional) Run port-security mac-address sticky mac-address vlan vlan-id
A sticky MAC address entry is configured.
- Run commit
The configuration is committed.
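The complete command sequence for this procedure, as an added example that is not part of the original page. The interface name 10GE 1/0/1, the limit of 2, the error-down action, the VLAN 10 and the MAC address 0001-0002-0003 are constructed values chosen for illustration; the prompt format follows the two-stage commit convention in which `[~...]` marks a committed view and `[*...]` marks uncommitted changes.

```text
<HUAWEI> system-view
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] port-security enable
[*HUAWEI-10GE1/0/1] port-security mac-address sticky
[*HUAWEI-10GE1/0/1] port-security maximum 2
[*HUAWEI-10GE1/0/1] port-security protect-action error-down
[*HUAWEI-10GE1/0/1] port-security mac-address sticky 0001-0002-0003 vlan 10
[*HUAWEI-10GE1/0/1] commit
[~HUAWEI-10GE1/0/1] quit
```

With this configuration, the statically configured entry for 0001-0002-0003 occupies one of the two allowed sticky entries, so the interface learns at most one more MAC address dynamically as a sticky entry. A frame from a third source MAC address then triggers the error-down action and an alarm. Note that the order matters: `port-security enable` must precede the other `port-security` commands, and nothing takes effect until `commit` is run.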
Follow-up Procedure
When the protection action is set to error-down and the number of secure MAC addresses on the interface reaches the limit, the interface enters the Error-Down state. The device records the status of an interface as Error-Down when it detects that a fault occurs. The interface in Error-Down state cannot receive or send packets and the interface indicator is off. You can run the display error-down recovery command to check information about all interfaces in Error-Down state on the device.
Manual (after the interface enters the Error-Down state)
When there are few interfaces in Error-Down state, you can run the shutdown and undo shutdown commands in the interface view or run the restart command to restore the interface.
Auto (before the interface enters the Error-Down state)
If there are many interfaces in Error-Down state, manual recovery involves heavy workload and the configuration of some interfaces may be overlooked. To prevent this problem, run the error-down auto-recovery cause portsec-reachedlimit interval interval-value command in the system view to enable interfaces in Error-Down state to go Up automatically after the specified recovery delay. You can run the display error-down recovery command to view automatic recovery information about the interfaces.
This mode does not apply to an interface that has already entered the Error-Down state; it takes effect only for interfaces that enter the Error-Down state after the error-down auto-recovery cause portsec-reachedlimit interval interval-value command is run.
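Both recovery modes in one session, as an added example that is not part of the original page. The interface name 10GE 1/0/1 and the interval value 60 are constructed for illustration; the unit and valid range of interval-value are not stated on this page and should be checked against the command reference.

```text
<HUAWEI> system-view
[~HUAWEI] error-down auto-recovery cause portsec-reachedlimit interval 60
[*HUAWEI] commit
[~HUAWEI] display error-down recovery
[~HUAWEI] interface 10ge 1/0/1
[~HUAWEI-10GE1/0/1] shutdown
[*HUAWEI-10GE1/0/1] commit
[~HUAWEI-10GE1/0/1] undo shutdown
[*HUAWEI-10GE1/0/1] commit
[~HUAWEI-10GE1/0/1] quit
```

The auto-recovery command is global and covers only interfaces that enter the Error-Down state after it is committed. Any interface that was already in Error-Down state when the command was run still needs the manual shutdown and undo shutdown sequence shown for 10GE 1/0/1 (or the restart command). Because an interface recovered by either method starts learning sticky MAC addresses again as soon as it is Up, review the source of the excess MAC addresses before recovering it, otherwise the interface will simply re-enter the Error-Down state.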