Configuring the Secure MAC Function on an Interface
Context
If a network requires high access security, you can configure port security on specified interfaces. MAC addresses learned by these interfaces change to secure dynamic MAC addresses or sticky MAC addresses. When the number of learned MAC addresses reaches the limit, the interface does not learn new MAC addresses and allows only the devices with the learned MAC addresses to communicate with the switch. This prevents devices with untrusted MAC addresses from accessing these interfaces, improving security of the network.
By default, secure dynamic MAC addresses are not aged out. You can set an aging time for secure dynamic MAC addresses so that they are aged out. Secure dynamic MAC addresses are lost when the device restarts, so the device must learn them again.
Procedure
- Run system-view
The system view is displayed.
- Run interface interface-type interface-number
The interface view is displayed.
- Run port-security enable
Port security is enabled.
By default, port security is disabled on an interface.
- (Optional) Run port-security maximum max-number
The limit on the number of secure dynamic MAC addresses is set.
By default, the limit on the number of secure dynamic MAC addresses is 1.
- (Optional) Run port-security protect-action { protect | restrict | error-down }
The protection action is configured.
The default action is restrict.
The protection actions are as follows:
- protect: discards packets with new source MAC addresses when the number of learned MAC addresses reaches the limit.
- restrict: discards packets with new source MAC addresses and sends an alarm when the number of learned MAC addresses reaches the limit.
- error-down: sets the interface status to Error-Down and sends an alarm when the number of learned MAC addresses exceeds the limit.
- (Optional) Run port-security aging-time time [ type { absolute | inactivity } ]
The aging time of secure dynamic MAC addresses is set.
By default, secure dynamic MAC addresses will not be aged out.
- Run commit
The configuration is committed.
Follow-up Procedure
When the protection action is set to error-down and the number of secure MAC addresses on the interface reaches the limit, the interface enters the Error-Down state. The device records the status of an interface as Error-Down when it detects that a fault occurs. The interface in Error-Down state cannot receive or send packets and the interface indicator is off. You can run the display error-down recovery command to check information about all interfaces in Error-Down state on the device.
Manual (after the interface enters the Error-Down state)
When there are few interfaces in Error-Down state, you can run the shutdown and undo shutdown commands in the interface view or run the restart command to restore the interface.
Auto (before the interface enters the Error-Down state)
If there are many interfaces in Error-Down state, the manual mode involves a heavy workload and some interfaces may be overlooked. To prevent this problem, run the error-down auto-recovery cause portsec-reachedlimit interval interval-value command in the system view to enable interfaces in Error-Down state to go Up automatically after a recovery delay. You can run the display error-down recovery command to view automatic recovery information about the interface.
This mode does not apply to an interface that has already entered the Error-Down state; it applies only to interfaces that enter the Error-Down state after the error-down auto-recovery cause portsec-reachedlimit interval interval-value command is run.
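The following command sequence is an added example, not part of the original documentation, that combines the procedure above with the automatic recovery setup from the follow-up procedure. The interface name, the MAC address limit, the aging time and the recovery interval are assumed values; lines beginning with # are annotations, not CLI input, and the time units should be confirmed against the command reference.

```text
# Weak starting point: port security disabled, so the interface learns and
# accepts any number of source MAC addresses. Hardened configuration follows.
system-view
# Enable automatic recovery first: it only covers interfaces that enter
# Error-Down after this command is run (interval assumed to be in seconds).
error-down auto-recovery cause portsec-reachedlimit interval 60
interface 10GE1/0/1
port-security enable
# Allow two secure MAC addresses instead of the default limit of 1
port-security maximum 2
# Shut the interface and raise an alarm when a third MAC address appears
# (default action is restrict, which only drops packets and alarms)
port-security protect-action error-down
# Age out a secure MAC address that stops sending traffic
# (value assumed to be in minutes)
port-security aging-time 30 type inactivity
quit
# Two-stage configuration: nothing takes effect until commit
commit
# Check interfaces in Error-Down state and their auto-recovery status
display error-down recovery
```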