Port Security Management

S12700 and S12700E V200R019C10 NETCONF YANG API Reference

This document describes the NETCONF YANG API functions supported by the switch, including the data model and samples.

Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).

This section describes the configuration model of port security management and provides examples of XML packets.

Data Model
Configuring Port Security

Data Model

The configuration model file matching port security management is huawei-mac.yang.

Table 2-373 Port security management

Object	Description	Value	Remarks
/huawei-mac:static-flapping-protect/enable	Enables static MAC address flapping detection.	The value is of the Boolean type: true: Static MAC address flapping detection is enabled. false: Static MAC address flapping detection is disabled.	Static MAC address flapping detection needs to be enabled only on the interfaces with port security enabled.
/ietf-interfaces:interfaces/interface/huawei-mac:mac-security/port-security/enable	Enables port security.	The value is of the Boolean type: true: Port security is enabled. false: Port security is disabled.	The following objects can be configured only when this object is set to true: /ietf-interfaces:interfaces/interface/huawei-mac:mac-security/port-security/action /ietf-interfaces:interfaces/interface/huawei-mac:mac-security/port-security/port-security-aging/aging-time /ietf-interfaces:interfaces/interface/huawei-mac:mac-security/port-security/port-security-aging/aging-type
/ietf-interfaces:interfaces/interface/huawei-mac:mac-security/port-security/maxinum	Configures the maximum number of secure MAC addresses that can be learned on an interface.	The value is an integer in the range from 1 to 4096.	The total number of MAC addresses on interfaces enabled with port security cannot exceed 4096.
/ietf-interfaces:interfaces/interface/huawei-mac:mac-security/port-security/action	Configures the protection action to be taken when the number of learned MAC addresses on an interface enabled with port security exceeds the upper limit or static MAC address flapping is detected.	The value is of the enumerated type: protect: If the number of learned MAC addresses exceeds the upper limit, the interface discards packets with new source MAC addresses. If static MAC address flapping is detected, the interface discards the packets with this MAC address. restrict: If the number of learned MAC addresses exceeds the upper limit, the interface discards packets with new source MAC addresses and sends a trap. If static MAC address flapping is detected, the interface discards the packets with this MAC address and sends a trap. shutdown: If the number of learned MAC addresses exceeds the upper limit or static MAC address flapping is detected, the interface sets the interface status to error down and sends a trap.	N/A
/ietf-interfaces:interfaces/interface/huawei-mac:mac-security/port-security/port-security-aging/aging-time	Configures the aging time of secure dynamic MAC addresses on an interface.	The value is an integer in the range from 1 to 1440, in minutes.	N/A
/ietf-interfaces:interfaces/interface/huawei-mac:mac-security/port-security/port-security-aging/aging-type	Configures the type of the aging time of secure dynamic MAC addresses on an interface.	The value is of the enumerated type: absolute: Indicates the absolute aging time. After the absolute aging time of secure dynamic MAC addresses is set, the system calculates the lifetime of each MAC address every minute. If the lifetime plus 1 minute is longer than or equal to the aging time, the secure dynamic MAC address is aged immediately. If the lifetime plus 1 minute is shorter than the aging time, the system determines whether to delete the secure dynamic MAC address after 1 minute. inactivity: Indicates the relative aging time. After the relative aging time of secure dynamic MAC addresses is set, the system checks traffic from each secure dynamic MAC address every 1 minute. If no traffic is received from a secure dynamic MAC address, this MAC address is aged after the aging time expires.	N/A
/ietf-interfaces:interfaces/interface/huawei-mac:mac-security/port-security/sticky	Enables the sticky MAC function on an interface.	Boolean type. Options: true: enables the function. false: disables the function.	Before setting this object to true, you must set /ietf-interfaces:interfaces/interface/huawei-mac:mac-security/port-security/enable to true. Before setting ietf-interfaces:interfaces/interface/huawei-mac:mac-security/port-security/enable to false, you must set this object to false.

Configuring Port Security

This section provides a sample of configuring port security using the edit-config method.

Table 2-374 Configuring port security

Operation	XPATH
edit-config	/ietf-interfaces:interfaces/interface/huawei-mac:mac-security/port-security /huawei-mac:static-flapping-protect /ietf-interfaces:interfaces/interface/name /ietf-interfaces:interfaces/interface/type

Data Requirement 1: Configuring the Port Security Function

Item	Data	Description
Whether to enable static MAC address flapping detection	true	Enable static MAC address flapping detection.
Interface name	GigabitEthernet1/0/9	Set the interface name to GigabitEthernet1/0/9.
Interface type	ethernetCsmacd	Set the interface type to physical interface.
Port security	true	Enable port security.
Maximum number of secure MAC addresses that can be learned on the interface	999	Set the maximum number of secure MAC addresses that can be learned on the interface to 999.
Protection action to be taken when the number of learned MAC addresses on the interface enabled with port security exceeds the upper limit or static MAC address flapping is detected	shutdown	Set the protection action to be taken when the number of learned MAC addresses on the interface enabled with port security exceeds the upper limit or static MAC address flapping is detected to shutdown.
Aging time of secure dynamic MAC addresses	1002	Set the aging time of secure dynamic MAC addresses to 1002 minutes.
Type of the aging time of secure dynamic MAC addresses	absolute	Set the type of the aging time of secure dynamic MAC addresses to absolute.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <huawei-mac:static-flapping-protect xmlns:huawei-mac="urn:huawei:params:xml:ns:yang:huawei-mac">
        <huawei-mac:enable>true</huawei-mac:enable>
      </huawei-mac:static-flapping-protect>
      <if:interfaces xmlns:if="urn:ietf:params:xml:ns:yang:ietf-interfaces">
        <if:interface>
          <if:name>GigabitEthernet1/0/9</if:name>
          <if:type xmlns:iana-if-type="urn:ietf:params:xml:ns:yang:iana-if-type">iana-if-type:ethernetCsmacd</if:type>
          <huawei-mac:mac-security xmlns:huawei-mac="urn:huawei:params:xml:ns:yang:huawei-mac">
            <huawei-mac:port-security>
              <huawei-mac:enable>true</huawei-mac:enable>
              <huawei-mac:maxinum>999</huawei-mac:maxinum>
              <huawei-mac:action>shutdown</huawei-mac:action>
              <huawei-mac:port-security-aging>
                <huawei-mac:aging-time>1002</huawei-mac:aging-time>
                <huawei-mac:aging-type>absolute</huawei-mac:aging-type>
              </huawei-mac:port-security-aging>
            </huawei-mac:port-security>
          </huawei-mac:mac-security>
        </if:interface>
      </if:interfaces>
    </config>
  </edit-config>
</rpc>

Response Example

# Sample of successful response

##### Ok Reply or Operation Successful #####
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <ok/>
</rpc-reply>

# Sample of failed response

##### Error Reply or Operation Failed #####
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0">
  <rpc-error>
    <error-app-tag>-1</error-app-tag>
    <error-message>Wrong interface name.</error-message>
    <error-info>Error on node /ietf-interfaces:interfaces/interface[name="GigabitEthernet1/0/9"]/type</error-info>
  </rpc-error>
</rpc-reply>

Data Requirement 2: Deleting the Port Security Configuration

Delete the configuration performed in Data Requirement 1.

Request Example

<?xml version='1.0' encoding='UTF-8'?>
<rpc message-id="1" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <running/>
    </target>
    <config>
      <huawei-mac:static-flapping-protect xmlns:huawei-mac="urn:huawei:params:xml:ns:yang:huawei-mac" xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="delete">
        <huawei-mac:enable>true</huawei-mac:enable>
      </huawei-mac:static-flapping-protect>
      <if:interfaces xmlns:if="urn:ietf:params:xml:ns:yang:ietf-interfaces">
        <if:interface>
          <if:name>GigabitEthernet1/0/9</if:name>
          <if:type xmlns:iana-if-type="urn:ietf:params:xml:ns:yang:iana-if-type">iana-if-type:ethernetCsmacd</if:type>
          <huawei-mac:mac-security xmlns:huawei-mac="urn:huawei:params:xml:ns:yang:huawei-mac">
            <huawei-mac:port-security xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0" xc:operation="delete"/>
          </huawei-mac:mac-security>
        </if:interface>
      </if:interfaces>
    </config>
  </edit-config>
</rpc>

Response Example

# Sample of successful response

##### Ok Reply or Operation Successful #####
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <ok/>
</rpc-reply>

# Sample of failed response

##### Error Reply or Operation Failed #####
<?xml version='1.0' encoding='UTF-8'?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>data-missing</error-tag>
    <error-severity>error</error-severity>
    <error-path/>
    <error-message>edit operation failed.</error-message>
  </rpc-error>
</rpc-reply>

Data Model
Configuring Port Security

Translation

简体中文

Download

Updated: 2022-05-25

Document ID: EDOC1100126933

Downloads: 83

Average rating:

This Document Applies to these Products

Related Version

Digital Signature File

Digital Signature Authentication Mode

Enterprise

Huawei Cloud

Carrier

Consumer

Corporate