Huawei HCIE port security sticky basic configuration

Port security is often used at the access layer, where it can prevent counterfeit users from attacking other ports, and at the aggregation layer, where it can control the number of access users.
In a network with high security requirements for access users, the port security mechanism can convert the MAC addresses learned by an interface into secure dynamic MAC addresses or sticky MAC addresses. Once the number of MAC addresses learned by the interface reaches the specified limit, the device no longer learns new MAC addresses and only allows the already learned MAC addresses to communicate with the device. This effectively prevents hosts with untrusted MAC addresses from communicating with other hosts through this interface and improves network security.
Sticky MAC addresses do not age out. After the configuration is saved, a file (.ztbl/.ctbl/*.dtbl) containing the sticky MAC address information is generated on the device to store the secure MAC addresses. After the device restarts, the sticky MAC addresses are not lost and do not need to be learned again.

Before configuring the port security mechanism, make sure that:

  1. The MAC address learning restriction function of the interface is disabled
  2. The MUX VLAN function is not enabled
  3. The MAC security function of DHCP snooping is disabled

The configuration method is as follows:

  1. interface interface-type interface-number
    //Enter the interface that requires port security
  2. port-security enable
    //Enable the port security function; by default, this function is disabled
  3. port-security mac-address sticky
    //Enable the Sticky MAC function of the interface, which is not enabled by default
  4. port-security maximum max-number
    //Configure the limit on the number of sticky MAC addresses learned on the port; the default is 1
  5. port-security protect-action {protect | restrict | error-down}
    //Configure the port security protection action; the default protection action is restrict
  6. port-security mac-address sticky mac-address vlan vlan-id
    //Manually configure a sticky MAC entry
  7. error-down auto-recovery cause portsec-reachedlimit interval interval-value
    //Configure error-down automatic recovery

Check the configuration results:

  1. display current-configuration interface interface-type interface-number
    //View interface configuration information
  2. display mac-address security [vlan vlan-id | interface interface-type interface-number] *
    //View secure dynamic MAC table entries
  3. display mac-address sticky [vlan vlan-id | interface interface-type interface-number] *
    //View sticky MAC entries
  4. display port-security [interface interface-type interface-number]
    //View port security information
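
The verification step can be automated across many ports. The following is an added example, not part of the original article or any Huawei tooling: a Python audit that reads saved configuration text and reports each interface's effective port security settings, applying the defaults stated above (maximum 1, protect-action restrict). The sample configuration, interface names and the "#"-separated stanza layout are constructed assumptions.

```python
import re

# Constructed sample in the style of saved interface configuration
# (interface names, VLANs and values are made up for illustration).
SAMPLE_CONFIG = """\
#
interface 10GE1/0/1
 port default vlan 10
 port-security enable
 port-security mac-address sticky
 port-security maximum 2
 port-security protect-action error-down
#
interface 10GE1/0/2
 port-security enable
#
interface 10GE1/0/3
 port default vlan 20
#
"""

def parse_interfaces(config):
    """Map each interface name to the list of commands in its stanza."""
    stanzas, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "#" or any other top-level line ends the stanza
    return stanzas

def audit(config):
    """Return effective port security settings per interface."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        enabled = "port-security enable" in lines
        entry = {"enabled": enabled, "sticky": False, "maximum": None, "action": None}
        if enabled:
            # Defaults as stated in the article: maximum 1, action restrict.
            entry.update(sticky="port-security mac-address sticky" in lines,
                         maximum=1, action="restrict")
            for cmd in lines:
                if m := re.fullmatch(r"port-security maximum (\d+)", cmd):
                    entry["maximum"] = int(m.group(1))
                elif m := re.fullmatch(r"port-security protect-action (\S+)", cmd):
                    entry["action"] = m.group(1)
        report[name] = entry
    return report
```

Ports reported with `enabled` false, or enabled without `sticky`, are the ones to review against the intended access-layer policy.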
