Configuration Condition
Before configuring the port security rule, first complete the following task:
- Enable the port security function
Configure MAC Rule
To control whether a terminal can communicate based on its MAC address, use the MAC rule: packets that match a rule whose action is permit are forwarded, and packets that match a rule whose action is deny are dropped.

Table 3-3 Configure the MAC rule

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port; after entering the aggregation group configuration mode, it takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | |
| Configure the MAC rule whose action is permit | port-security permit mac-address mac-address-value [ desc security-rule-description \| ip-address ip-address-value [ desc security-rule-description ] \| ipv6-address ipv6-address-value [ desc security-rule-description ] \| vlan-id vlan-id [ desc security-rule-description ] ] | Either. By default, no MAC rule is configured on the port. |
| Configure the MAC rule whose action is deny | port-security deny mac-address mac-address-value [ ip-address ip-address-value \| ipv6-address ipv6-address-value \| vlan-id vlan-id ] | |
Configure IP Rule
To control whether a terminal can communicate based on its IP address, use the IP rule: packets that match a rule whose action is permit are forwarded, and packets that match a rule whose action is deny are dropped.

Table 3-4 Configure the IP rule

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port; after entering the aggregation group configuration mode, it takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | |
| Configure the IP rule whose action is permit | port-security permit ip-address ip-address-value [ to ip-address-value ] | Either. By default, no IP rule is configured on the port. |
| Configure the IP rule whose action is deny | port-security deny ip-address ip-address-value [ to ip-address-value ] | |
Configure IPv6 Rule
To control whether a terminal can communicate based on its IPv6 address, use the IPv6 rule: packets that match a rule whose action is permit are forwarded, and packets that match a rule whose action is deny are dropped.

Table 3-5 Configure the IPv6 rule

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port; after entering the aggregation group configuration mode, it takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | |
| Configure the IPv6 rule whose action is permit | port-security permit ipv6-address ipv6-address-value [ to ipv6-address-value ] | Either. By default, no IPv6 rule is configured on the port. |
| Configure the IPv6 rule whose action is deny | port-security deny ipv6-address ipv6-address-value [ to ipv6-address-value ] | |

Note: Port security is an access-control function at the data link layer. For the currently supported MAC+IPv6, IPv6 and other IPv6-related rules, once the corresponding effective entry has been generated, subsequent packets are forwarded normally as long as they match the generated MAC + VLAN entry; the IPv6 address is not checked again.
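The following configuration sequence is an added example, not taken from the manual, that strings together the MAC, IP and IPv6 rules from Tables 3-3 to 3-5 on one access port and on one aggregation group. All values are constructed: the interface name gigabitethernet0/1, the aggregation group id 1, the MAC address format (xxxx.xxxx.xxxx) and the addresses are assumptions about this device and must be replaced with values valid on yours. The lines starting with "!" are annotations for the reader, not device input, and the port security function is assumed to be already enabled on the port (the prerequisite listed above, whose command is not part of this section).

```text
! Added example (constructed values); port security already enabled on the port
configure terminal
interface gigabitethernet0/1
! MAC rules: bind a printer to VLAN 10, a workstation to its IPv4 address
port-security permit mac-address 0001.7a00.0001 vlan-id 10 desc printer-floor2
port-security permit mac-address 0001.7a00.0002 ip-address 192.0.2.12 desc workstation-12
! MAC rule with action deny: traffic from this address is dropped
port-security deny mac-address 0001.7a00.00ff
! IP rules: permit a small range, deny one address
port-security permit ip-address 192.0.2.16 to 192.0.2.31
port-security deny ip-address 192.0.2.100
! IPv6 rule: permit a range of addresses
port-security permit ipv6-address 2001:db8:10::100 to 2001:db8:10::1ff
exit
! The same rule types apply to an aggregation group; they then take effect only on that group
interface link-aggregation 1
port-security permit mac-address 0001.7a00.0101 vlan-id 20 desc server-lag1
exit
```

When reviewing such a configuration, keep the note above in mind: for the IPv6-related rules, once the effective MAC + VLAN entry exists, later packets that match that entry are forwarded without the IPv6 address being checked, so an IPv6 rule alone does not bind a terminal to a particular IPv6 address for the lifetime of the entry.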
Configure MAX Rule
On a port enabled with the port security function, if connected terminals that match neither a MAC rule nor an IP rule should also be able to communicate, configure the MAX rule; it limits the number of access terminals that are permitted.

Table 3-6 Configure the MAX rule

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port; after entering the aggregation group configuration mode, it takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | |
| Configure the MAX rule | port-security maximum maximum-number | Mandatory. By default, the number of MAC addresses the MAX rule permits to be learned is 0. |

Note: The number of dynamic addresses actually learned under the MAX rule is also limited by the port, the VLAN and the number of system MAC addresses.
Configure STICKY Rule
If the MAC address and VLAN information of the terminals permitted by the MAX rule should be saved in the configuration, enable the STICKY function on the device so that the entries the device learns via the MAX rule are converted to STICKY rules. After the conversion, adjust the MAX rule quantity according to the number of current STICKY rules so that only terminals matching a STICKY rule can communicate. In this way the device automatically learns the MAC addresses of the access terminals, converts them to STICKY rules and saves them in the configuration, which avoids configuring MAC rules manually.

Table 3-7 Configure the STICKY rule

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | configure terminal | - |
| Enter the L2 Ethernet interface configuration mode | interface interface-name | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port; after entering the aggregation group configuration mode, it takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | interface link-aggregation link-aggregation-id | |
| Configure the MAX rule | port-security maximum maximum-number | Mandatory. By default, the number of dynamic MAC addresses the MAX rule permits to be learned is 0. The STICKY rule can be configured only after the MAX rule quantity has been configured. |
| Enable the STICKY function | port-security permit mac-address sticky | Mandatory. By default, the STICKY function is disabled. The STICKY rule can be configured only after the STICKY function has been enabled. |
| Configure the STICKY rule | port-security permit mac-address sticky [ mac-address-value [ desc security-rule-description \| vlan-id vlan-id [ desc security-rule-description ] \| ip-address ip-address-value [ desc security-rule-description ] \| ipv6-address ipv6-address-value [ desc security-rule-description ] ] ] | Mandatory. By default, no STICKY rule is configured on the port. |
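The following sequence is an added example, not taken from the manual, that walks through the MAX and STICKY procedure of Tables 3-6 and 3-7 in the order the tables require: MAX rule first, then the STICKY function, then an optional hand-entered STICKY rule. The interface name gigabitethernet0/2, the MAC address format and the addresses are constructed assumptions, and the lines starting with "!" are reader annotations rather than device input. As above, port security is assumed to be already enabled on the port.

```text
! Added example (constructed values); port security already enabled on the port
configure terminal
interface gigabitethernet0/2
! Step 1: the MAX rule must exist before STICKY can be used (default is 0 learned addresses)
port-security maximum 3
! Step 2: enable the STICKY function; entries learned via the MAX rule are now
!         converted to STICKY rules and saved in the configuration
port-security permit mac-address sticky
! Step 3 (optional): a STICKY rule can also be entered by hand once the function is enabled,
!         with the same options as a MAC rule (vlan-id, ip-address, ipv6-address, desc)
port-security permit mac-address sticky 0001.7a00.0203 vlan-id 10 desc badge-reader
exit
```

Once the expected terminals have been learned and converted, follow the procedure described above: set port-security maximum according to the number of STICKY rules now present on the port, so that only terminals matching a STICKY rule can communicate and no further unknown addresses are admitted. Remember that the count of dynamically learned addresses is still bounded by the port, VLAN and system MAC address limits noted under the MAX rule.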