
Configure Port Security Rule

Configuration Condition

Before configuring the port security rule, first complete the following task:

  • Enable the port security function

Configure MAC Rule

To control whether a terminal can communicate based on its MAC address, use the MAC rule: packets that match a rule whose action is permit are forwarded, and packets that match a rule whose action is refuse (deny) are dropped.

Table 3-3 Configure the MAC rule

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | `configure terminal` | - |
| Enter the L2 Ethernet interface configuration mode | `interface interface-name` | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | `interface link-aggregation link-aggregation-id` | Either (see above). |
| Configure the MAC rule whose action is permit | `port-security permit mac-address mac-address-value [ desc security-rule-description \| ip-address ip-address-value [ desc security-rule-description ] \| ipv6-address ipv6-address-value [ desc security-rule-description ] \| vlan-id vlan-id [ desc security-rule-description ] ]` | Either. By default, no MAC rule is configured on the port. |
| Configure the MAC rule whose action is refuse | `port-security deny mac-address mac-address-value [ ip-address ip-address-value \| ipv6-address ipv6-address-value \| vlan-id vlan-id ]` | Either (see above). |

Configure IP Rule

To control whether a terminal can communicate based on its IP address, use the IP rule: packets that match a rule whose action is permit are forwarded, and packets that match a rule whose action is refuse (deny) are dropped.

Table 3-4 Configure the IP rule

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | `configure terminal` | - |
| Enter the L2 Ethernet interface configuration mode | `interface interface-name` | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | `interface link-aggregation link-aggregation-id` | Either (see above). |
| Configure the IP rule whose action is permit | `port-security permit ip-address ip-address-value [ to ip-address-value ]` | Either. By default, no IP rule is configured on the port. |
| Configure the IP rule whose action is refuse | `port-security deny ip-address ip-address-value [ to ip-address-value ]` | Either (see above). |

Configure IPv6 Rule

To control whether a terminal can communicate based on its IPv6 address, use the IPv6 rule: packets that match a rule whose action is permit are forwarded, and packets that match a rule whose action is refuse (deny) are dropped.

Table 3-5 Configure the IPv6 rule

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | `configure terminal` | - |
| Enter the L2 Ethernet interface configuration mode | `interface interface-name` | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | `interface link-aggregation link-aggregation-id` | Either (see above). |
| Configure the IPv6 rule whose action is permit | `port-security permit ipv6-address ipv6-address-value [ to ipv6-address-value ]` | Either. By default, no IPv6 rule is configured on the port. |
| Configure the IPv6 rule whose action is refuse | `port-security deny ipv6-address ipv6-address-value [ to ipv6-address-value ]` | Either (see above). |

Note:

  • Port security performs access control at the data link layer. For the currently supported MAC+IPv6, IPv6 and other IPv6-related rules, once the corresponding effective entry has been generated, subsequent packets are forwarded normally as long as they match the generated MAC + VLAN entry; the IPv6 address itself is not checked.

Configure MAX Rule

On a port with the port security function enabled, a connected terminal that matches neither a MAC rule nor an IP rule can still be allowed to communicate by configuring the MAX rule, which limits the number of terminals permitted to access the port.

Table 3-6 Configure the MAX rule

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | `configure terminal` | - |
| Enter the L2 Ethernet interface configuration mode | `interface interface-name` | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | `interface link-aggregation link-aggregation-id` | Either (see above). |
| Configure the MAX rule | `port-security maximum maximum-number` | Mandatory. By default, the number of MAC addresses the MAX rule permits to be learned is 0. |

Note:

  • The number of dynamic addresses actually learned by the MAX rule is also limited by the port, the VLAN and the number of system MAC addresses.

Configure STICKY Rule

To save the MAC address and VLAN information of terminals permitted by the MAX rule in the configuration, enable the STICKY function on the device; entries learned via the MAX rule are then converted to STICKY rules. After the conversion, the MAX rule quantity can be adjusted to the number of current STICKY rules so that only terminals matching a STICKY rule can communicate. In this way the device automatically learns the MAC address of each access terminal, converts it to a STICKY rule and saves it in the configuration, avoiding manual configuration of MAC rules.

Table 3-7 Configure the STICKY rule

| Step | Command | Description |
|---|---|---|
| Enter global configuration mode | `configure terminal` | - |
| Enter the L2 Ethernet interface configuration mode | `interface interface-name` | Either. After entering the L2 Ethernet interface configuration mode, the subsequent configuration takes effect only on the current port. After entering the aggregation group configuration mode, the subsequent configuration takes effect only on the aggregation group. |
| Enter the aggregation group configuration mode | `interface link-aggregation link-aggregation-id` | Either (see above). |
| Configure the MAX rule | `port-security maximum maximum-number` | Mandatory. By default, the number of dynamic MAC addresses the MAX rule permits to be learned is 0. The STICKY rule can be configured only after the MAX rule number has been configured. |
| Enable the STICKY function | `port-security permit mac-address sticky` | Mandatory. By default, the STICKY function is disabled. The STICKY rule can be configured only after the STICKY function has been enabled. |
| Configure the STICKY rule | `port-security permit mac-address sticky [ mac-address-value [ desc security-rule-description \| vlan-id vlan-id [ desc security-rule-description ] \| ip-address ip-address-value [ desc security-rule-description ] \| ipv6-address ipv6-address-value [ desc security-rule-description ] ] ]` | Mandatory. By default, no STICKY rule is configured on the port. |
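The following configuration session combines the commands from Tables 3-3 to 3-7 on one access port; it is an added example, not configuration from the original guide. The interface name, the MAC address notation, the addresses and the descriptions are constructed placeholders, and lines starting with `!` are reader comments rather than CLI input.

```text
! Added example: port security rules on a single access port.
! Interface name, MAC/IP values and "!" comment convention are assumed.
configure terminal
 interface gigabitethernet0/1
  ! MAC rule (Table 3-3): one known host is permitted only on VLAN 10;
  ! a second MAC address is refused regardless of VLAN.
  port-security permit mac-address 0001.0203.0405 vlan-id 10 desc printer-floor2
  port-security deny mac-address 00aa.bbcc.ddee desc blocked-host
  ! IP rule (Table 3-4): a small static address range is permitted.
  port-security permit ip-address 192.0.2.10 to 192.0.2.12
  ! MAX rule (Table 3-6): the default limit is 0, so a terminal that matches
  ! no MAC or IP rule cannot communicate until a limit is configured.
  ! Allow two such terminals to be learned dynamically.
  port-security maximum 2
  ! STICKY (Table 3-7): entries learned through the MAX rule are converted
  ! to STICKY rules and kept in the configuration.
  port-security permit mac-address sticky
  ! A STICKY rule may also be entered directly once the function is enabled.
  port-security permit mac-address sticky 0011.2233.4455 vlan-id 10 desc laptop-learned
 exit
exit
```

Once the expected terminals have been learned and converted, the guide's intended final step is to set `port-security maximum` to the number of STICKY rules present, so that only terminals matching a STICKY rule can communicate on the port.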