1.6.2 Configuring Port Security. Huawei AR550 Series, AR530 Series



Huawei AR530&AR550 Series Industrial Switch Routers

Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration

- Run the display mac-address static command to check static MAC address entries.
- Run the display mac-address dynamic command to check dynamic MAC address entries.
- Run the display mac-address blackhole command to check blackhole MAC address entries.
- Run the display mac-address aging-time command to check the aging time of dynamic MAC address entries.
- Run the display mac-address summary command to check statistics on all the MAC address entries.
- Run the display mac-address total-number command to check the number of MAC address entries.
- Run the display mac-limit command to check the limit of the number of learned MAC addresses.

----End

1.6.2 Configuring Port Security

The port security function changes MAC addresses learned on an interface into secure MAC addresses (including secure dynamic MAC addresses and sticky MAC addresses). Only hosts using secure MAC addresses or static MAC addresses can communicate with the device through the interface. This function enhances security of the device.

Pre-configuration Tasks

Before configuring port security on an interface, complete the following tasks:

- Disabling MAC address limiting on the interface
- Disabling MAC address authentication on the interface
- Disabling 802.1x authentication on the interface
- Disabling MAC address security for DHCP snooping on the interface

1.6.2.1 Configuring the Secure MAC Function on an Interface

Context

If a network requires high access security, you can configure port security on specified interfaces. MAC addresses learned by these interfaces change to secure dynamic MAC addresses or sticky MAC addresses. When the number of learned MAC addresses reaches the limit, the interface does not learn new MAC addresses and allows only the devices with the learned MAC addresses to communicate with the industrial switch router. This prevents devices with untrusted MAC addresses from accessing these interfaces, improving security of the industrial switch router and the network.

By default, secure dynamic MAC addresses will not be aged out. You can set the aging time for secure dynamic MAC addresses so that they can be aged out. Secure dynamic MAC addresses are lost after the device restarts and the device needs to learn the MAC addresses again.

Issue 01 (2014-11-30) Huawei Proprietary and Confidential

Copyright © Huawei Technologies Co., Ltd.


Procedure

Step 1 Run: system-view

The system view is displayed.

Step 2 Run: interface interface-type interface-number

The interface view is displayed.

Step 3 Run: port-security enable

Port security is enabled.

By default, port security is disabled on an interface.

Step 4 (Optional) Run: port-security max-mac-num max-number

The limit on the number of secure dynamic MAC addresses is set.

By default, the limit on the number of secure dynamic MAC addresses is 1.

Step 5 (Optional) Run: port-security protect-action { protect | restrict | shutdown }

The protection action is configured.

The default action is restrict.

The protection actions are as follows:

- protect: discards packets with new source MAC addresses when the number of learned MAC addresses reaches the limit.
- restrict: discards packets with new source MAC addresses and sends an alarm when the number of learned MAC addresses exceeds the limit.
- shutdown: sets the interface status to error down and sends an alarm when the number of learned MAC addresses exceeds the limit.

By default, an interface cannot automatically restore to Up state after it is shut down. To restore the interface, run the undo shutdown command on the interface in sequence. Alternatively, run the restart command on the interface to restart the interface.

Step 6 (Optional) Run: port-security aging-time time

The aging time of secure dynamic MAC addresses is set.

By default, secure dynamic MAC addresses will not be aged out.

----End
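The following audit script is an added example, not part of the Huawei guide: it reads a saved configuration and reports the effective port-security settings for each interface, filling in the defaults stated in the procedure above. The dump layout (interface stanzas separated by "#"), the interface names, the sample values and the "manual-recovery" key are assumptions made for illustration.

```python
import re

# Defaults stated in the procedure: limit 1, action restrict, no aging.
DEFAULTS = {"max-mac-num": "1", "protect-action": "restrict", "aging-time": None}
OPTION = re.compile(r"port-security (max-mac-num|protect-action|aging-time) (\S+)")

# Constructed sample; interface names, values and dump layout are assumptions.
SAMPLE_CONFIG = """\
interface Ethernet0/0/1
 port-security enable
#
interface Ethernet0/0/2
 port-security enable
 port-security max-mac-num 4
 port-security protect-action shutdown
 port-security aging-time 30
#
interface Ethernet0/0/3
 description uplink
"""

def parse_interfaces(config_text):
    """Split a configuration dump into {interface name: [command lines]}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "#":
            current = None
        elif current and line:
            interfaces[current].append(line)
    return interfaces

def audit_port_security(config_text):
    """Return effective port-security settings per interface, defaults applied."""
    report = {}
    for name, lines in parse_interfaces(config_text).items():
        if "port-security enable" not in lines:
            report[name] = {"enabled": False}  # disabled is the default
            continue
        settings = dict(DEFAULTS, enabled=True)
        for line in lines:
            if m := OPTION.fullmatch(line):
                settings[m.group(1)] = m.group(2)
        # An error-down interface is not restored automatically by default.
        settings["manual-recovery"] = settings["protect-action"] == "shutdown"
        report[name] = settings
    return report
```

Interfaces reported with "enabled": False accept any source MAC address; those with "manual-recovery": True need an operator to bring them back up after a violation.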
