Interface Security Overview; Interface Security Features Supported By The S9300; Configuring Interface Security - Huawei Quidway S9300 Configuration Manual

Terabit routing switch

9 Interface Security Configuration

9.1 Interface Security Overview

This section describes the principle of the interface security function.
The interface security function is a security protection mechanism that controls the access to the
network.
The interface security function records the MAC address of the host connected to an interface
of the S9300, that is, the network adapter ID of the host. Only the host with the specified MAC
address can communicate with this interface. Hosts with other MAC addresses are prevented
from communicating with the interface. The interface security function prevents certain devices
from accessing the network, thus enhancing network security.

9.2 Interface Security Features Supported by the S9300

This section describes the interface security features supported by the S9300.
The Ethernet and GE interfaces on the S9300 support the interface security function. After
interface security is configured on an Ethernet interface or a GE interface, the S9300 considers
the following types of MAC addresses authorized:
- Static MAC addresses that are manually configured
- Dynamic MAC addresses learned before the number of MAC addresses reaches the upper
  limit
- Dynamic or static MAC addresses in a DHCP snooping table
The S9300 considers other types of MAC addresses unauthorized. When an interface receives
the packets sent from unauthorized MAC addresses, the interface security function takes effect.
Currently, the S9300 supports the following protection actions in interface security:
- protect: When an interface receives the packets sent from unauthorized MAC addresses, it
  does not learn the source MAC addresses of the packets or forward the packets. Instead,
  the interface directly discards them.
- restrict: When an interface receives the packets sent from unauthorized MAC addresses, it
  does not learn the source MAC addresses of the packets or forward the packets. Instead,
  the interface directly discards them and sends a trap to the Network Management System
  (NMS).

9.3 Configuring Interface Security

This section describes how to configure the interface security function.
9.3.1 Establishing the Configuration Task
9.3.2 Enabling the Interface Security Function
9.3.3 (Optional) Configuring the Protection Action in Interface Security
9.3.4 Setting the Maximum Number of MAC Addresses Learned by an Interface
9.3.5 Enabling Sticky MAC on an Interface
9.3.6 Checking the Configuration
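
The authorization rules and the protect and restrict actions from section 9.2 can be modelled in a few lines. This is an added example, not Huawei code or S9300 configuration. The class, field and function names and the sample MAC addresses are constructed for illustration, and it assumes that only dynamically learned addresses count toward the upper limit.

```python
from dataclasses import dataclass, field

@dataclass
class SecuredPort:
    """Toy model of one interface with interface security enabled (all names hypothetical)."""
    max_mac_num: int                                  # upper limit for dynamic learning
    action: str = "protect"                           # "protect" or "restrict"
    static_macs: set = field(default_factory=set)     # manually configured
    snooping_macs: set = field(default_factory=set)   # entries in the DHCP snooping table
    learned: list = field(default_factory=list)       # dynamic entries, in learning order
    traps: list = field(default_factory=list)         # what the NMS would receive

    def receive(self, src_mac: str) -> str:
        """Return "forward" or "discard" for a frame with this source MAC."""
        if src_mac in self.static_macs or src_mac in self.snooping_macs:
            return "forward"
        if src_mac in self.learned:
            return "forward"
        # Assumption: only dynamically learned addresses count toward the limit.
        if len(self.learned) < self.max_mac_num:
            self.learned.append(src_mac)
            return "forward"
        # Unauthorized: the source MAC is neither learned nor forwarded.
        if self.action == "restrict":
            self.traps.append(src_mac)    # simplification: one trap per discarded frame
        return "discard"

# Constructed sample traffic: one static host, one DHCP client, three unknown hosts.
STATIC, SNOOPED = "00e0-fc00-0001", "00e0-fc00-0002"
FRAMES = [STATIC, "00e0-fc00-00c1", "00e0-fc00-00c2", "00e0-fc00-00c3",
          SNOOPED, "00e0-fc00-00c1", "00e0-fc00-00c3"]

def replay(action: str, max_mac_num: int = 2):
    """Run FRAMES through a fresh port; return (verdicts, traps)."""
    port = SecuredPort(max_mac_num, action, {STATIC}, {SNOOPED})
    return [port.receive(mac) for mac in FRAMES], port.traps

if __name__ == "__main__":
    for action in ("protect", "restrict"):
        verdicts, traps = replay(action)
        print(action, verdicts, "traps:", traps)
```

Both actions produce the same forwarding result. Only restrict leaves a record of the rejected source addresses for the NMS, which is what makes unauthorized connection attempts visible to operations staff.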
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Quidway S9300 Terabit Routing Switch
Configuration Guide - Security
Issue 06 (2010–01–08)