Port Security - Huawei AR530 series Configuration Manual

Industrial switch routers ethernet switching

Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
- Disabling MAC address learning on an interface or a VLAN
  After MAC address learning is disabled on an interface or a VLAN, no MAC address entry can
  be learned on the interface or VLAN. The system deletes the previously learned dynamic MAC
  entries after the aging time expires. You can also manually delete these entries.
- Limiting the number of MAC addresses on an interface or a VLAN
  You can limit the maximum number of dynamic MAC address entries on a specified VLAN or
  interface. After the number of MAC address entries learned by the VLAN or interface reaches
  the limit, no MAC address entry can be learned on the VLAN or interface until the previously
  learned MAC address entries age out.

In most cases, attack packets sent by a hacker enter a switch through the same interface.
Therefore, you can set the limit on the number of MAC address entries or disable MAC address
learning on an interface to prevent attack packets from exhausting the MAC address table.

1.2.3 Port Security

Introduction to Port Security

The port security function changes MAC addresses learned on an interface into secure MAC
addresses (including dynamic secure MAC addresses and sticky MAC addresses). Only hosts
using secure MAC addresses or static MAC addresses can communicate with the device through
the interface. This function enhances device security.

Secure MAC Address Learning

Secure MAC addresses are classified into dynamic secure MAC addresses and sticky MAC
addresses:
- Dynamic secure MAC addresses are learned on an interface where port security is enabled
  but the sticky MAC function is disabled. By default, secure dynamic MAC addresses will
  never be aged out. After the switch restarts, secure dynamic MAC addresses are lost and
  need to be learned again.
- Sticky MAC addresses are learned on an interface where both port security and the sticky
  MAC function are enabled. Sticky MAC addresses will not be aged out. After you save the
  configuration and restart the switch, sticky MAC addresses still exist.

Before port security is enabled on an interface, MAC address entries can be configured statically
or learned dynamically on the interface. After port security is enabled on an interface, dynamic
MAC address entries that have been learned on the interface are deleted and MAC address entries
learned subsequently turn into secure dynamic MAC address entries. Only packets with source
MAC addresses matching the secure dynamic MAC address entries or static MAC address
entries can pass through the interface. After the sticky MAC function is enabled on the interface,
existing secure dynamic MAC address entries and MAC address entries learned subsequently
on the interface turn into sticky MAC address entries. When the number of secure MAC
addresses reaches the limit, the switch stops learning MAC addresses on the interface and takes
a protection action on the interface or packets received.

1.2.4 MAC Address Flapping

MAC address flapping occurs when a MAC address is learned by two interfaces in the same
VLAN. The MAC address entry learned later replaces the earlier one. If a large number of MAC

Issue 01 (2014-11-30)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
1 MAC Address Table Configuration
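
The learning rules of section 1.2.3 (Port Security) as a small Python model, added here as an example and not taken from the Huawei manual or device software. The class name, method names and MAC addresses are constructed, and the protection action is assumed to be dropping the frame and counting a violation.

```python
# Added illustration of the learning rules in section 1.2.3 (not Huawei code).
# SecurePort and its methods are hypothetical names; the protection action is
# assumed here to be "drop the frame and count a violation".
class SecurePort:
    def __init__(self, max_secure, static=()):
        self.max_secure = max_secure   # limit on secure MAC addresses
        self.static = set(static)      # statically configured entries
        self.dynamic = set()           # ordinary dynamic entries
        self.secure = {}               # mac -> "dynamic" or "sticky"
        self.saved_sticky = set()      # sticky entries in the saved config
        self.port_security = self.sticky = False
        self.violations = 0

    def enable_port_security(self):
        self.dynamic.clear()           # previously learned dynamic entries go
        self.port_security = True

    def enable_sticky(self):
        self.sticky = True             # existing secure dynamic -> sticky
        self.secure = dict.fromkeys(self.secure, "sticky")

    def receive(self, src_mac):
        """Return True if a frame with this source MAC passes the port."""
        if not self.port_security:
            self.dynamic.add(src_mac)
            return True
        if src_mac in self.static or src_mac in self.secure:
            return True
        if len(self.secure) < self.max_secure:
            self.secure[src_mac] = "sticky" if self.sticky else "dynamic"
            return True
        self.violations += 1           # limit reached: learning stops
        return False

    def save_config(self):
        self.saved_sticky = {m for m, k in self.secure.items() if k == "sticky"}

    def restart(self):
        # Secure dynamic entries are lost; saved sticky entries come back.
        self.dynamic.clear()
        self.secure = dict.fromkeys(self.saved_sticky, "sticky")

if __name__ == "__main__":
    port = SecurePort(max_secure=2, static={"0011-2233-4455"})  # constructed MACs
    port.enable_port_security()
    for mac in ["00aa-0000-0001", "00aa-0000-0002", "00aa-0000-0003"]:
        print(mac, "pass" if port.receive(mac) else "blocked")
    port.enable_sticky(); port.save_config(); port.restart()
    print(port.secure, "violations:", port.violations)
```

The third address is blocked because the limit of two secure entries is reached, and only the entries that were sticky when the configuration was saved are present after the restart.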
