Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Issue 01 (2014-11-30)
• Run the display mac-address static command to check static MAC address entries.
• Run the display mac-address dynamic command to check dynamic MAC address entries.
• Run the display mac-address blackhole command to check blackhole MAC address entries.
• Run the display mac-address aging-time command to check the aging time of dynamic MAC address entries.
• Run the display mac-address summary command to check statistics on all the MAC address entries.
• Run the display mac-address total-number command to check the number of MAC address entries.
• Run the display mac-limit command to check the limit of the number of learned MAC addresses.
----End
1.6.2 Configuring Port Security
The port security function changes MAC addresses learned on an interface into secure MAC
addresses (including secure dynamic MAC addresses and sticky MAC addresses). Only hosts
using secure MAC addresses or static MAC addresses can communicate with the device through
the interface. This function enhances security of the device.
Pre-configuration Tasks
Before configuring port security on an interface, complete the following tasks:
• Disabling MAC address limiting on the interface
• Disabling MAC address authentication on the interface
• Disabling 802.1x authentication on the interface
• Disabling MAC address security for DHCP snooping on the interface
1.6.2.1 Configuring the Secure MAC Function on an Interface
Context
If a network requires high access security, you can configure port security on specified interfaces.
MAC addresses learned by these interfaces change to secure dynamic MAC addresses or sticky
MAC addresses. When the number of learned MAC addresses reaches the limit, the interface
does not learn new MAC addresses and allows only the devices with the learned MAC addresses
to communicate with the industrial switch router. This prevents devices with untrusted MAC
addresses from accessing these interfaces, improving security of the industrial switch router and
the network.
By default, secure dynamic MAC addresses will not be aged out. You can set the aging time for
secure dynamic MAC addresses so that they can be aged out. Secure dynamic MAC addresses
are lost after the device restarts and the device needs to learn the MAC addresses again.
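The secure MAC learning behaviour described in the Context of 1.6.2.1 (learning limit, optional aging, loss of secure dynamic entries on restart) can be followed in a small model. This is an added example, not code from the guide or from Huawei; the class, method and parameter names are hypothetical, the MAC addresses are constructed, and two points the text does not state are assumed: aging is counted from the time an entry was learned, and sticky entries survive a restart because the configuration was saved.

```python
# Added illustration: toy model of secure MAC learning on one interface.
# Class, method and parameter names are hypothetical, not device commands.

class SecurePort:
    def __init__(self, max_macs, aging_time=None, sticky=False):
        self.max_macs = max_macs      # learning limit on the interface
        self.aging_time = aging_time  # None: secure dynamic entries never age (default)
        self.sticky = sticky          # learn entries as sticky instead of secure dynamic
        self.table = {}               # mac -> (entry type, time learned)

    def _age_out(self, now):
        # Assumption: age is measured from the time the entry was learned.
        if self.aging_time is None:
            return
        for mac, (kind, learned) in list(self.table.items()):
            if kind == "secure-dynamic" and now - learned >= self.aging_time:
                del self.table[mac]

    def receive(self, src_mac, now=0):
        """Return True if a frame from src_mac is accepted, False if not."""
        self._age_out(now)
        mac = src_mac.lower()
        if mac in self.table:
            return True
        if len(self.table) >= self.max_macs:
            return False              # limit reached: no new address is learned
        kind = "sticky" if self.sticky else "secure-dynamic"
        self.table[mac] = (kind, now)
        return True

    def restart(self):
        # Secure dynamic entries are lost on restart. Keeping sticky entries
        # assumes the configuration was saved before the restart.
        self.table = {m: e for m, e in self.table.items() if e[0] == "sticky"}


def demo():
    # Constructed MAC addresses, for illustration only.
    a, b, c = "00e0-fc00-0001", "00e0-fc00-0002", "00e0-fc00-0003"
    port = SecurePort(max_macs=2)
    results = [port.receive(a), port.receive(b), port.receive(c), port.receive(a)]
    port.restart()                    # table is empty again, so c can be learned
    results.append(port.receive(c))
    return results


if __name__ == "__main__":
    print(demo())  # [True, True, False, True, True]
```

The last result shows why a restart matters operationally: with secure dynamic entries the first devices seen after the restart occupy the table, whichever devices held it before.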
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
1 MAC Address Table Configuration