Section 1: Port Security
A MAC address is the fixed physical address of a device on the network, and controlling which MAC addresses are admitted on a switch port controls access to that port, so port security is essentially MAC address security. Inside the switch, the CAM (content addressable memory) table, also called the MAC address table, records the mapping between the MAC address of each connected device, the switch port on which it was learned, and the VLAN it belongs to.
I. The MAC address table has three kinds of entries
1. Static MAC address entries: bound manually; they take priority over dynamic entries.
2. Dynamic MAC address entries: when the switch receives a frame it learns the source MAC address into the MAC address table.
3. Blackhole MAC address entries: bound manually or learned automatically; used to discard frames carrying the specified MAC address.
II. MAC address table management commands
1. View the MAC address table
2. Configure a static MAC address entry
[Huawei] mac-address static 5489-98c0-7e34 gigabitethernet 0/0/1 vlan 1
Binds the MAC address to interface G0/0/1, valid in VLAN 1.
3. Configure a blackhole MAC address entry
[Huawei] mac-address blackhole 5489-987f-161a vlan 1
Frames received in VLAN 1 whose source or destination MAC address is this address are dropped.
4. Disable MAC address learning on a port; learning can be disabled on a port or in a VLAN
[Huawei-GigabitEthernet0/0/1] mac-address learning disable action discard
Stops learning MAC addresses and discards every frame received; can also be configured in a VLAN.
[Huawei-GigabitEthernet0/0/1] mac-address learning disable action forward
Stops learning MAC addresses but still forwards received frames by flooding (the switch's forwarding principle for unknown destination MAC addresses); can also be configured in a VLAN.
5. Limit the number of MAC addresses learned; can be configured on a port or in a VLAN
[Huawei-GigabitEthernet0/0/1] mac-limit maximum 9 alarm enable
Limits the port to learning 9 MAC addresses and raises an alarm when the limit is exceeded. MAC addresses beyond the limit are not learned by the port, but their frames can still be forwarded by flooding (the switch's forwarding principle for unknown destination MAC addresses); can also be configured in a VLAN.
6. Configure port security with dynamic secure MAC addresses
This feature gives dynamically learned MAC addresses a secure attribute; frames from MAC addresses that were not learned as secure are discarded by the port.
[Huawei-GigabitEthernet0/0/3] port-security enable
Enables the port security feature.
[Huawei-GigabitEthernet0/0/3] port-security max-mac-num 1
Limits the maximum number of secure MAC addresses to 1 (the default is 1).
[Huawei-GigabitEthernet0/0/3] port-security protect-action
Configures the action taken on frames from non-secure MAC addresses:
  protect: discard the frame, no alarm is generated
  restrict: discard the frame and generate an alarm (default)
  shutdown: discard the frame and shut down the port
[Huawei-GigabitEthernet0/0/3] port-security aging-time 300
Sets the secure MAC address aging time to 300 s; by default secure MAC addresses do not age.
With port security and dynamic secure MAC addresses configured as above, the first MAC address learned on port G0/0/3 becomes the secure MAC address, and frames from any other MAC address are not forwarded on this access port. After 300 s the secure MAC address table is refreshed and the secure MAC address is learned again (whichever MAC address the port learns first becomes the secure MAC address). Secure MAC addresses are also cleared and relearned after the switch restarts.
7. Configure port security with sticky MAC addresses
This feature works the same way as port security with dynamic secure MAC addresses. The only differences are that sticky MAC addresses do not age and are still present after the switch restarts, and that dynamic secure MAC addresses can only be learned dynamically, while sticky secure MAC addresses can be learned dynamically or configured manually.
[Huawei-GigabitEthernet0/0/3] port-security enable
Enables the port security feature.
[Huawei-GigabitEthernet0/0/3] port-security mac-address sticky
Enables the sticky secure MAC address feature.
[Huawei-GigabitEthernet0/0/3] port-security max-mac-num 1
Limits the maximum number of secure MAC addresses to 1 (the default is 1).
[Huawei-GigabitEthernet0/0/3] port-security mac-address sticky 5489-98d8-71d5 vlan 1
Manually binds a sticky MAC address and the VLAN it belongs to.
[Huawei-GigabitEthernet0/0/3] port-security protect-action restrict
Configures the action taken on frames from non-secure MAC addresses.
View the sticky MAC address entries:
[Huawei-GigabitEthernet0/0/3] display mac-address
MAC Address Table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/      PEVLAN CEVLAN Port            Type      LSP/LSR-ID
               VSI/SI                                             MAC-Tunnel
-------------------------------------------------------------------------------
5489-98d8-71d5 1          -      -      GE0/0/3         sticky    -
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 1
[Huawei-GigabitEthernet0/0/3]
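The behaviour described in sections 6 and 7 (secure MAC learning up to max-mac-num, the three protect-action choices, blackhole entries, and the difference between dynamic and sticky secure MACs across aging and restart) as a small Python model. This is an added example written for this page, not Huawei code; port names, MAC values and the class and method names are constructed for illustration.

```python
from dataclasses import dataclass, field
@dataclass
class PortSecurity:            # port-security enable / max-mac-num / protect-action / sticky
    max_mac_num: int = 1
    protect_action: str = "restrict"   # protect | restrict | shutdown
    sticky: bool = False               # port-security mac-address sticky
    secure_macs: set = field(default_factory=set)
    shut_down: bool = False
    alarms: list = field(default_factory=list)

class Switch:
    def __init__(self):
        self.blackhole = set()   # mac-address blackhole entries, checked first
        self.ports = {}          # port name -> PortSecurity (absent = not enabled)

    def enable_port_security(self, port, max_mac_num=1, action="restrict", sticky=False):
        self.ports[port] = PortSecurity(max_mac_num, action, sticky)

    def bind_sticky(self, port, mac):
        # manual binding exists only for sticky secure MACs, not for dynamic ones
        if not self.ports[port].sticky:
            raise ValueError("manual binding needs port-security mac-address sticky")
        self.ports[port].secure_macs.add(mac)

    def receive(self, port, src_mac):
        """Outcome for a frame arriving on port: 'forward', 'discard' or 'shutdown'."""
        if src_mac in self.blackhole:
            return "discard"
        ps = self.ports.get(port)
        if ps is None:                       # port security not enabled here
            return "forward"
        if ps.shut_down:
            return "discard"
        if src_mac in ps.secure_macs:
            return "forward"
        if len(ps.secure_macs) < ps.max_mac_num:
            ps.secure_macs.add(src_mac)      # the first arrivals become secure MACs
            return "forward"
        if ps.protect_action != "protect":   # restrict and shutdown raise an alarm
            ps.alarms.append((port, src_mac))
        if ps.protect_action == "shutdown":
            ps.shut_down = True
            return "shutdown"
        return "discard"

    def clear_dynamic(self):
        """Aging timeout or switch restart: dynamic secure MACs go, sticky MACs stay."""
        for ps in self.ports.values():
            if not ps.sticky:
                ps.secure_macs.clear()
```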
8. Configure the MAC address anti-flapping function
MAC address flapping means that a MAC address learned on one interface is also learned on another interface in the same VLAN, so the later entry overwrites the earlier one (the outbound interface changes frequently). This most often happens when there is a loop, so the feature can also be used to locate and resolve loop problems.
The MAC address anti-flapping function works on two principles:
1) Configure a priority on the interface: a MAC address learned on a high-priority interface will not be learned on other interfaces of the same VLAN that have a lower priority.
2) If the priorities are the same, you can configure the interfaces so that interfaces with the same priority are not allowed to learn the same MAC address.
[Huawei] mac-address flapping detection
Enables MAC address flapping detection globally.
[Huawei] interface G0/0/2
[Huawei-GigabitEthernet0/0/2] mac-learning priority 3
Sets the interface priority of G0/0/2 to 3 (the default is 0).
[Huawei-GigabitEthernet0/0/2] mac-address flapping trigger error-down
The interface goes error-down after MAC address flapping occurs on it.
[Huawei-GigabitEthernet0/0/2] quit
[Huawei] interface G0/0/3
[Huawei-GigabitEthernet0/0/3] mac-address flapping trigger error-down
The interface goes error-down after MAC address flapping occurs on it.
[Huawei-GigabitEthernet0/0/3] quit
After this configuration, port G0/0/3 is shut down when a MAC address of G0/0/2 flaps to G0/0/3.
View the MAC address flapping records: [Huawei] display mac-address flapping record
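The two anti-flapping principles and the error-down trigger from section 8, modelled in Python as an added example (not Huawei code). The class, its attributes and the port names are constructed; the allow_equal_priority flag stands in for principle 2, for which the page gives no command.

```python
class MacTable:
    """Model of mac-learning priority plus mac-address flapping trigger error-down."""
    def __init__(self):
        self.entries = {}               # (vlan, mac) -> port that currently holds the entry
        self.priority = {}              # port -> mac-learning priority, default 0
        self.trigger = set()            # ports configured with flapping trigger error-down
        self.error_down = set()         # ports the trigger has shut down
        self.records = []               # (vlan, mac, from_port, to_port) flapping records
        self.allow_equal_priority = True  # principle 2: False blocks equal-priority takeover

    def set_priority(self, port, prio):
        self.priority[port] = prio

    def learn(self, port, vlan, mac):
        """Process a source MAC seen on port; returns what the switch did with it."""
        if port in self.error_down:
            return "error-down"                  # shut port, frame not processed
        old = self.entries.get((vlan, mac))
        if old is None or old == port:
            self.entries[(vlan, mac)] = port
            return "learned"
        # the same MAC now appears on a second interface of the same VLAN: flapping
        self.records.append((vlan, mac, old, port))
        new_prio, old_prio = self.priority.get(port, 0), self.priority.get(old, 0)
        blocked = new_prio < old_prio or (
            new_prio == old_prio and not self.allow_equal_priority)
        if not blocked:
            self.entries[(vlan, mac)] = port      # plain flapping: entry moves
        if port in self.trigger:
            self.error_down.add(port)             # the flapping port is shut down
            return "error-down"
        return "kept" if blocked else "moved"
```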
9. Configure the function to drop frames with an all-zero MAC address
Some hosts or devices on the network send frames whose source and destination MAC addresses are all zeros when they fail; the switch can be configured to discard these erroneous frames.
[Huawei] drop illegal-mac enable
Enables discarding of frames with an all-zero MAC address.
[Huawei] snmp-agent trap enable feature-name lldptrap
Enables the SNMP LLDP trap alarm function.
[Huawei] drop illegal-mac alarm
Enables the alarm for received all-zero MAC address frames; the SNMP LLDP trap alarm function must be enabled first.
10. Configure MAC address update to refresh ARP
Automatically refreshes the ARP entry after the MAC address entry is updated (for example, when a user moves to a different access port).
[Huawei] mac-address update arp
11. Configure the port bridge function
Normally, when the switch receives a frame whose source MAC address and destination MAC address both map to the same interface, it treats the frame as illegal and discards it. In some cases, however, the source and destination MAC addresses of a frame really do belong to the same outbound interface; for the switch not to discard frames in these special cases, the port bridge feature must be enabled on the interface. Examples are a hub without Layer 2 forwarding capability attached to the switch, or an attached server hosting multiple virtual machines: the hosts behind the attached device communicate through the same switch interface, so these frames are legitimate and must not be discarded.
[Huawei] interface G0/0/10
[Huawei-GigabitEthernet0/0/10] port bridge enable
Enables the bridge function on the interface.
[Huawei-GigabitEthernet0/0/10] quit
Huawei Switch Port Security