
Configuring the Secure MAC Address Function

Context

You can configure port security and set the maximum number of secure MAC addresses that an interface can learn to improve access security on your network. Port security enables the switch to convert the MAC addresses learned by an interface into secure MAC addresses and to stop learning new MAC addresses once the configured maximum is reached. After port security is enabled, the switch communicates only with devices whose MAC addresses have been learned. If, after the number of secure MAC addresses reaches the limit, an interface receives packets whose source MAC address is not among the learned entries, the switch treats the packets as coming from an unauthorized user and takes the configured action on the interface. This prevents unauthorized users from accessing these interfaces and improves the security of the switch and the network. The following table describes the port security actions.

Table 1 Port security actions

  Action      Description
  restrict    Discards packets with a nonexistent source MAC address and generates a trap. This action is recommended.
  protect     Discards packets with a nonexistent source MAC address but does not generate a trap.
  shutdown    Sets the interface state to error-down and generates a trap.

By default, an interface in error-down state can only be restored using the restart command in the interface view.

To enable an interface in error-down state to automatically go Up after a period of time, run the error-down auto-recovery cause port-security interval interval-value command in the system view. In this command, interval-value specifies the period of time after which an interface can automatically go Up.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run port-security enable

    Port security is enabled.

    By default, port security is disabled on an interface.

  4. Run port-security max-mac-num max-number

    The maximum number of secure MAC addresses learned by an interface is set.

    By default, the maximum number of secure MAC addresses learned by an interface is 1.

    • If a PC connects to the switch using an IP phone, set the maximum number of secure MAC addresses to 3. This is because the IP phone occupies two MAC address entries and the PC occupies one MAC address entry. The VLAN IDs in the two MAC address entries used by the IP phone are different. The two VLANs are used to separately transmit voice and data packets.
    • When multiple NAC users are online under one interface and you want to enable the port security function on that interface, first run the port-security max-mac-num command to set the maximum number of MAC addresses the interface can learn, and only then run the port-security enable command. Otherwise, only one user is retained and the other users are logged out.

  5. (Optional) Run port-security mac-address mac-address vlan vlan-id

    A static secure MAC address entry is configured.

  6. (Optional) Run port-security protect-action { protect | restrict | shutdown }

    A port security action is configured.

    By default, the restrict action is used.

  7. (Optional) Run port-security aging-time time [ type { absolute | inactivity } ]

    The aging time of dynamic secure MAC address entries learned by the interface is set.

    Note that a short aging time (for example, 1 minute) causes MAC address entries to be aged out quickly and therefore results in traffic forwarding failures.

    By default, dynamic secure MAC address entries learned by an interface are not aged out.

Verifying the Configuration

  • Check secure MAC addresses.
    • Run the display mac-address security [ vlan vlan-id | interface-type interface-number ] * [ verbose ] command to check dynamic secure MAC address entries.
    • Run the display mac-address sec-config [ vlan vlan-id | interface-type interface-number ] * [ verbose ] command to check static secure MAC address entries.
  • To view trap information, run the display trapbuffer command or log in to the NMS.
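The following session is an added example, not part of the original page, that walks through the procedure and verification above for a PC connected through an IP phone. The interface name, the aging and recovery values, and the prompts are assumptions; lines starting with # are annotations, not commands.

```text
# Added example: PC behind an IP phone on GigabitEthernet0/0/1 (interface
# name assumed). Lines starting with '#' are annotations, not commands.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
# Set the limit (3: two entries for the phone, one for the PC) BEFORE enabling
# port security, so that users already online are not logged out when the
# default limit of 1 would otherwise take effect.
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 3
[HUAWEI-GigabitEthernet0/0/1] port-security enable
# restrict (drop and trap) is the default; stated explicitly so that any later
# change to protect or shutdown is visible in the configuration.
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action restrict
# Age out idle dynamic entries (value 30 assumed; see the command reference for
# the unit). Avoid very short values, which cause forwarding failures.
[HUAWEI-GigabitEthernet0/0/1] port-security aging-time 30 type inactivity
[HUAWEI-GigabitEthernet0/0/1] quit
# Only relevant if protect-action shutdown is used: let error-down interfaces
# recover automatically after 300 seconds (value assumed) instead of requiring
# a manual restart in the interface view.
[HUAWEI] error-down auto-recovery cause port-security interval 300
# Verify the learned secure entries and any restrict/shutdown traps.
[HUAWEI] display mac-address security gigabitethernet 0/0/1 verbose
[HUAWEI] display trapbuffer
```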

Copyright © Huawei Technologies Co., Ltd.