If a network requires high access security, configure port security on specified interfaces so that MAC addresses learned by these interfaces are converted to secure dynamic, secure static, or sticky MAC addresses. When the number of learned MAC addresses reaches the upper limit, the interfaces do not learn new MAC addresses. This prevents hosts with untrusted MAC addresses from accessing these interfaces, improving security of the switch and network.
Configure the secure MAC address function.
Configure GE1/0/1 to allow access from a maximum of two PCs, so the maximum number of secure MAC addresses is 2.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-security enable
[HUAWEI-GigabitEthernet1/0/1] port-security max-mac-num 2
[HUAWEI-GigabitEthernet1/0/1] port-security protect-action restrict
[HUAWEI-GigabitEthernet1/0/1] quit
Configure the sticky MAC address function.
Configure the sticky MAC address function for GE1/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-security enable
[HUAWEI-GigabitEthernet1/0/1] port-security mac-address sticky
[HUAWEI-GigabitEthernet1/0/1] port-security max-mac-num 5
[HUAWEI-GigabitEthernet1/0/1] quit
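To check that the settings above are actually in place across many interfaces, the following added example (not Huawei code and not part of the original page) audits saved configuration text for interfaces that lack `port-security enable` or whose `port-security max-mac-num` exceeds a site limit. The function names, the `max_allowed` policy value, and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample in saved-configuration style (not output from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 port-security enable
 port-security max-mac-num 2
 port-security protect-action restrict
#
interface GigabitEthernet1/0/2
 port-security enable
 port-security mac-address sticky
 port-security max-mac-num 5
#
interface GigabitEthernet1/0/3
 port-security enable
 port-security max-mac-num 50
#
interface GigabitEthernet1/0/4
#
"""

def parse_interfaces(text):
    """Map each interface name to the list of commands in its stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = re.fullmatch(r"interface\s+(\S+)", line)
        if match:
            current = stanzas.setdefault(match.group(1), [])
        elif line in ("", "#"):
            current = None  # '#' or a blank line closes the stanza
        elif current is not None:
            current.append(line)
    return stanzas

def audit(text, max_allowed=5):
    """Return {interface: [issues]}; max_allowed is an assumed site policy value."""
    report = {}
    for name, cmds in parse_interfaces(text).items():
        issues = []
        if "port-security enable" not in cmds:
            issues.append("port security not enabled")
        for cmd in cmds:
            m = re.fullmatch(r"port-security max-mac-num (\d+)", cmd)
            if m and int(m.group(1)) > max_allowed:
                issues.append(f"max-mac-num {m.group(1)} exceeds limit {max_allowed}")
        if issues:
            report[name] = issues
    return report
```

Calling `audit(SAMPLE_CONFIG)` reports GigabitEthernet1/0/3 and GigabitEthernet1/0/4; the two interfaces configured as on this page pass with the default limit of 5.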