
port-security enable

Function

The port-security enable command enables the port security function on an interface.

The undo port-security enable command disables the port security function on an interface.

By default, port security is disabled on an interface.

Format

port-security enable

undo port-security enable

Parameters

None

Views

GE interface view, Ethernet interface view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After port security is enabled on an interface, MAC address entries learned by the interface are stored in the MAC address table as secure dynamic MAC address entries. By default, secure dynamic MAC addresses will not be aged out. If the aging time of secure dynamic MAC address entries is set, these entries will be aged out. After the device restarts, secure dynamic MAC address entries are lost and need to be relearned. You can also create secure static MAC addresses which do not age out.

Port security has the following functions:

  • Prevent unauthorized guests from using their computers to connect to an enterprise network.
  • Prevent employees of a company from moving their computers without permission.

Precautions

  • The total number of MAC addresses on interfaces enabled with port security cannot exceed 4096. For example, if interfaces 1, 2, 3, and 4 have each learned 1000 MAC addresses, interface 5 can learn a maximum of 96 MAC addresses.
  • The protection action, the maximum number of learned secure MAC address entries, secure static MAC addresses, and the sticky MAC function can be configured only after port security is enabled.
  • Port security and MAC address limiting conflict on an interface; therefore, the port-security enable and mac-limit maximum commands cannot be used on the same interface.
  • Port security and MUX VLAN conflict on an interface; therefore, it is not advisable to use the port-security enable and port mux-vlan enable commands on the same interface.
  • Port security and GVRP conflict on an interface; therefore, the port-security enable and gvrp commands cannot be used on the same interface.
  • Port security and the generation of snooping MAC entries conflict on an interface; therefore, the port-security enable and user-bind ip sticky-mac commands cannot be used on the same interface.
  • If port security is enabled after MAC address learning has been disabled using the mac-address learning disable command, the dynamic port security function does not take effect. If port security is enabled before MAC address learning is disabled on an interface, the device no longer learns MAC addresses on the interface, but secure MAC addresses that have already been learned are retained (including secure static MAC addresses).
  • When multiple NAC users are online on one interface and you want to enable the port security function on that interface, first run the port-security max-mac-num command to set the maximum number of MAC addresses the interface may learn, and then run the port-security enable command. Otherwise, only one user is retained and the other users are logged out.
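The rules in the usage scenario and the precautions above (secure dynamic versus secure static entries, the optional aging time, loss of dynamic entries on restart, the per-interface limit, the 4096 aggregate limit, and the order of port-security max-mac-num and port-security enable when NAC users are already online) interact in ways that are easier to see in a small model than in prose. The following Python simulation is an added example written for this page; it is not Huawei code and does not reproduce the switch implementation. It assumes a default per-interface limit of 1 (inferred from the NAC precaution, which says only one user is retained when the limit is not set first), does not model the configured protection action (a MAC that cannot be learned is simply not added), assumes secure static entries persist across a restart because they are saved configuration, and uses constructed interface names and MAC addresses.

```python
"""Constructed model of the port-security rules described on this page.
Added teaching example, not Huawei's implementation."""
from dataclasses import dataclass, field
from typing import Optional

GLOBAL_SECURE_MAX = 4096   # aggregate limit across port-security-enabled interfaces


@dataclass
class SecureEntry:
    mac: str
    static: bool             # secure static entries never age out
    learned_at: float = 0.0


@dataclass
class Interface:
    name: str
    enabled: bool = False
    # ASSUMPTION: default limit of 1, inferred from the NAC precaution.
    max_mac: int = 1
    aging_time: Optional[float] = None   # None: secure dynamic entries never age (default)
    table: dict = field(default_factory=dict)


class Switch:
    def __init__(self) -> None:
        self.interfaces: dict = {}

    def interface(self, name: str) -> Interface:
        return self.interfaces.setdefault(name, Interface(name))

    def total_secure(self) -> int:
        return sum(len(i.table) for i in self.interfaces.values() if i.enabled)

    def _has_room(self, itf: Interface) -> bool:
        return len(itf.table) < itf.max_mac and self.total_secure() < GLOBAL_SECURE_MAX

    def port_security_enable(self, name: str, already_online=()) -> list:
        """Enable port security; hosts already online are re-learned under the
        current limit, so with the default limit only the first one survives."""
        itf = self.interface(name)
        itf.enabled = True
        return [mac for mac in already_online if self.learn(name, mac)]

    def learn(self, name: str, mac: str, now: float = 0.0) -> bool:
        """Return True if the source MAC is (or becomes) a secure entry."""
        itf = self.interface(name)
        if not itf.enabled or mac in itf.table:
            return True
        if not self._has_room(itf):
            return False   # ASSUMPTION: protection action not modelled; MAC is just not learned
        itf.table[mac] = SecureEntry(mac, static=False, learned_at=now)
        return True

    def add_static(self, name: str, mac: str) -> bool:
        """Configure a secure static MAC address; it counts toward both limits."""
        itf = self.interface(name)
        if not itf.enabled or mac in itf.table or not self._has_room(itf):
            return False
        itf.table[mac] = SecureEntry(mac, static=True)
        return True

    def age(self, now: float) -> int:
        """Age out secure dynamic entries on interfaces with an aging time set."""
        expired = 0
        for itf in self.interfaces.values():
            if itf.aging_time is None:
                continue
            for mac, e in list(itf.table.items()):
                if not e.static and now - e.learned_at >= itf.aging_time:
                    del itf.table[mac]
                    expired += 1
        return expired

    def restart(self) -> None:
        """Secure dynamic entries are lost on restart; static entries are
        ASSUMED to persist as saved configuration."""
        for itf in self.interfaces.values():
            itf.table = {m: e for m, e in itf.table.items() if e.static}


def demo() -> dict:
    """Exercise each rule and return the observed values."""
    # 1. Aggregate budget: four ports holding 1000 entries each leave 96 for a fifth.
    sw = Switch()
    for n in range(1, 6):
        sw.interface(f"GE0/0/{n}").max_mac = 1000
        sw.port_security_enable(f"GE0/0/{n}")
    for n in range(1, 5):
        for k in range(1000):
            sw.learn(f"GE0/0/{n}", f"00-00-{n:02x}-00-{k // 256:02x}-{k % 256:02x}")
    fifth = sum(sw.learn("GE0/0/5", f"00-00-05-00-{k // 256:02x}-{k % 256:02x}")
                for k in range(200))
    # 2. NAC precaution: enabling first keeps one user; sizing the limit first keeps all.
    sw = Switch()
    kept_default = sw.port_security_enable("GE0/0/6", ["aa-1", "aa-2", "aa-3"])
    sw.interface("GE0/0/7").max_mac = 3
    kept_sized = sw.port_security_enable("GE0/0/7", ["bb-1", "bb-2", "bb-3"])
    # 3. Aging and restart: dynamic entries age out / are lost, the static one stays.
    sw = Switch()
    itf = sw.interface("GE0/0/8")
    itf.max_mac, itf.aging_time = 10, 300.0
    sw.port_security_enable(itf.name)
    sw.learn(itf.name, "cc-1", now=0.0)
    sw.add_static(itf.name, "cc-2")
    aged = sw.age(now=300.0)
    sw.learn(itf.name, "cc-3", now=301.0)
    sw.restart()
    return {"fifth_port_learned": fifth, "kept_with_default_limit": len(kept_default),
            "kept_after_max_mac_num": len(kept_sized), "aged_out": aged,
            "after_restart": sorted(itf.table)}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the fifth port stopping at 96 entries, only one of three online hosts surviving when the limit is left at its default, all three surviving when the limit is raised before enabling, and only the static entry remaining after aging and a restart. The model is useful for reasoning about the failure mode in the last precaution: the enable step itself is what evicts users, so the limit must already be in place when it runs.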

Example

# Enable port security on GigabitEthernet0/0/2.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] port-security enable
Copyright © Huawei Technologies Co., Ltd.