
port-security max-mac-num

Function

The port-security max-mac-num command sets the maximum number of secure MAC addresses that can be learned on an interface.

The undo port-security max-mac-num command restores the default maximum number of secure MAC addresses that can be learned on an interface.

By default, only one MAC address can be learned on an interface.

Format

port-security max-mac-num max-number

undo port-security max-mac-num

Parameters

Parameter: max-number

Description: Specifies the maximum number of secure MAC addresses that can be learned by an interface.

Value: The value is an integer that ranges from 1 to 1024.

Views

Ethernet interface view, GE interface view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After enabling port security on an interface, you can run the port-security max-mac-num command to limit the number of MAC addresses that the interface can learn. Once the number of secure MAC addresses on the interface reaches the limit, any packet whose source MAC address is not already a secure MAC address on that interface is treated as coming from an unauthorized user, regardless of whether the destination MAC address of the packet is valid, and the switch takes the action configured with the port-security protect-action command on the interface. This prevents untrusted users from accessing these interfaces and improves the security of the switch and the network.

Precautions

  • The total number of MAC addresses on all interfaces enabled with port security cannot exceed 4096. For example, if interfaces 1, 2, 3, and 4 have each learned 1000 MAC addresses, interface 5 can learn at most 96 MAC addresses.
  • If the sticky MAC function is disabled, max-number limits the total of the secure dynamic MAC addresses learned by the interface plus the secure static MAC addresses configured manually.
  • If the sticky MAC function is enabled, max-number limits the total of the sticky MAC addresses learned by the interface plus the sticky MAC addresses and secure static MAC addresses configured manually.
  • When multiple NAC users are online on one interface and you want to enable port security on that interface, run the port-security max-mac-num command first to set the maximum number of MAC addresses the interface can learn, and only then run the port-security enable command. Otherwise, only one user is kept online and the other users are logged out.
  • If you run the port-security max-mac-num command multiple times in the same interface view, only the latest configuration takes effect.

Example

# Set the maximum number of MAC addresses that can be learned by GigabitEthernet0/0/1 to 5.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security max-mac-num 5
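# The following is an added example, not part of the original page, that extends the one above to the case described in the precautions: an interface with several NAC users already online, where the limit must be set before port security is enabled. It also configures the action taken when the limit is exceeded and shows how to verify the result. The interface number, the value 8, the protect-action keyword restrict, the sticky MAC command and the two display commands are assumptions about the software version and are not stated on this page.

```text
# Added example (not from the original page). Assumes GigabitEthernet0/0/2 is an
# access port with several NAC users already online, and that the protect-action
# keyword 'restrict' and the display commands below exist on this software version.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/2

# Set the limit BEFORE enabling port security. With NAC users online, enabling
# port security first would keep only one user and log the others out.
[HUAWEI-GigabitEthernet0/0/2] port-security max-mac-num 8
[HUAWEI-GigabitEthernet0/0/2] port-security enable

# Action taken once 8 secure MAC addresses exist and a 9th source MAC appears.
# Assumed keyword meanings: 'restrict' discards the packet and raises an alarm,
# 'protect' discards silently, 'shutdown' error-downs the interface.
[HUAWEI-GigabitEthernet0/0/2] port-security protect-action restrict

# Optional (assumed command): convert learned secure MACs into sticky entries
# that are kept in the configuration and do not age out.
[HUAWEI-GigabitEthernet0/0/2] port-security mac-address sticky

# Running the command again replaces the earlier value; only 16 is in effect.
[HUAWEI-GigabitEthernet0/0/2] port-security max-mac-num 16
[HUAWEI-GigabitEthernet0/0/2] quit

# Verify the configured limit and the secure MAC addresses actually learned.
[HUAWEI] display current-configuration interface gigabitethernet 0/0/2
[HUAWEI] display mac-address security interface gigabitethernet 0/0/2
```

When sizing max-number on several interfaces, keep the 4096 switch-wide budget from the precautions in mind: the sum of the limits you intend to fill across all port-security interfaces must stay within it.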
Copyright © Huawei Technologies Co., Ltd.