
port-security protect-action

Function

The port-security protect-action command configures the protection action to be used when the number of learned MAC addresses on an interface exceeds the upper limit or static MAC address flapping is detected.

The undo port-security protect-action command restores the default protection action.

The default action is restrict.

Format

port-security protect-action { protect | restrict | shutdown }

undo port-security protect-action

Parameters

Parameter: protect
Description:
  • Discards packets with new source MAC addresses when the number of learned MAC addresses exceeds the limit.
  • When static MAC address flapping occurs, the interface discards the packets with this MAC address.
Value: -

Parameter: restrict
Description:
  • Discards packets with new source MAC addresses and sends a trap message when the number of learned MAC addresses exceeds the limit.
  • When static MAC address flapping occurs, the interface discards the packets with this MAC address and sends a trap.
Value: -

Parameter: shutdown
Description:
  • Sets the interface status to error-down and sends a trap message when the number of learned MAC addresses exceeds the limit.
  • When static MAC address flapping occurs, the interface takes the error-down action and sends a trap.
Value: -

Views

Ethernet interface view, GE interface view, XGE interface view, 25GE interface view, MultiGE interface view, 40GE interface view, 100GE interface view, Eth-Trunk interface view, port group view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After enabling port security, you can run the port-security protect-action command to configure the action performed on the interface when the number of learned MAC addresses on an interface exceeds the upper limit or static MAC address flapping is detected.

The default action restrict is recommended. If the action is set to shutdown on an interface connected to a downstream device, the interface discards packets from trusted MAC addresses. Select the shutdown action only when the interface is directly connected to a user terminal.

Prerequisites

Port security has been enabled by using the port-security enable command on the interface.

Precautions

The interface takes protection actions when detecting static MAC address flapping only after the port-security static-flapping protect command is executed.

If the action is set to shutdown, the interface takes the error down action when the number of learned MAC addresses exceeds the limit or static MAC address flapping is detected. In addition, the interface status will not be automatically recovered.

If you run the port-security protect-action command multiple times in the same interface view, only the latest configuration takes effect.

If both port security and traffic policy-based VLAN translation are configured on an interface of the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S6720-EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, and S6730S-S, the interface can still forward protocol packets whose source MAC addresses are not in the MAC address table after the number of learned MAC addresses exceeds the limit.
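The differences between the three actions described in the Usage Scenario and Precautions (silent discard, discard plus trap, and error-down that also drops trusted MAC addresses and is not recovered automatically), as an added Python model of one interface. This is not Huawei code or part of this reference; the MAC limit, the static-MAC binding and the frame sequence are constructed.

```python
"""Constructed model (not Huawei code) of the three port-security
protect-action behaviours, for a single interface."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    action: str                            # "protect", "restrict" or "shutdown"
    max_mac: int                           # upper limit on learned MAC addresses (assumed value)
    static_elsewhere: set                  # static secure MACs bound to other interfaces
    static_flapping_protect: bool = True   # port-security static-flapping protect configured
    learned: set = field(default_factory=set)
    error_down: bool = False
    traps: list = field(default_factory=list)

    def _violate(self, reason):
        # protect discards silently; restrict and shutdown also send a trap
        if self.action in ("restrict", "shutdown"):
            self.traps.append(reason)
        if self.action == "shutdown":
            self.error_down = True         # not automatically recovered
        return "drop"

    def ingress(self, src_mac):
        if self.error_down:
            return "drop"                  # error-down interface drops even trusted MACs
        if src_mac in self.static_elsewhere and self.static_flapping_protect:
            return self._violate(f"static-flapping:{src_mac}")
        if src_mac in self.learned:
            return "forward"
        if len(self.learned) >= self.max_mac:
            return self._violate(f"limit-exceeded:{src_mac}")
        self.learned.add(src_mac)
        return "forward"


# Constructed frame sequence: two legitimate hosts, a third host beyond the
# limit of 2, the first host again, then a MAC statically bound elsewhere.
FRAMES = ["00e0-fc00-0001", "00e0-fc00-0002", "00e0-fc00-0001",
          "00e0-fc00-0003", "00e0-fc00-0001", "00e0-fc12-3456"]


def run_scenario(action):
    port = SecurePort(action=action, max_mac=2, static_elsewhere={"00e0-fc12-3456"})
    decisions = [port.ingress(mac) for mac in FRAMES]
    return decisions, port.traps, port.error_down


if __name__ == "__main__":
    for act in ("protect", "restrict", "shutdown"):
        print(act, run_scenario(act))
```

Under shutdown, the fifth frame from the already-trusted host is dropped because the interface went error-down on the fourth frame, which is the behaviour the Usage Scenario warns about for interfaces connected to downstream devices.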

Example

# Set the protection action on GigabitEthernet0/0/1 to protect.

<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port-security enable
[HUAWEI-GigabitEthernet0/0/1] port-security protect-action protect
Copyright © Huawei Technologies Co., Ltd.