Port Security Commands
This chapter describes the Port Security commands.
show port-security
Use this command to display Port Security configuration for all ports or for a particular interface.
Command Syntax
show port-security
show port-security (interface IFNAME |)
Parameters
IFNAME
Interface name
Default
None
Command Mode
Exec mode
Applicability
This command was introduced in OcNOS version 1.3.6.
Examples
#show port-security
Port port-security mode MAC limit CVLAN SVLAN static secure MAC
----------------------------------------------------------------
ge1 dynamic 3 2 0000.0000.1112
10 0000.0000.3333
 
 
#show port-security interface ge1
 
Port Security Mode : Dynamic
Secure MAC limit : 3
Static Secure MAC list :
CVLAN SVLAN MAC Address
---------------------------
2 0000.0000.1112
10 0000.0000.3333
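The per-interface output above can be checked against a baseline to catch drift, such as a port left in dynamic mode or carrying a static secure MAC nobody approved. The following is an added example, not part of the OcNOS documentation: `parse_port_security`, `audit` and the baseline parameters are hypothetical names, and the sample text is the output shown on this page. Each sample row carries one VLAN value before the MAC, so the parser keeps whatever VLAN numbers precede the MAC without labelling them CVLAN or SVLAN.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)

# Copied from the "show port-security interface ge1" example on this page.
SAMPLE = """\
Port Security Mode : Dynamic
Secure MAC limit : 3
Static Secure MAC list :
CVLAN SVLAN MAC Address
---------------------------
2 0000.0000.1112
10 0000.0000.3333
"""

def parse_port_security(text):
    """Parse per-interface output into mode, limit and static MAC rows."""
    state = {"mode": None, "limit": None, "static_macs": []}
    for line in text.splitlines():
        if ":" in line:  # "Key : value" lines; MACs use dots, never colons
            key, _, value = (part.strip() for part in line.partition(":"))
            if key.lower() == "port security mode":
                state["mode"] = value.lower()
            elif key.lower() == "secure mac limit" and value.isdigit():
                state["limit"] = int(value)
            continue
        fields = line.split()
        # A MAC row ends with the MAC; any numbers before it are VLAN ids.
        if fields and MAC_RE.match(fields[-1]) and all(f.isdigit() for f in fields[:-1]):
            vlans = tuple(int(f) for f in fields[:-1])
            state["static_macs"].append((vlans, fields[-1].lower()))
    return state

def audit(state, expected_macs, want_mode="static", max_limit=None):
    """Compare parsed state with an operator baseline; [] means no drift."""
    if state["mode"] is None or state["limit"] is None:
        return ["port security state not found in output"]
    findings = []
    if state["mode"] != want_mode:
        findings.append(f"mode is {state['mode']}, baseline is {want_mode}")
    if max_limit is not None and state["limit"] > max_limit:
        findings.append(f"MAC limit {state['limit']} exceeds baseline {max_limit}")
    seen = {mac for _, mac in state["static_macs"]}
    expected = {mac.lower() for mac in expected_macs}
    findings += [f"unexpected static MAC {m}" for m in sorted(seen - expected)]
    findings += [f"missing static MAC {m}" for m in sorted(expected - seen)]
    return findings
```

Calling `audit(parse_port_security(SAMPLE), ["0000.0000.1112"])` reports the dynamic mode and the second static MAC as drift from that baseline.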
 
switchport port-security
Use this command to enable Port Security on an interface.
Use the no parameter with this command to disable Port Security on an interface. Disabling Port Security also removes any secure MAC addresses configured on this interface.
Note: This command is supported for physical, LAG, and MLAG (active) interfaces only. Enabling port security on an interface removes learned MAC addresses of interfaces (whether learned by static or dynamic means), and then relearns the secure MAC addresses. Multicast MAC addresses are not considered as part of the MAC learning limit.
Note: This command is ignored when port security is already enabled on an interface.
Command Syntax
switchport port-security (static |)
no switchport port-security
Parameters
static
Static mode of Port Security.
Default
By default this feature is disabled. The default mode of Port Security is dynamic, in which the device learns MAC addresses dynamically. Users can also program static MACs. In static mode, dynamic MAC learning is not allowed.
Command Mode
Interface mode
Applicability
This command was introduced in OcNOS version 1.3.6.
Examples
#configure terminal
(config)#interface ge1
(config-if)#switchport
(config-if)#bridge-group 1
(config-if)#switchport mode hybrid
(config-if)#switchport hybrid allowed vlan all
(config-if)#switchport port-security
switchport port-security logging enable
Use this command to enable violated MAC logging on a port security enabled interface.
Use the no parameter with this command to disable violated MAC logging on a port security enabled interface.
Command Syntax
switchport port-security logging enable
no switchport port-security logging
Parameters
None
Default
By default logging is disabled.
Command Mode
Interface mode
Applicability
This command was introduced in OcNOS version 1.3.6.
Examples
#configure terminal
(config)#interface ge1
(config-if)#switchport port-security logging enable
 
switchport port-security mac-address
Use this command to add static secure MAC addresses.
Use the no parameter to remove static secure MAC addresses.
Command Syntax
switchport port-security mac-address XXXX.XXXX.XXXX
no switchport port-security mac-address XXXX.XXXX.XXXX
switchport port-security mac-address XXXX.XXXX.XXXX vlanId <2-4094>
no switchport port-security mac-address XXXX.XXXX.XXXX vlanId <2-4094>
Parameters
XXXX.XXXX.XXXX
Static secure MAC
<2-4094>
VLAN identifier
Default
NA
Command Mode
Interface mode
Applicability
This command was introduced in OcNOS version 1.3.6.
Examples
#configure terminal
(config)#interface ge1
(config-if)#switchport port-security mac-address 0000.0000.1112 vlan 2
switchport port-security maximum
Use this command to configure the MAC learn limit for an interface.
Note: When a newly configured max learn limit is less than the previous value, the user must remove/flush-out the unwanted MACs to stop traffic forwarding from the unwanted Source MAC addresses. MAC addresses can be removed using “clear mac address-table
Command Syntax
switchport port-security maximum <1-1000>
Parameters
<1-1000>
Port security maximum learn limit
Default
Default learn limit is 1.
Command Mode
Interface mode
Applicability
This command was introduced in OcNOS version 1.3.6.
Examples
#configure terminal
(config)#interface ge1
(config-if)#switchport port-security maximum 3