Port Security Commands
This chapter describes the port security commands.
port-security
Use this command to enable or disable port security globally.
Command Syntax
port-security (enable | disable)
Parameters
enable
Enable port security globally
disable
Disable port security globally
Default
By default, port security is enabled globally.
Command Mode
Configure mode
Applicability
This command was introduced in OcNOS version 4.0.
Examples
(config)#port-security enable
(config)#
show port-security
Use this command to display the port security configuration for all interfaces or for a particular interface.
Command Syntax
show port-security (interface IFNAME |)
Parameters
IFNAME
Interface name
Default
None
Command Mode
Exec mode
Applicability
This command was introduced in OcNOS version 4.0.
Examples
#show port-security
Port port-security mode MAC limit CVLAN SVLAN static secure MAC
----------------------------------------------------------------
ge1 dynamic 3 2 0000.0000.1112
10 0000.0000.3333
#show port-security interface ge1
Port Security Mode : Dynamic
Secure MAC limit : 3
Static Secure MAC list :
CVLAN SVLAN MAC Address
---------------------------
2 0000.0000.1112
10 0000.0000.3333
switchport port-security
Use this command to enable port security on an interface.
Use the no form of this command to disable port security on an interface. This command removes configured secured MAC, if any, on this interface.
Note: This command is supported for physical, LAG, and MLAG (active) interfaces only. Enabling port security on an interface removes learned MAC addresses of interfaces (whether learned by static or dynamic means), and then relearns the secure MAC addresses. Multicast MAC addresses are not considered as part of the MAC learning limit.
Note: This command is ignored when port security is already enabled on an interface.
Command Syntax
switchport port-security (static |)
no switchport port-security
Parameters
static
Static mode
Default
By default this feature is disabled; the default mode of port security is to dynamically learn. In dynamic mode, devices learn MAC addresses dynamically. You can program static MACs, however, dynamic MAC learning will not be allowed in static mode for port security.
Command Mode
Interface mode
Applicability
This command was introduced in OcNOS version 4.0.
Examples
#configure terminal
(config)#interface ge1
(config-if)#switchport
(config-if)#bridge-group 1
(config-if)#switchport mode hybrid
(config-if)#switchport hybrid allowed vlan all
(config-if)#switchport port-security
switchport port-security logging
Use this command to enable violated MAC logging on a port security enabled interface.
Use the disable parameter with this command to disable violated mac logging on a port security enabled interface.
Command Syntax
switchport port-security logging (enable | disable)
Parameters
enable
Enable violated MAC logging
disable
Disable violated MAC logging
Default
By default logging is disabled.
Command Mode
Interface mode
Applicability
This command was introduced in OcNOS version 4.0.
Examples
#configure terminal
(config)#interface ge1
(config-if)#switchport port-security logging enable
switchport port-security mac-address
Use this command to add static secure MAC addresses.
Use the no form of this command to remove static secure MAC addresses.
Command Syntax
switchport port-security mac-address XXXX.XXXX.XXXX
no switchport port-security mac-address XXXX.XXXX.XXXX
switchport port-security mac-address XXXX.XXXX.XXXX vlanId <2-4094>
no switchport port-security mac-address XXXX.XXXX.XXXX vlanId <2-4094>
switchport port-security mac-address XXXX.XXXX.XXXX svlanId <2-4094>
no switchport port-security mac-address XXXX.XXXX.XXXX svlanId <2-4094>
switchport port-security mac-address XXXX.XXXX.XXXX vlanId <2-4094> svlanId <2-4094>
no switchport port-security mac-address XXXX.XXXX.XXXX vlanId <2-4094> svlanId <2-4094>
Parameters
XXXX.XXXX.XXXX
Static secure MAC address
vlanId
VLAN identifier
<2-4094>
VLAN identifier
svlanId
SVLAN identifier
<2-4094>
SVLAN identifier
Default
N/A
Command Mode
Interface mode
Applicability
This command was introduced in OcNOS version 4.0.
Examples
#configure terminal
(config)#interface ge1
(config-if)#switchport port-security mac-address 0000.0000.1112 vlan 2
(config-if)# no switchport port-security mac-address 0000.0000.1112 vlan 2
(config)#interface ge2
(config-if)#switchport port-security mac-address 0000.1111.2222
(config-if)#no switchport port-security mac-address 0000.1111.2222
(config)#interface ge3
(config-if)#switchport port-security mac-address 0000.2222.3333 svlan 9
(config-if)#no switchport port-security mac-address 0000.2222.3333 svlan 9
(config)#interface ge4
(config-if)#switchport port-security mac-address 0000.2222.3333 vlan 23 svlan 31
(config-if)#no switchport port-security mac-address 0000.2222.3333 vlan 23 svlan 31
switchport port-security maximum
Use this command to set the MAC address learning limit for an interface.
Note: This command is supported for physical, LAG, and MLAG (active) interfaces only. When a newly configured maximum learn limit is less than the previous value, you must remove/flush-out the unwanted MACs to stop traffic forwarding from the unwanted source MAC addresses. MAC addresses can be removed using the
clear mac address-table command.
Use no form cli to set the maximum limit back to default value 1.
Command Syntax
switchport port-security maximum <1-1000>
no switchport port-security maximum
Parameters
<1-1000>
Maximum MAC address learning limit
Default
The default MAC address learning limit is 1.
Command Mode
Interface mode
Applicability
This command was introduced in OcNOS version 4.0.
Examples
#configure terminal
(config)#interface ge1
(config-if)#switchport port-security maximum 3
#configure terminal
(config)#interface po1
(config-if)#switchport port-security maximum 3
#configure terminal
(config)#interface mlag1
(config-if)#switchport port-security maximum 3