port-security mac-address security
Syntax
In Layer 2 Ethernet interface view:
port-security mac-address security [ sticky ] mac-address vlan vlan-id
undo port-security mac-address security [ sticky ] mac-address vlan vlan-id
In system view:
port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id
undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]
View
Layer 2 Ethernet interface view, system view
Default level
2: System level
Parameters
sticky: Specifies a sticky MAC address. If you do not provide this keyword, the command configures a static secure MAC address.
mac-address: Secure MAC address, in the H-H-H format.
interface interface-type interface-number: Specifies a Layer 2 Ethernet port by its type and number.
vlan vlan-id: Specifies the VLAN that has the secure MAC address. The vlan-id argument represents the ID of the VLAN in the range of 1 to 4094. Make sure that you have assigned the Layer 2 port to the specified VLAN.
Description
Use port-security mac-address security to add a secure MAC address.
Use undo port-security mac-address security to remove a secure MAC address.
By default, no secure MAC address entry is configured.
Secure MAC addresses are MAC addresses configured or learned in autoLearn mode. They can survive link down/up events, and once saved, can survive a device reboot. You can bind a MAC address to only one port in a VLAN.
When a port is operating in autoLearn mode, you can add important or frequently used MAC addresses as sticky or static secure MAC addresses to prevent the secure MAC address limit from causing authentication failure.
Static secure MAC addresses never age out unless you remove them by using the undo port-security mac-address security command, changing the port security mode, or disabling the port security feature.
Sticky MAC addresses can be manually configured or automatically learned in autoLearn mode. Sticky MAC addresses do not age out by default. You can use the port-security timer autolearn aging command to set an aging timer for them. When the timer expires, the sticky MAC addresses are removed.
You cannot change the type of a secure address entry that has been added or add two entries that are identical except for their entry type. For example, you cannot add the port-security mac-address security sticky 1-1-1 vlan 10 entry when a port-security mac-address security 1-1-1 vlan 10 entry exists. To add the new entry, you must delete the old entry.
To enable port security on a port, use the port-security enable command, and to set the port in autoLearn mode, use the port-security port-mode autolearn command.
Related commands: display port-security and port-security timer autolearn aging.
Examples
# Enable port security, set port Ethernet 1/0/1 in autoLearn mode, and add a static secure MAC address 0001-0001-0002 in VLAN 10.
<Sysname> system-view
[Sysname] port-security enable
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security max-mac-count 100
[Sysname-Ethernet1/0/1] port-security port-mode autolearn
[Sysname-Ethernet1/0/1] quit
[Sysname] port-security mac-address security 0001-0001-0002 interface ethernet 1/0/1 vlan 10
# Enable port security, set port Ethernet 1/0/1 in autoLearn mode, and add a static secure MAC address 0001-0002-0003 in VLAN 4 in interface view.
<Sysname> system-view
[Sysname] port-security enable
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security max-mac-count 100
[Sysname-Ethernet1/0/1] port-security port-mode autolearn
[Sysname-Ethernet1/0/1] port-security mac-address security 0001-0002-0003 vlan 4
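# Added example (not part of the original command reference): a pre-deployment check, in Python, of the constraints stated in the Description: H-H-H address format, VLAN ID 1 to 4094, one port per MAC address in a VLAN, and no duplicate entry that differs only in type. The audit function, its message texts and the sample are hypothetical; the input is assumed to be prompt-less command lines with the interface written as type and number separated by a space.

```python
import re
# Matches the interface-view form and the system-view form (with "interface").
ENTRY = re.compile(
    r"^port-security mac-address security (?P<sticky>sticky )?"
    r"(?P<mac>\S+)(?: interface (?P<port>\S+ \S+))? vlan (?P<vlan>\d+)$")
MAC = re.compile(r"^[0-9a-fA-F]{1,4}(-[0-9a-fA-F]{1,4}){2}$")

def audit(config):
    """Return a list of findings for secure MAC entries in a config text."""
    findings, seen, current_port = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current_port = line[len("interface "):].lower()
            continue
        if line == "quit":
            current_port = None
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        port = (m["port"] or current_port or "").lower()
        vlan = int(m["vlan"])
        if not MAC.match(m["mac"]):
            findings.append(f"bad MAC format: {line}")
            continue
        if not 1 <= vlan <= 4094:
            findings.append(f"VLAN out of range: {line}")
            continue
        # Zero-pad each group so 1-1-1 and 0001-0001-0001 compare equal.
        mac = "-".join(g.zfill(4).lower() for g in m["mac"].split("-"))
        kind = "sticky" if m["sticky"] else "static"
        prev = seen.get((mac, vlan))
        if prev is None:
            seen[(mac, vlan)] = (port, kind)
        elif prev[0] != port:
            findings.append(f"{mac} vlan {vlan} already bound to {prev[0]}")
        elif prev[1] != kind:
            findings.append(f"{mac} vlan {vlan} on {port} already exists as {prev[1]}")
    return findings

# Constructed sample configuration (not from a real device).
SAMPLE = """\
interface ethernet 1/0/1
 port-security mac-address security 1-1-1 vlan 10
 port-security mac-address security sticky 0001-0001-0001 vlan 10
quit
port-security mac-address security 1-1-1 interface ethernet 1/0/2 vlan 10
port-security mac-address security 0001-0002-0003 interface ethernet 1/0/1 vlan 4095
"""
```

# Calling audit(SAMPLE) reports the type conflict, the second port binding and the out-of-range VLAN; a configuration that follows the rules returns an empty list.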