Port Security

此内容尚不支持你的语言。

show port-security

[Command] show port-security [{ethernet|link-aggregation}] [interface_num|lag_id]

[Purpose] Display Port Security configuration

[Parameter]

Parameter	Description
interface_num	Ethernet name
lag_id	Aggregate group id, range 1-9999

[View] System view

sonic# show port-security
Interface  Port-Security Sticky-Mac Max-Secure-Addr Violation-Action
--------------- --------------- --------------- --------------------- ------------------
Ethernet1    enable  enable  1       restrict
PortChannel0020 enable  enable  1       restrict

show port-security address

[Command] show port-security address [{ethernet|link-aggregation}] [interface_num|lag_id]

[Purpose] Display specific security MAC information

[Parameter]

Parameter	Description
interface_num	Ethernet name
lag_id	Aggregate group id, range 1-9999

[View] System view

sonic# show port-security address ethernet 1
No.      VLAN          MAC Address                Port         Type
----- ---------- ------------------------- ------------- ------
1          Vlan100     00:00:01:02:03:04         Ethernet1     static
Total number of entries 1

[Command] port-security enable no port-security enable

[Purpose] Enable port security function

[View] Interface view

[Comment] Before enabling port security, you need to add the interface to a VLAN first.

sonic# configure
sonic(config)# interface ethernet 1
sonic(config-if-1)# port-security enable

port-security address

[Command] port-security address nn:nn:nn:nn:nn:nn vlan vlan_id no port-security address nn:nn:nn:nn:nn:nn vlan vlan_id

[Purpose] Configure static security MAC address

[View] Interface view

[Comment] Before configuring a static security MAC address, you need to enable the port security function first.

sonic# configure
sonic(config)# interface ethernet 1
sonic(config-if-1)# port-security address 00:00:01:02:03:05 vlan 100

port-security maximum

[Command] port-security maximum max_num no port-security maximum

[Purpose] Configure the maximum limit of secure MAC addresses for the interface. The default value is 1. Static secure MAC addresses, dynamic secure MAC addresses, and sticky MAC addresses share this maximum limit.

[Parameter]

Parameter	Description
max_num	The maximum number of interface security MAC addresses, ranging from 1 to 1024

[View] Interface view

sonic# configure
sonic(config)# interface ethernet 1
sonic(config-if-1)# port-security maximum 10

port-security sticky

[Command] port-security sticky no port-security sticky

[Purpose] Enable sticky mac function

[View] Interface view

sonic# configure
sonic(config)# interface ethernet 1
sonic(config-if-1)# port-security sticky

port-security violation

[Command] port-security violation {protect|restrict|shutdown} no port-security violation

[Purpose] Configure security MAC protection actions. When the number of security MAC addresses reaches the set maximum, the default protection action is “restrict”.

[Parameter]

Parameter	Description
protect	Discard packets with source addresses not in the MAC table.
restrict	Discard packets with source addresses not in the MAC table and issues an alert.
shutdown	The interface performs a shutdown operation and issues an alert.

[View] Interface view

sonic# configure
sonic(config)# interface ethernet 1
sonic(config-if-1)# port-security violation protect

clear port-security address

[Command] clear port-security address [ethernet|link-aggregation] [interface_num|lag_id] clear port-security address [static|dynamic|sticky]

[Purpose] Delete entries from the security MAC table

[Parameter]

Parameter	Description
interface_num	Ethernet name
lag_id	Aggregate group id, range 1-9999
static	Static security MAC address
dynamic	Dynamic security MAC address
sticky	Sticky security MAC address

[View] System view

sonic# clear port-security address

[Command] mac-learning priority {low|high} no mac-learning priority

[Purpose] Configure the learning priority for mac. The default is low. FDBs learned from high-priority interfaces are not allowed to drift to low-priority interfaces; FDBs learned from low-priority interfaces are allowed to drift to high-priority interfaces.

[View] Interface view

sonic# configure
sonic(config)# interface ethernet 1
sonic(config-if-1)# mac-learning priority high

mac-learning group

[Command] mac-learning group group_id no mac-learning group

[Purpose] Configure MAC learning groups, allowing MAC migration between interfaces within the same learning group.

[Parameter]

Parameter	Description
group_id	Mac learning group name, range 0-15, default 0

[View] Interface view

sonic# configure
sonic(config)# interface ethernet 1
sonic(config-if-1)# mac-learning group 10

show mac-learning priority

[Command] show mac-learning priority [{ethernet|link-aggregation}] [interface_num|lag_id]

[Purpose] Displays MAC learning priority configuration.

[Parameter]

Parameter	Description
interface_num	Ethernet name
lag_id	Aggregate group id, range 1-9999

[View] System view

sonic# show mac-learning priority ethernet 5
Interface  Priority
-------------  ----------
Ethernet5  low

show mac-learning group

[Command] show mac-learning group [{ethernet|link-aggregation}] [interface_num|lag_id]

[Purpose] Displays MAC learning group configuration.

[Parameter]

Parameter	Description
interface_num	Ethernet name
lag_id	Aggregate group id, range 1-9999

[View] System view

sonic# show mac-learning group ethernet 6
Interface   Group-Id
----------- ----------
Ethernet6       0