Port Security Configuration
Port security is a Layer 2 traffic control feature on Pica8 switches. It enables an administrator to configure individual switch ports to allow only a specified number of source MAC addresses to ingress through the port. Port security lets the switch administrator prevent unauthorized devices from gaining access to the network, and for this reason it is normally enabled on access layer switches.
Enabling Port Security
Port security is not enabled by default. It can be enabled with default parameters by issuing a single command on an interface:
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security mac-limit 10
admin@XorPlus# commit
Merging the configuration.
Commit OK.
Save done.
admin@XorPlus#
Configuring the Maximum Number of Secure Dynamically Learned MAC Addresses
You can use port security with dynamically learned MAC addresses to restrict a port's ingress traffic by limiting the number of MAC addresses that are allowed to send traffic into the port.
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security mac-limit 5
admin@XorPlus# commit
Merging the configuration.
Commit OK.
Save done.
admin@XorPlus#
admin@XorPlus# run show port-security address
Secure Mac Address Table
-----------------------------------------------------
Vlan  MAC Address        Type     Interfaces
----  -----------------  -------  ----------
1     00:00:11:11:11:11  dynamic  ge-1/1/1
1     00:00:11:11:11:12  dynamic  ge-1/1/1
1     00:00:11:11:11:13  dynamic  ge-1/1/1
1     00:00:11:11:11:14  dynamic  ge-1/1/1
1     00:00:11:11:11:15  dynamic  ge-1/1/1
-----------------------------------------------------
MAC age time :300s
admin@XorPlus#
Configuring Static Secure MAC Addresses on a Port
You can use port security with static MAC addresses to restrict a port's ingress traffic by listing explicitly which MAC addresses are allowed to send traffic into the port.
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security mac-address 00:00:23:23:23:23 vlan 1
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security mac-address 00:00:23:23:23:24 vlan 1
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security mac-address 00:00:23:23:23:25 vlan 1
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security mac-address 00:00:23:23:23:26 vlan 1
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security mac-address 00:00:23:23:23:27 vlan 1
admin@XorPlus# commit
Merging the configuration.
Commit OK.
Save done.
admin@XorPlus#
admin@XorPlus# run show port-security address
Secure Mac Address Table
-----------------------------------------------------
Vlan  MAC Address        Type     Interfaces
----  -----------------  -------  ----------
1     00:00:23:23:23:23  static   ge-1/1/1
1     00:00:23:23:23:24  static   ge-1/1/1
1     00:00:23:23:23:25  static   ge-1/1/1
1     00:00:23:23:23:26  static   ge-1/1/1
1     00:00:23:23:23:27  static   ge-1/1/1
-----------------------------------------------------
MAC age time :300s
admin@XorPlus#
Configuring Port Security with Sticky MAC Addresses on a Port
Port security with sticky MAC addresses retains the dynamically learned MAC addresses when the link goes down and restores them when the link comes back up, so the port keeps its learned allow list across a link flap instead of relearning from scratch.
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security sticky true
admin@XorPlus# commit
Merging the configuration.
Commit OK.
Save done.
admin@XorPlus#
Configuring Secure MAC Address Aging Time
The aging time is a global MAC table setting and applies whether or not port security is configured on a port.
admin@XorPlus# set interface ethernet-switching-options mac-table-aging-time 100
admin@XorPlus# commit
Merging the configuration.
Commit OK.
Save done.
admin@XorPlus#
Configuring Port Security Violation Mode on a Port
Port security can be configured to take one of four actions upon detecting a violation:
- protect (default) - Frames from MAC addresses other than the allowed addresses are dropped. Traffic from allowed addresses is permitted to pass normally.
- restrict - Like protect mode, but also generates a syslog message and increments the violation counter.
- shutdown - The interface is placed into the error-discard state, blocking all traffic.
- shutdown-temp - The interface is placed into the error-discard state, blocking all traffic temporarily. After 20 seconds (the default), the interface comes back up.
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security violation ?
Possible completions:
  protect        Drop packets with unknown source addresses
  restrict       Drop packets with unknown source addresses and log violation
  shutdown       Disable interface
  shutdown-temp  Disable interface temporarily(20 seconds for the default)
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security violation restrict
admin@XorPlus# commit
Merging the configuration.
Commit OK.
Save done.
admin@XorPlus#
Configuring Port Security Auto-recovery Time
When the port security violation mode is configured to shutdown-temp, you can configure the recovery interval (in seconds) with the command below.
admin@XorPlus# set interface ethernet-switching-options port-error-discard timeout 30
admin@XorPlus# commit
Merging the configuration.
Commit OK.
Save done.
admin@XorPlus#
Recovering the Port in Error-discard
When the port security violation mode is configured to shutdown, the port is placed into the error-discard state after a violation is detected and stays there until it is cleared manually. You can recover the port with the following command.
admin@XorPlus# run clear port-security port-error
Clear done.
admin@XorPlus#
Configuring Port Security Block Mode on a Port
Port security can be configured to take one of five block actions:
- all - No traffic is permitted to forward normally on egress.
- broadcast - Broadcast packets are blocked on egress, but unknown unicast and multicast packets are forwarded normally.
- multicast - Only unknown multicast packets are dropped.
- uni-multi-cast - Unknown unicast and multicast packets are blocked on egress.
- unicast - Only unknown unicast packets are dropped.
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security block ?
Possible completions:
  all             Block broadcast and unknow addresses
  broadcast       Block broadcast address
  multicast       Block unknow multicast addresses
  uni-multi-cast  Block unknow uni/multi cast addresses
  unicast         Block unknow unicast addresses
admin@XorPlus# set interface gigabit-ethernet ge-1/1/1 port-security block broadcast
admin@XorPlus# commit
Merging the configuration.
Commit OK.
Save done.
admin@XorPlus#
Displaying Port Security Settings
To display port security settings, enter these commands:
admin@XorPlus# run show port-security address
Secure Mac Address Table
-----------------------------------------------------
Vlan  MAC Address        Type     Interfaces
----  -----------------  -------  ----------
1     00:00:11:11:11:11  dynamic  ge-1/1/1
1     00:00:11:11:11:12  dynamic  ge-1/1/1
1     00:00:11:11:11:13  dynamic  ge-1/1/1
1     00:00:11:11:11:14  dynamic  ge-1/1/1
1     00:00:11:11:11:15  dynamic  ge-1/1/1
1     00:00:23:23:23:23  static   ge-1/1/1
1     00:00:23:23:23:24  static   ge-1/1/1
1     00:00:23:23:23:25  static   ge-1/1/1
1     00:00:23:23:23:26  static   ge-1/1/1
1     00:00:23:23:23:27  static   ge-1/1/1
-----------------------------------------------------
MAC age time :100s
admin@XorPlus# run show port-security brief
System MAC limit : 32767
Secure port  DynamicMacLim  CurrentAddr  ViolationCount  Action
-------------------------------------------------------------------------------
ge-1/1/1     5              10           213940          restrict
-------------------------------------------------------------------------------
admin@XorPlus#
admin@XorPlus# run show port-security interface gigabit-ethernet ge-1/1/1
Interface ge-1/1/1
----------------------------------------
Port security            : enabled
Violation action         : restrict
Block type               : broadcast
Sticky                   : true
Dynamic MAC limit        : 5
Total MAC addresses      : 10
Configured MAC addresses : 5
Sticky MAC addresses     : 5
Security violation count : 286062
admin@XorPlus#
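The "show port-security brief" table is the quickest place to spot ports under pressure. As an added example (not Pica8 code, and run against a constructed sample rather than a real switch), the following Python parses that table and flags ports with a non-zero violation count, and ports left in the default protect mode, which drops offending frames without the syslog message that restrict mode would produce.

```python
import re

# Constructed sample of `run show port-security brief` output, modelled on the
# table format shown in this document. Not captured from a real switch.
SAMPLE_BRIEF = """\
System MAC limit : 32767
Secure port  DynamicMacLim  CurrentAddr  ViolationCount  Action
-------------------------------------------------------------------------------
ge-1/1/1     5              10           213940          restrict
ge-1/1/2     5              5            0               protect
ge-1/1/3     10             3            12              shutdown
-------------------------------------------------------------------------------
"""

# One data row: port name, three integer columns, then the violation action.
# Header, separator and "System MAC limit" lines do not match because their
# second field is not numeric.
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def parse_brief(text):
    """Return one dict per secure port found in the brief table."""
    ports = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        port, limit, current, violations, action = m.groups()
        ports.append({"port": port, "limit": int(limit), "current": int(current),
                      "violations": int(violations), "action": action})
    return ports


def audit(ports):
    """Return (port, finding) pairs worth a closer look."""
    findings = []
    for p in ports:
        if p["violations"] > 0:
            findings.append((p["port"],
                             f"{p['violations']} violations, action {p['action']}"))
        if p["action"] == "protect":
            # protect drops silently; restrict would also raise a syslog message
            findings.append((p["port"], "protect mode: drops are not logged"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(parse_brief(SAMPLE_BRIEF)):
        print(f"{port}: {finding}")
```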
Disabling Port Security
To disable port security, enter this command:
admin@XorPlus# delete interface gigabit-ethernet ge-1/1/1 port-security
Deleting:
port-security {
    mac-limit: 5
    violation: "restrict"
    mac-address 00:00:23:23:23:23 {
        vlan 1 {
        }
    }
    mac-address 00:00:23:23:23:24 {
        vlan 1 {
        }
    }
    mac-address 00:00:23:23:23:25 {
        vlan 1 {
        }
    }
    mac-address 00:00:23:23:23:26 {
        vlan 1 {
        }
    }
    mac-address 00:00:23:23:23:27 {
        vlan 1 {
        }
    }
    sticky: true
    block: "broadcast"
}
OK
admin@XorPlus# commit
Merging the configuration.
Commit OK.
Save done.
admin@XorPlus#
Copyright © 2025 Pica8 Inc. All Rights Reserved.