Port Security
The nv unset
commands remove the configuration you set with the equivalent nv set
commands. This guide only describes an nv unset
command if it differs from the nv set
command.
nv set interface <interface-id> port-security static-mac
Configures specific MAC addresses allowed to access the specified port.
Command Syntax
Syntax | Description |
---|---|
<interface-id> | The interface you want to configure. |
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set interface swp1 port-security static-mac 00:02:00:00:00:05
nv set interface <interface-id> port-security enable
Enables (on
) and disables (off
) port security on an interface.
Command Syntax
Syntax | Description |
---|---|
<interface-id> | The interface you want to configure. |
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set interface swp1 port-security enable on
nv set interface <interface-id> port-security mac-limit
Configures the maximum number of MAC addresses allowed to access the specified port. You can specify a value between 1 and 512. The default value is 32.
Command Syntax
Syntax | Description |
---|---|
<interface-id> | The interface you want to configure. |
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set interface swp1 port-security mac-limit 100
nv set interface <interface-id> port-security sticky-mac
Enables (enabled
) and disables (disabled
) sticky MAC port security to track specific dynamically learned MAC addresses on a port.
Cumulus Linux maintains learned sticky MAC addresses through interface flaps and reboots if the source MAC address is still sending traffic; otherwise learned sticky MAC addresses age out according to the sticky MAC aging time.
Command Syntax
Syntax | Description |
---|---|
<interface-id> | The interface you want to configure. |
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set interface swp1 port-security sticky-mac enabled
nv set interface <interface-id> port-security sticky-timeout
Configures the time period after which learned sticky MAC addresses age out and no longer have access to the port. You can specify a value between 0 and 3600 minutes. The default setting is 1800 minutes.
Command Syntax
Syntax | Description |
---|---|
<interface-id> | The interface you want to configure. |
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set interface swp1 port-security sticky-timeout 20
nv set interface <interface-id> port-security sticky-ageing
Enables (enabled
) and disables (disabled
) sticky MAC aging on the specified interface.
Command Syntax
Syntax | Description |
---|---|
<interface-id> | The interface you want to configure. |
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set interface swp1 port-security sticky-ageing enabled
nv set interface <interface-id> port-security violation-mode
Configures violation mode on the specified interface to put a port into a protodown state (protodown
) or to drop packets (restrict
).
Command Syntax
Syntax | Description |
---|---|
<interface-id> | The interface you want to configure. |
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set interface swp1 port-security violation-mode protodown
nv set interface <interface-id> port-security violation-timeout
Configures the number of minutes after which the violation mode times out. You can specify a value between 0 and 60 minutes. The default value is 30 minutes.
Command Syntax
Syntax | Description |
---|---|
<interface-id> | The interface you want to configure. |
Version History
Introduced in Cumulus Linux 5.7.0
Example
cumulus@switch:~$ nv set interface swp1 port-security violation-timeout 60