Port Security

The nv unset commands remove the configuration you set with the equivalent nv set commands. This guide only describes an nv unset command if it differs from the nv set command.

nv set interface <interface-id> port-security static-mac

Configures specific MAC addresses allowed to access the specified port.

Command Syntax

Syntax           Description
<interface-id>   The interface you want to configure.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set interface swp1 port-security static-mac 00:02:00:00:00:05

nv set interface <interface-id> port-security enable

Enables (on) and disables (off) port security on an interface.

Command Syntax

Syntax           Description
<interface-id>   The interface you want to configure.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set interface swp1 port-security enable on

nv set interface <interface-id> port-security mac-limit

Configures the maximum number of MAC addresses allowed to access the specified port. You can specify a value between 1 and 512. The default value is 32.

Command Syntax

Syntax           Description
<interface-id>   The interface you want to configure.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set interface swp1 port-security mac-limit 100

nv set interface <interface-id> port-security sticky-mac

Enables (enabled) and disables (disabled) sticky MAC port security to track specific dynamically learned MAC addresses on a port.

Cumulus Linux maintains learned sticky MAC addresses through interface flaps and reboots if the source MAC address is still sending traffic; otherwise learned sticky MAC addresses age out according to the sticky MAC aging time.

Command Syntax

Syntax           Description
<interface-id>   The interface you want to configure.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set interface swp1 port-security sticky-mac enabled

nv set interface <interface-id> port-security sticky-timeout

Configures the time period after which learned sticky MAC addresses age out and no longer have access to the port. You can specify a value between 0 and 3600 minutes. The default setting is 1800 minutes.

Command Syntax

Syntax           Description
<interface-id>   The interface you want to configure.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set interface swp1 port-security sticky-timeout 20

nv set interface <interface-id> port-security sticky-ageing

Enables (enabled) and disables (disabled) sticky MAC aging on the specified interface.

Command Syntax

Syntax           Description
<interface-id>   The interface you want to configure.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set interface swp1 port-security sticky-ageing enabled

nv set interface <interface-id> port-security violation-mode

Configures violation mode on the specified interface to put a port into a protodown state (protodown) or to drop packets (restrict).

Command Syntax

Syntax           Description
<interface-id>   The interface you want to configure.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set interface swp1 port-security violation-mode protodown

nv set interface <interface-id> port-security violation-timeout

Configures the number of minutes after which the violation mode times out. You can specify a value between 0 and 60 minutes. The default value is 30 minutes.

Command Syntax

Syntax           Description
<interface-id>   The interface you want to configure.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set interface swp1 port-security violation-timeout 60
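
The commands on this page combined into one validated per-port configuration, as an added example that is not part of the Cumulus Linux documentation. The shell function checks each value against the ranges and keywords given above and prints the nv set commands only when all of them pass; the function names, argument order and the interface-name character check are assumptions of this example.

```shell
#!/bin/sh
# Added example. Ranges and keywords come from the command descriptions on this
# page; function names and argument order are assumptions of this example.

# in_range VALUE MIN MAX: succeeds if VALUE is a plain integer within [MIN, MAX].
in_range() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ] 2>/dev/null && [ "$1" -le "$3" ] 2>/dev/null
}

# is_mac ADDR: succeeds if ADDR is exactly six colon-separated hex octets.
is_mac() {
    h='[0-9A-Fa-f]'
    case "$1" in $h$h:$h$h:$h$h:$h$h:$h$h:$h$h) return 0 ;; esac
    return 1
}

reject() { echo "rejected: $1" >&2; }

# render_port_security IFACE MAC_LIMIT STICKY_MIN VIOL_MODE VIOL_MIN [STATIC_MAC...]
# Prints the nv set commands only if every value passes; otherwise prints
# nothing on stdout and returns 1.
render_port_security() {
    [ "$#" -ge 5 ] || { reject "expected at least 5 arguments"; return 1; }
    iface=$1 limit=$2 sticky_min=$3 vmode=$4 viol_min=$5
    shift 5
    # Keep the interface name to safe characters so the output can be pasted.
    case "$iface" in ''|*[!A-Za-z0-9._-]*) reject "interface-id"; return 1 ;; esac
    in_range "$limit" 1 512 || { reject "mac-limit (1-512)"; return 1; }
    in_range "$sticky_min" 0 3600 || { reject "sticky-timeout (0-3600)"; return 1; }
    in_range "$viol_min" 0 60 || { reject "violation-timeout (0-60)"; return 1; }
    case "$vmode" in protodown|restrict) ;; *) reject "violation-mode"; return 1 ;; esac
    for mac in "$@"; do
        is_mac "$mac" || { reject "static-mac $mac"; return 1; }
    done
    p="nv set interface $iface port-security"
    echo "$p enable on"
    echo "$p mac-limit $limit"
    for mac in "$@"; do echo "$p static-mac $mac"; done
    echo "$p sticky-mac enabled"
    echo "$p sticky-ageing enabled"
    echo "$p sticky-timeout $sticky_min"
    echo "$p violation-mode $vmode"
    echo "$p violation-timeout $viol_min"
}

# Constructed sample values, taken from the examples on this page.
render_port_security swp1 100 20 protodown 60 00:02:00:00:00:05
```

Review the printed commands before entering them on the switch; a rejected value produces no commands at all, so a partly valid port policy is never emitted.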