Dell Networking SONiC How to configure Port Security

Summary: How to configure Port Security in Dell Networking SONiC. This article is tested in Dell Networking SONiC 4.2 Edge Standard.


Instructions

Prerequisites
This article uses standard interface naming to demonstrate the concepts. See the article Dell Networking S-Series: Basic Interface Configuration - SONiC 4.0 for more information regarding interface naming.

Index

What is port security
  Set the maximum number of MAC address allowed in a Port
  Port security Violation
  Defaults
Configuration Syntax
Sample configuration
Verify

What is port security

 Port security protects a port by limiting the number of MAC addresses that can be learned on it.

  • Port security is not supported on VLAN interfaces.
  • Port security is supported on Ethernet ports and PortChannels that are configured as switchports.
  • Port security is not supported on non-switchport (routed) interfaces.

Set the maximum number of MAC address allowed in a Port

 Using the MAC learning limit, you can set the maximum number of MAC addresses that can be learned on an interface. Limiting the number of MAC addresses protects against MAC flooding, where an attacker sends frames from many spoofed source MACs to exhaust the forwarding table and make the switch flood unicast traffic. When the configured limit is exceeded, the system generates a warning syslog message and a port security violation occurs.


NOTE: Disabling port security on the interface removes the MAC learning limit and restores the default (unlimited) learning on that port.

Port security Violation

 A port security violation happens when a port sees more source MAC addresses than the configured limit. You can configure the action that is taken during a violation.
In Dell SONiC, the only action available when a violation happens is protect. In protect mode, MAC learning on the port is disabled once the number of MAC addresses on the interface reaches the configured limit. From that point on, all frames with unknown source addresses arriving on the port are dropped; frames from the already-learned MAC addresses are still forwarded, and the port itself is not shut down.
What action can be taken when a port security violation happens?
You can take any of the actions below.
-->After finding and removing the device(s) causing the excess MAC addresses, clear the dynamic MAC address table on the interface to clear the violation state.
Command syntax

DELLSONiC# clear mac address-table dynamic interface Eth <slot/port>

-->Increase the allowed MAC address limit if needed.
Command syntax

DELLSONiC# configure
DELLSONiC(config)# interface Eth X/X
DELLSONiC(config-if-EthX/X)# port-security maximum <number of mac address>

-->Disable port security if needed.
Command syntax

DELLSONiC# configure
DELLSONiC(config)# interface Eth X/X
DELLSONiC(config-if-EthX/X)# no port-security enable
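The following is an added example, not code from the article or from Dell: a simplified Python model of the protect behaviour described above, used to walk through the two-host scenario and the remediation steps (clear the dynamic table, raise the limit). The article does not state how the switch counts violations, so the model counts each distinct offending MAC once; the class and method names (SecurePort, ingress, clear_dynamic, set_maximum) and the sample MACs are hypothetical.

```python
# Added example: a simplified model of SONiC port-security 'protect' behaviour
# as this article describes it. Not Dell's implementation. Counting each
# distinct offending MAC once is an assumption; the article does not specify it.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    enabled: bool = False          # default: port security disabled
    maximum: int = 1               # default: 1 secure MAC (range 1-4097 per the article)
    macs: set = field(default_factory=set)       # dynamic entries on the port (FdbCount)
    offenders: set = field(default_factory=set)  # MACs rejected after the limit was hit
    syslog: list = field(default_factory=list)   # violation messages, one per offender

    @property
    def violation_count(self) -> int:
        return len(self.offenders)

    def ingress(self, src_mac: str) -> bool:
        """Process one frame; return True if it is forwarded, False if dropped."""
        mac = src_mac.lower()
        if mac in self.macs:
            return True                          # already learned: always forwarded
        if not self.enabled or len(self.macs) < self.maximum:
            self.macs.add(mac)                   # learn (no limit while disabled)
            return True
        # Limit reached with protect: learning stops, unknown-source frames are dropped.
        if mac not in self.offenders:
            self.offenders.add(mac)
            self.syslog.append("WARNING syncd#syncd: :- port_mac_sec_add_mac: "
                               f"Port Mac Security violation by MAC {mac} Port {self.name}")
        return False

    def clear_dynamic(self) -> None:
        """Models 'clear mac address-table dynamic interface ...' (and a shutdown /
        no shutdown bounce): flush learned entries and clear the violation state."""
        self.macs.clear()
        self.offenders.clear()

    def set_maximum(self, n: int) -> None:
        """Models 'port-security maximum <n>'."""
        if not 1 <= n <= 4097:
            raise ValueError("port-security maximum must be 1-4097")
        self.maximum = n


def demo() -> dict:
    """The article's scenario: two hosts on Eth1/1, then a limit of one MAC."""
    host_a, host_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"   # constructed MACs
    port = SecurePort("Eth1/1")
    port.ingress(host_a)
    port.ingress(host_b)
    learned_before = len(port.macs)            # 2: no limit while disabled
    port.enabled = True
    port.set_maximum(1)
    port.clear_dynamic()                       # the shutdown / no shutdown in the article
    forwarded = [port.ingress(host_a), port.ingress(host_b), port.ingress(host_a)]
    violations = port.violation_count          # host_b was rejected
    port.set_maximum(2)                        # remediation: raise the limit
    after_raise = port.ingress(host_b)         # now learned and forwarded
    return {"learned_before": learned_before, "forwarded": forwarded,
            "violations": violations, "after_raise": after_raise,
            "fdb_count": len(port.macs), "syslog": list(port.syslog)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that raising the limit lets the second MAC be learned, but in this model the violation count only drops back to zero after the dynamic entries are cleared, which matches the article's advice to clear the MAC address table on the interface to clear the violation state.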


How can I find the MAC address blocked by port security?
The MAC addresses blocked by port security are recorded in the log messages. See the example below (date/time and MAC address masked).
 

DELLSONiC# show logging | grep "Port Mac Security violation"
XXX XX XX:XX:XX.XXXXXXXXXXXX XXXX DELLSONiC WARNING syncd#syncd: :- port_mac_sec_add_mac: Port Mac Security violation by MAC YY:YY:YY:YY:YY:YY Port Eth1/1

Defaults

Setting                                    Default
Port security on a port                    Disabled
Maximum number of MAC addresses per port   1
Violation mode                             Protect

Configuration Syntax

Command Explanation
admin@DELLSONiC:~$ sonic-cli
Enter Dell Management Command-Line Interface.
DELLSONiC# configure terminal
Enter Configuration Mode.
DELLSONiC(config)# interface <Eth slot/port> 
Configure Interface.
DELLSONiC(config-if-EthX/X)# port-security violation protect
Set the action to be taken in the event of a violation (protect is the only action available).
DELLSONiC(config-if-EthX/X)# port-security maximum <number of mac address>
Set the maximum number of secure MACs allowed on this interface (1-4097).
DELLSONiC(config-if-EthX/X)# port-security enable
Enable port security on the interface.
DELLSONiC(config-if-EthX/X)# no port-security enable
Disable port security on the interface.

Sample configuration

Consider port Eth 1/1, on which two MAC addresses are currently learned.
Before configuring port security on port Eth 1/1 (MAC addresses masked):

DELLSONiC# show mac address-table interface Eth 1/1
-----------------------------------------------------------
VLAN         MAC-ADDRESS         TYPE         INTERFACE           
-----------------------------------------------------------
2500        XX:XX:XX:XX:XX:XX   DYNAMIC       Eth1/1             
2500        YY:YY:YY:YY:YY:YY   DYNAMIC       Eth1/1

Let's configure port Eth 1/1 to allow no more than one MAC address:

admin@DELLSONiC:~$ sonic-cli
DELLSONiC# configure
DELLSONiC(config)# interface Eth 1/1
DELLSONiC(config-if-Eth1/1)# port-security violation protect
DELLSONiC(config-if-Eth1/1)# port-security maximum 1
DELLSONiC(config-if-Eth1/1)# port-security enable
DELLSONiC(config-if-Eth1/1)# shutdown
DELLSONiC(config-if-Eth1/1)# no shutdown
DELLSONiC(config-if-Eth1/1)# end

After configuring port security, only one MAC address is learned. The shutdown / no shutdown bounces the port, which flushes the two dynamic entries learned earlier; with the limit in place, the source MAC of the first frame received after the port comes back up is the one that gets learned, and frames from the second MAC are dropped and logged as a violation.

DELLSONiC# show mac address-table interface Eth 1/1
-----------------------------------------------------------
VLAN         MAC-ADDRESS         TYPE         INTERFACE           
-----------------------------------------------------------
2500        XX:XX:XX:XX:XX:XX   DYNAMIC       Eth1/1             

Verify

Use the following commands to verify. 

Command Explanation
DELLSONiC# show port-security
Show port security status on all interfaces.
DELLSONiC# show port-security interface Eth <slot/port> 
Show port security status on a particular interface.
DELLSONiC# show logging | grep "Port Mac Security violation"
Get the MAC addresses that triggered violations from the logs.

Sample Output (shows Port security Violation)

DELLSONiC# show port-security

Secure Port         isEnabled    MaxSecureAddr   FdbCount    ViolationCount    SecurityAction
--------------------------------------------------------------------------------------------------
    Eth1/1              Y            1               1           1                 PROTECT
DELLSONiC# show port-security interface Eth1/1

Interface : Eth1/1
Port MAC Security is Enabled : True
Maximum allowed Secure MAC   : 1
Action taken on Violation    : PROTECT
Total MAC address            : 1
Security Violation Count     : 1

Log Message (Date/Time and mac address masked)

DELLSONiC# show logging | grep "Port Mac Security violation"
XXX XX XX:XX:XX.XXXXXXXXXXXX XXXX DELLSONiC WARNING syncd#syncd: :- port_mac_sec_add_mac: Port Mac Security violation by MAC YY:YY:YY:YY:YY:YY Port Eth1/1
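For the "How can I find the MAC address blocked by port security?" question above and for the Verify section, here is an added example, not part of the article or of Dell's tooling: a small Python triage helper that parses the text of `show port-security` and the violation lines from `show logging` (as collected over SSH, for instance) and reports which MAC addresses were blocked on which port, plus which enabled ports have already filled their limit. The two sample inputs are constructed to match the output formats shown in the article; every MAC and timestamp in them is made up, and the function names are hypothetical.

```python
# Added example, not Dell's code: triage 'show port-security' and
# 'show logging | grep "Port Mac Security violation"' output.
import re
from collections import defaultdict

# Constructed sample in the format the article shows for 'show port-security'.
SAMPLE_PORT_SECURITY = """\
Secure Port         isEnabled    MaxSecureAddr   FdbCount    ViolationCount    SecurityAction
--------------------------------------------------------------------------------------------------
    Eth1/1              Y            1               1           2                 PROTECT
    Eth1/2              Y            2               2           0                 PROTECT
"""

# Constructed sample log lines (made-up timestamps and MACs); the last line is
# noise that mentions a MAC but is not a violation and must be ignored.
SAMPLE_LOG = """\
Jun 27 10:15:02.123456 2025 DELLSONiC WARNING syncd#syncd: :- port_mac_sec_add_mac: Port Mac Security violation by MAC 02:00:00:00:00:0b Port Eth1/1
Jun 27 10:15:02.654321 2025 DELLSONiC WARNING syncd#syncd: :- port_mac_sec_add_mac: Port Mac Security violation by MAC 02:00:00:00:00:0B Port Eth1/1
Jun 27 10:16:40.000001 2025 DELLSONiC WARNING syncd#syncd: :- port_mac_sec_add_mac: Port Mac Security violation by MAC 02:00:00:00:00:0c Port Eth1/1
Jun 27 10:17:00.000002 2025 DELLSONiC NOTICE admin: unrelated message mentioning MAC 02:00:00:00:00:ff
"""

VIOLATION_RE = re.compile(
    r"Port Mac Security violation by MAC "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) Port (?P<port>\S+)")


def violations_by_port(log_text: str) -> dict:
    """Map each port to the sorted, de-duplicated list of MACs it rejected."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:                                    # skip anything that is not a violation line
            seen[m["port"]].add(m["mac"].lower())
    return {port: sorted(macs) for port, macs in seen.items()}


def parse_port_security(table_text: str) -> dict:
    """Parse the 'show port-security' table into {port: {...}}.
    Header and rule lines do not have six fields with a numeric third column."""
    rows = {}
    for line in table_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[2].isdigit():
            continue
        port, enabled, max_addr, fdb, violations, action = fields
        rows[port] = {"enabled": enabled == "Y", "max": int(max_addr),
                      "fdb": int(fdb), "violations": int(violations), "action": action}
    return rows


def triage(table_text: str, log_text: str) -> dict:
    """Cross-reference the two outputs: ports in violation (with the offending
    MACs from the log) and enabled ports whose FdbCount already equals the limit."""
    table = parse_port_security(table_text)
    blocked = violations_by_port(log_text)
    in_violation = {p: {"count": r["violations"], "macs": blocked.get(p, [])}
                    for p, r in table.items() if r["violations"] > 0}
    at_limit = sorted(p for p, r in table.items()
                      if r["enabled"] and r["violations"] == 0 and r["fdb"] >= r["max"])
    return {"in_violation": in_violation, "at_limit": at_limit}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PORT_SECURITY, SAMPLE_LOG), indent=2))
```

The MAC is matched only inside the literal violation message, so log lines that merely contain a MAC-shaped string are not counted, and duplicates from repeated frames of the same offender collapse to one entry per port. Ports listed under at_limit are not in violation yet, but any new device plugged in behind them will be dropped and logged.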

Affected Products

Enterprise SONiC Distribution, PowerSwitch E3200-ON Series, Dell EMC Networking N3200-ON, PowerSwitch S5212F-ON, PowerSwitch S5224F-ON, PowerSwitch S5232F-ON, PowerSwitch S5248F-ON, PowerSwitch S5296F-ON, PowerSwitch Z9264F-ON, PowerSwitch Z9332F-ON , PowerSwitch Z9432F-ON ...
Article Properties
Article Number: 000218833
Article Type: How To
Last Modified: 27 Jun 2025
Version:  3