Welcome

Dell Sites

Dell Technologies
Premier Sign In
Partner Program Sign In
Dell Financial Services
Support

Dell Sites

Dell Technologies
Premier Sign In
Partner Program Sign In
Dell Financial Services
Support

Sign Out

Welcome to Dell

My Account

Place orders quickly and easily
View orders and track your shipping status
Enjoy members-only rewards and discounts
Create and access a list of your products
Manage your Dell EMC sites, products, and product-level contacts using Company Administration.

US/EN

Cart

Your Dell.com Carts

Products
Solutions
Services
Contact Us

Support
Product Support
Manuals

Dell EMC SmartFabric OS10 User Guide Release 10.5.1

Notes, cautions, and warnings
About this guide
- Conventions
- Related Documents
- Documentation Feedback
Change history
Getting Started with Dell EMC SmartFabric OS10
- Switch with factory-installed OS10
- Switch without OS installed
- Downgrade to Release 10.5.0.0 or earlier releases
  - Roll back from 10.5.1.0 or later release to 10.5.0.0 or earlier release
- Switch deployment options
- Remote access
CLI Basics
- CONFIGURATION mode
- Check device status
- Command help
- Candidate configuration
- Copy running configuration
- Restore startup configuration
- Reload system image
- Filter show commands
- Common OS10 commands
Advanced CLI tasks
- Command alias
- Batch mode
  - batch
- Linux shell commands
- Using OS9 commands
  - feature config-os9-style
Dell EMC SmartFabric OS10 zero-touch deployment
- ZTD DHCP server configuration
- ZTD provisioning script
- ZTD CLI batch file
- Post-ZTD script
- ZTD commands
Dell EMC SmartFabric OS10 provisioning
- Using Ansible
- Example: Configure an OS10 switch using Ansible
System management
- System banners
- User session management
  - User session management commands
- Telnet server
  - Telnet commands
    - ip telnet server enable
    - ip telnet server vrf
- Simple Network Management Protocol
- System clock
  - Time zones and UTC offset reference
  - System Clock commands
- Network Time Protocol
- Precision Time Protocol
- Dynamic Host Configuration Protocol
- Containers
Interfaces
- Ethernet interfaces
- Unified port groups
- Z9264F-ON port-group profiles
- Port-groups on S5200F-ON switches
- L2 mode configuration
- L3 mode configuration
- Fibre Channel interfaces
  - Configuring wavelength
- Management interface
  - Management interface
- VLAN interfaces
- User-configured default VLAN
- VLAN scale profile
- Loopback interfaces
- Port-channel interfaces
  - Create port-channel
  - Add port member
  - Minimum links
  - Assign Port Channel IP Address
  - Remove or disable port-channel
  - Load balance traffic
  - Change hash algorithm
- Configure interface ranges
- Switch-port profiles
  - S4148-ON Series port profiles
  - S4148U-ON port profiles
- Configure negotiation modes on interfaces
- Configure breakout mode
- Breakout auto-configuration
- Reset default configuration
- Forward error correction
- Energy-efficient Ethernet
  - Enable energy-efficient Ethernet
  - Clear EEE counters
  - View EEE status/statistics
  - EEE commands
- View interface configuration
- Digital optical monitoring
  - Enable DOM and DOM traps
- Default MTU Configuration
- Interface commands
  - channel-group
  - default interface
  - default vlan-id
  - description (Interface)
  - duplex
  - enable dom
  - enable dom traps
  - feature auto-breakout
  - fec
  - interface breakout
  - interface ethernet
  - interface loopback
  - interface mgmt
  - interface null
  - interface port-channel
  - interface range
  - interface vlan
  - link-bundle-utilization
  - mode
  - mode l3
  - mtu
  - negotiation
  - port mode Eth
  - port-group
  - profile
  - scale-profile vlan
  - show discovered-expanders
  - show interface
  - show interface transceiver “Tunable wavelength”
  - show inventory media
  - show link-bundle-utilization
  - show port-channel summary
  - show port-group
  - show switch-port-profile
  - show system
  - show unit-provision
  - show vlan
  - shutdown
  - speed (Fibre Channel)
  - speed (Management)
  - switch-port-profile
  - switchport access vlan
  - switchport mode
  - switchport trunk allowed vlan
  - unit-provision
  - wavelength
  - default mtu
  - show default mtu
PowerEdge MX Ethernet I/O modules
- Operating modes
- Changing operating modes
- Restrictions
- Port groups on I/O modules
- Double-density QSFP28 interfaces
- Virtual ports
- Single-density QSFP28 interfaces
- Server-facing interfaces
- Replace MX Ethernet I/O modules
- MX-IOM Hardware Replacement
- View SmartFabric Services configuration
Fibre Channel
- Fibre Channel over Ethernet
  - Configure FIP snooping
- Terminology
- Virtual fabric
- Fibre Channel zoning
- F_Port on Ethernet
- Pinning FCoE traffic to a specific port of a port-channel
- Multiswitch fabric (E Port)
- Multi-hop FIP-snooping bridge
- Configuration guidelines
- NPIV Proxy Gateway cascading
- Support for untagged VLAN in FCoE
- Rebalance FC sessions (NPG)
- Load balancing after system reboot
- F_Port commands
- NPG commands
- F_Port and NPG commands
- FIP-snooping commands
- FCoE commands
Layer 2
- 802.1X
- Far-end failure detection
- Link Aggregation Control Protocol
- Link Layer Discovery Protocol
- Media Access Control
- Spanning-tree protocol
- Virtual LANs
- Port monitoring
Layer 3
- Virtual routing and forwarding
- Bidirectional Forwarding Detection
- Border Gateway Protocol
- Equal cost multi-path
- IPv4 routing
- IPv6 routing
- Open shortest path first
- Object tracking manager
- Policy-based routing
- Virtual Router Redundancy Protocol
Multicast
- Important notes
- Configure multicast routing
- Unknown multicast flood control
  - Enable multicast flood control
- Multicast Commands
  - multicast snooping flood-restrict
- Internet Group Management Protocol
- Multicast Listener Discovery Protocol
  - MLD snooping
  - MLD snooping commands
- Protocol Independent Multicast
- Multicast VRF sample configuration
- VLT multicast routing
VXLAN
- VXLAN concepts
- VXLAN as NVO solution
- Configure VXLAN
- L3 VXLAN route scaling
- DHCP relay on VTEPs
- View VXLAN configuration
- VXLAN MAC addresses
- VXLAN commands
- VXLAN MAC commands
- Example: VXLAN with static VTEP
- BGP EVPN for VXLAN
- Controller-provisioned VXLAN
UFT modes
- Configure UFT modes
  - IPv6 extended prefix routes
- UFT commands
Security
- Switch security
- Network security
OpenFlow
- OpenFlow logical switch instance
- OpenFlow controller
- OpenFlow version 1.3
- OpenFlow use cases
- Configure OpenFlow
  - Establish TLS connection
- OpenFlow commands
- OpenFlow-only mode commands
Access Control Lists
- IP ACLs
- MAC ACLs
- Control-plane ACLs
  - Control-plane ACL qualifiers
- IP fragment handling
- L3 ACL rules
- Assign sequence number to filter
- Delete ACL rule
- L2 and L3 ACLs
- Assign and apply ACL filters
- Ingress ACL filters
- Egress ACL filters
- VTY ACLs
- SNMP ACLs
- Clear access-list counters
- IP prefix-lists
- Route-maps
- Match routes
- Set conditions
- Continue clause
- ACL flow-based monitoring
- Enable flow-based monitoring
- View ACL table utilization report
  - Known behavior
- ACL logging
  - Important notes
- ACL commands
  - clear ip access-list counters
  - clear ipv6 access-list counters
  - clear mac access-list counters
  - deny
  - deny (IPv6)
  - deny (MAC)
  - deny icmp
  - deny icmp (IPv6)
  - deny ip
  - deny ipv6
  - deny tcp
  - deny tcp (IPv6)
  - deny udp
  - deny udp (IPv6)
  - description
  - ip access-group
  - ip access-list
  - ip as-path access-list
  - ip community-list standard deny
  - ip community–list standard permit
  - ip extcommunity-list standard deny
  - ip extcommunity-list standard permit
  - ip prefix-list description
  - ip prefix-list deny
  - ip prefix-list permit
  - ip prefix-list seq deny
  - ip prefix-list seq permit
  - ipv6 access-group
  - ipv6 access-list
  - ipv6 prefix-list deny
  - ipv6 prefix-list description
  - ipv6 prefix-list permit
  - ipv6 prefix-list seq deny
  - ipv6 prefix-list seq permit
  - mac access-group
  - mac access-list
  - permit
  - permit (IPv6)
  - permit (MAC)
  - permit icmp
  - permit icmp (IPv6)
  - permit ip
  - permit ipv6
  - permit tcp
  - permit tcp (IPv6)
  - permit udp
  - permit udp (IPv6)
  - remark
  - seq deny
  - seq deny (IPv6)
  - seq deny (MAC)
  - seq deny icmp
  - seq deny icmp (IPv6)
  - seq deny ip
  - seq deny ipv6
  - seq deny tcp
  - seq deny tcp (IPv6)
  - seq deny udp
  - seq deny udp (IPv6)
  - seq permit
  - seq permit (IPv6)
  - seq permit (MAC)
  - seq permit icmp
  - seq permit icmp (IPv6)
  - seq permit ip
  - seq permit ipv6
  - seq permit tcp
  - seq permit tcp (IPv6)
  - seq permit udp
  - seq permit udp (IPv6)
  - show access-group
  - show access-lists
  - show acl-table-usage detail
  - show ip as-path-access-list
  - show ip community-list
  - show ip extcommunity-list
  - show ip prefix-list
  - show logging access-list
- Route-map commands
  - continue
  - match as-path
  - match community
  - match extcommunity
  - match interface
  - match ip address
  - match ip next-hop
  - match ipv6 address
  - match ipv6 next-hop
  - match metric
  - match origin
  - match route-type
  - match tag
  - route-map
  - set comm-list add
  - set comm-list delete
  - set community
  - set extcomm-list add
  - set extcomm-list delete
  - set extcommunity
  - set local-preference
  - set metric
  - set metric-type
  - set next-hop
  - set origin
  - set tag
  - set weight
  - show route-map
Quality of service
- Configure quality of service
- Ingress traffic classification
  - Data traffic classification
  - Control-plane policing
- Egress traffic classification
- Policing traffic
- Mark Traffic
- Color traffic
- Modify packet fields
- Shaping traffic
- Bandwidth allocation
- Strict priority queuing
- Rate adjustment
- Buffer management
- Congestion avoidance
- Storm control
- RoCE for faster access and lossless connectivity
- Port to port-pipe and MMU mapping
- QoS commands
Virtual Link Trunking
- Terminology
- VLT domain
- VLT interconnect
- Graceful LACP with VLT
- Configure VLT
- Configure VRRP Active-Active mode
- Migrate VMs across data centers with eVLT
- View VLT information
- VLT commands
Uplink Failure Detection
- Configure uplink failure detection
- Uplink failure detection on VLT
  - Sample configurations of UFD on VLT
- UFD commands
Converged data center services
- Priority flow control
- Enhanced transmission selection
- Data center bridging eXchange
- Internet small computer system interface
- Converged network DCB example
sFlow
- Enable sFlow
- Max-header size configuration
- Collector configuration
- Polling-interval configuration
- Sample-rate configuration
- Source interface configuration
- View sFlow information
- sFlow commands
Telemetry
- Telemetry terminology
- YANG-modeled telemetry data
- Configure telemetry
- View telemetry configuration
- Telemetry commands
- Example: Configure streaming telemetry
RESTCONF API
- Configure RESTCONF API
- RESTCONF request of CLI command
  - Obtain RESTCONF API documentation from OS10
  - Translated RESTCONF requests example
- REST Token-Based Authentication
- CLI commands for RESTCONF API
- RESTCONF API tasks
  - View XML structure of CLI commands
  - RESTCONF API Examples
    - System
    - Interface
Troubleshoot Dell EMC SmartFabric OS10
- Diagnostic tools
- Recover Linux password
- Recover OS10 user name password
- Restore factory defaults
- SupportAssist
- Support bundle
  - Event notifications
  - generate support-bundle
- System monitoring
- Log into OS10 device
- Frequently asked questions
Support resources

PDF

Loading, Please wait

Port security

Use the port security feature to restrict the number of workstations that can send traffic through an interface and to control MAC address movement.

Port security is a package of the following sub features that provide added security to the system:

MAC address learning limit (MLL)
Sticky MAC
MAC address movement control

Use the port security feature to define the number of workstations that can send traffic through an interface. MAC addresses that are learnt or statically configured on a port security enabled interface are called secure MAC addresses.

NOTE: Port security features are not supported in a VLT setup.

There are three types of Secure MAC addresses :

Static secure MAC addresses are configured manually. These MAC addresses are stored both in the MAC address table and in the running configuration of the switch. Similar to static MAC addresses, when the system reloads, the system does not remove the static secure MAC addresses. When you enable port security on an interface, all existing static MAC addresses become static secure MAC addresses. These static secure MAC addresses remain in the system until you remove them.
Dynamic secure MAC addresses are dynamically-learned by the switch and stored in the MAC address table. These MAC addresses are removed from the MAC address table when the switch restarts. By default, dynamic secure MAC addresses do not age out.
Sticky secure MAC addresses are learned dynamically but are saved in the running configuration. Secure sticky MAC addresses never age out.

After you enable port security on an interface, by default, the maximum number of MAC address that the interface can learn is one. This is applicable for both dynamic and static secure MAC addresses. After you enable port security on an interface, by default, sticky MAC addresses and MAC movement are disabled on the interface.

MAC address learning limit

Using the MAC address learning limit method, you can set an upper limit on the number of allowed MAC addresses on an interface. Limiting the MAC addresses protects switches from MAC address flooding attacks. After the configured limit is reached on an interface, by default, the system drops all traffic from any unknown device.

When you configure MAC address learning limit, ensure that the number of static MAC addresses present on the system is not greater than the MAC address learning limit that you configure. If the number of dynamically-learned MAC addresses is greater than your MAC address limit, the system flushes all dynamically-learned MAC addresses.

You can configure an interface to learn a maximum of 3072 MAC addresses. You can also disable the MAC address learning limit feature so that the interface can learn the maximum number MAC addresses that the system supports. Disabling the MAC address learning limit feature does not remove the previously learned or configured secure MAC addresses.

MAC address movement

A MAC address movement happens when the system detects the same MAC address on an interface which it has already learned through another port security-enabled interface on the same broadcast domain. MAC address movement is not allowed for secure static and sticky MAC addresses. By default, MAC address movement for dynamically-learned MAC address is disabled on the system.

Secure dynamic MAC address movement is allowed between port-security-enabled and port-security-disabled interfaces.

Sticky MAC addresses

When you reload the system, port security removes the dynamically learned secure MAC addresses. You can use the sticky feature to make the dynamically learned secure MAC addresses persist even after a system reboot so that the interface does not have to learn these MAC addresses again. Use the copy running-configuration startup-configuration command to save the sticky secure MAC addresses.

When you enable sticky MAC address learning on an interface, all existing dynamically-learned MAC addresses and MAC addresses that are learned in the future are converted to sticky MAC addresses.

To enable sticky MAC address learning on an interface, ensure that the mac learn no-limit command is not configured.

Port security violations

There are two types of port security violations.

Mac address learning limit violation
Mac address move violation

Mac address learning limit violation

After the number of secure MAC address reaches the maximum configured, if an interface receives a frame with the source MAC address different from any of the learned MAC addresses, the system considers this as a MAC address learning limit violation.

You can configure MAC address learning limit violation actions.

log — The system drops the packet and displays a log message with the VLAN, interface, and the source MAC address that caused the violation.
drop — The system drops the packet and does not display a log message.
forward — The system forwards the packet without learning the source MAC address or displaying a log message.
shutdown — The system shuts down the port.

Mac address move violation

If the system detects the same MAC address in a port-security-enabled interface which it has already learned through another port-security-enabled interface, by default, the system considers this as a MAC address move violation. You can configure MAC address move violation actions. You can also configure the system to permit MAC address movement across port security-enabled interfaces.

You can configure MAC address move violation actions.

log — The system drops the packet and displays a log message with the VLAN, interface, and the source MAC address that caused the violation.
drop — The system drops the packet and does not display a log message.
shutdown-both — The system shuts down both the original and offending interfaces.
shutdown-offending — The system shuts down the offending interface.
shutdown-original — The system shuts down the interface that originally learned the MAC address that moved.

MAC address aging

By default, dynamically-learned secure MAC addresses do not age out. You can enable aging for secure MAC addresses so that the dynamically-learned MAC addresses are deleted from the MAC address table after the configured aging period.

Enable port security on the system

To enable port security on the system globally:

Enter the following command in CONFIGURATION mode:
```
switchport port-security
```
NOTE: By default, port security is enabled globally. To disable the port security feature on the system, use the no switchport port-security command in CONFIGURATION mode.

Enable port security on an interface

To enable port security on an interface:

Enter the following command in INTERFACE mode:
```
switchport port-security
```
Enable port security in CONFIGURATION-PORT-SECURITY mode:
```
no disable
```
NOTE: To disable the port security feature on an interface, use the disable command in CONFIGURATION-PORT-SECURITY mode.

Configure the MAC address learning limit

After you enable port security on an interface, the interface can learn one secure MAC address by default. This limit is applicable for both secure dynamic and secure static MAC addresses.

To configure the MAC address learning limit:

Enter the following command in INTERFACE mode:
```
switchport port-security
```
Configure the number of secure MAC addresses that an interface can learn in INTERFACE PORT SECURITY mode:
```
mac-learn {limit | no-limit}
```
For the limit keyword, the range is from 0 to 3072. To enable the interface to learn the maximum number of MAC addresses that the hardware supports, use the no-limit keyword.

MAC address learning limit example

OS10# configure terminal
OS10(config)#interface ethernet 1/1/1
OS10(config-if-eth1/1/1)#switchport port-security 
OS10(config-if-port-sec)# no disable
OS10(config-if-port-sec)#mac-learn limit 100

Configure MAC address learning limit violation actions

Use the following commands in INTERFACE PORT SECURITY mode:

To display which MAC address causes a violation, use the log option. The system also drops the packet.
```
OS10(config-if-port-sec)#mac-learn limit violation log
```
To drop the packet when a MAC address learning limit violation occurs, use the drop option.
```
OS10(config-if-port-sec)#mac-learn limit violation drop
```
To forward the packet when a MAC address learning limit violation occurs, use the flood option. The system does not learn the MAC address.
```
OS10(config-if-port-sec)#mac-learn limit violation forward
```
To shut down an interface on a MAC address learning limit violation, use the shutdown option.
```
OS10(config-if-port-sec)#mac-learn limit violation shutdown
```

MAC address learning limit violation actions configuration example

OS10# configure terminal
OS10(config)#interface ethernet 1/1/1
OS10(config-if-eth1/1/1)#switchport port-security 
OS10(config-if-port-sec)#no disable
OS10(config-if-port-sec)#mac-learn limit 100
OS10(config-if-port-sec)#mac-learn limit violation shutdown

Configure sticky MAC addresses

To enable sticky MAC address learning on an interface:

Enter the following command in INTERFACE PORT SECURITY mode:

sticky

NOTE: Before enabling sticky MAC address learning, ensure that you restrict the number of MAC address that an interface can learn using the mac-learn limit command.

Sticky MAC addresses configuration example

OS10# configure terminal
OS10(config)#interface ethernet 1/1/1
OS10(config-if-eth1/1/1)#switchport port-security 
OS10(config-if-port-sec)#no disable
OS10(config-if-port-sec)#mac-learn limit 100
OS10(config-if-port-sec)#sticky

Permit MAC address movement

Use the following command in INTERFACE PORT SECURITY mode:

OS10(config-if-port-sec)#mac-move allow

MAC address movement configuration example

OS10# configure terminal
OS10(config)#interface ethernet 1/1/1
OS10(config-if-eth1/1/1)#switchport port-security 
OS10(config-if-port-sec)#no disable
OS10(config-if-port-sec)#mac-learn limit 100
OS10(config-if-port-sec)#mac-move allow

Configure MAC address movement violation actions

Use the following commands in INTERFACE PORT SECURITY mode:

To display which MAC address causes a violation, use the log option. The system also drops the packet.
```
OS10(config-if-port-sec)#mac-move violation log
```
To drop the packet when a MAC address movement violation occurs, use the drop option.
```
OS10(config-if-port-sec)#mac-move violation drop
```
To shut down the original interface that learned the MAC address on a MAC movement violation, use the shutdown-original option.
```
OS10(config-if-port-sec)#mac-move violation shutdown-original
```
To shut down the interface that detected a MAC address that is already learned by another interface, use the shutdown-offending option.
```
OS10(config-if-port-sec)#mac-move violation shutdown-offending
```
To shut down both original and offending interfaces, use the shutdown-both option.
```
OS10(config-if-port-sec)#mac-move violation shutdown-both
```

Recover an error-disabled interface

Shut down the interface in INTERFACE mode.
```
shutdown
```
Bring the interface up in INTERFACE mode.
```
no shutdown
```

Clear an error-disabled state of all interfaces

To clear the error-disabled state of all interfaces that was caused by a MAC address learning limit violation, use the following command in CONFIGURATION mode:
```
errdisable reset cause mac-learn-limit violation
```
To clear the error-disabled state of all interfaces that was caused by a MAC address movement violation, use the following command in CONFIGURATION mode:
```
errdisable reset cause mac-move-violation
```
To clear the error-disabled state of all interfaces that was caused by all violation incidents, use the following command in CONFIGURATION mode:
```
errdisable reset cause all
```

Recover an error-disabled state of interfaces automatically

To automatically recover error-disabled interfaces that was caused by a MAC address learning limit violation, use the following command in CONFIGURATION mode:
```
errdisable recovery cause mac-learn-limit violation
```
To automatically recover error-disabled interfaces that was caused by a MAC address movement violation, use the following command in CONFIGURATION mode:
```
errdisable recovery cause mac-move-violation
```
Configure the recovery interval timer to delay the recovery of an error-disabled interface in CONFIGURATION mode. The range is from 30 to 65,535 in seconds.
```
errdisable recovery interval 30
```

Configure secure static MAC addresses

To configure a secure static MAC address, use the following command in CONFIGURATION mode:
```
mac address-table static mac-address vlan vlan-id interface {ethernet node/slot/port[:subport] | port-channel number}
```
NOTE: The configured MAC address becomes secure MAC address only if you enable the port security feature on the interface.

Secure static MAC addresses configuration example

OS10# configure terminal
OS10(config)#interface port-channel 1
OS10(conf-if-po-1)#switchport port-security 
OS10(config-if-port-sec)#no disable
OS10(config-if-po-1)#exit
OS10(config)#  mac address-table static 03:ab:cd:21:ba:01 vlan 1 interface port-channel 1

Remove statically-configured secure MAC addresses

To remove statically-configured secure MAC addresses, use the following command in EXEC mode:

clear mac address-table secure {{dynamic | sticky} {address mac_addr | vlan vlan-id | interface {ethernet node/slot/port[:subport] | port-channel}} | all}

Remove statically-configured secure MAC addresses configuration example

OS10# clear mac address-table secure sticky vlan 1
OS10#clear mac address-table secure sticky interface port-channel 128
OS10#clear mac address-table secure sticky address 00:00:00:00:00:01 vlan 100

View statically-configured secure MAC addresses

To view the statically-configured secure MAC addresses, use the following command in EXEC mode:

show mac address-table secure {{dynamic | static | sticky} {vlan vlan-id | interface {ethernet node/slot/port[:subport] | port-channel}}}

View statically-configured secure MAC addresses example

OS10# show mac address-table secure sticky

VlanId   MAC Address                    Type                    Interface
1        4c:76:25:e5:4f:51            sticky                   ethernet1/1/5
1        4c:76:25:e5:4f:55            sticky                   ethernet1/1/6
1        4c:76:25:e5:4f:59            sticky                   ethernet1/1/7

os10# show mac address-table secure dynamic

VlanId   MAC Address                    Type                    Interface
10       4c:76:25:e5:4f:51           dynamic                port-channel120
11       4c:76:25:e5:4f:55            dynamic               ethernet1/1/6
12       4c:76:25:e5:4f:59            dynamic                   ethernet1/1/7

os10# show mac address-table secure  static

VlanId   MAC Address                    Type                    Interface
10       4c:76:25:e5:4f:51            static                port-channel120
11       4c:76:25:e5:4f:55              static               ethernet1/1/6
12       4c:76:25:e5:4f:59            static                   ethernet1/1/7

View the number of secure MAC addresses on the system

To view the number of secure MAC addresses on the system, use the following command in EXEC mode:

show mac address-table count [interface {ethernet slot/port:subport | port-channel number | vlan vlan-id}]

View the number of secure MAC addresses on the system example

OS10# show MAC address-table count 
MAC Entries for all vlans :
Dynamic Address Count: 10000
Total secure dynamic MAC addresses: 5000 of (10000)
Static Address (User-defined) Count : 5000
Total secure static MAC addresses:200 of (5000)
Total secure sticky MAC addresses :0
Total MAC Addresses in Use: 15000

View port-security parameters for all interfaces

To view port-security parameters for all interfaces, use the following command in EXEC mode:

show switchport port-security [interface {ethernet node/slot/port[:subport] | port-channel port-channel-number}]

View port-security parameters for all interfaces example

OS10# show switchport port-security

Global Port-security status       :Enable

Interface name                    : eth1/1/1

Port Security                     :Enabled
Port Status                       :Error-Disable
Mac learn limit                   :100
Mac-learn limit-Violation action  :Shutdown
Sticky                            :Disabled  
Mac-move-allow                    :Not Allowed
mac-move-violation action         :shutdown-both
Aging                             :Enabled
Total MAC Addresses               :10
Secure static MAC Addresses       :0
Sticky MAC Addresses              :10
Secure Dynamic MAC addresses      :0

Interface name                    : eth1/1/10

Port Security                     :Enabled 
Port Status                       :Error-Disable
Mac learn limit                   :100
Mac-learn-limit-Violation action  :Shutdown
Sticky                            :Disabled 
Mac-move-allow                    :Not Allowed
mac-move-violation action         :shutdown-both
Aging                             :Enabled
Total MAC Addresses               :11
Secure static MAC Addresses       :0
Sticky MAC Addresses              :0
Secure Dynamic MAC addresses      :11

OS10# show switchport port-security interface ethernet 1/1/1

Global Port-security status       :Enable

Interface name                    : ethernet1/1/1

Port Security                     :Enabled
Port Status                       :Error-Disable
Mac-learn limit                   :1024
MaC-learn-limit-Violation Action  :Shutdown
Sticky                            :Enabled
Mac-move-allow                    :Not Allowed
Mac-move-violation                :shutdown-both
Aging                             :Disbaled
Total MAC Addresses               :10
Secure static MAC Addresses       :0
Sticky MAC Addresses              :10
Secure Dynamic MAC addresses      :0

OS10# show switchport port-security interface port-channel 120

Interface name                    : port-channel 120

Port Security                     :Disabled
Port Status                       : Up
mac-learn limit                :1024
Mac-learn-limit-Violation Action  :Flood
Sticky                            :Enabled
Mac-move-allow                    :Allowed
Mac-move-violation                :shutdown-offending
Aging                             :Disabled
Total MAC Addresses               :11
Secure static MAC Addresses       :0
Sticky MAC Addresses              :11
Secure Dynamic MAC addresses      :0

View the error disabled state of interfaces

The Errdisable Cause column displays one or more reasons for the error-disabled state of an interface. If an interface is put in to the Error Disabled state for multiple reasons, the interface does not come up unless you enable automatic recovery for all the reasons.

OS10# show errdisable recovery

Error-Disable Recovery Timer Interval : 300 seconds

Error-Disable Reason Recovery Status
----------------------------------------
bpduguard                     Enabled
MLL violation                 Enabled
MAC-move-violation            Enabled

                                                          Recovery Time Left
Interface          Errdisable Cause                       (seconds)
-----------------------------------------------------------------------
ethernet1/1/1:1    bpduguard                              30
ethernet1/1/1:2    bpduguard                              1
ethernet1/1/10     bpduguard/mac-learn limit/mac-move     10
port-channel100    Mac-learn limit                        50
port-channel128    mac-move                               49

Rate this content

All fields are required unless marked otherwise.

Accurate

not accurate

somewhat accurate

mostly accurate

accurate

very accurate

Useful

not useful

somewhat useful

mostly useful

useful

very useful

Easy to understand

not easy

somewhat easy

mostly easy

easy

very-easy

Was this article helpful?

Yes

Send us feedback (Optional)

0/3000 characters

Comments cannot contain these special characters: <>()\

Sorry, our feedback system is currently down. Please try again later.

Thank you for your feedback.

Please provide ratings (1-5 stars).

Please select whether the article was helpful or not.

Comments cannot contain these special characters: <>()\

US/EN

Site Map

Account

My Account
Order Status
My Products
Make a Payment
Dell Rewards Balance

Support

Support Home
Contact Technical Support
Returns

Connect with Us

Community
Contact Us
X (Twitter)
LinkedIn
Instagram
YouTube

Site Map

US/EN

Our Offerings

APEX
Products
Solutions
Services
Deals

Our Company

Who We Are
Careers
Dell Technologies Capital
Investors
Newsroom
Perspectives
Recycling
ESG & Impact
Customer Stories

Our Partners

Find a Partner
Find a Reseller
OEM Solutions
Partner Program

Resources

Blog
Dell Rewards
Events
Email Sign-Up
Dell Learning Center
Glossary
Privacy Center
Resource Library
Security & Trust Center
Trial Software Downloads

Dell Technologies
Dell Premier
Dell Financial Services

Terms of Sale
Privacy Statement
Do Not Sell or Share My Personal Information
Cookies, Ads & Emails
Legal & Regulatory
Accessibility
Anti-Slavery & Human Trafficking