How to configure Port Security on Omada Switches

Configuration Guide
02-12-2026

Contents

Introduction

Requirements

Configuration

In Standalone Mode

Using CLI in Omada Controller

Verification

Conclusion

Introduction

Port Security allows you to set a limit on the number of MAC addresses that can be learned on a switch port, preventing MAC table exhaustion caused by malicious flooding attacks and ensuring stable network performance. When the number of learned MAC addresses exceeds the configured threshold, the switch can block unauthorized addresses, restrict abnormal traffic, or send alerts to administrators for timely response.

This feature is commonly used in enterprise access networks to control endpoint connections, in high-security environments to mitigate MAC flooding risks, and in shared or public access areas such as meeting rooms, hotels, or multi-tenant networks to prevent unauthorized device access and maintain reliable service.

Requirements

  • Omada Access, Access Plus, Access Pro, Access Max, Aggregation, Campus Switch
  • Omada Controller (Software Controller / Hardware Controller / Cloud Based Controller, V6.0 and above)

Configuration

In Standalone Mode

Step 1. Log in to the Switch Device Web Page and navigate to Security > Port Security.

The position of Port Security in the standalone page.

Step 2. Select one or more ports and configure the following parameters. Click Apply.

Configure the parameters of port config.

The explanation of parameters is as follows:

Port

Displays the port number.

Max Learned Number of MAC

Specify the maximum number of MAC addresses that can be learned on the port. When the learned MAC address number reaches the limit, the port will stop learning. It ranges from 0 to 64. The default value is 64.

Current Learned MAC

Displays the current number of MAC addresses that have been learned on the port.

Exceed Max Learned Trap

When Exceed Max Learned Trap is enabled and the maximum number of learned MAC addresses on the specified port is exceeded, a notification is generated and sent to the management host.

Learn Address Mode

Select the learn mode of the MAC addresses on the port. Three modes are provided:

Delete on Timeout: The switch will delete the MAC addresses that are not used or updated within the aging time. It is the default setting.

Delete on Reboot: The learned MAC addresses are not affected by the aging time and can only be deleted manually. The learned entries will be cleared after the switch is rebooted.

Permanent: The learned MAC addresses are not affected by the aging time and can only be deleted manually. The learned entries will be saved even if the switch is rebooted.

Status

Select the status of Port Security. Three kinds of status can be selected:

Drop: When the number of learned MAC addresses reaches the limit, the port will stop learning and discard the packets with the MAC addresses that have not been learned.

Forward: When the number of learned MAC addresses reaches the limit, the port will stop learning but send the packets with the MAC addresses that have not been learned.

Disable: The number limit on the port is not effective, and the switch follows the original forwarding rules. It is the default setting.

Note: Port Security cannot be enabled on the member ports of a LAG, and the port with Port Security enabled cannot be added to a LAG.

On one port, Port Security and 802.1x cannot be enabled at the same time.

Using CLI in Omada Controller

Step 1. Log in to the Controller web page and switch to the Site view. Navigate to Devices > Config > Device CLI.

The position of Device CLI.

Step 2. Enter the commands.

Enter interface configuration mode:

interface { fastEthernet port | range fastEthernet port-list | gigabitEthernet port | range gigabitEthernet port-list | ten-gigabitEthernet port | range ten-gigabitEthernet port-list }

Enable the port security feature of the port and configure the related parameters:

mac address-table max-mac-count { [max-number num] [exceed-max-learned enable | disable] [mode { dynamic | static | permanent } ] [ status { forward | drop | disable } ]}

The explanation of parameters is as follows:

max-number

Default Setting: 64

The maximum number of MAC addresses that can be learned on the port.

num

The valid values are from 0 to 64. The default value is 64.

exceed-max-learned

Default Setting: Disable

With exceed-max-learned enabled, when the maximum number of MAC addresses on the specified port is exceeded, a notification will be generated and sent to the management host.

enable

Enable exceed-max-learned.

disable

Disable exceed-max-learned.

mode

Default Setting: Delete on Timeout

Learn mode of the MAC addresses. There are three modes:

dynamic

The switch will delete the MAC addresses that are not used or updated within the aging time.

static

The learned MAC addresses are not affected by the aging time and can only be deleted manually. The learned entries will be cleared after the switch is rebooted.

permanent

The learned MAC addresses are not affected by the aging time and can only be deleted manually. The learned entries will be saved even if the switch is rebooted.

status

Default Setting: Disable

Status of port security feature. By default, it is disabled.

forward

When the number of learned MAC addresses reaches the limit, the port will stop learning but send the packets with the MAC addresses that have not been learned.

drop

When the number of learned MAC addresses reaches the limit, the port will stop learning and discard the packets with the MAC addresses that have not been learned.

disable

The number limit on the port is not effective, and the switch follows the original forwarding rules. It is the default setting.

Enter the command in the CLI window, then click Save.

Fill in commands in the CLI interface.

Step 3. Apply the commands.

Apply the commands.

Verification

If the command takes effect:

Step 1. Navigate to Devices, then show the running config of the switch configured with the command.

The position of Show Running Config.

Step 2. Find the configured port and confirm that the Port Security command is included.

Port configuration details in running config.

If the configuration fails:

Step 1. A pop-up notification appears in the upper-right corner of the controller.

The details of failure notification in the Omada controller.

Step 2. Navigate to Devices > Configuration Result to check the details and failure cases.

The position of Configuration Result.
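
The running-config check above can also be scripted. The following is an added example, not TP-Link code: it parses a running config for the `mac address-table max-mac-count` line and reports ports where the limit is not enforced. The config layout, the sample ports and the `max_allowed` policy threshold are assumptions; keywords and defaults follow the parameter descriptions in this article.

```python
# Defaults documented in the parameter descriptions above.
DEFAULTS = {"max-number": 64, "exceed-max-learned": "disable",
            "mode": "dynamic", "status": "disable"}

# Constructed sample; the layout of a real running config is an assumption.
SAMPLE_CONFIG = """\
interface gigabitEthernet 1/0/1
  mac address-table max-mac-count max-number 2 exceed-max-learned enable mode permanent status drop
interface gigabitEthernet 1/0/2
  mac address-table max-mac-count max-number 64 status forward
interface gigabitEthernet 1/0/3
"""

def parse_port_security(config):
    """Return {port: settings}; keywords omitted from a line keep their default."""
    ports, current = {}, None
    for line in config.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "interface":
            current = " ".join(tokens[1:])
            ports[current] = dict(DEFAULTS)
        elif current and tokens[:3] == ["mac", "address-table", "max-mac-count"]:
            args = tokens[3:]
            for key, value in zip(args[0::2], args[1::2]):
                if key in DEFAULTS:
                    ports[current][key] = int(value) if key == "max-number" else value
    return ports

def audit(ports, max_allowed=8):
    """List (port, finding) pairs; max_allowed is a hypothetical site policy."""
    findings = []
    for port, s in ports.items():
        if s["status"] == "disable":
            findings.append((port, "port security disabled: MAC limit not enforced"))
            continue
        if s["status"] == "forward":
            findings.append((port, "status forward: unlearned MACs are still forwarded"))
        if s["max-number"] > max_allowed:
            findings.append((port, f"max-number {s['max-number']} exceeds policy {max_allowed}"))
        if s["exceed-max-learned"] != "enable":
            findings.append((port, "no trap sent when the limit is exceeded"))
    return findings

if __name__ == "__main__":
    for port, finding in audit(parse_port_security(SAMPLE_CONFIG)):
        print(f"{port}: {finding}")
```

A port with no `max-mac-count` line is reported as disabled because that is the documented default status.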

Conclusion

This article introduces how to configure the Port Security feature in standalone mode and through the Omada Controller.

For more details on each function and its configuration, please go to the Download Center to download the manual for your product.
