- H3C Campus Fixed-Port Switches CLI-Based Quick Start Configuration Guide-6W101
Port Security Quick Start Configuration Guide
Copyright © 2022 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Configuring port security in autoLearn mode
Introduction
This section uses an example to describe the basic procedure for placing a port in autoLearn mode for port security.
Network configuration
As shown in Figure 1, configure the user-attached port (Ten-GigabitEthernet 1/0/1 in this example) on the device to meet the following requirements:
· Allow up to 64 users to access the Internet through the port without authentication.
· Prevent additional users from accessing the Internet through the port after the number of online users on the port reaches the limit.
To meet these requirements:
· Place the port in autoLearn mode. In this mode, the port learns the source MAC addresses of incoming frames and adds them to the secure MAC address table until the specified limit is reached. The port identifies users by MAC address only; no credentials are checked.
· Set port security's limit on the number of secure MAC addresses to 64.
· By default, secure MAC addresses do not age out. To prevent inactive or malicious users from holding secure MAC table entries permanently, set a secure MAC aging timer.
· Set the intrusion protection action to disableport-temporarily, so that when a frame with an unknown source MAC address arrives while the secure MAC address table is full, the port shuts down for 30 seconds.
Restrictions and guidelines
Set port security's limit on the number of secure MAC addresses on a port before you place that port in autoLearn mode. You cannot change the secure MAC address limit on a port in autoLearn mode.
Procedure
# Enable port security.
<Device> system-view
[Device] port-security enable
# Set the secure MAC aging timer to 30 minutes.
[Device] port-security timer autolearn aging 30
# Set port security's limit on the number of secure MAC addresses to 64 on Ten-GigabitEthernet 1/0/1.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] port-security max-mac-count 64
# Place the port in autoLearn mode for port security.
[Device-Ten-GigabitEthernet1/0/1] port-security port-mode autolearn
# Set the intrusion protection action to disableport-temporarily on the port, and configure port security to shut down the port for 30 seconds after intrusion protection is triggered. The disableport timer is a global setting (configured in system view) and applies to every port that uses this action.
[Device-Ten-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
[Device-Ten-GigabitEthernet1/0/1] quit
[Device] port-security timer disableport 30
Verifying the configuration
# Execute the display port-security interface command to verify that port security is correctly configured.
[Device] display port-security interface ten-gigabitethernet 1/0/1
Global port security parameters:
Port security : Enabled
AutoLearn aging time : 30 min
Disableport timeout : 30 s
Blockmac timeout : 180 s
MAC move : Denied
Authorization fail : Online
NAS-ID profile : Not configured
Dot1x-failure trap : Disabled
Dot1x-logon trap : Disabled
Dot1x-logoff trap : Disabled
Intrusion trap : Disabled
Address-learned trap : Disabled
Mac-auth-failure trap : Disabled
Mac-auth-logon trap : Disabled
Mac-auth-logoff trap : Disabled
Open authentication : Disabled
OUI value list :
Ten-GigabitEthernet1/0/1 is link-up
Port mode : autoLearn
NeedToKnow mode : Disabled
Intrusion protection mode : DisablePortTemporarily
Security MAC address attribute
Learning mode : Sticky
Aging type : Periodical
Max secure MAC addresses : 64
Current secure MAC addresses : 5
Authorization : Permitted
NAS-ID profile : Not configured
Free VLANs : Not configured
Open authentication : Disabled
MAC-move VLAN check bypass : Disabled
The output shows that the port allows a maximum of 64 secure MAC addresses, its port security mode is autoLearn, its intrusion protection action is DisablePortTemporarily, and it will shut down for 30 seconds after the intrusion protection action is triggered. The AutoLearn aging time field confirms that the 30-minute secure MAC aging timer is in effect.
To view the number of secure MAC addresses learned on the port, examine the Current secure MAC addresses field.
# To view each secure MAC address, execute the display this command in interface view for the port. In autoLearn mode the learned addresses are saved as sticky entries in the running configuration, so they also appear in the configuration file once it is saved.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] display this
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port-security intrusion-mode disableport-temporarily
port-security max-mac-count 64
port-security port-mode autolearn
port-security mac-address security sticky 00e0-fc00-5920 vlan 1
port-security mac-address security sticky 00e0-fc00-592a vlan 1
port-security mac-address security sticky 00e0-fc00-592b vlan 1
port-security mac-address security sticky 00e0-fc00-592c vlan 1
port-security mac-address security sticky 00e0-fc00-592d vlan 1
#
# When the number of MAC addresses learned on the port reaches 64, execute the display port-security interface command to verify that the port security mode changes to secure mode. In secure mode, the port stops learning MAC addresses. (Details not shown.)
# After the port receives a frame with an unknown MAC address, execute the display interface command to verify that the port shuts down for intrusion protection and comes up 30 seconds later. (Details not shown.)
# Delete several secure MAC addresses. Verify that the port security mode changes to autoLearn and the port can learn MAC addresses again. (Details not shown.)
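The two outputs above are easy to eyeball on one switch, but on many ports they are better checked by script. The following Python audit is an added example, not part of the H3C guide: it parses the display port-security interface output and the display this output in the formats shown above, and reports whether the port meets this section's requirements (port security enabled, autoLearn mode, a 64-address limit, the disableport-temporarily action with a 30-second timer, and an aging timer set). It also cross-checks the live secure MAC count against the sticky entries in the running configuration. The sample outputs are constructed and abridged from the guide's own example; how an unset aging timer prints is not shown on this page, so the script treats anything other than a positive number of minutes as "not set" (an assumption).

```python
import re

# Constructed sample, abridged from the guide's own
# `display port-security interface ten-gigabitethernet 1/0/1` output.
DISPLAY_OUTPUT = """\
Global port security parameters:
 Port security : Enabled
 AutoLearn aging time : 30 min
 Disableport timeout : 30 s
 Blockmac timeout : 180 s
 MAC move : Denied
 OUI value list :
Ten-GigabitEthernet1/0/1 is link-up
 Port mode : autoLearn
 NeedToKnow mode : Disabled
 Intrusion protection mode : DisablePortTemporarily
 Security MAC address attribute
 Learning mode : Sticky
 Aging type : Periodical
 Max secure MAC addresses : 64
 Current secure MAC addresses : 5
"""

# Constructed sample: the guide's `display this` output for the same port.
RUNNING_CONFIG = """\
#
interface Ten-GigabitEthernet1/0/1
 port link-mode bridge
 port-security intrusion-mode disableport-temporarily
 port-security max-mac-count 64
 port-security port-mode autolearn
 port-security mac-address security sticky 00e0-fc00-5920 vlan 1
 port-security mac-address security sticky 00e0-fc00-592a vlan 1
 port-security mac-address security sticky 00e0-fc00-592b vlan 1
 port-security mac-address security sticky 00e0-fc00-592c vlan 1
 port-security mac-address security sticky 00e0-fc00-592d vlan 1
#
"""

FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")
STICKY_RE = re.compile(
    r"^\s*port-security mac-address security sticky "
    r"([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}) vlan (\d+)", re.M)


def parse_fields(text):
    """Map 'Key : Value' lines to a dict. Keys that appear both globally and
    per port (e.g. NAS-ID profile) keep their first, global, occurrence."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields.setdefault(m.group(1), m.group(2))
    return fields


def sticky_entries(config):
    """Sticky secure MACs the port has saved into its running config."""
    return [(mac, int(vlan)) for mac, vlan in STICKY_RE.findall(config)]


def audit(display, config, max_mac=64, disable_secs=30):
    """Return a list of findings; an empty list means the port matches the
    guide's requirements (autoLearn, limit, temporary shutdown, aging)."""
    f = parse_fields(display)
    findings = []

    def expect(key, want):
        got = f.get(key)
        if got is None or got.lower() != want.lower():
            findings.append(f"{key}: want {want!r}, got {got!r}")

    expect("Port security", "Enabled")
    expect("Port mode", "autoLearn")
    expect("Max secure MAC addresses", str(max_mac))
    expect("Intrusion protection mode", "DisablePortTemporarily")
    expect("Disableport timeout", f"{disable_secs} s")

    # Secure MACs never age out by default. The guide shows "30 min" once a
    # timer is set; anything that is not a positive number of minutes is
    # flagged here (assumption: the unset form is not shown on the page).
    aging = re.match(r"(\d+) min$", f.get("AutoLearn aging time", ""))
    if not aging or int(aging.group(1)) == 0:
        findings.append("secure MAC aging timer not set")

    # Cross-check the live count against the sticky entries in the config.
    current = int(f.get("Current secure MAC addresses", "-1"))
    sticky = sticky_entries(config)
    if current != len(sticky):
        findings.append(f"display reports {current} secure MACs, "
                        f"config holds {len(sticky)} sticky entries")
    if current >= max_mac:
        findings.append("port is full: secure mode, no new MACs learned")
    return findings


if __name__ == "__main__":
    for line in audit(DISPLAY_OUTPUT, RUNNING_CONFIG) or ["OK"]:
        print(line)
```

Feed the script the captured text of the two commands for each user-facing port; a non-empty result marks a port that drifted from the intended settings (for example a raised max-mac-count) or one that has reached its limit and is silently dropping new hosts.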
Configuration files
#
port-security enable
port-security timer disableport 30
port-security timer autolearn aging 30
#
interface Ten-GigabitEthernet1/0/1
port link-mode bridge
port-security intrusion-mode disableport-temporarily
port-security max-mac-count 64
port-security port-mode autolearn
#
Related documentation
· Port security configuration in the security configuration guide for the device.
· Port security commands in the security command reference for the device.