09-Security Command Reference

06-Port security commands

Contents

Port security commands
display port-security
display port-security access-user
display port-security mac-address block
display port-security mac-address security
display port-security static-user
display port-security static-user connection
display port-security statistics
port-security access-user log enable
port-security authentication open
port-security authentication open global
port-security authorization ignore
port-security authorization-fail offline
port-security m-lag load-sharing-mode
port-security enable
port-security escape critical-vsi
port-security global escape critical-vsi
port-security intrusion-mode
port-security mac-address aging-type inactivity
port-security mac-address dynamic
port-security mac-address security
port-security mac-limit
port-security mac-move bypass-vlan-check
port-security mac-move permit
port-security max-mac-count
port-security nas-id-profile
port-security ntk-mode
port-security oui
port-security port-mode
port-security pre-auth domain
port-security static-user
port-security static-user match-mac acl
port-security static-user max-user
port-security static-user password
port-security static-user timer detect-period
port-security static-user timer offline-detect
port-security static-user update-ip enable
port-security static-user user-name-format
port-security static-user user-name-format mac-address
port-security timer
port-security timer autolearn aging
port-security timer blockmac
port-security timer disableport
port-security triple-auth-order mac-dot1x-web
port-security url-unavailable domain
reset port-security static-user
reset port-security statistics
snmp-agent trap enable port-security


Port security commands

display port-security

Use display port-security to display port security configuration, operation information, and statistics for ports.

Syntax

display port-security [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays port security information for all ports.

Examples

# Display port security information for all ports.

<Sysname> display port-security

Global port security parameters:

   Port security                               : Enabled

   M-LAG load sharing mode (criterion)     : Distributed (local)

   M-LAG member's authentication scope     : Local M-LAG interfaces

   M-LAG member configuration conflict     : Unknown

   AutoLearn aging time                       : 0 min

   Disableport timeout                        : 20 sec

   Blockmac timeout                            : 180 sec

   MAC move                                     : Denied

   Authorization fail                         : Online

   NAS-ID profile                              : Not configured

   Dot1x-failure trap                         : Disabled

   Dot1x-logon trap                           : Disabled

   Dot1x-logoff trap                          : Enabled

   Intrusion trap                              : Disabled

   Address-learned trap                      : Enabled

   Mac-auth-failure trap                     : Disabled

   Mac-auth-logon trap                       : Enabled

   Mac-auth-logoff trap                       : Disabled

   Open authentication                        : Disabled

   Traffic-statistics                         : Disabled

   User aging period for preauth domain   : 82800 sec

   User aging period for Auth-Fail domain : 82800 sec

   User aging period for critical domain  : 82800 sec

   Reauth period for preauth domain        : 600 sec

   Reauth period for Auth-Fail domain      : 600 sec

   OUI value list                              :

    Index :  1           Value : 123401

 

 Ten-GigabitEthernet1/0/1 is link-up

   Port mode                                    : userLogin

   Pre-auth domain                             : test

   URL-unavailable domain                     : domain1

   NeedToKnow mode                             : Disabled

   Intrusion protection mode                 : NoAction

   Security MAC address attribute

       Learning mode                           : Sticky

       Aging type                               : Periodical

   Max secure MAC addresses                  : 32

   Current secure MAC addresses             : 0

   Authorization                               : Permitted

   NAS-ID profile                              : Not configured

   Free VLANs                                   : Not configured

   Open authentication                        : Disabled

   MAC-move VLAN check bypass                : Disabled

Table 1 Command output

Field

Description

Port security

Whether the port security feature is enabled.

M-LAG load sharing mode (criterion)

Authentication load sharing mode for users attached to M-LAG interfaces:

·     Centralized—In this mode, the primary M-LAG member device processes authentication services for all users attached to any M-LAG interfaces in the system.

·     Distributed—In a distributed mode, both M-LAG member devices provide authentication services for users attached to the M-LAG interfaces. Port security provides the following distributed authentication processing modes:

¡     local—Each M-LAG member device processes authentication for users attached to their local M-LAG interfaces.

¡     odd source MAC—Uses the local device to process authentication services for users with odd MAC addresses and attached to any M-LAG interfaces in the M-LAG system.

¡     even source MAC—Uses the local device to process authentication services for users with even MAC addresses and attached to any M-LAG interfaces in the M-LAG system.

M-LAG member's authentication scope

Scope for the local M-LAG member device to authenticate users attached to M-LAG interfaces:

·     None—The device does not authenticate any users attached to M-LAG interfaces.

·     Odd source MACs—The device processes authentication services only for users with odd MAC addresses attached to the local or peer M-LAG interfaces.

·     Even source MACs—The device processes authentication services only for users with even MAC addresses attached to the local or peer M-LAG interfaces.

·     Local M-LAG interfaces—The device processes authentication services only for users attached to the local M-LAG interfaces.

·     All—The device processes authentication services for all users attached to any M-LAG interfaces in the M-LAG system.

M-LAG member configuration conflict

M-LAG member configuration check result:

·     Conflicted—The configuration on one M-LAG member device conflicts with that on the other M-LAG member device.

·     Not conflicted—The configuration on one M-LAG member device does not conflict with that on the other M-LAG member device.

·     Unknown—The system cannot detect whether the configuration on one M-LAG member device conflicts with that on the other M-LAG member device.

AutoLearn aging time

Sticky MAC address aging timer, in minutes or seconds.

Disableport timeout

Silence period (in seconds) of the port that receives illegal packets.

Blockmac timeout

Block timer (in seconds) for MAC addresses in the blocked MAC address list.

MAC move

Status of MAC move:

·     Both port move and VLAN move are permitted.

·     Denied.

·     Only port move is permitted.

·     Only VLAN move is permitted.

Authorization fail

Action to be taken for users that fail authorization:

·     Online—Allows the users to go online.

·     Offline—Logs off the users.

NAS-ID profile

NAS-ID profile applied globally.

Dot1x-failure trap

Whether SNMP notifications for 802.1X authentication failures are enabled.

Dot1x-logon trap

Whether SNMP notifications for 802.1X authentication successes are enabled.

Dot1x-logoff trap

Whether SNMP notifications for 802.1X authenticated user logoffs are enabled.

Intrusion trap

Whether SNMP notifications for intrusion protection are enabled. If they are enabled, the device sends SNMP notifications after illegal packets are detected.

Address-learned trap

Whether SNMP notifications for MAC address learning are enabled. If they are enabled, the device sends SNMP notifications after it learns a new MAC address.

Mac-auth-failure trap

Whether SNMP notifications for MAC authentication failures are enabled.

Mac-auth-logon trap

Whether SNMP notifications for MAC authentication successes are enabled.

Mac-auth-logoff trap

Whether SNMP notifications for MAC authentication user logoffs are enabled.

Open authentication

Whether global open authentication mode is enabled.

Traffic-statistics

This field is not supported in the current software version.

Whether traffic statistics are enabled for 802.1X and MAC authentication users.

User aging period for preauth domain

Aging time (in seconds) for users in the preauthentication domain.

User aging period for Auth-Fail domain

Aging time (in seconds) for users in the Auth-Fail domain.

User aging period for critical domain

Aging time (in seconds) for users in the critical domain.

Reauth period for preauth domain

Reauthentication period (in seconds) for users in the preauthentication domain.

Reauth period for Auth-Fail domain

Reauthentication period (in seconds) for users in the Auth-Fail domain.

OUI value list

List of OUI values allowed for authentication.

Port mode

Port security mode:

·     noRestrictions.

·     autoLearn.

·     macAddressWithRadius.

·     macAddressElseUserLoginSecure.

·     macAddressElseUserLoginSecureExt.

·     macAddressAndUserLoginSecureExt.

·     secure.

·     userLogin.

·     userLoginSecure.

·     userLoginSecureExt.

·     macAddressOrUserLoginSecure.

·     macAddressOrUserLoginSecureExt.

·     userLoginWithOUI.

For more information about port security modes, see Security Configuration Guide.

Pre-auth domain

Preauthentication domain for port security users.

URL-unavailable domain

Domain to which users are assigned when the redirect URL is unavailable.

NeedToKnow mode

Need to know (NTK) mode:

·     NeedToKnowOnly—Forwards only unicast frames with a known destination MAC address.

·     NeedToKnowWithBroadcast—Forwards only broadcast and unicast frames with a known destination MAC address.

·     NeedToKnowWithMulticast—Forwards only broadcast, multicast, and unicast frames with a known destination MAC address.

·     NeedToKnowAuto—Forwards only broadcast, multicast, and unicast frames with a known destination MAC address, and only when the port has online users.

·     Disabled—NTK is disabled.

Intrusion protection mode

Intrusion protection action:

·     BlockMacAddress—Adds the source MAC address of the illegal packet to the blocked MAC address list.

·     DisablePort—Shuts down the port that receives illegal packets permanently.

·     DisablePortTemporarily—Shuts down the port that receives illegal packets for some time.

·     NoAction—Does not perform intrusion protection.

Learning mode

Secure MAC address learning mode:

·     Dynamic.

·     Sticky.

Aging type

Secure MAC address aging type:

·     Periodical—Timer aging only.

·     Inactivity—Inactivity aging feature together with the aging timer.

Max secure MAC addresses

Maximum number of secure MAC addresses (or online users) that port security allows on the port.

Current secure MAC addresses

Number of secure MAC addresses stored.

Authorization

Whether the authorization information from the authentication server (RADIUS server or local device) is ignored:

·     Permitted—Authorization information from the authentication server takes effect.

·     Ignored—Authorization information from the authentication server does not take effect.

NAS-ID profile

NAS-ID profile applied to the port.

Free VLANs

This field is not supported in the current software version.

VLANs in which packets will not trigger authentication.

If you do not configure free VLANs, this field displays Not configured.

Open authentication

Whether open authentication mode is enabled on the port.

MAC-move VLAN check bypass

This field is not supported in the current software version.

Whether the VLAN check bypass feature is enabled for users moving to the port from other ports.
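The output above is what an operator reads during a port-security review. The following Python example is added here and is not H3C code: it parses the `display port-security` output shown above (a trimmed copy is embedded as the sample) into the global and per-port fields described in Table 1, then checks them against a small hardening baseline. The baseline rules (which values count as findings) and the function names are the example's own assumptions, not statements made by this reference.

```python
"""Parse `display port-security` output and check it against a simple hardening baseline.

Added example, not H3C code. The baseline rules in audit() are assumptions made for
illustration; adjust them to your own policy.
"""
import re

# Constructed sample: a trimmed copy of the `display port-security` output shown above.
SAMPLE = """\
Global port security parameters:
   Port security                               : Enabled
   M-LAG load sharing mode (criterion)     : Distributed (local)
   AutoLearn aging time                       : 0 min
   Disableport timeout                        : 20 sec
   Blockmac timeout                            : 180 sec
   MAC move                                     : Denied
   Authorization fail                         : Online
   Intrusion trap                              : Disabled
   Open authentication                        : Disabled
   OUI value list                              :
    Index :  1           Value : 123401

 Ten-GigabitEthernet1/0/1 is link-up
   Port mode                                    : userLogin
   NeedToKnow mode                             : Disabled
   Intrusion protection mode                 : NoAction
   Security MAC address attribute
       Learning mode                           : Sticky
       Aging type                               : Periodical
   Max secure MAC addresses                  : 32
   Current secure MAC addresses             : 0
   Authorization                               : Permitted
   Open authentication                        : Disabled
"""

GLOBAL_HEADER = "Global port security parameters:"
PORT_HEADER = re.compile(r"^\s*(\S+) is (link-up|link-down)\s*$")
OUI_ROW = re.compile(r"^\s*Index\s*:\s*(\d+)\s+Value\s*:\s*(\S+)\s*$")
KEY_VALUE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")


def parse_port_security(text):
    """Return {"global": {field: value}, "ports": {port: {field: value}}}."""
    result = {"global": {}, "ports": {}}
    current = result["global"]
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.strip() == GLOBAL_HEADER:
            current = result["global"]
            continue
        m = PORT_HEADER.match(line)
        if m:  # "<port> is link-up" starts a per-port section
            current = result["ports"].setdefault(m.group(1), {})
            current["Link"] = m.group(2)
            continue
        m = OUI_ROW.match(line)
        if m:  # OUI entries are "Index : n  Value : hhhhhh" rows under "OUI value list"
            current.setdefault("OUI values", []).append(m.group(2))
            continue
        m = KEY_VALUE.match(line)
        if m:  # lines without a colon (e.g. "Security MAC address attribute") are group titles
            current[m.group(1)] = m.group(2)
    return result


def audit(parsed):
    """Apply the (assumed) baseline; returns a list of (scope, finding) tuples."""
    findings = []
    g = parsed["global"]
    if g.get("Port security") != "Enabled":
        findings.append(("global", "port security is not enabled"))
    if g.get("Authorization fail") == "Online":  # Table 1: Online keeps users that fail authorization online
        findings.append(("global", "users that fail authorization stay online"))
    if g.get("Open authentication") == "Enabled":
        findings.append(("global", "global open authentication is enabled"))
    if g.get("Intrusion trap") != "Enabled":
        findings.append(("global", "intrusion SNMP notifications are disabled"))
    for name, p in parsed["ports"].items():
        if p.get("Port mode") == "noRestrictions":
            findings.append((name, "port mode is noRestrictions"))
        if p.get("Intrusion protection mode") == "NoAction":
            findings.append((name, "intrusion protection takes no action"))
        if p.get("Open authentication") == "Enabled":
            findings.append((name, "open authentication is enabled"))
        if p.get("Authorization") == "Ignored":
            findings.append((name, "server authorization is ignored"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(parse_port_security(SAMPLE)):
        print(f"{scope}: {finding}")
```

Run it against captured output from several switches and diff the findings; on the sample above it reports that intrusion protection on Ten-GigabitEthernet1/0/1 takes no action and that users failing authorization stay online, both of which Table 1 documents as the displayed values.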

display port-security access-user

Use display port-security access-user to display entries for port security access users.

Syntax

display port-security access-user [ m-lag [ local | peer ] ] [ access-type { dot1x | mac-auth | web-auth | static } | domain domain-name | online-type { auth-fail-domain | critical-domain | preauth-domain | success | url-unavailable-domain } | slot slot-number ] *

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

m-lag [ local | peer ]: Specifies port security access users on M-LAG interfaces. If you do not specify these keywords, the command does not distinguish port security access users on M-LAG interfaces and non-M-LAG interfaces. If you specify the m-lag keyword without the local or peer keyword, the command displays entries for port security access users on both the local and peer M-LAG member devices.

·     local: Displays entries for port security access users on the local M-LAG member device.

·     peer: Displays entries for port security access users on the peer M-LAG member device.

access-type: Specifies an access type.

·     dot1x: Specifies 802.1X authentication.

·     mac-auth: Specifies MAC authentication.

·     web-auth: Specifies Web authentication.

·     static: Specifies static access.

domain domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The ISP domain name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

online-type: Specifies a type of port security access users.

·     auth-fail-domain: Specifies port security access users in the Auth-Fail domain.

·     critical-domain: Specifies port security access users in the critical domain.

·     preauth-domain: Specifies port security access users in the preauthentication domain.

·     success: Specifies port security access users that have passed authentication.

·     url-unavailable-domain: Specifies port security access users assigned to the URL-unavailable domain when the redirect URL is unavailable.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify an IRF member device, this command displays entries for port security access users on all IRF member devices.

Usage guidelines

For more information about the Auth-Fail domain and critical domain, see AAA configuration in Security Configuration Guide.

If you do not specify any parameters, this command displays entries for all port security access users.

Examples

# Display entries for port security access users in ISP domain test.

<Sysname> display port-security access-user domain test

Total access users: 2

 

Username                            : aaa

IP address                         : 10.12.12.254

IPv6 address                       : 2:1::3

MAC address                        : 00e0-fcc2-0175

State                               : Preauth domain

Authentication result            : Unauthenticated

Access type                        : 802.1X authentication

M-LAG NAS-IP type                 : Local

M-LAG user state                  : Active

Authentication domain            : abc

 

Username                            : abc

IP address                         : 10.12.12.253

IPv6 address                       : 2:1::4

MAC address                        : 00e0-fcc2-0152

State                               : Successful

Authentication result            : Authentication succeeded

Access type                        : Static user access

M-LAG NAS-IP type                 : Local

M-LAG user state                  : Active

Authentication domain            : abc

# Display entries for port security access users in the preauthentication domain.

<Sysname> display port-security access-user online-type preauth-domain

Total access users: 1

 

Username                            : aaa

IP address                         : 10.12.12.254

IPv6 address                       : 2:1::3

MAC address                        : 00e0-fcc2-0175

State                               : Preauth domain

Authentication result            : Unauthenticated

Access type                        : 802.1X authentication

M-LAG NAS-IP type                 : Local

M-LAG user state                  : Active

Authentication domain            : abc

Table 2 Command output

Field

Description

Total access users

Total number of access users.

Username

Name of the access user.

IP address

IP address of the access user.

IPv6 address

IPv6 address of the access user.

MAC address

MAC address of the access user.

State

Access user state:

·     Critical domain—The user is in the critical domain.

·     Auth-Fail domain—The user is in the Auth-Fail domain.

·     Preauth domain—The user is in the preauthentication domain.

·     Successful—The user passes authentication.

·     Open—The user has come online by using a non-existent username or incorrect password to pass open authentication.

Authentication result

Authentication result of the access user:

·     Unauthenticated.

·     Authentication succeeded.

·     Authentication failed.

·     AAA server unavailable.

·     URL unavailable.

Access type

Access authentication method:

·     802.1X authentication.

·     MAC authentication.

·     Web authentication.

·     Static user access.

M-LAG NAS-IP type

NAS-IP address type for the user if the user was authenticated on an M-LAG interface of the M-LAG system.

·     Local—Local NAS-IP address. The source IP address of outgoing RADIUS packets is an IP address on the local M-LAG member device.

·     Peer—Peer NAS-IP address. The source IP address of outgoing RADIUS packets is an IP address on the peer M-LAG member device.

M-LAG user state

Local state of the user on the M-LAG interface:

·     Active—The local M-LAG member device exchanges user authentication information with the AAA server.

·     Inactive—The peer M-LAG member device exchanges user authentication information with the AAA server.

Authentication domain

ISP domain in which the user was authenticated.
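Table 2 lists several State values (Preauth domain, Auth-Fail domain, Critical domain, Open) in which a host is on the network without having passed authentication. The following Python example, added here and not part of the H3C documentation, parses the access-user records shown above (the sample is constructed from them, with a valid host address in the second record) and lists exactly those users, so that a triage script can answer "who is online that the server did not actually authenticate?" The function names are the example's own.

```python
"""Triage `display port-security access-user` output: which hosts are online
without a successful authentication?

Added example, not H3C code. The sample is constructed from the records shown above.
"""
import re
from collections import Counter

SAMPLE = """\
Total access users: 2

Username                            : aaa
IP address                         : 10.12.12.254
IPv6 address                       : 2:1::3
MAC address                        : 00e0-fcc2-0175
State                               : Preauth domain
Authentication result            : Unauthenticated
Access type                        : 802.1X authentication
M-LAG NAS-IP type                 : Local
M-LAG user state                  : Active
Authentication domain            : abc

Username                            : abc
IP address                         : 10.12.12.253
IPv6 address                       : 2:1::4
MAC address                        : 00e0-fcc2-0152
State                               : Successful
Authentication result            : Authentication succeeded
Access type                        : Static user access
M-LAG NAS-IP type                 : Local
M-LAG user state                  : Active
Authentication domain            : abc
"""

# States from Table 2 in which a user is online without having passed authentication.
NOT_AUTHENTICATED = {"Preauth domain", "Auth-Fail domain", "Critical domain", "Open"}


def parse_access_users(text):
    """Return (reported_total, [record dict per user]); records are blank-line separated."""
    total, records = None, []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, value = line.split(":", 1)  # first colon only: IPv6 values contain colons
            rec[key.strip()] = value.strip()
        if "Total access users" in rec:
            total = int(rec["Total access users"])
        elif "Username" in rec:
            records.append(rec)
    # The device's own count guards against a truncated capture silently hiding users.
    if total is not None and total != len(records):
        raise ValueError(f"device reports {total} users but {len(records)} records were parsed")
    return total, records


def unauthenticated_users(records):
    """Users whose State is not Successful, i.e. online via a fallback domain or open auth."""
    return [
        (r["Username"], r.get("MAC address"), r.get("State"), r.get("Authentication result"))
        for r in records
        if r.get("State") in NOT_AUTHENTICATED
    ]


def state_summary(records):
    """Count users per (access type, state) for a one-line dashboard figure."""
    return Counter((r.get("Access type"), r.get("State")) for r in records)


if __name__ == "__main__":
    _, users = parse_access_users(SAMPLE)
    for entry in unauthenticated_users(users):
        print("not authenticated:", entry)
    print(dict(state_summary(users)))
```

On the sample this reports user aaa (00e0-fcc2-0175), online in the preauthentication domain with result Unauthenticated; the static user abc, whose State is Successful, is not listed.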

display port-security mac-address block

Use display port-security mac-address block to display information about blocked MAC addresses.

Syntax

display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies a VLAN by its ID. The value range is 1 to 4094.

count: Displays only the count of the blocked MAC addresses.

Usage guidelines

If you do not specify any parameters, this command displays information about all blocked MAC addresses.

Examples

# Display information about all blocked MAC addresses.

<Sysname> display port-security mac-address block

 MAC ADDR              Port                        VLAN ID

000f-3d80-0d2d       XGE1/0/1                   30

 

 --- On slot 1, 1 MAC address(es) found ---

 

 --- 1 mac address(es) found ---

# Display the count of all blocked MAC addresses.

<Sysname> display port-security mac-address block count

 

--- On slot 1, 1 MAC address(es) found ---

 

--- 1 mac address(es) found ---

Table 3 Command output

Field

Description

MAC ADDR

Blocked MAC address.

Port

Port that received frames whose source address is the blocked MAC address.

VLAN ID

ID of the VLAN to which the port belongs.

number mac address(es) found

Number of blocked MAC addresses.

 

Related commands

port-security intrusion-mode

display port-security mac-address security

Use display port-security mac-address security to display information about secure MAC addresses.

Syntax

display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies a VLAN by its ID. The value range is 1 to 4094.

count: Displays only the count of the secure MAC addresses.

Usage guidelines

Secure MAC addresses are those that are automatically learned by the port in autoLearn mode or configured by the port-security mac-address security command.

If you do not specify any parameters, this command displays information about all secure MAC addresses.

Examples

# Display information about all secure MAC addresses.

<Sysname> display port-security mac-address security

 MAC ADDR         VLAN ID  STATE          PORT INDEX                     AGING TIME

0002-0002-0002  1         Secure         XGE1/0/1                        Not aged

 

 --- Number of secure MAC addresses: 1 ---

# Display only the count of the secure MAC addresses.

<Sysname> display port-security mac-address security count

 

--- Number of secure MAC addresses: 1 ---

Table 4 Command output

Field

Description

MAC ADDR

Secure MAC address.

VLAN ID

ID of the VLAN to which the port belongs.

STATE

Type of the MAC address. This field displays Secure for a secure MAC address.

PORT INDEX

Port to which the secure MAC address belongs.

AGING TIME

The remaining amount of time before the secure MAC address ages out.

·     If the secure MAC address is a static MAC address, this field displays Not aged.

·     If the secure MAC address is a sticky MAC address, this field displays the remaining lifetime. If the remaining lifetime is less than 60 seconds, the lifetime is counted in seconds. If the lifetime is not less than 60 seconds, the lifetime is counted in minutes. By default, sticky MAC addresses do not age out, and this field displays Not aged.

Number of secure MAC addresses

Number of secure MAC addresses stored.

 

Related commands

port-security mac-address security
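The blocked-MAC table (display port-security mac-address block) and the secure-MAC table (display port-security mac-address security) are the evidence an operator checks after an intrusion-protection event. The following Python example, added here and not part of the H3C documentation, parses both table formats shown above, cross-checks the parsed row count against the device's own trailer line so that a cut-off capture is noticed, summarises blocked MACs per port, and lists secure MACs within 60 seconds of aging out using the seconds-versus-minutes convention from Table 4. The extra rows in the samples and the threshold of two blocked MACs per port are constructed assumptions.

```python
"""Parse the `display port-security mac-address block` and `... mac-address security`
tables and summarise them per port.

Added example, not H3C code. Samples are constructed from the tables shown above
with a few extra rows added.
"""
import re
from collections import Counter

BLOCK_SAMPLE = """\
 MAC ADDR              Port                        VLAN ID
000f-3d80-0d2d       XGE1/0/1                   30
000f-3d80-0d2e       XGE1/0/1                   30
00e0-fc00-0001       XGE1/0/2                   10

 --- On slot 1, 3 MAC address(es) found ---

 --- 3 mac address(es) found ---
"""

SECURE_SAMPLE = """\
 MAC ADDR         VLAN ID  STATE          PORT INDEX                     AGING TIME
0002-0002-0002  1         Secure         XGE1/0/1                        Not aged
0002-0002-0003  1         Secure         XGE1/0/1                        45 sec
0002-0002-0004  1         Secure         XGE1/0/2                        12 min

 --- Number of secure MAC addresses: 3 ---
"""

MAC = r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"  # Comware H-H-H notation
BLOCK_ROW = re.compile(rf"^\s*({MAC})\s+(\S+)\s+(\d+)\s*$")
BLOCK_TOTAL = re.compile(r"^\s*---\s+(\d+) mac address\(es\) found\s+---\s*$", re.IGNORECASE)
SECURE_ROW = re.compile(rf"^\s*({MAC})\s+(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
SECURE_TOTAL = re.compile(r"^\s*---\s+Number of secure MAC addresses:\s+(\d+)\s+---\s*$")


def _parse_table(text, row_re, total_re, fields):
    rows, total = [], None
    for line in text.splitlines():
        m = row_re.match(line)
        if m:
            rows.append(dict(zip(fields, m.groups())))
            continue
        m = total_re.match(line)
        if m:
            total = int(m.group(1))
    # The trailer is the device's own count; a mismatch means the capture was cut or the
    # format changed, either of which should stop the analysis rather than under-report.
    if total is not None and total != len(rows):
        raise ValueError(f"device reports {total} entries but {len(rows)} rows were parsed")
    return rows


def parse_blocked(text):
    return _parse_table(text, BLOCK_ROW, BLOCK_TOTAL, ("mac", "port", "vlan"))


def parse_secure(text):
    return _parse_table(text, SECURE_ROW, SECURE_TOTAL, ("mac", "vlan", "state", "port", "aging"))


def blocked_per_port(rows):
    return Counter(r["port"] for r in rows)


def noisy_ports(rows, threshold=2):
    """Ports whose blocked-MAC count reaches the (assumed) threshold: several distinct
    illegal source MACs on one port deserve a look rather than a routine unblock."""
    return [port for port, n in blocked_per_port(rows).items() if n >= threshold]


def expiring_soon(rows):
    """Secure MACs with under 60 s left; the device switches the AGING TIME column
    from minutes to seconds at that point (Table 4)."""
    return [r for r in rows if r["aging"].endswith("sec")]


if __name__ == "__main__":
    blocked = parse_blocked(BLOCK_SAMPLE)
    print("blocked per port:", dict(blocked_per_port(blocked)))
    print("ports to review:", noisy_ports(blocked))
    secure = parse_secure(SECURE_SAMPLE)
    print("secure MACs about to age out:", [r["mac"] for r in expiring_soon(secure)])
```

The trailer check matters in practice: a session log cut by a pager or a terminal buffer would otherwise yield a shorter list that looks complete.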

display port-security static-user

Use display port-security static-user to display static user configuration information.

Syntax

display port-security static-user [ domain isp-name | interface interface-type interface-number | { ip | ipv6 } start-ip-address [ end-ip-address ] | vpn-instance vpn-instance-name ] *

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

domain isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The ISP domain name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

interface interface-type interface-number: Specifies an interface by its type and number.

ip: Specifies a static user range by its IPv4 address range.

ipv6: Specifies a static user range by its IPv6 address range.

start-ip-address [ end-ip-address ]: Specifies the IP address range of the static user range. The start-ip-address argument represents the start IP address and the end-ip-address argument represents the end IP address. If you specify only the start IP address, the static user range contains only one static user and the start IP address is the IP address of the static user.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which static users belong. The vpn-instance-name argument represents the VPN instance name, which is a case-sensitive string of 1 to 31 characters. If the static users belong to the public network, do not specify this option.

Usage guidelines

If you do not specify any parameters, this command displays configuration information for all static users.

Examples

# Display configuration information for all static users.

<Sysname> display port-security static-user

 Global Static-user parameters:

   Static user IP update              : Disabled

   Offline detect timer               : 300 seconds

   ARP detect period                  : 200 seconds

   ACL number for matching MAC addresses   : 4000

 

 Ten-GigabitEthernet1/0/1 is link-up

   Static user max-user              : 4294967295

 

Start IPv4 address           : 10.1.1.6

End IPv4 address             : 10.1.1.8

Interface                    : XGE1/0/1

MAC address                  : 00e0-fc12-3456

VPN instance                 : N/A

Domain name                  : local

VLAN ID                      : 10

ARP detection                : Disabled

Keep online                  : Disabled

 

Start IPv6 address           : 1:1::1:2

End IPv6 address             : 1:1::1:4

Interface                    : XGE1/0/1

MAC address                  : 00e0-fc12-1234

VPN instance                 : N/A

Domain name                  : local

VLAN ID                      : 10

ARP detection                : Disabled

Keep online                  : Disabled

Table 5 Command output

Field

Description

Static user IP update

State of static user IP update:

·     Enabled—Allows the device to update static user IP addresses.

·     Disabled—Prevents the device from updating static user IP addresses.

Offline detect timer

Offline detect period of static users, in seconds.

ARP detect period

ARP detection interval, in seconds.

ACL number for matching MAC addresses

Number of the ACL used to match the MAC addresses of static users.

If no ACL is configured, this field is not available.

Static user max-user

Maximum number of static users allowed on a port.

Start IPv4 address

Start IPv4 address of the IP address range for a static user range.

End IPv4 address

End IPv4 address of the IP address range for the static user range. If no end IPv4 address is configured, this field displays N/A.

Start IPv6 address

Start IPv6 address of the IP address range for a static user range.

End IPv6 address

End IPv6 address of the IP address range for the static user range. If no end IPv6 address is configured, this field displays N/A.

Interface

Interface through which the static user range comes online. If no access interface is configured, this field displays N/A.

MAC address

MAC address of the static user range. If no MAC address is configured, this field displays N/A.

VPN instance

VPN instance to which the static user range belongs. If no VPN instance is configured, this field displays N/A.

Domain name

ISP domain to which the static user range belongs. If no ISP domain is configured, this field displays N/A.

VLAN ID

VLAN to which the static user range belongs. If no VLAN is configured, this field displays N/A.

ARP detection

ARP detection state:

·     Enabled.

·     Disabled.

Keep online

State of the static user keep-online feature:

·     Enabled.

·     Disabled.

 

Related commands

port-security static-user

display port-security static-user connection

Use display port-security static-user connection to display information about online static users.

Syntax

display port-security static-user connection [ [ m-lag [ local | peer ] ] [ interface interface-type interface-number | online-type { auth-fail-domain | critical-domain | preauth-domain | success } | slot slot-number | user-name user-name ] | { ip | ipv6 } ip-address | mac mac-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

m-lag [ local | peer ]: Specifies online static users on M-LAG interfaces. If you do not specify these keywords, the command does not distinguish online static users on M-LAG interfaces and non-M-LAG interfaces. If you specify the m-lag keyword without the local or peer keyword, the command displays information about online static users on both the local and peer M-LAG member devices.

·     local: Displays information about online static users on the local M-LAG member device.

·     peer: Displays information about online static users on the peer M-LAG member device.

interface interface-type interface-number: Specifies an interface by its type and number.

{ ip | ipv6 } ip-address: Specifies an online static user by its IP address. If the static user has an IPv4 address, specify the ip keyword and use the ip-address argument to specify the IPv4 address of the static user. If the static user has an IPv6 address, specify the ipv6 keyword and use the ip-address argument to specify the IPv6 address of the static user.

mac mac-address: Specifies an online static user by its MAC address. The mac-address argument represents the MAC address, in the format of H-H-H.

online-type: Specifies a type of static users.

·     auth-fail-domain: Specifies static users in the Auth-Fail domain.

·     critical-domain: Specifies static users in the critical domain.

·     preauth-domain: Specifies static users in the preauthentication domain.

·     success: Specifies static users that have passed authentication.

user-name user-name: Specifies an online static user by its username, a case-sensitive string of 1 to 253 characters.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify an IRF member device, the command displays information about online static users on all IRF member devices.

Usage guidelines

If you do not specify any parameters, this command displays information about all online static users.

Examples

# Display information about all online static users.

<Sysname> display port-security static-user connection

Total connections: 2

 

User MAC address: 0015-e9a6-7cfe

M-LAG NAS-IP type: Local

M-LAG user state: Active

Access interface: Ten-GigabitEthernet1/0/1

Username: ias

User access state: Successful

Authentication domain: macusers

IPv4 address: 192.168.1.1

IPv6 address: 2000:0:0:0:1:2345:6789:abcd

IPv4 address source: User packet

IPv6 address source: User packet

Initial VLAN: 1

Authorization untagged VLAN: 100

Authorization tagged VLAN: N/A

Authorization VSI: N/A

Authorization ACL number/name: 3001

Authorization dynamic ACL name: N/A

Authorization user profile: N/A

Authorization CAR:

  Average input rate: 102400 bps

  Peak input rate: 204800 bps

  Average output rate: 102400 bps

  Peak output rate: 204800 bps

Authorization URL: N/A

Authorization IPv6 URL: N/A

Authorization temporary redirect: Disabled

Start accounting: Successful

Real-time accounting-update failures: 0

Termination action: RADIUS-request

Session timeout period: 2 sec

Offline detection: 100 sec (server-assigned)

Online from: 2013/03/02 13:14:15

Online duration: 0h 2m 15s

Port-down keep online: Enabled

 

User MAC address: 0016-e9a6-7cfe

M-LAG NAS-IP type: Local

M-LAG user state: Active

Access interface: Ten-GigabitEthernet1/0/2

Username: i1s

User access state: Successful

Authentication domain: macusers

IPv4 address: 192.168.1.1

IPv6 address: 2000:0:0:0:1:2345:6789:abcd

IPv4 address source: User packet

IPv6 address source: User packet

Initial VLAN: 1

Authorization untagged VLAN: 100

Authorization tagged VLAN: N/A

Authorization VSI: N/A

Authorization ACL number/name: 3001

Authorization dynamic ACL name: N/A

Authorization user profile: N/A

Authorization CAR:

  Average input rate: 102400 bps

  Peak input rate: 204800 bps

  Average output rate: 102400 bps

  Peak output rate: 204800 bps

Authorization URL: N/A

Authorization IPv6 URL: N/A

Authorization temporary redirect: Disabled

Start accounting: Successful

Real-time accounting-update failures: 0

Termination action: RADIUS-request

Session timeout period: 2 sec

Offline detection: 100 sec (server-assigned)

Online from: 2013/03/02 13:14:15

Online duration: 0h 2m 15s

Port-down keep online: Enabled

Table 6 Command output

Field

Description

Total connections

Total number of online static users.

User MAC address

MAC address of a static user.

M-LAG NAS-IP type

NAS-IP address type for the user if the user was authenticated on an M-LAG interface of the M-LAG system.

·     Local—Local NAS-IP address. The source IP address of outgoing RADIUS packets is an IP address on the local M-LAG member device.

·     Peer—Peer NAS-IP address. The source IP address of outgoing RADIUS packets is an IP address on the peer M-LAG member device.

M-LAG user state

Local state of the user on the M-LAG interface:

·     Active—The local M-LAG member device exchanges user authentication information with the AAA server.

·     Inactive—The peer M-LAG member device exchanges user authentication information with the AAA server.

Access interface

Interface through which the user accesses the device.

Username

Username.

User access state

Access state of the user:

·     Auth-Fail domain—The user is in the Auth-Fail domain.

·     Critical domain—The user is in the critical domain.

·     Preauth domain—The user is in the preauthentication domain.

·     Successful—The user has passed MAC authentication and accessed the network.

IPv4 address

User IPv4 address.

IPv6 address

User IPv6 address.

Initial VLAN

VLAN to which the user belongs before static user access authentication.

Authorization untagged VLAN

Untagged VLAN assigned to the user.

Authorization tagged VLAN

Tagged VLAN assigned to the user.

Authorization VSI

VSI assigned to the user.

Authorization ACL number/name

Number or name of the static ACL assigned to the user.

If no static ACL has been assigned to the user, this field displays N/A.

If ACL authorization failed, this field displays (NOT effective) next to the ACL number or name.

Authorization dynamic ACL name

Name of the dynamic ACL assigned to the user.

If no dynamic ACL has been assigned to the user, this field displays N/A.

If ACL authorization failed, this field displays (NOT effective) next to the ACL name.

Authorization user profile

Name of the user profile assigned to the user.

Authorization CAR

Authorization CAR attributes assigned by the server to the user:

·     Average input rate—Average rate of inbound traffic in bps.

·     Peak input rate—Peak rate of inbound traffic in bps.

·     Average output rate—Average rate of outbound traffic in bps.

·     Peak output rate—Peak rate of outbound traffic in bps.

If the device fails to assign the CAR attributes to the user, the Authorization CAR field displays (NOT effective).

If the server does not assign the peak rates, the peak rates default to the assigned average rates. In the current software version, the device does not support assignment of peak rates alone (without average rates) from the server.

If no authorization CAR attributes are assigned, this field displays N/A.

Authorization URL

Redirect URL assigned to the user.

Authorization IPv6 URL

IPv6 redirect URL assigned to the user.

Authorization temporary redirect

State of temporary redirection authorization:

·     Enabled—Temporary redirection is authorized. The HTTP or HTTPS redirection packets sent to the user carry status code 302.

·     Disabled—Temporary redirection is not authorized. The HTTP or HTTPS redirection packets sent to the user carry status code 200.

Start accounting

Start-accounting request result:

·     Successful.

·     Failed.

The device does not support accounting for users in the preauthentication domain. For such users, this field displays N/A.

Real-time accounting-update failures

Number of consecutive real-time accounting-update failures.

Termination action

Action attribute assigned by the server to terminate the user session:

·     Default—Logs off the online authenticated static user when the server-assigned session timeout timer expires. This attribute does not take effect when static user periodic reauthentication is enabled and the periodic reauthentication timer is shorter than the server-assigned session timeout timer.

·     RADIUS-request—Reauthenticates the online user when the server-assigned session timeout timer expires, regardless of whether the static user periodic reauthentication feature is enabled or not.

If the device performs local authentication, this field displays Default.

Session timeout period

Session timeout timer assigned by the server.

Offline detection

Offline detection setting for the user:

·     Ignore (command-configured)—The device does not perform offline detection for the user. The setting is configured from the CLI.

·     timer (command-configured)—Represents the offline detect timer. The timer is configured from the CLI.

·     Ignore (server-assigned)—The device does not perform offline detection for the user. The setting is assigned by a RADIUS server.

·     timer (server-assigned)—Represents the offline detect timer. The timer is assigned by a RADIUS server.

Online from

Time from which the static user came online.

Online duration

Online duration of the static user.

Port-down keep online

Whether the device allows the user to stay online after the user's access interface goes down. The value of this field depends on the shutdown-keep-online proprietary attribute assigned by the RADIUS server.

·     Enabled—The device allows the user to stay online after the access interface goes down. This state is displayed if the RADIUS server assigned the shutdown-keep-online proprietary attribute with a nonzero value.

·     Disabled (offline)—The device logs off the user when the access interface goes down. This state is displayed if the RADIUS server assigned the shutdown-keep-online proprietary attribute and set the attribute to 0, or the RADIUS server did not assign the attribute.
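The fields in Table 6 are easier to act on when the output is parsed rather than read record by record. The following added example (not H3C code) parses a constructed sample in this output format and flags records a practitioner would want to review: users not in the Successful state, authorization fields marked (NOT effective), users allowed to stay online after link down, and users with offline detection disabled. The sample is abridged and its second record (Critical domain state, a NOT effective ACL, Ignore offline detection) is constructed to exercise those checks.

```python
"""Parse `display port-security static-user connection` output and flag
authorization results worth reviewing. Added example, not H3C code; the
SAMPLE text is constructed in the page's output format (abridged fields)."""

SAMPLE = """\
Total connections: 2

User MAC address: 0015-e9a6-7cfe
Access interface: Ten-GigabitEthernet1/0/1
Username: ias
User access state: Successful
Authorization ACL number/name: 3001
Authorization dynamic ACL name: N/A
Authorization user profile: N/A
Authorization CAR:
  Average input rate: 102400 bps
  Peak input rate: 204800 bps
  Average output rate: 102400 bps
  Peak output rate: 204800 bps
Termination action: RADIUS-request
Session timeout period: 2 sec
Offline detection: 100 sec (server-assigned)
Port-down keep online: Enabled

User MAC address: 0016-e9a6-7cfe
Access interface: Ten-GigabitEthernet1/0/2
Username: i1s
User access state: Critical domain
Authorization ACL number/name: 3001 (NOT effective)
Authorization dynamic ACL name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Termination action: Default
Session timeout period: 3600 sec
Offline detection: Ignore (command-configured)
Port-down keep online: Disabled (offline)
"""

AUTHZ_FIELDS = ("Authorization ACL number/name", "Authorization dynamic ACL name",
                "Authorization user profile", "Authorization CAR")


def parse_connections(text):
    """Split the display output into one dict per user record.
    Indented lines (the CAR rates) are nested under 'Authorization CAR'."""
    records, current = [], None
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "User MAC address":
            current = {}
            records.append(current)
        if current is None:          # header lines such as "Total connections"
            continue
        if raw.startswith("  "):     # CAR sub-field
            car = current.setdefault("Authorization CAR", {})
            if isinstance(car, dict):
                car[key] = value
            continue
        current[key] = value if value else {}
    return records


def car_rates(record):
    """Return the CAR rates as integers in bps, or None if no CAR was assigned."""
    car = record.get("Authorization CAR")
    if not isinstance(car, dict) or not car:
        return None
    return {name: int(rate.split()[0]) for name, rate in car.items()}


def audit(records):
    """Return (mac, finding) pairs: users whose authorization did not take effect,
    who are not in the Successful state, or whose offline handling is relaxed."""
    findings = []
    for r in records:
        mac = r["User MAC address"]
        state = r.get("User access state", "")
        if state != "Successful":
            findings.append((mac, "access state is %s, not Successful" % state))
        for name in AUTHZ_FIELDS:
            value = r.get(name)
            if isinstance(value, str) and "NOT effective" in value:
                findings.append((mac, "%s did not take effect: %s" % (name, value)))
        if r.get("Port-down keep online", "").startswith("Enabled"):
            findings.append((mac, "stays online after the access interface goes down"))
        if r.get("Offline detection", "").startswith("Ignore"):
            findings.append((mac, "offline detection disabled"))
    return findings


if __name__ == "__main__":
    for mac, finding in audit(parse_connections(SAMPLE)):
        print(mac, finding)
```

Feed it the real output captured from the switch instead of SAMPLE; a user whose ACL or CAR shows (NOT effective) is online without the restriction the server intended, which is exactly the case the authorization-fail-offline feature described later in this document exists to catch.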

display port-security statistics

Use display port-security statistics to display port security statistics.

Syntax

display port-security statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify an IRF member device, this command displays port security statistics on all IRF member devices.

Examples

# Display port security statistics.

<Sysname> display port-security statistics

Slot ID: 0

Entries received from IPCIM:

  Entries notified to be added     : 0

  Entries notified to be deleted   : 0

  Entries actually added           : 0

  Entries actually deleted         : 0

Table 7 Command output

Field

Description

Slot ID

Slot number.

Entries received from IPCIM

Number of entries received by the port security module from the IP client information management (IPCIM) module. Values include:

·     Entries notified to be added—Number of user entries that IPCIM notified port security to add.

·     Entries notified to be deleted—Number of user entries that IPCIM notified port security to delete.

·     Entries actually added—Number of user entries that port security actually added.

·     Entries actually deleted—Number of user entries that port security actually deleted.

 

Related commands

reset port-security statistics

port-security access-user log enable

Use port-security access-user log enable to enable port security user logging.

Use undo port-security access-user log enable to disable port security user logging.

Syntax

port-security access-user log enable [ failed-authorization | mac-learning | violation | vlan-mac-limit ] *

undo port-security access-user log enable [ failed-authorization | mac-learning | violation | vlan-mac-limit ] *

Default

Port security user logging is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

failed-authorization: Logs authorization failures of 802.1X or MAC authentication users.

mac-learning: Logs MAC address learning events.

violation: Logs intrusion protection events.

vlan-mac-limit: Logs the first access attempt from a new MAC address in a VLAN after port security's MAC address limit for that VLAN is reached. For each VLAN, the system logs only the first such attempt after the MAC address limit is reached; later attempts from new MAC addresses are not logged.

Usage guidelines

To prevent excessive port security user log entries, use this feature only if you need to analyze abnormal port security user events.

If you do not specify any parameters, this command enables all types of port security user logs.

Examples

# Enable intrusion protection event logging.

<Sysname> system-view

[Sysname] port-security access-user log enable violation

Related commands

info-center source portsec logfile deny (Network Management and Monitoring Command Reference)

port-security authentication open

Use port-security authentication open to enable open authentication mode on a port.

Use undo port-security authentication open to disable open authentication mode on a port.

Syntax

port-security authentication open

undo port-security authentication open

Default

Open authentication mode is disabled on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

This command enables access users (802.1X or MAC authentication users) of a port to come online and access the network even if they use nonexistent usernames or incorrect passwords.

Access users that come online in open authentication mode are called open users. Authorization and accounting are not available for open users. To display open user information, use the following commands:

·     display dot1x connection open.

·     display mac-authentication connection open.

Open authentication mode does not affect the access of users that use correct user information on the port.

The open authentication mode setting has lower priority than the 802.1X Auth-Fail VLAN and the MAC authentication guest VLAN. Open authentication mode does not take effect on a port if the port is also configured with the 802.1X Auth-Fail VLAN or the MAC authentication guest VLAN.

The open authentication mode setting has lower priority than the 802.1X Auth-Fail VSI and the MAC authentication guest VSI. Open authentication mode does not take effect on a port if the port is also configured with the 802.1X Auth-Fail VSI or the MAC authentication guest VSI.

For information about 802.1X authentication or MAC authentication, see Security Configuration Guide.

Examples

# Enable open authentication mode on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security authentication open

Related commands

display dot1x connection

display mac-authentication connection

port-security authentication open global

port-security authentication open global

Use port-security authentication open global to enable global open authentication mode.

Use undo port-security authentication open global to disable global open authentication mode.

Syntax

port-security authentication open global

undo port-security authentication open global

Default

Global open authentication mode is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables access users (802.1X or MAC authentication users) to come online and access the network even if they use nonexistent usernames or incorrect passwords.

Access users that come online in open authentication mode are called open users. Authorization and accounting are not available for open users. To display open user information, use the following commands:

·     display dot1x connection open.

·     display mac-authentication connection open.

Open authentication mode does not affect the access of users that use correct user information.

The open authentication mode setting has lower priority than the 802.1X Auth-Fail VLAN and the MAC authentication guest VLAN. Open authentication mode does not take effect on a port if the port is also configured with the 802.1X Auth-Fail VLAN or the MAC authentication guest VLAN.

The open authentication mode setting has lower priority than the 802.1X Auth-Fail VSI and the MAC authentication guest VSI. Open authentication mode does not take effect on a port if the port is also configured with the 802.1X Auth-Fail VSI or the MAC authentication guest VSI.

For information about 802.1X authentication or MAC authentication, see Security Configuration Guide.

Examples

# Enable global open authentication mode.

<Sysname> system-view

[Sysname] port-security authentication open global

Related commands

display dot1x connection

display mac-authentication connection

port-security authentication open

port-security authorization ignore

Use port-security authorization ignore to configure a port to ignore the authorization information received from the authentication server (a RADIUS server or the local device).

Use undo port-security authorization ignore to restore the default.

Syntax

port-security authorization ignore

undo port-security authorization ignore

Default

A port uses the authorization information from the server.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

After a user passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user account. For example, the server can assign a VLAN. If you do not want the port to use such authorization attributes for users, use this command to ignore the authorization information from the server.

For 802.1X and MAC authentication users, this command ignores all attributes assigned by the server except the Termination-Action and Session-Timeout attributes. For Web authentication users, this command ignores all attributes assigned by the server.

Examples

# Configure Ten-GigabitEthernet 1/0/1 to ignore the authorization information from the authentication server.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security authorization ignore

Related commands

display port-security

port-security authorization-fail offline

Use port-security authorization-fail offline to enable the authorization-fail-offline feature.

Use undo port-security authorization-fail offline to disable the authorization-fail-offline feature.

Syntax

port-security authorization-fail offline [ quiet-period ]

undo port-security authorization-fail offline

Default

The authorization-fail-offline feature is disabled. The device does not log off users that have failed authorization.

Views

System view

Predefined user roles

network-admin

Parameters

quiet-period: Enables the quiet timer for 802.1X or MAC authentication users that are logged off by the authorization-fail-offline feature. The device adds these users to the 802.1X or MAC authentication quiet queue. Within the quiet timer, the device does not process packets from these users or authenticate them. If you do not specify this keyword, the quiet timer feature is disabled for users that are logged off by the authorization-fail-offline feature. The device immediately authenticates these users upon receiving packets from them.

Usage guidelines

The authorization-fail-offline feature logs off port security users that have failed ACL or user profile authorization.

A user fails ACL or user profile authorization in the following situations:

·     The device or server fails to assign the specified ACL or user profile to the user.

·     The device or server assigns an ACL or user profile that does not exist on the device to the user.

If this feature is disabled, the device does not log off users that have failed ACL or user profile authorization. However, the device outputs messages to report the failure.

For the quiet-period keyword to take effect, complete the following tasks:

·     For 802.1X users, use the dot1x quiet-period command to enable the quiet timer and use the dot1x timer quiet-period command to set the timer.

·     For MAC authentication users, use the mac-authentication timer quiet command to set the quiet timer for MAC authentication.

Examples

# Enable the authorization-fail-offline feature.

<Sysname> system-view

[Sysname] port-security authorization-fail offline

Related commands

display port-security

dot1x quiet-period

dot1x timer quiet-period

mac-authentication timer

port-security m-lag load-sharing-mode

Use port-security m-lag load-sharing-mode to configure the authentication load sharing mode for users attached to M-LAG interfaces.

Use undo port-security m-lag load-sharing-mode to restore the default.

Syntax

port-security m-lag load-sharing-mode { centralized | distributed { even-mac | local | odd-mac } }

undo port-security m-lag load-sharing-mode

Default

Local mode applies. Each M-LAG member device authenticates users on its local M-LAG interfaces.

Views

System view

Predefined user roles

network-admin

Parameters

centralized: Specifies centralized mode. In this mode, the primary M-LAG member device processes authentication services for all users attached to any M-LAG interfaces in the system.

distributed { even-mac | local | odd-mac }: Specifies distributed mode and sets the distributed authentication processing mode. In a distributed mode, both M-LAG member devices provide authentication services for users attached to the M-LAG interfaces according to the distributed authentication processing mode.

even-mac: Specifies the even-source-MAC distributed authentication processing mode. If you set this mode on an M-LAG member device, that device processes authentication for all users that have even MAC addresses and are attached to any M-LAG interface in the M-LAG system.

local: Uses the local device to process authentication for users attached to the local M-LAG interfaces.

odd-mac: Specifies the odd-source-MAC distributed authentication processing mode. If you set this mode on an M-LAG member device, that device processes authentication for all users that have odd MAC addresses and are attached to any M-LAG interface in the M-LAG system.

Usage guidelines

CAUTION:

To avoid user logoffs caused by configuration conflicts, do not change the authentication load sharing mode for users on M-LAG interfaces when port security, 802.1X, Web authentication, or MAC authentication is enabled.

 

This command takes effect only on 802.1X, Web authentication, and MAC authentication users attached to M-LAG interfaces in an M-LAG environment.

One M-LAG member device automatically synchronizes user data to the other M-LAG member device upon each successful user authentication. This ensures that when one M-LAG member device fails, the other member device can take over to process authentication services for all users.

Make sure the M-LAG member devices are consistent in authentication load sharing settings for users attached to M-LAG interfaces.

·     Centralized mode—Configure both devices to operate in centralized mode for user authentication.

·     Distributed local mode—Configure both M-LAG member devices to operate in distributed local mode for user authentication.

·     Distributed even-/odd-MAC mode—Configure one M-LAG member device in distributed even-MAC mode and the other to operate in distributed odd-MAC mode for user authentication.

In an M-LAG system, the M-LAG member devices exchange configuration information with each other to check for configuration conflicts. If a configuration conflict exists, the M-LAG member devices do not allow new users to come online.

To ensure correct user data processing, follow these guidelines when you configure the peer aggregate interfaces on each remote access device connected to the M-LAG interfaces:

·     If the M-LAG system uses distributed local mode for user authentication, link-aggregation load sharing on the access device can only be based on one of the following criteria:

¡     Destination IP address.

¡     Destination MAC address.

¡     Source IP address.

¡     Source MAC address.

·     In an 802.1X authentication scenario, you must configure the access device to ignore all packet fields except the source MAC if it uses the default link-aggregation load sharing mode.

In centralized mode, if all member ports of an M-LAG interface belong only to one M-LAG member device and the M-LAG interface forwards authentication traffic, users attached to the M-LAG interface cannot come online. To ensure that users attached to such M-LAG interfaces can come online, do not set the authentication load sharing mode to centralized mode.

For more information about M-LAG, see Layer 2—LAN Switching Configuration Guide. For more information about link aggregation load sharing, see Ethernet link aggregation in Layer 2—LAN Switching Configuration Guide.
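The pairing rules above (which settings the two members may combine, which member authenticates a given user, and what the access device's link-aggregation hash may use in distributed local mode) are easy to get wrong when configuring two devices separately. The following added example (not H3C code) models them so a configuration can be checked before it is applied. It assumes the members are named A and B with A as the primary, that "even/odd MAC" means the parity of the address's lowest bit (the page does not define it further), and that the reason for the single-field hash restriction is keeping all of a user's frames on one member (stated here as an assumption, not as the page's explanation).

```python
"""Model the authentication load sharing modes of
`port-security m-lag load-sharing-mode` for an M-LAG pair. Added example,
not H3C code. Assumptions: the two members are 'A' and 'B', 'A' is the
primary member, and "even/odd MAC" means the parity of the lowest bit."""

CENTRALIZED, LOCAL, EVEN, ODD = ("centralized", "distributed local",
                                 "distributed even-mac", "distributed odd-mac")

# Hash criteria the access device's aggregate interface may use in
# distributed local mode (exactly one of them, per the page).
LOCAL_MODE_HASH_FIELDS = {"destination-ip", "destination-mac",
                          "source-ip", "source-mac"}


def mac_is_even(mac):
    """Parity of a MAC written as 0015-e9a6-7cfe, 00:15:e9:a6:7c:fe or 0015.e9a6.7cfe."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError("malformed MAC address: %r" % mac)
    return int(digits, 16) % 2 == 0


def consistent(mode_a, mode_b):
    """Allowed member pairs: centralized/centralized, local/local, or
    even-mac on one member and odd-mac on the other. Anything else is a
    configuration conflict, and the pair blocks new users."""
    if mode_a == mode_b:
        return mode_a in (CENTRALIZED, LOCAL)
    return {mode_a, mode_b} == {EVEN, ODD}


def authenticator(mode_a, mode_b, mac, arrival_member):
    """Which member ('A' or 'B') processes authentication for a user whose
    frames the access device's aggregation hashed to `arrival_member`.
    Returns None when the configuration conflicts."""
    if not consistent(mode_a, mode_b):
        return None
    if mode_a == CENTRALIZED:
        return "A"                       # primary member handles everyone
    if mode_a == LOCAL:
        return arrival_member            # each member handles its own ports
    even = mac_is_even(mac)
    return "A" if (mode_a == EVEN) == even else "B"


def access_hash_ok(mode, hash_fields):
    """Distributed local mode: the access device's LAG hash may use only one
    of the four allowed fields (assumed rationale: all of a user's frames
    then land on the same member). Other modes impose no restriction here."""
    if mode != LOCAL:
        return True
    fields = set(hash_fields)
    return len(fields) == 1 and fields <= LOCAL_MODE_HASH_FIELDS


if __name__ == "__main__":
    print(authenticator(EVEN, ODD, "0015-e9a6-7cfe", "B"))          # A (even MAC)
    print(authenticator(LOCAL, LOCAL, "0015-e9a6-7cfe", "B"))       # B
    print(authenticator(CENTRALIZED, LOCAL, "0015-e9a6-7cfe", "B")) # None: conflict
```

Run consistent() on the two members' intended settings before issuing the command; the CAUTION above applies because the command logs off every online user on the M-LAG interfaces, so a conflicting pair costs a second round of logoffs to correct.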

Examples

# Set the authentication load sharing mode to centralized for users attached to M-LAG interfaces.

<Sysname> system-view

[Sysname] port-security m-lag load-sharing-mode centralized

Changing the load sharing mode will log off all online users on M-LAG interfaces. Continue? [Y/N]:y

[Sysname]

Related commands

display port-security

link-aggregation global load-sharing mode (Layer 2—LAN Switching Command Reference)

link-aggregation load-sharing ignore (Layer 2—LAN Switching Command Reference)

port-security enable

Use port-security enable to enable port security.

Use undo port-security enable to disable port security.

Syntax

port-security enable

undo port-security enable

Default

Port security is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

You must disable global 802.1X and MAC authentication before you enable port security.

Enabling or disabling port security resets the following security settings to the default:

·     802.1X access control mode is MAC-based.

·     Port authorization state is auto.

When online users are present on a port, disabling port security logs off the online users.

Examples

# Enable port security.

<Sysname> system-view

[Sysname] port-security enable

Related commands

display port-security

dot1x

dot1x port-control

dot1x port-method

mac-authentication

port-security escape critical-vsi

Use port-security escape critical-vsi to enable the escape critical VSI feature for 802.1X and MAC authentication users on a port.

Use undo port-security escape critical-vsi to disable the escape critical VSI feature for 802.1X and MAC authentication users on a port.

Syntax

port-security escape critical-vsi

undo port-security escape critical-vsi

Default

The escape critical VSI feature is disabled on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

The escape critical VSI feature operates on VXLAN networks. It enables 802.1X and MAC authentication users to escape the authentication failure that occurs because the RADIUS server is malfunctioning.

You can enable this feature temporarily to prevent 802.1X and MAC authentication service interruption while you are troubleshooting a malfunctioning RADIUS server.

Before enabling the escape critical VSI feature on a port, configure an 802.1X critical VSI and a MAC authentication critical VSI on the port. For more information about critical VSI configuration, see 802.1X and MAC authentication in Security Configuration Guide.

For the escape critical VSI feature to work correctly on a port, make sure the port does not have the following settings:

·     Web authentication.

·     Guest, Auth-Fail, or critical VLAN for 802.1X authentication.

·     Guest or critical VLAN for MAC authentication.

The escape critical VSI feature does not affect 802.1X or MAC authentication users that have been online before this feature is enabled.

If the mac-authentication critical vsi critical-vsi-name url-user-logoff command is used in conjunction with this feature, MAC authentication users that have been assigned authorization URLs on the port will be logged off. For more information, see MAC authentication in Security Configuration Guide.

The escape critical VSI feature does not take effect on a new 802.1X or MAC authentication user if any of the following conditions exists:

·     The 802.1X client and the device use different EAP message handling methods.

·     802.1X MAC address binding is enabled on the user's access port, but the MAC address of the 802.1X user is not bound to that port.

·     The user's MAC address is an all-zero, all-F, or multicast MAC address.

When you disable the escape critical VSI feature on a port, the device handles users in the critical VSIs on the port as follows:

·     If the global escape critical VSI feature is enabled, the users are not removed from the critical VSIs on the port.

·     If the global escape critical VSI feature is disabled, the users are removed from the critical VSIs on the port. The users must perform authentication to come online again on the port.

Examples

# Enable the escape critical VSI on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security escape critical-vsi

Please make sure the port is configured with the 802.1X and MAC authentication critical VSIs. Continue? [Y/N]:y

Related commands

dot1x critical vsi

mac-authentication critical vsi

port-security global escape critical-vsi

vsi (VXLAN Command Reference)

port-security global escape critical-vsi

Use port-security global escape critical-vsi to enable the escape critical VSI feature globally for 802.1X and MAC authentication users.

Use undo port-security global escape critical-vsi to disable the escape critical VSI feature globally for 802.1X and MAC authentication users.

Syntax

port-security global escape critical-vsi

undo port-security global escape critical-vsi

Default

The global escape critical VSI feature is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The escape critical VSI feature operates on VXLAN networks. It enables 802.1X and MAC authentication users to escape the authentication failure that occurs because the RADIUS server is malfunctioning.

You can enable this feature temporarily to prevent 802.1X and MAC authentication service interruption while you are troubleshooting a malfunctioning RADIUS server.

Before enabling the global escape critical VSI feature, configure an 802.1X critical VSI and a MAC authentication critical VSI on the access port of each 802.1X or MAC authentication user. For more information about critical VSI configuration, see 802.1X and MAC authentication in Security Configuration Guide.

For the global escape critical VSI feature to work correctly on a port, make sure the port does not have the following settings:

·     Web authentication.

·     Guest, Auth-Fail, or critical VLAN for 802.1X authentication.

·     Guest or critical VLAN for MAC authentication.

The global escape critical VSI feature does not affect 802.1X or MAC authentication users that have been online before this feature is enabled.

If the mac-authentication critical vsi critical-vsi-name url-user-logoff command is used in conjunction with this feature, MAC authentication users that have been assigned authorization URLs on the port will be logged off. For more information, see MAC authentication in Security Configuration Guide.

The global escape critical VSI feature does not take effect on a new 802.1X or MAC authentication user if any of the following conditions exists:

·     The 802.1X client and the device use different EAP message handling methods.

·     802.1X MAC address binding is enabled on the user's access port, but the MAC address of the 802.1X user is not bound to that port.

·     The user's MAC address is an all-zero, all-F, or multicast MAC address.

When you disable the global escape critical VSI feature, the device handles users in the critical VSIs on each port as follows:

·     If the escape critical VSI feature is enabled on the port, the users on the port are not removed from the critical VSIs.

·     If the escape critical VSI feature is disabled on the port, the users on the port are removed from the critical VSIs. The users must perform authentication to come online again on the port.

Examples

# Enable the global escape critical VSI feature.

<Sysname> system-view

[Sysname] port-security global escape critical-vsi

Please make sure critical VSI settings exist. Continue? [Y/N]:y

Related commands

dot1x critical vsi

mac-authentication critical vsi

port-security escape critical-vsi

vsi (VXLAN Command Reference)

port-security intrusion-mode

Use port-security intrusion-mode to configure the intrusion protection action to take when intrusion protection detects illegal frames on a port.

Use undo port-security intrusion-mode to restore the default.

Syntax

port-security intrusion-mode { blockmac | disableport | disableport-temporarily }

undo port-security intrusion-mode

Default

Intrusion protection is disabled.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses for a period set by the block timer. A blocked MAC address will be unblocked when the block timer expires. The timer is configurable with the port-security timer blockmac command. To display the blocked MAC address list, use the display port-security mac-address block command.

disableport: Disables the port permanently when an illegal frame is received on the port.

disableport-temporarily: Disables the port for a period of time whenever it receives an illegal frame. You can use the port-security timer disableport command to set the period.

Usage guidelines

To bring up a port that intrusion protection has disabled permanently (disableport action), use the undo shutdown command on that port.

Examples

# Configure Ten-GigabitEthernet 1/0/1 to block the source MAC addresses of illegal frames after intrusion protection detects the illegal frames.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security intrusion-mode blockmac

Related commands

display port-security

display port-security mac-address block

port-security timer blockmac

port-security timer disableport

port-security mac-address aging-type inactivity

Use port-security mac-address aging-type inactivity to enable inactivity aging for secure MAC addresses.

Use undo port-security mac-address aging-type inactivity to disable inactivity aging for secure MAC addresses.

Syntax

port-security mac-address aging-type inactivity

undo port-security mac-address aging-type inactivity

Default

The inactivity aging feature is disabled for secure MAC addresses.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to periodically detect traffic data from secure MAC addresses.

If only the aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the secure MAC addresses. When you use the aging timer together with the inactivity aging feature, the aging timer restarts once traffic data is detected from the secure MAC addresses. A secure MAC address ages out when its lifetime expires because no traffic has been detected from it.

The inactivity aging feature prevents the unauthorized use of a secure MAC address when the authorized user is offline. The feature also removes outdated secure MAC addresses so that new secure MAC addresses can be learned or configured.

If this feature is enabled on a Layer 2 Ethernet interface, the lifetime of a secure MAC address depends on the aging timer (configured by using the port-security timer autolearn aging command).

·     If the aging timer is equal to or greater than 60 seconds, port security detects traffic from the secure MAC addresses on the interface at intervals of 30 seconds. The lifetime of a secure MAC address is a multiple of 30.

o     If the aging timer is also a multiple of 30, the lifetime of a secure MAC address is equal to the aging timer.

o     If the aging timer is not a multiple of 30, the lifetime of a secure MAC address is equal to the aging timer rounded up to the nearest multiple of 30.

For example, if the aging timer is 80 seconds, the lifetime of a secure MAC address will be 90 seconds.

·     If the aging timer is less than 60 seconds, the traffic detection interval equals the aging timer. The lifetime of a secure MAC address is equal to the aging timer.

This secure MAC lifetime calculation mechanism on Layer 2 Ethernet interfaces also applies to Layer 2 aggregate interfaces except that a compensation mechanism is introduced.

This compensation mechanism adds 90 seconds to the initial lifetime of a secure MAC address when the aging timer is equal to or greater than 60 seconds. For example, if the aging timer is 80 seconds, the initial lifetime of a secure MAC address will be 180 (90 + 90) seconds.

This 90-second compensation time is added only to the initial lifetime of each secure MAC address. If traffic is received from a secure MAC address before its initial lifetime expires, its lifetime will be renewed without a 90-second compensation. For example, if the aging timer is 80 seconds, the renewed lifetime of that secure MAC address will be 90 seconds.

This command takes effect only on sticky MAC addresses and dynamic secure MAC addresses.
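The lifetime rules above, as an added worked example that is not part of the H3C document: a small Python model that computes the lifetime of a sticky or dynamic secure MAC address for both interface types, and walks a sequence of traffic timestamps through the initial lifetime and the renewed lifetimes. The function names are assumptions of the example, as is the simplification that a renewal takes effect at the moment traffic is seen rather than at the next 30-second detection point.

```python
"""Secure MAC lifetime under port-security inactivity aging.

Constructed model of the rules documented for
'port-security mac-address aging-type inactivity'; not device code.
"""

DETECT_INTERVAL = 30    # seconds; detection interval when the aging timer is >= 60
AGG_COMPENSATION = 90   # seconds; added once to the initial lifetime on aggregate interfaces


def detect_interval(aging_timer: int) -> int:
    """Traffic detection interval port security uses for a given aging timer."""
    if aging_timer < 60:
        return aging_timer          # below 60 s the detection interval equals the timer
    return DETECT_INTERVAL


def secure_mac_lifetime(aging_timer: int, aggregate: bool = False,
                        initial: bool = True) -> int:
    """Lifetime in seconds of a sticky/dynamic secure MAC with inactivity aging enabled.

    aging_timer: value of 'port-security timer autolearn aging', in seconds.
    aggregate:   True for a Layer 2 aggregate interface, False for a Layer 2 Ethernet interface.
    initial:     True for the lifetime assigned when the entry is created, False for the
                 lifetime granted when traffic from the MAC renews the entry.
    """
    if aging_timer <= 0:
        raise ValueError("aging timer must be positive")
    if aging_timer < 60:
        return aging_timer
    # Round up to the nearest multiple of the 30-second detection interval.
    lifetime = -(-aging_timer // DETECT_INTERVAL) * DETECT_INTERVAL
    if aggregate and initial:
        lifetime += AGG_COMPENSATION   # compensation applies to the initial lifetime only
    return lifetime


def expiry_time(created_at: int, traffic_times, aging_timer: int,
                aggregate: bool = False) -> int:
    """Time at which the entry ages out, given the times traffic was seen from the MAC.

    Simplification (assumption of this model): a renewal is applied at the traffic
    timestamp itself; the real device renews at its next detection point.
    """
    expiry = created_at + secure_mac_lifetime(aging_timer, aggregate, initial=True)
    for t in sorted(traffic_times):
        if t >= expiry:
            break                   # entry already removed; later traffic cannot renew it
        expiry = t + secure_mac_lifetime(aging_timer, aggregate, initial=False)
    return expiry


if __name__ == "__main__":
    # Worked case from the document: aging timer 80 s.
    print("Ethernet, 80 s timer:", secure_mac_lifetime(80))                   # 90
    print("Aggregate, initial:", secure_mac_lifetime(80, aggregate=True))      # 180
    print("Aggregate, renewed:", secure_mac_lifetime(80, aggregate=True, initial=False))  # 90
    print("Ages out at:", expiry_time(0, [50], 80))                            # 140
```

A practical use is predicting when a sticky entry disappears after a host is unplugged: with an 80-second timer an Ethernet-port entry survives 90 seconds of silence, while the same entry on an aggregate interface survives 180 seconds until its first renewal and 90 seconds thereafter.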

Examples

# Enable inactivity aging for secure MAC addresses on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security mac-address aging-type inactivity

Related commands

display port-security

port-security mac-address dynamic

Use port-security mac-address dynamic to enable the dynamic secure MAC feature.

Use undo port-security mac-address dynamic to disable the dynamic secure MAC feature.

Syntax

port-security mac-address dynamic

undo port-security mac-address dynamic

Default

The dynamic secure MAC feature is disabled. Sticky MAC addresses can be saved to the configuration file. Once saved, they survive a device reboot.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

The dynamic secure MAC feature converts sticky MAC addresses to dynamic and disables saving them to the configuration file.

After you execute this command, you cannot manually configure sticky MAC addresses, and secure MAC addresses learned by a port in autoLearn mode are dynamic. All dynamic MAC addresses are lost at reboot. Use this command when you want to clear all sticky MAC addresses after a device reboot.

You can display dynamic secure MAC addresses by using the display port-security mac-address security command.

The undo port-security mac-address dynamic command converts all dynamic secure MAC addresses on the port to sticky MAC addresses. You can manually configure sticky MAC addresses.

Examples

# Enable the dynamic secure MAC feature on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security mac-address dynamic

Related commands

display port-security

display port-security mac-address security

port-security mac-address security

Use port-security mac-address security to add a secure MAC address.

Use undo port-security mac-address security to remove a secure MAC address.

Syntax

In Layer 2 Ethernet interface view or Layer 2 aggregate interface view:

port-security mac-address security [ sticky ] mac-address vlan vlan-id

undo port-security mac-address security [ sticky ] mac-address vlan vlan-id

In system view:

port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id

undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]

Default

No manually configured secure MAC address entries exist.

Views

System view

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

sticky: Specifies the MAC address type as sticky. If you do not specify this keyword, the command configures a static secure MAC address.

mac-address: Specifies a MAC address, in H-H-H format.

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies the VLAN to which the secure MAC address belongs. The value range for the vlan-id argument is 1 to 4094.

Usage guidelines

Secure MAC addresses are MAC addresses configured or learned in autoLearn mode, and if saved, can survive a device reboot. You can bind a secure MAC address only to one port in a VLAN.

You can add important or frequently used MAC addresses as sticky or static secure MAC addresses so that they are not squeezed out when the secure MAC address limit is reached, which would otherwise cause authentication failure. To successfully add secure MAC addresses on a port, first complete the following tasks:

·     Enable port security on the port.

·     Set the port security mode to autoLearn.

·     Configure the port to permit packets of the specified VLAN to pass or add the port to the VLAN. Make sure the VLAN already exists.

Sticky MAC addresses can be manually configured or automatically learned in autoLearn mode. Sticky MAC addresses do not age out by default. You can use the port-security timer autolearn aging command to set an aging timer for the sticky MAC addresses. When the timer expires, the sticky MAC addresses are removed.

Static secure MAC addresses never age out unless you perform the following operations:

·     Remove these MAC addresses by using the undo port-security mac-address security command.

·     Change the port security mode.

·     Disable the port security feature.

You cannot change the type of a secure address entry that has been added or add two entries that are identical except for their entry type. For example, you cannot add the port-security mac-address security sticky 1-1-1 vlan 10 entry when a port-security mac-address security 1-1-1 vlan 10 entry exists. To add the new entry, you must delete the old entry.

If you use the hardware-resource vxlan command to set the VXLAN hardware resource mode to border mode, the S6800 switch series does not support using the port-security mac-address security command to add secure MAC addresses for untagged packets.

Examples

# Enable port security, set Ten-GigabitEthernet 1/0/1 to operate in autoLearn mode, and configure the port to support a maximum number of 100 secure MAC addresses.

<Sysname> system-view

[Sysname] port-security enable

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security max-mac-count 100

[Sysname-Ten-GigabitEthernet1/0/1] port-security port-mode autolearn

# Specify MAC address 0001-0002-0003 in VLAN 4 as a sticky MAC address.

[Sysname-Ten-GigabitEthernet1/0/1] port-security mac-address security sticky 0001-0002-0003 vlan 4

[Sysname-Ten-GigabitEthernet1/0/1] quit

# In system view, specify MAC address 0001-0001-0002 in VLAN 10 as a secure MAC address for Ten-GigabitEthernet 1/0/1.

[Sysname] port-security mac-address security 0001-0001-0002 interface ten-gigabitethernet 1/0/1 vlan 10

Related commands

display port-security

port-security timer autolearn aging

port-security mac-limit

Use port-security mac-limit to set the maximum number of MAC addresses that port security allows for specific VLANs on a port.

Use undo port-security mac-limit to restore the default.

Syntax

port-security mac-limit max-number per-vlan vlan-id-list

undo port-security mac-limit max-number per-vlan vlan-id-list

Default

The maximum number is 2147483647.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of MAC addresses. The value range is 1 to 2147483647.

per-vlan vlan-id-list: Applies the maximum number to a VLAN list on a per-VLAN basis. The vlan-id-list argument specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs is 1 to 4094. The value for the vlan-id2 argument must be equal to or greater than the value for the vlan-id1 argument.

Usage guidelines

This command limits the number of MAC addresses that port security allows to access a port through specific VLANs. Use this command to prevent resource contentions among MAC addresses and ensure reliable performance for each access user on the port. When the number of MAC addresses in a VLAN on the port reaches the upper limit, the device denies any subsequent MAC addresses in the VLAN on the port.

Port security allows the access of the following types of MAC addresses on a port:

·     MAC addresses that pass 802.1X authentication or MAC authentication.

·     MAC addresses in the MAC authentication guest or critical VLAN and MAC addresses in the MAC authentication guest or critical VSI.

·     MAC addresses in the 802.1X guest, Auth-Fail, or critical VLAN and MAC addresses in the 802.1X guest, Auth-Fail, or critical VSI.

·     MAC addresses that pass Web authentication and MAC addresses in the Web authentication Auth-Fail VLAN.

On a port, the maximum number of MAC addresses in a VLAN cannot be smaller than the number of existing MAC addresses in the VLAN. If the specified maximum number is smaller, the setting does not take effect.
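The per-VLAN limit behaviour described above, as an added example that is not part of the H3C document or its software: a Python model that parses the vlan-id-list syntax (up to 10 items, ranges written as vlan-id1 to vlan-id2, IDs 1 to 4094), applies a limit only where it is not smaller than the MACs already present in the VLAN, and denies the next MAC in a VLAN once its cap is reached. The class and function names are assumptions of the example; the same list syntax is also used by port-security max-mac-count vlan.

```python
"""Model of 'port-security mac-limit max-number per-vlan vlan-id-list'.

Constructed to illustrate the documented rules; not the switch's implementation.
"""
from collections import defaultdict

MAX_LIMIT = 2147483647     # default and upper bound of max-number
MAX_VLAN_ITEMS = 10        # at most 10 VLAN items per command


def parse_vlan_list(text: str) -> set:
    """Parse a space-separated VLAN list such as '1 5 10 to 20' into a set of VLAN IDs."""
    tokens = text.split()
    items = []
    i = 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end = int(tokens[i + 2])
            i += 3
        else:
            end = start
            i += 1
        if not (1 <= start <= 4094 and 1 <= end <= 4094):
            raise ValueError(f"VLAN ID out of range in item {start} to {end}")
        if end < start:
            raise ValueError(f"vlan-id2 {end} must not be smaller than vlan-id1 {start}")
        items.append((start, end))
    if len(items) > MAX_VLAN_ITEMS:
        raise ValueError("at most 10 VLAN items are allowed")
    vlans = set()
    for start, end in items:
        vlans.update(range(start, end + 1))
    return vlans


def is_valid_vlan_list(text: str) -> bool:
    """True if the list parses under the rules above, False otherwise."""
    try:
        parse_vlan_list(text)
        return True
    except ValueError:
        return False


class PortMacLimit:
    """Per-VLAN cap on the MAC addresses port security admits on one port."""

    def __init__(self):
        self.limits = {}                   # vlan -> max-number (absent means unlimited)
        self.macs = defaultdict(set)       # vlan -> MACs currently admitted

    def set_limit(self, max_number: int, vlan_list: str) -> list:
        """Apply max_number to each VLAN in vlan_list.

        Returns the VLANs where the setting did not take effect because the VLAN
        already holds more MAC addresses than the requested cap.
        """
        if not 1 <= max_number <= MAX_LIMIT:
            raise ValueError("max-number must be in the range 1 to 2147483647")
        rejected = []
        for vlan in sorted(parse_vlan_list(vlan_list)):
            if len(self.macs[vlan]) > max_number:
                rejected.append(vlan)
                continue
            self.limits[vlan] = max_number
        return rejected

    def admit(self, mac: str, vlan: int) -> bool:
        """True if the MAC may come online in the VLAN, False if the VLAN's cap is reached."""
        mac = mac.lower()
        if mac in self.macs[vlan]:
            return True                    # an existing user, not a new MAC address
        if len(self.macs[vlan]) >= self.limits.get(vlan, MAX_LIMIT):
            return False                   # subsequent MACs in this VLAN are denied
        self.macs[vlan].add(mac)
        return True


if __name__ == "__main__":
    port = PortMacLimit()
    port.set_limit(32, "1 5 10 to 20")     # the document's example configuration
    print(sorted(port.limits))
```

The rejection path in set_limit mirrors the guideline that a cap smaller than the VLAN's current MAC count does not take effect; check the result on a live port with display port-security rather than assuming the command succeeded.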

Examples

# On Ten-GigabitEthernet 1/0/1, configure VLAN 1, VLAN 5, and VLANs 10 through 20 each to allow a maximum of 32 MAC authentication and 802.1X users.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security mac-limit 32 per-vlan 1 5 10 to 20

Related commands

display dot1x

display mac-authentication

port-security mac-move bypass-vlan-check

Use port-security mac-move bypass-vlan-check to enable VLAN check bypass for users moving to a port from other ports.

Use undo port-security mac-move bypass-vlan-check to disable VLAN check bypass for users moving to a port from other ports.

Syntax

port-security mac-move bypass-vlan-check

undo port-security mac-move bypass-vlan-check

Default

VLAN check bypass is disabled for users moving to a port from other ports. When reauthenticating a user that has moved to the port, the device examines whether the VLAN to which the user belongs is permitted by the port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

VLAN check bypass skips checking VLAN information in the packets that trigger authentication for users moving to the port from other ports.

On the destination port, an authenticated user will reauthenticate in the VLAN authorized on the source port if the source port is enabled with MAC-based VLAN. If that VLAN is not permitted to pass through on the destination port, reauthentication will fail. To avoid this situation, enable VLAN check bypass on the destination port.

When you configure VLAN check bypass, follow these guidelines:

·     To ensure a successful reauthentication, enable VLAN check bypass on a destination port if the source port is enabled with MAC-based VLAN.

·     If the destination port is an 802.1X-enabled trunk port, you must configure it to send 802.1X protocol packets without VLAN tags.

Examples

# Enable VLAN check bypass for users moving to Ten-GigabitEthernet 1/0/1 from other ports.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security mac-move bypass-vlan-check

Related commands

display port-security

dot1x eapol untag

port-security mac-move permit

port-security mac-move permit

Use port-security mac-move permit to enable MAC move on the device.

Use undo port-security mac-move permit to disable MAC move on the device.

Syntax

port-security mac-move permit [ port | vlan ]

undo port-security mac-move permit

Default

MAC move is disabled on the device.

Views

System view

Predefined user roles

network-admin

Parameters

port: Specifies the inter-port MAC move.

vlan: Specifies the inter-VLAN MAC move.

Usage guidelines

Port security MAC move takes effect on online users authenticated through 802.1X authentication, MAC authentication, or Web authentication in the following scenarios:

·     Inter-port move on a device—An authenticated online user moves between ports on the device. The user VLAN or authentication method might change or stay unchanged after the move.

·     Inter-VLAN move on a port—An authenticated online user moves between VLANs on a trunk or hybrid port. This mode takes effect only when the packets that trigger authentication are VLAN tagged.

Port security MAC move allows an authenticated online user on one port or VLAN to be reauthenticated and come online on another port or VLAN without going offline first. After the user passes authentication on the new port or VLAN, the system removes the authentication session of the user on the original port or VLAN. This action ensures that the user stays online on only one port in one VLAN.

NOTE:

For MAC authentication, the MAC move feature applies only when MAC authentication single-VLAN mode is used. The MAC move feature does not apply to MAC authentication users that move between VLANs on a port with MAC authentication multi-VLAN mode enabled.

If this feature is disabled, authenticated users must go offline first before they can be reauthenticated successfully on a new port or VLAN to come online.

Authenticated users cannot move between ports on a device or between VLANs on a port if the maximum number of online users on the authentication server has been reached.

If you do not specify any parameters, this command enables both the inter-port and inter-VLAN MAC moves.

Examples

# Enable MAC move.

<Sysname> system-view

[Sysname] port-security mac-move permit

Related commands

display port-security

mac-authentication host-mode multi-vlan

port-security max-mac-count

Use port-security max-mac-count to set the maximum number of secure MAC addresses that port security allows on a port.

Use undo port-security max-mac-count to restore the default.

Syntax

port-security max-mac-count max-count [ vlan [ vlan-id-list ] ]

undo port-security max-mac-count [ vlan [ vlan-id-list ] ]

Default

Port security does not limit the number of secure MAC addresses on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

max-count: Specifies the maximum number of secure MAC addresses that port security allows on the port. The value range is 1 to 2147483647.

vlan [ vlan-id-list ]: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN ID or a range of VLAN IDs in the form of start-vlan-id to end-vlan-id. The end VLAN ID cannot be smaller than the start VLAN ID. The value range for VLAN IDs is 1 to 4094. If you do not specify the vlan keyword, this command sets the maximum number of secure MAC addresses that port security allows on a port. If you do not specify the vlan-id-list argument, this command sets the maximum number of secure MAC addresses for each VLAN on the port. This option takes effect only on a port that operates in autoLearn mode.

Usage guidelines

For autoLearn mode, this command sets the maximum number of secure MAC addresses (both configured and automatically learned) on the port.

In any other mode that enables 802.1X, MAC authentication, or both, this command sets the maximum number of authenticated MAC addresses on the port. The actual maximum number of concurrent users that the port accepts equals the smaller of the following values:

·     The value set by using this command.

·     The maximum number of concurrent users allowed by the authentication mode in use.

For example, in userLoginSecureExt mode, if 802.1X allows more concurrent users than port security's limit on the number of MAC addresses, port security's limit takes effect.

When you configure this command, follow these guidelines and restrictions:

·     Make sure the maximum number of secure MAC addresses for a VLAN is not less than the number of MAC addresses currently saved for the VLAN.

·     If you execute this command multiple times to set the maximum number of secure MAC addresses for the same VLAN, the most recent configuration takes effect.

·     You cannot change port security's limit on the number of MAC addresses when the port is operating in autoLearn mode.

Examples

# Set the maximum number of secure MAC addresses that port security allows on Ten-GigabitEthernet 1/0/1 to 100.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security max-mac-count 100

Related commands

display port-security

port-security nas-id-profile

Use port-security nas-id-profile to apply a NAS-ID profile to global or port-based port security.

Use undo port-security nas-id-profile to restore the default.

Syntax

port-security nas-id-profile profile-name

undo port-security nas-id-profile

Default

No NAS-ID profile is applied to port security globally or on any port.

Views

System view

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

profile-name: Specifies a NAS-ID profile by its name. The argument is a case-sensitive string of 1 to 31 characters.

Usage guidelines

A NAS-ID profile defines NAS-ID and VLAN bindings. You can create a NAS-ID profile by using the aaa nas-id profile command.

The device selects a NAS-ID profile for a port in the following order:

1.     The port-specific NAS-ID profile.

2.     The NAS-ID profile applied globally.

If no NAS-ID profile is applied or no matching binding is found in the selected profile, the device uses the device name as the NAS-ID.

Examples

# Apply NAS-ID profile aaa to Ten-GigabitEthernet 1/0/1 for port security.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security nas-id-profile aaa

# Globally apply NAS-ID profile aaa to port security.

<Sysname> system-view

[Sysname] port-security nas-id-profile aaa

Related commands

aaa nas-id profile

port-security ntk-mode

Use port-security ntk-mode to configure the NTK feature.

Use undo port-security ntk-mode to restore the default.

Syntax

port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkauto | ntkonly }

undo port-security ntk-mode

Default

The NTK feature is not configured on a port and all frames are allowed to be sent.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

ntk-withbroadcasts: Forwards only broadcast and unicast frames with a known destination MAC address.

ntk-withmulticasts: Forwards only broadcast, multicast, and unicast frames with a known destination MAC address.

ntkauto: Forwards only broadcast, multicast, and unicast frames with a known destination MAC address, and only when the port has online users.

ntkonly: Forwards only unicast frames with a known destination MAC address.

Usage guidelines

The NTK feature checks the destination MAC addresses in outbound frames. This feature allows frames to be sent only to devices with a known MAC address, preventing illegal devices from intercepting network traffic.
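The outbound check described above, as an added example that is not part of the H3C document or its software: a Python model that classifies a destination MAC address (broadcast, multicast by the I/G bit of the first octet, known or unknown unicast) and applies the forwarding rule of each ntk-mode keyword, including the ntkauto condition that the port has online users. Function names and the known-MAC set are assumptions of the example.

```python
"""Model of the NTK (need-to-know) outbound check for each port-security ntk-mode.

Constructed to illustrate the documented behaviour; not the switch's implementation.
"""
from typing import Optional

BROADCAST = "ffff-ffff-ffff"

# Frame classes each mode allows the port to send.
NTK_POLICY = {
    "ntkonly":            {"unicast-known"},
    "ntk-withbroadcasts": {"unicast-known", "broadcast"},
    "ntk-withmulticasts": {"unicast-known", "broadcast", "multicast"},
    "ntkauto":            {"unicast-known", "broadcast", "multicast"},  # only with online users
}


def classify_dst(dst_mac: str, known_macs) -> str:
    """Classify a destination MAC in H-H-H format.

    Returns 'broadcast', 'multicast', 'unicast-known' or 'unicast-unknown'.
    """
    mac = dst_mac.lower()
    if mac == BROADCAST:
        return "broadcast"
    first_octet = int(mac.split("-")[0][:2], 16)
    if first_octet & 0x01:                 # I/G bit set: group (multicast) address
        return "multicast"
    known = {m.lower() for m in known_macs}
    return "unicast-known" if mac in known else "unicast-unknown"


def ntk_forwards(mode: Optional[str], dst_mac: str, known_macs,
                 online_users: int = 0) -> bool:
    """True if a port in the given NTK mode sends a frame to dst_mac.

    mode None means NTK is not configured, so every frame is sent.
    """
    if mode is None:
        return True
    if mode not in NTK_POLICY:
        raise ValueError(f"unknown ntk-mode {mode}")
    if mode == "ntkauto" and online_users == 0:
        return False                       # ntkauto forwards only while users are online
    return classify_dst(dst_mac, known_macs) in NTK_POLICY[mode]


if __name__ == "__main__":
    known = {"0001-0002-0003"}             # constructed: MACs the port has learned/authenticated
    for mode in (None, "ntkonly", "ntk-withbroadcasts", "ntk-withmulticasts", "ntkauto"):
        for dst in ("0001-0002-0003", "0001-0002-0009", "0100-5e00-0001", BROADCAST):
            print(f"{mode!s:20} {dst}: {ntk_forwards(mode, dst, known, online_users=1)}")
```

The security point the model makes explicit: ntkonly also drops broadcast and multicast, so ARP replies and other broadcast-dependent traffic stop leaving the port; pick ntk-withbroadcasts or ntk-withmulticasts when the attached host still needs them, and remember that ntkauto sends nothing at all to a port without online users.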

Examples

# Set the NTK mode of Ten-GigabitEthernet 1/0/1 to ntkonly, allowing the port to forward only unicast frames with a known destination MAC address.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security ntk-mode ntkonly

Related commands

display port-security

port-security oui

Use port-security oui to configure an OUI value for user authentication.

Use undo port-security oui to delete the OUI value with the specified OUI index.

Syntax

port-security oui index index-value mac-address oui-value

undo port-security oui index index-value

Default

No OUI values are configured.

Views

System view

Predefined user roles

network-admin

Parameters

index-value: Specifies the OUI index, in the range of 1 to 16.

oui-value: Specifies an OUI string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value.

Usage guidelines

You can configure multiple OUI values.

An OUI, the first 24 binary bits of a MAC address, is assigned by IEEE to uniquely identify a device vendor. Use this command to allow devices of specific vendors to access the network without being authenticated. For example, you can specify the OUIs of IP phones and printers.

The OUI values configured by this command apply only to the ports operating in userLoginWithOUI mode. In userLoginWithOUI mode, a port allows only one 802.1X user and one user whose MAC address matches one of the configured OUI values.

Examples

# Configure an OUI value of 000d2a, and set the index to 4.

<Sysname> system-view

[Sysname] port-security oui index 4 mac-address 000d-2a10-0033

Related commands

display port-security

port-security port-mode

Use port-security port-mode to set the port security mode of a port.

Use undo port-security port-mode to restore the default.

Syntax

port-security port-mode { autolearn | mac-and-userlogin-secure-ext | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }

undo port-security port-mode

Default

A port operates in noRestrictions mode, where port security does not take effect.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

Each keyword below is listed together with the security mode it sets (in parentheses), followed by a description of that mode.

autolearn (autoLearn)

A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses. Instead, the MAC addresses are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.

A port in autoLearn mode allows frames sourced from the following MAC addresses to pass:

·     Secure MAC addresses.

·     MAC addresses configured by using the mac-address dynamic and mac-address static commands.

When the number of secure MAC addresses reaches the upper limit set by the port-security max-mac-count command, the port changes to secure mode.

mac-and-userlogin-secure-ext (macAddressAndUserLoginSecureExt)

In this mode, a user must pass both MAC authentication and 802.1X authentication to access the authorized network resources.

The device uses the following process to handle an access user on a port operating in this mode:

1.     Performs MAC authentication for the user.

2.     Marks the user as a temporary MAC authentication user when the user passes MAC authentication. A temporary MAC authentication user can access only resources in the 802.1X guest VLAN or VSI.

3.     After receiving 802.1X protocol packets from the user on the port, the device performs 802.1X authentication for the user.

4.     After the user passes 802.1X authentication on the port, the device removes the temporary MAC authentication user entry. Then, the user comes online as an 802.1X user.

mac-authentication (macAddressWithRadius)

In this mode, a port performs MAC authentication for users and services multiple users.

mac-else-userlogin-secure (macAddressElseUserLoginSecure)

This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority. In this mode, the port allows one 802.1X authentication user and multiple MAC authentication users to log in.

·     Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication.

·     Upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.

mac-else-userlogin-secure-ext (macAddressElseUserLoginSecureExt)

Same as the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.

secure (secure)

In this mode, MAC address learning is disabled on the port and you can configure MAC addresses by using the mac-address static and mac-address dynamic commands.

The port permits only frames sourced from the following MAC addresses to pass:

·     Secure MAC addresses.

·     MAC addresses configured by using the mac-address static and mac-address dynamic commands.

userlogin (userLogin)

In this mode, a port performs 802.1X authentication and implements port-based access control.

If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication.

userlogin-secure (userLoginSecure)

In this mode, a port performs 802.1X authentication and implements MAC-based access control. The port services only one user passing 802.1X authentication.

userlogin-secure-ext (userLoginSecureExt)

Same as the userLoginSecure mode, except that this mode supports multiple online 802.1X users.

userlogin-secure-or-mac (macAddressOrUserLoginSecure)

This mode is the combination of the userLoginSecure and macAddressWithRadius modes. In this mode, the port allows one 802.1X authentication user and multiple MAC authentication users to log in.

In this mode, the port performs 802.1X authentication first. By default, if 802.1X authentication fails, MAC authentication is performed.

However, the port in this mode processes authentication differently when the following conditions exist:

·     The port is enabled with parallel processing of MAC authentication and 802.1X authentication.

·     The port is enabled with the 802.1X unicast trigger.

·     The port receives a packet from an unknown MAC address.

Under such conditions, the port sends a unicast EAP-Request/Identity packet to the MAC address to initiate 802.1X authentication. After that, the port immediately processes MAC authentication without waiting for the 802.1X authentication result.

userlogin-secure-or-mac-ext (macAddressOrUserLoginSecureExt)

Same as the macAddressOrUserLoginSecure mode, except that a port in this mode supports multiple 802.1X and MAC authentication users.

userlogin-withoui (userLoginWithOUI)

Similar to the userLoginSecure mode. In addition, a port in this mode also permits frames from a user whose MAC address contains a specific OUI.

In this mode, the port performs the OUI check first. If the OUI check fails, the port performs 802.1X authentication. The port permits frames that pass the OUI check or 802.1X authentication.

NOTE:

The secure and userlogin-withoui keywords are not supported on Layer 2 aggregate interfaces.

Usage guidelines

To change the security mode for a port security enabled port, you must set the port in noRestrictions mode first. Do not change port security mode when the port has online users.

IMPORTANT:

If you are configuring the autoLearn mode, first set port security's limit on the number of secure MAC addresses on the port by using the port-security max-mac-count (without specifying the vlan keyword) command. You cannot change the setting when the port is operating in autoLearn mode.

When port security is enabled, you cannot enable 802.1X or MAC authentication, or change the access control mode or port authorization state. Port security automatically modifies these settings according to the security mode in use.

As a best practice, do not enable the mac-else-userlogin-secure or mac-else-userlogin-secure-ext mode on the port where MAC authentication delay is enabled. The two modes are mutually exclusive with the MAC authentication delay feature. For more information about MAC authentication delay, see "MAC authentication commands."

When the port security mode is macAddressAndUserLoginSecureExt on a port, follow these restrictions and guidelines:

·     To make sure the 802.1X clients attached to the port can initiate authentication, enable unicast trigger on the port by using the dot1x unicast-trigger command.

·     The guest VLAN or VSI for MAC authentication on the port does not take effect. For the temporary MAC authentication users to access a limited set of resources, configure an 802.1X guest VLAN or VSI on the port.

·     If accounting is not required for the temporary MAC authentication users, configure different ISP domains for MAC authentication users and 802.1X users. In the ISP domain for MAC authentication users, set the accounting method to none.

If a port operating in macAddressAndUserLoginSecureExt mode is configured with an 802.1X guest VLAN, you must use the port-security mac-move permit command to enable inter-VLAN MAC move on the port. If you do not use this command, a user cannot pass 802.1X authentication to come online after it passes MAC authentication when the user initial VLAN and guest VLAN are different VLANs.

Examples

# Enable port security, and set Ten-GigabitEthernet 1/0/1 to operate in secure mode.

<Sysname> system-view

[Sysname] port-security enable

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security port-mode secure

# Change the port security mode of Ten-GigabitEthernet 1/0/1 to userLogin.

[Sysname-Ten-GigabitEthernet1/0/1] undo port-security port-mode

[Sysname-Ten-GigabitEthernet1/0/1] port-security port-mode userlogin

Related commands

display port-security

port-security max-mac-count

port-security pre-auth domain

Use port-security pre-auth domain to specify a preauthentication domain for port security users on a port.

Use undo port-security pre-auth domain to restore the default.

Syntax

port-security pre-auth domain isp-name

undo port-security pre-auth domain

Default

No preauthentication domain is specified for port security users on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The ISP domain name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

A preauthentication domain accommodates 802.1X, Web authentication, and MAC authentication users that have not performed authentication. A preauthentication domain is applicable to the following scenarios:

·     A user accesses the network for the first time. This scenario is applicable only to 802.1X and Web authentication users.

·     A user fails authentication, but no Auth-Fail domain is configured.

·     No server is reachable, but the critical domain is not configured.

When a port is configured with a preauthentication domain, authentication users that access that port will be assigned authorization attributes (including ACL, VLAN, and VSI) in the preauthentication domain after they are assigned to the preauthentication domain. They can access only network resources permitted in the preauthentication domain. If they pass authentication, AAA will assign new authorization information to them.

If the ACL, VLAN, and VSI authorization settings in the current preauthentication domain have changes, the changes take effect only on users that are assigned to the preauthentication domain after the changes are made. Users that have been assigned to the preauthentication domain before the changes are made still use the original settings.

A user that fails MAC authentication on a port is still assigned to the preauthentication domain as a MAC authentication user after 802.1X authentication is triggered for the user, if the following conditions exist:

·     802.1X authentication and MAC authentication are both enabled on the port.

·     No Auth-Fail domain is configured on the port.

802.1X and MAC authentication users support the VLAN, ACL, and VSI authorization attributes in the preauthentication domain. Web authentication users support the VLAN and ACL authorization attributes in the preauthentication domain.

Users in the preauthentication domain belong to online users. They consume online user resources on the port.

Users in the preauthentication domain do not support features triggered by the AAA server, such as DMs, CoA messages, and RADIUS session control.

Examples

# Specify ISP domain bbb as the preauthentication domain for port security users on Ten-GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security pre-auth domain bbb

Related commands

display port-security

port-security static-user

Use port-security static-user to configure a static user range for port access authentication.

Use undo port-security static-user to restore the default.

Syntax

port-security static-user { ip | ipv6 } start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ] [ domain isp-name | [ interface interface-type interface-number [ detect ] ] vlan vlan-id | mac mac-address | keep-online ] *

undo port-security static-user { ip | ipv6 } start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]

Default

No static user ranges are configured.

Views

System view

Predefined user roles

network-admin

Parameters

ip: Specifies the IPv4 addresses of the static user range.

ipv6: Specifies the IPv6 addresses of the static user range.

start-ip-address [ end-ip-address ]: Specifies the IP address range of the static user range. The start-ip-address argument represents the start IP address and the end-ip-address argument represents the end IP address. If you specify only the start IP address, the static user range contains only one static user and the specified start IP address is the IP address of the static user.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the static user range belongs. The vpn-instance-name argument represents the VPN instance name, which is a case-sensitive string of 1 to 31 characters. If the static user range belongs to the public network, do not specify this option.

domain isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The ISP domain name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

interface interface-type interface-number: Specifies an interface by its type and number.

detect: Allows the device to periodically send ARP messages to trigger authentication for static users in the static user range when the static users are not online.

vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094.

mac mac-address: Specifies the MAC address of the static user range, in the format of H-H-H.

keep-online: Always allows the static user range to stay online. With this keyword, the device does not perform offline detection on the static user range. If you do not specify this keyword, the device performs offline detection on the static user range.

Usage guidelines

When you configure a static user range, follow these restrictions and guidelines:

·     In the public network or the same VPN instance, the IP address ranges for all static user ranges cannot overlap.

·     When you use the undo port-security static-user command to delete a static user range, you must specify the same IP address range as was specified when the static user range was configured. You cannot delete only part of the IP addresses in the IP address range.

·     Modification to a static user range does not affect online static users. The modification takes effect only on static users that will come online.

The device supports a maximum of 50000 static user ranges.

When the maximum number of static users is reached on a port, the port denies subsequent static users. The subsequent static users cannot come online through other access authentication methods on the port.
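The overlap and exact-match deletion rules above, modeled in Python as an added example (not H3C code). The class and method names are assumptions of this example; a VPN instance of None stands for the public network.

```python
"""Static user range bookkeeping (added example, not H3C code).

Models the port-security static-user restrictions: ranges in the public network
or in the same VPN instance must not overlap, and undo must name exactly the
range that was configured. Class and method names are this example's own.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple


class StaticUserTable:
    def __init__(self) -> None:
        # key: (IP version, vpn-instance name or None for the public network)
        self.ranges: Dict[Tuple[int, Optional[str]], List[Tuple]] = {}

    @staticmethod
    def _parse(family: str, start: str, end: Optional[str]) -> Tuple:
        """Parse { ip | ipv6 } start-ip-address [ end-ip-address ].

        A single address is a one-user range whose start and end coincide.
        """
        if family not in ("ip", "ipv6"):
            raise ValueError("family must be 'ip' or 'ipv6'")
        version = 4 if family == "ip" else 6
        lo = ipaddress.ip_address(start)
        hi = ipaddress.ip_address(end) if end is not None else lo
        if lo.version != version or hi.version != version:
            raise ValueError("address does not match the ip/ipv6 keyword")
        if hi < lo:
            raise ValueError("end-ip-address precedes start-ip-address")
        return lo, hi

    def add(self, family: str, start: str, end: Optional[str] = None,
            vpn_instance: Optional[str] = None) -> bool:
        """Configure a range; False if it overlaps a range in the same network."""
        lo, hi = self._parse(family, start, end)
        existing = self.ranges.setdefault((lo.version, vpn_instance), [])
        for olo, ohi in existing:
            # two ranges overlap unless one ends before the other starts
            if not (hi < olo or lo > ohi):
                return False
        existing.append((lo, hi))
        return True

    def remove(self, family: str, start: str, end: Optional[str] = None,
               vpn_instance: Optional[str] = None) -> bool:
        """undo: the range must match exactly; deleting part of a range is refused."""
        lo, hi = self._parse(family, start, end)
        existing = self.ranges.get((lo.version, vpn_instance), [])
        if (lo, hi) not in existing:
            return False
        existing.remove((lo, hi))
        return True

    def lookup(self, ip: str,
               vpn_instance: Optional[str] = None) -> Optional[Tuple[str, str]]:
        """Return the range an endpoint address falls in, or None if it would
        not come online as a static user."""
        addr = ipaddress.ip_address(ip)
        for lo, hi in self.ranges.get((addr.version, vpn_instance), []):
            if lo <= addr <= hi:
                return str(lo), str(hi)
        return None
```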

Examples

# Configure IP address range 20.20.20.20 to 20.20.20.30 for a static user range. Users at IP addresses in the IP address range will come online as static users.

<Sysname> system-view

[Sysname] port-security static-user ip 20.20.20.20 20.20.20.30

Related commands

display port-security static-user

port-security static-user match-mac acl

Use port-security static-user match-mac acl to specify an ACL to match the MAC addresses of static users.

Use undo port-security static-user match-mac acl to restore the default.

Syntax

port-security static-user match-mac acl acl-number

undo port-security static-user match-mac acl

Default

No ACL is specified to match the MAC addresses of static users.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Typically, endpoints that match static user IP ranges come online as static users. However, the device recognizes the endpoints as MAC authentication users instead of static users in the following situations:

·     The first packet sent by an endpoint is a Layer 2 packet that does not contain an IP address. In this situation, the packet triggers MAC authentication first.

·     An endpoint has both IPv4 and IPv6 addresses and the first packet sent by the endpoint is an IPv6 packet, but only static user IPv4 ranges are configured on the device. In this situation, the packet triggers MAC authentication first.

To resolve these issues, use this command to make the MAC address the criterion for matching static users. With this command, users that match the specified ACL can trigger authentication and come online only as static users. They cannot trigger other authentication processes.

The specified ACL must be a Layer 2 ACL. The ACL can contain only permit rules with the source MAC range criteria.

Examples

# Specify ACL 4001 to match the MAC addresses of static users.

<Sysname> system-view

[Sysname] port-security static-user match-mac acl 4001

Related commands

port-security static-user

acl

port-security static-user max-user

Use port-security static-user max-user to set the maximum number of concurrent static users allowed on a port.

Use undo port-security static-user max-user to restore the default.

Syntax

port-security static-user max-user max-number

undo port-security static-user max-user

Default

A port supports a maximum of 4294967295 concurrent static users.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

max-number: Sets the maximum number of concurrent static users allowed on a port. The value range is 1 to 4294967295.

Usage guidelines

Set the maximum number of concurrent static users on a port to prevent the system resources from being overused. When the maximum number is reached, the port denies subsequent static users.

Examples

# Configure Ten-GigabitEthernet 1/0/1 to support a maximum of 32 concurrent static users.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security static-user max-user 32

Related commands

display port-security static-user

port-security static-user password

Use port-security static-user password to configure a password for static users.

Use undo port-security static-user password to restore the default.

Syntax

port-security static-user password { cipher | simple } string

undo port-security static-user password

Default

No password is configured for static users.

Views

System view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password string that cannot contain a question mark (?) or space. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

After a static user triggers authentication, the access device sends the configured password as the user's password to the authentication server.

This command takes effect only on static users that come online after this command is used.

Examples

# Configure the password as 123456 for static users.

<Sysname> system-view

[Sysname] port-security static-user password simple 123456

Related commands

display port-security static-user

port-security static-user timer detect-period

Use port-security static-user timer detect-period to set the interval at which the device actively sends ARP packets to trigger authentication for static users.

Use undo port-security static-user timer detect-period to restore the default.

Syntax

port-security static-user timer detect-period time-value

undo port-security static-user timer detect-period

Default

The device actively sends ARP packets to trigger authentication for static users at intervals of 3 minutes.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Sets the interval at which the device actively sends ARP packets to trigger authentication for static users. The value range for the interval is 60 to 2147483647, in seconds.

Usage guidelines

If you specify the detect keyword when using the port-security static-user command to configure a static user range, the device enables ARP detection for the static user range. With the port-security static-user timer detect-period command, the device sends ARP packets to the IP addresses specified by using the port-security static-user command at intervals as configured. These ARP packets trigger authentication for static users that have not come online.

If a large number of static users are configured, set the ARP detection interval to a larger value as a best practice. This configuration ensures that the device can detect all IP addresses in one interval.

Modification to the ARP detection interval takes effect only after the timer for the old ARP detection interval expires.

Examples

# Configure the device to actively send ARP packets to trigger authentication for static users at intervals of 100 seconds.

<Sysname> system-view

[Sysname] port-security static-user timer detect-period 100

Related commands

display port-security static-user

port-security static-user timer offline-detect

Use port-security static-user timer offline-detect to set the offline detect period for static users.

Use undo port-security static-user timer offline-detect to restore the default.

Syntax

port-security static-user timer offline-detect time-value

undo port-security static-user timer offline-detect

Default

The offline detect period is 5 minutes for static users.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Sets the offline detect period, in the range of 60 to 2147483647 seconds.

Usage guidelines

If you do not specify the keep-online keyword when using the port-security static-user command to configure a static user range, the device enables offline detection for online static users in the range. If the device fails to receive any traffic from an online static user within an offline detect period, the device logs off that user and requests the RADIUS accounting server to stop accounting for the user.

Examples

# Set the offline detect period to 100 seconds for static users.

<Sysname> system-view

[Sysname] port-security static-user timer offline-detect 100

Related commands

display port-security static-user

port-security static-user update-ip enable

Use port-security static-user update-ip enable to enable static user IP update.

Use undo port-security static-user update-ip enable to restore the default.

Syntax

port-security static-user update-ip enable

undo port-security static-user update-ip enable

Default

Static user IP update is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After you use the port-security static-user command to configure an IP address range for a static user range, endpoints at IP addresses in the specified IP address range will come online as static users. If the IP address of an endpoint changes, the endpoint might send abnormal ARP packets to the access device when it comes online. The source IP address of these ARP packets does not belong to the specified IP address range. This issue triggers the device to update the IP address of the endpoint when static user IP update is enabled. After address update, the endpoint is no longer a static user. As a result, the endpoint is logged off.

By default, the device does not update IP addresses for static users when it receives ARP packets with source IP address not belonging to the specified IP address range from these users. This setting prevents the ARP packets from logging off online static users. To trace IP address changes for endpoints, you can enable static user IP update to allow the device to update the IP addresses of static users.

Use static user IP update in conjunction with DHCP snooping, ARP snooping, DHCPv6 snooping, or ND snooping. To receive notifications about IP address changes from a snooping module, you must enable the corresponding snooping feature.

Examples

# Enable static user IP update.

<Sysname> system-view

[Sysname] port-security static-user update-ip enable

Related commands

display port-security static-user

port-security static-user user-name-format

Use port-security static-user user-name-format to configure the username format used by static users when they come online.

Use undo port-security static-user user-name-format to restore the default.

Syntax

port-security static-user user-name-format { ip-address | mac-address | system-name }

undo port-security static-user user-name-format

Default

The username of each static user is in the format of SysnameIP, in which Sysname is the name of the access device and IP is the user IP address. For example, if the name of the access device is test and the IP address of a static user is 1.1.1.1, the username of that static user is test1.1.1.1.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Uses the IP address of each static user as the username.

mac-address: Uses the MAC address of each static user as the username.

system-name: Uses the name of the access device that each static user accesses as the username.

Usage guidelines

After a static user triggers authentication, the access device sends the username in the configured format to the authentication server.

If the device name is longer than 16 characters, the system only uses the first 16 characters to form a username.

When the usernames of static users are their IP or MAC addresses, do not enable RESTful server-assisted automatic MAC authentication user recovery. If you enable RESTful server-assisted automatic MAC authentication user recovery, the device will recover static users as MAC authentication users after the device reboots or recovers from a failure. For more information about RESTful server-assisted automatic MAC authentication user recovery, see MAC authentication configuration in Security Configuration Guide.

This command takes effect only on static users that come online after this command is used.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure static users to use their IP addresses as usernames when they come online.

<Sysname> system-view

[Sysname] port-security static-user user-name-format ip-address

Related commands

display port-security static-user

port-security static-user user-name-format mac-address

Use port-security static-user user-name-format mac-address to configure the user account format when MAC addresses of static users are used as their usernames.

Use undo port-security static-user user-name-format mac-address to restore the default.

Syntax

port-security static-user user-name-format mac-address { one-section | { six-section | three-section } delimiter { colon | hyphen } } [ uppercase ] [ password-with-mac ]

undo port-security static-user user-name-format mac-address

Default

The username of each static user is in the format of SysnameIP, in which Sysname is the name of the access device and IP is the user IP address.

Views

System view

Predefined user roles

network-admin

Parameters

one-section: Specifies the one-section MAC address format, for example, xxxxxxxxxxxx or XXXXXXXXXXXX.

six-section: Specifies the six-section MAC address format, for example, xx-xx-xx-xx-xx-xx or XX-XX-XX-XX-XX-XX.

three-section: Specifies the three-section MAC address format, for example, xxxx-xxxx-xxxx or XXXX-XXXX-XXXX.

delimiter: Specifies a delimiter to separate the sections in a MAC address.

·     colon: Uses the colon (:) as the delimiter.

·     hyphen: Uses the hyphen (-) as the delimiter.

uppercase: Uses letters in upper case. If you do not specify this keyword, letters in a MAC address are in lower case.

password-with-mac: Specifies whether to use the MAC address of each static user as their passwords when their MAC addresses are used as their usernames. If you do not specify this keyword, the device uses the password configured by using the port-security static-user password command as the password of the static users.

Usage guidelines

This command has higher priority than the port-security static-user user-name-format and port-security static-user password commands.
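Username and password derivation for static users, covering both the port-security static-user user-name-format rules (default SysnameIP, 16-character device name limit) and the mac-address layout options of this command, as an added Python example that is not H3C code. Function names are this example's own; the page does not state which layout a bare mac-address format uses, so lowercase one-section is assumed there.

```python
"""Static user username/password derivation (added example, not H3C code).

Models the formats this reference describes: the default SysnameIP form with
the device name cut to its first 16 characters, the ip-address, mac-address and
system-name formats, and the mac-address sectioning, delimiter, uppercase and
password-with-mac options. Function names are this example's own.
"""
import re


def parse_mac(mac_hhh: str) -> str:
    """Turn a MAC in the H-H-H format used by this reference (e.g. 1-2c-3)
    into 12 lowercase hex digits, zero-padding each section to 4 digits."""
    parts = mac_hhh.lower().split("-")
    if len(parts) != 3 or not all(re.fullmatch(r"[0-9a-f]{1,4}", p) for p in parts):
        raise ValueError(f"not an H-H-H MAC address: {mac_hhh}")
    return "".join(p.zfill(4) for p in parts)


def format_mac(mac_hhh: str, sections: str = "one-section",
               delimiter: str = "hyphen", uppercase: bool = False) -> str:
    """Apply the one-section / six-section / three-section layout and delimiter."""
    digits = parse_mac(mac_hhh)
    sep = {"colon": ":", "hyphen": "-"}[delimiter]
    if sections == "one-section":
        out = digits
    elif sections == "six-section":
        out = sep.join(digits[i:i + 2] for i in range(0, 12, 2))
    elif sections == "three-section":
        out = sep.join(digits[i:i + 4] for i in range(0, 12, 4))
    else:
        raise ValueError(f"unknown section layout: {sections}")
    return out.upper() if uppercase else out


def static_user_credentials(sysname, ip, mac_hhh, name_format=None,
                            mac_format=None, configured_password=None):
    """Return (username, password) the access device would send to the server.

    name_format: None for the default SysnameIP, or 'ip-address',
    'mac-address', 'system-name'.
    mac_format: options for format_mac plus 'password_with_mac'; when set it
    takes priority over name_format and the configured password, as the
    usage guidelines state.
    """
    password = configured_password
    if mac_format is not None:
        opts = dict(mac_format)
        with_mac = opts.pop("password_with_mac", False)
        username = format_mac(mac_hhh, **opts)
        if with_mac:
            password = username
    elif name_format == "ip-address":
        username = ip
    elif name_format == "mac-address":
        # assumed layout (lowercase one-section); the page does not state it
        username = format_mac(mac_hhh)
    elif name_format == "system-name":
        username = sysname[:16]       # only the first 16 characters are used
    else:
        # default SysnameIP, e.g. device test and user 1.1.1.1 give test1.1.1.1
        username = sysname[:16] + ip
    return username, password
```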

Examples

# Configure static users to use six-section MAC addresses as their usernames for authentication. Letters in the MAC addresses are in upper case and the sections in the MAC addresses are separated by hyphen (-). The MAC addresses of static users are also used as their passwords.

<Sysname> system-view

[Sysname] port-security static-user user-name-format mac-address six-section delimiter hyphen uppercase password-with-mac

Related commands

display port-security static-user

port-security timer

Use port-security timer to set port security timers.

Use undo port-security timer to restore the default.

Syntax

port-security timer { reauth-period { auth-fail-domain | preauth-domain } | user-aging { auth-fail-domain | critical-domain | preauth-domain } } time-value

undo port-security timer { reauth-period { auth-fail-domain | preauth-domain } | user-aging { auth-fail-domain | critical-domain | preauth-domain } }

Default

The period for the periodic reauthentication timer is 600 seconds. The period for the user aging timer is 23 hours.

Views

System view

Predefined user roles

network-admin

Parameters

reauth-period: Specifies the periodic reauthentication timer.

preauth-domain: Specifies the preauthentication domain.

auth-fail-domain: Specifies the Auth-Fail domain.

critical-domain: Specifies the critical domain.

user-aging: Sets the user aging timer.

time-value: Specifies the timer period as an integer. The value for the periodic reauthentication period is 0 or in the range of 30 to 7200, in seconds. Value 0 indicates that periodic reauthentication is disabled. The value for the user aging period is 0 or in the range of 60 to 4294860, in seconds. Value 0 indicates that the specified users will not age out.

Usage guidelines

If the periodic reauthentication period (reauth-period) is not 0, periodic reauthentication is enabled. The device initiates reauthentication for online users on a port at intervals as configured.

If the user aging period (user-aging) is not 0 for a specific domain, user entries in the domain will age out. When the aging timer expires, the users will leave the specified domain.

The periodic reauthentication period does not take effect on Web authentication users.

The users that are allowed to stay online by the authen-radius-recover online command are controlled by the user aging timer in the critical domain. When the user aging timer expires, the users will go offline. For more information about the authen-radius-recover online command, see "AAA commands."

Examples

# Set the user aging period to 60 seconds for users in the preauthentication domain.

<Sysname> system-view

[Sysname] port-security timer user-aging preauth-domain 60

Related commands

display port-security

authen-radius-recover online

port-security timer autolearn aging

Use port-security timer autolearn aging to set the secure MAC aging timer.

Use undo port-security timer autolearn aging to restore the default.

Syntax

port-security timer autolearn aging [ second ] time-value

undo port-security timer autolearn aging

Default

Secure MAC addresses do not age out.

Views

System view

Predefined user roles

network-admin

Parameters

second: Specifies the aging timer in seconds for secure MAC addresses. If you do not specify this keyword, the command sets the aging timer in minutes for secure MAC addresses.

time-value: Specifies the aging timer. The value range is 0 to 129600 if the unit is minute. To disable the aging timer, set the timer to 0. The value range is 10 to 7776000 if the unit is second.

Usage guidelines

The timer applies to all sticky secure MAC addresses and those automatically learned by a port.

The effective aging timer varies by the aging timer setting:

·     If the aging timer is set in seconds, the effective aging timer can be either of the following values:

¡     The nearest multiple of 30 seconds to the configured aging timer if the configured timer is not less than 60 seconds. The effective aging timer is not less than the configured aging timer.

¡     The configured aging timer if the configured timer is less than 60 seconds.

·     If the aging timer is set in minutes, the effective aging timer is the configured aging timer.

A short aging time improves port access security and port resource utilization but affects online user stability. Set an appropriate secure MAC address aging timer according to your device performance and the network environment.

When a short aging time (less than 60 seconds) works with inactivity aging, do not assign a large value to the maximum number of secure MAC addresses on a port. A large value in this case might affect device performance.
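The effective-timer rules above, applied in Python as an added example (not H3C code): range checks for each unit, the under-60-second case, and the round-up to a multiple of 30 seconds. Function names are this example's own.

```python
"""Effective secure MAC aging timer (added example, not H3C code).

Applies the rules for port-security timer autolearn aging: minute values 0 to
129600 take effect as configured (0 disables aging); second values 10 to
7776000 take effect as configured below 60 seconds and are otherwise rounded
up to a multiple of 30 seconds. Function names are this example's own.
"""


def is_valid_autolearn_aging(time_value: int, in_seconds: bool = False) -> bool:
    """Check time-value against the value range for the chosen unit."""
    if in_seconds:
        return 10 <= time_value <= 7776000
    return 0 <= time_value <= 129600


def effective_autolearn_aging(time_value: int, in_seconds: bool = False) -> int:
    """Return the effective aging timer in seconds; 0 means no aging."""
    if not is_valid_autolearn_aging(time_value, in_seconds):
        raise ValueError("time-value out of range for the selected unit")
    if not in_seconds:
        return time_value * 60   # minutes: effective timer equals the configured timer
    if time_value < 60:
        return time_value        # short second values are used as configured
    # round up to the next multiple of 30 so the effective timer is never
    # shorter than the configured timer
    return -(-time_value // 30) * 30
```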

Examples

# Set the secure MAC aging timer to 30 minutes.

<Sysname> system-view

[Sysname] port-security timer autolearn aging 30

# Set the secure MAC aging timer to 50 seconds.

<Sysname> system-view

[Sysname] port-security timer autolearn aging second 50

Related commands

display port-security

port-security mac-address security

port-security timer blockmac

Use port-security timer blockmac to set the block timer for MAC addresses in the blocked MAC address list.

Use undo port-security timer blockmac to restore the default.

Syntax

port-security timer blockmac time-value

undo port-security timer blockmac

Default

The block timer for blocked MAC addresses is 180 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Sets a timer value in the range of 1 to 3600 seconds.

Usage guidelines

Use the block timer in conjunction with the intrusion protection action that blocks the source MAC addresses of illegal frames.

The block timer sets the amount of time that a MAC address must remain in the blocked MAC address list before it is unblocked.

Examples

# Configure the intrusion protection action on Ten-GigabitEthernet 1/0/1 as blocking source MAC addresses of illegal frames, and set the block timer to 60 seconds.

<Sysname> system-view

[Sysname] port-security timer blockmac 60

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security intrusion-mode blockmac

Related commands

display port-security

port-security intrusion-mode

port-security timer disableport

Use port-security timer disableport to set the silence period during which the port remains disabled.

Use undo port-security timer disableport to restore the default.

Syntax

port-security timer disableport time-value

undo port-security timer disableport

Default

The port silence period is 20 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the silence period in seconds during which the port remains disabled. The value is in the range of 20 to 300.

Usage guidelines

If you configure the intrusion protection action as disabling the port temporarily, use this command to set the silence period.

Examples

# Configure the intrusion protection action on Ten-GigabitEthernet 1/0/1 as disabling the port temporarily, and set the port silence period to 30 seconds.

<Sysname> system-view

[Sysname] port-security timer disableport 30

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily

Related commands

display port-security

port-security intrusion-mode

port-security triple-auth-order mac-dot1x-web

Use port-security triple-auth-order mac-dot1x-web to configure the trigger order for authentication methods on a port as MAC authentication, 802.1X authentication, and Web authentication in a triple authentication environment.

Use undo port-security triple-auth-order to restore the default.

Syntax

port-security triple-auth-order mac-dot1x-web

undo port-security triple-auth-order

Default

In a triple authentication environment, the authentication that is triggered first depends on the type of packets sent from endpoints.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Usage guidelines

This command takes effect only on ports with triple authentication enabled. Triple authentication allows Web authentication, MAC authentication, and 802.1X authentication to be enabled concurrently on a Layer 2 port for user access. Different types of endpoint packets trigger different types of authentication first. For more information, see triple authentication in Security Configuration Guide.

To enable any endpoint packets to trigger MAC authentication first, use this command.

A port can run authentication processes concurrently for multiple authentication methods. The failure of one authentication does not affect the processes for other authentication methods. However, if an endpoint passes one authentication on a port, the device handles processes for other authentication methods on the port as follows:

·     If the endpoint passes MAC authentication, the device generates a MAC authentication user entry on the port and continues to perform 802.1X authentication for the endpoint on the port. However, the device cannot continue Web authentication for the endpoint on the port.

¡     If the endpoint passes 802.1X authentication after MAC authentication, the device generates an 802.1X user entry for the endpoint on the port. The 802.1X user entry overwrites the MAC authentication user entry.

¡     If the endpoint does not pass 802.1X authentication after MAC authentication, the MAC authentication user entry is retained on the port. The endpoint can trigger 802.1X authentication again, but it cannot trigger Web authentication.

·     If the endpoint fails MAC authentication but passes 802.1X or Web authentication, the device immediately stops all authentication methods on the port except the one the endpoint has passed. In addition, the device can no longer trigger authentication processes for the stopped authentication methods for the endpoint on the port.

This command causes users that are being authenticated to fail authentication. The users must retrigger authentication to come online. As a best practice to avoid users failing to come online, use this command with caution.

Examples

# Configure the trigger order for authentication methods on Ten-GigabitEthernet 1/0/1 as MAC authentication, 802.1X authentication, and Web authentication.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security triple-auth-order mac-dot1x-web

Related commands

mac-authentication

dot1x

web-auth enable

port-security url-unavailable domain

Use port-security url-unavailable domain to specify a domain for port security users redirected to an unavailable URL.

Use undo port-security url-unavailable domain to restore the default.

Syntax

port-security url-unavailable domain isp-name

undo port-security url-unavailable domain

Default

No domain is specified for port security users redirected to an unavailable URL.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

Parameters

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

This command takes effect only on MAC authentication and Web authentication users.

During user authentication, if the Web server specified by the redirect URL is unavailable, users cannot be redirected to the Web authentication page on the Web server. As a result, the users cannot come online. To allow users to access the resources in an ISP domain when the redirect URL is unavailable, use this command to specify that ISP domain for the users.

The configuration for this command is mutually exclusive with the following 802.1X, MAC authentication, and Web authentication settings:

·     Guest VLAN and VSI settings.

·     Auth-Fail VLAN and VSI settings.

·     Critical VLAN and VSI settings.

Examples

# On Ten-GigabitEthernet 1/0/1, specify domain bbb for port security users redirected to an unavailable URL.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 1/0/1

[Sysname-Ten-GigabitEthernet1/0/1] port-security url-unavailable domain bbb

Related commands

display port-security

reset port-security static-user

Use reset port-security static-user to log off online static users.

Syntax

reset port-security static-user [ interface interface-type interface-number | { ip | ipv6 } ip-address | mac mac-address | online-type { auth-fail-domain | critical-domain | preauth-domain | success } | user-name user-name ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

{ ip | ipv6 } ip-address: Specifies an online static user by its IP address. If the static user has an IPv4 address, specify the ip keyword and use the ip-address argument to specify the IPv4 address of the static user. If the static user has an IPv6 address, specify the ipv6 keyword and use the ip-address argument to specify the IPv6 address of the static user.

mac mac-address: Specifies an online static user by its MAC address. The mac-address argument represents the MAC address, in the format of H-H-H.

online-type: Specifies a type of online static users.

·     auth-fail-domain: Specifies online static users in the Auth-Fail domain.

·     critical-domain: Specifies online static users in the critical domain.

·     preauth-domain: Specifies online static users in the preauthentication domain.

·     success: Specifies online static users that have passed authentication.

user-name user-name: Specifies an online static user by its username, a case-sensitive string of 1 to 253 characters.

Usage guidelines

If you do not specify any parameters, this command logs off all online static users.

Examples

# Log off all online static users on Ten-GigabitEthernet 1/0/1.

<Sysname> reset port-security static-user interface ten-gigabitethernet 1/0/1

Related commands

display port-security static-user

reset port-security statistics

Use reset port-security statistics to clear port security statistics.

Syntax

reset port-security statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear port security statistics.

<Sysname> reset port-security statistics

Related commands

display port-security statistics

snmp-agent trap enable port-security

Use snmp-agent trap enable port-security to enable SNMP notifications for port security.

Use undo snmp-agent trap enable port-security to disable SNMP notifications for port security.

Syntax

snmp-agent trap enable port-security [ address-learned | dot1x-failure | dot1x-logoff | dot1x-logon | intrusion | mac-auth-failure | mac-auth-logoff | mac-auth-logon ] *

undo snmp-agent trap enable port-security [ address-learned | dot1x-failure | dot1x-logoff | dot1x-logon | intrusion | mac-auth-failure | mac-auth-logoff | mac-auth-logon ] *

Default

All port security SNMP notifications are disabled.

Views

System view

Predefined user roles

network-admin

Parameters

address-learned: Specifies notifications about MAC address learning.

dot1x-failure: Specifies notifications about 802.1X authentication failures.

dot1x-logoff: Specifies notifications about 802.1X user logoffs.

dot1x-logon: Specifies notifications about 802.1X authentication successes.

intrusion: Specifies notifications about illegal frame detection.

mac-auth-failure: Specifies notifications about MAC authentication failures.

mac-auth-logoff: Specifies notifications about MAC authentication user logoffs.

mac-auth-logon: Specifies notifications about MAC authentication successes.

Usage guidelines

To report critical port security events to an NMS, enable SNMP notifications for port security. For port security event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

If you do not specify a notification, this command enables all SNMP notifications for port security.

For the intrusion keyword to take effect, make sure the intrusion protection feature is configured by using the port-security intrusion-mode command.

Examples

# Enable SNMP notifications about MAC address learning.

<Sysname> system-view

[Sysname] snmp-agent trap enable port-security address-learned
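# As an added example that is not part of the H3C reference, the following sequence enables the intrusion and address-learned notifications together with the intrusion protection that the intrusion keyword depends on, and points the notifications at an NMS. The NMS address 192.0.2.10 and the community name public are placeholders, and the snmp-agent host and community commands are assumed from the separate SNMP configuration guide rather than taken from this page.

```text
# Added example (placeholders: NMS 192.0.2.10, community "public")
<Sysname> system-view
# Port security must be enabled globally before port-level settings take effect.
[Sysname] port-security enable
[Sysname] interface ten-gigabitethernet 1/0/1
# Limit the port to one secure MAC address so a second source MAC is treated as illegal.
[Sysname-Ten-GigabitEthernet1/0/1] port-security max-mac-count 1
[Sysname-Ten-GigabitEthernet1/0/1] port-security port-mode autolearn
# Intrusion protection is the prerequisite for the intrusion notification.
[Sysname-Ten-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
[Sysname-Ten-GigabitEthernet1/0/1] quit
# Re-enable a port disabled by intrusion protection after 60 seconds.
[Sysname] port-security timer disableport 60
# Minimal SNMP setup so notifications can actually be delivered (assumed commands).
[Sysname] snmp-agent
[Sysname] snmp-agent sys-info version v2c
[Sysname] snmp-agent community read public
[Sysname] snmp-agent target-host trap address udp-domain 192.0.2.10 params securityname public v2c
# Enable only the two port security notification types of interest.
[Sysname] snmp-agent trap enable port-security intrusion address-learned
# Verify the port-level settings that the notifications depend on.
[Sysname] display port-security interface ten-gigabitethernet 1/0/1
```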

Related commands

display port-security

port-security enable
