09-Security Command Reference

06-Port security commands

Contents

Port security commands

display port-security

display port-security access-user

display port-security authentication-profile

display port-security mac-address block

display port-security mac-address security

display port-security static-user

display port-security static-user connection

display port-security statistics

port-security access-user log enable

port-security authentication open

port-security authentication open global

port-security authentication-profile

port-security authentication-profile name

port-security authorization ignore

port-security authorization-fail offline

port-security auth-order

port-security enable

port-security free-vlan

port-security intrusion-mode

port-security link-down action

port-security mac-address aging-type inactivity

port-security mac-address dynamic

port-security mac-address security

port-security mac-limit

port-security mac-move bypass-vlan-check

port-security mac-move permit

port-security max-mac-count

port-security nas-id-profile

port-security ntk-mode

port-security oui

port-security packet-detect arp-source-ip factor

port-security port-mode

port-security pre-auth domain

port-security reauth-trigger server-reachable

port-security re-authenticate max-attempt

port-security single-access enable

port-security static-user

port-security static-user match-mac acl

port-security static-user max-user

port-security static-user password

port-security static-user timer detect-period

port-security static-user timer offline-detect

port-security static-user update-ip enable

port-security static-user user-name-format

port-security static-user user-name-format mac-address

port-security timer

port-security timer autolearn aging

port-security timer blockmac

port-security timer disableport

port-security topology-change detect-period

port-security topology-change detect-retry

port-security topology-change free-mac-move

port-security triple-auth-order mac-dot1x-web

port-security url-unavailable domain

reset port-security static-user

reset port-security statistics

snmp-agent trap enable port-security

 


Port security commands

display port-security

Use display port-security to display port security configuration, operation information, and statistics for ports.

Syntax

display port-security [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays port security information for all ports.

Usage guidelines

After a port is bound to a port security authentication profile, the port uses the configuration of the bound profile to authenticate access users. For settings that exist in both interface view and port security authentication profile view, the settings configured in interface view do not take effect on a bound port, whether or not the same settings are also configured in the profile.

Examples

# Display port security information for all ports.

<Sysname> display port-security

Global port security parameters:

   Port security                           : Enabled

   AutoLearn aging time                    : 0 min

   Disableport timeout                     : 20 sec

   Blockmac timeout                        : 180 sec

   MAC move                                : Denied

   Authorization fail                      : Online

   NAS-ID profile                          : Not configured

   Dot1x-failure trap                      : Disabled

   Dot1x-logon trap                        : Disabled

   Dot1x-logoff trap                       : Enabled

   Intrusion trap                          : Disabled

   Intrusion-recover trap                  : Disabled

   Address-learned trap                    : Enabled

   Mac-auth-failure trap                   : Disabled

   Mac-auth-logon trap                     : Enabled

   Mac-auth-logoff trap                    : Disabled

   Mac-auth-not-support trap               : Disabled

   AC-creation-failure trap                : Disabled

   ACL-author-failure trap                 : Disabled

   ACL-author-success trap                 : Disabled

   URL-author-failure trap                 : Disabled

   URL-author-success trap                 : Disabled

   NTK-ineffective trap                    : Disabled

   Port-mode-ineffective trap              : Disabled

   Open authentication                     : Disabled

   Traffic-statistics                      : Disabled

   User aging period for preauth domain    : 82800 sec

   User aging period for Auth-Fail domain  : 82800 sec

   User aging period for critical domain   : 82800 sec

   Reauth period for preauth domain        : 600 sec

   Reauth period for Auth-Fail domain      : 600 sec

   MAC move for topology change protection : Denied

     Topology change detection period      : 5 sec

     Max detection attempts                : 3

   OUI value list                          :

    Index :  1           Value : 123401

 

 GigabitEthernet1/0/1 is link-up

   Authentication profile                      : p1

   Port mode                                   : userLogin

   Pre-auth domain                             : test

   URL-unavailable domain                      : domain1

   NeedToKnow mode                             : Disabled

   Intrusion protection mode                   : NoAction

   Security MAC address attribute

       Learning mode                           : Sticky

       Aging type                              : Periodical

   Max secure MAC addresses                    : 32

   Current secure MAC addresses                : 0

   Authorization                               : Permitted

   NAS-ID profile                              : Not configured

   Free VLANs                                  : Not configured

   Open authentication                         : Disabled

   MAC-move VLAN check bypass                  : Disabled

   Reauth max-attempts

       preauth domain                          : 10

       Auth-Fail domain                        : 0

   Server-reachable reauth

       preauth domain                          : Enabled

       Auth-Fail domain                        : Disabled

Table 1 Command output

Field

Description

Port security

Whether the port security feature is enabled.

AutoLearn aging time

Sticky MAC address aging timer, in minutes or seconds.

Disableport timeout

Silence period (in seconds) of the port that receives illegal packets.

Blockmac timeout

Block timer (in seconds) for MAC addresses in the blocked MAC address list.

MAC move

Status of MAC move:

·     Both port move and VLAN move are permitted.

·     Denied.

·     Only port move is permitted.

·     Only VLAN move is permitted.

Authorization fail

Action to be taken for users that fail authorization:

·     Online—Allows the users to go online.

·     Offline—Logs off the users.

NAS-ID profile

NAS-ID profile applied globally.

Dot1x-failure trap

Whether SNMP notifications for 802.1X authentication failures are enabled.

Dot1x-logon trap

Whether SNMP notifications for 802.1X authentication successes are enabled.

Dot1x-logoff trap

Whether SNMP notifications for 802.1X authenticated user logoffs are enabled.

Intrusion trap

Whether SNMP notifications for intrusion protection are enabled. If they are enabled, the device sends SNMP notifications after illegal packets are detected.

Intrusion-recover trap

Whether SNMP notifications are enabled when the MAC address block timer or port silence period for the intrusion protection action times out and the intrusion protection action recovers.

Address-learned trap

Whether SNMP notifications for MAC address learning are enabled. If they are enabled, the device sends SNMP notifications after it learns a new MAC address.

Mac-auth-failure trap

Whether SNMP notifications for MAC authentication failures are enabled.

Mac-auth-logon trap

Whether SNMP notifications for MAC authentication successes are enabled.

Mac-auth-logoff trap

Whether SNMP notifications for MAC authentication user logoffs are enabled.

Mac-auth-not-support trap

Whether SNMP notifications are enabled when an interface does not support enabling MAC authentication.

AC-creation-failure trap

Whether SNMP notifications are enabled for AC creation failures.

ACL-author-failure trap

Whether SNMP notifications are enabled for ACL authorization failures.

ACL-author-success trap

Whether SNMP notifications are enabled for ACL authorization successes.

URL-author-failure trap

Whether SNMP notifications are enabled for URL authorization failures.

URL-author-success trap

Whether SNMP notifications are enabled for URL authorization successes.

NTK-ineffective trap

Whether SNMP notifications are enabled when the NTK feature does not take effect on an interface.

Port-mode-ineffective trap

Whether SNMP notifications are enabled when the port security mode does not take effect on an interface.

Open authentication

Whether global open authentication mode is enabled.

Traffic-statistics

This field is not supported in the current software version.

Whether traffic statistics is enabled for 802.1X and MAC authentication users.

User aging period for preauth domain

Aging time (in seconds) for users in the preauthentication domain.

User aging period for Auth-Fail domain

Aging time (in seconds) for users in the Auth-Fail domain.

User aging period for critical domain

Aging time (in seconds) for users in the critical domain.

Reauth period for preauth domain

Reauthentication period (in seconds) for users in the preauthentication domain.

Reauth period for Auth-Fail domain

Reauthentication period (in seconds) for users in the Auth-Fail domain.

MAC move for topology change protection

Whether to permit authenticated users to move between member ports in a TC group without being authenticated again when the network topology changes:

·     Denied.

·     Permitted.

Topology change detection period

Packet detection interval when the network topology changes, in seconds.

Max detection attempts

Maximum number of attempts for sending a detection packet when the network topology changes.

OUI value list

List of OUI values allowed for authentication.

Authentication profile

Security authentication profile bound to the port. If no security authentication profile is bound to the port, this field displays Not configured.

Port mode

Port security mode:

·     noRestrictions.

·     autoLearn.

·     macAddressWithRadius.

·     macAddressElseUserLoginSecure.

·     macAddressElseUserLoginSecureExt.

·     macAddressAndUserLoginSecureExt.

·     secure.

·     userLogin.

·     userLoginSecure.

·     userLoginSecureExt.

·     macAddressOrUserLoginSecure.

·     macAddressOrUserLoginSecureExt.

·     userLoginWithOUI.

For more information about port security modes, see Security Configuration Guide.

Pre-auth domain

Preauthentication domain for port security users.

URL-unavailable domain

Domain for users redirected to an unavailable URL.

NeedToKnow mode

Need to know (NTK) mode:

·     NeedToKnowOnly—Forwards only unicast frames with a known destination MAC address.

·     NeedToKnowWithBroadcast—Forwards only broadcast and unicast frames with a known destination MAC address.

·     NeedToKnowWithMulticast—Forwards only broadcast, multicast, and unicast frames with a known destination MAC address.

·     NeedToKnowAuto—Forwards only broadcast, multicast, and unicast frames with a known destination MAC address, and only when the port has online users.

·     Disabled—NTK is disabled.

Intrusion protection mode

Intrusion protection action:

·     BlockMacAddress—Adds the source MAC address of the illegal packet to the blocked MAC address list.

·     DisablePort—Shuts down the port that receives illegal packets permanently.

·     DisablePortTemporarily—Shuts down the port that receives illegal packets for some time.

·     NoAction—Does not perform intrusion protection.

Learning mode

Secure MAC address learning mode:

·     Dynamic.

·     Sticky.

Aging type

Secure MAC address aging type:

·     Periodical—Timer aging only.

·     Inactivity—Inactivity aging feature together with the aging timer.

Max secure MAC addresses

Maximum number of secure MAC addresses (or online users) that port security allows on the port.

Current secure MAC addresses

Number of secure MAC addresses stored.

Authorization

Whether the authorization information from the authentication server (RADIUS server or local device) is ignored:

·     Permitted—Authorization information from the authentication server takes effect.

·     Ignored—Authorization information from the authentication server does not take effect.

NAS-ID profile

NAS-ID profile applied to the port.

Free VLANs

VLANs in which packets will not trigger authentication.

If you do not configure free VLANs, this field displays Not configured.

Open authentication

Whether open authentication mode is enabled on the port.

MAC-move VLAN check bypass

Whether the VLAN check bypass feature is enabled for users moving to the port from other ports.

Reauth max-attempts

Maximum number of user reauthentication attempts.

·     preauth domain—Maximum number of reauthentication attempts for users in the preauthentication domain.

·     Auth-Fail domain—Maximum number of reauthentication attempts for users in the Auth-Fail domain.

Server-reachable reauth

Whether the device immediately triggers reauthentication for users when the authentication server becomes reachable.

·     preauth domain—Whether the device immediately triggers reauthentication for users in the preauthentication domain when the authentication server becomes reachable.

·     Auth-Fail domain—Whether the device immediately triggers reauthentication for users in the Auth-Fail domain when the authentication server becomes reachable.
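The fields above are what an operator reads by eye, but on a switch estate they are also what a compliance check reads. The following Python is an added example (not H3C code): it parses the text layout shown in the example output into a global dictionary plus one dictionary per interface, then flags settings that weaken enforcement or visibility (authorization failures kept online, intrusion or MAC-auth failure traps disabled, NoAction intrusion protection, NTK disabled, a full secure MAC table). The sample text is a constructed, abridged copy of the page's output, and the audit thresholds are this example's own assumptions rather than vendor guidance.

```python
"""Parse `display port-security` output and flag settings a defender would review.

Added example (not H3C code). The sample text below is constructed in the shape of
the output shown on this page; the audit rules are this example's own assumptions.
"""
import re

# Constructed sample: an abridged copy of the page's example output.
SAMPLE_OUTPUT = """\
Global port security parameters:
   Port security                           : Enabled
   AutoLearn aging time                    : 0 min
   Disableport timeout                     : 20 sec
   Blockmac timeout                        : 180 sec
   MAC move                                : Denied
   Authorization fail                      : Online
   Intrusion trap                          : Disabled
   Mac-auth-failure trap                   : Disabled
   Open authentication                     : Disabled

 GigabitEthernet1/0/1 is link-up
   Authentication profile                      : p1
   Port mode                                   : userLogin
   NeedToKnow mode                             : Disabled
   Intrusion protection mode                   : NoAction
   Security MAC address attribute
       Learning mode                           : Sticky
       Aging type                              : Periodical
   Max secure MAC addresses                    : 32
   Current secure MAC addresses                : 0
   Authorization                               : Permitted
   Open authentication                         : Disabled
"""

# A per-port section starts with "<interface> is link-up|link-down".
PORT_HEADER = re.compile(r"^\s*(\S+) is (link-up|link-down)\s*$")


def parse_port_security(text):
    """Return (global_params, ports): global 'Field : Value' pairs and per-port dicts."""
    global_params, ports = {}, {}
    current = global_params
    for line in text.splitlines():
        m = PORT_HEADER.match(line)
        if m:
            current = ports.setdefault(m.group(1), {"link": m.group(2)})
            continue
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue  # sub-headers like "Security MAC address attribute" carry no value
        current[key.strip()] = value.strip()
    return global_params, ports


def audit(global_params, ports):
    """Return (scope, finding) pairs for settings that weaken enforcement or visibility."""
    findings = []
    if global_params.get("Port security") != "Enabled":
        findings.append(("global", "port security is disabled"))
    if global_params.get("Authorization fail") == "Online":
        findings.append(("global", "users that fail authorization are kept online"))
    for trap in ("Intrusion trap", "Mac-auth-failure trap"):
        if global_params.get(trap) == "Disabled":
            findings.append(("global", f"{trap} is disabled: no SNMP notification on that event"))
    for name, port in ports.items():
        if port.get("Intrusion protection mode") == "NoAction":
            findings.append((name, "intrusion protection takes no action on illegal frames"))
        if port.get("NeedToKnow mode") == "Disabled":
            findings.append((name, "NTK disabled: outbound frames are not limited to known destinations"))
        limit = int(port.get("Max secure MAC addresses", "0"))
        used = int(port.get("Current secure MAC addresses", "0"))
        if limit and used >= limit:
            findings.append((name, f"secure MAC table full ({used}/{limit})"))
    return findings


if __name__ == "__main__":
    g, p = parse_port_security(SAMPLE_OUTPUT)
    for scope, msg in audit(g, p):
        print(f"{scope}: {msg}")
```

Run against the page's own example, the audit reports five findings: the global Authorization fail = Online setting, two disabled traps, and the NoAction intrusion mode and disabled NTK on GigabitEthernet1/0/1. Feed it the saved output of the command from each switch and diff the findings over time to catch configuration drift.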

display port-security access-user

Use display port-security access-user to display entries for port security access users.

Syntax

display port-security access-user [ access-type { dot1x | mac-auth | web-auth | static } | domain domain-name | online-type { auth-fail-domain | critical-domain | preauth-domain | success | url-unavailable-domain } | slot slot-number ] * [ brief ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

access-type: Specifies an access type.

·     dot1x: Specifies 802.1X authentication.

·     mac-auth: Specifies MAC authentication.

·     web-auth: Specifies Web authentication.

·     static: Specifies static access.

domain isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The ISP domain name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

online-type: Specifies a type of port security access users.

·     auth-fail-domain: Specifies port security access users in the Auth-Fail domain.

·     critical-domain: Specifies port security access users in the critical domain.

·     preauth-domain: Specifies port security access users in the preauthentication domain.

·     success: Specifies port security access users that have passed authentication.

·     url-unavailable-domain: Specifies port security access users assigned to the URL-unavailable domain when the redirect URL is unavailable.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify an IRF member device, this command displays entries for port security access users on all IRF member devices.

brief: Displays brief information about access users. If you do not specify this keyword, the command displays detailed information about access users.

Usage guidelines

For more information about the Auth-Fail domain and critical domain, see AAA configuration in Security Configuration Guide.

If you do not specify any parameters, this command displays entries for all port security access users.

Examples

# Display detailed information for port security access users in ISP domain test.

<Sysname> display port-security access-user domain test

Total access users: 2

 

Username                            : aaa

IP address                         : 10.12.12.254

IPv6 address                       : 2:1::3

MAC address                        : 00e0-fcc2-0175

State                               : Preauth domain

Authentication result            : Unauthenticated

Access type                        : 802.1X authentication

Authentication domain            : abc

 

Username                            : abc

IP address                         : 10.12.12.257

IPv6 address                       : 2:1::4

MAC address                        : 00e0-fcc2-0152

State                               : Successful

Authentication result            : Authentication succeeded

Access type                        : Static user access

Authentication domain            : abc

# Display detailed information for port security access users in the preauthentication domain.

<Sysname> display port-security access-user online-type preauth-domain

Total access users: 1

 

Username                            : aaa

IP address                         : 10.12.12.254

IPv6 address                       : 2:1::4

MAC address                        : 00e0-fcc2-0175

State                               : Preauth domain

Authentication result            : Unauthenticated

Access type                        : 802.1X authentication

Authentication domain            : abc

Table 2 Command output

Field

Description

Total access users

Total number of access users.

Username

Name of the access user.

IP address

IP address of the access user.

IPv6 address

IPv6 address of the access user.

MAC address

MAC address of the access user.

State

Access user state:

·     Critical domain—The user is in the critical domain.

·     Auth-Fail domain—The user is in the Auth-Fail domain.

·     Preauth domain—The user is in the preauthentication domain.

·     Successful—The user passes authentication.

·     Open—The user has come online by using a non-existent username or incorrect password to pass open authentication.

Authentication result

Authentication result of the access user:

·     Unauthenticated.

·     Authentication succeeded.

·     Authentication failed.

·     AAA server unavailable.

·     URL unavailable.

Access type

Access authentication method:

·     802.1X authentication.

·     MAC authentication.

·     Web authentication.

·     Static user access.

Authentication domain

ISP domain in which the user was authenticated.

# Display brief information for port security access users in authentication domain test.

<Sysname> display port-security access-user domain test brief

Total access users: 2

Username   IP address     MAC address     State        Access type

aaa         10.12.12.254   00e0-fcc2-0175  Preauth      802.1X

bbb         2:1::3          00e0-fcc2-0172  Preauth      MAC-auth

Table 3 Command output

Field

Description

IP address

IP address of the access user. If the user has both an IPv4 address and an IPv6 address, this field displays only the IPv4 address. If the user has only an IPv6 address, this field displays the IPv6 address.

State

Access user state:

·     Critical—The user is in the critical domain.

·     Auth-Fail—The user is in the Auth-Fail domain.

·     Preauth—The user is in the preauthentication domain.

·     Successful—The user passes authentication.

Access type

Access authentication method:

·     802.1X—802.1X authentication.

·     MAC-auth—MAC authentication.

·     Web-auth—Web authentication.

·     Static—Static user access.
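Sessions in the Preauth, Auth-Fail or critical domain are online without a successful authentication, which is exactly the population an operator wants to enumerate when a RADIUS outage or a misconfigured supplicant is suspected. The following Python is an added example (not H3C code) that parses the detailed output format shown in Table 2, where each user is a blank-line-separated block of "Field : Value" lines, and reports the users whose State is not Successful together with a count per state. The sample text is constructed in the shape of the page's output (with a valid IPv4 address substituted in the second entry).

```python
"""Parse `display port-security access-user` (detailed form) and list sessions that are
online without a successful authentication.

Added example, not H3C code. The sample output is constructed after the page's example.
"""
from collections import Counter

SAMPLE_OUTPUT = """\
Total access users: 2

Username                            : aaa
IP address                         : 10.12.12.254
IPv6 address                       : 2:1::3
MAC address                        : 00e0-fcc2-0175
State                               : Preauth domain
Authentication result            : Unauthenticated
Access type                        : 802.1X authentication
Authentication domain            : abc

Username                            : abc
IP address                         : 10.12.12.253
IPv6 address                       : 2:1::4
MAC address                        : 00e0-fcc2-0152
State                               : Successful
Authentication result            : Authentication succeeded
Access type                        : Static user access
Authentication domain            : abc
"""


def parse_access_users(text):
    """Return (declared_total, users); users is a list of dicts, one per block."""
    declared, users, current = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # blank line ends the current user block
            continue
        # partition on the FIRST colon only: field names contain none, IPv6 values do
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Total access users":
            declared = int(value)
            continue
        if key == "Username":
            current = {}
            users.append(current)
        if current is not None:
            current[key] = value
    return declared, users


def not_yet_authenticated(users):
    """Sessions whose State is anything other than Successful (preauth, Auth-Fail,
    critical domain, or open authentication)."""
    return [u for u in users if u.get("State") != "Successful"]


def state_summary(users):
    """Count of access users per State value."""
    return Counter(u.get("State", "unknown") for u in users)


def count_is_consistent(text):
    """True when the 'Total access users' header matches the number of parsed blocks."""
    declared, users = parse_access_users(text)
    return declared == len(users)


if __name__ == "__main__":
    _, users = parse_access_users(SAMPLE_OUTPUT)
    print(dict(state_summary(users)))
    for u in not_yet_authenticated(users):
        print(f"{u['Username']} {u['MAC address']} {u['State']} ({u['Authentication result']})")
```

The consistency check matters when output is collected over a paging terminal or a scripted session: a header count that does not match the number of blocks means the capture was truncated, not that users disappeared.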

display port-security authentication-profile

Use display port-security authentication-profile to display configuration information for port security authentication profiles.

Syntax

display port-security authentication-profile [ name profile-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name profile-name: Specifies a port security authentication profile by its name. The profile-name argument represents the profile name, a case-insensitive string of 1 to 31 characters. If you do not specify this option, the command displays brief configuration information for all port security authentication profiles.

Usage guidelines

After completing the configuration of port security authentication profiles, you can use this command to check whether the configuration of the port security authentication profiles is correct.

Examples

# Display configuration information for all port security authentication profiles.

<Sysname> display port-security authentication-profile

Total number: 2

Auth-profile      802.1x acc-profile      MAC acc-profile

aaa1                bbb1                      ccc1

aaa2                bbb2                      ccc2

# Display configuration information for port security authentication profile auth1.

<Sysname> display port-security authentication-profile name auth1

802.1x access profile               : d1

MAC-authentication access profile   : m1

Authentication order                : dot1x-mac

Multi-authentication                : Disabled

Parallel-authentication             : Enabled

Pre-auth domain                     : test

URL-unavailable domain             : domain1

MAC-move VLAN check bypass        : Disabled

Link down action                    : Offline after a delay (10 sec)

 

Total interfaces bound to the profile: 3

   gigabitethernet 1/0/1

   gigabitethernet 1/0/2

   gigabitethernet 1/0/3

Table 4 Command output

Field

Description

Auth-profile

Port security authentication profile.

802.1x acc-profile

802.1X access profile.

MAC acc-profile

MAC authentication access profile.

802.1x access profile

802.1X access profile bound to the port security authentication profile.

MAC-authentication access profile

MAC authentication access profile bound to the port security authentication profile.

Authentication order

Port security authentication mode.

Multi-authentication

Status of the multi-authentication feature.

·     Enabled.

·     Disabled.

Parallel-authentication

Status of the parallel 802.1X and MAC authentication processing feature.

·     Enabled.

·     Disabled.

Pre-auth domain

Domain used by users before performing port security authentication.

URL-unavailable domain

Domain used when the port security authentication URL is unreachable.

MAC-move VLAN check bypass

Status of VLAN check bypass during MAC move.

·     Enabled.

·     Disabled.

Link down action

Action to take on online users when the interface goes down. Options include:

·     Keep online.

·     Offline.

·     Offline after a delay (XX sec).

Total interfaces bound to the profile

Total number of interfaces bound to the port security authentication profile.

display port-security mac-address block

Use display port-security mac-address block to display information about blocked MAC addresses.

Syntax

display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies a VLAN by its ID. The value range is 1 to 4094.

count: Displays only the count of the blocked MAC addresses.

Usage guidelines

If you do not specify any parameters, this command displays information about all blocked MAC addresses.

Examples

# Display information about all blocked MAC addresses.

<Sysname> display port-security mac-address block

 MAC ADDR              Port                        VLAN ID

000f-3d80-0d2d       GE1/0/1                    30

 

 --- On slot 1, 1 MAC address(es) found ---

 

 --- 1 mac address(es) found ---

# Display the count of all blocked MAC addresses.

<Sysname> display port-security mac-address block count

 

--- On slot 1, 1 MAC address(es) found ---

 

--- 1 mac address(es) found ---

Table 5 Command output

Field

Description

MAC ADDR

Blocked MAC address.

Port

Port that received frames whose source address is the blocked MAC address.

VLAN ID

ID of the VLAN to which the port belongs.

number mac address(es) found

Number of blocked MAC addresses.

 

Related commands

port-security intrusion-mode

display port-security mac-address security

Use display port-security mac-address security to display information about secure MAC addresses.

Syntax

display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies a VLAN by its ID. The value range is 1 to 4094.

count: Displays only the count of the secure MAC addresses.

Usage guidelines

Secure MAC addresses are those that are automatically learned by the port in autoLearn mode or configured by the port-security mac-address security command.

If you do not specify any parameters, this command displays information about all secure MAC addresses.

Examples

# Display information about all secure MAC addresses.

<Sysname> display port-security mac-address security

 MAC ADDR         VLAN ID  STATE          PORT INDEX                     AGING TIME

0002-0002-0002  1         Secure         GE1/0/1                         Not aged

 

 --- Number of secure MAC addresses: 1 ---

# Display only the count of the secure MAC addresses.

<Sysname> display port-security mac-address security count

 

--- Number of secure MAC addresses: 1 ---

Table 6 Command output

Field

Description

MAC ADDR

Secure MAC address.

VLAN ID

ID of the VLAN to which the port belongs.

STATE

Type of the MAC address. This field displays Secure for a secure MAC address.

PORT INDEX

Port to which the secure MAC address belongs.

AGING TIME

The remaining amount of time before the secure MAC address ages out.

·     If the secure MAC address is a static MAC address, this field displays Not aged.

·     If the secure MAC address is a sticky MAC address, this field displays the remaining lifetime. If the remaining lifetime is less than 60 seconds, the lifetime is counted in seconds. If the lifetime is not less than 60 seconds, the lifetime is counted in minutes. By default, sticky MAC addresses do not age out, and this field displays Not aged.

Number of secure MAC addresses

Number of secure MAC addresses stored.

 

Related commands

port-security mac-address security

display port-security static-user

Use display port-security static-user to display static user configuration information.

Syntax

display port-security static-user [ domain isp-name | interface interface-type interface-number | { ip | ipv6 } start-ip-address [ end-ip-address ] | vpn-instance vpn-instance-name ] *

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

domain isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The ISP domain name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

interface interface-type interface-number: Specifies an interface by its type and number.

ip: Specifies a static user range by its IPv4 address range.

ipv6: Specifies a static user range by its IPv6 address range.

start-ip-address [ end-ip-address ]: Specifies the IP address range of the static user range. The start-ip-address argument represents the start IP address and the end-ip-address argument represents the end IP address. If you specify only the start IP address, the static user range contains only one static user and the start IP address is the IP address of the static user.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which static users belong. The vpn-instance-name argument represents the VPN instance name, which is a case-sensitive string of 1 to 31 characters. If the static users belong to the public network, do not specify this option.

Usage guidelines

If you do not specify any parameters, this command displays configuration information for all static users.

Examples

# Display configuration information for all static users.

<Sysname> display port-security static-user

 Global Static-user parameters:

   Static user IP update              : Disabled

   Offline detect timer               : 300 seconds

   ARP detect period                  : 200 seconds

   ACL number for matching MAC addresses   : 4000

 

 GigabitEthernet1/0/1 is link-up

   Static user max-user              : 4294967295

 

Start IPv4 address           : 10.1.1.6

End IPv4 address             : 10.1.1.8

Interface                    : GE1/0/1

MAC address                  : 00e0-fc12-3456

VPN instance                 : N/A

Domain name                  : local

VLAN ID                      : 10

ARP detection                : Disabled

Keep online                  : Disabled

 

Start IPv6 address           : 1:1::1:2

End IPv6 address             : 1:1::1:4

Interface                    : GE1/0/1

MAC address                  : 00e0-fc12-1234

VPN instance                 : N/A

Domain name                  : local

VLAN ID                      : 10

ARP detection                : Disabled

Keep online                  : Disabled

Table 7 Command output

Field

Description

Static user IP update

State of static user IP update:

·     Enabled—Allows the device to update static user IP addresses.

·     Disabled—Prevents the device from updating static user IP addresses.

Offline detect timer

Offline detect period of static users, in seconds.

ARP detect period

ARP detection interval, in seconds.

ACL number for matching MAC addresses

Number of the ACL used to match the MAC addresses of static users.

If no ACL is configured, this field is not available.

Static user max-user

Maximum number of static users allowed on a port.

Start IPv4 address

Start IPv4 address of the IP address range for a static user range.

End IPv4 address

End IPv4 address of the IP address range for the static user range. If no end IPv4 address is configured, this field displays N/A.

Start IPv6 address

Start IPv6 address of the IP address range for a static user range.

End IPv6 address

End IPv6 address of the IP address range for the static user range. If no end IPv6 address is configured, this field displays N/A.

Interface

Interface through which the static user range comes online. If no access interface is configured, this field displays N/A.

MAC address

MAC address of the static user range. If no MAC address is configured, this field displays N/A.

VPN instance

VPN instance to which the static user range belongs. If no VPN instance is configured, this field displays N/A.

Domain name

ISP domain to which the static user range belongs. If no ISP domain is configured, this field displays N/A.

VLAN ID

VLAN to which the static user range belongs. If no VLAN is configured, this field displays N/A.

ARP detection

ARP detection state:

·     Enabled.

·     Disabled.

Keep online

State of the static user keep-online feature:

·     Enabled.

·     Disabled.

 

Related commands

port-security static-user

display port-security static-user connection

Use display port-security static-user connection to display information about online static users.

Syntax

display port-security static-user connection [ [ interface interface-type interface-number | online-type { auth-fail-domain | critical-domain | preauth-domain | success } | slot slot-number | user-name user-name ] | { ip | ipv6 } ip-address | mac mac-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

{ ip | ipv6 } ip-address: Specifies an online static user by its IP address. Use the ip keyword for an IPv4 address or the ipv6 keyword for an IPv6 address, and supply the address in the corresponding format as the ip-address argument.

mac mac-address: Specifies an online static user by its MAC address. The mac-address argument represents the MAC address, in the format of H-H-H.

online-type: Specifies a type of static users.

·     auth-fail-domain: Specifies static users in the Auth-Fail domain.

·     critical-domain: Specifies static users in the critical domain.

·     preauth-domain: Specifies static users in the preauthentication domain.

·     success: Specifies static users that have passed authentication.

user-name user-name: Specifies an online static user by its username, a case-sensitive string of 1 to 253 characters.

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify an IRF member device, the command displays information about online static users on all IRF member devices.

Usage guidelines

If you do not specify any parameters, this command displays information about all online static users.

Examples

# Display information about all online static users.

<Sysname> display port-security static-user connection

Total connections: 2

 

User MAC address: 0015-e9a6-7cfe

Access interface: GigabitEthernet1/0/1

Username: ias

User access state: Successful

Authentication domain: macusers

IPv4 address: 192.168.1.1

IPv6 address: 2000:0:0:0:1:2345:6789:abcd

IPv4 address source: User packet

IPv6 address source: User packet

Initial VLAN: 1

Authorization untagged VLAN: 100

Authorization tagged VLAN: N/A

Authorization ACL number/name: 3001

Authorization dynamic ACL name: N/A

Authorization user profile: N/A

Authorization CAR: N/A

Authorization URL: N/A

Authorization IPv6 URL: N/A

Authorization temporary redirect: Disabled

Start accounting: Successful

Real-time accounting-update failures: 0

Termination action: RADIUS-request

Session timeout period: 2 sec

Offline detection: 100 sec (server-assigned)

Remaining reauth attempts: 2

Online from: 2013/03/02 13:14:15

Online duration: 0h 2m 15s

Port-down keep online: Enabled

 

User MAC address: 0016-e9a6-7cfe

Access interface: GigabitEthernet1/0/2

Username: i1s

User access state: Successful

Authentication domain: macusers

IPv4 address: 192.168.1.1

IPv6 address: 2000:0:0:0:1:2345:6789:abcd

IPv4 address source: User packet

IPv6 address source: User packet

Initial VLAN: 1

Authorization untagged VLAN: 100

Authorization tagged VLAN: N/A

Authorization ACL number/name: 3001

Authorization dynamic ACL name: N/A

Authorization user profile: N/A

Authorization CAR: N/A

Authorization URL: N/A

Authorization IPv6 URL: N/A

Authorization temporary redirect: Disabled

Start accounting: Successful

Real-time accounting-update failures: 0

Termination action: RADIUS-request

Session timeout period: 2 sec

Offline detection: 100 sec (server-assigned)

Remaining reauth attempts: 2

Online from: 2013/03/02 13:14:15

Online duration: 0h 2m 15s

Port-down keep online: Enabled

Table 8 Command output

Field

Description

Total connections

Total number of online static users.

User MAC address

MAC address of a static user.

Access interface

Interface through which the user accesses the device.

Username

Username.

User access state

Access state of the user:

·     Auth-Fail domain—The user is in the Auth-Fail domain.

·     Critical domain—The user is in the critical domain.

·     Preauth domain—The user is in the preauthentication domain.

·     Successful—The user has passed MAC authentication and accessed the network.

IPv4 address

User IPv4 address.

IPv6 address

User IPv6 address.

Initial VLAN

VLAN to which the user belongs before static user access authentication.

Authorization untagged VLAN

Untagged VLAN assigned to the user.

Authorization tagged VLAN

Tagged VLAN assigned to the user.

Authorization ACL number/name

Number or name of the static ACL assigned to the user.

If no static ACL has been assigned to the user, this field displays N/A.

If ACL authorization failed, this field displays (NOT effective) next to the ACL number or name.

Authorization dynamic ACL name

Name of the dynamic ACL assigned to the user.

If no dynamic ACL has been assigned to the user, this field displays N/A.

If ACL authorization failed, this field displays (NOT effective) next to the ACL name.

Authorization user profile

Name of the user profile assigned to the user.

Authorization CAR

This field is not supported in the current software version.

If no authorization CAR attributes are assigned, this field displays N/A.

Authorization URL

Redirect URL assigned to the user.

Authorization IPv6 URL

IPv6 redirect URL assigned to the user.

Authorization temporary redirect

State of temporary redirection authorization:

·     Enabled—Temporary redirection is authorized. The HTTP or HTTPS redirection packets sent to the user carry status code 302.

·     Disabled—Temporary redirection is not authorized. The HTTP or HTTPS redirection packets sent to the user carry status code 200.

Start accounting

Start-accounting request result:

·     Successful.

·     Failed.

The device does not support accounting for users in the preauthentication domain. For such users, this field displays N/A.

Real-time accounting-update failures

Number of consecutive real-time accounting-update failures.

Termination action

Action attribute assigned by the server to terminate the user session:

·     Default—Logs off the online authenticated static user when the server-assigned session timeout timer expires. This attribute does not take effect when static user periodic reauthentication is enabled and the periodic reauthentication timer is shorter than the server-assigned session timeout timer.

·     RADIUS-request—Reauthenticates the online user when the server-assigned session timeout timer expires, regardless of whether the static user periodic reauthentication feature is enabled or not.

If the device performs local authentication, this field displays Default.

Session timeout period

Session timeout timer assigned by the server.

Offline detection

Offline detection setting for the user:

·     Ignore (command-configured)—The device does not perform offline detection for the user. The setting is configured from the CLI.

·     timer (command-configured)—Represents the offline detect timer. The timer is configured from the CLI.

·     Ignore (server-assigned)—The device does not perform offline detection for the user. The setting is assigned by a RADIUS server.

·     timer (server-assigned)—Represents the offline detect timer. The timer is assigned by a RADIUS server.

Remaining reauth attempts

Remaining number of reauthentication attempts.

Online from

Time from which the static user came online.

Online duration

Online duration of the static user.

Port-down keep online

Whether the device allows the user to stay online after the user's access interface goes down. The value of this field depends on the shutdown-keep-online proprietary attribute issued by the RADIUS server.

·     Enabled—The device allows the user to stay online after the access interface goes down. This state is displayed if the RADIUS server assigned the shutdown-keep-online proprietary attribute and set the attribute not to 0.

·     Disabled (offline)—The device logs off the user when the access interface goes down. This state is displayed if the RADIUS server assigned the shutdown-keep-online proprietary attribute and set the attribute to 0, or the RADIUS server did not assign the attribute.
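The output above is what an operator reads by eye; on a switch with many online static users the fields worth acting on (an ACL marked "(NOT effective)", a session that survives link-down, or two MAC addresses claiming the same IPv4 address learned from user packets) are easy to miss. The following Python script is an added example, not part of the H3C reference or its software: it parses the "Field: value" records of display port-security static-user connection and flags those conditions. The sample output, the finding texts and the function names are constructed for the example; the field names and the "(NOT effective)" marker are the ones documented in Table 8.

```python
from collections import defaultdict

# Constructed sample, modelled on the page's example output, limited to the
# fields the audit looks at. The second user has an ACL that failed to apply
# and claims the same IPv4 address as the first user.
SAMPLE_OUTPUT = """\
Total connections: 2

User MAC address: 0015-e9a6-7cfe
Access interface: GigabitEthernet1/0/1
Username: ias
User access state: Successful
IPv4 address: 192.168.1.1
IPv6 address: 2000:0:0:0:1:2345:6789:abcd
IPv4 address source: User packet
Authorization ACL number/name: 3001
Authorization dynamic ACL name: N/A
Online from: 2013/03/02 13:14:15
Port-down keep online: Enabled

User MAC address: 0016-e9a6-7cfe
Access interface: GigabitEthernet1/0/2
Username: i1s
User access state: Successful
IPv4 address: 192.168.1.1
IPv6 address: N/A
IPv4 address source: User packet
Authorization ACL number/name: 3001 (NOT effective)
Authorization dynamic ACL name: N/A
Online from: 2013/03/02 13:15:40
Port-down keep online: Disabled (offline)
"""


def parse_connections(text):
    """Turn the display output into (total, [record, ...]).

    Records are separated by blank lines and every field is 'Name: value'.
    Splitting on the first colon keeps IPv6 addresses and timestamps intact.
    """
    total = None
    records = []
    current = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line
        name, value = name.strip(), value.strip()
        if name == "Total connections":
            total = int(value)
        else:
            current[name] = value
    if current:
        records.append(current)
    return total, records


ACL_FIELDS = ("Authorization ACL number/name", "Authorization dynamic ACL name")


def audit(total, records):
    """Return [(subject, finding), ...] for conditions an operator should review."""
    findings = []
    if total is not None and total != len(records):
        findings.append(("summary", f"Total connections is {total} but {len(records)} records parsed"))
    by_ipv4 = defaultdict(list)
    for rec in records:
        mac = rec.get("User MAC address", "?")
        # Table 8 documents '(NOT effective)' as the marker for a failed ACL
        # authorization: the user is online without the intended filter.
        for field in ACL_FIELDS:
            if "(NOT effective)" in rec.get(field, ""):
                findings.append((mac, f"{field} failed to apply: {rec[field]}"))
        # Server-assigned shutdown-keep-online keeps the session across link-down.
        if rec.get("Port-down keep online", "").startswith("Enabled"):
            findings.append((mac, "session survives link-down (shutdown-keep-online)"))
        ip = rec.get("IPv4 address", "N/A")
        if ip != "N/A":
            by_ipv4[ip].append(mac)
    # The IPv4 address is learned from user packets, so one address shared by
    # several MAC addresses deserves a look (assumed check, not from the page).
    for ip, macs in by_ipv4.items():
        if len(macs) > 1:
            findings.append((",".join(macs), f"IPv4 {ip} is claimed by {len(macs)} MAC addresses"))
    return findings


if __name__ == "__main__":
    total, records = parse_connections(SAMPLE_OUTPUT)
    for subject, finding in audit(total, records):
        print(f"{subject}: {finding}")
```

Feed the script the captured output of the display command (for example, the text saved from a terminal session); it does not log in to the switch itself. Each record is keyed by the field names exactly as printed, so a field added in a later software version is carried along without breaking the parser.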

display port-security statistics

Use display port-security statistics to display port security statistics.

Syntax

display port-security statistics [ slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

slot slot-number: Specifies an IRF member device by its member ID. If you do not specify an IRF member device, this command displays port security statistics on all IRF member devices.

Examples

# Display port security statistics.

<Sysname> display port-security statistics

Slot ID: 0

Entries received from IPCIM:

  Entries notified to be added     : 0

  Entries notified to be deleted   : 0

  Entries actually added           : 0

  Entries actually deleted         : 0

Table 9 Command output

Field

Description

Slot ID

Member device number.

Entries received from IPCIM

Number of entries received by the port security module from the IP client information management (IPCIM) module. Values include:

·     Entries notified to be added—Number of user entries that IPCIM notified port security to add.

·     Entries notified to be deleted—Number of user entries that IPCIM notified port security to delete.

·     Entries actually added—Number of user entries that port security actually added.

·     Entries actually deleted—Number of user entries that port security actually deleted.

 

Related commands

reset port-security statistics

port-security access-user log enable

Use port-security access-user log enable to enable port security user logging.

Use undo port-security access-user log enable to disable port security user logging.

Syntax

port-security access-user log enable [ failed-authorization | mac-learning | violation | vlan-mac-limit ] *

undo port-security access-user log enable [ failed-authorization | mac-learning | violation | vlan-mac-limit ] *

Default

Port security user logging is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

failed-authorization: Logs authorization failures of 802.1X or MAC authentication users.

mac-learning: Logs MAC address learning events.

violation: Logs intrusion protection events.

vlan-mac-limit: Logs the first access attempt from a new MAC address in a VLAN after port security's MAC address limit for that VLAN is reached. For each VLAN, the system logs only the first such attempt; further access attempts from new MAC addresses after the limit is reached are not logged.

Usage guidelines

To prevent excessive port security user log entries, use this feature only if you need to analyze abnormal port security user events.

If you do not specify any parameters, this command enables all types of port security user logs.

Examples

# Enable intrusion protection event logging.

<Sysname> system-view

[Sysname] port-security access-user log enable violation

Related commands

info-center source portsec logfile deny (Network Management and Monitoring Command Reference)

port-security authentication open

Use port-security authentication open to enable open authentication mode on a port.

Use undo port-security authentication open to disable open authentication mode on a port.

Syntax

port-security authentication open

undo port-security authentication open

Default

Open authentication mode is disabled on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

This command enables access users (802.1X or MAC authentication users) of a port to come online and access the network even if they use nonexistent usernames or incorrect passwords.

Access users that come online in open authentication mode are called open users. Authorization and accounting are not available for open users. To display open user information, use the following commands:

·     display dot1x connection open.

·     display mac-authentication connection open.

Open authentication mode does not affect the access of users that use correct user information on the port.

The open authentication mode setting has lower priority than the 802.1X Auth-Fail VLAN and the MAC authentication guest VLAN. Open authentication mode does not take effect on a port if the port is also configured with the 802.1X Auth-Fail VLAN or the MAC authentication guest VLAN.

For information about 802.1X authentication or MAC authentication, see Security Configuration Guide.

Examples

# Enable open authentication mode on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security authentication open

Related commands

display dot1x connection

display mac-authentication connection

port-security authentication open global

port-security authentication open global

Use port-security authentication open global to enable global open authentication mode.

Use undo port-security authentication open global to disable global open authentication mode.

Syntax

port-security authentication open global

undo port-security authentication open global

Default

Global open authentication mode is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables access users (802.1X or MAC authentication users) to come online and access the network even if they use nonexistent usernames or incorrect passwords.

Access users that come online in open authentication mode are called open users. Authorization and accounting are not available for open users. To display open user information, use the following commands:

·     display dot1x connection open.

·     display mac-authentication connection open.

Open authentication mode does not affect the access of users that use correct user information.

The open authentication mode setting has lower priority than the 802.1X Auth-Fail VLAN and the MAC authentication guest VLAN. Open authentication mode does not take effect on a port if the port is also configured with the 802.1X Auth-Fail VLAN or the MAC authentication guest VLAN.

For information about 802.1X authentication or MAC authentication, see Security Configuration Guide.

Examples

# Enable global open authentication mode.

<Sysname> system-view

[Sysname] port-security authentication open global

Related commands

display dot1x connection

display mac-authentication connection

port-security authentication open

port-security authentication-profile

Use port-security authentication-profile to bind an interface to a port security authentication profile.

Use undo port-security authentication-profile to restore the default.

Syntax

port-security authentication-profile profile-name

undo port-security authentication-profile profile-name

Default

No port security authentication profile is bound to an interface.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

profile-name: Specifies the name of a port security authentication profile, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Operating mechanism

After an interface is bound to a port security authentication profile, the interface uses the configuration of the bound profile to perform authentication for access users.

·     For functions available in both interface view and port security authentication profile view (the commands might differ), the interface-view configuration of those functions is deleted when the interface is bound, whether or not the profile configures them. To use those functions on the interface, configure them in the bound port security authentication profile.

·     Functions available only in interface view take effect on the interface once configured there.

·     The authentication mode used on a port is determined by the 802.1X access profile and MAC authentication access profile bound to the port security authentication profile.

After an interface is bound to a port security authentication profile, the interface supports only MAC-based authentication. If you bind a MAC authentication access profile to the port security authentication profile, the interface will use MAC authentication. If you bind an 802.1X access profile to the port security authentication profile, the interface will use 802.1X authentication in MAC-based access control.

Prerequisites

To bind an interface to a port security authentication profile, first create the profile by using the port-security authentication-profile name command in system view.

Restrictions and guidelines

A port security authentication profile can be bound to different interfaces. An interface can be bound to only one port security authentication profile. To change the bound port security authentication profile of an interface, you must first unbind the profile from the interface.

As a best practice to avoid authentication anomalies on an interface, do not both apply a port security authentication profile and configure 802.1X port-based access control on the interface. (The 802.1X port-based access control is configured by using the dot1x port-method portbased command.)

Examples

# Bind GigabitEthernet 1/0/1 to port security authentication profile 123.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security authentication-profile 123

Related commands

display port-security authentication-profile

port-security authentication-profile name

Use port-security authentication-profile name to create a port security authentication profile and enter its view, or enter the view of an existing port security authentication profile.

Use undo port-security authentication-profile name to delete a port security authentication profile.

Syntax

port-security authentication-profile name profile-name

undo port-security authentication-profile name profile-name

Default

No port security authentication profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies the name of a port security authentication profile, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Application scenarios

To implement fast port security authentication on users, the device uses port security authentication profiles for unified management of the access authentication configuration. In a port security authentication profile, you can bind 802.1X and MAC authentication access profiles and configure the authentication order to control user access.

Restrictions and guidelines

Deleting a port security authentication profile that is bound to an interface and in effect logs off the online users on that interface abnormally.

Examples

# Create port security authentication profile aaa and enter its view.

<Sysname> system-view

[Sysname] port-security authentication-profile name aaa

[Sysname-portsec-auth-prof-aaa]

Related commands

display port-security authentication-profile

port-security authorization ignore

Use port-security authorization ignore to configure a port to ignore the authorization information received from the authentication server (a RADIUS server or the local device).

Use undo port-security authorization ignore to restore the default.

Syntax

port-security authorization ignore

undo port-security authorization ignore

Default

A port uses the authorization information from the server.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

After a user passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user account. For example, the server can assign a VLAN. If you do not want the port to use such authorization attributes for users, use this command to ignore the authorization information from the server.

For 802.1X and MAC authentication users, this command ignores all attributes assigned by the server except the Termination-Action and Session-Timeout attributes. For Web authentication users, this command ignores all attributes assigned by the server.

Examples

# Configure GigabitEthernet 1/0/1 to ignore the authorization information from the authentication server.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security authorization ignore

Related commands

display port-security

port-security authorization-fail offline

Use port-security authorization-fail offline to enable the authorization-fail-offline feature.

Use undo port-security authorization-fail offline to disable the authorization-fail-offline feature.

Syntax

port-security authorization-fail offline [ quiet-period ]

undo port-security authorization-fail offline

Default

The authorization-fail-offline feature is disabled. The device does not log off users that have failed authorization.

Views

System view

Predefined user roles

network-admin

Parameters

quiet-period: Enables the quiet timer for 802.1X or MAC authentication users that are logged off by the authorization-fail-offline feature. The device adds these users to the 802.1X or MAC authentication quiet queue. Within the quiet timer, the device does not process packets from these users or authenticate them. If you do not specify this keyword, the quiet timer feature is disabled for users that are logged off by the authorization-fail-offline feature. The device immediately authenticates these users upon receiving packets from them.

Usage guidelines

The authorization-fail-offline feature logs off port security users that have failed ACL or user profile authorization.

A user fails ACL or user profile authorization in the following situations:

·     The device or server fails to assign the specified ACL or user profile to the user.

·     The device or server assigns an ACL or user profile that does not exist on the device to the user.

If this feature is disabled, the device does not log off users that have failed ACL or user profile authorization. However, the device outputs messages to report the failure.

For the quiet-period keyword to take effect, complete the following tasks:

·     For 802.1X users, use the dot1x quiet-period command to enable the quiet timer and use the dot1x timer quiet-period command to set the timer.

·     For MAC authentication users, use the mac-authentication timer quiet command to set the quiet timer for MAC authentication.

Examples

# Enable the authorization-fail-offline feature.

<Sysname> system-view

[Sysname] port-security authorization-fail offline

Related commands

display port-security

dot1x quiet-period

dot1x timer quiet-period

mac-authentication timer

port-security auth-order

Use port-security auth-order to configure the port security authentication order.

Use undo port-security auth-order to restore the default.

Syntax

port-security auth-order { dot1x-mac [ parallel ] | mac-dot1x [ multiple ] }

undo port-security auth-order

Default

After a port receives a packet with an unknown source MAC address, it performs 802.1X authentication and then MAC authentication for the user.

Views

Port security authentication profile view

Predefined user roles

network-admin

Parameters

dot1x-mac: Performs 802.1X authentication and then MAC authentication.

parallel: Enables parallel 802.1X and MAC authentication processing. The port performs 802.1X authentication and MAC authentication simultaneously, and once either authentication is successful, the user can go online. If you do not specify this keyword, a user can perform MAC authentication only after it completes 802.1X authentication.

mac-dot1x: Performs MAC address authentication and then 802.1X authentication.

multiple: Enables multi-authentication mode. To go online, a user must pass MAC authentication successfully and then pass 802.1X authentication successfully. If you do not specify this keyword, a user can go online after passing either MAC or 802.1X authentication.

Usage guidelines

Operating mechanism

You can configure the access authentication order on a port enabled with both 802.1X and MAC authentication methods.

·     In dot1x-mac order, for a port to perform MAC authentication and assign an authorization VLAN before it joins the 802.1X guest VLAN, enable parallel 802.1X and MAC authentication processing by using the parallel keyword and enable 802.1X guest VLAN assignment delay. For information about the commands for enabling 802.1X guest VLAN assignment delay, see 802.1X commands.

·     In mac-dot1x order, to allow a user to go online only after the user passes both MAC and 802.1X authentication, enable multi-authentication mode by using the multiple keyword.

Prerequisites

To use combined 802.1X and MAC authentication on a port, you must enable both authentication methods and configure the access control method of 802.1X authentication as macbased.

Restrictions and guidelines

Changing the access authentication order by using the port-security auth-order command will result in authentication failure for users that are currently being authenticated. The users must trigger authentication again in order to go online. To avoid such authentication failures, change the authentication order only when necessary. 

If parallel 802.1X and MAC authentication processing is enabled, do not configure MAC authentication delay as a best practice.

Examples

# Enable MAC and 802.1X multi-authentication mode in port security authentication profile 123.

<Sysname> system-view

[Sysname] port-security authentication-profile name 123

[Sysname-portsec-auth-prof-123] port-security auth-order mac-dot1x multiple

Related commands

mac-authentication parallel-with-dot1x

port-security triple-auth-order mac-dot1x-web

port-security port-mode mac-and-userlogin-secure-ext

port-security enable

Use port-security enable to enable port security.

Use undo port-security enable to disable port security.

Syntax

port-security enable

undo port-security enable

Default

Port security is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

You must disable global 802.1X and MAC authentication before you enable port security.

Enabling or disabling port security resets the following security settings to the default:

·     802.1X access control mode is MAC-based.

·     Port authorization state is auto.

When online users are present on a port, disabling port security logs off the online users.

Examples

# Enable port security.

<Sysname> system-view

[Sysname] port-security enable

Related commands

display port-security

dot1x

dot1x port-control

dot1x port-method

mac-authentication

port-security free-vlan

Use port-security free-vlan to configure free VLANs for port security.

Use undo port-security free-vlan to restore the default.

Syntax

port-security free-vlan vlan-id-list

undo port-security free-vlan [ vlan-id-list ]

Default

No free VLANs are configured for port security on a port. Authentication will be triggered by packets from users in any VLAN on the port that is configured with 802.1X, MAC authentication, or a port security authentication mode.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

vlan-id-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of start-vlan-id to end-vlan-id. The value range for VLAN IDs is 1 to 4094. The end VLAN ID must be equal to or greater than the start VLAN ID.

Usage guidelines

This command prevents packets from the specified VLANs from triggering 802.1X or MAC authentication on a port configured with any of the following features:

·     802.1X authentication.

·     MAC authentication.

·     Any of the following port security modes:

¡     userLogin.

¡     userLoginSecure.

¡     userLoginWithOUI.

¡     userLoginSecureExt.

¡     macAddressWithRadius.

¡     macAddressOrUserLoginSecure.

¡     macAddressElseUserLoginSecure.

¡     macAddressOrUserLoginSecureExt.

¡     macAddressElseUserLoginSecureExt.

Execute this command multiple times to specify multiple free VLANs for port security.

If you do not specify the vlan-id-list argument when executing the undo port-security free-vlan command, the command deletes all free VLANs.

Examples

# Configure free VLANs for port security on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security free-vlan 2 3

Related commands

display port-security

port-security intrusion-mode

Use port-security intrusion-mode to configure the intrusion protection action to take when intrusion protection detects illegal frames on a port.

Use undo port-security intrusion-mode to restore the default.

Syntax

port-security intrusion-mode { blockmac | disableport | disableport-temporarily }

undo port-security intrusion-mode

Default

Intrusion protection is disabled.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses for a period set by the block timer. A blocked MAC address will be unblocked when the block timer expires. The timer is configurable with the port-security timer blockmac command. To display the blocked MAC address list, use the display port-security mac-address block command.

disableport: Disables the port permanently when an illegal frame is received on the port.

disableport-temporarily: Disables the port for a period of time whenever it receives an illegal frame. You can use the port-security timer disableport command to set the period.

Usage guidelines

To bring up the port disabled by the intrusion protection feature, use the undo shutdown command.

Examples

# Configure GigabitEthernet 1/0/1 to block the source MAC addresses of illegal frames after intrusion protection detects the illegal frames.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode blockmac

Related commands

display port-security

display port-security mac-address block

port-security timer blockmac

port-security timer disableport
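Several of the settings documented in this section weaken or disable a control that the port otherwise enforces: port-security authentication open (and its global form) lets users with wrong credentials online without authorization or accounting, port-security authorization ignore discards the VLAN, ACL and user profile the server assigned, and a port without port-security intrusion-mode takes no action on illegal frames, while disableport needs an operator to run undo shutdown to recover the port. The following Python script is an added example, not part of the H3C reference or its software, that serves those three passages at once: it parses a Comware-style running-config excerpt into global lines and interface stanzas and flags those settings, with a weak configuration beside a corrected one. The interface names, port modes and finding texts are constructed for the example; the commands checked are the ones documented on this page.

```python
# Constructed running-config excerpts in Comware style ('#' separates stanzas,
# stanza members are indented by one space). Interface names and modes are
# illustrative; the port-security commands are the ones documented here.
WEAK_CONFIG = """\
#
port-security enable
#
interface GigabitEthernet1/0/1
 port-security port-mode userlogin-secure
 port-security intrusion-mode blockmac
#
interface GigabitEthernet1/0/2
 port-security port-mode mac-authentication
 port-security authentication open
 port-security authorization ignore
#
interface GigabitEthernet1/0/3
 port-security port-mode userlogin-secure
 port-security intrusion-mode disableport
#
interface GigabitEthernet1/0/4
 description uplink, no port security
#
"""

# The same ports with open authentication and authorization ignore removed,
# an intrusion mode on every secured port, and the permanent shutdown
# replaced by the timed one.
HARDENED_CONFIG = """\
#
port-security enable
#
interface GigabitEthernet1/0/1
 port-security port-mode userlogin-secure
 port-security intrusion-mode blockmac
#
interface GigabitEthernet1/0/2
 port-security port-mode mac-authentication
 port-security intrusion-mode blockmac
#
interface GigabitEthernet1/0/3
 port-security port-mode userlogin-secure
 port-security intrusion-mode disableport-temporarily
#
"""


def parse_config(text):
    """Return (global_lines, {interface_name: [member lines]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "#":
            current = None  # '#' closes the current stanza
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def has_port_security(lines):
    """True if the stanza applies a port security mode or authentication profile."""
    return any(l.startswith(("port-security port-mode",
                             "port-security authentication-profile")) for l in lines)


def lint(global_lines, interfaces):
    """Return [(scope, finding), ...]; an empty list means nothing to flag."""
    findings = []
    if "port-security enable" not in global_lines:
        findings.append(("global", "port-security enable is absent: port security is off (the default)"))
    if "port-security authentication open global" in global_lines:
        findings.append(("global", "open authentication is on globally: wrong credentials still get online"))
    for name, lines in interfaces.items():
        if not has_port_security(lines):
            continue  # nothing to enforce on this interface
        if "port-security authentication open" in lines:
            findings.append((name, "open authentication: wrong credentials still get online, "
                                   "with no authorization or accounting"))
        if "port-security authorization ignore" in lines:
            findings.append((name, "server authorization (VLAN, ACL, user profile) is ignored"))
        modes = [l for l in lines if l.startswith("port-security intrusion-mode")]
        if not modes:
            findings.append((name, "no intrusion-mode: intrusion protection is disabled (the default)"))
        elif modes[-1].split()[-1] == "disableport":
            findings.append((name, "disableport shuts the port permanently; recovery needs a manual undo shutdown"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for scope, finding in lint(*parse_config(cfg)):
            print(f"{scope}: {finding}")
```

Run it against the text of display current-configuration saved from the switch. Interfaces without a port security mode or authentication profile are skipped on purpose: the checks only make sense where the port is expected to authenticate users.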

port-security link-down action

Use port-security link-down action to configure the action to be taken on online users when their access ports go down.

Use undo port-security link-down action to restore the default.

Syntax

port-security link-down action { keep-online | offline-delay delay-value }

undo port-security link-down action

Default

The device immediately logs off online users when their access ports go down.

Views

Port security authentication profile view

Predefined user roles

network-admin

Parameters

keep-online: Allows online users to stay online when their access ports go down.

offline-delay delay-value: Delays logging off online users when their access ports go down. The delay-value argument represents the logoff delay time, in the range of 0 to 60 seconds.

Usage guidelines

Application scenarios

By default, the device immediately logs off online users when their access ports go down. When the ports come up, the users must be reauthenticated to come online. To spare users repeated reauthentication when a port flaps, configure one of the following actions for online users as needed:

·     keep-online—Allows online users to stay online when their access ports go down. When the ports come up, the users can come online without being reauthenticated.

·     offline-delay—Delays logging off online users when their access ports go down.

¡     If the access ports come up before the delay time expires, the users can come online without being reauthenticated.

¡     If the access ports do not come up before the delay time expires, the users are logged off when the delay time expires. When the ports come up, the users must be reauthenticated to come online.

Restrictions and guidelines

This command takes effect for online users on a port only when the port automatically goes down due to link abnormalities. It does not take effect when the port goes down manually by executing the shutdown command.

This command takes effect for online users on a port only if you configure it while that access port is up. It does not take effect for online users on a port that is down when you configure it, and in that case any later modification or deletion of the configuration also does not take effect on that port.

Examples

# Delay logging off online users by 5 seconds when their access ports go down.

<Sysname> system-view

[Sysname] port-security authentication-profile name abc

Port security authentication profile created.

[Sysname-portsec-auth-prof-abc] port-security link-down action offline-delay 5

Related commands

port-security authentication-profile name

port-security mac-address aging-type inactivity

Use port-security mac-address aging-type inactivity to enable inactivity aging for secure MAC addresses.

Use undo port-security mac-address aging-type inactivity to disable inactivity aging for secure MAC addresses.

Syntax

port-security mac-address aging-type inactivity

undo port-security mac-address aging-type inactivity

Default

The inactivity aging feature is disabled for secure MAC addresses.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to periodically detect traffic data from secure MAC addresses.

If only the aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the secure MAC addresses. When you use the aging timer together with the inactivity aging feature, the aging timer restarts once traffic data is detected from the secure MAC addresses. A secure MAC address ages out when its lifetime expires because no traffic has been detected from it.

The inactivity aging feature prevents the unauthorized use of a secure MAC address when the authorized user is offline. The feature also removes outdated secure MAC addresses so that new secure MAC addresses can be learned or configured.

If this feature is enabled on a Layer 2 Ethernet interface, the lifetime of a secure MAC address depends on the aging timer (configured by using the port-security timer autolearn aging command).

·     If the aging timer is equal to or greater than 60 seconds, port security detects traffic from the secure MAC addresses on the interface at intervals of 30 seconds. The lifetime of a secure MAC address is a multiple of 30.

¡     If the aging timer is also a multiple of 30, the lifetime of a secure MAC address is equal to the aging timer.

¡     If the aging timer is not a multiple of 30, the lifetime of a secure MAC address is equal to the aging timer rounded up to the nearest multiple of 30.

For example, if the aging timer is 80 seconds, the lifetime of a secure MAC address will be 90 seconds.

·     If the aging timer is less than 60 seconds, the traffic detection interval equals the aging timer. The lifetime of a secure MAC address is equal to the aging timer.

This command takes effect only on sticky MAC addresses and dynamic secure MAC addresses.
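The lifetime rules above, worked through as an added Python model (not H3C code): `lifetime()` applies only the arithmetic the reference states, while `age_out_time()` adds an assumed simplified polling model in which a traffic check that finds frames restarts the lifetime, so an operator can predict when a sticky or dynamic secure MAC entry disappears.

```python
"""Model of the secure-MAC inactivity aging rules described above.

Added example, not H3C code: it reproduces the arithmetic the command
reference states (30-second detection polls when the aging timer is
60 s or more, lifetime rounded up to a multiple of the poll interval).
"""


def detection_interval(aging_timer: int) -> int:
    """Seconds between traffic checks for a given aging timer (seconds)."""
    if aging_timer <= 0:
        raise ValueError("aging timer must be positive")
    return 30 if aging_timer >= 60 else aging_timer


def lifetime(aging_timer: int) -> int:
    """Effective lifetime: the aging timer rounded up to a whole number of
    detection intervals (80 s -> 90 s, 90 s -> 90 s, 45 s -> 45 s)."""
    interval = detection_interval(aging_timer)
    return -(-aging_timer // interval) * interval  # ceiling division


def age_out_time(aging_timer: int, traffic_times) -> int:
    """Simplified model (an assumption, not documented behaviour): the
    device polls every detection_interval seconds; a poll that finds
    traffic since the previous poll restarts the lifetime; the entry is
    removed at the first poll at which a full lifetime has passed with
    no traffic.  Returns seconds after the entry was learned.
    traffic_times lists the seconds at which frames from the MAC arrived.
    """
    interval = detection_interval(aging_timer)
    life = lifetime(aging_timer)
    seen = sorted(traffic_times)
    last_restart = 0
    now = 0
    while True:
        now += interval
        if any(now - interval < t <= now for t in seen):
            last_restart = now          # traffic seen: lifetime restarts
        elif now - last_restart >= life:
            return now                  # a full lifetime without traffic


if __name__ == "__main__":
    # Constructed scenario: aging timer 80 s, one frame seen 45 s after learning.
    print(lifetime(80), age_out_time(80, [45]))
```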

Examples

# Enable inactivity aging for secure MAC addresses on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security mac-address aging-type inactivity

Related commands

display port-security

port-security mac-address dynamic

Use port-security mac-address dynamic to enable the dynamic secure MAC feature.

Use undo port-security mac-address dynamic to disable the dynamic secure MAC feature.

Syntax

port-security mac-address dynamic

undo port-security mac-address dynamic

Default

The dynamic secure MAC feature is disabled. Sticky MAC addresses can be saved to the configuration file. Once saved, they survive a device reboot.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

The dynamic secure MAC feature converts sticky MAC addresses to dynamic and disables saving them to the configuration file.

After you execute this command, you cannot manually configure sticky MAC addresses, and secure MAC addresses learned by a port in autoLearn mode are dynamic. All dynamic MAC addresses are lost at reboot. Use this command when you want to clear all sticky MAC addresses after a device reboot.

You can display dynamic secure MAC addresses by using the display port-security mac-address security command.

The undo port-security mac-address dynamic command converts all dynamic secure MAC addresses on the port to sticky MAC addresses. You can manually configure sticky MAC addresses.

Examples

# Enable the dynamic secure MAC feature on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security mac-address dynamic

Related commands

display port-security

display port-security mac-address security

port-security mac-address security

Use port-security mac-address security to add a secure MAC address.

Use undo port-security mac-address security to remove a secure MAC address.

Syntax

In Layer 2 Ethernet interface view:

port-security mac-address security [ sticky ] mac-address vlan vlan-id

undo port-security mac-address security [ sticky ] mac-address vlan vlan-id

In system view:

port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id

undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]

Default

No manually configured secure MAC address entries exist.

Views

System view

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

sticky: Specifies the MAC address type as sticky. If you do not specify this keyword, the command configures a static secure MAC address.

mac-address: Specifies a MAC address, in H-H-H format.

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies the VLAN to which the secure MAC address belongs. The value range for the vlan-id argument is 1 to 4094.

Usage guidelines

Secure MAC addresses are MAC addresses configured or learned in autoLearn mode, and if saved, can survive a device reboot. You can bind a secure MAC address only to one port in a VLAN.

You can add important or frequently used MAC addresses as sticky or static secure MAC addresses to avoid the secure MAC address limit causing authentication failure. To successfully add secure MAC addresses on a port, first complete the following tasks:

·     Enable port security on the port.

·     Set the port security mode to autoLearn.

·     Configure the port to permit packets of the specified VLAN to pass or add the port to the VLAN. Make sure the VLAN already exists.

Sticky MAC addresses can be manually configured or automatically learned in autoLearn mode. Sticky MAC addresses do not age out by default. You can use the port-security timer autolearn aging command to set an aging timer for the sticky MAC addresses. When the timer expires, the sticky MAC addresses are removed.

Static secure MAC addresses never age out unless you perform the following operations:

·     Remove these MAC addresses by using the undo port-security mac-address security command.

·     Change the port security mode.

·     Disable the port security feature.

You cannot change the type of a secure address entry that has been added or add two entries that are identical except for their entry type. For example, you cannot add the port-security mac-address security sticky 1-1-1 vlan 10 entry when a port-security mac-address security 1-1-1 vlan 10 entry exists. To add the new entry, you must delete the old entry.

Examples

# Enable port security, set GigabitEthernet 1/0/1 to operate in autoLearn mode, and configure the port to support a maximum number of 100 secure MAC addresses.

<Sysname> system-view

[Sysname] port-security enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security max-mac-count 100

[Sysname-GigabitEthernet1/0/1] port-security port-mode autolearn

# Specify MAC address 0001-0002-0003 in VLAN 4 as a sticky MAC address.

[Sysname-GigabitEthernet1/0/1] port-security mac-address security sticky 0001-0002-0003 vlan 4

[Sysname-GigabitEthernet1/0/1] quit

# In system view, specify MAC address 0001-0001-0002 in VLAN 10 as a secure MAC address for GigabitEthernet 1/0/1.

[Sysname] port-security mac-address security 0001-0001-0002 interface gigabitethernet 1/0/1 vlan 10

Related commands

display port-security

port-security timer autolearn aging

port-security mac-limit

Use port-security mac-limit to set the maximum number of MAC addresses that port security allows for specific VLANs on a port.

Use undo port-security mac-limit to restore the default.

Syntax

port-security mac-limit max-number per-vlan vlan-id-list

undo port-security mac-limit max-number per-vlan vlan-id-list

Default

No limit is set on the number of MAC addresses that port security allows for specific VLANs on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

max-number: Specifies the maximum number of MAC addresses. The value range is 1 to 2147483647.

per-vlan vlan-id-list: Applies the maximum number to a VLAN list on a per-VLAN basis. The vlan-id-list argument specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs is 1 to 4094. The value for the vlan-id2 argument must be equal to or greater than the value for the vlan-id1 argument.

Usage guidelines

This command limits the number of MAC addresses that port security allows to access a port through specific VLANs. Use this command to prevent resource contention among MAC addresses and ensure reliable performance for each access user on the port. When the number of MAC addresses in a VLAN on the port reaches the upper limit, the device denies any subsequent MAC addresses in the VLAN on the port.

Port security allows the access of the following types of MAC addresses on a port:

·     MAC addresses that pass 802.1X authentication or MAC authentication.

·     MAC addresses in the MAC authentication guest or critical VLAN.

·     MAC addresses in the 802.1X guest, Auth-Fail, or critical VLAN.

·     MAC addresses that pass Web authentication and MAC addresses in the Web authentication Auth-Fail VLAN.

On a port, the maximum number of MAC addresses in a VLAN cannot be smaller than the number of existing MAC addresses in the VLAN. If the specified maximum number is smaller, the setting does not take effect.

Examples

# On GigabitEthernet 1/0/1, configure VLAN 1, VLAN 5, and VLANs 10 through 20 each to allow a maximum of 32 MAC authentication and 802.1X users.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security mac-limit 32 per-vlan 1 5 10 to 20

Related commands

display dot1x

display mac-authentication

port-security mac-move bypass-vlan-check

Use port-security mac-move bypass-vlan-check to enable VLAN check bypass for users moving to a port from other ports.

Use undo port-security mac-move bypass-vlan-check to disable VLAN check bypass for users moving to a port from other ports.

Syntax

port-security mac-move bypass-vlan-check

undo port-security mac-move bypass-vlan-check

Default

VLAN check bypass is disabled for users moving to a port from other ports. When reauthenticating a user that has moved to the port, the device examines whether the VLAN to which the user belongs is permitted by the port.

Views

Layer 2 Ethernet interface view

Port security authentication profile view

Predefined user roles

network-admin

Usage guidelines

VLAN check bypass skips checking VLAN information in the packets that trigger authentication for users moving to the port from other ports.

On the destination port, an authenticated user will reauthenticate in the VLAN authorized on the source port if the source port is enabled with MAC-based VLAN. If that VLAN is not permitted to pass through on the destination port, reauthentication will fail. To avoid this situation, enable VLAN check bypass on the destination port.

When you configure VLAN check bypass, follow these guidelines:

·     To ensure a successful reauthentication, enable VLAN check bypass on a destination port if the source port is enabled with MAC-based VLAN.

·     If the destination port is an 802.1X-enabled trunk port, you must configure it to send 802.1X protocol packets without VLAN tags.

Examples

# Enable VLAN check bypass for users moving to GigabitEthernet 1/0/1 from other ports.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security mac-move bypass-vlan-check

Related commands

display port-security

dot1x eapol untag

port-security mac-move permit

port-security mac-move permit

Use port-security mac-move permit to enable MAC move on the device.

Use undo port-security mac-move permit to disable MAC move on the device.

Syntax

port-security mac-move permit [ port | vlan ]

undo port-security mac-move permit

Default

MAC move is disabled on the device.

Views

System view

Predefined user roles

network-admin

Parameters

port: Specifies the inter-port MAC move.

vlan: Specifies the inter-VLAN MAC move.

Usage guidelines

Port security MAC move takes effect on online users authenticated through 802.1X authentication, MAC authentication, or Web authentication in the following scenarios:

·     Inter-port move on a device—An authenticated online user moves between ports on the device. The user VLAN or authentication method might change or stay unchanged after the move.

·     Inter-VLAN move on a port—An authenticated online user moves between VLANs on a trunk or hybrid port. This mode takes effect only when the packets that trigger authentication are VLAN tagged.

Port security MAC move allows an authenticated online user on one port or VLAN to be reauthenticated and come online on another port or VLAN without going offline first. After the user passes authentication on the new port or VLAN, the system removes the authentication session of the user on the original port or VLAN. This action ensures that the user stays online on only one port in one VLAN.

NOTE:

For MAC authentication, the MAC move feature applies only when MAC authentication single-VLAN mode is used. The MAC move feature does not apply to MAC authentication users that move between VLANs on a port with MAC authentication multi-VLAN mode enabled.

If this feature is disabled, authenticated users must go offline first before they can be reauthenticated successfully on a new port or VLAN to come online.

Authenticated users cannot move between ports on a device or between VLANs on a port if the maximum number of online users on the authentication server has been reached.

If you do not specify any parameters, this command enables both the inter-port and inter-VLAN MAC moves.

Examples

# Enable MAC move.

<Sysname> system-view

[Sysname] port-security mac-move permit

Related commands

display port-security

mac-authentication host-mode multi-vlan

port-security max-mac-count

Use port-security max-mac-count to set the maximum number of secure MAC addresses that port security allows on a port.

Use undo port-security max-mac-count to restore the default.

Syntax

port-security max-mac-count max-count [ vlan [ vlan-id-list ] ]

undo port-security max-mac-count [ vlan [ vlan-id-list ] ]

Default

Port security does not limit the number of secure MAC addresses on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

max-count: Specifies the maximum number of secure MAC addresses that port security allows on the port. The value range is 1 to 2147483647.

vlan [ vlan-id-list ]: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN ID or a range of VLAN IDs in the form of start-vlan-id to end-vlan-id. The end VLAN ID cannot be smaller than the start VLAN ID. The value range for VLAN IDs is 1 to 4094. If you do not specify the vlan keyword, this command sets the maximum number of secure MAC addresses that port security allows on a port. If you do not specify the vlan-id-list argument, this command sets the maximum number of secure MAC addresses for each VLAN on the port. This option takes effect only on a port that operates in autoLearn mode.

Usage guidelines

For autoLearn mode, this command sets the maximum number of secure MAC addresses (both configured and automatically learned) on the port.

In any other mode that enables 802.1X, MAC authentication, or both, this command sets the maximum number of authenticated MAC addresses on the port. The actual maximum number of concurrent users that the port accepts equals the smaller of the following values:

·     The value set by using this command.

·     The maximum number of concurrent users allowed by the authentication mode in use.

For example, in userLoginSecureExt mode, if 802.1X allows more concurrent users than port security's limit on the number of MAC addresses, port security's limit takes effect.

When you configure this command, follow these guidelines and restrictions:

·     Make sure the maximum number of secure MAC addresses for a VLAN is not less than the number of MAC addresses currently saved for the VLAN.

·     If you execute this command multiple times to set the maximum number of secure MAC addresses for the same VLAN, the most recent configuration takes effect.

·     You cannot change port security's limit on the number of MAC addresses when the port is operating in autoLearn mode.

Examples

# Set the maximum number of secure MAC addresses that port security allows on GigabitEthernet 1/0/1 to 100.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security max-mac-count 100

Related commands

display port-security

port-security nas-id-profile

Use port-security nas-id-profile to apply a NAS-ID profile to global or port-based port security.

Use undo port-security nas-id-profile to restore the default.

Syntax

port-security nas-id-profile profile-name

undo port-security nas-id-profile

Default

No NAS-ID profile is applied to port security globally or on any port.

Views

System view

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

profile-name: Specifies a NAS-ID profile by its name. The argument is a case-sensitive string of 1 to 31 characters.

Usage guidelines

A NAS-ID profile defines NAS-ID and VLAN bindings. You can create a NAS-ID profile by using the aaa nas-id profile command.

The device selects a NAS-ID profile for a port in the following order:

1.     The port-specific NAS-ID profile.

2.     The NAS-ID profile applied globally.

If no NAS-ID profile is applied or no matching binding is found in the selected profile, the device uses the device name as the NAS-ID.

Examples

# Apply NAS-ID profile aaa to GigabitEthernet 1/0/1 for port security.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security nas-id-profile aaa

# Globally apply NAS-ID profile aaa to port security.

<Sysname> system-view

[Sysname] port-security nas-id-profile aaa

Related commands

aaa nas-id profile

port-security ntk-mode

Use port-security ntk-mode to configure the NTK feature.

Use undo port-security ntk-mode to restore the default.

Syntax

port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkauto | ntkonly }

undo port-security ntk-mode

Default

The NTK feature is not configured on a port and all frames are allowed to be sent.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

ntk-withbroadcasts: Forwards only broadcast and unicast frames with a known destination MAC address.

ntk-withmulticasts: Forwards only broadcast, multicast, and unicast frames with a known destination MAC address.

ntkauto: Forwards only broadcast, multicast, and unicast frames with a known destination MAC address, and only when the port has online users.

ntkonly: Forwards only unicast frames with a known destination MAC address.

Usage guidelines

The NTK feature checks the destination MAC addresses in outbound frames. This feature allows frames to be sent only to devices with a known MAC address, preventing illegal devices from intercepting network traffic.

Examples

# Set the NTK mode of GigabitEthernet 1/0/1 to ntkonly, allowing the port to forward the unicast packets with a known destination MAC address.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security ntk-mode ntkonly

Related commands

display port-security

port-security oui

Use port-security oui to configure an OUI value for user authentication.

Use undo port-security oui to delete the OUI value with the specified OUI index.

Syntax

port-security oui index index-value mac-address oui-value

undo port-security oui index index-value

Default

No OUI values are configured.

Views

System view

Predefined user roles

network-admin

Parameters

index-value: Specifies the OUI index, in the range of 1 to 16.

oui-value: Specifies an OUI string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value.

Usage guidelines

You can configure multiple OUI values.

An OUI, the first 24 binary bits of a MAC address, is assigned by IEEE to uniquely identify a device vendor. Use this command to allow devices of specific vendors to access the network without being authenticated. For example, you can specify the OUIs of IP phones and printers.

The OUI values configured by this command apply only to the ports operating in userLoginWithOUI mode. In userLoginWithOUI mode, a port allows only one 802.1X user and one user whose MAC address matches one of the configured OUI values.
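An added Python model (not H3C code) of the OUI table described above: it parses H-H-H MAC addresses, keeps only the 24 high-order bits as the reference states, enforces the 1 to 16 index range, and shows that two entries whose first 24 bits agree, such as 000d-2a10-0033 and 000d-2a00-0000, are the same OUI value.

```python
"""OUI table model for the userLoginWithOUI mode described above.

Added example, not H3C code. It mirrors the rules stated in the
command reference: up to 16 indexed entries, each given as a 48-bit
MAC in H-H-H format, of which only the 24 high-order bits are kept.
"""
import re

_HHH = re.compile(r"^[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}$")


def parse_hhh(mac: str) -> int:
    """Parse an H-H-H MAC such as 000d-2a10-0033 into a 48-bit integer."""
    if not _HHH.match(mac):
        raise ValueError(f"not an H-H-H MAC address: {mac!r}")
    return int(mac.replace("-", ""), 16)


def oui_of(mac: str) -> str:
    """Return the 24 high-order bits of an H-H-H MAC as six hex digits."""
    return f"{parse_hhh(mac) >> 24:06x}"


class OuiTable:
    """Holds the per-index OUI values configured with port-security oui."""

    MAX_INDEX = 16

    def __init__(self) -> None:
        self._entries: dict = {}

    def add(self, index: int, mac: str) -> str:
        """Store the OUI of mac under index (1..16); returns the stored OUI."""
        if not 1 <= index <= self.MAX_INDEX:
            raise ValueError(f"index must be 1..{self.MAX_INDEX}")
        oui = oui_of(mac)
        self._entries[index] = oui
        return oui

    def remove(self, index: int) -> None:
        """Equivalent of undo port-security oui index index-value."""
        self._entries.pop(index, None)

    def matches(self, mac: str) -> bool:
        """True if the source MAC carries one of the configured OUI values."""
        return oui_of(mac) in self._entries.values()

    def entries(self) -> dict:
        return dict(self._entries)


if __name__ == "__main__":
    # Constructed table: the reference's own example entry at index 4.
    table = OuiTable()
    print(table.add(4, "000d-2a10-0033"), table.matches("000d-2aff-1234"))
```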

Examples

# Configure an OUI value of 000d2a, and set the index to 4.

<Sysname> system-view

[Sysname] port-security oui index 4 mac-address 000d-2a10-0033

Related commands

display port-security

port-security packet-detect arp-source-ip factor

Use port-security packet-detect arp-source-ip factor to specify an IP address and mask for calculating the source IP of ARP detection packets.

Use undo port-security packet-detect arp-source-ip factor to restore the default.

Syntax

port-security packet-detect arp-source-ip factor ip-address { mask | mask-length }

undo port-security packet-detect arp-source-ip factor

Default

No IP address or mask is specified for calculating the source IP of ARP detection packets. The source IP of ARP detection packets is 0.0.0.0.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address { mask | mask-length }: Specifies an IP address and mask for calculating the source IP of ARP detection packets. The mask argument represents the IP address mask, in dotted decimal notation. The mask cannot be 255.255.255.255. The mask-length argument represents the IP address mask length, in the range of 0 to 31.

Usage guidelines

By default, the device uses 0.0.0.0 as the source IP address of ARP detection packets. The network might have users that cannot respond to ARP detection packets with source IP address 0.0.0.0. As a result, the device incorrectly determines that these users have gone offline. To resolve the issue, use this command to specify an IP address and mask that the device combines with each user's IP address to calculate the source IP of the ARP detection packets sent to that user.

The device uses the following formula to calculate the source IP address of ARP detection packets: source IP = (user IP & specified mask) | (specified IP & ~specified mask). The ~specified mask term is the bitwise inverse of the mask. For example, the inverse of 255.255.255.0 is 0.0.0.255. If the IP address of a user is 192.168.8.1/24 and the IP address and mask specified by using this command are 1.1.1.11/255.255.255.0, the source IP address of ARP detection packets is 192.168.8.11/24.

To avoid the source IP address of ARP detection packets being the same as the destination IP address, follow these restrictions and guidelines:

·     The mask length specified by using this command must be equal to or longer than the mask length of users' IP addresses.

·     The mask cannot be 255.255.255.255.

This command takes effect only on users that come online after this command is executed.
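The formula and the two restrictions above, as an added Python example (not H3C code): `arp_source_ip()` reproduces the reference's 192.168.8.1/24 with 1.1.1.11/255.255.255.0 case and accepts the mask either dotted or as a length, and `same_as_destination()` reports when the result coincides with the user's own address.

```python
"""Source IP calculation for ARP detection packets, as described above.

Added example, not H3C code. It applies the documented formula
source IP = (user IP & mask) | (factor IP & ~mask) and enforces the two
documented restrictions: the mask is not 255.255.255.255, and the
factor mask length is not shorter than the user's mask length.
"""
import ipaddress


def arp_source_ip(user_ip: str, user_prefixlen: int,
                  factor_ip: str, factor_mask: str) -> str:
    """Return the source IP the device would use for ARP detection packets
    sent to user_ip.  factor_mask may be dotted ("255.255.255.0") or a
    prefix length ("24"), matching the command's { mask | mask-length }."""
    factor_net = ipaddress.IPv4Network(f"0.0.0.0/{factor_mask}")
    if factor_net.prefixlen == 32:
        raise ValueError("the mask cannot be 255.255.255.255")
    if factor_net.prefixlen < user_prefixlen:
        raise ValueError("mask length must be >= the user's mask length")
    mask = int(factor_net.netmask)
    inv_mask = int(factor_net.hostmask)     # ~mask, e.g. 0.0.0.255 for /24
    user = int(ipaddress.IPv4Address(user_ip))
    factor = int(ipaddress.IPv4Address(factor_ip))
    return str(ipaddress.IPv4Address((user & mask) | (factor & inv_mask)))


def same_as_destination(user_ip: str, user_prefixlen: int,
                        factor_ip: str, factor_mask: str) -> bool:
    """True if the computed source equals the user's own address, so the
    detection packet would carry identical source and destination IPs."""
    return arp_source_ip(user_ip, user_prefixlen,
                         factor_ip, factor_mask) == user_ip


if __name__ == "__main__":
    # Constructed inputs: the reference's own worked example.
    print(arp_source_ip("192.168.8.1", 24, "1.1.1.11", "255.255.255.0"))
```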

Examples

# Specify 0.0.0.11/24 for calculating the source IP of ARP detection packets.

<Sysname> system-view

[Sysname] port-security packet-detect arp-source-ip factor 0.0.0.11 24

Related commands

mac-authentication packet-detect retry

dot1x packet-detect retry

port-security port-mode

Use port-security port-mode to set the port security mode of a port.

Use undo port-security port-mode to restore the default.

Syntax

port-security port-mode { autolearn | mac-and-userlogin-secure-ext | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }

undo port-security port-mode

Default

A port operates in noRestrictions mode, where port security does not take effect.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

Keywords and the security modes they set:

autolearn (security mode: autoLearn)

A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses. Instead, the MAC addresses are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.

A port in autoLearn mode allows frames sourced from the following MAC addresses to pass:

·     Secure MAC addresses.

·     MAC addresses configured by using the mac-address dynamic and mac-address static commands.

When the number of secure MAC addresses reaches the upper limit set by the port-security max-mac-count command, the port changes to secure mode.

mac-and-userlogin-secure-ext (security mode: macAddressAndUserLoginSecureExt)

In this mode, a user must pass both MAC authentication and 802.1X authentication to access the authorized network resources.

The device uses the following process to handle an access user on a port operating in this mode:

1.     Performs MAC authentication for the user.

2.     Marks the user as a temporary MAC authentication user when the user passes MAC authentication. A temporary MAC authentication user can access only resources in the 802.1X guest VLAN.

3.     After receiving 802.1X protocol packets from the user on the port, the device performs 802.1X authentication for the user.

4.     After the user passes 802.1X authentication on the port, the device removes the temporary MAC authentication user entry. Then, the user comes online as an 802.1X user.

mac-authentication (security mode: macAddressWithRadius)

In this mode, a port performs MAC authentication for users and services multiple users.

mac-else-userlogin-secure (security mode: macAddressElseUserLoginSecure)

This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority. In this mode, the port allows one 802.1X authentication user and multiple MAC authentication users to log in.

·     Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication.

·     Upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.

mac-else-userlogin-secure-ext (security mode: macAddressElseUserLoginSecureExt)

Same as the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.

secure (security mode: secure)

In this mode, MAC address learning is disabled on the port and you can configure MAC addresses by using the mac-address static and mac-address dynamic commands.

The port permits only frames sourced from the following MAC addresses to pass:

·     Secure MAC addresses.

·     MAC addresses configured by using the mac-address static and mac-address dynamic commands.

userlogin (security mode: userLogin)

In this mode, a port performs 802.1X authentication and implements port-based access control.

If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication.

userlogin-secure (security mode: userLoginSecure)

In this mode, a port performs 802.1X authentication and implements MAC-based access control. The port services only one user passing 802.1X authentication.

userlogin-secure-ext (security mode: userLoginSecureExt)

Same as the userLoginSecure mode, except that this mode supports multiple online 802.1X users.

userlogin-secure-or-mac (security mode: macAddressOrUserLoginSecure)

This mode is the combination of the userLoginSecure and macAddressWithRadius modes. In this mode, the port allows one 802.1X authentication user and multiple MAC authentication users to log in.

In this mode, the port performs 802.1X authentication first. By default, if 802.1X authentication fails, MAC authentication is performed.

However, the port in this mode processes authentication differently when the following conditions exist:

·     The port is enabled with parallel processing of MAC authentication and 802.1X authentication.

·     The port is enabled with the 802.1X unicast trigger.

·     The port receives a packet from an unknown MAC address.

Under such conditions, the port sends a unicast EAP-Request/Identity packet to the MAC address to initiate 802.1X authentication. After that, the port immediately processes MAC authentication without waiting for the 802.1X authentication result.

userlogin-secure-or-mac-ext (security mode: macAddressOrUserLoginSecureExt)

Same as the macAddressOrUserLoginSecure mode, except that a port in this mode supports multiple 802.1X and MAC authentication users.

userlogin-withoui (security mode: userLoginWithOUI)

Similar to the userLoginSecure mode. In addition, a port in this mode also permits frames from a user whose MAC address contains a specific OUI.

In this mode, the port performs the OUI check first. If the OUI check fails, the port performs 802.1X authentication. The port permits frames that pass the OUI check or 802.1X authentication.

Usage guidelines

To change the security mode of a port with port security enabled, you must set the port to noRestrictions mode first. Do not change the port security mode when the port has online users.

IMPORTANT:

If you are configuring the autoLearn mode, first set port security's limit on the number of secure MAC addresses on the port by using the port-security max-mac-count (without specifying the vlan keyword) command. You cannot change the setting when the port is operating in autoLearn mode.

When port security is enabled, you cannot enable 802.1X or MAC authentication, or change the access control mode or port authorization state. Port security automatically modifies these settings in different security modes.

As a best practice, do not enable the mac-else-userlogin-secure or mac-else-userlogin-secure-ext mode on the port where MAC authentication delay is enabled. The two modes are mutually exclusive with the MAC authentication delay feature. For more information about MAC authentication delay, see "MAC authentication commands."

When the port security mode is macAddressAndUserLoginSecureExt on a port, follow these restrictions and guidelines:

·     To make sure the 802.1X clients attached to the port can initiate authentication, enable unicast trigger on the port by using the dot1x unicast-trigger command.

·     The guest VLAN for MAC authentication on the port does not take effect. For the temporary MAC authentication users to access a limited set of resources, configure an 802.1X guest VLAN on the port.

·     If accounting is not required for the temporary MAC authentication users, configure different ISP domains for MAC authentication users and 802.1X users. In the ISP domain for MAC authentication users, set the accounting method to none.

If a port operating in macAddressAndUserLoginSecureExt mode is configured with an 802.1X guest VLAN, you must use the port-security mac-move permit command to enable inter-VLAN MAC move on the port. Without this command, a user that has passed MAC authentication cannot come online through 802.1X authentication when the user's initial VLAN and the guest VLAN are different VLANs.

Examples

# Enable port security, and set GigabitEthernet 1/0/1 to operate in secure mode.

<Sysname> system-view

[Sysname] port-security enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security port-mode secure

# Change the port security mode of GigabitEthernet 1/0/1 to userLogin.

[Sysname-GigabitEthernet1/0/1] undo port-security port-mode

[Sysname-GigabitEthernet1/0/1] port-security port-mode userlogin

Related commands

display port-security

port-security max-mac-count

port-security pre-auth domain

Use port-security pre-auth domain to specify a preauthentication domain for port security users on a port.

Use undo port-security pre-auth domain to restore the default.

Syntax

port-security pre-auth domain isp-name

undo port-security pre-auth domain

Default

No preauthentication domain is specified for port security users on a port.

Views

Layer 2 Ethernet interface view

Port security authentication profile view

Predefined user roles

network-admin

Parameters

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The ISP domain name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

A preauthentication domain accommodates 802.1X, Web authentication, and MAC authentication users that have not performed authentication. A preauthentication domain is applicable to the following scenarios:

·     A user accesses the network for the first time. This scenario is applicable only to 802.1X and Web authentication users.

·     A user fails authentication, but no Auth-Fail domain is configured.

·     No server is reachable, but the critical domain is not configured.

When a port is configured with a preauthentication domain, users that access that port and are assigned to the preauthentication domain receive the authorization attributes (including ACL and VLAN) configured in that domain. They can access only the network resources permitted in the preauthentication domain. If they pass authentication, AAA assigns new authorization information to them.

If the ACL and VLAN authorization settings in the current preauthentication domain have changes, the changes take effect only on users that are assigned to the preauthentication domain after the changes are made. Users that have been assigned to the preauthentication domain before the changes are made still use the original settings.

On a port, a user that fails MAC authentication is still assigned to the preauthentication domain as a MAC authentication user after 802.1X authentication is triggered for the user if the following conditions exist:

·     802.1X authentication and MAC authentication are both enabled on the port.

·     No Auth-Fail domain is configured on the port.

802.1X, MAC authentication, and Web authentication users support the VLAN and ACL authorization attributes in the preauthentication domain.

Users in the preauthentication domain count as online users and consume online user resources on the port.

Users in the preauthentication domain do not support features triggered by the AAA server, such as DMs (RADIUS Disconnect-Messages), CoA messages, and RADIUS session control.

Examples

# Specify ISP domain bbb as the preauthentication domain for port security users on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security pre-auth domain bbb

Related commands

display port-security

port-security reauth-trigger server-reachable

Use port-security reauth-trigger server-reachable to have the device immediately trigger reauthentication for users in the preauthentication domain or Auth-Fail domain when the authentication server becomes reachable.

Use undo port-security reauth-trigger server-reachable to restore the default.

Syntax

port-security reauth-trigger server-reachable { auth-fail-domain | preauth-domain }

undo port-security reauth-trigger server-reachable { auth-fail-domain | preauth-domain }

Default

When the authentication server changes from unreachable to reachable, the device does not immediately trigger reauthentication for users.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

auth-fail-domain: Immediately triggers reauthentication for users in the Auth-Fail domain when the authentication server becomes reachable.

preauth-domain: Immediately triggers reauthentication for users in the preauthentication domain when the authentication server becomes reachable.

Usage guidelines

Application scenarios

On a port, users might be assigned to the preauthentication domain or Auth-Fail domain when all the authentication servers are unreachable or have failed. To have the device immediately trigger reauthentication for these users when any one of the authentication servers becomes reachable, use this feature.

When the device triggers reauthentication for preauthentication or Auth-Fail domain users, the device sets the maximum reauthentication attempts for them to the value set by using the port-security re-authenticate max-attempt command.

Prerequisites

Execute the port-security timer reauth-period { auth-fail-domain | preauth-domain } command to set the periodic reauthentication timers for users in the preauthentication and Auth-Fail domains to non-zero values.

Examples

# Enable immediate reauthentication for preauthentication domain users on port GigabitEthernet 1/0/1 after the authentication server becomes reachable.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security reauth-trigger server-reachable preauth-domain

Related commands

port-security re-authenticate max-attempt

port-security timer reauth-period { auth-fail-domain | preauth-domain }

port-security re-authenticate max-attempt

Use port-security re-authenticate max-attempt to specify the maximum number of user reauthentication attempts.

Use undo port-security re-authenticate max-attempt to restore the default.

Syntax

port-security re-authenticate max-attempt { auth-fail-domain | preauth-domain } max-attempt

undo port-security re-authenticate max-attempt { auth-fail-domain | preauth-domain }

Default

The device does not limit the number of reauthentication attempts.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

auth-fail-domain: Sets the maximum number of reauthentication attempts for users in the Auth-Fail domain.

preauth-domain: Sets the maximum number of reauthentication attempts for users in the preauthentication domain.

max-attempt: Specifies the maximum number of reauthentication attempts a user can make. The value range is 0 to 14400. A value of 0 indicates that no reauthentication is performed.

Usage guidelines

Application scenarios

By default, the device performs periodic reauthentication for users in the preauthentication domain and Auth-Fail domain, and the number of reauthentications is not limited. Because system resources are limited, an unlimited number of failed reauthentications can cause resource contention and degrade device performance. To protect device performance, use this feature to set the maximum number of reauthentication attempts, so that such users cannot occupy system resources for an extended period.

With this feature, after the maximum number of reauthentications is reached for a preauthentication or Auth-Fail domain user, the device will not trigger periodic reauthentication for that user. The user remains in the current domain and can initiate reauthentication from the client.

Prerequisites

Execute the port-security timer reauth-period { auth-fail-domain | preauth-domain } command to set the periodic reauthentication timers for users in the preauthentication and Auth-Fail domains to non-zero values.

Restrictions and guidelines

This command takes effect only on users who join the preauthentication domain or Auth-Fail domain after the command is executed.

Examples

# Set the maximum number of reauthentication attempts to 10 for preauthentication domain users on port GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security re-authenticate max-attempt preauth-domain 10

Related commands

port-security timer reauth-period { auth-fail-domain | preauth-domain }

port-security single-access enable

Use port-security single-access enable to enable single-access authentication.

Use undo port-security single-access enable to disable single-access authentication.

Syntax

port-security single-access enable

undo port-security single-access enable

Default

When multiple authentication methods are configured on an interface, users can proceed with other methods of authentication after passing one.

Views

Interface view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

By default, when multiple authentication methods are configured on an interface, a user can proceed with other methods after passing one. For more information, see configuring triple authentication in Security Configuration Guide. For example, if a client sends an EAP message after the client user has come online through MAC authentication, the device performs 802.1X authentication for the user. If 802.1X authentication succeeds, the user will come online as an 802.1X user.

If single-access authentication is enabled, users will not undergo any other authentication methods after they have authenticated with one method.

Restrictions and guidelines

If multi-authentication mode is used, this feature does not take effect.

Examples

# Enable single-access authentication on port GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security single-access enable

port-security static-user

Use port-security static-user to configure a static user range for port access authentication.

Use undo port-security static-user to restore the default.

Syntax

port-security static-user { ip | ipv6 } start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ] [ domain isp-name | [ interface interface-type interface-number [ detect ] ] vlan vlan-id | mac mac-address | keep-online ] *

undo port-security static-user { ip | ipv6 } start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]

Default

No static user ranges are configured.

Views

System view

Predefined user roles

network-admin

Parameters

ip: Specifies the IPv4 addresses of the static user range.

ipv6: Specifies the IPv6 addresses of the static user range.

start-ip-address [ end-ip-address ]: Specifies the IP address range of the static user range. The start-ip-address argument represents the start IP address and the end-ip-address argument represents the end IP address. If you specify only the start IP address, the static user range contains only one static user and the specified start IP address is the IP address of the static user.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the static user range belongs. The vpn-instance-name argument represents the VPN instance name, which is a case-sensitive string of 1 to 31 characters. If the static user range belongs to the public network, do not specify this option.

domain isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The ISP domain name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

interface interface-type interface-number: Specifies an interface by its type and number.

detect: Allows the device to periodically send ARP messages to trigger authentication for static users in the static user range when the static users are not online.

vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094.

mac mac-address: Specifies the MAC address of the static user range, in the format of H-H-H.

keep-online: Allows the static users in the range to stay online permanently. With this keyword, the device does not perform offline detection on the static user range. If you do not specify this keyword, the device performs offline detection on the static user range.

Usage guidelines

When you configure a static user range, follow these restrictions and guidelines:

·     In the public network or the same VPN instance, the IP address ranges for all static user ranges cannot overlap.

·     When you use the undo port-security static-user command to delete a static user range, you must specify exactly the IP address range that was specified when the static user range was configured. You cannot delete only part of the IP addresses in the range.

·     Modification to a static user range does not affect online static users. The modification takes effect only on static users that will come online.

The device supports a maximum of 50000 static user ranges.

When the maximum number of static users is reached on a port, the port denies subsequent static users. The subsequent static users cannot come online through other access authentication methods on the port.
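The restrictions above (no overlapping ranges within the public network or within one VPN instance, deletion only of the exact range that was configured, a limit of 50000 ranges, and a single-address range when end-ip-address is omitted) are the kind of checks a configuration generator or audit script has to apply before pushing port-security static-user commands. The following Python table is an added example, not H3C code; the class, method names and the constructed 20.20.20.x addresses are this example's own.

```python
"""Static user range table applying the validation rules of the usage guidelines."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_STATIC_USER_RANGES = 50000   # limit stated on the page


@dataclass(frozen=True)
class StaticUserRange:
    family: str                           # "ip" (IPv4) or "ipv6"
    start: ipaddress._BaseAddress
    end: ipaddress._BaseAddress
    vpn_instance: Optional[str] = None    # None = public network

    def contains(self, addr: ipaddress._BaseAddress) -> bool:
        return addr.version == self.start.version and self.start <= addr <= self.end

    def overlaps(self, other: "StaticUserRange") -> bool:
        # Overlap only matters inside the same family and the same VPN instance.
        return (self.family == other.family
                and self.vpn_instance == other.vpn_instance
                and self.start <= other.end and other.start <= self.end)


def _parse(family: str, start: str, end: Optional[str],
           vpn_instance: Optional[str]) -> StaticUserRange:
    """Build a range from the { ip | ipv6 } start [ end ] [ vpn-instance ] operands."""
    s = ipaddress.ip_address(start)
    e = ipaddress.ip_address(end) if end is not None else s   # one-user range
    want = {"ip": 4, "ipv6": 6}[family]
    if s.version != want or e.version != want:
        raise ValueError(f"{family} range given a non-IPv{want} address")
    if e < s:
        raise ValueError("end address precedes start address")
    return StaticUserRange(family, s, e, vpn_instance)


class StaticUserTable:
    def __init__(self) -> None:
        self.ranges: List[StaticUserRange] = []

    def conflicts(self, family, start, end=None, vpn_instance=None) -> Optional[StaticUserRange]:
        """Return the configured range a candidate would overlap, or None."""
        cand = _parse(family, start, end, vpn_instance)
        for existing in self.ranges:
            if existing.overlaps(cand):
                return existing
        return None

    def add(self, family, start, end=None, vpn_instance=None) -> StaticUserRange:
        if len(self.ranges) >= MAX_STATIC_USER_RANGES:
            raise ValueError("static user range limit reached")
        clash = self.conflicts(family, start, end, vpn_instance)
        if clash is not None:
            raise ValueError(f"overlaps configured range {clash.start}-{clash.end}")
        new = _parse(family, start, end, vpn_instance)
        self.ranges.append(new)
        return new

    def has_exact(self, family, start, end=None, vpn_instance=None) -> bool:
        """True only for exactly the range that was configured (what undo needs)."""
        return _parse(family, start, end, vpn_instance) in self.ranges

    def remove(self, family, start, end=None, vpn_instance=None) -> None:
        if not self.has_exact(family, start, end, vpn_instance):
            raise KeyError("no static user range with exactly this address range")
        self.ranges.remove(_parse(family, start, end, vpn_instance))

    def lookup(self, address: str, vpn_instance=None) -> Optional[StaticUserRange]:
        """Return the range an endpoint address falls into, if it is a static user."""
        addr = ipaddress.ip_address(address)
        for r in self.ranges:
            if r.vpn_instance == vpn_instance and r.contains(addr):
                return r
        return None
```

Modelling the public network as vpn_instance=None lets the same range appear once in the public network and once per VPN instance, which is what the first restriction allows.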

Examples

# Configure IP address range 20.20.20.20 to 20.20.20.30 for a static user range. Users at IP addresses in the IP address range will come online as static users.

<Sysname> system-view

[Sysname] port-security static-user ip 20.20.20.20 20.20.20.30

Related commands

display port-security static-user

port-security static-user match-mac acl

Use port-security static-user match-mac acl to specify an ACL to match the MAC addresses of static users.

Use undo port-security static-user match-mac acl to restore the default.

Syntax

port-security static-user match-mac acl acl-number

undo port-security static-user match-mac acl

Default

No ACL is specified to match the MAC addresses of static users.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Typically, endpoints that match static user IP ranges come online as static users. However, the device recognizes the endpoints as MAC authentication users instead of static users in the following situations:

·     The first packet sent by an endpoint is a Layer 2 packet that does not contain an IP address. In this situation, the packet triggers MAC authentication first.

·     An endpoint has both IPv4 and IPv6 addresses and the first packet sent by the endpoint is an IPv6 packet, but only static user IPv4 ranges are configured on the device. In this situation, the packet triggers MAC authentication first.

To resolve these issues, use this command to make the MAC address the criterion for matching static users. With this command, the device allows users that match the specified ACL to trigger authentication and come online only as static users. These users cannot trigger other authentication processes.

The specified ACL must be a Layer 2 ACL. The ACL can contain only permit rules with the source MAC range criteria.

Examples

# Specify ACL 4001 to match the MAC addresses of static users.

<Sysname> system-view

[Sysname] port-security static-user match-mac acl 4001

Related commands

port-security static-user

acl

port-security static-user max-user

Use port-security static-user max-user to set the maximum number of concurrent static users allowed on a port.

Use undo port-security static-user max-user to restore the default.

Syntax

port-security static-user max-user max-number

undo port-security static-user max-user

Default

A port supports a maximum of 4294967295 concurrent static users.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

max-number: Sets the maximum number of concurrent static users allowed on a port. The value range is 1 to 4294967295.

Usage guidelines

Set the maximum number of concurrent static users on a port to prevent the system resources from being overused. When the maximum number is reached, the port denies subsequent static users.

Examples

# Configure GigabitEthernet 1/0/1 to support a maximum of 32 concurrent static users.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security static-user max-user 32

Related commands

display port-security static-user

port-security static-user password

Use port-security static-user password to configure a password for static users.

Use undo port-security static-user password to restore the default.

Syntax

port-security static-user password { cipher | simple } string

undo port-security static-user password

Default

No password is configured for static users.

Views

System view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password string. The string cannot contain a question mark (?) or a space. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

After a static user triggers authentication, the access device sends the configured password as the user's password to the authentication server.

This command takes effect only on static users that come online after this command is used.

Examples

# Configure the password as 123456 for static users.

<Sysname> system-view

[Sysname] port-security static-user password simple 123456

Related commands

display port-security static-user

port-security static-user timer detect-period

Use port-security static-user timer detect-period to set the interval at which the device actively sends ARP packets to trigger authentication for static users.

Use undo port-security static-user timer detect-period to restore the default.

Syntax

port-security static-user timer detect-period time-value

undo port-security static-user timer detect-period

Default

The device actively sends ARP packets to trigger authentication for static users at intervals of 3 minutes.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Sets the interval at which the device actively sends ARP packets to trigger authentication for static users. The value range for the interval is 60 to 2147483647, in seconds.

Usage guidelines

If you specify the detect keyword when using the port-security static-user command to configure a static user range, the device enables ARP detection for the static user range. With the port-security static-user timer detect-period command, the device sends ARP packets to the IP addresses specified by using the port-security static-user command at intervals as configured. These ARP packets trigger authentication for static users that have not come online.

If a large number of static users are configured, set the ARP detection interval to a larger value as a best practice. This configuration ensures that the device can detect all IP addresses in one interval.

Modification to the ARP detection interval takes effect only after the timer for the old ARP detection interval expires.

Examples

# Configure the device to actively send ARP packets to trigger authentication for static users at intervals of 100 seconds.

<Sysname> system-view

[Sysname] port-security static-user timer detect-period 100

Related commands

display port-security static-user

port-security static-user timer offline-detect

Use port-security static-user timer offline-detect to set the offline detect period for static users.

Use undo port-security static-user timer offline-detect to restore the default.

Syntax

port-security static-user timer offline-detect time-value

undo port-security static-user timer offline-detect

Default

The offline detect period is 5 minutes for static users.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Sets the offline detect period, in the range of 60 to 2147483647 seconds.

Usage guidelines

If you do not specify the keep-online keyword when using the port-security static-user command to configure a static user range, the device enables offline detection for online static users in the range. If the device fails to receive any traffic from an online static user within an offline detect period, the device logs off that user and requests the RADIUS accounting server to stop accounting for the user.

Examples

# Set the offline detect period to 100 seconds for static users.

<Sysname> system-view

[Sysname] port-security static-user timer offline-detect 100

Related commands

display port-security static-user

port-security static-user update-ip enable

Use port-security static-user update-ip enable to enable static user IP update.

Use undo port-security static-user update-ip enable to restore the default.

Syntax

port-security static-user update-ip enable

undo port-security static-user update-ip enable

Default

Static user IP update is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After you use the port-security static-user command to configure an IP address range for a static user range, endpoints at IP addresses in the specified IP address range will come online as static users. If the IP address of an endpoint changes, the endpoint might send abnormal ARP packets to the access device when it comes online. The source IP address of these ARP packets does not belong to the specified IP address range. This issue triggers the device to update the IP address of the endpoint when static user IP update is enabled. After address update, the endpoint is no longer a static user. As a result, the endpoint is logged off.

By default, the device does not update IP addresses for static users when it receives ARP packets with source IP address not belonging to the specified IP address range from these users. This setting prevents the ARP packets from logging off online static users. To trace IP address changes for endpoints, you can enable static user IP update to allow the device to update the IP addresses of static users.

Use static user IP update in conjunction with DHCP snooping, ARP snooping, DHCPv6 snooping, or ND snooping. To receive notifications about IP address changes from a snooping module, you must enable the corresponding snooping feature.

Examples

# Enable static user IP update.

<Sysname> system-view

[Sysname] port-security static-user update-ip enable

Related commands

display port-security static-user

port-security static-user user-name-format

Use port-security static-user user-name-format to configure the username format used by static users when they come online.

Use undo port-security static-user user-name-format to restore the default.

Syntax

port-security static-user user-name-format { ip-address | mac-address | system-name }

undo port-security static-user user-name-format

Default

The username of each static user is in the format of SysnameIP, in which Sysname is the name of the access device and IP is the user IP address. For example, if the name of the access device is test and the IP address of a static user is 1.1.1.1, the username of that static user is test1.1.1.1.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Uses the IP address of each static user as its username. For example, if the IP address of a static user is 1.1.1.1, its username is 1.1.1.1.

mac-address: Uses the MAC address of each static user as their usernames. For example, if the MAC address of a static user is 1a46-6209-0100 and no MAC-based user account format is configured, its username is 1a46-6209-0100.

system-name: Uses the name of the access device that each static user accesses as the username. For example, if the access device name for a static user is test, its username is test.

Usage guidelines

After a static user triggers authentication, the access device sends the username in the configured format to the authentication server.

If the device name is longer than 16 characters, the system only uses the first 16 characters to form a username.

When the usernames of static users are their IP or MAC addresses, do not enable RESTful server-assisted automatic MAC authentication user recovery. If you enable RESTful server-assisted automatic MAC authentication user recovery, the device will recover static users as MAC authentication users after the device reboots or recovers from a failure. For more information about RESTful server-assisted automatic MAC authentication user recovery, see MAC authentication configuration in Security Configuration Guide.

This command takes effect only on static users that come online after this command is used.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure static users to use their IP addresses as usernames when they come online.

<Sysname> system-view

[Sysname] port-security static-user user-name-format ip-address

Related commands

display port-security static-user

port-security static-user user-name-format mac-address

Use port-security static-user user-name-format mac-address to configure the user account format when MAC addresses of static users are used as their usernames.

Use undo port-security static-user user-name-format mac-address to restore the default.

Syntax

port-security static-user user-name-format mac-address { one-section | { six-section | three-section } delimiter { colon | hyphen } } [ uppercase ] [ password-with-mac ]

undo port-security static-user user-name-format mac-address

Default

A static user does not have a password when its MAC address is used as its username. The MAC address contains three hyphen-separated sections and letters in the MAC address are in lower case.

Views

System view

Predefined user roles

network-admin

Parameters

one-section: Specifies the one-section MAC address format, for example, xxxxxxxxxxxx or XXXXXXXXXXXX.

six-section: Specifies the six-section MAC address format, for example, xx-xx-xx-xx-xx-xx or XX-XX-XX-XX-XX-XX.

three-section: Specifies three-section MAC address format, for example, xxxx-xxxx-xxxx or XXXX-XXXX-XXXX.

delimiter: Specifies a delimiter to separate the sections in a MAC address.

·     colon: Uses the colon (:) as the delimiter.

·     hyphen: Uses the hyphen (-) as the delimiter.

uppercase: Uses letters in upper case. If you do not specify this keyword, letters in a MAC address are in lower case.

password-with-mac: Uses the MAC address of each static user as its password when the MAC address is used as the username. If you do not specify this keyword, the device uses the password configured by using the port-security static-user password command as the password of the static users.

Usage guidelines

This command has higher priority than the port-security static-user user-name-format and port-security static-user password commands.
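The username and password that reach the authentication server are what an administrator has to mirror in the RADIUS user database, so it helps to work through the formats of the port-security static-user user-name-format command above and of this mac-address variant in code. The following Python is an added example, not H3C code: the function names and the option dictionary are this example's own, the 16-character device-name truncation and the default three-section lower-case MAC form follow the text, and the sample device name, IP and MAC are constructed.

```python
"""Username and password a static user presents to the authentication server."""
import re
from typing import Optional, Tuple

SYSNAME_MAX = 16   # only the first 16 characters of the device name form a username


def normalize_mac(mac: str) -> str:
    """Return the 12 hex digits of a MAC written in any common notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def format_mac(mac: str, sections: str = "three-section",
               delimiter: str = "hyphen", uppercase: bool = False) -> str:
    """Render a MAC in one-/three-/six-section form; the page's default is
    three hyphen-separated sections in lower case."""
    digits = normalize_mac(mac)
    sep = {"hyphen": "-", "colon": ":"}[delimiter]
    if sections == "one-section":          # xxxxxxxxxxxx, no delimiter
        out = digits
    elif sections == "three-section":      # xxxx-xxxx-xxxx
        out = sep.join(digits[i:i + 4] for i in range(0, 12, 4))
    elif sections == "six-section":        # xx-xx-xx-xx-xx-xx
        out = sep.join(digits[i:i + 2] for i in range(0, 12, 2))
    else:
        raise ValueError(f"unknown section format: {sections}")
    return out.upper() if uppercase else out


def static_user_credentials(name_format: str, sysname: str, ip: str, mac: str,
                            configured_password: Optional[str] = None,
                            mac_opts: Optional[dict] = None) -> Tuple[str, Optional[str]]:
    """Return (username, password) for one static user.

    name_format: "default" (SysnameIP), "ip-address", "mac-address" or "system-name".
    configured_password: what `port-security static-user password` set, if anything.
    mac_opts: sections / delimiter / uppercase / password_with_mac, mirroring the
    `user-name-format mac-address` keywords (page defaults assumed where omitted).
    """
    device = sysname[:SYSNAME_MAX]
    if name_format == "default":           # e.g. device "test" + IP 1.1.1.1 -> test1.1.1.1
        return device + ip, configured_password
    if name_format == "ip-address":
        return ip, configured_password
    if name_format == "system-name":
        return device, configured_password
    if name_format == "mac-address":
        opts = mac_opts or {}
        username = format_mac(mac, opts.get("sections", "three-section"),
                              opts.get("delimiter", "hyphen"),
                              opts.get("uppercase", False))
        # password-with-mac: the formatted MAC doubles as the password;
        # otherwise the password from `port-security static-user password` applies.
        password = username if opts.get("password_with_mac") else configured_password
        return username, password
    raise ValueError(f"unknown username format: {name_format}")


if __name__ == "__main__":
    # Constructed sample values mirroring the examples in the text.
    print(static_user_credentials("default", "test", "1.1.1.1", "1a46-6209-0100"))
    print(static_user_credentials("mac-address", "test", "1.1.1.1", "1a46-6209-0100",
                                  mac_opts={"sections": "six-section", "delimiter": "hyphen",
                                            "uppercase": True, "password_with_mac": True}))
```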

Examples

# Configure static users to use six-section MAC addresses as their usernames for authentication. Letters in the MAC addresses are in upper case and the sections in the MAC addresses are separated by hyphen (-). The MAC addresses of static users are also used as their passwords.

<Sysname> system-view

[Sysname] port-security static-user user-name-format mac-address six-section delimiter hyphen uppercase password-with-mac

Related commands

display port-security static-user

port-security timer

Use port-security timer to set port security timers.

Use undo port-security timer to restore the default.

Syntax

port-security timer { reauth-period { auth-fail-domain | preauth-domain } | user-aging { auth-fail-domain | critical-domain | preauth-domain } } time-value

undo port-security timer { reauth-period { auth-fail-domain | preauth-domain } | user-aging { auth-fail-domain | critical-domain | preauth-domain } }

Default

The period for the periodic reauthentication timer is 600 seconds. The period for the user aging timer is 23 hours.

Views

System view

Predefined user roles

network-admin

Parameters

reauth-period: Specifies the periodic reauthentication timer.

preauth-domain: Specifies the preauthentication domain.

auth-fail-domain: Specifies the Auth-Fail domain.

critical-domain: Specifies the critical domain.

user-aging: Sets the user aging timer.

time-value: Specifies the timer period as an integer. The value for the periodic reauthentication period is 0 or in the range of 30 to 7200, in seconds. Value 0 indicates that periodic reauthentication is disabled. The value for the user aging period is 0 or in the range of 60 to 4294860, in seconds. Value 0 indicates that the specified users will not age out.

Usage guidelines

If the periodic reauthentication period (reauth-period) is not 0, periodic reauthentication is enabled. The device initiates reauthentication for online users on a port at intervals as configured.

If the user aging period (user-aging) is not 0 for a specific domain, user entries in the domain will age out. When the aging timer expires, the users will leave the specified domain.

The periodic reauthentication period does not take effect on Web authentication users.

The users that are allowed to stay online by the authen-radius-recover online command are controlled by the user aging timer in the critical domain. When the user aging timer expires, the users will go offline. For more information about the authen-radius-recover online command, see "AAA commands."

Examples

# Set the user aging period to 60 seconds for users in the preauthentication domain.

<Sysname> system-view

[Sysname] port-security timer user-aging preauth-domain 60

Related commands

display port-security

authen-radius-recover online

port-security timer autolearn aging

Use port-security timer autolearn aging to set the secure MAC aging timer.

Use undo port-security timer autolearn aging to restore the default.

Syntax

port-security timer autolearn aging [ second ] time-value

undo port-security timer autolearn aging

Default

Secure MAC addresses do not age out.

Views

System view

Predefined user roles

network-admin

Parameters

second: Specifies the aging timer in seconds for secure MAC addresses. If you do not specify this keyword, the command sets the aging timer in minutes for secure MAC addresses.

time-value: Specifies the aging timer. The value range is 0 to 129600 if the unit is minute. To disable the aging timer, set the timer to 0. The value range is 10 to 7776000 if the unit is second.

Usage guidelines

The timer applies to all sticky secure MAC addresses and those automatically learned by a port.

The effective aging timer varies by the aging timer setting:

·     If the aging timer is set in seconds, the effective aging timer can be either of the following values:

¡     The configured aging timer rounded up to the next multiple of 30 seconds if the configured timer is not less than 60 seconds. Rounding is always upward, so the effective aging timer is never shorter than the configured aging timer.

¡     The configured aging timer if the configured timer is less than 60 seconds.

·     If the aging timer is set in minutes, the effective aging timer is the configured aging timer.

A short aging time improves port access security and port resource utilization but affects online user stability. Set an appropriate secure MAC address aging timer according to your device performance and the network environment.

When a short aging time (less than 60 seconds) works with inactivity aging, do not assign a large value to the maximum number of secure MAC addresses on a port. A large value in this case might affect device performance.
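To make the rounding rule and the value ranges concrete, the following added Python model (not H3C code) maps a configured autolearn aging value to the effective timer and flags the short-timer caveat; the function names are my own.

```python
"""Model of the effective secure MAC aging timer set by
'port-security timer autolearn aging'. Added illustration, not H3C code."""
import math
from typing import Optional

# Accepted value ranges from the Parameters section; 0 (minutes) disables aging.
MINUTE_RANGE = (0, 129600)
SECOND_RANGE = (10, 7776000)


def validate(time_value: int, unit: str) -> None:
    """Reject values the command would not accept for the chosen unit."""
    ranges = {"minute": MINUTE_RANGE, "second": SECOND_RANGE}
    if unit not in ranges:
        raise ValueError(f"unit must be 'minute' or 'second', got {unit!r}")
    lo, hi = ranges[unit]
    if not lo <= time_value <= hi:
        raise ValueError(f"{time_value} is outside the {lo}-{hi} {unit} range")


def effective_aging_seconds(time_value: int, unit: str = "minute") -> Optional[int]:
    """Return the effective aging timer in seconds, or None if aging is disabled.

    Rules from the usage guidelines:
      * minutes: the effective timer equals the configured timer;
      * seconds below 60: used exactly as configured;
      * seconds of 60 or more: rounded UP to a multiple of 30 seconds, so the
        effective timer is never shorter than the configured one.
    """
    validate(time_value, unit)
    if unit == "minute":
        return None if time_value == 0 else time_value * 60
    if time_value < 60:
        return time_value
    return math.ceil(time_value / 30) * 30


def cli_line(time_value: int, unit: str = "minute") -> str:
    """Render the system-view command that produces this setting."""
    validate(time_value, unit)
    keyword = "second " if unit == "second" else ""
    return f"port-security timer autolearn aging {keyword}{time_value}"


def plan(time_value: int, unit: str = "minute", inactivity_aging: bool = False) -> dict:
    """Summarise a setting: the command, the effective timer, and whether the
    short-timer caveat applies (a timer under 60 s combined with inactivity
    aging should not be paired with a large per-port secure MAC limit)."""
    eff = effective_aging_seconds(time_value, unit)
    return {
        "command": cli_line(time_value, unit),
        "effective_seconds": eff,
        "short_timer_caveat": eff is not None and eff < 60 and inactivity_aging,
    }


if __name__ == "__main__":
    # Constructed sample settings: the two documented examples plus edge cases.
    for value, unit in ((30, "minute"), (50, "second"), (61, "second"), (0, "minute")):
        print(plan(value, unit, inactivity_aging=True))
```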

Examples

# Set the secure MAC aging timer to 30 minutes.

<Sysname> system-view

[Sysname] port-security timer autolearn aging 30

# Set the secure MAC aging timer to 50 seconds.

<Sysname> system-view

[Sysname] port-security timer autolearn aging second 50

Related commands

display port-security

port-security mac-address security

port-security timer blockmac

Use port-security timer blockmac to set the block timer for MAC addresses in the blocked MAC address list.

Use undo port-security timer blockmac to restore the default.

Syntax

port-security timer blockmac time-value

undo port-security timer blockmac

Default

The block timer for blocked MAC addresses is 180 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Sets a timer value in the range of 1 to 3600 seconds.

Usage guidelines

Use the block timer in conjunction with the intrusion protection action that blocks the source MAC addresses of illegal frames.

The block timer sets the amount of time that a MAC address must remain in the blocked MAC address list before it is unblocked.

Examples

# Configure the intrusion protection action on GigabitEthernet 1/0/1 as blocking source MAC addresses of illegal frames, and set the block timer to 60 seconds.

<Sysname> system-view

[Sysname] port-security timer blockmac 60

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode blockmac

Related commands

display port-security

port-security intrusion-mode

port-security timer disableport

Use port-security timer disableport to set the silence period during which the port remains disabled.

Use undo port-security timer disableport to restore the default.

Syntax

port-security timer disableport time-value

undo port-security timer disableport

Default

The port silence period is 20 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the silence period in seconds during which the port remains disabled. The value is in the range of 20 to 300.

Usage guidelines

If you configure the intrusion protection action as disabling the port temporarily, use this command to set the silence period.

Examples

# Configure the intrusion protection action on GigabitEthernet 1/0/1 as disabling the port temporarily, and set the port silence period to 30 seconds.

<Sysname> system-view

[Sysname] port-security timer disableport 30

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily

Related commands

display port-security

port-security intrusion-mode

port-security topology-change detect-period

Use port-security topology-change detect-period to set the interval at which the device actively sends ARP or NS detection packets when the network topology changes.

Use undo port-security topology-change detect-period to restore the default.

Syntax

port-security topology-change detect-period time-value

undo port-security topology-change detect-period

Default

The device actively sends ARP or NS detection packets at intervals of 5 seconds when the network topology changes.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Sets the interval at which the device actively sends ARP or NS detection packets. The value range is 1 to 3600, in seconds.

Usage guidelines

The device sends ARP or NS packets to online users on a member port in a TC group at detection intervals through the other member port in that TC group if the following conditions exist:

·     The member port receives TC event messages sent by the STP module.

·     The device permits MAC move between member ports in a TC group.

As a best practice, set the detection interval to a large value if a large number of online users exist. This avoids starting the second round of detection before the first round of detection packets has been sent out completely.

The modification to the detection interval takes effect at the next detection interval.

Examples

# Configure the device to actively send ARP or NS detection packets at intervals of 100 seconds when the network topology changes.

<Sysname> system-view

[Sysname] port-security topology-change detect-period 100

Related commands

display port-security

port-security topology-change free-mac-move

port-security topology-change retry

port-security topology-change detect-retry

Use port-security topology-change detect-retry to set the maximum number of attempts for sending a detection packet when the network topology changes.

Use undo port-security topology-change detect-retry to restore the default.

Syntax

port-security topology-change detect-retry retries

undo port-security topology-change detect-retry

Default

The device attempts to send a detection packet for a maximum of three times when the network topology changes.

Views

System view

Predefined user roles

network-admin

Parameters

retries: Sets the maximum number of attempts for sending a detection packet. The value range is 1 to 10.

Usage guidelines

The device sends ARP or NS packets to online users on a member port in a TC group at detection intervals through the other member port in that TC group if the following conditions exist:

·     The member port receives TC event messages sent by the STP module.

·     The device permits MAC move between member ports in a TC group.

If the device does not receive any response packets for a user after it has made the maximum number of attempts for sending a detection packet, it determines that the network topology of the TC group has not changed. It does not move the user to the other member port.

Examples

# Configure the device to attempt to send a detection packet for a maximum of eight times when the network topology changes.

<Sysname> system-view

[Sysname] port-security topology-change detect-retry 8

Related commands

display port-security

port-security topology-change detect-period

port-security topology-change free-mac-move

port-security topology-change free-mac-move

Use port-security topology-change free-mac-move to permit MAC move between member ports in a TC group when the network topology changes.

Use undo port-security topology-change free-mac-move to restore the default.

Syntax

port-security topology-change free-mac-move

undo port-security topology-change free-mac-move

Default

MAC move is denied between member ports in a TC group when the network topology changes.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

When the network topology changes, the STP module sends a topology change (TC) event message to notify relevant devices that the network topology has changed. TC events might cause traffic forwarding exceptions on a member port in a TC group.

To resolve this issue, use this feature to permit MAC move between member ports in a TC group when the network topology changes. MAC move allows authenticated online users on a member port in a TC group to move to the other member port in the same TC group without being authenticated again. The process is as described in "Operating mechanism."

Use this feature on the device if the device is connected to users that cannot actively send packets to trigger MAC move when the network topology changes.

Operating mechanism

The operating mechanism of this feature is as follows:

·     If a member port in a TC group is up and receives a TC event message, the device searches for online authenticated users that come online from that port. In addition, the device sends ARP or NS detection packets to these users at detection intervals through the other member port in the same TC group.

¡     If the other member port receives a response packet for a user, that user moves to the other member port and comes online without being authenticated.

¡     If the other member port does not receive any response packets for a user after the device has made the maximum number of attempts for sending a detection packet, the device determines that the network topology of that TC group has not changed. It does not move the user to the other member port.

·     If the network topology changes because a member port in a TC group goes down, the device does not wait to receive TC event messages sent by the STP module or actively detect online authenticated users on that port from the other member port. Instead, it immediately moves the online authenticated users on that port to the other member port without authenticating them. To detect whether the users can come online correctly on the other member port, you can enable offline detection or ARP or NS packet detection on the other member port.

For more information about TC groups, see spanning tree configuration in Layer 2—LAN Switching Configuration Guide.

Restrictions and guidelines

This feature takes effect only on static users, MAC authentication users, and 802.1X users.

As a best practice to ensure successful MAC move between member ports in a TC group, the member ports in that TC group must use the same settings.

Examples

# Permit MAC move between member ports in a TC group when the network topology changes.

<Sysname> system-view

[Sysname] port-security topology-change free-mac-move

Related commands

port-security topology-change detect-period

port-security topology-change retry

stp tc-group (Layer 2—LAN Switching Command Reference)

port-security triple-auth-order mac-dot1x-web

Use port-security triple-auth-order mac-dot1x-web to configure the trigger order for authentication methods on a port as MAC authentication, 802.1X authentication, and Web authentication in a triple authentication environment.

Use undo port-security triple-auth-order to restore the default.

Syntax

port-security triple-auth-order mac-dot1x-web

undo port-security triple-auth-order

Default

In a triple authentication environment, the authentication that is triggered first depends on the type of packets sent from endpoints.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

This command takes effect only on ports with triple authentication enabled. Triple authentication allows Web authentication, MAC authentication, and 802.1X authentication to be enabled concurrently on a Layer 2 port for user access. Different types of endpoint packets trigger different types of authentication first. For more information, see triple authentication in Security Configuration Guide.

To enable any endpoint packets to trigger MAC authentication first, use this command.

A port can run authentication processes concurrently for multiple authentication methods. The failure of one authentication does not affect the processes for other authentication methods. However, if an endpoint passes one authentication on a port, the device handles processes for other authentication methods on the port as follows:

·     If the endpoint passes MAC authentication, the device generates a MAC authentication user entry on the port and continues to perform 802.1X authentication for the endpoint on the port. However, the device cannot continue Web authentication for the endpoint on the port.

¡     If the endpoint passes 802.1X authentication after MAC authentication, the device generates an 802.1X user entry for the endpoint on the port. The 802.1X user entry overwrites the MAC authentication user entry.

¡     If the endpoint does not pass 802.1X authentication after MAC authentication, the MAC authentication user entry is retained on the port. The endpoint can trigger 802.1X authentication again, but it cannot trigger Web authentication.

·     If the endpoint fails MAC authentication but passes 802.1X or Web authentication, the device immediately stops all authentication methods on the port except the one the endpoint has passed. In addition, the device can no longer trigger authentication processes for the stopped authentication methods for the endpoint on the port.

This command causes users that are being authenticated to fail authentication. The users must retrigger authentication to come online. As a best practice to avoid users failing to come online, use this command with caution.

Examples

# Configure the trigger order for authentication methods on GigabitEthernet 1/0/1 as MAC authentication, 802.1X authentication, and Web authentication.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security triple-auth-order mac-dot1x-web

Related commands

mac-authentication

dot1x

web-auth enable

port-security url-unavailable domain

Use port-security url-unavailable domain to specify a domain for port security users redirected to an unavailable URL.

Use undo port-security url-unavailable domain to restore the default.

Syntax

port-security url-unavailable domain isp-name

undo port-security url-unavailable domain

Default

No domain is specified for port security users redirected to an unavailable URL.

Views

Layer 2 Ethernet interface view

Port security authentication profile view

Predefined user roles

network-admin

Parameters

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

This command takes effect only on MAC authentication and Web authentication users.

During user authentication, if the Web server specified by the redirect URL is unavailable, users cannot be redirected to the Web authentication page on the Web server. As a result, the users cannot come online. To allow users to access the resources in an ISP domain when the redirect URL is unavailable, use this command to specify that ISP domain for the users.

The configuration for this command is mutually exclusive with the following 802.1X, MAC authentication, and Web authentication settings:

·     Guest VLAN settings.

·     Auth-Fail VLAN settings.

·     Critical VLAN settings.

Examples

# On GigabitEthernet 1/0/1, specify domain bbb for port security users redirected to an unavailable URL.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security url-unavailable domain bbb

Related commands

display port-security

reset port-security static-user

Use reset port-security static-user to log off online static users.

Syntax

reset port-security static-user [ interface interface-type interface-number | { ip | ipv6 } ip-address | mac mac-address | online-type { auth-fail-domain | critical-domain | preauth-domain | success } | user-name user-name ]

Views

User view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

{ ip | ipv6 } ip-address: Specifies an online static user by its IP address. If the static user has an IPv4 address, specify the ip keyword and use the ip-address argument to specify the IPv4 address of the static user. If the static user has an IPv6 address, specify the ipv6 keyword and use the ip-address argument to specify the IPv6 address of the static user.

mac mac-address: Specifies an online static user by its MAC address. The mac-address argument represents the MAC address, in the format of H-H-H.

online-type: Specifies a type of online static users.

·     auth-fail-domain: Specifies online static users in the Auth-Fail domain.

·     critical-domain: Specifies online static users in the critical domain.

·     preauth-domain: Specifies online static users in the preauthentication domain.

·     success: Specifies online static users that have passed authentication.

user-name user-name: Specifies an online static user by its username, a case-sensitive string of 1 to 253 characters.

Usage guidelines

If you do not specify any parameters, this command logs off all online static users.

Examples

# Log off all online static users on GigabitEthernet 1/0/1.

<Sysname> reset port-security static-user interface gigabitethernet 1/0/1

Related commands

display port-security static-user

reset port-security statistics

Use reset port-security statistics to clear port security statistics.

Syntax

reset port-security statistics

Views

User view

Predefined user roles

network-admin

Examples

# Clear port security statistics.

<Sysname> reset port-security statistics

Related commands

display port-security statistics

snmp-agent trap enable port-security

Use snmp-agent trap enable port-security to enable SNMP notifications for port security.

Use undo snmp-agent trap enable port-security to disable SNMP notifications for port security.

Syntax

snmp-agent trap enable port-security [ ac-creation-failure | acl-author-failure | acl-author-success | address-learned | dot1x-failure | dot1x-ip-change | dot1x-logoff | dot1x-logon | intrusion | intrusion-recover | mac-auth-failure | mac-auth-ip-change | mac-auth-logoff | mac-auth-logon | mac-auth-not-support | ntk-ineffective | port-mode-ineffective | url-author-failure | url-author-success ] *

undo snmp-agent trap enable port-security [ ac-creation-failure | acl-author-failure | acl-author-success | address-learned | dot1x-failure | dot1x-ip-change | dot1x-logoff | dot1x-logon | intrusion | intrusion-recover | mac-auth-failure | mac-auth-ip-change | mac-auth-logoff | mac-auth-logon | mac-auth-not-support | ntk-ineffective | port-mode-ineffective | url-author-failure | url-author-success ] *

Default

All port security SNMP notifications are disabled.

Views

System view

Predefined user roles

network-admin

Parameters

ac-creation-failure: Specifies notifications about AC creation failures.

acl-author-failure: Specifies notifications about ACL authorization failures.

acl-author-success: Specifies notifications about successful ACL authorizations.

address-learned: Specifies notifications about MAC address learning.

dot1x-failure: Specifies notifications about 802.1X authentication failures.

dot1x-ip-change: Specifies notifications about IP address changes of 802.1X users.

dot1x-logoff: Specifies notifications about 802.1X user logoffs.

dot1x-logon: Specifies notifications about 802.1X authentication successes.

intrusion: Specifies notifications about illegal frame detection.

intrusion-recover: Specifies notifications about the MAC unblock action and port state restoration upon expiration of the silence timeout and MAC block timers used in intrusion protection.

mac-auth-failure: Specifies notifications about MAC authentication failures.

mac-auth-ip-change: Specifies notifications about IP address changes of MAC authentication users.

mac-auth-logoff: Specifies notifications about MAC authentication user logoffs.

mac-auth-logon: Specifies notifications about MAC authentication successes.

mac-auth-not-support: Specifies notifications about unavailability of MAC authentication on an interface.

ntk-ineffective: Specifies notifications about the effectiveness of the NTK feature on interfaces.

port-mode-ineffective: Specifies notifications about ineffectiveness of a port security mode on an interface.

url-author-failure: Specifies notifications about URL authorization failures.

url-author-success: Specifies notifications about successful URL authorizations.

Usage guidelines

To report critical port security events to an NMS, enable SNMP notifications for port security. For port security event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

If you do not specify a notification, this command enables all SNMP notifications for port security.

For the intrusion or intrusion-recover keyword to take effect, make sure the intrusion protection feature is configured by using the port-security intrusion-mode command.

Examples

# Enable SNMP notifications about MAC address learning.

<Sysname> system-view

[Sysname] snmp-agent trap enable port-security address-learned

Related commands

display port-security

port-security enable
