Syntax
display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]
View
Any view
Parameters
interface interface-type interface-number: Specifies the port, by its type and number, whose security MAC address information is to be displayed.
vlan vlan-id: Specifies the VLAN, by its ID, whose security MAC address information is to be displayed. The value range for the vlan-id argument is 1 to 4094.
count: Displays the number of matching security MAC addresses.
Description
Use the display mac-address security command to display security MAC address entries.
If no argument is specified, the command displays information about all security MAC address entries.
For each security MAC address entry, the output displays the MAC address, the VLAN that the MAC address belongs to, the state of the MAC address (which is always security), the port associated with the MAC address, and the remaining lifetime of the entry.
By checking the output of this command, you can verify the current configuration.
Examples
# Display information about all security MAC address entries.
<Sysname> display mac-address security
MAC ADDR        VLAN ID  STATE     PORT INDEX             AGING TIME(s)
0000-0000-0001  1        Security  GigabitEthernet1/0/20  NOAGED
0000-0000-0002  1        Security  GigabitEthernet1/0/20  NOAGED
0000-0000-0003  1        Security  GigabitEthernet1/0/20  NOAGED
0000-0000-0004  1        Security  GigabitEthernet1/0/20  NOAGED
0000-0000-0001  2        Security  GigabitEthernet1/0/22  NOAGED
0000-0000-0007  2        Security  GigabitEthernet1/0/22  NOAGED
--- 6 mac address(es) found ---
# Display the security MAC address entries for port GigabitEthernet 1/0/20.
<Sysname> display mac-address security interface GigabitEthernet 1/0/20
MAC ADDR        VLAN ID  STATE     PORT INDEX             AGING TIME(s)
0000-0000-0001  1        Security  GigabitEthernet1/0/20  NOAGED
0000-0000-0002  1        Security  GigabitEthernet1/0/20  NOAGED
0000-0000-0003  1        Security  GigabitEthernet1/0/20  NOAGED
0000-0000-0004  1        Security  GigabitEthernet1/0/20  NOAGED
--- 4 mac address(es) found on port GigabitEthernet1/0/20 ---
# Display the security MAC address entries for VLAN 1.
<Sysname> display mac-address security vlan 1
MAC ADDR        VLAN ID  STATE     PORT INDEX             AGING TIME(s)
0000-0000-0001  1        Security  GigabitEthernet1/0/20  NOAGED
0000-0000-0002  1        Security  GigabitEthernet1/0/20  NOAGED
0000-0000-0003  1        Security  GigabitEthernet1/0/20  NOAGED
0000-0000-0004  1        Security  GigabitEthernet1/0/20  NOAGED
--- 4 mac address(es) found in vlan 1 ---
# Display the total number of security MAC address entries.
<Sysname> display mac-address security count
6 mac address(es) found
# Display the number of security MAC address entries for VLAN 1.
<Sysname> display mac-address security vlan 1 count
4 mac address(es) found in vlan 1
Table 1-1 Description on the fields of the display mac-address security command
| Field | Description |
| MAC ADDR | Security MAC address |
| VLAN ID | VLAN that the MAC address belongs to |
| STATE | MAC address type, which is always security for a security MAC address |
| PORT INDEX | Port associated with the MAC address |
| AGING TIME(s) | Remaining lifetime of the MAC address entry |
| mac address(es) found | Number of matching security MAC addresses |
Syntax
display port-security [ interface interface-list ]
View
Any view
Parameters
interface interface-list: Specifies a list of Ethernet ports whose port security configurations are to be displayed. For the interface-list argument, you can specify individual ports and port ranges. An individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2, with interface-number2 taking a value greater than interface-number1. The total number of individual ports and port ranges defined in the list must not exceed 10.
Description
Use the display port-security command to display port security configurations.
If no interface is specified, the command displays the port security configurations of all Ethernet ports.
The output of the command includes the global configurations (such as whether port security is enabled on the switch and whether the sending of specified Trap messages is enabled) and port configurations (such as the security mode and the port security features).
By checking the output of this command, you can verify the current configuration.
Examples
# Display the global port security configurations and those of all ports.
<Sysname> display port-security
Equipment port-security is enabled
AddressLearn trap is Enabled
Intrusion trap is Enabled
Dot1x logon trap is Enabled
Dot1x logoff trap is Enabled
Dot1x logfailure trap is Enabled
RALM logon trap is Enabled
RALM logoff trap is Enabled
RALM logfailure trap is Enabled
Disableport Timeout: 20 s
OUI value:
Index is 5, OUI value is 000100
GigabitEthernet1/0/1 is link-up
Port mode is AutoLearn
NeedtoKnow mode is needtoknowonly
Intrusion mode is BlockMacaddress
Max mac-address num is 4
Stored mac-address num is 0
Authorization is ignore
(The rest of the information is omitted.)
# Display the port security configurations of ports GigabitEthernet 1/0/1 to GigabitEthernet 1/0/3.
<Sysname> display port-security interface GigabitEthernet 1/0/1 to GigabitEthernet 1/0/3
GigabitEthernet1/0/1 is link-up
Port mode is AutoLearn
NeedtoKnow mode is needtoknowonly
Intrusion mode is BlockMacaddress
Max mac-address num is 4
Stored mac-address num is 0
Authorization is ignore
GigabitEthernet1/0/2 is link-down
Port mode is AutoLearn
NeedtoKnow mode is disabled
Intrusion mode is no action
Max mac-address num is not configured
Stored mac-address num is 0
Authorization is ignore
GigabitEthernet1/0/3 is link-down
Port mode is AutoLearn
NeedtoKnow mode is disabled
Intrusion mode is BlockMacaddress
Max mac-address num is not configured
Stored mac-address num is 0
Authorization is ignore
Table 1-2 Description on the fields of the display port-security command
| Field | Description |
| Equipment port security is enabled | Port security is enabled on the switch. |
| AddressLearn trap is Enabled | The sending of address-learning trap messages is enabled. |
| Intrusion trap is Enabled | The sending of intrusion-detection trap messages is enabled. |
| Dot1x logon trap is Enabled | The sending of 802.1x user authentication success trap messages is enabled. |
| Dot1x logoff trap is Enabled | The sending of 802.1x user logoff trap messages is enabled. |
| Dot1x logfailure trap is Enabled | The sending of 802.1x user authentication failure trap messages is enabled. |
| RALM logon trap is Enabled | The sending of MAC-based authentication success trap messages is enabled. |
| RALM logoff trap is Enabled | The sending of logoff trap messages for MAC-based authenticated users is enabled. |
| RALM logfailure trap is Enabled | The sending of MAC-based authentication failure trap messages is enabled. |
| Disableport Timeout: 20 s | The temporary port-disabling time is 20 seconds. |
| OUI value | The next line displays OUI value. |
| Index | OUI index |
| GigabitEthernet1/0/1 is link-up | The link status of port GigabitEthernet 1/0/1 is up. |
| Port mode is AutoLearn | The security mode of the port is autolearn. |
| NeedtoKnow mode is needtoknowonly | The NTK (Need To Know) mode is ntkonly. |
| Intrusion mode is BlockMacaddress | The intrusion detection mode is BlockMacaddress. |
| Max mac-address num is 4 | The maximum number of MAC addresses allowed on the port is 4. |
| Stored mac-address num is 0 | No MAC address is stored. |
| Authorization is ignore | Authorization information delivered by the Remote Authentication Dial-In User Service (RADIUS) server will not be applied to the port. |
Syntax
In system view:
mac-address security mac-address interface interface-type interface-number vlan vlan-id
undo mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]
In Ethernet port view:
mac-address security mac-address vlan vlan-id
undo mac-address security [ [ mac-address ] vlan vlan-id ]
View
System view, Ethernet port view
Parameters
mac-address: Security MAC address, in the H-H-H format.
interface interface-type interface-number: Specifies the port on which the security MAC address is to be added. The interface-type interface-number arguments indicate the port type and port number.
vlan vlan-id: Specifies the VLAN to which the MAC address belongs. The vlan-id argument specifies a VLAN ID in the range 1 to 4094.
Description
Use the mac-address security command to create a security MAC address entry.
Use the undo mac-address security command to remove a security MAC address.
By default, no security MAC address entry is configured.
- The mac-address security command can be configured successfully only when port security is enabled and the security mode is autolearn.
- To create a security MAC address entry successfully, you must make sure that the specified VLAN is carried on the specified port.
Examples
# Enable port security; configure the port security mode of GigabitEthernet 1/0/1 as autolearn and create a security MAC address entry for 0001-0001-0001, setting the associated port to GigabitEthernet 1/0/1 and assigning the MAC address to VLAN 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
[Sysname] interface GigabitEthernet1/0/1
[Sysname-GigabitEthernet1/0/1] port-security max-mac-count 100
[Sysname-GigabitEthernet1/0/1] port-security port-mode autolearn
[Sysname-GigabitEthernet1/0/1] mac-address security 0001-0001-0001 vlan 1
# Use the display mac-address interface command to verify the configuration result.
[Sysname] display mac-address interface GigabitEthernet 1/0/1
MAC ADDR        VLAN ID  STATE     PORT INDEX            AGING TIME(s)
0001-0001-0001  1        Security  GigabitEthernet1/0/1  NOAGED
--- 1 mac address(es) found on port GigabitEthernet1/0/1 ---
Syntax
port-security enable
undo port-security enable
View
System view
Parameters
None
Description
Use the port-security enable command to enable port security.
Use the undo port-security enable command to disable port security.
By default, port security is disabled.
Caution:
Enabling port security resets the following configurations on the ports to the defaults (as shown in parentheses below):
- 802.1x (disabled), port access control method (macbased), and port access control mode (auto)
- MAC authentication (disabled)
In addition, you cannot perform the above-mentioned configurations manually because these configurations change with the port security mode automatically.
Related commands: display port-security.
Examples
# Enable port security.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
Notice: The port-control of 802.1x will be restricted to auto when port-security is enabled.
Please wait... Done.
Syntax
port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
undo port-security intrusion-mode
View
Ethernet port view
Parameters
blockmac: Adds the source MAC addresses of illegal packets to the blocked MAC address list. As a result, the packets sourced from the blocked MAC addresses will be filtered out. A blocked MAC address will be unblocked three minutes (not user configurable) after the block action.
disableport: Disables a port permanently once an illegal frame or event is detected on it.
disableport-temporarily: Disables a port for a specified period of time after an illegal frame or event is detected on it. You can set the period with the port-security timer disableport command.
Description
Use the port-security intrusion-mode command to set intrusion protection.
Use the undo port-security intrusion-mode command to disable intrusion protection.
By default, intrusion protection is not configured.
By checking the source MAC addresses in inbound data frames or the username and password in 802.1x authentication requests on a port, intrusion protection detects illegal packets (packets with illegal MAC addresses) or events and takes a pre-set action accordingly. The actions you can set include disconnecting the port temporarily or permanently and blocking packets with invalid MAC addresses.
The following cases can trigger intrusion protection on a port:
- A packet with an unknown source MAC address is received on the port while MAC address learning is disabled on the port.
- A packet with an unknown source MAC address is received on the port while the number of security MAC addresses on the port has reached the preset maximum number.
- The user fails the 802.1x or MAC address authentication.
After executing the port-security intrusion-mode blockmac command, you can only use the display port-security command to view blocked MAC addresses.
Related commands: display port-security, port-security timer disableport.
Examples
# Configure the intrusion protection mode on GigabitEthernet 1/0/1 as blockmac.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode blockmac
# Display information about blocked MAC addresses after intrusion protection is triggered.
<Sysname> display port-security
Equipment port-security is enabled
AddressLearn trap is Enabled
Intrusion trap is Enabled
Dot1x logon trap is Enabled
Dot1x logoff trap is Enabled
Dot1x logfailure trap is Enabled
RALM logon trap is Enabled
RALM logoff trap is Enabled
RALM logfailure trap is Enabled
Disableport Timeout: 20 s
OUI value:
Index is 5, OUI value is 000100
Blocked Mac info:
MAC ADDR        From Port             Vlan
--- On unit 1, 2 blocked mac address(es) found. ---
0000-0000-0003  GigabitEthernet1/0/1  1
0000-0000-0004  GigabitEthernet1/0/1  1
--- 2 blocked mac address(es) found. ---
GigabitEthernet1/0/1 is link-up
Port mode is Secure
NeedtoKnow mode is disabled
Intrusion mode is BlockMacaddress
Max mac-address num is 2
Stored mac-address num is 2
Authorization is permit
For description on the output information, refer to Table 1-2.
# Configure the intrusion protection mode on GigabitEthernet 1/0/1 as disableport-temporarily. As a result, the port will be disconnected when intrusion protection is triggered and then re-enabled 30 seconds later.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security timer disableport 30
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
# Configure the intrusion protection mode on GigabitEthernet 1/0/1 as disableport. As a result, when intrusion protection is triggered, the port will be disconnected permanently.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode disableport
You can bring up a port that has been permanently disabled by running the undo shutdown command or disabling port security on the port.
Syntax
port-security authorization ignore
undo port-security authorization ignore
View
Ethernet port view
Parameters
None
Description
Use the port-security authorization ignore command to configure the port to ignore the authorization information delivered by the RADIUS server.
Use the undo port-security authorization ignore command to restore the default configuration.
By default, the port uses (does not ignore) the authorization information delivered by the RADIUS server.
You can use the display port-security command to check whether the port will use the authorization information delivered by the RADIUS server.
After a RADIUS user passes authentication, the RADIUS server authorizes the attributes configured for the user account such as the dynamic VLAN configuration. For more information, refer to AAA Command.
Examples
# Configure GigabitEthernet 1/0/2 to ignore the authorization information delivered by the RADIUS server.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface GigabitEthernet 1/0/2
[Sysname-GigabitEthernet1/0/2] port-security authorization ignore
Syntax
port-security max-mac-count count-value
undo port-security max-mac-count
View
Ethernet port view
Parameters
count-value: Maximum number of MAC addresses allowed on the port, in the range of 1 to 1024.
Description
Use the port-security max-mac-count command to set the maximum number of MAC addresses allowed on the port.
Use the undo port-security max-mac-count command to cancel this limit.
By default, there is no limit on the number of MAC addresses allowed on the port.
By configuring the maximum number of MAC addresses allowed on a port, you can:
- Limit the number of users accessing the network through the port.
- Limit the number of security MAC addresses that can be added on the port.
When the maximum number of MAC addresses allowed on a port is reached, the port will not allow more users to access the network through this port.
Caution:
- The port-security max-mac-count command is independent of the maximum number of MAC addresses that can be learned on a port, which is configured in MAC address management.
- When there are online users on a port, you cannot run the port-security max-mac-count command on the port.
Examples
# Set the maximum number of MAC addresses allowed on the port to 100.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security max-mac-count 100
Syntax
port-security ntk-mode { ntkonly | ntk-withbroadcasts | ntk-withmulticasts }
undo port-security ntk-mode
View
Ethernet port view
Parameters
ntkonly: Allows the port to transmit only unicast packets with successfully-authenticated destination MAC addresses.
ntk-withbroadcasts: Allows the port to transmit broadcast packets and unicast packets with successfully-authenticated destination MAC addresses.
ntk-withmulticasts: Allows the port to transmit multicast packets, broadcast packets and unicast packets with successfully-authenticated destination MAC addresses.
Description
Use the port-security ntk-mode command to configure the NTK feature on the port.
Use the undo port-security ntk-mode command to restore the default setting.
By default, NTK is disabled on a port, that is, all frames are allowed to be sent.
By checking the destination MAC addresses of the data frames to be sent from a port, the NTK feature ensures that only successfully authenticated devices can obtain data frames from the port, thus preventing illegal devices from intercepting network data.
Examples
# Set the NTK feature to ntk-withbroadcasts on GigabitEthernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security ntk-mode ntk-withbroadcasts
Syntax
port-security oui OUI-value index index-value
undo port-security oui index index-value
View
System view
Parameters
OUI-value: OUI value. You can input a 48-bit MAC address in the form of H-H-H for this argument and the system will take the first 24 bits as the OUI value and ignore the rest.
index-value: OUI index, ranging from 1 to 16.
The organizationally unique identifiers (OUIs) are assigned by the IEEE to different vendors. Each OUI uniquely identifies an equipment vendor in the world and is the higher 24 bits of a MAC address.
Description
Use the port-security oui command to set an OUI value for authentication.
Use the undo port-security oui command to cancel the OUI value setting.
By default, no OUI value is set for authentication.
Caution:
- The OUI value set by this command takes effect only when the security mode of the port is set to userLoginWithOUI by the port-security port-mode command.
- The OUI value set by this command cannot be a multicast MAC address.
Related commands: port-security port-mode.
Examples
# Configure an OUI value of 00ef-ec00-0000, setting the OUI index to 5.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security oui 00ef-ec00-0000 index 5
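The OUI-value rules above (first 24 bits kept, index 1 to 16, no multicast address) can be checked before a value is pushed to a switch. The following Python sketch is an added example, not part of the original command reference; the function names are hypothetical, and left-padding H-H-H groups shorter than four digits with zeros is an assumption of this example.

```python
import re

_GROUP = re.compile(r"[0-9A-Fa-f]{1,4}")


def parse_h_h_h(mac):
    """Return the 6 raw bytes of a MAC address written in H-H-H form."""
    groups = mac.strip().split("-")
    if len(groups) != 3 or not all(_GROUP.fullmatch(g) for g in groups):
        raise ValueError("not an H-H-H MAC address: %r" % mac)
    # Assumption: a group shorter than four digits is left-padded with zeros.
    return bytes.fromhex("".join(g.zfill(4) for g in groups))


def oui_of(mac):
    """First 24 bits of the address, as six lowercase hex digits."""
    return parse_h_h_h(mac)[:3].hex()


def validate_oui_entry(oui_value, index):
    """Apply the documented constraints; return the OUI that would be kept."""
    if not 1 <= index <= 16:
        raise ValueError("OUI index must be in the range 1 to 16")
    raw = parse_h_h_h(oui_value)
    if raw[0] & 0x01:
        # Least significant bit of the first octet set: multicast address.
        raise ValueError("OUI value cannot be a multicast MAC address")
    return raw[:3].hex()  # the remaining 24 bits are ignored


def matching_index(source_mac, oui_table):
    """Return the index of the configured OUI that source_mac falls under, or None."""
    prefix = oui_of(source_mac)
    for index, oui in sorted(oui_table.items()):
        if oui == prefix:
            return index
    return None


# Constructed table holding the single entry from the example above.
OUI_TABLE = {5: validate_oui_entry("00ef-ec00-0000", 5)}

if __name__ == "__main__":
    # Constructed source addresses: one under the configured OUI, one not.
    for mac in ("00ef-ec12-3456", "0001-0001-0001"):
        print(mac, "->", matching_index(mac, OUI_TABLE))
```

The match is a comparison of the first 24 bits only, so every address under the configured vendor prefix falls under the same index.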
Syntax
port-security port-mode { autolearn | mac-and-userlogin-secure | mac-and-userlogin-secure-ext | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }
undo port-security port-mode
View
Ethernet port view
Parameters
Table 1-3 describes the security mode keywords.
Table 1-3 Keyword description
| Keyword | Security mode | Description |
| autolearn | autolearn | In this mode, MAC addresses learned on the port become security MAC addresses. When the number of security MAC addresses exceeds the maximum number of MAC addresses configured by the port-security max-mac-count command, the port security mode changes to secure automatically. After that, no more security MAC addresses can be added to the port and only the packets whose source MAC addresses are the security MAC addresses or already configured dynamic MAC addresses can pass through the port. |
| mac-and-userlogin-secure | macAddressAndUserLoginSecure | In this mode, users trying to access the network through the port must first pass MAC address authentication and then 802.1x authentication. In this mode, only one user can access the network through the port at a time. |
| mac-and-userlogin-secure-ext | macAddressAndUserLoginSecureExt | This mode is similar to the macAddressAndUserLoginSecure mode, except that more than one user can access the network through the port in this mode. |
| mac-authentication | macAddressWithRadius | In this mode, MAC address authentication is applied on users trying to access the network. |
| mac-else-userlogin-secure | macAddressElseUserLoginSecure | In this mode, MAC address authentication is first applied on users. If the authentication succeeds, the users can access the network successfully. If not, 802.1x authentication is applied. In this mode, only one 802.1x-authenticated user can access the network through the port. But at the same time, there can be more than one MAC-address-authenticated user on the port. |
| mac-else-userlogin-secure-ext | macAddressElseUserLoginSecureExt | This mode is similar to the macAddressElseUserLoginSecure mode, except that in this mode, there can be more than one 802.1x-authenticated user on the port. |
| secure | secure | In this mode, MAC address learning is disabled on the current port. Only packets whose source MAC addresses are security MAC addresses, already configured static or dynamic MAC addresses can pass through the port. |
| userlogin | userlogin | In this mode, 802.1x authentication is applied on users trying to access the network through the current port. |
| userlogin-secure | userLoginSecure | In this mode, MAC-based 802.1x authentication is applied on users trying to access the network through the port. The port will be enabled when the authentication succeeds and allow packets from authenticated users to pass through. In this mode, only one 802.1x-authenticated user can access the network through the port. When the security mode of the port changes from noRestriction to this mode, the old dynamic MAC address entries and authenticated MAC address entries kept on the port are deleted automatically. |
| userlogin-secure-ext | userLoginSecureExt | This mode is similar to the userLoginSecure mode, except that in this mode, there can be more than one 802.1x-authenticated user on the port. |
| userlogin-secure-or-mac | macAddressOrUserLoginSecure | MAC address authentication and 802.1x authentication can coexist on a port, with 802.1x authentication having higher priority. 802.1x authentication can be applied on users who have already passed MAC address authentication. However, users who have already passed 802.1x authentication do not need to go through MAC address authentication. In this mode, only one 802.1x-authenticated user can access the network through the port. However, there can be more than one MAC-address-authenticated user on the port. |
| userlogin-secure-or-mac-ext | macAddressOrUserLoginSecureExt | This mode is similar to the macAddressOrUserLoginSecure mode, except that in this mode, there can be more than one 802.1x-authenticated user on the port. |
| userlogin-withoui | userLoginWithOUI | Similar to the userLoginSecure mode, in this mode, there can be only one 802.1x-authenticated user on the port. However, the port also allows packets with the OUI address to pass through. When the security mode of the port changes from noRestriction to this mode, the old dynamic MAC address entries and authenticated MAC address entries kept on the port are deleted automatically. |
Description
Use the port-security port-mode command to set the security mode of the port.
Use the undo port-security port-mode command to restore the default mode.
By default, the port is in the noRestriction mode, that is, access to the port is not restricted.
- Before setting the security mode to autolearn, you need to use the port-security max-mac-count command to configure the maximum number of MAC addresses allowed on the port.
- When a port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port.
- After setting the security mode to autolearn, you cannot configure static or blackhole MAC addresses on the port.
- When the port security mode is not noRestriction, you need to use the undo port-security port-mode command to change it back to noRestriction before you change the port security mode to other modes.
- Fabric devices do not support configuring the security mode to autolearn.
On a port configured with a security mode, you cannot do the following:
- Configure the maximum number of MAC addresses that can be learned.
- Configure the port as a reflector port for port mirroring.
- Configure the port as a Fabric port.
- Configure link aggregation.
Related commands: display port-security.
Examples
# Set the security mode of GigabitEthernet 1/0/1 on the switch to userLogin.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security port-mode userlogin
Syntax
port-security timer disableport timer
undo port-security timer disableport
View
System view
Parameters
timer: This argument ranges from 20 to 300, in seconds.
Description
Use the port-security timer disableport command to set the time during which the system temporarily disables a port.
Use the undo port-security timer disableport command to restore the default time.
By default, the system disables a port for 20 seconds.
The port-security
timer disableport command is used in conjunction with the port-security
intrusion