H3C S3600 Series Ethernet Switches Command Manual-Release 1510(V1.04)
12-Port Security-Port Binding Command
Table of Contents
Chapter 1 Port Security Commands
1.1.1 display mac-address security
1.1.5 port-security intrusion-mode
1.1.6 port-security authorization ignore
1.1.7 port-security max-mac-count
1.1.10 port-security port-mode
1.1.11 port-security timer disableport
Chapter 2 Port Binding Commands
Chapter 1 Port Security Commands
1.1 Port Security Commands
1.1.1 display mac-address security
Syntax
display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]
View
Any view
Parameter
interface-type: Port type.
interface-number: Port number.
vlan-id: VLAN ID, in the range of 1 to 4094.
count: Displays the number of security MAC addresses.
Description
Use the display mac-address security command to display information about security MAC addresses. Each piece of information for a port includes: secure MAC address on the port, VLAN ID of the port, current port state, port index, and MAC address aging time.
By checking the output of this command, you can verify the current configuration.
Example
# Display the security MAC address configuration on Ethernet1/0/1 port.
<H3C> display mac-address security interface Ethernet1/0/1
MAC ADDR         VLAN ID   STATE      PORT INDEX      AGING TIME(s)
0001-0001-0001   1         Security   Ethernet1/0/1   NOAGED
--- 1 mac address(es) found on port Ethernet1/0/1 ---
1.1.2 display port-security
Syntax
display port-security [ interface interface-list ]
View
Any view
Parameter
interface-list: Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index ranges in this argument.
Description
Use the display port-security command to display information about port security configuration (including global configuration, and configuration on specified or all ports).
By checking the output of this command, you can verify the current configuration.
Caution:
- This command displays the global security configuration and that of all ports if the interface-list argument is not specified.
- This command displays the global security configuration and that of the specified ports if the interface-list argument is specified.
Example
# Display global and all ports' security configuration information.
<H3C> display port-security
Equipment port-security is enabled
AddressLearn trap is Enabled
Intrusion trap is Enabled
Dot1x logon trap is Enabled
Dot1x logoff trap is Enabled
Dot1x logfailure trap is Enabled
RALM logon trap is Enabled
RALM logoff trap is Enabled
RALM logfailure trap is Enabled
Vlan id assigned is NULL
Disableport Timeout: 20 s
OUI value:
Index is 5, OUI value is 00efec
Ethernet1/0/1 is link-down
Port mode is Userlogin
NeedtoKnow mode is needtoknowonly
Intrusion mode is disableport
Max mac-address num is 100
Stored mac-address num is 0
Authorization is permit
(Any display that follows is omitted.)
Table 1-1 Description on the fields of the display port-security command

Field | Description
---|---
Equipment port security is enabled | Port security is enabled on the switch.
AddressLearn trap is Enabled | The sending of address-learning trap messages is enabled.
Intrusion trap is Enabled | The sending of intrusion-detection trap messages is enabled.
Dot1x logon trap is Enabled | The sending of 802.1x user authentication success trap messages is enabled.
Dot1x logoff trap is Enabled | The sending of 802.1x user logoff trap messages is enabled.
Dot1x logfailure trap is Enabled | The sending of 802.1x user authentication failure trap messages is enabled.
RALM logon trap is Enabled | The sending of RALM authentication success trap messages is enabled.
RALM logoff trap is Enabled | The sending of RALM logoff trap messages is enabled.
RALM logfailure trap is Enabled | The sending of RALM authentication failure trap messages is enabled.
Vlan id assigned is NULL | The delivered VLAN ID is null.
Disableport Timeout: 20 s | The temporary port-disabling time is 20 seconds.
OUI value | The next line displays the OUI value.
Ethernet1/0/1 is link-down | The link status of the port Ethernet1/0/1 is "down".
Port mode is Userlogin | The security mode of the port is Userlogin.
NeedtoKnow mode is needtoknowonly | The NTK mode is ntkonly.
Intrusion mode is disableport | The intrusion detection mode is disableport.
Max mac-address num is 100 | The maximum number of MAC addresses allowed on the port is 100.
Stored mac-address num is 0 | No MAC address is stored.
Authorization is permit | Authorization information delivered by the RADIUS server will be applied to the port.
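The output format above lends itself to automated verification of the configuration. The following Python is an added example (not from the manual): it parses a constructed display port-security output into a dictionary and audits it for the settings this chapter describes (port security enabled, intrusion trap on, an intrusion-mode action and a max-mac-count on every port, RADIUS authorization not ignored). The wording the switch prints for a port whose NTK or intrusion mode is not set, and "0" for no max-mac-count limit, are assumptions of this example.

```python
import re

# Constructed sample in the format of the display port-security output above.
# Ethernet1/0/1 repeats the page's values; on Ethernet1/0/2 the "disabled"
# wording for an unset mode and "0" for no limit are assumed, not from a device.
SAMPLE_OUTPUT = """\
Equipment port-security is enabled
AddressLearn trap is Enabled
Intrusion trap is Enabled
Dot1x logon trap is Enabled
Dot1x logoff trap is Disabled
Dot1x logfailure trap is Enabled
RALM logon trap is Enabled
RALM logoff trap is Enabled
RALM logfailure trap is Enabled
Vlan id assigned is NULL
Disableport Timeout: 20 s
OUI value:
Index is 5, OUI value is 00efec
Ethernet1/0/1 is link-down
Port mode is Userlogin
NeedtoKnow mode is needtoknowonly
Intrusion mode is disableport
Max mac-address num is 100
Stored mac-address num is 0
Authorization is permit
Ethernet1/0/2 is link-up
Port mode is Autolearn
NeedtoKnow mode is disabled
Intrusion mode is disabled
Max mac-address num is 0
Stored mac-address num is 3
Authorization is ignore
"""

PORT_RE = re.compile(r"^(\S+) is link-(up|down)$")
TRAP_RE = re.compile(r"^(.+?) trap is (Enabled|Disabled)$")
OUI_RE = re.compile(r"^Index is (\d+),\s*OUI value is ([0-9a-fA-F]{6})$")
TIMEOUT_RE = re.compile(r"^Disableport Timeout: (\d+) s$")
INTRUSION_ACTIONS = {"disableport", "disableport-temporarily", "blockmac"}


def parse_port_security(text):
    """Split the global block and the per-port blocks of the output into a dict."""
    cfg = {"enabled": False, "traps": {}, "ouis": {}, "timeout": None, "ports": {}}
    port = None  # per-port dict once a "<port> is link-..." line has been seen
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            port = cfg["ports"].setdefault(m.group(1), {"link": m.group(2)})
        elif line.startswith("Equipment port-security is "):
            cfg["enabled"] = line.endswith(" enabled")
        elif (m := TRAP_RE.match(line)):
            cfg["traps"][m.group(1)] = m.group(2) == "Enabled"
        elif (m := OUI_RE.match(line)):
            cfg["ouis"][int(m.group(1))] = m.group(2).lower()
        elif (m := TIMEOUT_RE.match(line)):
            cfg["timeout"] = int(m.group(1))
        elif port is not None and " is " in line:
            key, _, value = line.partition(" is ")  # "Port mode is Userlogin"
            port[key] = value
    return cfg


def audit(cfg):
    """Return the findings a reviewer of this port security configuration wants."""
    findings = []
    if not cfg["enabled"]:
        findings.append("global: port security is not enabled")
    if not cfg["traps"].get("Intrusion"):
        findings.append("global: intrusion trap is not enabled")
    for name, p in cfg["ports"].items():
        if p.get("Intrusion mode") not in INTRUSION_ACTIONS:
            findings.append(f"{name}: no intrusion-mode action configured")
        num = p.get("Max mac-address num", "")
        if not (num.isdigit() and 1 <= int(num) <= 1024):  # valid range 1 to 1024
            findings.append(f"{name}: max-mac-count is not set")
        if p.get("Authorization") == "ignore":
            findings.append(f"{name}: RADIUS authorization is ignored")
    return findings
```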
1.1.3 mac-address security
Syntax
mac-address security mac-address [ interface interface-type interface-number ] vlan vlan-id
undo mac-address security mac-address [ interface interface-type interface-number ] vlan vlan-id
View
System view, Ethernet port view
Parameter
interface-type: Port type.
interface-number: Port number.
Note:
When executing the command in system view, you must use the parameter interface interface-type interface-number.
vlan-id: VLAN ID, in the range of 1 to 4094.
Description
Use the mac-address security command to manually add a security MAC address to a port.
Use the undo mac-address security command to remove a security MAC address from a port.
By default, no security MAC address is manually added.
Note:
You can manually add a security MAC address to a port only when port security is enabled globally and the port-security port-mode autolearn command is configured on the port.
Example
# Enter system view.
<H3C> system-view
System View: return to User View with Ctrl+Z.
# Enable port security globally.
[H3C] port-security enable
# Enter the Ethernet1/0/1 port view.
[H3C] interface Ethernet1/0/1
# Configure the maximum number of MAC addresses allowed on the port to 100.
[H3C-Ethernet1/0/1] port-security max-mac-count 100
# Configure the port mode to autolearn.
[H3C-Ethernet1/0/1] port-security port-mode autolearn
# Add the security MAC address 0001-0001-0001 to this port in VLAN 1.
[H3C-Ethernet1/0/1] mac-address security 0001-0001-0001 vlan 1
1.1.4 port-security enable
Syntax
port-security enable
undo port-security enable
View
System view
Parameter
None
Description
Use the port-security enable command to enable port security.
Use the undo port-security enable command to disable port security.
By default, port security is disabled.
Caution:
To avoid conflicts, the following restrictions apply to 802.1x authentication and MAC address authentication after port security is enabled:
- The access control mode (set by the dot1x port-control command) automatically changes to auto.
- The dot1x, dot1x port-method, dot1x port-control and mac-authentication commands cannot be used.
Example
# Enter system view.
<H3C> system-view
System View: return to User View with Ctrl+Z.
# Enable port security.
[H3C] port-security enable
Ethernet1/0/1
Notice: The port-control of 802.1x will be restricted to auto when port-security is enabled.
Please wait... Done.
1.1.5 port-security intrusion-mode
Syntax
port-security intrusion-mode { disableport | disableport-temporarily | blockmac }
undo port-security intrusion-mode
View
Ethernet port view
Parameter
disableport: Specifies to permanently disable the port.
disableport-temporarily: Specifies to temporarily disable the port, and enable the port after a pre-set time.
blockmac: Specifies to discard the packets with illegal source MAC addresses.
Note:
If intrusion protection mode is set to disableport-temporarily on the port, the time set by the port-security timer disableport command determines how long the system temporarily disables the port when intrusion protection is triggered on the port.
Description
Use the port-security intrusion-mode command to set the action to be taken by the device when intrusion protection is triggered on the port.
Use the undo port-security intrusion-mode command to cancel the action setting.
By default, no action is set.
Note:
By checking the source MAC addresses in inbound data frames or the username and password in 802.1x authentication requests on a port, intrusion protection detects illegal packets (packets with illegal MAC addresses) or events and takes a pre-set action accordingly. The actions you can set include disabling the port temporarily or permanently and blocking packets with invalid MAC addresses.
The following cases can trigger intrusion protection on a port:
- A packet with an unknown source MAC address is received on the port while MAC address learning is disabled on the port.
- A packet with an unknown source MAC address is received on the port while the number of security MAC addresses on the port has reached the preset maximum.
- The user fails the 802.1x or MAC address authentication.
After executing the port-security intrusion-mode blockmac command, you can only use the display port-security command to view blocked MAC addresses, which you cannot configure as static MAC addresses.
Example
# Enter system view.
<H3C> system-view
System View: return to User View with Ctrl+Z.
# Enable port security.
[H3C] port-security enable
# Enter Ethernet1/0/1 port view.
[H3C] interface Ethernet1/0/1
# Configure the switch to disable Ethernet1/0/1 when intrusion protection is triggered on the port.
[H3C-Ethernet1/0/1] port-security intrusion-mode disableport
1.1.6 port-security authorization ignore
Syntax
port-security authorization ignore
undo port-security authorization ignore
View
Ethernet port view
Parameter
None
Description
Use the port-security authorization ignore command to configure the port to ignore the authorization information delivered by the RADIUS server.
Use the undo port-security authorization ignore command to restore the default configuration.
By default, the port uses (does not ignore) the authorization information delivered by the RADIUS server.
- With the port-security authorization ignore command executed, issuing the display port-security interface command will display "Authorization is ignore" in the output information.
- With the undo port-security authorization ignore command executed, issuing the display port-security interface command will display "Authorization is permit" in the output information.
Example
# Configure Ethernet1/0/2 to ignore the authorization information delivered from the RADIUS server.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Ethernet1/0/2
[H3C-Ethernet1/0/2] port-security authorization ignore
1.1.7 port-security max-mac-count
Syntax
port-security max-mac-count count-value
undo port-security max-mac-count
View
Ethernet port view
Parameter
count-value: Maximum number of MAC addresses allowed on the port, in the range of 1 to 1024.
Description
Use the port-security max-mac-count command to set the maximum number of MAC addresses allowed on the port. The number is the sum of the following:
- Number of MAC addresses that pass 802.1x authentication
- Number of MAC addresses that pass MAC address authentication
- Number of security MAC addresses
Use the undo port-security max-mac-count command to cancel this limit.
By default, there is no limit on the number of MAC addresses allowed on the port.
Example
# Enter system view.
<H3C> system-view
System View: return to User View with Ctrl+Z.
# Enable port security.
[H3C] port-security enable
# Enter Ethernet1/0/1 port view.
[H3C] interface Ethernet1/0/1
# Set the maximum number of MAC addresses allowed on the port to 100.
[H3C-Ethernet1/0/1] port-security max-mac-count 100
1.1.8 port-security ntk-mode
Syntax
port-security ntk-mode { ntkonly | ntk-withbroadcasts | ntk-withmulticasts }
undo port-security ntk-mode
View
Ethernet port view
Parameter
ntkonly: Allows the port to transmit only unicast packets with successfully-authenticated destination MAC addresses.
ntk-withbroadcasts: Allows the port to transmit broadcast packets and unicast packets with successfully-authenticated destination MAC addresses.
ntk-withmulticasts: Allows the port to transmit multicast packets, broadcast packets and unicast packets with successfully-authenticated destination MAC addresses.
Description
Use the port-security ntk-mode command to set the packet transmission mode the port adopts when the NTK feature is triggered.
Use the undo port-security ntk-mode command to cancel the setting of packet transmission mode.
By default, no transmission mode is set on the port.
Table 1-2 shows the trigger conditions of the NTK feature.
Note:
By checking the destination MAC addresses of the data frames to be sent from a port, the NTK feature ensures that only successfully authenticated devices can obtain data frames from the port, thus preventing illegal devices from intercepting network data.
Example
# Enter system view.
<H3C> system-view
System View: return to User View with Ctrl+Z.
# Enable port security.
[H3C] port-security enable
# Enter Ethernet1/0/1 port view.
[H3C] interface Ethernet1/0/1
# Set the packet transmission mode of the NTK feature to ntk-withbroadcasts on the current port.
[H3C-Ethernet1/0/1] port-security ntk-mode ntk-withbroadcasts
1.1.9 port-security oui
Syntax
port-security oui OUI-value index index-value
undo port-security oui index id-value
View
System view
Parameter
OUI-value: OUI value. You can input a full MAC address (in hexadecimal format) for this argument, and the system calculates the OUI value from your input. The address cannot be a multicast MAC address.
index-value: OUI index, ranging from 1 to 16.
Note:
- Organizationally unique identifiers (OUIs) are assigned by the IEEE to manufacturers. Each OUI uniquely identifies an equipment manufacturer worldwide and is the high-order 24 bits of a MAC address.
- You need only input a full MAC address in hexadecimal format for the OUI-value argument of this command; the system converts the address from hexadecimal to binary and takes the high-order 24 bits of the result as the OUI value.
Description
Use the port-security oui command to set an OUI value for authentication.
Use the undo port-security oui command to cancel the OUI value setting.
Caution:
The OUI value set by this command takes effect only when the security mode of the port is set to userlogin-withoui by the port-security port-mode command.
Related command: port-security port-mode.
Example
# Set an OUI value by specifying the MAC address 00ef-ec00-0000, with an OUI index of 5.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] port-security oui 00ef-ec00-0000 index 5
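As an added example (not part of the manual), the following Python derives the OUI from a MAC address given in H3C form (00ef-ec00-0000) or colon form, rejects multicast addresses as the parameter description requires, keeps an indexed OUI table with the 1 to 16 index range, and applies it as the userlogin-withoui ingress rule described under port-security port-mode. The OuiTable and userlogin_withoui_permits names, and the assumption that OUI-matched frames pass whether or not a user has authenticated yet, are this example's own.

```python
def parse_mac(mac):
    """Parse a MAC in H3C form (00ef-ec00-0000) or colon form into 6 bytes."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac}")
    return bytes.fromhex(digits)


def is_multicast(mac):
    """The I/G (multicast) bit is the least significant bit of the first octet."""
    return bool(parse_mac(mac)[0] & 0x01)


def oui_of(mac):
    """High-order 24 bits of the address, formatted as the switch displays it (00efec)."""
    if is_multicast(mac):
        raise ValueError(f"{mac} is a multicast address and cannot supply an OUI value")
    return parse_mac(mac)[:3].hex()


class OuiTable:
    """Models port-security oui OUI-value index index-value and its undo form."""

    def __init__(self):
        self.entries = {}  # index (1 to 16) -> six hex digit OUI

    def set(self, mac, index):
        if not 1 <= index <= 16:
            raise ValueError("OUI index must be in the range 1 to 16")
        self.entries[index] = oui_of(mac)

    def undo(self, index):
        self.entries.pop(index, None)

    def matches(self, src_mac):
        """True when the frame's source address carries a configured OUI."""
        return parse_mac(src_mac)[:3].hex() in self.entries.values()


def userlogin_withoui_permits(src_mac, authenticated_mac, table):
    """Ingress decision in userlogin-withoui mode as Table 1-2 describes it:
    frames of the single 802.1x-authenticated user and frames whose source OUI
    is configured may pass. Assumption: OUI-matched frames are accepted whether
    or not a user has authenticated (the manual does not state the ordering)."""
    if authenticated_mac is not None and parse_mac(src_mac) == parse_mac(authenticated_mac):
        return True
    return table.matches(src_mac)
```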
1.1.10 port-security port-mode
Syntax
port-security port-mode mode
undo port-security port-mode
View
Ethernet port view
Parameter
mode: Security mode of the port. See Table 1-2 for the values of this argument.
Description
Use the port-security port-mode command to set the security mode of the port.
Use the undo port-security port-mode command to restore the port to the normal operating mode.
Port security defines various security modes that allow devices to learn legal source MAC addresses, in order for you to implement different network security management as needed. With port security, packets whose source MAC addresses cannot be learned by your switch in a security mode, or packets that fail to pass 802.1x authentication are considered illegal.
Table 1-2 describes the available security modes:
Table 1-2 Description of port security modes

Security mode | Description | Feature
---|---|---
autolearn | In this mode, the port automatically learns MAC addresses and changes them to security MAC addresses. This security mode will automatically change to the secure mode after the amount of security MAC addresses on the port reaches the maximum number configured with the port-security max-mac-count command. After changing to the secure mode, only those packets whose source MAC addresses are security MAC addresses learned or dynamic MAC addresses configured can pass through the port. | In either mode, the device will trigger NTK and intrusion protection upon detecting an illegal packet.
secure | In this mode, the port is disabled from learning MAC addresses. Only those packets whose source MAC addresses are security MAC addresses learned or static MAC addresses configured can pass through the port. | Same as above.
userlogin | In this mode, port-based 802.1x authentication is performed for access users. | In this mode, neither NTK nor intrusion protection will be triggered.
userlogin-secure | The port is enabled only after an access user passes the 802.1x authentication. When the port is enabled, only the packets of the successfully authenticated user can pass through the port. In this mode, only one 802.1x-authenticated user is allowed to access the port. When the port changes from the normal mode to this security mode, the system automatically removes the existing dynamic MAC address entries and authenticated MAC address entries on the port. | In any of these modes, the device will trigger NTK and intrusion protection upon detecting an illegal packet.
userlogin-withoui | This mode is similar to the userlogin-secure mode, except that, besides the packets of the single 802.1x-authenticated user, the packets whose source MAC addresses have a particular OUI are also allowed to pass through the port. When the port changes from the normal mode to this security mode, the system automatically removes the existing dynamic/authenticated MAC address entries on the port. | Same as above.
mac-authentication | In this mode, MAC address–based authentication is performed for access users. | Same as above.
userlogin-secure-or-mac | In this mode, if either of the mac-authentication and userlogin-secure modes succeeds, the user passes the authentication. | Same as above.
mac-else-userlogin-secure | In this mode, first the MAC-based authentication is performed. If this authentication succeeds, the mac-authentication mode is adopted, or else, the authentication in userlogin-secure mode is performed. | Same as above.
userlogin-secure-ext | This mode is similar to the userlogin-secure mode, except that there can be more than one 802.1x-authenticated user on the port. | Same as above.
userlogin-secure-or-mac-ext | This mode is similar to the userlogin-secure-or-mac mode, except that there can be more than one 802.1x-authenticated user on the port. | Same as above.
mac-else-userlogin-secure-ext | This mode is similar to the mac-else-userlogin-secure mode, except that there can be more than one 802.1x-authenticated user on the port. | Same as above.
By default, no security mode is set on the port.
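The autolearn/secure modes above, the intrusion-mode actions with their disableport timer, and the ntk-mode transmission modes fit together into one ingress/egress model. The Python below is an added example, not switch code: SecurePort, its method names, and the assumption that in autolearn/secure mode the destination addresses NTK lets through are the port's security MAC addresses are this example's own. It also models the Table 1-2 detail that NTK only starts filtering once an illegal packet has been detected on the port.

```python
BROADCAST = "ffff-ffff-ffff"


def is_multicast(mac):
    """H3C form xxxx-xxxx-xxxx: the I/G bit is bit 0 of the first octet."""
    return bool(int(mac[:2], 16) & 0x01)


class SecurePort:
    """One port in the autolearn or secure mode of Table 1-2, together with its
    port-security max-mac-count, intrusion-mode, timer disableport and ntk-mode
    settings. Assumption: the "successfully authenticated" destinations that NTK
    lets through are, in these two modes, the port's security MAC addresses."""

    def __init__(self, name, max_mac_count=None, intrusion_mode=None,
                 ntk_mode=None, disableport_timer=20):
        self.name = name
        self.mode = "normal"                 # no port-security port-mode set
        self.max_mac_count = max_mac_count   # None = no limit (the default)
        self.intrusion_mode = intrusion_mode
        self.ntk_mode = ntk_mode
        self.disableport_timer = disableport_timer  # seconds, 20 to 300
        self.security_macs = set()
        self.blocked_macs = set()            # blockmac victims, display-only
        self.disabled_until = None           # None = up, inf = permanently down
        self.ntk_active = False              # NTK is triggered by an illegal packet
        self.events = []                     # (port, source MAC, action taken)

    def port_mode(self, mode):
        """port-security port-mode { autolearn | secure }"""
        assert mode in ("autolearn", "secure")
        self.mode = mode

    def ingress(self, src_mac, now=0.0):
        """Return True if a frame with this source MAC is accepted at time now."""
        if self.disabled_until is not None:
            if now < self.disabled_until:
                return False
            self.disabled_until = None       # temporary disable period elapsed
        if self.mode == "normal" or src_mac in self.security_macs:
            return True
        if src_mac in self.blocked_macs:
            return False
        below_limit = self.max_mac_count is None or len(self.security_macs) < self.max_mac_count
        if self.mode == "autolearn" and below_limit:
            self.security_macs.add(src_mac)
            if len(self.security_macs) == self.max_mac_count:
                self.mode = "secure"         # autolearn becomes secure at the limit
            return True
        return self._intrusion(src_mac, now)

    def _intrusion(self, src_mac, now):
        """Unknown source MAC while learning is off or the limit is reached."""
        self.events.append((self.name, src_mac, self.intrusion_mode))
        self.ntk_active = True
        if self.intrusion_mode == "disableport":
            self.disabled_until = float("inf")
        elif self.intrusion_mode == "disableport-temporarily":
            self.disabled_until = now + self.disableport_timer
        elif self.intrusion_mode == "blockmac":
            self.blocked_macs.add(src_mac)
        return False

    def egress(self, dst_mac):
        """Return True if a frame to dst_mac may be sent out of the port."""
        if not (self.ntk_active and self.ntk_mode) or dst_mac in self.security_macs:
            return True
        if dst_mac == BROADCAST:
            return self.ntk_mode in ("ntk-withbroadcasts", "ntk-withmulticasts")
        if is_multicast(dst_mac):
            return self.ntk_mode == "ntk-withmulticasts"
        return False
```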
Example
# Enter system view.
<H3C> system-view
System View: return to User View with Ctrl+Z.
# Enable port security.
[H3C] port-security enable
# Enter Ethernet1/0/1 port view.
[H3C] interface Ethernet1/0/1
# Set the security mode on Ethernet1/0/1 to userlogin.
[H3C-Ethernet1/0/1] port-security port-mode userlogin
1.1.11 port-security timer disableport
Syntax
port-security timer disableport timer
undo port-security timer disableport
View
System view
Parameter
timer: Time in seconds during which the port is temporarily disabled, in the range of 20 to 300. The default is 20.
Description
Use the port-security timer disableport command to set the time during which the system temporarily disables a port.
Use the undo port-security timer disableport command to restore the default time.
Note:
After the port-security intrusion-mode disableport-temporarily command is executed on a port, the time set by the port-security timer disableport timer command determines how long the port stays temporarily disabled.
Example
# Set the time during which the system temporarily disables a port to 50 seconds.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] port-security timer disableport 50
1.1.12 port-security trap
Syntax
port-security trap { addresslearned | intrusion | dot1xlogon | dot1xlogoff | dot1xlogfailure | ralmlogon | ralmlogoff | ralmlogfailure }*
undo port-security trap { addresslearned | intrusion | dot1xlogon | dot1xlogoff | dot1xlogfailure | ralmlogon | ralmlogoff | ralmlogfailure }*
View
System view
Parameter
addresslearned: Enables/disables the sending of MAC address learning trap messages.
intrusion: Enables/disables the sending of intrusion packet discovery trap messages.
dot1xlogon: Enables/disables the sending of 802.1x user logon trap messages.
dot1xlogoff: Enables/disables the sending of 802.1x user logoff trap messages.
dot1xlogfailure: Enables/disables the sending of 802.1x user authentication failure trap messages.
ralmlogon: Enables/disables the sending of RALM user logon trap messages.
ralmlogoff: Enables/disables the sending of RALM user logoff trap messages.
ralmlogfailure: Enables/disables the sending of RALM user authentication failure trap messages.
Note:
RADIUS authenticated login using MAC-address (RALM) refers to MAC address–based RADIUS authentication.
Description
Use the port-security trap command to enable the sending of specified type(s) of trap messages.
Use the undo port-security trap command to disable the sending of specified type(s) of trap messages.
By default, the system disables the sending of all types of trap messages.
Note:
This command is based on the device tracking feature, which enables the switch to send trap messages when special data packets (generated by illegal intrusion, abnormal user logon/logoff, or other special activities) pass through a port, so as to help the network administrator monitor such activities.
When you use the display port-security command to display global information, the system will display which types of trap messages are allowed to send.
Related command: display port-security.
Example
# Allow the sending of intrusion packet discovery trap messages.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] port-security trap intrusion
Chapter 2 Port Binding Commands
2.1 Port Binding Commands
2.1.1 am user-bind interface
Syntax
am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number
undo am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number
View
System view
Parameter
mac-address: MAC address to be bound.
ip-address: IP address to be bound.
interface-type: Type of the port to be bound to.
interface-number: Number of the port to be bound to.
Description
Use the am user-bind interface command to bind the MAC and IP addresses of a legal user to a specified port.
Use the undo am user-bind interface command to cancel the binding.
After such a binding operation, only the user whose device MAC address is identical with the bound MAC address can use the bound IP address to access the network through the port.
Note:
An IP address can be bound with only one MAC address, and vice versa.
Example
# Bind the MAC address 00e0-fc00-5101 and IP address 10.153.1.1 (supposing they are MAC and IP addresses of a legal user) to Ethernet1/0/1 port.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] am user-bind mac-addr 00e0-fc00-5101 ip-addr 10.153.1.1 interface Ethernet1/0/1
2.1.2 am user-bind
Syntax
am user-bind mac-addr mac-address ip-addr ip-address
undo am user-bind mac-addr mac-address ip-addr ip-address
View
Ethernet port view
Parameter
mac-address: MAC address to be bound.
ip-address: IP address to be bound.
Description
Use the am user-bind command to bind the MAC and IP addresses of a legal user to the current port.
Use the undo am user-bind command to cancel the binding.
After such a binding operation, only the user whose device MAC address is identical with the bound MAC address can use the bound IP address to access the network through the port.
Note:
An IP address can be bound with only one MAC address, and vice versa.
Example
# Bind the MAC address 00e0-fc00-5102 and IP address 10.153.1.2 (supposing they are MAC and IP addresses of a legal user) to Ethernet1/0/2 port.
<H3C> system-view
System View: return to User View with Ctrl+Z.
[H3C] interface Ethernet1/0/2
[H3C-Ethernet1/0/2] am user-bind mac-addr 00e0-fc00-5102 ip-addr 10.153.1.2
2.1.3 display am user-bind
Syntax
display am user-bind [ interface interface-type interface-number | mac-addr mac-addr | ip-addr ip-addr ]
View
Any view
Parameter
interface: Displays binding information on a specified port.
interface-type: Port type.
interface-number: Port number.
mac-addr mac-addr: Displays only the binding information of a specified MAC address.
ip-addr ip-addr: Displays only the binding information of a specified IP address.
Description
Use the display am user-bind command to display port binding information.
Example
# Display the current system port binding information.
<H3C> display am user-bind
Following User address bind have been configured:
Mac             IP           Port
00e0-fc00-5101  10.153.1.1   Ethernet1/0/1
00e0-fc00-5102  10.153.1.2   Ethernet1/0/2
Unit 1:Total 2 found, 2 listed.
Total: 2 found.
The above output displays that two port binding settings exist on unit 1:
- MAC address 00e0-fc00-5101 and IP address 10.153.1.1 are bound to Ethernet1/0/1.
- MAC address 00e0-fc00-5102 and IP address 10.153.1.2 are bound to Ethernet1/0/2.
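As an added example (not from the manual), the Python below models the binding table that the am user-bind commands build, enforces the one-MAC-per-IP rule from the note, and checks an incoming packet's source MAC, source IP and ingress port against the bindings, using the two entries shown in the output above as constructed sample data. The class name, the rule that a bound MAC using a different IP is also rejected, and the pass-through of packets that involve no bound address are assumptions of this example.

```python
class PortBindingTable:
    """Models am user-bind / undo am user-bind and the check a binding implies
    for a packet arriving on a port (example model, not the switch's code)."""

    def __init__(self):
        self.by_mac = {}  # mac -> (ip, port)
        self.by_ip = {}   # ip -> (mac, port)

    def bind(self, mac, ip, port):
        mac = mac.lower()
        # An IP address can be bound with only one MAC address, and vice versa.
        if mac in self.by_mac and self.by_mac[mac] != (ip, port):
            raise ValueError(f"{mac} is already bound to {self.by_mac[mac]}")
        if ip in self.by_ip and self.by_ip[ip] != (mac, port):
            raise ValueError(f"{ip} is already bound to {self.by_ip[ip]}")
        self.by_mac[mac] = (ip, port)
        self.by_ip[ip] = (mac, port)

    def unbind(self, mac, ip, port):
        mac = mac.lower()
        if self.by_mac.get(mac) != (ip, port):
            raise KeyError(f"no binding {mac} {ip} {port}")
        del self.by_mac[mac]
        del self.by_ip[ip]

    def permits(self, src_mac, src_ip, port):
        """True if a packet with these source addresses may enter through port.
        A bound IP may only be used by its bound MAC on its bound port.
        Assumption: a bound MAC using another IP is rejected as well, and packets
        that involve no bound address are not affected by port binding."""
        src_mac = src_mac.lower()
        if src_ip in self.by_ip:
            return self.by_ip[src_ip] == (src_mac, port)
        if src_mac in self.by_mac:
            return self.by_mac[src_mac] == (src_ip, port)
        return True

    def display(self):
        """Rows in the column order of display am user-bind: Mac, IP, Port."""
        return sorted((mac, ip, port) for mac, (ip, port) in self.by_mac.items())


def sample_table():
    """The two bindings from the display am user-bind output above (constructed)."""
    t = PortBindingTable()
    t.bind("00e0-fc00-5101", "10.153.1.1", "Ethernet1/0/1")
    t.bind("00e0-fc00-5102", "10.153.1.2", "Ethernet1/0/2")
    return t
```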