H3C S5500-SI Series Ethernet Switches Command Manual(V1.01)

08-Port Security Commands

Chapter 1  Port Security Configuration Commands

1.1  Port Security Configuration Commands

1.1.1  display port-security

Syntax

display port-security [ interface interface-list ]

View

Any view

Parameters

interface-list: Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> means that you can specify up to 10 ports or port ranges. The starting port and ending port of a port range must be of the same type, and the ending port number must be greater than the starting port number.

Description

Use the display port-security command to display port security configuration information, operation information, and statistics about one or more specified ports or all ports.

Related commands: port-security enable, port-security port-mode, port-security ntk-mode, port-security intrusion-mode, port-security max-mac-count, port-security mac-address security, port-security authorization ignore, port-security oui, port-security trap.

Examples

# Display port security configuration information, operation information, and statistics about all ports.

<Sysname> display port-security

 Equipment port-security is enabled

 AddressLearn trap is enabled

 Intrusion trap is enabled

 Dot1x logon trap is enabled

 Dot1x logoff trap is enabled

 Dot1x logfailure trap is enabled

 RALM logon trap is enabled

 RALM logoff trap is enabled

 RALM logfailure trap is enabled

 Disableport Timeout: 20s

 OUI value:

   Index is 1,  OUI value is 000d1a

   Index is 2,  OUI value is 003c12

 

 GigabitEthernet1/0/1 is link-down

    Port mode is UserloginWithOUI

    NeedtoKnow mode is needtoknowonly

    Intrusion mode is disableport

    Max MAC address number is 50

    Stored MAC address number is 0

    Authorization is ignored

 GigabitEthernet1/0/2 is link-down

    Port mode is noRestriction

    NeedtoKnow mode is disabled

    Intrusion mode is no action

    Max MAC address number is not configured

    Stored MAC address number is 0

    Authorization is permitted

Table 1-1 Description on the fields of the display port-security command

Field                                  Description
Equipment port-security is enabled     Port security is enabled.
AddressLearn trap is enabled           Address learning trap is enabled.
Intrusion trap is enabled              Intrusion protection trap is enabled.
Dot1x logon trap is enabled            802.1x logon trap is enabled.
Dot1x logoff trap is enabled           802.1x logoff trap is enabled.
Dot1x logfailure trap is enabled       802.1x authentication failure trap is enabled.
RALM logon trap is enabled             MAC authentication success trap is enabled.
RALM logoff trap is enabled            MAC authenticated user logoff trap is enabled.
RALM logfailure trap is enabled        MAC authentication failure trap is enabled.
Disableport Timeout: 20s               The silence timeout is 20 seconds.
OUI value                              24-bit OUI value
Index                                  OUI index
Port mode is UserloginWithOUI          The port security mode is UserloginWithOUI.
NeedtoKnow mode is needtoknowonly      The NTK mode is needtoknowonly.
Intrusion mode is disableport          Intrusion protection action is set to disableport.
Max MAC address number                 Maximum number of secure MAC addresses allowed on the port
Stored MAC address number              Number of MAC addresses stored on the port
Authorization is ignored               Authorization information from the RADIUS server is ignored.
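The per-port block of this output is what an auditor reads to see whether port security is actually enforcing anything. The following script is an added example (not part of the manual and not H3C code): it parses the output format shown above into records and flags ports left in noRestrictions mode (where port security does not take effect), ports with intrusion protection set to "no action", ports with no maximum MAC address number, and ports that ignore RADIUS authorization. The sample input is constructed from the manual's own example output; the field names and finding rules are the only things assumed.

```python
"""Parse 'display port-security' output and audit per-port settings.
Added example; sample text is constructed from the manual's example."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the manual's example output, reproduced as input.
SAMPLE = """\
 Equipment port-security is enabled
 AddressLearn trap is enabled
 Intrusion trap is enabled
 Disableport Timeout: 20s
 OUI value:
   Index is 1,  OUI value is 000d1a
   Index is 2,  OUI value is 003c12

 GigabitEthernet1/0/1 is link-down
    Port mode is UserloginWithOUI
    NeedtoKnow mode is needtoknowonly
    Intrusion mode is disableport
    Max MAC address number is 50
    Stored MAC address number is 0
    Authorization is ignored
 GigabitEthernet1/0/2 is link-down
    Port mode is noRestriction
    NeedtoKnow mode is disabled
    Intrusion mode is no action
    Max MAC address number is not configured
    Stored MAC address number is 0
    Authorization is permitted
"""

@dataclass
class PortSec:
    name: str
    link: str = ""
    mode: str = ""
    ntk: str = ""
    intrusion: str = ""
    max_mac: Optional[int] = None      # None means "not configured" (unlimited)
    stored_mac: int = 0
    authorization: str = ""

# "GigabitEthernet1/0/1 is link-down" opens a per-port block.
PORT_RE = re.compile(r"^\s*(\S+) is (link-\w+)\s*$")
# Indented "<field> is <value>" lines inside a per-port block.
FIELD_RE = re.compile(r"^\s+(Port mode|NeedtoKnow mode|Intrusion mode|"
                      r"Max MAC address number|Stored MAC address number|"
                      r"Authorization) is (.+?)\s*$")

def parse(text: str) -> tuple:
    """Return (global port security enabled?, list of PortSec records)."""
    enabled = "Equipment port-security is enabled" in text
    ports, cur = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            cur = PortSec(name=m.group(1), link=m.group(2))
            ports.append(cur)
            continue
        m = FIELD_RE.match(line)
        if not (m and cur):
            continue
        key, val = m.group(1), m.group(2)
        if key == "Port mode":
            cur.mode = val
        elif key == "NeedtoKnow mode":
            cur.ntk = val
        elif key == "Intrusion mode":
            cur.intrusion = val
        elif key == "Max MAC address number":
            cur.max_mac = None if val == "not configured" else int(val)
        elif key == "Stored MAC address number":
            cur.stored_mac = int(val)
        elif key == "Authorization":
            cur.authorization = val
    return enabled, ports

def audit(text: str) -> dict:
    """Map each port name to its findings; key '*' holds global findings."""
    enabled, ports = parse(text)
    findings = {"*": [] if enabled else ["port security is disabled globally"]}
    for p in ports:
        f = []
        if p.mode.lower().startswith("norestriction"):
            f.append("noRestrictions mode: port security does not take effect")
        if p.intrusion == "no action":
            f.append("intrusion protection disabled")
        if p.max_mac is None:
            f.append("max MAC address number not limited")
        if p.authorization == "ignored":
            f.append("RADIUS authorization ignored (review)")
        if p.max_mac is not None and p.stored_mac > p.max_mac:
            f.append("stored MAC count exceeds configured maximum")
        findings[p.name] = f
    return findings
```

Feed it the text of `display port-security` captured from the switch; `audit()` returns an empty list for ports that need no attention.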

 

1.1.2  display port-security mac-address block

Syntax

display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]

View

Any view

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies a VLAN by its number, which is in the range 1 to 4094.

count: Displays only the count of the blocked MAC addresses.

Description

Use the display port-security mac-address block command to display information about blocked MAC addresses.

With no keyword or argument specified, the command displays information about all blocked MAC addresses.

Related commands: port-security intrusion-mode.

Examples

# Display information about all blocked MAC addresses.

<Sysname> display port-security mac-address block

MAC ADDR             From Port                  VLAN ID

0002-0002-0002      GigabitEthernet1/0/1                1

000d-88f8-0577      GigabitEthernet1/0/1                1

  ---  2 mac address(es) found  ---

# Display the count of all blocked MAC addresses.

<Sysname> display port-security mac-address block count

 2 mac address(es) found

# Display information about all blocked MAC addresses in VLAN 1.

<Sysname> display port-security mac-address block vlan 1

MAC ADDR             From Port                  VLAN ID

0002-0002-0002      GigabitEthernet1/0/1                1

000d-88f8-0577      GigabitEthernet1/0/1                1

  ---  2 mac address(es) found  ---

# Display information about all blocked MAC addresses of port GigabitEthernet 1/0/1.

<Sysname> display port-security mac-address block interface GigabitEthernet1/0/1

MAC ADDR             From Port                  VLAN ID

000d-88f8-0577      GigabitEthernet1/0/1                1

  ---  1 mac address(es) found  ---

# Display information about all blocked MAC addresses of port GigabitEthernet 1/0/1 in VLAN 1.

<Sysname> display port-security mac-address block interface GigabitEthernet 1/0/1 vlan 1

MAC ADDR             From Port                  VLAN ID

000d-88f8-0577      GigabitEthernet1/0/1                1

  ---  1 mac address(es) found  ---

Table 1-2 Description on the fields of display port-security mac-address block

Field                        Description
MAC ADDR                     Blocked MAC address
From Port                    Port that received frames with the blocked MAC address as the source address
VLAN ID                      ID of the VLAN to which the port belongs
2 mac address(es) found      Number of blocked MAC addresses

 

1.1.3  display port-security mac-address security

Syntax

display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]

View

Any view

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies a VLAN by its number, which is in the range 1 to 4094.

count: Displays only the count of the secure MAC addresses.

Description

Use the display port-security mac-address security command to display information about secure MAC addresses.

With no keyword or argument specified, the command displays information about all secure MAC addresses.

Related commands: port-security mac-address security.

Examples

# Display information about all secure MAC addresses.

<Sysname> display port-security mac-address security

MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)

0002-0002-0002  1        Security        GigabitEthernet1/0/1   NOAGED

000d-88f8-0577  1        Security        GigabitEthernet1/0/1    NOAGED

 

  ---  2 mac address(es) found  ---

# Display only the count of the secure MAC addresses.

<Sysname> display port-security mac-address security count

 2 mac address(es) found

# Display information about secure MAC addresses in the specified VLAN.

<Sysname> display port-security mac-address security vlan 1

MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)

0002-0002-0002  1         Security      GigabitEthernet1/0/1    NOAGED

000d-88f8-0577  1         Security      GigabitEthernet1/0/1    NOAGED

 

  ---  2 mac address(es) found  ---

# Display information about secure MAC addresses on the specified port.

<Sysname> display port-security mac-address security interface GigabitEthernet1/0/1

MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)

000d-88f8-0577  1        Security       GigabitEthernet1/0/1    NOAGED

 

  ---  1 mac address(es) found  ---

# Display information about secure MAC addresses that are on the specified port and in the specified VLAN.

<Sysname> display port-security mac-address security interface GigabitEthernet 1/0/1 vlan 1

MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)

000d-88f8-0577  1         Security      GigabitEthernet1/0/1    NOAGED

 

  ---  1 mac address(es) found  ---

Table 1-3 Description on the fields of display port-security mac-address security

Field                        Description
MAC ADDR                     Secure MAC address
VLAN ID                      VLAN to which the port belongs
STATE                        Type of the MAC address added
PORT INDEX                   Port to which the secure MAC address belongs
AGING TIME(s)                Period of time before the secure MAC address ages out
xxx mac address(es) found    Number of secure MAC addresses stored
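The two tables in 1.1.2 and 1.1.3 share a layout (one row per MAC address, then a "--- N mac address(es) found ---" footer), so one parser serves both. The following script is an added example, not part of the manual and not H3C code: it parses the blocked-MAC table and the secure-MAC table, checks the footer count against the rows actually read (a mismatch means a truncated capture), reads the count-only form of either command, and summarises blocked and secure entries per port. Sample inputs are constructed from the manual's examples; the function names are the author's own.

```python
"""Parsers for 'display port-security mac-address block' and
'display port-security mac-address security'.  Added example; the sample
outputs below are constructed from the manual's examples."""
import re

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"

BLOCK_SAMPLE = """\
MAC ADDR             From Port                  VLAN ID
0002-0002-0002      GigabitEthernet1/0/1                1
000d-88f8-0577      GigabitEthernet1/0/1                1
  ---  2 mac address(es) found  ---
"""

SECURITY_SAMPLE = """\
MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)
0002-0002-0002  1        Security        GigabitEthernet1/0/1   NOAGED
000d-88f8-0577  1        Security        GigabitEthernet1/0/1    NOAGED

  ---  2 mac address(es) found  ---
"""

BLOCK_ROW = re.compile(rf"^\s*({MAC})\s+(\S+)\s+(\d+)\s*$")          # mac port vlan
SEC_ROW = re.compile(rf"^\s*({MAC})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")  # mac vlan state port aging
FOOTER = re.compile(r"^\s*---\s+(\d+) mac address\(es\) found\s+---\s*$")
COUNT_ONLY = re.compile(r"^\s*(\d+) mac address\(es\) found\s*$")      # the 'count' form

def parse_count(text):
    """Number reported by the footer or by the count-only output; None if absent."""
    for line in text.splitlines():
        m = FOOTER.match(line) or COUNT_ONLY.match(line)
        if m:
            return int(m.group(1))
    return None

def _parse(text, row_re, build):
    rows = [build(m) for m in map(row_re.match, text.splitlines()) if m]
    n = parse_count(text)
    if n is not None and n != len(rows):
        raise ValueError(f"footer reports {n} entries, parsed {len(rows)}")
    return rows

def parse_block(text):
    """Blocked-MAC table as (mac, port, vlan) tuples."""
    return _parse(text, BLOCK_ROW,
                  lambda m: (m.group(1), m.group(2), int(m.group(3))))

def parse_security(text):
    """Secure-MAC table as dicts keyed by the column headers."""
    return _parse(text, SEC_ROW, lambda m: {
        "mac": m.group(1), "vlan": int(m.group(2)), "state": m.group(3),
        "port": m.group(4), "aging": m.group(5)})

def summarize(block_text, security_text):
    """Per-port counts of blocked and secure MAC addresses; a port that is
    blocking intruders stands out next to its secure-entry count."""
    out = {}
    for _, port, _ in parse_block(block_text):
        out.setdefault(port, {"blocked": 0, "secure": 0})["blocked"] += 1
    for r in parse_security(security_text):
        out.setdefault(r["port"], {"blocked": 0, "secure": 0})["secure"] += 1
    return out
```

The footer check matters when output is captured through a paged terminal session: a footer that disagrees with the rows read means the capture lost lines, and the summary should not be trusted.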

 

1.1.4  port-security authorization ignore

Syntax

port-security authorization ignore

undo port-security authorization ignore

View

Layer 2 Ethernet port view

Parameters

None

Description

Use the port-security authorization ignore command to configure a port to ignore the authorization information from the RADIUS server.

Use the undo port-security authorization ignore command to restore the default.

By default, a port uses the authorization information from the RADIUS server.

Related commands: display port-security.

Examples

# Configure port GigabitEthernet 1/0/1 to ignore the authorization information from the RADIUS server.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security authorization ignore

1.1.5  port-security enable

Syntax

port-security enable

undo port-security enable

View

System view

Parameters

None

Description

Use the port-security enable command to enable port security.

Use the undo port-security enable command to disable port security.

By default, port security is disabled.

Note that:

1)         Port security cannot be enabled when 802.1x or MAC authentication is enabled globally.

2)         Enabling port security resets the following configurations on a port to the defaults shown in brackets, so that they are then determined entirely by the port security mode:

l           802.1x (disabled), port access control method (macbased), and port access control mode (auto)

l           MAC authentication (disabled)

3)         Disabling port security resets the following configurations on a port to the defaults shown in brackets:

l           Port security mode (noRestrictions)

l           802.1x (disabled), port access control method (macbased), and port access control mode (auto)

l           MAC authentication (disabled)

4)         Port security cannot be disabled if there is any user present on a port.

Related commands: display port-security, and these commands in 802.1x-HABP-MAC Authentication Commands: dot1x, dot1x port-method, dot1x port-control, and mac-authentication.

Examples

# Enable port security.

<Sysname> system-view

[Sysname] port-security enable

1.1.6  port-security intrusion-mode

Syntax

port-security intrusion-mode { blockmac | disableport | disableport-temporarily }

undo port-security intrusion-mode

View

Layer 2 Ethernet Port view

Parameters

blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. A blocked MAC address is unblocked after three minutes; this period is fixed and cannot be changed.

disableport: Disables the port permanently upon detecting an illegal frame received on the port.

disableport-temporarily: Disables the port for a specified period of time whenever it receives an illegal frame. Use the port-security timer disableport command to set the period.

Description

Use the port-security intrusion-mode command to configure the intrusion protection feature.

Use the undo port-security intrusion-mode command to restore the default.

By default, intrusion protection is disabled.

Related commands: display port-security, port-security timer disableport.

Examples

# Configure port GigabitEthernet 1/0/1 to block the source MAC addresses of illegal frames after intrusion protection is triggered.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode blockmac

1.1.7  port-security mac-address security

Syntax

In Layer 2 Ethernet port view:

port-security mac-address security mac-address vlan vlan-id

In system view:

port-security mac-address security mac-address interface interface-type interface-number vlan vlan-id

undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]

View

Layer 2 Ethernet Port view, system view

Parameters

mac-address: Secure MAC address, in the H-H-H format.

interface interface-type interface-number: Specifies a Layer 2 Ethernet port by its type and number.

vlan-id: ID of the VLAN to which the secure MAC address belongs, in the range 1 to 4094.

Description

Use the port-security mac-address security command to add a secure MAC address.

Use the undo port-security mac-address security command to remove specified secure MAC address.

By default, no secure MAC address is configured.

Note that:

l           You can configure a secure MAC address only if port security is enabled and the specified port operates in autoLearn mode.

l           The undo port-security mac-address security command can be used in system view only.

Related commands: display port-security.

Examples

# In system view, add a secure MAC address of 0001-0001-0002 (belonging to VLAN 10) to port GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] port-security mac-address security 0001-0001-0002 interface gigabitethernet 1/0/1 vlan 10

# In Ethernet port view, add a secure MAC address of 0001-0002-0003 (belonging to VLAN 4) to port GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security mac-address security 0001-0002-0003 vlan 4

1.1.8  port-security max-mac-count

Syntax

port-security max-mac-count count-value

undo port-security max-mac-count

View

Layer 2 Ethernet port view

Parameters

count-value: Maximum number of secure MAC addresses allowed on the port, in the range 1 to 1024.

Description

Use the port-security max-mac-count command to set the maximum number of secure MAC addresses allowed on the port.

Use the undo port-security max-mac-count command to restore the default setting.

By default, the maximum number of secure MAC addresses is not limited.

Note the following:

l           The autoLearn mode cannot be enabled if this value is not configured.

l           The maximum number of secure MAC addresses allowed on a port does not include, and does not limit, the static MAC addresses configured manually.

l           The maximum number of secure MAC addresses allowed on a port must not be less than the number of MAC addresses stored on the port.

Related commands: display port-security.

Examples

# Set the maximum number of secure MAC addresses allowed on port GigabitEthernet 1/0/1 to 100.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security max-mac-count 100

1.1.9  port-security ntk-mode

Syntax

port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }

undo port-security ntk-mode

View

Ethernet port view

Parameters

ntk-withbroadcasts: Sends only frames destined for authenticated MAC addresses or the broadcast address.

ntk-withmulticasts: Sends only frames destined for authenticated MAC addresses, multicast addresses, or the broadcast address.

ntkonly: Sends only frames destined for authenticated MAC addresses.

Description

Use the port-security ntk-mode command to configure the NTK feature.

Use the undo port-security ntk-mode command to restore the default.

By default, NTK is disabled on a port and all frames are allowed to be sent.

Related commands: display port-security.

Examples

# Set the NTK mode of port GigabitEthernet 1/0/1 to ntkonly.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security ntk-mode ntkonly

1.1.10  port-security oui

Syntax

port-security oui oui-value index index-value

undo port-security oui index index-value

View

System view

Parameters

oui-value: Organizationally unique identifier (OUI) string, a 48-bit MAC address in the H-H-H format. The system automatically uses only the 24 high-order bits as the OUI value.

index-value: OUI index, in the range 1 to 16.

Description

Use the port-security oui command to configure an OUI value for user authentication. This value is used when the port security mode is UserLoginWithOUI.

Use the undo port-security oui command to delete an OUI value with the specified OUI index.

By default, no OUI value is configured.

Note that an OUI value configured by using the port-security oui command takes effect only when the security mode is userLoginWithOUI.

Related commands: display port-security.

Examples

# Configure an OUI value of 000d2a, setting the index to 4.

<Sysname> system-view

[Sysname] port-security oui 000d-2a10-0033 index 4

1.1.11  port-security port-mode

Syntax

port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }

undo port-security port-mode

View

Ethernet port view

Parameters

autolearn: Operates in autoLearn mode.

mac-authentication: Operates in macAddressWithRadius mode.

mac-else-userlogin-secure: Operates in macAddressElseUserLoginSecure mode.

mac-else-userlogin-secure-ext: Operates in macAddressElseUserLoginSecureExt mode.

secure: Operates in secure mode.

userlogin: Operates in userLogin mode.

userlogin-secure: Operates in userLoginSecure mode.

userlogin-secure-ext: Operates in userLoginSecureExt mode.

userlogin-secure-or-mac: Operates in macAddressOrUserLoginSecure mode.

userlogin-secure-or-mac-ext: Operates in macAddressOrUserLoginSecureExt mode.

userlogin-withoui: Operates in userLoginWithOUI mode.

Description

Use the port-security port-mode command to set the port security mode of a port.

Use the undo port-security port-mode command to restore the default.

By default, a port operates in noRestrictions mode, where port security does not take effect.

Note that:

l           Configuration of port security mode on a port is mutually exclusive with the configuration of 802.1x authentication, port access control method, port access control mode, and MAC authentication on the port.

l           With port security enabled, you can change the port security mode of a port only when the port is operating in noRestrictions mode, the default mode. You can use the undo port-security port-mode command to restore the default port security mode.

l           You cannot change the port security mode of a port when any user is present on the port.

Related commands: display port-security.

Examples

# Configure the port security mode of port GigabitEthernet 1/0/1 as secure.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security port-mode secure

# Change the port security mode of port GigabitEthernet 1/0/1 to userLogin.

[Sysname-GigabitEthernet1/0/1] undo port-security port-mode

[Sysname-GigabitEthernet1/0/1] port-security port-mode userlogin
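The notes in 1.1.5, 1.1.7, 1.1.8 and 1.1.11 impose an order on these commands: port security must be enabled globally (and cannot be while 802.1x or MAC authentication is enabled globally), max-mac-count must be set before autoLearn mode, secure MAC addresses can only be added to a port in autoLearn mode, and a port already in a mode other than noRestrictions needs undo port-security port-mode before a new mode is set. The following generator is an added example (not part of the manual and not H3C code) that emits the commands in an order those notes allow and refuses combinations the notes say the switch rejects, including the value ranges given for max-mac-count, timer disableport, OUI index and VLAN ID. The PortPolicy fields and function names are the author's own; quit, to leave port view, is assumed from the CLI rather than taken from this page.

```python
"""Ordered port-security configuration generator for the commands on this
page.  Added example, not H3C code; it encodes the ordering and range
constraints stated in the manual's notes."""
from dataclasses import dataclass, field
from typing import Optional

MODES = {"autolearn", "mac-authentication", "mac-else-userlogin-secure",
         "mac-else-userlogin-secure-ext", "secure", "userlogin",
         "userlogin-secure", "userlogin-secure-ext", "userlogin-secure-or-mac",
         "userlogin-secure-or-mac-ext", "userlogin-withoui"}
INTRUSION = {"blockmac", "disableport", "disableport-temporarily"}
NTK = {"ntk-withbroadcasts", "ntk-withmulticasts", "ntkonly"}

@dataclass
class PortPolicy:                          # hypothetical structure for this example
    name: str                              # as typed on the CLI: "gigabitethernet 1/0/1"
    mode: str                              # port-security port-mode keyword
    max_mac: Optional[int] = None          # port-security max-mac-count
    intrusion: Optional[str] = None        # port-security intrusion-mode
    ntk: Optional[str] = None              # port-security ntk-mode
    secure_macs: list = field(default_factory=list)  # [(mac, vlan-id), ...]
    current_mode: str = "noRestrictions"   # mode the port runs before this change

def _check(cond, msg):
    if not cond:
        raise ValueError(msg)

def render(ports, disableport_timer=None, ouis=None, traps=(),
           dot1x_or_mac_auth_global=False):
    """Return the CLI lines: system view settings first, then each port."""
    _check(not dot1x_or_mac_auth_global,
           "port security cannot be enabled with global 802.1x/MAC authentication")
    lines = ["system-view", "port-security enable"]
    if disableport_timer is not None:
        _check(20 <= disableport_timer <= 300, "timer disableport: 20 to 300 s")
        lines.append(f"port-security timer disableport {disableport_timer}")
    for index, oui in sorted((ouis or {}).items()):
        _check(1 <= index <= 16, "OUI index: 1 to 16")
        lines.append(f"port-security oui {oui} index {index}")
    lines += [f"port-security trap {t}" for t in traps]
    for p in ports:
        _check(p.mode in MODES, f"{p.name}: unknown port-mode {p.mode}")
        lines.append(f"interface {p.name}")
        if p.max_mac is not None:                    # must precede autolearn
            _check(1 <= p.max_mac <= 1024, "max-mac-count: 1 to 1024")
            lines.append(f"port-security max-mac-count {p.max_mac}")
        _check(p.mode != "autolearn" or p.max_mac is not None,
               f"{p.name}: autoLearn requires max-mac-count")
        if p.current_mode != "noRestrictions":       # mode change only from the default
            lines.append("undo port-security port-mode")
        lines.append(f"port-security port-mode {p.mode}")
        _check(not p.secure_macs or p.mode == "autolearn",
               f"{p.name}: secure MAC addresses require autoLearn mode")
        for mac, vlan in p.secure_macs:
            _check(1 <= vlan <= 4094, "vlan-id: 1 to 4094")
            lines.append(f"port-security mac-address security {mac} vlan {vlan}")
        if p.intrusion is not None:
            _check(p.intrusion in INTRUSION, f"{p.name}: unknown intrusion-mode")
            lines.append(f"port-security intrusion-mode {p.intrusion}")
        if p.ntk is not None:
            _check(p.ntk in NTK, f"{p.name}: unknown ntk-mode")
            lines.append(f"port-security ntk-mode {p.ntk}")
        lines.append("quit")
    return lines
```

Generating the script this way turns the prose notes into checks that fail before anything is typed into the switch, instead of discovering on the console that autoLearn refused to start because max-mac-count was missing.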

1.1.12  port-security timer disableport

Syntax

port-security timer disableport time-value

undo port-security timer disableport

View

System view

Parameters

time-value: Silence timeout during which the port remains disabled, in seconds. It ranges from 20 to 300.

Description

Use the port-security timer disableport command to set the silence timeout during which the port remains disabled.

Use the undo port-security timer disableport command to restore the default.

By default, the silence timeout is 20 seconds.

Related commands: display port-security.

Examples

# Set the silence timeout period to 30 seconds.

<Sysname> system-view

[Sysname] port-security timer disableport 30

1.1.13  port-security trap

Syntax

port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }

undo port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }

View

System view

Parameters

addresslearned: Address learning trap. When enabled, this trap allows the system to send a trap message when a port learns a new MAC address.

dot1xlogfailure: Trap for 802.1x authentication failure.

dot1xlogon: Trap for successful 802.1x authentication.

dot1xlogoff: Trap for 802.1x user logoff events.

intrusion: Trap for illegal frames.

ralmlogfailure: Trap for MAC authentication failure.

ralmlogoff: Trap for MAC authentication user logoff events.

ralmlogon: Trap for successful MAC authentication.

Description

Use the port-security trap command to enable port security traps.

Use the undo port-security trap command to disable port security traps.

By default, no port security trap is enabled.

Related commands: display port-security.

Examples

# Enable address learning trap.

<Sysname> system-view

[Sysname] port-security trap addresslearned

 
