H3C S3100-52P Command Manual-Release 1602(V1.01)

11-Port Security-Port Binding Command

Chapter 1  Port Security Commands

 


1.1  Port Security Commands

1.1.1  display mac-address security

Syntax

display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]

View

Any view

Parameters

interface interface-type interface-number: Specify a port by its type and number; the security MAC address information of that port is displayed.

vlan vlan-id: Specify a VLAN by its ID, of which the security MAC address information is to be displayed. The value range for the vlan-id argument is 1 to 4094.

count: Displays the number of matching security MAC addresses.

Description

Use the display mac-address security command to display security MAC address entries.

If no argument is specified, the command displays information about all security MAC address entries.

For each security MAC address entry, the output of the command displays the MAC address, the VLAN that the MAC address belongs to, state of the MAC address (which is always security), port associated with the MAC address, and the remaining lifetime of the entry.

By checking the output of this command, you can verify the current configuration.

Examples

# Display information about all security MAC address entries.

<Sysname> display mac-address security

MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)

0000-0000-0001  1        Security      Ethernet1/0/20         NOAGED

0000-0000-0002  1        Security      Ethernet1/0/20         NOAGED

0000-0000-0003  1        Security      Ethernet1/0/20         NOAGED

0000-0000-0004  1        Security      Ethernet1/0/20         NOAGED

0000-0000-0001  2        Security      Ethernet1/0/22         NOAGED

0000-0000-0007  2        Security      Ethernet1/0/22         NOAGED

 

  ---  6 mac address(es) found  ---

# Display the security MAC address entries for port Ethernet 1/0/20.

<Sysname> display mac-address security interface Ethernet 1/0/20

MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)

0000-0000-0001  1        Security      Ethernet1/0/20         NOAGED

0000-0000-0002  1        Security      Ethernet1/0/20         NOAGED

0000-0000-0003  1        Security      Ethernet1/0/20         NOAGED

0000-0000-0004  1        Security      Ethernet1/0/20         NOAGED

 

  ---  4 mac address(es) found on port Ethernet1/0/20 ---

# Display the security MAC address entries for VLAN 1.

<Sysname> display mac-address security vlan 1

MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)

0000-0000-0001  1        Security      Ethernet1/0/20         NOAGED

0000-0000-0002  1        Security      Ethernet1/0/20         NOAGED

0000-0000-0003  1        Security      Ethernet1/0/20         NOAGED

0000-0000-0004  1        Security      Ethernet1/0/20         NOAGED

 

  ---  4 mac address(es) found in vlan 1 ---

# Display the total number of security MAC address entries.

<Sysname> display mac-address security count

 6 mac address(es) found

# Display the number of security MAC address entries for VLAN 1.

<Sysname> display mac-address security vlan 1 count

 4 mac address(es) found in vlan 1

Table 1-1 Description on the fields of the display mac-address security command

Field                  Description
MAC ADDR               Security MAC address
VLAN ID                VLAN that the MAC address belongs to
STATE                  MAC address type, which is always Security for a security MAC address
PORT INDEX             Port associated with the MAC address
AGING TIME(s)          Remaining lifetime of the MAC address entry
mac address(es) found  Number of matching security MAC addresses
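As an added example (not part of the H3C manual), the following Python script parses the table format shown above. It reads the entries, checks that the "mac address(es) found" trailer agrees with the number of rows parsed, totals the entries per port, and lists any MAC address that appears as a security entry on more than one port, which is worth a second look when reviewing a configuration. The sample output is constructed from the entries above; the function and variable names are this example's own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of "display mac-address security" shown above.
SAMPLE_OUTPUT = """\
MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)
0000-0000-0001  1        Security      Ethernet1/0/20         NOAGED
0000-0000-0002  1        Security      Ethernet1/0/20         NOAGED
0000-0000-0003  1        Security      Ethernet1/0/20         NOAGED
0000-0000-0004  1        Security      Ethernet1/0/20         NOAGED
0000-0000-0001  2        Security      Ethernet1/0/22         NOAGED
0000-0000-0007  2        Security      Ethernet1/0/22         NOAGED

  ---  6 mac address(es) found  ---
"""

# One table row: MAC in H-H-H form, VLAN ID, state, port, aging time.
ENTRY_RE = re.compile(
    r"^\s*([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)
# The trailer line, with or without the "on port ..." / "in vlan ..." suffix.
TRAILER_RE = re.compile(r"---\s*(\d+) mac address\(es\) found")


def parse_security_table(text: str) -> Tuple[List[dict], Optional[int]]:
    """Return (entries, reported_count); reported_count is None if no trailer was found."""
    entries = []
    reported = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            mac, vlan, state, port, aging = m.groups()
            entries.append({"mac": mac.lower(), "vlan": int(vlan), "state": state,
                            "port": port, "aging": aging})
            continue
        t = TRAILER_RE.search(line)
        if t:
            reported = int(t.group(1))
    return entries, reported


def count_matches(text: str) -> bool:
    """True when the switch's own count agrees with the rows actually parsed."""
    entries, reported = parse_security_table(text)
    return reported is not None and reported == len(entries)


def entries_per_port(text: str) -> Dict[str, int]:
    """Number of security MAC entries on each port."""
    per_port: Dict[str, int] = defaultdict(int)
    for entry in parse_security_table(text)[0]:
        per_port[entry["port"]] += 1
    return dict(per_port)


def macs_on_multiple_ports(text: str) -> Dict[str, List[str]]:
    """MAC addresses that are security entries on more than one port (in any VLAN)."""
    ports: Dict[str, set] = defaultdict(set)
    for entry in parse_security_table(text)[0]:
        ports[entry["mac"]].add(entry["port"])
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}


if __name__ == "__main__":
    print("count consistent:", count_matches(SAMPLE_OUTPUT))
    print("per port:", entries_per_port(SAMPLE_OUTPUT))
    print("on several ports:", macs_on_multiple_ports(SAMPLE_OUTPUT))
```

The per-port and per-VLAN variants of the command produce the same row format with a different trailer, so the same parser works on their output as well.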

 

1.1.2  display port-security

Syntax

display port-security [ interface interface-list ]

View

Any view

Parameters

interface interface-list: Specify a list of Ethernet ports of which the port security configurations are to be displayed. For the interface-list argument, you can specify individual ports and port ranges. An individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2, with interface-number2 taking a value greater than interface-number1. The total number of individual ports and port ranges defined in the list must not exceed 10.

Description

Use the display port-security command to display port security configurations.

If no interface is specified, the command displays the port security configurations of all Ethernet ports.

The output of the command includes the global configurations (such as whether port security is enabled on the switch and whether the sending of specified Trap messages is enabled) and port configurations (such as the security mode and the port security features).

By checking the output of this command, you can verify the current configuration.

Examples

# Display the global port security configurations and those of all ports.

<Sysname> display port-security

 Equipment port-security is enabled

 AddressLearn trap is Enabled

 Intrusion trap is Enabled

 Dot1x logon trap is Enabled

 Dot1x logoff trap is Enabled

 Dot1x logfailure trap is Enabled

 RALM logon trap is Enabled

 RALM logoff trap is Enabled

 RALM logfailure trap is Enabled

 Disableport Timeout: 20 s

 OUI value:

   Index is 5,  OUI value is 000100

 Ethernet1/0/1 is link-up

   Port mode is AutoLearn

   NeedtoKnow mode is needtoknowonly

   Intrusion mode is BlockMacaddress

   Max mac-address num is 4

   Stored mac-address num is 0

   Authorization is ignore

(The rest of the information is omitted.)

# Display the port security configurations of ports Ethernet 1/0/1 to Ethernet 1/0/3.

<Sysname> display port-security interface Ethernet 1/0/1 to Ethernet 1/0/3

 Ethernet1/0/1 is link-up

   Port mode is AutoLearn

   NeedtoKnow mode is needtoknowonly

   Intrusion mode is BlockMacaddress

   Max mac-address num is 4

   Stored mac-address num is 0

   Authorization is ignore

 Ethernet1/0/2 is link-down

   Port mode is AutoLearn

   NeedtoKnow mode is disabled

   Intrusion mode is no action

   Max mac-address num is not configured

   Stored mac-address num is 0

   Authorization is ignore

 Ethernet1/0/3 is link-down

   Port mode is AutoLearn

   NeedtoKnow mode is disabled

   Intrusion mode is BlockMacaddress

   Max mac-address num is not configured

   Stored mac-address num is 0

   Authorization is ignore          

Table 1-2 Description on the fields of the display port-security command

Field                               Description
Equipment port-security is enabled  Port security is enabled on the switch.
AddressLearn trap is Enabled        The sending of address-learning trap messages is enabled.
Intrusion trap is Enabled           The sending of intrusion-detection trap messages is enabled.
Dot1x logon trap is Enabled         The sending of 802.1x user authentication success trap messages is enabled.
Dot1x logoff trap is Enabled        The sending of 802.1x user logoff trap messages is enabled.
Dot1x logfailure trap is Enabled    The sending of 802.1x user authentication failure trap messages is enabled.
RALM logon trap is Enabled          The sending of MAC-based authentication success trap messages is enabled.
RALM logoff trap is Enabled         The sending of logoff trap messages for MAC-based authenticated users is enabled.
RALM logfailure trap is Enabled     The sending of MAC-based authentication failure trap messages is enabled.
Disableport Timeout: 20 s           The temporary port-disabling time is 20 seconds.
OUI value                           The next line displays the OUI value.
Index                               OUI index
Ethernet1/0/1 is link-up            The link status of port Ethernet 1/0/1 is up.
Port mode is AutoLearn              The security mode of the port is autolearn.
NeedtoKnow mode is needtoknowonly   The NTK (Need To Know) mode is ntkonly.
Intrusion mode is BlockMacaddress   The intrusion detection mode is BlockMacaddress.
Max mac-address num is 4            The maximum number of MAC addresses allowed on the port is 4.
Stored mac-address num is 0         No MAC address is stored.
Authorization is ignore             Authorization information delivered by the Remote Authentication Dial-In User Service (RADIUS) server will not be applied to the port.
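The output of display port-security is the natural input for a configuration review. The following Python script is an added example, not H3C code: it parses the global section and each port block into dictionaries, then flags ports with no intrusion protection ("Intrusion mode is no action"), ports with no max-mac-count limit, and ports whose stored count has reached the limit, plus switch-wide settings such as intrusion traps being off. The sample output is constructed from the outputs shown in this manual; the dictionary keys and function names are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the display port-security output shown above
# (Ethernet1/0/1 here is in secure mode with its MAC limit reached).
SAMPLE_OUTPUT = """\
 Equipment port-security is enabled
 AddressLearn trap is Enabled
 Intrusion trap is Enabled
 Dot1x logon trap is Enabled
 Disableport Timeout: 20 s
 OUI value:
   Index is 5,  OUI value is 000100
 Ethernet1/0/1 is link-up
   Port mode is Secure
   NeedtoKnow mode is needtoknowonly
   Intrusion mode is BlockMacaddress
   Max mac-address num is 2
   Stored mac-address num is 2
   Authorization is permit
 Ethernet1/0/2 is link-down
   Port mode is AutoLearn
   NeedtoKnow mode is disabled
   Intrusion mode is no action
   Max mac-address num is not configured
   Stored mac-address num is 0
   Authorization is ignore
"""

PORT_RE = re.compile(r"^\s*(\S+) is (link-up|link-down)\s*$")
ATTR_RE = re.compile(r"^\s+(Port mode|NeedtoKnow mode|Intrusion mode|Max mac-address num|"
                     r"Stored mac-address num|Authorization) is (.+?)\s*$")
TRAP_RE = re.compile(r"^\s*(.+?) trap is (Enabled|Disabled)\s*$")
ENABLED_RE = re.compile(r"^\s*Equipment port-security is (enabled|disabled)\s*$")
TIMEOUT_RE = re.compile(r"^\s*Disableport Timeout:\s*(\d+) s\s*$")


def parse_port_security(text: str) -> dict:
    """Split the output into global settings and a per-port dict of attribute -> value."""
    result = {"enabled": None, "traps": {}, "disableport_timeout": None, "ports": {}}
    current = None   # name of the port block being read
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = m.group(1)
            result["ports"][current] = {"link": m.group(2)}
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            result["ports"][current][m.group(1)] = m.group(2)
            continue
        m = TRAP_RE.match(line)
        if m:
            result["traps"][m.group(1)] = m.group(2) == "Enabled"
            continue
        m = ENABLED_RE.match(line)
        if m:
            result["enabled"] = m.group(1) == "enabled"
            continue
        m = TIMEOUT_RE.match(line)
        if m:
            result["disableport_timeout"] = int(m.group(1))
    return result


def audit(parsed: dict) -> Dict[str, List[str]]:
    """Findings a reviewer would raise, keyed by port name ("global" for switch-wide settings)."""
    findings: Dict[str, List[str]] = {"global": []}
    if parsed["enabled"] is not True:
        findings["global"].append("port security is not enabled on the switch")
    if not parsed["traps"].get("Intrusion"):
        findings["global"].append("intrusion traps are disabled: intrusion events will not be notified")
    for name, attrs in parsed["ports"].items():
        issues = []
        if attrs.get("Intrusion mode") == "no action":
            issues.append("no intrusion protection configured")
        max_num = attrs.get("Max mac-address num", "")
        stored = attrs.get("Stored mac-address num", "")
        if max_num == "not configured":
            issues.append("no max-mac-count limit on this port")
        elif max_num.isdigit() and stored.isdigit() and int(stored) >= int(max_num):
            issues.append("MAC limit reached: further unknown source MACs trigger intrusion protection")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for where, issues in audit(parse_port_security(SAMPLE_OUTPUT)).items():
        print(where, issues)
```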

 

1.1.3  mac-address security

Syntax

In system view:

mac-address security mac-address interface interface-type interface-number vlan vlan-id

undo mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]

In Ethernet port view:

mac-address security mac-address vlan vlan-id

undo mac-address security [ [ mac-address ] vlan vlan-id ]

View

System view, Ethernet port view

Parameters

mac-address: Security MAC address, in the H-H-H format.

interface interface-type interface-number: Specify the port on which the security MAC address is to be added. The interface-type interface-number arguments indicate the port type and port number.

vlan vlan-id: Specify the VLAN to which the MAC address belongs. The vlan-id argument specifies a VLAN ID in the range 1 to 4094.

Description

Use the mac-address security command to create a security MAC address entry.

Use the undo mac-address security command to remove a security MAC address.

By default, no security MAC address entry is configured.

 

Note:

- The mac-address security command can be configured successfully only when port security is enabled and the security mode is autolearn.

- To create a security MAC address entry successfully, you must make sure that the specified VLAN is carried on the specified port.

 

Examples

# Enable port security; configure the port security mode of Ethernet 1/0/1 as autolearn and create a security MAC address entry for 0001-0001-0001, setting the associated port to Ethernet 1/0/1 and assigning the MAC address to VLAN 1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] port-security enable

[Sysname] interface Ethernet1/0/1

[Sysname-Ethernet1/0/1] port-security max-mac-count 100

[Sysname-Ethernet1/0/1] port-security port-mode autolearn

[Sysname-Ethernet1/0/1] mac-address security 0001-0001-0001 vlan 1

# Use the display mac-address interface command to verify the configuration result.

[Sysname]display mac-address interface Ethernet 1/0/1

MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)

0001-0001-0001  1         Security    Ethernet1/0/1            NOAGED

 

  ---  1 mac address(es) found on port Ethernet1/0/1 ---

1.1.4  port-security enable

Syntax

port-security enable

undo port-security enable

View

System view

Parameters

None

Description

Use the port-security enable command to enable port security.

Use the undo port-security enable command to disable port security.

By default, port security is disabled.

 

  Caution:

Enabling port security resets the following configurations on the ports to the defaults (as shown in parentheses below):

- 802.1x (disabled), port access control method (macbased), and port access control mode (auto)

- MAC authentication (disabled)

In addition, you cannot perform the above-mentioned configurations manually because these configurations change with the port security mode automatically.

 

Related commands: display port-security.

Examples

# Enable port security.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] port-security enable

 Notice: The port-control of 802.1x will be restricted to auto when port-security is enabled.

 Please wait... Done.

1.1.5  port-security intrusion-mode

Syntax

port-security intrusion-mode { blockmac | disableport | disableport-temporarily }

undo port-security intrusion-mode

View

Ethernet port view

Parameters

blockmac: Adds the source MAC addresses of illegal packets to the blocked MAC address list. As a result, the packets sourced from the blocked MAC addresses will be filtered out. A blocked MAC address will be unblocked three minutes (not user configurable) after the block action.

disableport: Disables a port permanently once an illegal frame or event is detected on it.

disableport-temporarily: Disables a port for a specified period of time after an illegal frame or event is detected on it. You can set the period with the port-security timer disableport command.

Description

Use the port-security intrusion-mode command to set intrusion protection.

Use the undo port-security intrusion-mode command to disable intrusion protection.

By default, intrusion protection is not configured.

 

Note:

By checking the source MAC addresses in inbound data frames, or the username and password in 802.1x authentication requests on a port, intrusion protection detects illegal packets (packets with illegal MAC addresses) or events and takes a pre-set action accordingly. The actions you can set include disconnecting the port temporarily or permanently and blocking packets with invalid MAC addresses.

The following cases can trigger intrusion protection on a port:

- A packet with an unknown source MAC address is received on the port while MAC address learning is disabled on the port.

- A packet with an unknown source MAC address is received on the port while the number of security MAC addresses on the port has reached the preset maximum.

- The user fails 802.1x or MAC address authentication.

 

After executing the port-security intrusion-mode blockmac command, the display port-security command is the only way to view the blocked MAC addresses.
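To make the trigger conditions and actions above concrete, the following Python model is an added example (not H3C code and not a description of the switch's internal implementation). It models one port that learns MAC addresses in autolearn mode until the configured max-mac-count is reached, switches to secure mode, and then treats an unknown source MAC as an intrusion event handled by blockmac (blocked for the fixed three minutes), disableport (permanent, until undo shutdown) or disableport-temporarily (for the port-security timer disableport value). The MAC addresses and timestamps are constructed; the class and function names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Fixed by the switch: a MAC blocked by blockmac is unblocked after three minutes.
BLOCK_SECONDS = 180


@dataclass
class SecurePort:
    """Simplified model of one port in autolearn/secure mode with intrusion protection.

    Illustrative model written for this example: it tracks the security MAC table,
    the blocked-MAC list and the port-disabled state.
    """
    max_mac_count: int                      # port-security max-mac-count
    intrusion_mode: Optional[str]           # "blockmac", "disableport", "disableport-temporarily" or None
    disableport_timer: int = 20             # port-security timer disableport (20 to 300 s)
    mode: str = "autolearn"                 # "autolearn" until the limit is reached, then "secure"
    security_macs: Set[str] = field(default_factory=set)
    blocked: Dict[str, float] = field(default_factory=dict)   # mac -> time the block expires
    disabled_until: Optional[float] = None  # None: port up; inf: permanently disabled
    intrusions: List[Tuple[float, str]] = field(default_factory=list)

    def undo_shutdown(self) -> None:
        """Bring a permanently disabled port back up (undo shutdown in the manual)."""
        self.disabled_until = None

    def receive(self, src_mac: str, now: float) -> str:
        """Process one inbound frame at time `now` (seconds); return 'forward' or 'drop'."""
        if self.disabled_until is not None:
            if now < self.disabled_until:
                return "drop"               # port is (temporarily or permanently) disabled
            self.disabled_until = None      # temporary disable period has elapsed
        if src_mac in self.blocked:
            if now < self.blocked[src_mac]:
                return "drop"               # source MAC is on the blocked list
            del self.blocked[src_mac]       # three minutes passed: unblock
        if src_mac in self.security_macs:
            return "forward"
        if self.mode == "autolearn":
            self.security_macs.add(src_mac)
            if len(self.security_macs) >= self.max_mac_count:
                self.mode = "secure"        # limit reached: learning stops
            return "forward"
        # Secure mode and unknown source MAC: this is an intrusion event.
        self.intrusions.append((now, src_mac))
        if self.intrusion_mode == "blockmac":
            self.blocked[src_mac] = now + BLOCK_SECONDS
        elif self.intrusion_mode == "disableport":
            self.disabled_until = float("inf")
        elif self.intrusion_mode == "disableport-temporarily":
            self.disabled_until = now + self.disableport_timer
        return "drop"


def blockmac_scenario() -> List[str]:
    """Two legal hosts fill a max-mac-count of 2; a third MAC is then blocked for 180 s."""
    port = SecurePort(max_mac_count=2, intrusion_mode="blockmac")
    frames = [("aaaa-0000-0001", 0), ("aaaa-0000-0002", 1),
              ("bbbb-0000-0003", 10),   # unknown MAC in secure mode -> blocked
              ("aaaa-0000-0001", 20),   # legal host still forwarded
              ("bbbb-0000-0003", 100),  # still within the 180 s block
              ("bbbb-0000-0003", 200)]  # block expired, but still unknown -> new intrusion
    return [port.receive(mac, t) for mac, t in frames]


def temporary_disable_scenario() -> List[str]:
    """With disableport-temporarily and timer 30, the whole port drops for 30 s after an intrusion."""
    port = SecurePort(max_mac_count=1, intrusion_mode="disableport-temporarily", disableport_timer=30)
    frames = [("aaaa-0000-0001", 0),    # learned; limit of 1 reached -> secure
              ("bbbb-0000-0002", 10),   # intrusion -> port disabled until t=40
              ("aaaa-0000-0001", 20),   # even the legal host is dropped while disabled
              ("aaaa-0000-0001", 45)]   # port re-enabled after 30 s
    return [port.receive(mac, t) for mac, t in frames]


def permanent_disable_scenario() -> List[str]:
    """With disableport, the port stays down until undo shutdown."""
    port = SecurePort(max_mac_count=1, intrusion_mode="disableport")
    results = [port.receive("aaaa-0000-0001", 0), port.receive("bbbb-0000-0002", 10),
               port.receive("aaaa-0000-0001", 500)]
    port.undo_shutdown()
    results.append(port.receive("aaaa-0000-0001", 510))
    return results
```

The model keeps the manual's rule that a port in secure mode forwards only frames whose source is a security MAC address; a MAC that was blocked and unblocked is still unknown, so it triggers intrusion protection again on its next frame.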

Related commands: display port-security, port-security timer disableport.

Examples

# Configure the intrusion protection mode on Ethernet 1/0/1 as blockmac.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] port-security intrusion-mode blockmac

# Display information about blocked MAC addresses after intrusion protection is triggered.

<Sysname> display port-security

 Equipment port-security is enabled

 AddressLearn trap is Enabled

 Intrusion trap is Enabled

 Dot1x logon trap is Enabled

 Dot1x logoff trap is Enabled

 Dot1x logfailure trap is Enabled

 RALM logon trap is Enabled

 RALM logoff trap is Enabled

 RALM logfailure trap is Enabled

 Disableport Timeout: 20 s

 OUI value:

   Index is 5,  OUI value is 000100

 Blocked Mac info:

          MAC ADDR             From Port                  Vlan

          --- On unit 1, 2 blocked mac address(es) found. ---

          0000-0000-0003       Ethernet1/0/1              1

          0000-0000-0004       Ethernet1/0/1              1

          --- 2 blocked mac address(es) found. ---

Ethernet1/0/1 is link-up

   Port mode is Secure

   NeedtoKnow mode is disabled

   Intrusion mode is BlockMacaddress

   Max mac-address num is 2

   Stored mac-address num is 2

   Authorization is permit     

For a description of the output information, refer to Table 1-2.

# Configure the intrusion protection mode on Ethernet 1/0/1 as disableport-temporarily. As a result, the port will be disconnected when intrusion protection is triggered and then re-enabled 30 seconds later.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] port-security timer disableport 30

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily

# Configure the intrusion protection mode on Ethernet 1/0/1 as disableport. As a result, when intrusion protection is triggered, the port will be disconnected permanently.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] port-security intrusion-mode disableport

 

Note:

You can bring up a port that has been permanently disabled by running the undo shutdown command or disabling port security on the port.

 

1.1.6  port-security authorization ignore

Syntax

port-security authorization ignore

undo port-security authorization ignore

View

Ethernet port view

Parameters

None

Description

Use the port-security authorization ignore command to configure the port to ignore the authorization information delivered by the RADIUS server.

Use the undo port-security authorization ignore command to restore the default configuration.

By default, the port uses (does not ignore) the authorization information delivered by the RADIUS server.

You can use the display port-security command to check whether the port will use the authorization information delivered by the RADIUS server.

 

Note:

After a RADIUS user passes authentication, the RADIUS server authorizes the attributes configured for the user account such as the dynamic VLAN configuration. For more information, refer to AAA Command.

 

Examples

# Configure Ethernet 1/0/2 to ignore the authorization information delivered by the RADIUS server.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet 1/0/2

[Sysname-Ethernet1/0/2] port-security authorization ignore

1.1.7  port-security max-mac-count

Syntax

port-security max-mac-count count-value

undo port-security max-mac-count

View

Ethernet port view

Parameters

count-value: Maximum number of MAC addresses allowed on the port, in the range of 1 to 1024.

Description

Use the port-security max-mac-count command to set the maximum number of MAC addresses allowed on the port.

Use the undo port-security max-mac-count command to cancel this limit.

By default, there is no limit on the number of MAC addresses allowed on the port.

 

Note:

By configuring the maximum number of MAC addresses allowed on a port, you can:

- Limit the number of users accessing the network through the port.

- Limit the number of security MAC addresses that can be added on the port.

When the maximum number of MAC addresses allowed on a port is reached, the port will not allow more users to access the network through this port.

 

  Caution:

- The limit set by the port-security max-mac-count command is independent of the maximum number of MAC addresses that can be learned on a port, as configured in MAC address management.

- When there are online users on a port, you cannot execute the port-security max-mac-count command on the port.

 

Examples

# Set the maximum number of MAC addresses allowed on the port to 100.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] port-security enable

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] port-security max-mac-count 100

1.1.8  port-security ntk-mode

Syntax

port-security ntk-mode { ntkonly | ntk-withbroadcasts | ntk-withmulticasts }

undo port-security ntk-mode

View

Ethernet port view

Parameters

ntkonly: Allows the port to transmit only unicast packets with successfully-authenticated destination MAC addresses.

ntk-withbroadcasts: Allows the port to transmit broadcast packets and unicast packets with successfully-authenticated destination MAC addresses.

ntk-withmulticasts: Allows the port to transmit multicast packets, broadcast packets and unicast packets with successfully-authenticated destination MAC addresses.

Description

Use the port-security ntk-mode command to configure the NTK feature on the port.

Use the undo port-security ntk-mode command to restore the default setting.

By default, NTK is disabled on a port, that is, all frames are allowed to be sent.

 

Note:

By checking the destination MAC addresses of the data frames to be sent from a port, the NTK feature ensures that only successfully authenticated devices can receive data frames from the port, thus preventing illegal devices from intercepting network data.

 

Examples

# Set the NTK feature to ntk-withbroadcasts on Ethernet 1/0/1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] port-security enable

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] port-security ntk-mode ntk-withbroadcasts

1.1.9  port-security oui

Syntax

port-security oui OUI-value index index-value

undo port-security oui index index-value

View

System view

Parameters

OUI-value: OUI value. You can input a 48-bit MAC address in the form of H-H-H for this argument and the system will take the first 24 bits as the OUI value and ignore the rest.

index-value: OUI index, ranging from 1 to 16.

 

Note:

The organizationally unique identifiers (OUIs) are assigned by the IEEE to different vendors. Each OUI uniquely identifies an equipment vendor in the world and is the higher 24 bits of a MAC address.

 

Description

Use the port-security oui command to set an OUI value for authentication.

Use the undo port-security oui command to cancel the OUI value setting.

By default, no OUI value is set for authentication.

 

  Caution:

- The OUI value set by this command takes effect only when the security mode of the port is set to userLoginWithOUI by the port-security port-mode command.

- The OUI value set by this command cannot be a multicast MAC address.

 

Related commands: port-security port-mode.
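As an added example (not H3C code), the following Python helper applies the rules stated for this command before a port-security oui line is pushed to a switch: it takes the upper 24 bits of the H-H-H value as the OUI, rejects a multicast OUI (the I/G bit, the least significant bit of the first octet, is set), checks the 1 to 16 index range, and, as an extra operational check of this example's own, refuses to overwrite an index that already appears in the "OUI value" section of display port-security output. The function names are this example's own; 00ef-ec00-0000 is the value from the manual's example and 0100-5e00-0001 is a constructed multicast address.

```python
import re
from typing import Dict

MAC_HHH_RE = re.compile(r"^([0-9a-fA-F]{4})-([0-9a-fA-F]{4})-([0-9a-fA-F]{4})$")
# Matches the "Index is 5,  OUI value is 000100" lines of display port-security.
OUI_LINE_RE = re.compile(r"Index is (\d+),\s*OUI value is ([0-9a-fA-F]{6})")


def oui_from_mac(mac: str) -> str:
    """Take the upper 24 bits of an H-H-H MAC address as the OUI (six hex digits), as the command does."""
    m = MAC_HHH_RE.match(mac)
    if not m:
        raise ValueError(f"{mac!r} is not an H-H-H MAC address")
    return "".join(m.groups()).lower()[:6]


def is_multicast_oui(oui: str) -> bool:
    """The I/G bit (least significant bit of the first octet) set means a group/multicast address."""
    return int(oui[:2], 16) & 0x01 == 1


def parse_oui_table(display_output: str) -> Dict[int, str]:
    """Index -> OUI from the OUI value section of display port-security output."""
    return {int(m.group(1)): m.group(2).lower() for m in OUI_LINE_RE.finditer(display_output)}


def check_oui_command(mac: str, index: int, existing: Dict[int, str]) -> str:
    """Validate an intended 'port-security oui <mac> index <n>' and return the OUI it would set.

    Raises ValueError for a multicast OUI or an index outside 1 to 16 (both stated by the
    manual) and for an index already holding a different OUI (extra check of this example).
    """
    oui = oui_from_mac(mac)
    if is_multicast_oui(oui):
        raise ValueError(f"{mac}: OUI {oui} is a multicast address and cannot be used")
    if not 1 <= index <= 16:
        raise ValueError(f"index {index} is outside the range 1 to 16")
    if index in existing and existing[index] != oui:
        raise ValueError(f"index {index} already holds OUI {existing[index]}")
    return oui


def rejects(mac: str, index: int, existing: Dict[int, str]) -> bool:
    """True when check_oui_command refuses the combination."""
    try:
        check_oui_command(mac, index, existing)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    table = parse_oui_table("   Index is 5,  OUI value is 000100")
    print(check_oui_command("00ef-ec00-0000", 6, table))
    print(rejects("0100-5e00-0001", 7, table))
```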

Examples

# Configure an OUI value of 00ef-ec00-0000, setting the OUI index to 5.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] port-security oui 00ef-ec00-0000 index 5

1.1.10  port-security port-mode

Syntax

port-security port-mode { autolearn | mac-and-userlogin-secure | mac-and-userlogin-secure-ext | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }

undo port-security port-mode

View

Ethernet port view

Parameters

Table 1-3 describes the security mode keywords.

Table 1-3 Keyword description

Each entry lists the keyword, the security mode it selects (in parentheses), and a description of the mode.

autolearn (security mode: autolearn)
    In this mode, MAC addresses learned on the port become security MAC addresses.
    When the number of security MAC addresses exceeds the maximum number of MAC addresses configured by the port-security max-mac-count command, the port security mode changes to secure automatically.
    After that, no more security MAC addresses can be added to the port, and only packets whose source MAC addresses are security MAC addresses or already configured dynamic MAC addresses can pass through the port.

mac-and-userlogin-secure (security mode: macAddressAndUserLoginSecure)
    In this mode, users trying to access the network through the port must first pass MAC address authentication and then 802.1x authentication.
    Only one user can access the network through the port at a time.

mac-and-userlogin-secure-ext (security mode: macAddressAndUserLoginSecureExt)
    This mode is similar to the macAddressAndUserLoginSecure mode, except that more than one user can access the network through the port.

mac-authentication (security mode: macAddressWithRadius)
    In this mode, MAC address authentication is applied to users trying to access the network.

mac-else-userlogin-secure (security mode: macAddressElseUserLoginSecure)
    In this mode, MAC address authentication is applied to users first. If it succeeds, the users can access the network. If not, 802.1x authentication is applied.
    Only one 802.1x-authenticated user can access the network through the port, but there can be more than one MAC-address-authenticated user on the port at the same time.

mac-else-userlogin-secure-ext (security mode: macAddressElseUserLoginSecureExt)
    This mode is similar to the macAddressElseUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.

secure (security mode: secure)
    In this mode, MAC address learning is disabled on the current port. Only packets whose source MAC addresses are security MAC addresses or already configured static or dynamic MAC addresses can pass through the port.

userlogin (security mode: userlogin)
    In this mode, 802.1x authentication is applied to users trying to access the network through the current port.

userlogin-secure (security mode: userLoginSecure)
    In this mode, MAC-based 802.1x authentication is applied to users trying to access the network through the port. The port is enabled when the authentication succeeds and allows packets from authenticated users to pass through.
    Only one 802.1x-authenticated user can access the network through the port.
    When the security mode of the port changes from noRestriction to this mode, the old dynamic MAC address entries and authenticated MAC address entries kept on the port are deleted automatically.

userlogin-secure-ext (security mode: userLoginSecureExt)
    This mode is similar to the userLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.

userlogin-secure-or-mac (security mode: macAddressOrUserLoginSecure)
    MAC address authentication and 802.1x authentication can coexist on the port, with 802.1x authentication having higher priority.
    802.1x authentication can be applied to users who have already passed MAC address authentication; users who have already passed 802.1x authentication do not need to go through MAC address authentication.
    Only one 802.1x-authenticated user can access the network through the port, but there can be more than one MAC-address-authenticated user on the port.

userlogin-secure-or-mac-ext (security mode: macAddressOrUserLoginSecureExt)
    This mode is similar to the macAddressOrUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port.

userlogin-withoui (security mode: userLoginWithOUI)
    Similar to the userLoginSecure mode, in this mode there can be only one 802.1x-authenticated user on the port. However, the port also allows packets carrying the configured OUI address to pass through.
    When the security mode of the port changes from noRestriction to this mode, the old dynamic MAC address entries and authenticated MAC address entries kept on the port are deleted automatically.

 

Description

Use the port-security port-mode command to set the security mode of the port.

Use the undo port-security port-mode command to restore the default mode.

By default, the port is in the noRestriction mode, namely access to the port is not restricted.

 

Note:

- Before setting the security mode to autolearn, you need to use the port-security max-mac-count command to configure the maximum number of MAC addresses allowed on the port.

- When a port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port.

- After setting the security mode to autolearn, you cannot configure static or blackhole MAC addresses on the port.

- If the port security mode is already something other than noRestriction, use the undo port-security port-mode command to change it back to noRestriction before you set another mode.

 

On a port configured with a security mode, you cannot do the following:

- Configure the maximum number of MAC addresses that can be learned.

- Configure the port as a reflector port for port mirroring.

- Configure link aggregation.

Related commands: display port-security.

Examples

# Set the security mode of Ethernet 1/0/1 on the switch to userLogin.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] port-security enable

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] port-security port-mode userlogin

1.1.11  port-security timer disableport

Syntax

port-security timer disableport timer

undo port-security timer disableport

View

System view

Parameters

timer: Port-disabling time in seconds, in the range 20 to 300.

Description

Use the port-security timer disableport command to set the time during which the system temporarily disables a port.

Use the undo port-security timer disableport command to restore the default time.

By default, the system disables a port for 20 seconds.

 

Note:

The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled.

 

Related commands: port-security intrusion-mode.

Examples

# Set the intrusion protection mode on Ethernet 1/0/1 to disableport-temporarily. It is required that when intrusion protection is triggered, the port be shut down temporarily and then go up 30 seconds later.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] port-security timer disableport 30

[Sysname] interface Ethernet 1/0/1

[Sysname-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily

1.1.12  port-security trap

Syntax

port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }

undo port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }

View

System view

Parameters

addresslearned: Enables/disables sending traps for MAC address learning events.

dot1xlogfailure: Enables/disables sending traps for 802.1x authentication failures.

dot1xlogoff: Enables/disables sending traps for 802.1x-authenticated user logoff events.

dot1xlogon: Enables/disables sending traps for 802.1x-authenticated user logon events.

intrusion: Enables/disables sending traps for detections of intrusion packets.

ralmlogfailure: Enables/disables sending traps for MAC authentication failures.

ralmlogoff: Enables/disables sending traps for MAC-authenticated user logoff events.

ralmlogon: Enables/disables sending traps for MAC-authenticated user logon events.

 

Note:

RADIUS authenticated login using MAC-address (RALM) refers to MAC-based RADIUS authentication.

 

Description

Use the port-security trap command to enable the sending of specified type(s) of trap messages.

Use the undo port-security trap command to disable the sending of specified type(s) of trap messages.

By default, the system disables the sending of all types of trap messages.

 

Note:

This command is based on the device tracking feature, which enables the switch to send trap messages when special data packets (generated by illegal intrusion, abnormal user logon/logoff, or other special activities) pass through a port, helping the network administrator to monitor such activities.

 

When you use the display port-security command to display global information, the system will display which types of trap messages are allowed to send.

Related commands: display port-security.

Examples

# Allow the sending of intrusion packet-detected trap messages.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] port-security trap intrusion

# Use the display port-security command to display the related configuration information.

<Sysname> display port-security

 Equipment port-security is enabled

 Intrusion trap is Enabled

 Disableport Timeout: 20 s

 OUI value:

 Ethernet1/0/1 is link-down

   Port mode is AutoLearn

   NeedtoKnow mode is needtoknowonly

   Intrusion mode is disableportTemporarily

   Max mac-address num is 4

   Stored mac-address num is 0

   Authorization is ignore

The rest of the information is omitted, if any.

For a description of the output information, refer to Table 1-2.

 


Chapter 2  Port Binding Commands

2.1  Port Binding Commands

2.1.1  am user-bind

Syntax

In system view:

am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number

undo am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number

In Ethernet port view:

am user-bind mac-addr mac-address ip-addr ip-address

undo am user-bind mac-addr mac-address ip-addr ip-address

View

System view, Ethernet port view

Parameters

interface interface-type interface-number: Specify the port to be bound. The interface-type interface-number arguments specify the port type and port number.

ip-addr ip-address: Specify the IP address to be bound.

mac-addr mac-address: Specify the MAC address to be bound. The mac-address argument is in the form of H-H-H.

Description

Use the am user-bind command to bind the MAC address and IP address of a user to a specified port.

Use the undo am user-bind command to cancel the binding.

After the binding, the switch forwards a packet received on the port only if it comes from the bound MAC address and IP address.

By default, no user MAC address or IP address is bound to a port.

Note:

- An IP address can be bound with only one port at a time.

- A MAC address can be bound with only one port at a time.

 

Examples

# In system view, bind the MAC address 000f-e200-5101 and IP address 10.153.1.1 (supposing they are MAC and IP addresses of a legal user) to Ethernet 1/0/1.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] am user-bind mac-addr 000f-e200-5101 ip-addr 10.153.1.1 interface Ethernet1/0/1

# In Ethernet port view, bind the MAC address 000f-e200-5102 and IP address 10.153.1.2 (supposing they are MAC and IP addresses of a legal user) to Ethernet 1/0/2.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] interface Ethernet1/0/2

[Sysname-Ethernet1/0/2] am user-bind mac-addr 000f-e200-5102 ip-addr 10.153.1.2

2.1.2  display am user-bind

Syntax

display am user-bind [ interface interface-type interface-number | ip-addr ip-address | mac-addr mac-address ]

View

Any view

Parameters

interface interface-type interface-number: Specify the port whose binding information is to be displayed. The interface-type interface-number arguments indicate the port type and port number.

ip-addr ip-address: Specify the bound IP address whose binding information is to be displayed.

mac-addr mac-address: Specify the bound MAC address whose binding information is to be displayed. The mac-address argument is in the form of H-H-H.

Description

Use the display am user-bind command to display port binding information.

If no keyword is specified, this command displays all port bindings.

Related commands: am user-bind.

Examples

# Display all port bindings.

<Sysname> display am user-bind

Following User address bind have been configured:

  Mac                   IP                    Port

  000f-e200-5101        10.153.1.1            Ethernet1/0/1

  000f-e200-5102        10.153.1.2            Ethernet1/0/2

 Unit 1:Total 2 found, 2 listed.

 

 Total: 2 found.

The above output shows that two port binding settings exist on unit 1:

- MAC address 000f-e200-5101 and IP address 10.153.1.1 are bound to Ethernet 1/0/1.

- MAC address 000f-e200-5102 and IP address 10.153.1.2 are bound to Ethernet 1/0/2.
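The two constraints in the Note on am user-bind (an IP address and a MAC address may each be bound to one port only) are easy to violate when bindings are generated from an inventory, and the display output above is what you would reconcile against. The following Python script is an added example, not H3C code: it validates a constructed inventory of bindings against those constraints, renders the system-view am user-bind commands, parses display am user-bind output, and reports which desired bindings are missing from the switch and which switch bindings are not in the inventory. The inventory and sample output are constructed from the addresses used in this chapter; the function names are this example's own.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

Binding = Tuple[str, str, str]   # (mac, ip, port)
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$")
# One row of display am user-bind output: MAC, IPv4 address, port.
ENTRY_RE = re.compile(r"^\s*([0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+"
                      r"(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$")

# Constructed inventory of legal users (sample values, not a real network).
INVENTORY: List[Binding] = [
    ("000f-e200-5101", "10.153.1.1", "Ethernet1/0/1"),
    ("000f-e200-5102", "10.153.1.2", "Ethernet1/0/2"),
]

# Constructed sample of display am user-bind output, in the format shown above.
SAMPLE_DISPLAY = """\
Following User address bind have been configured:
  Mac                   IP                    Port
  000f-e200-5101        10.153.1.1            Ethernet1/0/1
  000f-e200-5102        10.153.1.2            Ethernet1/0/2
 Unit 1:Total 2 found, 2 listed.

 Total: 2 found.
"""


def validate_bindings(bindings: List[Binding]) -> List[str]:
    """Check formats and the two manual constraints: an IP and a MAC can each be bound to one port only."""
    errors: List[str] = []
    ip_port: Dict[str, str] = {}
    mac_port: Dict[str, str] = {}
    for mac, ip, port in bindings:
        mac = mac.lower()
        if not MAC_RE.match(mac):
            errors.append(f"{mac}: MAC address is not in H-H-H form")
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            errors.append(f"{ip}: not a valid IPv4 address")
        if ip in ip_port and ip_port[ip] != port:
            errors.append(f"{ip}: already bound to {ip_port[ip]}, cannot also bind to {port}")
        if mac in mac_port and mac_port[mac] != port:
            errors.append(f"{mac}: already bound to {mac_port[mac]}, cannot also bind to {port}")
        ip_port.setdefault(ip, port)
        mac_port.setdefault(mac, port)
    return errors


def render_commands(bindings: List[Binding]) -> List[str]:
    """System-view command lines that apply the bindings (syntax as given in this chapter)."""
    return [f"am user-bind mac-addr {mac} ip-addr {ip} interface {port}" for mac, ip, port in bindings]


def parse_display_am_user_bind(text: str) -> List[Binding]:
    """Extract (mac, ip, port) tuples from display am user-bind output."""
    rows = (ENTRY_RE.match(line) for line in text.splitlines())
    return [(m.group(1).lower(), m.group(2), m.group(3)) for m in rows if m]


def diff_bindings(desired: List[Binding], actual: List[Binding]) -> Tuple[List[Binding], List[Binding]]:
    """(bindings missing on the switch, bindings on the switch that are not in the inventory)."""
    wanted, present = set(desired), set(actual)
    return sorted(wanted - present), sorted(present - wanted)


if __name__ == "__main__":
    problems = validate_bindings(INVENTORY)
    if problems:
        print("\n".join(problems))
    else:
        print("\n".join(render_commands(INVENTORY)))
    print(diff_bindings(INVENTORY, parse_display_am_user_bind(SAMPLE_DISPLAY)))
```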

 
