- H3C S3600 Command Manual-Release 1602(V1.02)
11-Port Security-Port Binding Command
Two port security modes, macAddressAndUserLoginSecure and macAddressAndUserLoginSecureExt, were introduced. For details, refer to port-security port-mode.
Port Security Commands
display mac-address security
Syntax
display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]
View
Any view
Parameters
interface interface-type interface-number: Specify a port by its type and number, of which the security MAC address information is to be displayed.
vlan vlan-id: Specify a VLAN by its ID, of which the security MAC address information is to be displayed. The value range for the vlan-id argument is 1 to 4094.
count: Displays the number of matching security MAC addresses.
Description
Use the display mac-address security command to display security MAC address entries.
If no argument is specified, the command displays information about all security MAC address entries.
For each security MAC address entry, the output of the command displays the MAC address, the VLAN that the MAC address belongs to, state of the MAC address (which is always security), port associated with the MAC address, and the remaining lifetime of the entry.
By checking the output of this command, you can verify the current configuration.
Examples
# Display information about all security MAC address entries.
<Sysname> display mac-address security
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
0000-0000-0001 1 Security Ethernet1/0/20 NOAGED
0000-0000-0002 1 Security Ethernet1/0/20 NOAGED
0000-0000-0003 1 Security Ethernet1/0/20 NOAGED
0000-0000-0004 1 Security Ethernet1/0/20 NOAGED
0000-0000-0001 2 Security Ethernet1/0/22 NOAGED
0000-0000-0007 2 Security Ethernet1/0/22 NOAGED
--- 6 mac address(es) found ---
# Display the security MAC address entries for port Ethernet 1/0/20.
<Sysname> display mac-address security interface Ethernet 1/0/20
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
0000-0000-0001 1 Security Ethernet1/0/20 NOAGED
0000-0000-0002 1 Security Ethernet1/0/20 NOAGED
0000-0000-0003 1 Security Ethernet1/0/20 NOAGED
0000-0000-0004 1 Security Ethernet1/0/20 NOAGED
--- 4 mac address(es) found on port Ethernet1/0/20 ---
# Display the security MAC address entries for VLAN 1.
<Sysname> display mac-address security vlan 1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
0000-0000-0001 1 Security Ethernet1/0/20 NOAGED
0000-0000-0002 1 Security Ethernet1/0/20 NOAGED
0000-0000-0003 1 Security Ethernet1/0/20 NOAGED
0000-0000-0004 1 Security Ethernet1/0/20 NOAGED
--- 4 mac address(es) found in vlan 1 ---
# Display the total number of security MAC address entries.
<Sysname> display mac-address security count
6 mac address(es) found
# Display the number of security MAC address entries for VLAN 1.
<Sysname> display mac-address security vlan 1 count
4 mac address(es) found in vlan 1
Table 1-1 Description on the fields of the display mac-address security command
Field | Description |
---|---|
MAC ADDR | Security MAC address |
VLAN ID | VLAN that the MAC address belongs to |
STATE | MAC address type, which is always security for a security MAC address |
PORT INDEX | Port associated with the MAC address |
AGING TIME(s) | Remaining lifetime of the MAC address entry |
mac address(es) found | Number of matching security MAC addresses |
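As an added example (not part of the H3C manual), the following Python script parses the display mac-address security output shown above, counts security MAC addresses per port so they can be compared with each port's configured max-mac-count, and flags any MAC address that is a security MAC on more than one port, as 0000-0000-0001 is in the sample:

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed input: the "display mac-address security" output from the
# example above, pasted in as a string (not a live capture).
SAMPLE_OUTPUT = """\
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
0000-0000-0001 1 Security Ethernet1/0/20 NOAGED
0000-0000-0002 1 Security Ethernet1/0/20 NOAGED
0000-0000-0003 1 Security Ethernet1/0/20 NOAGED
0000-0000-0004 1 Security Ethernet1/0/20 NOAGED
0000-0000-0001 2 Security Ethernet1/0/22 NOAGED
0000-0000-0007 2 Security Ethernet1/0/22 NOAGED
--- 6 mac address(es) found ---
"""

# One entry row: MAC address in H-H-H form, VLAN ID, state, port, aging time.
ENTRY_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<vlan>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<port>\S+)\s+(?P<aging>\S+)$",
    re.IGNORECASE,
)
# Footer line: "--- N mac address(es) found ... ---"
FOOTER_RE = re.compile(r"^---\s+(?P<count>\d+)\s+mac address\(es\) found")


@dataclass(frozen=True)
class SecurityMac:
    mac: str
    vlan: int
    state: str
    port: str
    aging: str


def parse_mac_address_security(text):
    """Parse the command output into entries plus the count from the footer."""
    entries, footer_count = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(SecurityMac(m["mac"].lower(), int(m["vlan"]),
                                       m["state"], m["port"], m["aging"]))
            continue
        f = FOOTER_RE.match(line)
        if f:
            footer_count = int(f["count"])
    return entries, footer_count


def security_macs_per_port(entries):
    """Number of security MAC addresses per port, for comparison with the
    port-security max-mac-count configured on that port."""
    return dict(Counter(e.port for e in entries))


def audit_security_macs(entries, footer_count):
    """Return a list of findings that deserve a second look."""
    findings = []
    if footer_count is not None and footer_count != len(entries):
        findings.append(f"footer reports {footer_count} entries but "
                        f"{len(entries)} rows were parsed")
    for e in entries:
        if e.state.lower() != "security":
            findings.append(f"{e.mac} on {e.port} has unexpected state {e.state}")
    # The same MAC address stored as a security MAC on two different ports
    # usually means a moved host, a stale entry or a spoofed address.
    ports_by_mac = defaultdict(set)
    for e in entries:
        ports_by_mac[e.mac].add(e.port)
    for mac, ports in sorted(ports_by_mac.items()):
        if len(ports) > 1:
            findings.append(f"{mac} is a security MAC on more than one port: "
                            + ", ".join(sorted(ports)))
    return findings


if __name__ == "__main__":
    parsed, count = parse_mac_address_security(SAMPLE_OUTPUT)
    print(security_macs_per_port(parsed))
    for finding in audit_security_macs(parsed, count):
        print("FINDING:", finding)
```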
display port-security
Syntax
display port-security [ interface interface-list ]
View
Any view
Parameters
interface interface-list: Specify a list of Ethernet ports of which the port security configurations are to be displayed. For the interface-list argument, you can specify individual ports and port ranges. An individual port takes the form of interface-type interface-number and a port range takes the form of interface-type interface-number1 to interface-type interface-number2, with interface-number2 taking a value greater than interface-number1. The total number of individual ports and port ranges defined in the list must not exceed 10.
Description
Use the display port-security command to display port security configurations.
If no interface is specified, the command displays the port security configurations of all Ethernet ports.
The output of the command includes the global configurations (such as whether port security is enabled on the switch and whether the sending of specified Trap messages is enabled) and port configurations (such as the security mode and the port security features).
By checking the output of this command, you can verify the current configuration.
Examples
# Display the global port security configurations and those of all ports.
<Sysname> display port-security
Equipment port-security is enabled
AddressLearn trap is Enabled
Intrusion trap is Enabled
Dot1x logon trap is Enabled
Dot1x logoff trap is Enabled
Dot1x logfailure trap is Enabled
RALM logon trap is Enabled
RALM logoff trap is Enabled
RALM logfailure trap is Enabled
Disableport Timeout: 20 s
OUI value:
Index is 5, OUI value is 000100
Ethernet1/0/1 is link-up
Port mode is AutoLearn
NeedtoKnow mode is needtoknowonly
Intrusion mode is BlockMacaddress
Max mac-address num is 4
Stored mac-address num is 0
Authorization is ignore
(The rest of the information is omitted.)
# Display the port security configurations of ports Ethernet 1/0/1 to Ethernet 1/0/3.
<Sysname> display port-security interface Ethernet 1/0/1 to Ethernet 1/0/3
Ethernet1/0/1 is link-up
Port mode is AutoLearn
NeedtoKnow mode is needtoknowonly
Intrusion mode is BlockMacaddress
Max mac-address num is 4
Stored mac-address num is 0
Authorization is ignore
Ethernet1/0/2 is link-down
Port mode is AutoLearn
NeedtoKnow mode is disabled
Intrusion mode is no action
Max mac-address num is not configured
Stored mac-address num is 0
Authorization is ignore
Ethernet1/0/3 is link-down
Port mode is AutoLearn
NeedtoKnow mode is disabled
Intrusion mode is BlockMacaddress
Max mac-address num is not configured
Stored mac-address num is 0
Authorization is ignore
Table 1-2 Description on the fields of the display port-security command
Field | Description |
---|---|
Equipment port-security is enabled | Port security is enabled on the switch. |
AddressLearn trap is Enabled | The sending of address-learning trap messages is enabled. |
Intrusion trap is Enabled | The sending of intrusion-detection trap messages is enabled. |
Dot1x logon trap is Enabled | The sending of 802.1x user authentication success trap messages is enabled. |
Dot1x logoff trap is Enabled | The sending of 802.1x user logoff trap messages is enabled. |
Dot1x logfailure trap is Enabled | The sending of 802.1x user authentication failure trap messages is enabled. |
RALM logon trap is Enabled | The sending of MAC-based authentication success trap messages is enabled. |
RALM logoff trap is Enabled | The sending of logoff trap messages for MAC-based authenticated users is enabled. |
RALM logfailure trap is Enabled | The sending of MAC-based authentication failure trap messages is enabled. |
Disableport Timeout: 20 s | The temporary port-disabling time is 20 seconds. |
OUI value | The next line displays the OUI value. |
Index | OUI index |
Ethernet1/0/1 is link-up | The link status of port Ethernet 1/0/1 is up. |
Port mode is AutoLearn | The security mode of the port is autolearn. |
NeedtoKnow mode is needtoknowonly | The NTK (Need To Know) mode is ntkonly. |
Intrusion mode is BlockMacaddress | The intrusion detection mode is BlockMacaddress. |
Max mac-address num is 4 | The maximum number of MAC addresses allowed on the port is 4. |
Stored mac-address num is 0 | No MAC address is stored. |
Authorization is ignore | Authorization information delivered by the Remote Authentication Dial-In User Service (RADIUS) server will not be applied to the port. |
mac-address security
Syntax
In system view:
mac-address security mac-address interface interface-type interface-number vlan vlan-id
undo mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]
In Ethernet port view:
mac-address security mac-address vlan vlan-id
undo mac-address security [ [ mac-address ] vlan vlan-id ]
View
System view, Ethernet port view
Parameters
mac-address: Security MAC address, in the H-H-H format.
interface interface-type interface-number: Specify the port on which the security MAC address is to be added. The interface-type interface-number arguments indicate the port type and port number.
vlan vlan-id: Specify the VLAN to which the MAC address belongs. The vlan-id argument specifies a VLAN ID in the range 1 to 4094.
Description
Use the mac-address security command to create a security MAC address entry.
Use the undo mac-address security command to remove a security MAC address.
By default, no security MAC address entry is configured.
- The mac-address security command can be configured successfully only when port security is enabled and the security mode is autolearn.
- To create a security MAC address entry successfully, you must make sure that the specified VLAN is carried on the specified port.
Examples
# Enable port security; configure the port security mode of Ethernet 1/0/1 as autolearn and create a security MAC address entry for 0001-0001-0001, setting the associated port to Ethernet 1/0/1 and assigning the MAC address to VLAN 1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
[Sysname] interface Ethernet1/0/1
[Sysname-Ethernet1/0/1] port-security max-mac-count 100
[Sysname-Ethernet1/0/1] port-security port-mode autolearn
[Sysname-Ethernet1/0/1] mac-address security 0001-0001-0001 vlan 1
# Use the display mac-address interface command to verify the configuration result.
[Sysname]display mac-address interface Ethernet 1/0/1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
0001-0001-0001 1 Security Ethernet1/0/1 NOAGED
--- 1 mac address(es) found on port Ethernet1/0/1 ---
port-security enable
Syntax
port-security enable
undo port-security enable
View
System view
Parameters
None
Description
Use the port-security enable command to enable port security.
Use the undo port-security enable command to disable port security.
By default, port security is disabled.
Enabling port security resets the following configurations on the ports to the defaults (as shown in parentheses below):
- 802.1x (disabled), port access control method (macbased), and port access control mode (auto)
- MAC authentication (disabled)
In addition, you cannot perform the above-mentioned configurations manually because these configurations change with the port security mode automatically.
Related commands: display port-security.
Examples
# Enable port security.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
Notice: The port-control of 802.1x will be restricted to auto when port-security is enabled.
Please wait... Done.
port-security intrusion-mode
Syntax
port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
undo port-security intrusion-mode
View
Ethernet port view
Parameters
blockmac: Adds the source MAC addresses of illegal packets to the blocked MAC address list. As a result, the packets sourced from the blocked MAC addresses will be filtered out. A blocked MAC address will be unblocked three minutes (not user configurable) after the block action.
disableport: Disables a port permanently once an illegal frame or event is detected on it.
disableport-temporarily: Disables a port for a specified period of time after an illegal frame or event is detected on it. You can set the period with the port-security timer disableport command.
Description
Use the port-security intrusion-mode command to set intrusion protection.
Use the undo port-security intrusion-mode command to disable intrusion protection.
By default, intrusion protection is not configured.
By checking the source MAC addresses in inbound data frames or the username and password in 802.1x authentication requests on a port, intrusion protection detects illegal packets (packets with illegal MAC address) or events and takes a pre-set action accordingly. The actions you can set include: disconnecting the port temporarily/permanently and blocking packets with invalid MAC addresses.
The following cases can trigger intrusion protection on a port:
- A packet with an unknown source MAC address is received on the port while MAC address learning is disabled on the port.
- A packet with an unknown source MAC address is received on the port while the number of security MAC addresses on the port has reached the preset maximum.
- The user fails 802.1x or MAC address authentication.
After you execute the port-security intrusion-mode blockmac command, blocked MAC addresses can be viewed only with the display port-security command.
Related commands: display port-security, port-security timer disableport.
Examples
# Configure the intrusion protection mode on Ethernet 1/0/1 as blockmac.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security intrusion-mode blockmac
# Display information about blocked MAC addresses after intrusion protection is triggered.
<Sysname> display port-security
Equipment port-security is enabled
AddressLearn trap is Enabled
Intrusion trap is Enabled
Dot1x logon trap is Enabled
Dot1x logoff trap is Enabled
Dot1x logfailure trap is Enabled
RALM logon trap is Enabled
RALM logoff trap is Enabled
RALM logfailure trap is Enabled
Disableport Timeout: 20 s
OUI value:
Index is 5, OUI value is 000100
Blocked Mac info:
MAC ADDR From Port Vlan
--- On unit 1, 2 blocked mac address(es) found. ---
0000-0000-0003 Ethernet1/0/1 1
0000-0000-0004 Ethernet1/0/1 1
--- 2 blocked mac address(es) found. ---
Ethernet1/0/1 is link-up
Port mode is Secure
NeedtoKnow mode is disabled
Intrusion mode is BlockMacaddress
Max mac-address num is 2
Stored mac-address num is 2
Authorization is permit
For description on the output information, refer to Table 1-2.
# Configure the intrusion protection mode on Ethernet 1/0/1 as disableport-temporarily. As a result, the port will be disconnected when intrusion protection is triggered and then re-enabled 30 seconds later.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security timer disableport 30
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily
# Configure the intrusion protection mode on Ethernet 1/0/1 as disableport. As a result, when intrusion protection is triggered, the port will be disconnected permanently.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security intrusion-mode disableport
You can bring up a port that has been permanently disabled by running the undo shutdown command or disabling port security on the port.
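The display port-security output, both the per-port settings described in Table 1-2 and the Blocked Mac info list printed once intrusion protection in blockmac mode has fired, can be audited offline. The following Python script is an added example, not part of the manual; it parses a sample assembled from the outputs in this section and flags ports with no intrusion action, no MAC limit or a full security MAC table, and lists the MAC addresses currently blocked:

```python
import re
from collections import Counter

# Constructed input assembled from the display port-security outputs shown in
# this section (global part, Blocked Mac info, two per-port blocks).
SAMPLE_OUTPUT = """\
Equipment port-security is enabled
AddressLearn trap is Enabled
Intrusion trap is Enabled
Disableport Timeout: 20 s
OUI value:
Index is 5, OUI value is 000100
Blocked Mac info:
MAC ADDR From Port Vlan
--- On unit 1, 2 blocked mac address(es) found. ---
0000-0000-0003 Ethernet1/0/1 1
0000-0000-0004 Ethernet1/0/1 1
--- 2 blocked mac address(es) found. ---
Ethernet1/0/1 is link-up
Port mode is Secure
NeedtoKnow mode is disabled
Intrusion mode is BlockMacaddress
Max mac-address num is 2
Stored mac-address num is 2
Authorization is permit
Ethernet1/0/2 is link-down
Port mode is AutoLearn
NeedtoKnow mode is disabled
Intrusion mode is no action
Max mac-address num is not configured
Stored mac-address num is 0
Authorization is ignore
"""

TRAP_RE = re.compile(r"^(?P<name>.+?) trap is (?P<state>Enabled|Disabled)$")
TIMEOUT_RE = re.compile(r"^Disableport Timeout: (?P<secs>\d+) s$")
BLOCKED_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<port>\S+)\s+(?P<vlan>\d+)$",
    re.IGNORECASE)
PORT_HDR_RE = re.compile(r"^(?P<port>\S+) is link-(?P<link>up|down)$")
# "<label> is <value>" lines inside a per-port block, mapped to dict keys.
PORT_FIELDS = {
    "Port mode is ": "mode",
    "NeedtoKnow mode is ": "ntk",
    "Intrusion mode is ": "intrusion",
    "Max mac-address num is ": "max_mac",
    "Stored mac-address num is ": "stored_mac",
    "Authorization is ": "authorization",
}


def parse_port_security(text):
    """Parse the output into global settings, blocked MACs and per-port settings."""
    cfg = {"enabled": None, "traps": {}, "disableport_timeout": None,
           "blocked": [], "ports": {}}
    current = None  # per-port dict currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Equipment port-security is "):
            cfg["enabled"] = line.split()[-1] == "enabled"
        elif (m := TRAP_RE.match(line)):
            cfg["traps"][m["name"]] = m["state"] == "Enabled"
        elif (m := TIMEOUT_RE.match(line)):
            cfg["disableport_timeout"] = int(m["secs"])
        elif (m := BLOCKED_RE.match(line)):
            cfg["blocked"].append((m["mac"].lower(), m["port"], int(m["vlan"])))
        elif (m := PORT_HDR_RE.match(line)):
            current = {"link": m["link"]}
            cfg["ports"][m["port"]] = current
        elif current is not None:
            for prefix, key in PORT_FIELDS.items():
                if line.startswith(prefix):
                    current[key] = line[len(prefix):]
                    break
    return cfg


def audit_port_security(cfg):
    """Flag settings a defender would want to revisit."""
    findings = []
    if not cfg["enabled"]:
        findings.append("port security is disabled globally")
    if not cfg["traps"].get("Intrusion"):
        findings.append("intrusion traps are disabled, so intrusion events are not reported")
    for port, p in sorted(cfg["ports"].items()):
        mode = p.get("mode", "")
        if p.get("intrusion", "").lower() == "no action":
            findings.append(f"{port}: security mode {mode} but intrusion mode is 'no action'")
        if mode.lower() in ("autolearn", "secure") and p.get("max_mac") == "not configured":
            findings.append(f"{port}: mode {mode} without a max-mac-count limit")
        max_mac, stored = p.get("max_mac", ""), p.get("stored_mac", "")
        if max_mac.isdigit() and stored.isdigit() and int(stored) >= int(max_mac):
            findings.append(f"{port}: {stored} of {max_mac} MAC addresses stored (at capacity)")
    # Blocked entries age out after three minutes, so a non-empty list means
    # intrusion protection fired recently on that port.
    for port, n in sorted(Counter(b[1] for b in cfg["blocked"]).items()):
        findings.append(f"{port}: {n} MAC address(es) currently blocked by intrusion protection")
    return findings
```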
port-security authorization ignore
Syntax
port-security authorization ignore
undo port-security authorization ignore
View
Ethernet port view
Parameters
None
Description
Use the port-security authorization ignore command to configure the port to ignore the authorization information delivered by the RADIUS server.
Use the undo port-security authorization ignore command to restore the default configuration.
By default, the port uses (does not ignore) the authorization information delivered by the RADIUS server.
You can use the display port-security command to check whether the port will use the authorization information delivered by the RADIUS server.
After a RADIUS user passes authentication, the RADIUS server authorizes the attributes configured for the user account such as the dynamic VLAN configuration. For more information, refer to AAA Command.
Examples
# Configure Ethernet 1/0/2 to ignore the authorization information delivered by the RADIUS server.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet 1/0/2
[Sysname-Ethernet1/0/2] port-security authorization ignore
port-security max-mac-count
Syntax
port-security max-mac-count count-value
undo port-security max-mac-count
View
Ethernet port view
Parameters
count-value: Maximum number of MAC addresses allowed on the port, in the range of 1 to 1024.
Description
Use the port-security max-mac-count command to set the maximum number of MAC addresses allowed on the port.
Use the undo port-security max-mac-count command to cancel this limit.
By default, there is no limit on the number of MAC addresses allowed on the port.
By configuring the maximum number of MAC addresses allowed on a port, you can:
- Limit the number of users accessing the network through the port.
- Limit the number of security MAC addresses that can be added on the port.
When the maximum number of MAC addresses allowed on a port is reached, the port will not allow more users to access the network through this port.
- The limit set by the port-security max-mac-count command is independent of the maximum number of MAC addresses that can be learned on a port, which is configured in MAC address table management.
- When there are online users on a port, you cannot execute the port-security max-mac-count command on the port.
Examples
# Set the maximum number of MAC addresses allowed on the port to 100.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security max-mac-count 100
port-security ntk-mode
Syntax
port-security ntk-mode { ntkonly | ntk-withbroadcasts | ntk-withmulticasts }
undo port-security ntk-mode
View
Ethernet port view
Parameters
ntkonly: Allows the port to transmit only unicast packets with successfully-authenticated destination MAC addresses.
ntk-withbroadcasts: Allows the port to transmit broadcast packets and unicast packets with successfully-authenticated destination MAC addresses.
ntk-withmulticasts: Allows the port to transmit multicast packets, broadcast packets and unicast packets with successfully-authenticated destination MAC addresses.
Description
Use the port-security ntk-mode command to configure the NTK feature on the port.
Use the undo port-security ntk-mode command to restore the default setting.
By default, NTK is disabled on a port, so all frames are allowed to be sent.
By checking the destination MAC addresses of the data frames to be sent from a port, the NTK feature ensures that only successfully authenticated devices can obtain data frames from the port, thus preventing illegal devices from intercepting network data.
Examples
# Set the NTK feature to ntk-withbroadcasts on Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security ntk-mode ntk-withbroadcasts
port-security oui
Syntax
port-security oui OUI-value index index-value
undo port-security oui index index-value
View
System view
Parameters
OUI-value: OUI value. You can input a 48-bit MAC address in the form of H-H-H for this argument and the system will take the first 24 bits as the OUI value and ignore the rest.
index-value: OUI index, ranging from 1 to 16.
The organizationally unique identifiers (OUIs) are assigned by the IEEE to different vendors. Each OUI uniquely identifies an equipment vendor in the world and is the higher 24 bits of a MAC address.
Description
Use the port-security oui command to set an OUI value for authentication.
Use the undo port-security oui command to cancel the OUI value setting.
By default, no OUI value is set for authentication.
- The OUI value set by this command takes effect only when the security mode of the port is set to userLoginWithOUI by the port-security port-mode command.
- The OUI value set by this command cannot be a multicast MAC address.
Related commands: port-security port-mode.
Examples
# Configure an OUI value of 00ef-ec00-0000, setting the OUI index to 5.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security oui 00ef-ec00-0000 index 5
port-security port-mode
Syntax
port-security port-mode { autolearn | mac-and-userlogin-secure | mac-and-userlogin-secure-ext | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }
undo port-security port-mode
View
Ethernet port view
Parameters
Table 1-3 shows the description on the security mode keywords.
Keyword | Security mode | Description |
---|---|---|
autolearn | autolearn | In this mode, MAC addresses learned on the port become security MAC addresses. When the number of security MAC addresses exceeds the maximum number of MAC addresses configured by the port-security max-mac-count command, the port security mode changes to secure automatically. After that, no more security MAC addresses can be added to the port and only the packets whose source MAC addresses are the security MAC addresses or already configured dynamic MAC addresses can pass through the port. |
mac-and-userlogin-secure | macAddressAndUserLoginSecure | In this mode, users trying to access the network through the port must first pass MAC address authentication and then 802.1x authentication. Only one user can access the network through the port at a time. |
mac-and-userlogin-secure-ext | macAddressAndUserLoginSecureExt | This mode is similar to the macAddressAndUserLoginSecure mode, except that more than one user can access the network through the port. |
mac-authentication | macAddressWithRadius | In this mode, MAC address authentication is applied to users trying to access the network. |
mac-else-userlogin-secure | macAddressElseUserLoginSecure | In this mode, MAC address authentication is applied first. If it succeeds, the user can access the network. If not, 802.1x authentication is applied. Only one 802.1x-authenticated user can access the network through the port, but there can be more than one MAC-address-authenticated user on the port at the same time. |
mac-else-userlogin-secure-ext | macAddressElseUserLoginSecureExt | This mode is similar to the macAddressElseUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port. |
secure | secure | In this mode, MAC address learning is disabled on the port. Only packets whose source MAC addresses are security MAC addresses or already configured static or dynamic MAC addresses can pass through the port. |
userlogin | userlogin | In this mode, 802.1x authentication is applied to users trying to access the network through the port. |
userlogin-secure | userLoginSecure | In this mode, MAC-based 802.1x authentication is applied to users trying to access the network through the port. The port is enabled when the authentication succeeds and allows packets from authenticated users to pass through. Only one 802.1x-authenticated user can access the network through the port. When the security mode of the port changes from noRestriction to this mode, the old dynamic MAC address entries and authenticated MAC address entries kept on the port are deleted automatically. |
userlogin-secure-ext | userLoginSecureExt | This mode is similar to the userLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port. |
userlogin-secure-or-mac | macAddressOrUserLoginSecure | MAC address authentication and 802.1x authentication coexist on the port, with 802.1x authentication having higher priority. 802.1x authentication can be applied to users who have already passed MAC address authentication, but users who have already passed 802.1x authentication do not need to go through MAC address authentication. Only one 802.1x-authenticated user can access the network through the port; there can be more than one MAC-address-authenticated user on the port. |
userlogin-secure-or-mac-ext | macAddressOrUserLoginSecureExt | This mode is similar to the macAddressOrUserLoginSecure mode, except that there can be more than one 802.1x-authenticated user on the port. |
userlogin-withoui | userLoginWithOUI | Similar to the userLoginSecure mode: only one 802.1x-authenticated user can be on the port, but the port also allows packets whose source MAC address carries a configured OUI to pass through. When the security mode of the port changes from noRestriction to this mode, the old dynamic MAC address entries and authenticated MAC address entries kept on the port are deleted automatically. |
Description
Use the port-security port-mode command to set the security mode of the port.
Use the undo port-security port-mode command to restore the default mode.
By default, the port is in the noRestriction mode, namely access to the port is not restricted.
- Before setting the security mode to autolearn, you need to use the port-security max-mac-count command to configure the maximum number of MAC addresses allowed on the port.
- When a port operates in the autolearn mode, you cannot change the maximum number of MAC addresses allowed on the port.
- After setting the security mode to autolearn, you cannot configure static or blackhole MAC addresses on the port.
- When the port security mode is not noRestriction, you need to use the undo port-security port-mode command to change it back to noRestriction before you change the port security mode to other modes.
- Fabric devices do not support configuring the security mode to autolearn.
On a port configured with a security mode, you cannot do the following:
- Configure the maximum number of MAC addresses that can be learned.
- Configure the port as a reflector port for port mirroring.
- Configure the port as a Fabric port.
- Configure link aggregation.
Related commands: display port-security.
Examples
# Set the security mode of Ethernet 1/0/1 on the switch to userLogin.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security enable
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security port-mode userlogin
port-security timer disableport
Syntax
port-security timer disableport timer
undo port-security timer disableport
View
System view
Parameters
timer: This argument ranges from 20 to 300, in seconds.
Description
Use the port-security timer disableport command to set the time during which the system temporarily disables a port.
Use the undo port-security timer disableport command to restore the default time.
By default, the system disables a port for 20 seconds.
The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled.
Related commands: port-security intrusion-mode.
Examples
# Set the intrusion protection mode on Ethernet 1/0/1 to disableport-temporarily. It is required that when intrusion protection is triggered, the port be shut down temporarily and then go up 30 seconds later.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security timer disableport 30
[Sysname] interface Ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily
port-security trap
Syntax
port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }
undo port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }
View
System view
Parameters
addresslearned: Enables/disables sending traps for MAC addresses learning events.
dot1xlogfailure: Enables/disables sending traps for 802.1x authentication failures.
dot1xlogoff: Enables/disables sending traps for 802.1x-authenticated user logoff events.
dot1xlogon: Enables/disables sending traps for 802.1x-authenticated user logon events.
intrusion: Enables/disables sending traps for detections of intrusion packets.
ralmlogfailure: Enables/disables sending traps for MAC authentication failures.
ralmlogoff: Enables/disables sending traps for MAC-authenticated user logoff events.
ralmlogon: Enables/disables sending traps for MAC-authenticated user logon events.
RADIUS authenticated login using MAC-address (RALM) refers to MAC-based RADIUS authentication.
Description
Use the port-security trap command to enable the sending of specified type(s) of trap messages.
Use the undo port-security trap command to disable the sending of specified type(s) of trap messages.
By default, the sending of all types of trap messages is disabled.
This command relies on the device tracking feature, which makes the switch send trap messages when special data packets (generated by illegal intrusion, abnormal user logon/logoff, or other special activities) pass through a port, so that the network administrator can monitor such activities.
When you use the display port-security command to display global information, the output shows which types of trap messages are enabled.
Related commands: display port-security.
Examples
# Allow the sending of intrusion packet-detected trap messages.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] port-security trap intrusion
# Use the display port-security command to display the related configuration information.
<Sysname> display port-security
Equipment port-security is enabled
Intrusion trap is Enabled
Disableport Timeout: 20 s
OUI value:
Ethernet1/0/1 is link-down
Port mode is AutoLearn
NeedtoKnow mode is needtoknowonly
Intrusion mode is disableportTemporarily
Max mac-address num is 4
Stored mac-address num is 0
Authorization is ignore
The rest of the information is omitted, if any.
For description of the output information, refer to Table 1-2.
2 Port Binding Commands
am user-bind
Syntax
In system view:
am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number
undo am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number
In Ethernet port view:
am user-bind mac-addr mac-address ip-addr ip-address
undo am user-bind mac-addr mac-address ip-addr ip-address
View
System view, Ethernet port view
Parameters
interface interface-type interface-number: Specify the port to be bound. The interface-type interface-number arguments specify the port type and port number.
ip-addr ip-address: Specify the IP address to be bound.
mac-addr mac-address: Specify the MAC address to be bound. The mac-address argument is in the form of H-H-H.
Description
Use the am user-bind command to bind the MAC address and IP address of a user to a specified port.
Use the undo am user-bind command to cancel the binding.
After the binding, the switch forwards packets received on the port only if they are sourced from the bound MAC address and IP address.
By default, no user MAC address or IP address is bound to a port.
- An IP address can be bound with only one port at a time.
- A MAC address can be bound with only one port at a time.
Examples
# In system view, bind the MAC address 000f-e200-5101 and IP address 10.153.1.1 (supposing they are MAC and IP addresses of a legal user) to Ethernet 1/0/1.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] am user-bind mac-addr 000f-e200-5101 ip-addr 10.153.1.1 interface Ethernet1/0/1
# In Ethernet port view, bind the MAC address 000f-e200-5102 and IP address 10.153.1.2 (supposing they are MAC and IP addresses of a legal user) to Ethernet 1/0/2.
<Sysname> system-view
System View: return to User View with Ctrl+Z.
[Sysname] interface Ethernet1/0/2
[Sysname-Ethernet1/0/2] am user-bind mac-addr 000f-e200-5102 ip-addr 10.153.1.2
display am user-bind
Syntax
display am user-bind [ interface interface-type interface-number | ip-addr ip-address | mac-addr mac-address ]
View
Any view
Parameters
interface interface-type interface-number: Display the bindings on the specified port. The interface-type interface-number arguments indicate the port type and port number.
ip-addr ip-address: Display the binding of the specified IP address.
mac-addr mac-address: Display the binding of the specified MAC address. The mac-address argument is in the form of H-H-H.
Description
Use the display am user-bind command to display port binding information.
If no keyword is specified, this command displays all port bindings.
Related commands: am user-bind.
Examples
# Display all port bindings.
<Sysname> display am user-bind
Following User address bind have been configured:
Mac IP Port
000f-e200-5101 10.153.1.1 Ethernet1/0/1
000f-e200-5102 10.153.1.2 Ethernet1/0/2
Unit 1:Total 2 found, 2 listed.
Total: 2 found.
The output above shows that two port bindings exist on unit 1:
- MAC address 000f-e200-5101 and IP address 10.153.1.1 are bound to Ethernet 1/0/1.
- MAC address 000f-e200-5102 and IP address 10.153.1.2 are bound to Ethernet 1/0/2.
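As an added example (not part of the manual), this Python script parses the display am user-bind output above, compares it with a hypothetical inventory of expected bindings to detect drift in either direction, and checks the one-port-per-IP and one-port-per-MAC rule stated above, which matters when bindings collected from several units or switches are merged:

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed input: the display am user-bind output from the example above.
SAMPLE_OUTPUT = """\
Following User address bind have been configured:
Mac IP Port
000f-e200-5101 10.153.1.1 Ethernet1/0/1
000f-e200-5102 10.153.1.2 Ethernet1/0/2
Unit 1:Total 2 found, 2 listed.
Total: 2 found.
"""

# Hypothetical desired state kept outside the switch (e.g. an asset
# inventory). The third entry is deliberately absent from the sample output.
EXPECTED_BINDINGS = [
    ("000f-e200-5101", "10.153.1.1", "Ethernet1/0/1"),
    ("000f-e200-5102", "10.153.1.2", "Ethernet1/0/2"),
    ("000f-e200-5103", "10.153.1.3", "Ethernet1/0/3"),
]

# One binding row: MAC in H-H-H form, dotted IPv4 address, port name.
BIND_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\S+)$", re.IGNORECASE)
TOTAL_RE = re.compile(r"^Total:\s*(?P<n>\d+) found\.$")


def parse_am_user_bind(text):
    """Return ([(mac, ip, port), ...], total reported by the footer)."""
    bindings, total = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := BIND_RE.match(line)):
            # Lower-case the MAC and validate the IP so comparisons are exact.
            bindings.append((m["mac"].lower(), str(ip_address(m["ip"])), m["port"]))
        elif (m := TOTAL_RE.match(line)):
            total = int(m["n"])
    return bindings, total


def compare_bindings(actual, expected):
    """Drift between the switch and the inventory, in both directions."""
    have, want = set(actual), set(expected)
    return {"missing": sorted(want - have), "unexpected": sorted(have - want)}


def find_conflicts(bindings):
    """Report an IP or MAC bound on more than one port, and an IP bound to
    more than one MAC. A single switch rejects such bindings, but merged
    tables from several units can still contain them."""
    ports_by_ip, ports_by_mac, macs_by_ip = defaultdict(set), defaultdict(set), defaultdict(set)
    for mac, ip, port in bindings:
        ports_by_ip[ip].add(port)
        ports_by_mac[mac].add(port)
        macs_by_ip[ip].add(mac)
    conflicts = []
    for ip, ports in sorted(ports_by_ip.items()):
        if len(ports) > 1:
            conflicts.append(f"IP {ip} bound on more than one port: {', '.join(sorted(ports))}")
    for mac, ports in sorted(ports_by_mac.items()):
        if len(ports) > 1:
            conflicts.append(f"MAC {mac} bound on more than one port: {', '.join(sorted(ports))}")
    for ip, macs in sorted(macs_by_ip.items()):
        if len(macs) > 1:
            conflicts.append(f"IP {ip} bound to more than one MAC: {', '.join(sorted(macs))}")
    return conflicts


if __name__ == "__main__":
    found, total = parse_am_user_bind(SAMPLE_OUTPUT)
    print(f"{len(found)} binding(s) parsed, footer says {total}")
    print(compare_bindings(found, EXPECTED_BINDINGS))
    print(find_conflicts(found))
```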