1 Port Security Configuration Commands
display port-security
Syntax
display port-security [ interface interface-list ]
View
Any view
Default Level
2: System level
Parameters
interface-list: Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> means that you can specify up to 10 port or port ranges. The starting port and ending port of a port range must be of the same type and the ending port number must be greater than the starting port number.
Description
Use the display port-security command to display port security configuration information, operation information, and statistics about one or more specified ports or all ports.
Related commands: port-security enable, port-security port-mode, port-security ntk-mode, port-security intrusion-mode, port-security max-mac-count, port-security mac-address security, port-security authorization ignore, port-security oui, port-security trap.
Examples
# Display port security configuration information, operation information, and statistics about all ports.
<Sysname> display port-security
Equipment port-security is enabled
AddressLearn trap is enabled
Intrusion trap is enabled
Dot1x logon trap is enabled
Dot1x logoff trap is enabled
Dot1x logfailure trap is enabled
RALM logon trap is enabled
RALM logoff trap is enabled
RALM logfailure trap is enabled
Disableport Timeout: 20s
OUI value:
Index is 1, OUI value is 000d1a
Index is 2, OUI value is 003c12
GigabitEthernet2/0/1 is link-down
Port mode is UserloginWithOUI
NeedtoKnow mode is needtoknowonly
Intrusion mode is disableport
Max MAC address number is 50
Stored MAC address number is 0
Authorization is ignored
GigabitEthernet2/0/2 is link-down
Port mode is noRestriction
NeedtoKnow mode is disabled
Intrusion mode is no action
Max MAC address number is not configured
Stored MAC address number is 0
Authorization is permitted
Table 1-1 display port-security command output description
Field | Description |
---|---|
Equipment port-security is enabled | Port security is enabled. |
AddressLearn trap is enabled | Address learning trap is enabled. |
Intrusion trap is enabled | Intrusion protection trap is enabled. |
Dot1x logon trap is enabled | 802.1X logon trap is enabled. |
Dot1x logoff trap is enabled | 802.1X logoff trap is enabled. |
Dot1x logfailure trap is enabled | 802.1X authentication failure trap is enabled. |
RALM logon trap is enabled | MAC authentication success trap is enabled. |
RALM logoff trap is enabled | MAC authenticated user logoff trap is enabled. |
RALM logfailure trap is enabled | MAC authentication failure trap is enabled. |
Disableport Timeout | Silence timeout of the port, in seconds. |
OUI value | 24-bit OUI value |
Index | OUI index |
Port mode is UserloginWithOUI | The port security mode is UserloginWithOUI. |
NeedtoKnow mode is needtoknowonly | The NTK mode is needtoknowonly. |
Intrusion mode is disableport | Intrusion protection action is set to disableport. |
Max MAC address number | Maximum number of secure MAC addresses allowed on the port |
Stored MAC address number | Number of MAC addresses stored |
Authorization is ignored | Authorization information from the server is ignored. By default, the information takes effect and this field is displayed as "Authorization is permitted." |
display port-security mac-address block
Syntax
display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]
View
Any view
Default Level
2: System level
Parameters
interface interface-type interface-number: Specifies a port by its type and number.
vlan vlan-id: Specifies a VLAN by its number, which is in the range 1 to 4094.
count: Displays only the count of the blocked MAC addresses.
Description
Use the display port-security mac-address block command to display information about blocked MAC addresses.
With no keyword or argument specified, the command displays information about all blocked MAC addresses.
Related commands: port-security intrusion-mode.
Examples
# Display information about all blocked MAC addresses.
<Sysname> display port-security mac-address block
MAC ADDR From Port VLAN ID
0002-0002-0002 GigabitEthernet2/0/1 1
000d-88f8-0577 GigabitEthernet2/0/2 1
--- 2 mac address(es) found ---
# Display the count of all blocked MAC addresses.
<Sysname> display port-security mac-address block count
--- 2 mac address(es) found ---
# Display information about all blocked MAC addresses in VLAN 1.
<Sysname> display port-security mac-address block vlan 1
MAC ADDR From Port VLAN ID
0002-0002-0002 GigabitEthernet2/0/1 1
000d-88f8-0577 GigabitEthernet2/0/2 1
--- 2 mac address(es) found ---
# Display information about all blocked MAC addresses of port GigabitEthernet 2/0/2.
<Sysname> display port-security mac-address block interface GigabitEthernet 2/0/2
MAC ADDR From Port VLAN ID
000d-88f8-0577 GigabitEthernet2/0/2 1
--- 1 mac address(es) found ---
# Display information about all blocked MAC addresses of port GigabitEthernet 2/0/2 in VLAN 1.
<Sysname> display port-security mac-address block interface GigabitEthernet2/0/2 vlan 1
MAC ADDR From Port VLAN ID
000d-88f8-0577 GigabitEthernet2/0/2 1
--- 1 mac address(es) found ---
Table 1-2 display port-security mac-address block command output description
Field | Description |
---|---|
MAC ADDR | Blocked MAC address |
From Port | Port that received frames with the blocked MAC address as the source address |
VLAN ID | ID of the VLAN to which the port belongs |
2 mac address(es) found | Number of blocked MAC addresses |
display port-security mac-address security
Syntax
display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]
View
Any view
Default Level
2: System level
Parameters
interface interface-type interface-number: Specifies a port by its type and number.
vlan vlan-id: Specifies a VLAN by its number, which is in the range 1 to 4094.
count: Displays only the count of the secure MAC addresses.
Description
Use the display port-security mac-address security command to display information about secure MAC addresses.
With no keyword or argument specified, the command displays information about all secure MAC addresses.
Related commands: port-security mac-address security.
Examples
# Display information about all secure MAC addresses.
<Sysname> display port-security mac-address security
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
0002-0002-0002 1 Security GigabitEthernet2/0/1 NOAGED
000d-88f8-0577 1 Security GigabitEthernet2/0/2 NOAGED
--- 2 mac address(es) found ---
# Display only the count of the secure MAC addresses.
<Sysname> display port-security mac-address security count
--- 2 mac address(es) found ---
# Display information about secure MAC addresses in a specified VLAN.
<Sysname> display port-security mac-address security vlan 1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
0002-0002-0002 1 Security GigabitEthernet2/0/1 NOAGED
000d-88f8-0577 1 Security GigabitEthernet2/0/2 NOAGED
--- 2 mac address(es) found ---
# Display information about secure MAC addresses on the specified port.
<Sysname> display port-security mac-address security interface GigabitEthernet2/0/2
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
000d-88f8-0577 1 Security GigabitEthernet2/0/2 NOAGED
--- 1 mac address(es) found ---
# Display information about secure MAC addresses that are on the specified port and in the specified VLAN.
<Sysname> display port-security mac-address security interface GigabitEthernet 2/0/2 vlan 1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
000d-88f8-0577 1 Security GigabitEthernet2/0/2 NOAGED
--- 1 mac address(es) found ---
Table 1-3 display port-security mac-address security command output description
Field | Description |
---|---|
MAC ADDR | Secure MAC address |
VLAN ID | VLAN to which the port belongs |
STATE | Type of the MAC address added |
PORT INDEX | Port to which the secure MAC address belongs |
AGING TIME(s) | Period of time before the secure MAC address ages out |
xxx mac address(es) found | Number of secure MAC addresses stored |
port-security authorization ignore
Syntax
port-security authorization ignore
undo port-security authorization ignore
View
Ethernet port view
Default Level
2: System level
Parameters
None
Description
Use the port-security authorization ignore command to configure a port to ignore the authorization information from the RADIUS server.
Use the undo port-security authorization ignore command to restore the default.
By default, a port uses the authorization information from the RADIUS server.
After a user passes RADIUS authentication, the RADIUS server performs authorization based on the authorization attributes configured for the user’s account. For example, it may assign a VLAN.
Related commands: display port-security.
Examples
# Configure port GigabitEthernet 2/0/1 to ignore the authorization information from the RADIUS server.
<Sysname> system-view
[Sysname] interface gigabitethernet 2/0/1
[Sysname-GigabitEthernet2/0/1] port-security authorization ignore
port-security enable
Syntax
port-security enable
undo port-security enable
View
System view
Default Level
2: System level
Parameters
None
Description
Use the port-security enable command to enable port security.
Use the undo port-security enable command to disable port security.
By default, port security is disabled.
Note that:
1) Port security cannot be enabled when 802.1X or MAC authentication is enabled globally.
2) Enabling port security resets the following configurations on a port to the defaults given in parentheses, so that they depend entirely on the port security mode:
- 802.1X (disabled), port access control method (macbased), and port access control mode (auto)
- MAC authentication (disabled)
3) Disabling port security resets the following configurations on a port to the defaults given in parentheses:
- Port security mode (noRestrictions)
- 802.1X (disabled), port access control method (macbased), and port access control mode (auto)
- MAC authentication (disabled)
4) Port security cannot be disabled if there is any user present on a port.
Related commands: display port-security, dot1x, dot1x port-method, dot1x port-control in 802.1X Commands of the Security Volume, mac-authentication in MAC Authentication Commands of the Security Volume.
Examples
# Enable port security.
<Sysname> system-view
[Sysname] port-security enable
port-security intrusion-mode
Syntax
port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
undo port-security intrusion-mode
View
Ethernet port view
Default Level
2: System level
Parameters
blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. A blocked MAC address is restored to normal after being blocked for three minutes, which is fixed and cannot be changed. You can use the display port-security mac-address block command to view the blocked MAC address list.
disableport: Disables the port permanently upon detecting an illegal frame received on the port.
disableport-temporarily: Disables the port for a specified period of time whenever it receives an illegal frame. Use the port-security timer disableport command to set the period.
Description
Use the port-security intrusion-mode command to configure the intrusion protection feature, so that the port takes the configured security action when it receives an illegal frame.
Use the undo port-security intrusion-mode command to restore the default.
By default, intrusion protection is disabled.
You can use the undo shutdown command to restore the connection of a port that intrusion protection has disabled.
Related commands: display port-security, display port-security mac-address block, port-security timer disableport.
Examples
# Configure port GigabitEthernet 2/0/1 to block the source MAC addresses of illegal frames after intrusion protection is triggered.
<Sysname> system-view
[Sysname] interface gigabitethernet 2/0/1
[Sysname-GigabitEthernet2/0/1] port-security intrusion-mode blockmac
port-security mac-address security
Syntax
In Ethernet port view:
port-security mac-address security mac-address vlan vlan-id
In system view:
port-security mac-address security mac-address interface interface-type interface-number vlan vlan-id
undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]
View
Ethernet port view, system view
Default Level
2: System level
Parameters
mac-address: Secure MAC address, in the H-H-H format.
interface interface-type interface-number: Specifies a Layer 2 Ethernet port by its type and number.
vlan-id: ID of the VLAN to which the secure MAC address belongs, in the range 1 to 4094.
Description
Use the port-security mac-address security command to add a secure MAC address.
Use the undo port-security mac-address security command to remove specified secure MAC addresses.
By default, no secure MAC address is configured.
Note that:
- The port must belong to the specified VLAN.
- You can configure a secure MAC address only if port security is enabled and the specified port operates in autoLearn mode.
- The undo port-security mac-address security command can be used in system view only.
Related commands: display port-security.
Examples
# Enable port security, set the port security mode of port GigabitEthernet 2/0/1 to autoLearn, and add a secure MAC address of 0001-0001-0002 (belonging to VLAN 10) for port GigabitEthernet 2/0/1 in system view.
<Sysname> system-view
[Sysname] port-security enable
[Sysname] interface gigabitethernet 2/0/1
[Sysname-GigabitEthernet2/0/1] port-security max-mac-count 100
[Sysname-GigabitEthernet2/0/1] port-security port-mode autolearn
[Sysname-GigabitEthernet2/0/1] quit
[Sysname] port-security mac-address security 0001-0001-0002 interface gigabitethernet 2/0/1 vlan 10
# Enable port security, set the port security mode of port GigabitEthernet 2/0/1 to autoLearn, and add a secure MAC address of 0001-0002-0003 (belonging to VLAN 4) for port GigabitEthernet 2/0/1 in interface view.
<Sysname> system-view
[Sysname] port-security enable
[Sysname] interface gigabitethernet 2/0/1
[Sysname-GigabitEthernet2/0/1] port-security max-mac-count 100
[Sysname-GigabitEthernet2/0/1] port-security port-mode autolearn
[Sysname-GigabitEthernet2/0/1] port-security mac-address security 0001-0002-0003 vlan 4
port-security max-mac-count
Syntax
port-security max-mac-count count-value
undo port-security max-mac-count
View
Ethernet interface view
Default Level
2: System level
Parameters
count-value: Maximum number of secure MAC addresses allowed on the port, in the range 1 to 1024.
Description
Use the port-security max-mac-count command to set the maximum number of secure MAC addresses allowed on the port.
Use the undo port-security max-mac-count command to restore the default setting.
By default, the maximum number of secure MAC addresses is not limited.
Note that:
- You cannot change the maximum number of secure MAC addresses for a port working in the autoLearn mode.
- The maximum number of secure MAC addresses allowed on a port does not include or limit that of the static MAC addresses manually configured.
- The maximum number of secure MAC addresses allowed on a port must not be less than the number of MAC addresses stored on the port.
Related commands: display port-security.
Examples
# Set the maximum number of secure MAC addresses allowed on port GigabitEthernet 2/0/1 to 100.
<Sysname> system-view
[Sysname] interface gigabitethernet 2/0/1
[Sysname-GigabitEthernet2/0/1] port-security max-mac-count 100
port-security ntk-mode
Syntax
port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }
undo port-security ntk-mode
View
Ethernet interface view
Default Level
2: System level
Parameters
ntk-withbroadcasts: Sends frames destined for authenticated MAC addresses or the broadcast address.
ntk-withmulticasts: Sends frames destined for authenticated MAC addresses, the broadcast address, or unknown multicast addresses.
ntkonly: Sends frames destined for authenticated MAC addresses.
Description
Use the port-security ntk-mode command to configure the NTK feature.
Use the undo port-security ntk-mode command to restore the default.
By default, NTK is disabled on a port and all frames are allowed to be sent.
The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow frames to be sent to only devices passing authentication, thus preventing illegal devices from intercepting network traffic.
The frames checked by the NTK feature include the authenticated unicasts, broadcasts, and frames destined for unknown multicast addresses. Frames destined for known multicast addresses are not checked.
Related commands: display port-security.
Examples
# Set the NTK mode of port GigabitEthernet 2/0/1 to ntkonly, allowing the port to forward received packets to only devices passing authentication.
<Sysname> system-view
[Sysname] interface gigabitethernet 2/0/1
[Sysname-GigabitEthernet2/0/1] port-security ntk-mode ntkonly
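The three NTK modes differ only in which destination classes pass the check. The decision table below is an added example, not from the command reference: it models which outbound frames each mode lets through, treating known multicast groups as forwarded without a check (an assumption drawn from the sentence above that NTK does not check them); the MAC addresses are constructed samples in H-H-H format.

```python
BROADCAST = "ffff-ffff-ffff"
NTK_MODES = (None, "ntkonly", "ntk-withbroadcasts", "ntk-withmulticasts")


def is_multicast(mac):
    """True for group addresses (I/G bit of the first octet set), excluding broadcast."""
    first_octet = int(mac.replace("-", "")[:2], 16)
    return bool(first_octet & 0x01) and mac.lower() != BROADCAST


def ntk_permits(mode, dst_mac, authenticated, known_multicast):
    """Decide whether NTK lets an outbound frame with destination dst_mac leave the port.

    mode: None (NTK disabled, the default) or one of the three ntk-mode keywords.
    authenticated: lowercase H-H-H MAC addresses on the port that passed authentication.
    known_multicast: multicast groups the switch already knows; the page says NTK does
    not check these, so this model forwards them in every mode (an assumption).
    """
    if mode not in NTK_MODES:
        raise ValueError(f"unknown NTK mode {mode!r}")
    dst = dst_mac.lower()
    if mode is None:
        return True                       # NTK disabled: everything is sent
    if dst == BROADCAST:
        return mode in ("ntk-withbroadcasts", "ntk-withmulticasts")
    if is_multicast(dst):
        return dst in known_multicast or mode == "ntk-withmulticasts"
    return dst in authenticated           # unicast: only authenticated destinations


def filter_outbound(mode, frames, authenticated, known_multicast):
    """Return, in order, the destinations from frames that the port would send."""
    return [dst for dst in frames if ntk_permits(mode, dst, authenticated, known_multicast)]


if __name__ == "__main__":
    # Constructed sample: one authenticated host and one known multicast group
    auth = {"0002-0002-0002"}
    known = {"0100-5e01-0101"}
    frames = ["0002-0002-0002", "0003-0003-0003", "ffff-ffff-ffff",
              "0100-5e01-0101", "0100-5e7f-0001"]
    for mode in NTK_MODES:
        print(mode, filter_outbound(mode, frames, auth, known))
```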
port-security oui
Syntax
port-security oui oui-value index index-value
undo port-security oui index index-value
View
System view
Default Level
2: System level
Parameters
oui-value: Organizationally unique identifier (OUI) string, a 48-bit MAC address in the H-H-H format. The system automatically uses only the 24 high-order bits as the OUI value.
index-value: OUI index, in the range 1 to 16.
Description
Use the port-security oui command to configure an OUI value for user authentication. This value is used when the port security mode is UserLoginWithOUI.
Use the undo port-security oui command to delete an OUI value with the specified OUI index.
By default, no OUI value is configured.
Note that an OUI value configured by using the port-security oui command takes effect only when the security mode is userLoginWithOUI.
Related commands: display port-security.
Examples
# Configure an OUI value of 000d2a, setting the index to 4.
<Sysname> system-view
[Sysname] port-security oui 000d-2a10-0033 index 4
port-security port-mode
Syntax
port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }
undo port-security port-mode
View
Interface view
Default Level
2: System level
Parameters
autolearn: Operates in autoLearn mode.
mac-authentication: Operates in macAddressWithRadius mode.
mac-else-userlogin-secure: Operates in macAddressElseUserLoginSecure mode.
mac-else-userlogin-secure-ext: Operates in macAddressElseUserLoginSecureExt mode.
secure: Operates in secure mode.
userlogin: Operates in userLogin mode.
userlogin-secure: Operates in userLoginSecure mode.
userlogin-secure-ext: Operates in userLoginSecureExt mode.
userlogin-secure-or-mac: Operates in macAddressOrUserLoginSecure mode.
userlogin-secure-or-mac-ext: Operates in macAddressOrUserLoginSecureExt mode.
userlogin-withoui: Operates in userLoginWithOUI mode.
Description
Use the port-security port-mode command to set the port security mode of a port.
Use the undo port-security port-mode command to restore the default.
By default, a port operates in noRestrictions mode, where port security does not take effect.
Note that:
- Configuration of port security mode on a port is mutually exclusive with the configuration of 802.1X authentication, port access control method, port access control mode, and MAC authentication on the port.
- With port security enabled, you can change the port security mode of a port only when the port is operating in noRestrictions mode, the default mode. You can use the undo port-security port-mode command to restore the default port security mode.
- Before configuring the port security mode to autoLearn, be sure to configure the maximum number of secure MAC addresses allowed on the port by using the port-security max-mac-count command.
- You cannot change the port security mode of a port with users online.
Related commands: display port-security.
Examples
# Enable port security and configure the port security mode of port GigabitEthernet 2/0/1 as secure.
<Sysname> system-view
[Sysname] port-security enable
[Sysname] interface gigabitethernet 2/0/1
[Sysname-GigabitEthernet2/0/1] port-security port-mode secure
# Change the port security mode of port GigabitEthernet 2/0/1 to userLogin.
[Sysname-GigabitEthernet2/0/1] undo port-security port-mode
[Sysname-GigabitEthernet2/0/1] port-security port-mode userlogin
port-security timer disableport
Syntax
port-security timer disableport time-value
undo port-security timer disableport
View
System view
Default Level
2: System level
Parameters
time-value: Silence timeout during which the port remains disabled, in seconds. It ranges from 20 to 300.
Description
Use the port-security timer disableport command to set the silence timeout during which the port remains disabled.
Use the undo port-security timer disableport command to restore the default.
By default, the silence timeout is 20 seconds.
If you configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame, you can use this command to set the silence period.
Related commands: display port-security.
Examples
# Configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame and set the silence timeout to 30 seconds.
<Sysname> system-view
[Sysname] port-security timer disableport 30
[Sysname] interface gigabitethernet 2/0/1
[Sysname-GigabitEthernet2/0/1] port-security intrusion-mode disableport-temporarily
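The intrusion-mode actions and this timer together define a small state machine per port. The model below is an added example, not the switch's code: it tracks the fixed three-minute blockmac block, the permanent disableport state that only undo shutdown clears, and the disableport-temporarily silence period set by this command; the MAC addresses and times are constructed.

```python
BLOCKMAC_SECONDS = 180   # blockmac holds an address for a fixed three minutes (not configurable)
INTRUSION_MODES = (None, "blockmac", "disableport", "disableport-temporarily")


class PortIntrusionState:
    """Model of one port's intrusion-protection state.

    The switch decides what counts as an illegal frame from the port security mode;
    this model takes that verdict as input through on_illegal_frame(). Times are
    seconds as numbers so the block and silence timers can be stepped by hand.
    """

    def __init__(self, name, intrusion_mode=None, disableport_timeout=20):
        if intrusion_mode not in INTRUSION_MODES:
            raise ValueError(f"unknown intrusion mode {intrusion_mode!r}")
        if not 20 <= disableport_timeout <= 300:
            raise ValueError("port-security timer disableport takes 20 to 300 seconds")
        self.name = name
        self.mode = intrusion_mode
        self.timeout = disableport_timeout
        self.blocked = {}            # source MAC -> time at which its block expires
        self.disabled_until = None   # None = port up; float("inf") = needs undo shutdown

    def on_illegal_frame(self, src_mac, now):
        """Apply the configured action for an illegal frame seen at time now."""
        if self.mode == "blockmac":
            self.blocked[src_mac.lower()] = now + BLOCKMAC_SECONDS
        elif self.mode == "disableport":
            self.disabled_until = float("inf")
        elif self.mode == "disableport-temporarily":
            self.disabled_until = now + self.timeout
        # mode None: intrusion protection is disabled, so no action is taken here

    def accepts(self, src_mac, now):
        """Would a frame from src_mac get through the port at time now?"""
        if self.disabled_until is not None and now < self.disabled_until:
            return False
        expires = self.blocked.get(src_mac.lower())
        if expires is not None:
            if now < expires:
                return False
            del self.blocked[src_mac.lower()]   # block expired, address restored to normal
        return True

    def undo_shutdown(self):
        """Operator brings a permanently disabled port back with undo shutdown."""
        self.disabled_until = None

    def blocked_macs(self, now):
        """What display port-security mac-address block would list for this port."""
        return sorted(mac for mac, expires in self.blocked.items() if now < expires)


if __name__ == "__main__":
    port = PortIntrusionState("GigabitEthernet2/0/1", "blockmac")
    port.on_illegal_frame("0002-0002-0002", now=0)
    print(port.blocked_macs(10), port.accepts("0002-0002-0002", 10), port.accepts("0002-0002-0002", 181))
```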
port-security trap
Syntax
port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }
undo port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }
View
System view
Default Level
2: System level
Parameters
addresslearned: Address learning trap. When enabled, this function allows the system to send a trap message when a port learns a new MAC address.
dot1xlogfailure: Trap for 802.1X authentication failure.
dot1xlogon: Trap for successful 802.1X authentication.
dot1xlogoff: Trap for 802.1X user logoff events.
intrusion: Trap for illegal frames.
ralmlogfailure: Trap for MAC authentication failure.
ralmlogoff: Trap for MAC authentication user logoff events.
ralmlogon: Trap for successful MAC authentication.
RALM (RADIUS Authenticated Login using MAC-address) means RADIUS authentication based on MAC address.
Description
Use the port-security trap command to enable port security traps.
Use the undo port-security trap command to disable port security traps.
By default, no port security trap is enabled.
This command involves the trap feature. With the trap feature, a device can send trap information upon receiving packets that result from, for example, intrusion, abnormal login, or logout operations, allowing you to monitor operations of interest.
Related commands: display port-security.
Examples
# Enable address learning trap.
<Sysname> system-view
[Sysname] port-security trap addresslearned