H3C WX6103 Access Controller Switch Interface Board Command Reference-6W102
08-Port Security Commands
Table of Contents
1 Port Security Configuration Commands
Port Security Configuration Commands
display port-security
display port-security mac-address block
display port-security mac-address security
port-security authorization ignore
port-security enable
port-security intrusion-mode
port-security mac-address security
port-security max-mac-count
port-security ntk-mode
port-security oui
port-security port-mode
port-security timer disableport
port-security trap
The term switch in this document refers to a switch in a generic sense or an access controller configured with the switching function unless otherwise specified.
Port Security Configuration Commands
display port-security
Syntax
display port-security [ interface interface-list ]
View
Any view
Parameters
interface-list: Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> means that you can specify up to 10 ports or port ranges. The starting port and ending port of a port range must be of the same type and the ending port number must be greater than the starting port number.
Description
Use the display port-security command to display port security configuration information, operation information, and statistics about one or more specified ports or all ports.
Related commands: port-security enable, port-security port-mode, port-security ntk-mode, port-security intrusion-mode, port-security max-mac-count, port-security mac-address security, port-security authorization ignore, port-security oui, port-security trap.
Examples
# Display port security configuration information, operation information, and statistics about all ports.
<Sysname> display port-security
Equipment port-security is enabled
AddressLearn trap is enabled
Intrusion trap is enabled
Dot1x logon trap is enabled
Dot1x logoff trap is enabled
Dot1x logfailure trap is enabled
RALM logon trap is enabled
RALM logoff trap is enabled
RALM logfailure trap is enabled
Disableport Timeout: 20s
OUI value:
Index is 1, OUI value is 000d1a
Index is 2, OUI value is 003c12
GigabitEthernet0/0/1 is link-down
Port mode is UserloginWithOUI
NeedtoKnow mode is needtoknowonly
Intrusion mode is disableport
Max MAC address number is 50
Stored MAC address number is 0
Authorization is ignored
GigabitEthernet0/0/2 is link-down
Port mode is noRestriction
NeedtoKnow mode is disabled
Intrusion mode is no action
Max MAC address number is not configured
Stored MAC address number is 0
Authorization is permitted
Table 1-1 Description on the fields of the display port-security command

Field | Description |
---|---|
Equipment port-security is enabled | Port security is enabled. |
AddressLearn trap is enabled | Address learning trap is enabled. |
Intrusion trap is enabled | Intrusion protection trap is enabled. |
Dot1x logon trap is enabled | 802.1x logon trap is enabled. |
Dot1x logoff trap is enabled | 802.1x logoff trap is enabled. |
Dot1x logfailure trap is enabled | 802.1x authentication failure trap is enabled. |
RALM logon trap is enabled | MAC authentication success trap is enabled. |
RALM logoff trap is enabled | MAC authenticated user logoff trap is enabled. |
RALM logfailure trap is enabled | MAC authentication failure trap is enabled. |
Disableport Timeout: 20s | The silence timeout is 20 seconds. |
OUI value | 24-bit OUI value |
Index | OUI index |
Port mode is UserloginWithOUI | The port security mode is UserloginWithOUI. |
NeedtoKnow mode is needtoknowonly | The NTK mode is needtoknowonly. |
Intrusion mode is disableport | Intrusion protection action is set to disableport. |
Max MAC address number | Maximum number of secure MAC addresses allowed on the port |
Stored MAC address number | Number of MAC addresses stored on the port |
Authorization is ignored | Authorization information from the RADIUS server is ignored. |
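The output above is easy to read for two ports but not for a chassis full of them. The following Python script is an added example, not H3C code: it parses the text of display port-security exactly as printed above into global settings and one record per port, then flags ports that port security is not actually protecting (noRestriction mode, no intrusion action, no secure MAC limit, NTK disabled). The sample output is the one shown on this page, embedded as a constructed string; the record layout, the finding texts and what counts as a finding are this script's own assumptions, not an H3C baseline.

```python
"""Parse and audit the output of 'display port-security' on an H3C Comware
switch.  Added example, not H3C code: the record layout, finding texts and what
counts as a finding are this script's own assumptions."""
import re
from typing import List

# Constructed sample: the output shown on this page, embedded so the script runs
# offline.  In practice, pass it the text captured from the CLI session.
SAMPLE_OUTPUT = """\
Equipment port-security is enabled
AddressLearn trap is enabled
Intrusion trap is enabled
Dot1x logon trap is enabled
Dot1x logoff trap is enabled
Dot1x logfailure trap is enabled
RALM logon trap is enabled
RALM logoff trap is enabled
RALM logfailure trap is enabled
Disableport Timeout: 20s
OUI value:
Index is 1, OUI value is 000d1a
Index is 2, OUI value is 003c12
GigabitEthernet0/0/1 is link-down
Port mode is UserloginWithOUI
NeedtoKnow mode is needtoknowonly
Intrusion mode is disableport
Max MAC address number is 50
Stored MAC address number is 0
Authorization is ignored
GigabitEthernet0/0/2 is link-down
Port mode is noRestriction
NeedtoKnow mode is disabled
Intrusion mode is no action
Max MAC address number is not configured
Stored MAC address number is 0
Authorization is permitted
"""

TRAP_RE = re.compile(r"^(.+?) trap is (enabled|disabled)$")
TIMER_RE = re.compile(r"^Disableport Timeout:\s*(\d+)\s*s$")
OUI_RE = re.compile(r"^Index is (\d+), OUI value is ([0-9a-fA-F]{6})$")
PORT_RE = re.compile(r"^(\S*Ethernet\S+) is (link-up|link-down)$")


def parse_port_security(text: str) -> dict:
    """Global settings plus one dict per port, keyed by the field names the
    switch prints ('Port mode', 'Intrusion mode', 'Max MAC address number', ...)."""
    result = {"enabled": False, "traps": {}, "disableport_timeout": None,
              "ouis": {}, "ports": {}}
    current = None          # per-port dict being filled; None while in the global part
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PORT_RE.match(line)
        if m:               # 'GigabitEthernet0/0/1 is link-down' opens a port block
            current = {"link": m.group(2)}
            result["ports"][m.group(1)] = current
            continue
        if current is not None:   # every per-port line has the shape '<field> is <value>'
            field, sep, value = line.partition(" is ")
            if sep:
                current[field] = value
            continue
        if line.startswith("Equipment port-security is "):
            result["enabled"] = line.endswith("enabled")
            continue
        m = TRAP_RE.match(line)
        if m:
            result["traps"][m.group(1)] = m.group(2) == "enabled"
            continue
        m = TIMER_RE.match(line)
        if m:
            result["disableport_timeout"] = int(m.group(1))
            continue
        m = OUI_RE.match(line)
        if m:
            result["ouis"][int(m.group(1))] = m.group(2).lower()
    return result


def audit(parsed: dict) -> List[str]:
    """Flag ports that port security is not actually protecting.  Which settings
    count as findings is an assumption of this script, not an H3C baseline."""
    findings = []
    if not parsed["enabled"]:
        findings.append("global: port security is disabled")
    for trap in ("AddressLearn", "Intrusion"):
        if not parsed["traps"].get(trap, False):
            findings.append(f"global: {trap} trap is not enabled")
    for name, port in parsed["ports"].items():
        if port.get("Port mode") == "noRestriction":
            findings.append(f"{name}: port security mode is noRestriction, port security does not take effect")
            continue        # the per-port settings below only matter once a mode is set
        if port.get("Intrusion mode") == "no action":
            findings.append(f"{name}: no intrusion protection action configured")
        if port.get("NeedtoKnow mode") == "disabled":
            findings.append(f"{name}: NTK is disabled")
        if port.get("Max MAC address number") == "not configured":
            findings.append(f"{name}: no limit on the number of secure MAC addresses")
        if port.get("Authorization") == "ignored":
            findings.append(f"{name}: RADIUS authorization from the server is ignored (info)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_port_security(SAMPLE_OUTPUT)):
        print(finding)
```

The parser keys each port record by the field names the switch prints, so a new field in a later firmware release is kept rather than dropped; only the audit rules need to know specific names.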
display port-security mac-address block
Syntax
display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]
View
Any view
Parameters
interface interface-type interface-number: Specifies a port by its type and number.
vlan vlan-id: Specifies a VLAN by its number, which is in the range 1 to 4094.
count: Displays only the count of the blocked MAC addresses.
Description
Use the display port-security mac-address block command to display information about blocked MAC addresses.
With no keyword or argument specified, the command displays information about all blocked MAC addresses.
Related commands: port-security intrusion-mode.
Examples
# Display information about all blocked MAC addresses.
<Sysname> display port-security mac-address block
MAC ADDR From Port VLAN ID
0002-0002-0002 GigabitEthernet0/0/1 1
000d-88f8-0577 GigabitEthernet0/0/1 1
--- 2 mac address(es) found ---
# Display the count of all blocked MAC addresses.
<Sysname> display port-security mac-address block count
2 mac address(es) found
# Display information about all blocked MAC addresses in VLAN 1.
<Sysname> display port-security mac-address block vlan 1
MAC ADDR From Port VLAN ID
0002-0002-0002 GigabitEthernet0/0/1 1
000d-88f8-0577 GigabitEthernet0/0/1 1
--- 2 mac address(es) found ---
# Display information about all blocked MAC addresses of port GigabitEthernet 0/0/1.
<Sysname> display port-security mac-address block interface GigabitEthernet0/0/1
MAC ADDR From Port VLAN ID
000d-88f8-0577 GigabitEthernet0/0/1 1
--- 1 mac address(es) found ---
# Display information about all blocked MAC addresses of port GigabitEthernet 0/0/1 in VLAN 1.
<Sysname> display port-security mac-address block interface GigabitEthernet 0/0/1 vlan 1
MAC ADDR From Port VLAN ID
000d-88f8-0577 GigabitEthernet0/0/1 1
--- 1 mac address(es) found ---
Table 1-2 Description on the fields of the display port-security mac-address block command

Field | Description |
---|---|
MAC ADDR | Blocked MAC address |
From Port | Port that received the frames whose source address is the blocked MAC address |
VLAN ID | ID of the VLAN to which the port belongs |
2 mac address(es) found | Number of blocked MAC addresses |
display port-security mac-address security
Syntax
display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]
View
Any view
Parameters
interface interface-type interface-number: Specifies a port by its type and number.
vlan vlan-id: Specifies a VLAN by its number, which is in the range 1 to 4094.
count: Displays only the count of the secure MAC addresses.
Description
Use the display port-security mac-address security command to display information about secure MAC addresses.
With no keyword or argument specified, the command displays information about all secure MAC addresses.
Related commands: port-security mac-address security.
Examples
# Display information about all secure MAC addresses.
<Sysname> display port-security mac-address security
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
0002-0002-0002 1 Security GigabitEthernet0/0/1 NOAGED
000d-88f8-0577 1 Security GigabitEthernet0/0/1 NOAGED
--- 2 mac address(es) found ---
# Display only the count of the secure MAC addresses.
<Sysname> display port-security mac-address security count
2 mac address(es) found
# Display information about secure MAC addresses in the specified VLAN.
<Sysname> display port-security mac-address security vlan 1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
0002-0002-0002 1 Security GigabitEthernet0/0/1 NOAGED
000d-88f8-0577 1 Security GigabitEthernet0/0/1 NOAGED
--- 2 mac address(es) found ---
# Display information about secure MAC addresses on the specified port.
<Sysname> display port-security mac-address security interface GigabitEthernet0/0/1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
000d-88f8-0577 1 Security GigabitEthernet0/0/1 NOAGED
--- 1 mac address(es) found ---
# Display information about secure MAC addresses that are on the specified port and in the specified VLAN.
<Sysname> display port-security mac-address security interface GigabitEthernet 0/0/1 vlan 1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
000d-88f8-0577 1 Security GigabitEthernet0/0/1 NOAGED
--- 1 mac address(es) found ---
Table 1-3 Description on the fields of the display port-security mac-address security command

Field | Description |
---|---|
MAC ADDR | Secure MAC address |
VLAN ID | ID of the VLAN to which the secure MAC address belongs |
STATE | Type of the MAC address added |
PORT INDEX | Port to which the secure MAC address belongs |
AGING TIME(s) | Period of time before the secure MAC address ages out |
xxx mac address(es) found | Number of secure MAC addresses stored |
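The blocked-address table (Table 1-2) and the secure-address table (Table 1-3) are most useful side by side: a port with a small set of secure addresses and a fast-growing list of blocked sources with unrelated OUIs is what a flood of random source MACs against the port looks like, while an address that appears in both lists is worth reconciling by hand. The following Python script is an added example, not H3C code: it parses both outputs as printed above (including the count-only form and the trailer line), converts the H-H-H addresses to colon form, and produces a per-port summary. The sample tables are the ones on this page, embedded as constructed strings; the row keys, the OUI heuristic and the overlap check are this script's own assumptions.

```python
"""Parse the outputs of 'display port-security mac-address block' and
'display port-security mac-address security' on an H3C Comware switch and
correlate them per port.  Added example, not H3C code; the row keys and the
checks are this script's own."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed samples: the outputs shown on this page, embedded so the script
# runs offline.  In practice, capture the text from the CLI session.
SAMPLE_BLOCK = """\
MAC ADDR From Port VLAN ID
0002-0002-0002 GigabitEthernet0/0/1 1
000d-88f8-0577 GigabitEthernet0/0/1 1
--- 2 mac address(es) found ---
"""
SAMPLE_SECURE = """\
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
0002-0002-0002 1 Security GigabitEthernet0/0/1 NOAGED
000d-88f8-0577 1 Security GigabitEthernet0/0/1 NOAGED
--- 2 mac address(es) found ---
"""

HHH_RE = re.compile(r"^[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}$")
BLOCK_COLUMNS = ("mac", "port", "vlan")
SECURE_COLUMNS = ("mac", "vlan", "state", "port", "aging")


def normalize_mac(hhh: str) -> str:
    """Comware H-H-H form ('000d-88f8-0577') to colon form ('00:0d:88:f8:05:77')."""
    if not HHH_RE.match(hhh):
        raise ValueError(f"not an H-H-H MAC address: {hhh!r}")
    digits = hhh.replace("-", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str) -> str:
    """The 24 high-order bits, in the six-hex-digit form display port-security prints."""
    return mac.replace(":", "").replace("-", "").lower()[:6]


def _parse_table(text: str, columns: Tuple[str, ...]) -> Tuple[List[dict], Optional[int]]:
    """Split a whitespace-separated table into rows; return (rows, declared count)."""
    rows, declared = [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "MAC":      # blank line or column header
            continue
        if "found" in parts:                    # '--- N mac address(es) found ---' or count-only 'N mac address(es) found'
            declared = int(parts[parts.index("mac") - 1])
            continue
        if len(parts) != len(columns):
            raise ValueError(f"unexpected row: {line!r}")
        row = dict(zip(columns, parts))
        row["mac"] = normalize_mac(row["mac"])
        row["vlan"] = int(row["vlan"])
        rows.append(row)
    if rows and declared is not None and declared != len(rows):
        raise ValueError(f"trailer says {declared} rows, parsed {len(rows)}")
    return rows, declared


def parse_blocked(text: str) -> List[dict]:
    """Rows of 'display port-security mac-address block' (empty for count-only output)."""
    return _parse_table(text, BLOCK_COLUMNS)[0]


def parse_secure(text: str) -> List[dict]:
    """Rows of 'display port-security mac-address security' (empty for count-only output)."""
    return _parse_table(text, SECURE_COLUMNS)[0]


def summarize(blocked: List[dict], secure: List[dict]) -> Tuple[Dict[str, dict], List[Tuple[str, int]]]:
    """Per port: secure and blocked counts plus the distinct OUIs among blocked
    sources (many OUIs on one port is the signature of random-source flooding,
    a heuristic of this script), and every (mac, vlan) present in both lists."""
    per_port: Dict[str, dict] = defaultdict(lambda: {"secure": 0, "blocked": 0, "blocked_ouis": set()})
    for row in secure:
        per_port[row["port"]]["secure"] += 1
    for row in blocked:
        per_port[row["port"]]["blocked"] += 1
        per_port[row["port"]]["blocked_ouis"].add(oui_of(row["mac"]))
    secure_keys = {(r["mac"], r["vlan"]) for r in secure}
    both = sorted({(r["mac"], r["vlan"]) for r in blocked} & secure_keys)
    return dict(per_port), both


if __name__ == "__main__":
    per_port, both = summarize(parse_blocked(SAMPLE_BLOCK), parse_secure(SAMPLE_SECURE))
    for port, stats in per_port.items():
        print(port, stats)
    print("in both lists:", both)
```

The trailer check (declared count versus parsed rows) guards against a truncated capture, which is the usual failure when output is scraped over a paged terminal session.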
port-security authorization ignore
Syntax
port-security authorization ignore
undo port-security authorization ignore
View
Layer 2 Ethernet port view
Parameters
None
Description
Use the port-security authorization ignore command to configure a port to ignore the authorization information from the RADIUS server.
Use the undo port-security authorization ignore command to restore the default.
By default, a port uses the authorization information from the RADIUS server.
Related commands: display port-security.
Examples
# Configure port GigabitEthernet 0/0/1 to ignore the authorization information from the RADIUS server.
<Sysname> system-view
[Sysname] interface gigabitethernet 0/0/1
[Sysname-GigabitEthernet0/0/1] port-security authorization ignore
port-security enable
Syntax
port-security enable
undo port-security enable
View
System view
Parameters
None
Description
Use the port-security enable command to enable port security.
Use the undo port-security enable command to disable port security.
By default, port security is disabled.
Note that:
1) Port security cannot be enabled when 802.1x or MAC authentication is enabled globally.
2) Enabling port security resets the following configurations on a port to the defaults shown in parentheses, so that they are determined entirely by the port security mode:
  - 802.1x (disabled), port access control method (macbased), and port access control mode (auto)
  - MAC authentication (disabled)
3) Disabling port security resets the following configurations on a port to the defaults shown in parentheses:
  - Port security mode (noRestrictions)
  - 802.1x (disabled), port access control method (macbased), and port access control mode (auto)
  - MAC authentication (disabled)
4) Port security cannot be disabled if there is any user present on a port.
Related commands: display port-security, and these commands in 802.1x-HABP-MAC Authentication Commands: dot1x, dot1x port-method, dot1x port-control, and mac-authentication.
Examples
# Enable port security.
<Sysname> system-view
[Sysname] port-security enable
port-security intrusion-mode
Syntax
port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
undo port-security intrusion-mode
View
Layer 2 Ethernet port view
Parameters
blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. A blocked MAC address is restored to normal after being blocked for three minutes, which is fixed and cannot be changed.
disableport: Disables the port permanently upon detecting an illegal frame received on the port.
disableport-temporarily: Disables the port for a specified period of time whenever it receives an illegal frame. Use the port-security timer disableport command to set the period.
Description
Use the port-security intrusion-mode command to configure the intrusion protection feature.
Use the undo port-security intrusion-mode command to restore the default.
By default, intrusion protection is disabled.
Related commands: display port-security, port-security timer disableport.
Examples
# Configure port GigabitEthernet 0/0/1 to block the source MAC addresses of illegal frames after intrusion protection is triggered.
<Sysname> system-view
[Sysname] interface gigabitethernet 0/0/1
[Sysname-GigabitEthernet0/0/1] port-security intrusion-mode blockmac
port-security mac-address security
Syntax
In Layer 2 Ethernet port view:
port-security mac-address security mac-address vlan vlan-id
In system view:
port-security mac-address security mac-address interface interface-type interface-number vlan vlan-id
undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]
View
Layer 2 Ethernet port view, system view
Parameters
mac-address: Secure MAC address, in the H-H-H format.
interface interface-type interface-number: Specifies a Layer 2 Ethernet port by its type and number.
vlan-id: ID of the VLAN to which the secure MAC address belongs, in the range 1 to 4094.
Description
Use the port-security mac-address security command to add a secure MAC address.
Use the undo port-security mac-address security command to remove a specified secure MAC address.
By default, no secure MAC address is configured.
Note that:
- You can configure a secure MAC address only if port security is enabled and the specified port operates in autoLearn mode.
- The undo port-security mac-address security command can be used in system view only.
Related commands: display port-security.
Examples
# In system view, add a secure MAC address of 0001-0001-0002 (belonging to VLAN 10) to port GigabitEthernet 0/0/1.
<Sysname> system-view
[Sysname] port-security mac-address security 0001-0001-0002 interface gigabitethernet 0/0/1 vlan 10
# In Ethernet port view, add a secure MAC address of 0001-0002-0003 (belonging to VLAN 4) to port GigabitEthernet 0/0/1.
<Sysname> system-view
[Sysname] interface gigabitethernet 0/0/1
[Sysname-GigabitEthernet0/0/1] port-security mac-address security 0001-0002-0003 vlan 4
port-security max-mac-count
Syntax
port-security max-mac-count count-value
undo port-security max-mac-count
View
Layer 2 Ethernet port view
Parameters
count-value: Maximum number of secure MAC addresses allowed on the port, in the range 1 to 1024.
Description
Use the port-security max-mac-count command to set the maximum number of secure MAC addresses allowed on the port.
Use the undo port-security max-mac-count command to restore the default setting.
By default, the maximum number of secure MAC addresses is not limited.
Note the following:
- The autoLearn mode cannot be enabled if this value is not configured.
- The maximum number of secure MAC addresses allowed on a port does not include or limit the number of static MAC addresses configured manually.
- The maximum number of secure MAC addresses allowed on a port must not be less than the number of MAC addresses already stored on the port.
Related commands: display port-security.
Examples
# Set the maximum number of secure MAC addresses allowed on port GigabitEthernet 0/0/1 to 100.
<Sysname> system-view
[Sysname] interface gigabitethernet 0/0/1
[Sysname-GigabitEthernet0/0/1] port-security max-mac-count 100
port-security ntk-mode
Syntax
port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }
undo port-security ntk-mode
View
Layer 2 Ethernet port view
Parameters
ntk-withbroadcasts: Sends only frames destined for authenticated MAC addresses or the broadcast address.
ntk-withmulticasts: Sends only frames destined for authenticated MAC addresses, multicast addresses, or the broadcast address.
ntkonly: Sends only frames destined for authenticated MAC addresses.
Description
Use the port-security ntk-mode command to configure the NTK feature.
Use the undo port-security ntk-mode command to restore the default.
By default, NTK is disabled on a port and all frames are allowed to be sent.
Related commands: display port-security.
Examples
# Set the NTK mode of port GigabitEthernet 0/0/1 to ntkonly.
<Sysname> system-view
[Sysname] interface gigabitethernet 0/0/1
[Sysname-GigabitEthernet0/0/1] port-security ntk-mode ntkonly
port-security oui
Syntax
port-security oui oui-value index index-value
undo port-security oui index index-value
View
System view
Parameters
oui-value: Organizationally unique identifier (OUI) string, a 48-bit MAC address in the H-H-H format. The system automatically uses only the 24 high-order bits as the OUI value.
index-value: OUI index, in the range 1 to 16.
Description
Use the port-security oui command to configure an OUI value for user authentication. This value is used when the port security mode is UserLoginWithOUI.
Use the undo port-security oui command to delete an OUI value with the specified OUI index.
By default, no OUI value is configured.
Note that an OUI value configured by using the port-security oui command takes effect only when the security mode is userLoginWithOUI.
Related commands: display port-security.
Examples
# Configure an OUI value of 000d2a, setting the index to 4.
<Sysname> system-view
[Sysname] port-security oui 000d-2a10-0033 index 4
port-security port-mode
Syntax
port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }
undo port-security port-mode
View
Layer 2 Ethernet port view
Parameters
autolearn: Operates in autoLearn mode.
mac-authentication: Operates in macAddressWithRadius mode.
mac-else-userlogin-secure: Operates in macAddressElseUserLoginSecure mode.
mac-else-userlogin-secure-ext: Operates in macAddressElseUserLoginSecureExt mode.
secure: Operates in secure mode.
userlogin: Operates in userLogin mode.
userlogin-secure: Operates in userLoginSecure mode.
userlogin-secure-ext: Operates in userLoginSecureExt mode.
userlogin-secure-or-mac: Operates in macAddressOrUserLoginSecure mode.
userlogin-secure-or-mac-ext: Operates in macAddressOrUserLoginSecureExt mode.
userlogin-withoui: Operates in userLoginWithOUI mode.
Description
Use the port-security port-mode command to set the port security mode of a port.
Use the undo port-security port-mode command to restore the default.
By default, a port operates in noRestrictions mode, where port security does not take effect.
Note that:
- Configuring a port security mode on a port is mutually exclusive with configuring 802.1x authentication, the port access control method, the port access control mode, or MAC authentication on that port.
- With port security enabled, you can change the port security mode of a port only when the port is operating in noRestrictions mode, the default. Use the undo port-security port-mode command to restore the default port security mode first.
- You cannot change the port security mode of a port when any user is present on the port.
Related commands: display port-security.
Examples
# Configure the port security mode of port GigabitEthernet 0/0/1 as secure.
<Sysname> system-view
[Sysname] interface gigabitethernet 0/0/1
[Sysname-GigabitEthernet0/0/1] port-security port-mode secure
# Change the port security mode of port GigabitEthernet 0/0/1 to userLogin.
[Sysname-GigabitEthernet0/0/1] undo port-security port-mode
[Sysname-GigabitEthernet0/0/1] port-security port-mode userlogin
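The ordering rules are spread across several commands in this chapter: port security must be enabled before anything else (port-security enable), max-mac-count must exist before a port can enter autoLearn mode (port-security max-mac-count), secure MAC addresses can only be added in autoLearn mode (port-security mac-address security), and the mode can only be changed from noRestrictions, so a port already in another mode needs undo port-security port-mode first (port-security port-mode). The following Python script is an added example, not H3C tooling: it takes a small declarative profile, checks those dependencies and the documented value ranges, and emits the CLI lines in an order the switch accepts. The profile layout and its key names are this script's own; the constraints that depend on runtime state (users present on the port, 802.1x or MAC authentication enabled globally) are not modelled and still have to be checked on the device.

```python
"""Emit an ordered port-security configuration for an H3C Comware switch from a
small declarative profile, checking the dependencies this chapter states before
any command is emitted.  Added example, not H3C tooling: the profile layout and
key names are this script's own."""
import re
from typing import List

MODES = {"autolearn", "mac-authentication", "mac-else-userlogin-secure",
         "mac-else-userlogin-secure-ext", "secure", "userlogin", "userlogin-secure",
         "userlogin-secure-ext", "userlogin-secure-or-mac",
         "userlogin-secure-or-mac-ext", "userlogin-withoui"}
INTRUSION_MODES = {"blockmac", "disableport", "disableport-temporarily"}
NTK_MODES = {"ntk-withbroadcasts", "ntk-withmulticasts", "ntkonly"}
TRAPS = {"addresslearned", "dot1xlogfailure", "dot1xlogoff", "dot1xlogon",
         "intrusion", "ralmlogfailure", "ralmlogoff", "ralmlogon"}
HHH_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.IGNORECASE)

# Constructed profile (this script's own layout, not a device format).
EXAMPLE_PROFILE = {
    "disableport_timer": 30,                      # seconds, 20-300
    "traps": ["intrusion", "addresslearned"],
    "ouis": {4: "000d-2a10-0033"},                # index -> H-H-H MAC; the switch keeps the high 24 bits
    "ports": {
        "gigabitethernet 0/0/1": {
            "mode": "autolearn", "max_mac": 50,
            "secure_macs": [("0001-0001-0002", 10)],
            "intrusion": "disableport-temporarily",   # uses the global disableport timer
            "ntk": "ntkonly",
            "current_mode": "secure",                 # not at the default, so undo the mode first
        },
        "gigabitethernet 0/0/2": {"mode": "userlogin-withoui", "intrusion": "blockmac"},
    },
}


def _require(cond: bool, msg: str) -> None:
    if not cond:
        raise ValueError(msg)


def build_config(profile: dict) -> List[str]:
    """Return the CLI lines in an order the switch accepts: global settings first,
    then per port: undo the old mode, max-mac-count before autoLearn, then the
    mode, then secure MACs (autoLearn only), then intrusion and NTK settings."""
    lines = ["system-view", "port-security enable"]
    timer = profile.get("disableport_timer")
    if timer is not None:
        _require(20 <= timer <= 300, "disableport timer must be 20-300 seconds")
        lines.append(f"port-security timer disableport {timer}")
    for trap in profile.get("traps", []):
        _require(trap in TRAPS, f"unknown trap {trap!r}")
        lines.append(f"port-security trap {trap}")
    for index, oui in profile.get("ouis", {}).items():
        _require(1 <= index <= 16, f"OUI index {index} must be 1-16")
        _require(bool(HHH_RE.match(oui)), f"OUI {oui!r} must be an H-H-H MAC address")
        lines.append(f"port-security oui {oui} index {index}")
    for name, port in profile.get("ports", {}).items():
        mode, max_mac = port["mode"], port.get("max_mac")
        secure = port.get("secure_macs", [])
        _require(mode in MODES, f"{name}: unknown port mode {mode!r}")
        _require(mode == "autolearn" or not secure,
                 f"{name}: secure MAC addresses can only be added in autoLearn mode")
        _require(mode != "autolearn" or max_mac is not None,
                 f"{name}: autoLearn mode needs port-security max-mac-count first")
        lines.append(f"interface {name}")
        if port.get("current_mode", "noRestrictions") != "noRestrictions":
            lines.append("undo port-security port-mode")    # the mode can only be changed from the default
        if max_mac is not None:
            _require(1 <= max_mac <= 1024, f"{name}: max-mac-count must be 1-1024")
            lines.append(f"port-security max-mac-count {max_mac}")
        lines.append(f"port-security port-mode {mode}")
        for mac, vlan in secure:
            _require(bool(HHH_RE.match(mac)), f"{name}: {mac!r} is not an H-H-H MAC address")
            _require(1 <= vlan <= 4094, f"{name}: VLAN {vlan} must be 1-4094")
            lines.append(f"port-security mac-address security {mac} vlan {vlan}")
        intrusion = port.get("intrusion")
        if intrusion is not None:
            _require(intrusion in INTRUSION_MODES, f"{name}: unknown intrusion mode {intrusion!r}")
            lines.append(f"port-security intrusion-mode {intrusion}")
        ntk = port.get("ntk")
        if ntk is not None:
            _require(ntk in NTK_MODES, f"{name}: unknown NTK mode {ntk!r}")
            lines.append(f"port-security ntk-mode {ntk}")
        lines.append("quit")
    return lines


if __name__ == "__main__":
    print("\n".join(build_config(EXAMPLE_PROFILE)))
```

Every dependency is checked before the first line is returned, so a profile that would be rejected half-way through by the switch produces no partial configuration to roll back.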
port-security timer disableport
Syntax
port-security timer disableport time-value
undo port-security timer disableport
View
System view
Parameters
time-value: Silence timeout during which the port remains disabled, in seconds. It ranges from 20 to 300.
Description
Use the port-security timer disableport command to set the silence timeout during which the port remains disabled.
Use the undo port-security timer disableport command to restore the default.
By default, the silence timeout is 20 seconds.
Related commands: display port-security.
Examples
# Set the silence timeout period to 30 seconds.
<Sysname> system-view
[Sysname] port-security timer disableport 30
port-security trap
Syntax
port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }
undo port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }
View
System view
Parameters
addresslearned: Address learning trap. When enabled, this trap allows the system to send a trap message when a port learns a new MAC address.
dot1xlogfailure: Trap for 802.1x authentication failure.
dot1xlogon: Trap for successful 802.1x authentication.
dot1xlogoff: Trap for 802.1x user logoff events.
intrusion: Trap for illegal frames.
ralmlogfailure: Trap for MAC authentication failure.
ralmlogoff: Trap for MAC authentication user logoff events.
ralmlogon: Trap for successful MAC authentication.
Description
Use the port-security trap command to enable port security traps.
Use the undo port-security trap command to disable port security traps.
By default, no port security trap is enabled.
Related commands: display port-security.
Examples
# Enable address learning trap.
<Sysname> system-view
[Sysname] port-security trap addresslearned