Security Command Reference

05-Port Security Commands

•          The models listed in this document are not applicable to all regions. Please consult your local sales office for the models applicable to your region.

•          Support of the H3C WA series WLAN access points for features may vary by device model. For more information, see Feature Matrix.

•          The interface types and numbers supported by the H3C WA series WLAN access points vary by device model. In the H3C WA series, some access points support GigabitEthernet interfaces while some support only Ethernet interfaces. Throughout this document, Ethernet interfaces are used for example.

 

Port Security Configuration Commands

display port-security

Syntax

display port-security [ interface interface-list ]

View

Any view

Default Level

2: System level

Parameters

interface-list: Ethernet port list, in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> means that you can specify up to 10 port or port ranges. The starting port and ending port of a port range must be of the same type and the ending port number must be greater than the starting port number.

Description

Use the display port-security command to display port security configuration information, operation information, and statistics about one or more ports.

If no interface list is specified, the command displays port security configuration information, operation information, and statistics about all ports.

Related commands: port-security enable, port-security port-mode, port-security ntk-mode, port-security intrusion-mode, port-security max-mac-count, port-security authorization ignore, port-security oui, and port-security trap.

Examples

# Display port security configuration information, operation information, and statistics about all ports.

<Sysname> display port-security

 Equipment port-security is enabled

 AddressLearn trap is enabled

 Intrusion trap is enabled

 Dot1x logon trap is enabled

 Dot1x logoff trap is enabled

 Dot1x logfailure trap is enabled

 RALM logon trap is enabled

 RALM logoff trap is enabled

 RALM logfailure trap is enabled

 Disableport Timeout: 20s

 OUI value:

   Index is 1,  OUI value is 000d1a

   Index is 2,  OUI value is 003c12

 

 Ethernet1/0/1 is link-down

    Port mode is UserloginWithOUI

    NeedtoKnow mode is NeedToKnowOnly

    Intrusion Portection is DisablePort

    Max MAC address number is 50

    Stored MAC address number is 0

    Authorization is ignored

 Ethernet1/0/2 is link-down

    Port mode is noRestriction

    NeedtoKnow mode is disabled

    Intrusion mode is NoAction

    Max MAC address number is not configured

    Stored MAC address number is 0

    Authorization is permitted

WLAN-BSS5 is link-down

   Port mode is macAddressWithRadius

   NeedToKnow mode is disabled

   Intrusion Protection mode is NoAction

   Max MAC address number is not configured

   Stored MAC address number is 0

   Authorization is permitted

Table 1-1 display port-security command output description

Equipment port-security: Whether port security is enabled or not.

AddressLearn trap: Whether address learning trap is enabled or not. If it is enabled, the port sends trap information after it learns a new MAC address.

Intrusion trap: Whether trapping for intrusion protection is enabled or not. If it is enabled, the port sends trap information after it detects illegal packets.

Dot1x logon trap: Whether trapping for 802.1X logon is enabled or not. If it is enabled, the port sends trap information after a user passes 802.1X authentication.

Dot1x logoff trap: Whether trapping for 802.1X logoff is enabled or not. If it is enabled, the port sends trap information after an 802.1X user logs off.

Dot1x logfailure trap: Whether trapping for 802.1X authentication failure is enabled or not. If it is enabled, the port sends trap information after a user fails the 802.1X authentication.

RALM logon trap: Whether trapping for MAC authentication success is enabled or not. If it is enabled, the port sends trap information when a user passes MAC address authentication.

RALM logoff trap: Whether trapping for MAC authenticated user logoff is enabled or not. If it is enabled, traps are sent when a MAC address authenticated user logs off.

RALM logfailure trap: Whether trapping for MAC authentication failure is enabled or not. If it is enabled, the port sends trap information when a user fails MAC address authentication.

Disableport Timeout: Silence timeout of the port that receives illegal packets, in seconds.

OUI value: List of OUI values allowed.

Index: OUI index.

Port mode: Port security mode, which can be:

•      macAddressWithRadius

•      macAddressElseUserLoginSecure

•      macAddressElseUserLoginSecureExt

•      secure

•      userLogin

•      userLoginSecure

•      userLoginSecureExt

•      macAddressOrUserLoginSecure

•      macAddressOrUserLoginSecureExt

•      userLoginWithOUI

•      presharedKey

•      macAddressAndPresharedKey

•      userLoginSecureExtOrPresharedKey

NeedtoKnow mode: Need to know (NTK) mode, which can be:

•      NeedToKnowOnly: Allows only unicasts with authenticated destination MAC addresses.

•      NeedToKnowWithBroadcast: Allows only unicasts and broadcasts with authenticated destination MAC addresses.

•      NeedToKnowWithMulticast: Allows unicasts, multicasts and broadcasts with authenticated destination MAC addresses.

Intrusion mode: Intrusion protection action mode, which can be:

•      BlockMacAddress: Adds the source MAC address of the illegal packet to the blocked MAC address list.

•      DisablePort: Shuts down the port that receives illegal packets permanently.

•      DisablePortTemporarily: Shuts down the port that receives illegal packets for some time.

•      NoAction: Performs no intrusion protection.

Max MAC address number: Maximum number of secure MAC addresses allowed on the port.

Stored MAC address number: Number of secure MAC addresses stored.

Authorization: Whether the authorization information from the server is ignored or not:

•      permitted: Authorization information from the RADIUS server takes effect.

•      ignored: Authorization information from the RADIUS server does not take effect.
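As an added example (not part of the H3C reference), the following Python script parses the display port-security output shown above into global settings and per-port records, then flags ports whose settings leave them without protection (noRestriction mode, NoAction intrusion protection, or RADIUS authorization ignored). The sample text is the command output from the example, embedded here as a constructed string; the audit rules, function names and record keys are this example's own assumptions, not a device feature.

```python
import re

# Constructed sample input: the display port-security output from the example above,
# abridged to the lines this parser handles.
SAMPLE_OUTPUT = """\
 Equipment port-security is enabled
 AddressLearn trap is enabled
 Intrusion trap is enabled
 Disableport Timeout: 20s
 OUI value:
   Index is 1,  OUI value is 000d1a
   Index is 2,  OUI value is 003c12

 Ethernet1/0/1 is link-down
    Port mode is UserloginWithOUI
    NeedtoKnow mode is NeedToKnowOnly
    Intrusion Portection is DisablePort
    Max MAC address number is 50
    Stored MAC address number is 0
    Authorization is ignored
 Ethernet1/0/2 is link-down
    Port mode is noRestriction
    NeedtoKnow mode is disabled
    Intrusion mode is NoAction
    Max MAC address number is not configured
    Stored MAC address number is 0
    Authorization is permitted
WLAN-BSS5 is link-down
   Port mode is macAddressWithRadius
   NeedToKnow mode is disabled
   Intrusion Protection mode is NoAction
   Max MAC address number is not configured
   Stored MAC address number is 0
   Authorization is permitted
"""

PORT_HEADER = re.compile(r"^(\S+) is (link-up|link-down)$")

# The device prints some labels in more than one spelling; map each to one key.
PORT_FIELDS = [
    ("Port mode is ", "port_mode"),
    ("NeedtoKnow mode is ", "ntk_mode"),
    ("NeedToKnow mode is ", "ntk_mode"),
    ("Intrusion Portection is ", "intrusion_mode"),
    ("Intrusion Protection mode is ", "intrusion_mode"),
    ("Intrusion mode is ", "intrusion_mode"),
    ("Max MAC address number is ", "max_mac"),
    ("Stored MAC address number is ", "stored_mac"),
    ("Authorization is ", "authorization"),
]


def parse_port_security(text):
    """Split display port-security output into (global settings, per-port dicts)."""
    settings = {"ouis": {}}
    ports = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = PORT_HEADER.match(line)
        if header:
            current = {"link": header.group(2)}
            ports[header.group(1)] = current
            continue
        if current is not None:
            # Inside a port block: copy the value after a known label.
            for prefix, key in PORT_FIELDS:
                if line.startswith(prefix):
                    current[key] = line[len(prefix):]
                    break
            continue
        m = re.match(r"Index is (\d+),\s+OUI value is ([0-9a-fA-F]{6})$", line)
        if m:
            settings["ouis"][int(m.group(1))] = m.group(2).lower()
            continue
        m = re.match(r"Disableport Timeout: (\d+)s$", line)
        if m:
            settings["disableport_timeout"] = int(m.group(1))
            continue
        m = re.match(r"(.+) is (enabled|disabled)$", line)
        if m:
            settings[m.group(1)] = m.group(2) == "enabled"
    return settings, ports


def audit(ports):
    """Flag per-port settings that leave the port unprotected (this example's own rules)."""
    findings = []
    for name, p in ports.items():
        if p.get("port_mode") == "noRestriction":
            findings.append((name, "port security mode is noRestriction"))
        if p.get("intrusion_mode") == "NoAction":
            findings.append((name, "intrusion protection is NoAction"))
        if p.get("authorization") == "ignored":
            findings.append((name, "RADIUS authorization information is ignored"))
    return findings


if __name__ == "__main__":
    _settings, _ports = parse_port_security(SAMPLE_OUTPUT)
    for port, reason in audit(_ports):
        print(f"{port}: {reason}")
```

Run against captured output from several APs, the audit list gives a quick inventory of ports where port security is configured but takes no action on intrusion, or where server-assigned authorization (such as VLAN assignment) is being discarded.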

 

display port-security mac-address block

Syntax

display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]

View

Any view

Default Level

2: System level

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies a VLAN by its ID, which ranges from 1 to 4094.

count: Displays only the count of the blocked MAC addresses.

Description

Use the display port-security mac-address block command to display information about blocked MAC addresses.

With no keyword or argument specified, the command displays information about all blocked MAC addresses.

Related commands: port-security intrusion-mode.

Examples

# Display information about all blocked MAC addresses.

<Sysname> display port-security mac-address block

MAC ADDR             From Port                  VLAN ID

0002-0002-0002      Ethernet1/0/1                1

000d-88f8-0577      Ethernet1/0/1                1

  ---  2 mac address(es) found  ---

# Display the count of all blocked MAC addresses.

<Sysname> display port-security mac-address block count

 2 mac address(es) found

# Display information about all blocked MAC addresses in VLAN 1.

<Sysname> display port-security mac-address block vlan 1

MAC ADDR             From Port                    VLAN ID

0002-0002-0002      Ethernet1/0/1                1

000d-88f8-0577      Ethernet1/0/1                1

  ---  2 mac address(es) found  ---

# Display information about all blocked MAC addresses of port Ethernet 1/0/1.

<Sysname> display port-security mac-address block interface ethernet1/0/1

MAC ADDR             From Port                    VLAN ID

000d-88f8-0577      Ethernet1/0/1                1

  ---  1 mac address(es) found  ---

# Display information about all blocked MAC addresses of port Ethernet 1/0/1 in VLAN 1.

<Sysname> display port-security mac-address block interface ethernet 1/0/1 vlan 1

MAC ADDR             From Port                    VLAN ID

000d-88f8-0577      Ethernet1/0/1                1

  ---  1 mac address(es) found  ---

Table 1-2 display port-security mac-address block command output description

MAC ADDR: Blocked MAC address.

From Port: Port having received frames with the blocked MAC address.

VLAN ID: ID of the VLAN to which the port belongs.

2 mac address(es) found: Number of blocked MAC addresses.

 

display port-security mac-address security

Syntax

display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]

View

Any view

Default Level

2: System level

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies a VLAN by its ID, which ranges from 1 to 4094.

count: Displays only the count of the secure MAC addresses.

Description

Use the display port-security mac-address security command to display information about secure MAC addresses. Secure MAC addresses are those that are automatically learned by the port in autoLearn mode.

With no keyword or argument specified, the command displays information about all secure MAC addresses.

Examples

# Display information about all secure MAC addresses.

<Sysname> display port-security mac-address security

MAC ADDR        VLAN ID   STATE          PORT INDEX          AGING TIME(s)

 0002-0002-0002  1        Security       Ethernet1/0/1       NOAGED

 000d-88f8-0577  1        Security       Ethernet1/0/1       NOAGED

  ---  2 mac address(es) found  ---

# Display only the count of the secure MAC addresses.

<Sysname> display port-security mac-address security count

2 mac address(es) found

# Display information about secure MAC addresses in the specified VLAN.

<Sysname> display port-security mac-address security vlan 1

MAC ADDR        VLAN ID   STATE          PORT INDEX          AGING TIME(s)

0002-0002-0002  1         Security       Ethernet1/0/1       NOAGED

000d-88f8-0577  1         Security       Ethernet1/0/1       NOAGED

 

  ---  2 mac address(es) found  ---

# Display information about secure MAC addresses on the specified port.

<Sysname> display port-security mac-address security interface ethernet1/0/1

MAC ADDR        VLAN ID   STATE            PORT INDEX          AGING TIME(s)

000d-88f8-0577  1         Security         Ethernet1/0/1       NOAGED

 

  ---  1 mac address(es) found  ---

# Display information about secure MAC addresses that are on the specified port and in the specified VLAN.

<Sysname> display port-security mac-address security interface ethernet 1/0/1 vlan 1

MAC ADDR        VLAN ID   STATE          PORT INDEX          AGING TIME(s)

000d-88f8-0577  1         Security       Ethernet1/0/1       NOAGED

 

  ---  1 mac address(es) found  ---

Table 1-3 display port-security mac-address security command output description

MAC ADDR: Secure MAC address.

VLAN ID: VLAN to which the port belongs.

STATE: Type of the MAC address added. "Security" means it is a secure MAC address.

PORT INDEX: Port to which the secure MAC address belongs.

AGING TIME(s): Period of time before the secure MAC address ages out. "NOAGED" means the secure MAC address does not age out.

1 mac address(es) found: Number of secure MAC addresses stored.

 

display port-security preshared-key user

Syntax

display port-security preshared-key user [ interface interface-type interface-number ]

View

Any view

Default Level

2: System level

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

Description

Use the display port-security preshared-key user command to display information about pre-shared key (PSK) users on the specified port or on all ports.

If no interface is specified, the command displays information about all PSK users on all ports.

 

The display port-security preshared-key user command applies to only WLAN-BSS ports.

 

Examples

# Display information about all PSK users on all ports.

<Sysname> display port-security preshared-key user

  Index     Mac-Address    VlanID     Interface

-----------------------------------------------------

      0  0000-1122-3344        1       WLAN-BSS 1

      1  0000-1133-2244        2       WLAN-BSS 2

# Display information about PSK users on WLAN port WLAN-BSS1.

<Sysname> display port-security preshared-key user interface WLAN-BSS 1

  Index     Mac-Address    VlanID     Interface

-----------------------------------------------------

      0  0000-1122-3344        1       WLAN-BSS 1

Table 1-4 display port-security preshared-key user command output description

Index: Index of the user.

Mac-Address: MAC address of the user.

VlanID: VLAN ID of the user.

Interface: Port that the user accesses.

 

port-security authorization ignore

Syntax

port-security authorization ignore

undo port-security authorization ignore

View

Layer 2 Ethernet interface view, WLAN-BSS interface view

Default Level

2: System level

Parameters

None

Description

Use the port-security authorization ignore command to configure a port to ignore the authorization information from the RADIUS server.

Use the undo port-security authorization ignore command to restore the default.

After a user passes RADIUS authentication, the RADIUS server performs authorization based on the authorization attributes configured for the user’s account. For example, it may assign a VLAN.

Related commands: display port-security.

Examples

# Configure port Ethernet 1/0/1 to ignore the authorization information from the RADIUS server.

<Sysname> system-view

[Sysname] interface ethernet 1/0/1

[Sysname-Ethernet1/0/1] port-security authorization ignore

port-security enable

Syntax

port-security enable

undo port-security enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the port-security enable command to enable port security.

Use the undo port-security enable command to disable port security.

By default, port security is enabled.

Note that:

1)        You cannot enable port security when 802.1X or MAC authentication is globally enabled.

2)        Enabling port security resets the following configurations on a port to the defaults shown in parentheses, so that they are controlled entirely by the port security mode:

•          802.1X (disabled), port access control method (macbased), and port authorization mode (auto)

•          MAC authentication (disabled)

3)        Disabling port security resets the following configurations on a port to the defaults shown in parentheses:

•          Port security mode (noRestrictions)

•          802.1X (disabled), port access control method (macbased), and port authorization mode (auto)

•          MAC authentication (disabled)

4)        Port security cannot be disabled if there is any user present on a port.

Related commands: display port-security (Port Security in the Security Command Reference); dot1x, dot1x port-method, and dot1x port-control (802.1X in the Security Command Reference); mac-authentication (MAC Authentication in the Security Command Reference).

Examples

# Enable port security.

<Sysname> system-view

[Sysname] port-security enable

port-security intrusion-mode

Syntax

port-security intrusion-mode { blockmac | disableport | disableport-temporarily }

undo port-security intrusion-mode

View

Layer 2 Ethernet interface view, WLAN-BSS interface view

Default Level

2: System level

Parameters

blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses, which filters illegal traffic on the port. A blocked MAC address is restored to normal after three minutes; this block duration is fixed and cannot be changed. You can use the display port-security mac-address block command to view the blocked MAC address list.

disableport: Disables the port permanently upon detecting an illegal frame received on the port. The disableport keyword is not supported on the WLAN-BSS port.

disableport-temporarily: Disables the port for a specified period of time whenever it receives an illegal frame. Use the port-security timer disableport command to set the period.

Description

Use the port-security intrusion-mode command to configure the intrusion protection feature so that the port takes the pre-defined actions when intrusion protection is triggered on the port.

Use the undo port-security intrusion-mode command to restore the default.

By default, intrusion protection is disabled.

You can use the undo shutdown command to restore the connection of the port.

Related commands: display port-security, display port-security mac-address block, and port-security timer disableport.

Examples

# Configure port Ethernet 1/0/1 to block the source MAC addresses of illegal frames after intrusion protection is triggered.

<Sysname> system-view

[Sysname] interface ethernet 1/0/1

[Sysname-Ethernet1/0/1] port-security intrusion-mode blockmac
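The three intrusion actions and their timing described above (blockmac with its fixed three-minute block, disableport with the port staying down until undo shutdown, and disableport-temporarily with the silence timeout set by port-security timer disableport) can be modelled as a small state machine. The Python below is an added illustration written for this page, not H3C code: the class, its method names, the string it returns for each action and the simulated clock (a plain number of seconds passed in as now) are this example's assumptions. It also enforces the two constraints the reference states, that disableport is not accepted on a WLAN-BSS port and that the timer must lie between 20 and 300 seconds.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, Optional

BLOCK_SECONDS = 180             # blockmac keeps a MAC blocked for a fixed three minutes
TIMER_MIN, TIMER_MAX = 20, 300  # port-security timer disableport range, in seconds
TIMER_DEFAULT = 20              # default silence timeout

ACTIONS = (None, "blockmac", "disableport", "disableport-temporarily")


@dataclass
class PortSecurityPort:
    name: str
    is_wlan_bss: bool = False
    intrusion_mode: Optional[str] = None              # None: intrusion protection disabled
    disableport_timer: int = TIMER_DEFAULT
    blocked: Dict[str, float] = field(default_factory=dict)  # MAC -> time the block expires
    disabled_until: Optional[float] = None            # None: port up; math.inf: down until undo shutdown

    def set_intrusion_mode(self, mode: Optional[str]) -> None:
        if mode not in ACTIONS:
            raise ValueError(f"unknown intrusion mode: {mode}")
        if mode == "disableport" and self.is_wlan_bss:
            raise ValueError("disableport is not supported on WLAN-BSS ports")
        self.intrusion_mode = mode

    def set_disableport_timer(self, seconds: int) -> None:
        if not TIMER_MIN <= seconds <= TIMER_MAX:
            raise ValueError(f"timer must be {TIMER_MIN}..{TIMER_MAX} seconds")
        self.disableport_timer = seconds

    def on_illegal_frame(self, src_mac: str, now: float) -> str:
        """Apply the configured intrusion action; returns a label for what was done."""
        if self.intrusion_mode is None:
            return "no-action"
        if self.intrusion_mode == "blockmac":
            self.blocked[src_mac] = now + BLOCK_SECONDS
            return "mac-blocked"
        if self.intrusion_mode == "disableport":
            self.disabled_until = math.inf
            return "port-disabled"
        self.disabled_until = now + self.disableport_timer
        return "port-disabled-temporarily"

    def accepts(self, src_mac: str, now: float) -> bool:
        """Would a frame from src_mac be forwarded by this port at time now?"""
        # Drop block-list entries whose three minutes have elapsed.
        self.blocked = {m: t for m, t in self.blocked.items() if now < t}
        if self.disabled_until is not None:
            if now < self.disabled_until:
                return False
            self.disabled_until = None  # temporary silence timeout has elapsed
        return src_mac not in self.blocked

    def undo_shutdown(self) -> None:
        """Operator restores a permanently disabled port (undo shutdown)."""
        self.disabled_until = None

    def blocked_macs(self, now: float):
        """What display port-security mac-address block would list at time now."""
        return sorted(m for m, t in self.blocked.items() if now < t)


if __name__ == "__main__":
    port = PortSecurityPort("Ethernet1/0/1")
    port.set_intrusion_mode("blockmac")
    print(port.on_illegal_frame("000d-88f8-0577", now=0))
    print(port.blocked_macs(now=60), port.accepts("000d-88f8-0577", now=181))
```

The design point worth noticing is that blockmac keeps the port up and penalises only the offending source address for a fixed interval, while the two disableport variants take the whole port, and every legitimate station behind it, offline; disableport-temporarily bounds that outage by the timer, disableport does not.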

port-security ntk-mode

Syntax

port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }

undo port-security ntk-mode

View

Ethernet interface view, WLAN-BSS interface view

Default Level

2: System level

Parameters

ntk-withbroadcasts: Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses.

ntk-withmulticasts: Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses.

ntkonly: Forwards only unicast frames with authenticated destination MAC addresses.

Description

Use the port-security ntk-mode command to configure the NTK feature. The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow frames to be sent to only devices passing authentication, thus preventing illegal devices from intercepting network traffic.

Use the undo port-security ntk-mode command to restore the default.

By default, NTK is disabled on a port and all frames are allowed to be sent.

On a wireless port with users online, you cannot change the configuration of the NTK feature.

Related commands: display port-security.

Examples

# Set the NTK mode of port Ethernet 1/0/1 to ntkonly, allowing the port to forward received packets to only devices passing authentication.

<Sysname> system-view

[Sysname] interface ethernet 1/0/1

[Sysname-Ethernet1/0/1] port-security ntk-mode ntkonly
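To make the three NTK modes concrete, the following Python function classifies each outbound frame by its destination MAC address (unicast, multicast, or broadcast) and decides whether the mode described above would let it leave the port. This is an added example, not H3C code: the function names, the representation of "NTK disabled" as None, and the sample frame list and authenticated-station set are this example's constructions. It accepts MAC addresses in the H-H-H form the device prints as well as colon-separated form.

```python
from typing import Iterable, List, Optional

NTK_MODES = (None, "ntkonly", "ntk-withbroadcasts", "ntk-withmulticasts")


def mac_bytes(mac: str) -> bytes:
    """Accept H-H-H (0002-0002-0002), colon- or dot-separated MAC strings."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes.fromhex(digits)


def is_broadcast(mac: str) -> bool:
    return mac_bytes(mac) == b"\xff" * 6


def is_multicast(mac: str) -> bool:
    # The I/G bit (least significant bit of the first octet) marks group addresses;
    # broadcast is handled separately because the modes treat it differently.
    return bool(mac_bytes(mac)[0] & 1) and not is_broadcast(mac)


def ntk_allows(mode: Optional[str], dst_mac: str, authenticated_macs: Iterable[str]) -> bool:
    """Would the NTK feature in this mode forward a frame to dst_mac?"""
    if mode not in NTK_MODES:
        raise ValueError(f"unknown NTK mode: {mode}")
    if mode is None:                      # NTK disabled: every outbound frame is sent
        return True
    if is_broadcast(dst_mac):
        return mode in ("ntk-withbroadcasts", "ntk-withmulticasts")
    if is_multicast(dst_mac):
        return mode == "ntk-withmulticasts"
    # Unicast: only stations that passed authentication may receive traffic.
    allowed = {mac_bytes(m) for m in authenticated_macs}
    return mac_bytes(dst_mac) in allowed


def filter_outbound(mode: Optional[str], frames: Iterable[str],
                    authenticated_macs: Iterable[str]) -> List[str]:
    """Return the destination MACs of the frames that would leave the port."""
    auth = set(authenticated_macs)
    return [dst for dst in frames if ntk_allows(mode, dst, auth)]


if __name__ == "__main__":
    # Constructed sample: one authenticated station and four outbound frames.
    authenticated = {"0002-0002-0002"}
    outbound = ["0002-0002-0002", "000d-88f8-0577", "ffff-ffff-ffff", "0100-5e00-0001"]
    for mode in NTK_MODES:
        print(mode, filter_outbound(mode, outbound, authenticated))
```

The unauthenticated unicast destination (000d-88f8-0577 in the sample) is dropped in all three modes; the modes differ only in whether broadcast and multicast frames, which an unauthenticated station on the same segment could also read, are still sent.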

port-security oui

Syntax

port-security oui oui-value index index-value

undo port-security oui index index-value

View

System view

Default Level

2: System level

Parameters

oui-value: Organizationally unique identifier (OUI) string, a 48-bit MAC address in the H-H-H format. The system automatically uses only the 24 high-order bits as the OUI value.

index-value: OUI index, in the range 1 to 16.

Description

Use the port-security oui command to configure an OUI value for user authentication. This value is used when the port security mode is UserLoginWithOUI.

Use the undo port-security oui command to delete an OUI value with the specified OUI index.

By default, no OUI value is configured.

An OUI (organizationally unique identifier), the first 24 bits of a MAC address, is assigned by the IEEE to uniquely identify a device vendor. Use this command when you need to configure an AP to allow packets from certain wired devices to pass authentication or to allow packets from certain wireless devices to initiate authentication. For example, when a company allows only IP phones of vendor A in the intranet, use this command to set the OUI of vendor A.

Note that an OUI value configured by using the port-security oui command takes effect only when the security mode is userLoginWithOUI.

Related commands: display port-security.

Examples

# Configure an OUI value of 000d2a, setting the index to 4.

<Sysname> system-view

[Sysname] port-security oui 000d-2a10-0033 index 4

port-security port-mode

Syntax

port-security port-mode { mac-and-psk | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | psk | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-ext-or-psk | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }

undo port-security port-mode

View

Interface view

Default Level

2: System level

Parameters

See the following for details about the keywords of port security modes. Each entry gives the keyword, the security mode it selects (as shown by display port-security) in parentheses, and a description.

mac-and-psk (macAddressAndPresharedKey): In this mode, a user must pass MAC authentication and then use the PSK to negotiate with the device. Only when the negotiation succeeds can the user access the device.

mac-authentication (macAddressWithRadius): In this mode, a port performs MAC authentication and services multiple users.

mac-else-userlogin-secure (macAddressElseUserLoginSecure): This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority.

•      Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication.

•      Upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.

mac-else-userlogin-secure-ext (macAddressElseUserLoginSecureExt): Similar to the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.

psk (presharedKey): In this mode, a user must use a pre-configured static key, namely the PSK, to negotiate with the device and can access the port only after the negotiation succeeds.

secure (secure): In this mode, MAC address learning is disabled on the port and you can configure MAC addresses by using the mac-address static and mac-address dynamic commands.

The port permits only frames sourced from secure MAC addresses and MAC addresses you manually configured by using the mac-address static and mac-address dynamic commands.

userlogin (userLogin): In this mode, a port performs 802.1X authentication and implements port-based access control.

If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication.

userlogin-secure (userLoginSecure): In this mode, a port performs 802.1X authentication and implements port-based access control. It services only one user passing 802.1X authentication.

userlogin-secure-ext (userLoginSecureExt): In this mode, a port performs 802.1X authentication and implements MAC-based access control. It supports multiple online 802.1X users.

userlogin-secure-ext-or-psk (userLoginSecureExtOrPresharedKey): In this mode, a user interacts with the device, choosing to undergo userLoginSecure mode authentication or PSK negotiation.

userlogin-secure-or-mac (macAddressOrUserLoginSecure): This mode is the combination of the userLoginSecure and macAddressWithRadius modes.

•      For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames.

•      For wireless users, the port performs 802.1X authentication first. If 802.1X authentication fails, MAC authentication is performed.

userlogin-secure-or-mac-ext (macAddressOrUserLoginSecureExt): Similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.

userlogin-withoui (userLoginWithOUI): Similar to the userLoginSecure mode. The difference is that a port in this mode also permits frames from one user whose MAC address contains a specified OUI (organizationally unique identifier).

•      For wired users, the port performs 802.1X authentication upon receiving 802.1X frames, and performs OUI check upon receiving non-802.1X frames.

•      For wireless users, the port performs OUI check at first. If the OUI check fails, the port performs 802.1X authentication.

 

Description

Use the port-security port-mode command to set the port security mode of a port.

Use the undo port-security port-mode command to restore the default.

By default, a port operates in noRestrictions mode, where port security does not take effect.

Note that:

•          The presharedKey, macAddressAndPresharedKey, and userLoginSecureExtOrPresharedKey modes apply to only WLAN-ESS and WLAN-Ethernet ports.

•          The secure, userLogin, and userLoginWithOUI modes apply to only Layer 2 Ethernet ports.

Table 1-5 Port security modes supported by different types of ports

Layer 2 Ethernet port: mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext, secure, userlogin, userlogin-secure, userlogin-secure-ext, userlogin-secure-or-mac, userlogin-secure-or-mac-ext, userlogin-withoui

WLAN-BSS port: mac-and-psk, mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext, psk, userlogin-secure, userlogin-secure-ext, userlogin-secure-ext-or-psk, userlogin-secure-or-mac, userlogin-secure-or-mac-ext

•          Configuration of port security mode on a port is mutually exclusive with the configuration of 802.1X authentication, port access control method, port access control mode, and MAC authentication on the port.

•          With port security enabled, you can change the port security mode of a port only when the port is operating in noRestrictions mode, the default mode. You can use the undo port-security port-mode command to restore the default port security mode.

•          You cannot change the port security mode of a port with users online.

Related commands: display port-security.

Examples

# Enable port security and configure the port security mode of port Ethernet 1/0/1 as secure.

<Sysname> system-view

[Sysname] port-security enable

[Sysname] interface ethernet 1/0/1

[Sysname-Ethernet1/0/1] port-security port-mode secure

# Change the port security mode of port Ethernet 1/0/1 to userLogin.

[Sysname-Ethernet1/0/1] undo port-security port-mode

[Sysname-Ethernet1/0/1] port-security port-mode userlogin

# Configure the port security mode of WLAN port WLAN-BSS1 as userLogin-secure.

<Sysname> system-view

[Sysname] interface wlan-bss 1

[Sysname-WLAN-BSS1] port-security port-mode userLogin-secure
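The combined modes above differ mainly in which check runs first and what happens when it fails, and the port-security oui section earlier explains that only the high-order 24 bits of the configured H-H-H address are kept for the OUI check of userLoginWithOUI. The Python below is an added example serving both passages; it is not H3C code. It models the order of checks for the mac-else-userlogin-secure, userlogin-secure-or-mac and userlogin-withoui families (and their -ext variants, which share the same order and differ only in how many users they admit), implements the OUI derivation and index range from the port-security oui command, and carries the Table 1-5 port-type restriction. The function names, the (attempts, verdict) return shape, the callable stand-ins for the RADIUS and 802.1X results, and the sample addresses are this example's assumptions; the pure 802.1X modes are modelled as attempting nothing for a non-802.1X frame.

```python
import re
from typing import Callable, Dict, Iterable, List, Tuple

# Modes each port type supports (Table 1-5 on this page).
SUPPORTED_MODES = {
    "ethernet": {
        "mac-authentication", "mac-else-userlogin-secure", "mac-else-userlogin-secure-ext",
        "secure", "userlogin", "userlogin-secure", "userlogin-secure-ext",
        "userlogin-secure-or-mac", "userlogin-secure-or-mac-ext", "userlogin-withoui",
    },
    "wlan-bss": {
        "mac-and-psk", "mac-authentication", "mac-else-userlogin-secure",
        "mac-else-userlogin-secure-ext", "psk", "userlogin-secure", "userlogin-secure-ext",
        "userlogin-secure-ext-or-psk", "userlogin-secure-or-mac", "userlogin-secure-or-mac-ext",
    },
}


def mode_supported(port_type: str, mode: str) -> bool:
    return mode in SUPPORTED_MODES[port_type]


def oui_of(mac_hhh: str) -> str:
    """High-order 24 bits of a MAC written in H-H-H format, as port-security oui keeps them."""
    if not re.fullmatch(r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}", mac_hhh):
        raise ValueError(f"not an H-H-H MAC address: {mac_hhh}")
    return mac_hhh.replace("-", "").lower()[:6]


def oui_table(entries: Iterable[Tuple[int, str]]) -> Dict[int, str]:
    """Build the OUI list from (index, mac) pairs; the page gives index-value as 1..16."""
    table: Dict[int, str] = {}
    for index, mac in entries:
        if not 1 <= index <= 16:
            raise ValueError(f"OUI index {index} outside 1..16")
        table[index] = oui_of(mac)
    return table


def oui_check(src_mac: str, table: Dict[int, str]) -> bool:
    """The OUI check of userLoginWithOUI: does the source MAC carry a configured OUI?"""
    return oui_of(src_mac) in table.values()


Check = Callable[[], bool]


def authenticate(mode: str, frame_is_dot1x: bool, is_wireless: bool,
                 mac_auth: Check, dot1x_auth: Check, oui_ok: Check) -> Tuple[List[Tuple[str, bool]], bool]:
    """Run the checks the mode prescribes, in order; returns (attempts, verdict)."""
    attempts: List[Tuple[str, bool]] = []

    def run(check: str, fn: Check) -> bool:
        ok = bool(fn())
        attempts.append((check, ok))
        return ok

    if mode == "mac-authentication":
        verdict = run("mac", mac_auth)
    elif mode in ("userlogin-secure", "userlogin-secure-ext"):
        verdict = frame_is_dot1x and run("802.1X", dot1x_auth)
    elif mode in ("mac-else-userlogin-secure", "mac-else-userlogin-secure-ext"):
        # MAC authentication first; 802.1X only for an 802.1X frame and only if MAC fails.
        verdict = run("mac", mac_auth)
        if not verdict and frame_is_dot1x:
            verdict = run("802.1X", dot1x_auth)
    elif mode in ("userlogin-secure-or-mac", "userlogin-secure-or-mac-ext"):
        if is_wireless:   # 802.1X first, MAC authentication as the fallback
            verdict = run("802.1X", dot1x_auth) or run("mac", mac_auth)
        else:             # wired: the frame type selects the single check performed
            verdict = run("802.1X", dot1x_auth) if frame_is_dot1x else run("mac", mac_auth)
    elif mode == "userlogin-withoui":
        if is_wireless:   # OUI check first, 802.1X as the fallback
            verdict = run("oui", oui_ok) or run("802.1X", dot1x_auth)
        else:
            verdict = run("802.1X", dot1x_auth) if frame_is_dot1x else run("oui", oui_ok)
    else:
        raise ValueError(f"mode not modelled by this example: {mode}")
    return attempts, bool(verdict)


if __name__ == "__main__":
    # Constructed sample: the OUI from the port-security oui example, index 4.
    table = oui_table([(4, "000d-2a10-0033")])
    print(table)
    print(authenticate("userlogin-withoui", False, True,
                       lambda: False, lambda: True, lambda: oui_check("000d-2a55-aaaa", table)))
```

Seen this way, a wireless client with a permitted OUI on a userLoginWithOUI port is admitted without ever reaching 802.1X, which is why the OUI list should hold only vendors whose devices genuinely cannot run a supplicant.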

port-security preshared-key

Syntax

port-security preshared-key { pass-phrase | raw-key } [ cipher | simple ] key

undo port-security preshared-key

View

WLAN-BSS interface view

Default Level

2: System level

Parameters

pass-phrase: Enters a PSK in the form of a character string.

raw-key: Enters a PSK in the form of a hexadecimal number.

cipher: Displays the PSK in cipher text.

simple: Displays the PSK in plain text.

key: PSK, a string of 8 to 63 displayable characters or a hexadecimal number of the length of 64.

Description

Use the port-security preshared-key command to configure a PSK.

Use the undo port-security preshared-key command to remove the PSK.

By default, no PSK is configured.

Examples

# Configure a PSK of abcdefgh on port WLAN-BSS1.

<Sysname> system-view

[Sysname] interface wlan-bss 1

[Sysname-WLAN-BSS1] port-security preshared-key pass-phrase abcdefgh

# Configure a PSK of 123456789abcdefg123456789abcdefg123456789abcdefg123456789abcdefg on port WLAN-BSS1.

[Sysname-WLAN-BSS1] port-security preshared-key raw-key 123456789abcdefg123456789abcdefg123456789abcdefg123456789abcdefg

port-security timer disableport

Syntax

port-security timer disableport time-value

undo port-security timer disableport

View

System view

Default Level

2: System level

Parameters

time-value: Silence timeout during which the port remains disabled, in seconds. It ranges from 20 to 300.

Description

Use the port-security timer disableport command to set the silence timeout during which the port remains disabled.

Use the undo port-security timer disableport command to restore the default.

By default, the silence timeout is 20 seconds.

If you configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame, you can use this command to set the silence timeout.

Related commands: display port-security.

Examples

# Configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame and set the silence timeout to 30 seconds.

<Sysname> system-view

[Sysname] port-security timer disableport 30

[Sysname] interface ethernet 1/0/1

[Sysname-Ethernet1/0/1] port-security intrusion-mode disableport-temporarily

port-security trap

Syntax

port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }

undo port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }

View

System view

Default Level

2: System level

Parameters

addresslearned: Trapping for learning of new MAC addresses. When enabled, this function allows the AP to send trap information when a port learns a new MAC address.

dot1xlogfailure: Trapping for 802.1X authentication failure.

dot1xlogon: Trapping for successful 802.1X authentication.

dot1xlogoff: Trapping for 802.1X user logoff events.

intrusion: Trapping for detection of illegal frames.

ralmlogfailure: Trapping for MAC authentication failure.

ralmlogoff: Trapping for MAC authentication user logoff events.

ralmlogon: Trapping for successful MAC authentication.

 

RALM (RADIUS Authenticated Login using MAC-address) means RADIUS authentication based on MAC address.

 

Description

Use the port-security trap command to enable trapping for port security.

Use the undo port-security trap command to disable trapping for port security.

By default, trapping for port security is disabled.

With the trapping feature, an AP can send traps upon detecting events such as intrusions or abnormal login and logoff operations, allowing you to monitor user behavior.

Related commands: display port-security.

Examples

# Enable address learning trap.

<Sysname> system-view

[Sysname] port-security trap addresslearned

port-security tx-key-type 11key

Syntax

port-security tx-key-type 11key

undo port-security tx-key-type

View

WLAN-BSS interface view

Default Level

2: System level

Parameters

None

Description

Use the port-security tx-key-type command to enable key negotiation of the 11key type.

Use the undo port-security tx-key-type command to disable key negotiation of the 11key type.

By default, key negotiation of the 11key type is disabled.

Examples

# Enable key negotiation of the 11key type on port WLAN-BSS1.

<Sysname> system-view

[Sysname] interface wlan-bss 1

[Sysname-WLAN-BSS1] port-security tx-key-type 11key

 

