07-Security Command Reference

05-Port Security Commands

Port security configuration commands

display port-security

Use display port-security to display port security configuration information, operation information, and statistics for one or more ports.

Syntax

display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

2: System level

Parameters

interface interface-list: Specifies ports by a port list in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> means that you can specify up to 10 ports or port ranges. The starting port and ending port of a port range must be of the same type, and the ending port number must be greater than the starting port number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If the interface interface-list parameter is not provided, the command displays port security configuration information, operation information, and statistics for all ports.

Examples

# Display port security configuration information, operation information, and statistics for all ports.

<Sysname> display port-security

 Equipment port-security is enabled

 Trap is disabled

 Disableport Timeout: 20s

 OUI value:

   Index is 1,  OUI value is 123401

   Index is 2,  OUI value is 123402

   Index is 3,  OUI value is 123403

   Index is 4,  OUI value is 123404

   Index is 5,  OUI value is 123405

 

 Ten-GigabitEthernet1/0/2 is link-up

 WLAN-ESS1 is link-down

   Port mode is userLoginWithOUI

   NeedToKnow mode is disabled

   Intrusion Protection mode is NoAction

   Max MAC address number is not configured

   Stored MAC address number is 0

   Authorization is permitted

   Synchronization is disabled

Table 1 Command output

Field

Description

Equipment port-security

Whether the port security is enabled or not.

Trap

Whether the trap function is enabled or not.

Disableport Timeout

Silence timeout period of the port that receives illegal packets, in seconds.

OUI value

List of OUI values allowed.

Port mode

Port security mode:

·     noRestrictions.

·     macAddressWithRadius.

·     macAddressElseUserLoginSecure.

·     macAddressElseUserLoginSecureExt.

·     secure.

·     userLogin.

·     userLoginSecure.

·     userLoginSecureExt.

·     macAddressOrUserLoginSecure.

·     macAddressOrUserLoginSecureExt.

·     userLoginWithOUI.

·     presharedKey.

·     macAddressAndPresharedKey.

·     userLoginSecureExtOrPresharedKey.

NeedToKnow mode

Need to know (NTK) mode:

·     NeedToKnowOnly: Allows only unicast packets with authenticated destination MAC addresses.

·     NeedToKnowWithBroadcast: Allows only unicast packets and broadcasts with authenticated destination MAC addresses.

·     NeedToKnowWithMulticast: Allows unicast packets, multicasts and broadcasts with authenticated destination MAC addresses.

Intrusion Protection mode

Intrusion protection action:

·     BlockMacAddress: Adds the source MAC address of the illegal packet to the blocked MAC address list.

·     DisablePort: Shuts down the port that receives illegal packets permanently.

·     DisablePortTemporarily: Shuts down the port that receives illegal packets for some time.

·     NoAction: Performs no intrusion protection.

Max MAC address number

Maximum number of MAC addresses that port security allows on the port.

Stored MAC address number

Number of MAC addresses stored.

Authorization

Whether the authorization information from the server is ignored or not:

·     permitted: Authorization information from the RADIUS server takes effect.

·     ignored: Authorization information from the RADIUS server does not take effect.

Synchronization

Stateful failover status for port security. Port security supports only 802.1X stateful failover.

Support for this field depends on the device model. For more information, see About the H3C Access Controllers Command References.

 

Related commands

·     port-security enable

·     port-security port-mode

·     port-security ntk-mode

·     port-security intrusion-mode

·     port-security max-mac-count

·     port-security authorization ignore

·     port-security oui

·     port-security trap

display port-security mac-address block

Use display port-security mac-address block to display information about blocked MAC addresses.

Syntax

display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

2: System level

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094.

count: Displays only the count of the blocked MAC addresses.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

With no keyword or argument specified, the command displays information about all blocked MAC addresses.

Examples

# Display information about all blocked MAC addresses.

<Sysname> display port-security mac-address block

MAC ADDR             From Port                  VLAN ID

000f-e280-d70c      GigabitEthernet1/0/1       1

001b-11b8-12f4      GigabitEthernet1/0/1       1

000f-e289-4071      GigabitEthernet1/0/1       1

000f-e25b-48c4      GigabitEthernet1/0/1       1

00e0-fc12-3456      GigabitEthernet1/0/1       1

000f-e207-f2e0      GigabitEthernet1/0/1       1

  ---  6 mac address(es) found  ---

Table 2 Command output

Field                     Description
MAC ADDR                  Blocked MAC address.
From Port                 Port that received frames sourced from the blocked MAC address.
VLAN ID                   ID of the VLAN to which the port belongs.
x mac address(es) found   Number of blocked MAC addresses.
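The blocked-MAC table is the first place to look when intrusion protection in blockmac mode is firing. The following parser turns captured output of display port-security mac-address block into records, cross-checks the device's own trailer count against the rows parsed, and flags ports that have accumulated many blocked addresses. This is an added example, not H3C code; SAMPLE_OUTPUT is constructed to match the layout shown above, and the MAC addresses in it are made up.

```python
"""Parse 'display port-security mac-address block' output and summarise it
per port and VLAN. Added example, not H3C code; SAMPLE_OUTPUT is constructed
to match the format shown in the reference."""
import re
from collections import Counter

# Constructed sample output in the layout the manual shows (MACs are made up).
SAMPLE_OUTPUT = """\
MAC ADDR             From Port                  VLAN ID
000f-e280-d70c      GigabitEthernet1/0/1       1
001b-11b8-12f4      GigabitEthernet1/0/1       1
000f-e289-4071      GigabitEthernet1/0/2       10
00e0-fc12-3456      GigabitEthernet1/0/1       1
  ---  4 mac address(es) found  ---
"""

# One table row: H-H-H MAC, port name, VLAN ID.
ENTRY_RE = re.compile(
    r"^\s*(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?P<port>\S+)\s+(?P<vlan>\d+)\s*$",
    re.IGNORECASE,
)
# Trailer line carrying the device's own count.
COUNT_RE = re.compile(r"---\s+(?P<n>\d+)\s+mac address\(es\) found\s+---")


def parse_blocked(text):
    """Return (entries, reported_count). Each entry is a dict with keys
    mac, port and vlan; reported_count is the trailer's number, or None
    if no trailer was seen."""
    entries, reported = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"mac": m["mac"].lower(),
                            "port": m["port"],
                            "vlan": int(m["vlan"])})
            continue
        c = COUNT_RE.search(line)
        if c:
            reported = int(c["n"])
    return entries, reported


def count_consistent(entries, reported):
    """True when the trailer count matches the rows parsed; a mismatch means
    the capture was truncated or a line did not fit the expected layout."""
    return reported is not None and reported == len(entries)


def blocked_per_port(entries):
    """Number of blocked MACs per (port, vlan)."""
    return dict(Counter((e["port"], e["vlan"]) for e in entries))


def noisy_ports(entries, threshold):
    """(port, vlan) pairs with at least `threshold` blocked MACs inside the
    fixed three-minute block window; these are worth a closer look."""
    return sorted(k for k, n in blocked_per_port(entries).items() if n >= threshold)


if __name__ == "__main__":
    rows, n = parse_blocked(SAMPLE_OUTPUT)
    print(len(rows), "rows, device reports", n, "consistent:", count_consistent(rows, n))
    print(noisy_ports(rows, threshold=3))
```

Feed the parser the raw text of the command output (for example from a scheduled CLI collection) and alert on noisy_ports; the count check guards against a truncated capture being read as "nothing blocked".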

 

Related commands

port-security intrusion-mode

display port-security preshared-key user

Use display port-security preshared-key user to display pre-shared key (PSK) user information.

Syntax

display port-security preshared-key user [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

2: System level

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If the interface interface-type interface-number parameters are not provided, the command displays information about PSK users on all ports.

Examples

# Display information about PSK users on all ports.

<Sysname> display port-security preshared-key user

  Index     Mac-Address    VlanID     Interface

-----------------------------------------------------

      0  000a-eba2-7f9d        1       WLAN-DBSS1:0

      1  000a-eba2-7f9d        2       WLAN-DBSS1:1

# Display information about PSK users on the specified WLAN-DBSS port.

<Sysname> display port-security preshared-key user interface wlan-dbss1:0

  Index     Mac-Address    VlanID     Interface

-----------------------------------------------------

      0  000a-eba2-7f9d        1       WLAN-DBSS1:0

Table 3 Command output

Field         Description
Index         Index of the user.
Mac-Address   MAC address of the user.
VlanID        VLAN ID of the user.
Interface     Port that the user accesses.

 

port-security authorization ignore

Use port-security authorization ignore to configure a port to ignore the authorization information received from the server (a RADIUS server or the local device).

Use undo port-security authorization ignore to restore the default.

Syntax

port-security authorization ignore

undo port-security authorization ignore

Default

A port uses the authorization information from the server.

Views

Layer 2 Ethernet interface view, WLAN-ESS interface view

Default command level

2: System level

Usage guidelines

After a user passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user's account. For example, it may assign a VLAN.

Examples

# Configure port WLAN-ESS 1 to ignore the authorization information from the authentication server.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] port-security authorization ignore

Related commands

display port-security

port-security enable

Use port-security enable to enable port security.

Use undo port-security enable to disable port security.

Syntax

port-security enable

undo port-security enable

Default

Port security is enabled.

Views

System view

Default command level

2: System level

Usage guidelines

You must disable global 802.1X and MAC authentication before you enable port security on a port.

Enabling or disabling port security resets the following security settings to the default:

·     802.1X access control mode is MAC-based, and the port authorization state is auto.

·     Port security mode is noRestrictions.

You cannot disable port security when online users are present.

Examples

# Enable port security.

<Sysname> system-view

[Sysname] port-security enable

Related commands

·     display port-security

·     dot1x port-method

·     dot1x port-control

·     mac-authentication

port-security intrusion-mode

Use port-security intrusion-mode to configure the intrusion protection feature so that the port takes the pre-defined actions when intrusion protection is triggered on the port.

Use undo port-security intrusion-mode to restore the default.

Syntax

port-security intrusion-mode { blockmac | disableport | disableport-temporarily }

undo port-security intrusion-mode

Default

Intrusion protection is disabled.

Views

Layer 2 Ethernet interface view, WLAN-ESS interface view

Default command level

2: System level

Parameters

blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. This implements illegal traffic filtering on the port. A blocked MAC address is restored to normal after being blocked for three minutes, which is fixed and cannot be changed. To view the blocked MAC address list, use the display port-security mac-address block command.

disableport: Disables the port permanently upon detecting an illegal frame received on the port. WLAN-ESS interfaces do not support this keyword.

disableport-temporarily: Disables the port for a specific period of time whenever it receives an illegal frame. Use port-security timer disableport to set the period.

Usage guidelines

To bring up a port that the disableport action has shut down, use the undo shutdown command on the port.

Examples

# Configure port GigabitEthernet 1/0/1 to block the source MAC addresses of illegal frames after intrusion protection is triggered.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode blockmac

Related commands

·     display port-security

·     port-security timer disableport

port-security max-mac-count

Use port-security max-mac-count to set the maximum number of MAC addresses that port security allows on a port.

Use undo port-security max-mac-count to restore the default setting.

Syntax

port-security max-mac-count count-value

undo port-security max-mac-count

Default

Port security has no limit on the number of MAC addresses on a port.

Views

Layer 2 Ethernet interface view, WLAN-ESS interface view, WLAN-MESH interface view

Default command level

2: System level

Parameters

count-value: Specifies the maximum number of MAC addresses that port security allows on the port. The value range is 1 to 1024.

Usage guidelines

In any other mode that enables 802.1X, MAC authentication, or both, this command sets the maximum number of authenticated MAC addresses on the port. The actual maximum number of concurrent users that the port accepts equals this limit or the authentication method's limit on the number of concurrent users, whichever is smaller. For example, in userLoginSecureExt mode, if 802.1X allows fewer concurrent users than port security's limit on the number of MAC addresses, port security's limit takes effect.

You cannot change port security's limit on the number of MAC addresses when the port is a wireless port that has online users.

The number you set by this command cannot be smaller than that of the MAC addresses already saved on the port.
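The three rules above (the smaller of the two limits wins, the new value must be within 1 to 1024 and not below the MAC addresses already stored, and a wireless port with online users cannot be changed) are easy to get wrong in a bulk configuration push. This added example, not H3C code, encodes them as a pre-check; the port records passed to it are constructed.

```python
"""Pre-check a 'port-security max-mac-count' change against the rules in the
reference. Added example, not H3C code."""

MAX_MAC_COUNT_RANGE = (1, 1024)   # value range of count-value


def effective_user_limit(port_security_limit, auth_method_limit):
    """Concurrent users the port really accepts: the smaller of port
    security's MAC limit and the authentication method's user limit.
    None means 'not configured' (no limit from that side)."""
    limits = [l for l in (port_security_limit, auth_method_limit) if l is not None]
    return min(limits) if limits else None


def check_max_mac_count(new_value, stored_mac_count, wireless, online_users):
    """Return the reasons the device would reject the change (empty = OK)."""
    problems = []
    lo, hi = MAX_MAC_COUNT_RANGE
    if not lo <= new_value <= hi:
        problems.append(f"value {new_value} outside {lo} to {hi}")
    if new_value < stored_mac_count:
        problems.append(f"value {new_value} below {stored_mac_count} MAC addresses already stored")
    if wireless and online_users > 0:
        problems.append("wireless port has online users; limit cannot change now")
    return problems


def plan_bulk_change(ports, new_value):
    """ports: list of dicts with name, stored, wireless, online (constructed
    records). Returns (commands, rejected) so a push only touches safe ports."""
    commands, rejected = [], {}
    for p in ports:
        probs = check_max_mac_count(new_value, p["stored"], p["wireless"], p["online"])
        if probs:
            rejected[p["name"]] = probs
        else:
            commands.append(f"interface {p['name']}")
            commands.append(f" port-security max-mac-count {new_value}")
    return commands, rejected


if __name__ == "__main__":
    sample = [
        {"name": "wlan-ess 1", "stored": 12, "wireless": True, "online": 0},
        {"name": "wlan-ess 2", "stored": 0, "wireless": True, "online": 5},
        {"name": "gigabitethernet 1/0/1", "stored": 150, "wireless": False, "online": 3},
    ]
    print(plan_bulk_change(sample, 100))
```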

Examples

# Set port security's limit on the number of MAC addresses to 100 on port WLAN-ESS 1.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] port-security max-mac-count 100

Related commands

display port-security

port-security nas-id-profile

Use port-security nas-id-profile to specify a NAS ID profile for interface-specific or global port security.

Use undo port-security nas-id-profile to delete the interface-specific or global NAS ID profile.

Syntax

port-security nas-id-profile profile-name

undo port-security nas-id-profile

Default

No NAS ID profile is specified for port security.

Views

System view, interface view

Default command level

3: Manage level

Parameters

profile-name: Specifies the name of a profile that defines NAS ID-VLAN bindings. The profile name is a case-insensitive string of 1 to 16 characters. To create a profile, use the aaa nas-id profile command (see "AAA configuration commands").

Usage guidelines

You can specify only one NAS ID profile for port security in system view and one in interface view.

When a user passes port security authentication on an interface, the device searches for the NAS ID to send to the RADIUS server in the following order:

1.     NAS ID configured in the AP template.

2.     NAS ID configured in radio view.

3.     NAS ID in the NAS ID profile specified for port security on the interface.

4.     NAS ID in the NAS ID profile specified for port security in system view.

5.     Device name.

Examples

# Specify NAS ID profile aaa for port security on interface WLAN-ESS 2.

<Sysname> system-view

[Sysname] interface wlan-ess 2

[Sysname-WLAN-ESS2] port-security nas-id-profile aaa

port-security ntk-mode

Use port-security ntk-mode to configure the NTK feature.

Use undo port-security ntk-mode to restore the default.

Syntax

port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }

undo port-security ntk-mode

Default

NTK is disabled on a port and all frames are allowed to be sent.

Views

Layer 2 Ethernet interface view, WLAN-ESS interface view

Default command level

2: System level

Parameters

ntk-withbroadcasts: Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses.

ntk-withmulticasts: Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses.

ntkonly: Forwards only unicast frames with authenticated destination MAC addresses.

Usage guidelines

The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow frames to be sent to only devices passing authentication, preventing illegal devices from intercepting network traffic.

If a wireless port has online users, you cannot change its NTK settings.

Examples

# Set the NTK mode of port WLAN-ESS 1 to ntkonly, allowing the port to forward received packets to only devices passing authentication.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] port-security ntk-mode ntkonly

Related commands

display port-security

port-security oui

Use port-security oui to configure an OUI value for user authentication.

Use undo port-security oui to delete the OUI value with the specified OUI index.

Syntax

port-security oui oui-value index index-value

undo port-security oui index index-value

Default

No OUI value is configured.

Views

System view

Default command level

2: System level

Parameters

oui-value: Specifies an organizationally unique identifier (OUI) string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value.

index-value: Specifies the OUI index in the range of 1 to 16.

Usage guidelines

An OUI, the first 24 binary bits of a MAC address, is assigned by IEEE to uniquely identify a device vendor. Use this command when you configure a device to allow packets from certain wired devices to pass authentication or to allow packets from certain wireless devices to initiate authentication. For example, when a company allows only IP phones of vendor A in the Intranet, use this command to set the OUI of vendor A.
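Because the command stores only the 24 high-order bits of the MAC address you type, two entries that differ only in the low 24 bits are the same OUI, and a frame matches if its source MAC shares those bits. The following added example, not H3C code, reduces H-H-H addresses to their OUI and models the indexed table that port-security oui builds (indexes 1 to 16). That the CLI accepts shortened hex groups such as d-2a10-33 is an assumption, and the addresses used are constructed.

```python
"""Reduce H-H-H MAC addresses to the 24-bit OUI and check them against an
indexed OUI table like the one 'port-security oui' builds. Added example,
not H3C code; acceptance of short hex groups is an assumption."""
import re

# Three hex groups separated by '-'; each group 1-4 digits (assumption: short groups allowed).
MAC_HHH = re.compile(r"^([0-9a-f]{1,4})-([0-9a-f]{1,4})-([0-9a-f]{1,4})$", re.IGNORECASE)


def oui_from_mac(mac):
    """Return the OUI of a MAC in H-H-H form as six lowercase hex digits.
    Each group is zero-padded to four digits so 'd-2a10-33' and
    '000d-2a10-0033' give the same OUI, 000d2a."""
    m = MAC_HHH.match(mac.strip())
    if not m:
        raise ValueError(f"not an H-H-H MAC address: {mac!r}")
    digits = "".join(g.zfill(4) for g in m.groups()).lower()
    return digits[:6]          # the 24 high-order bits of the 48


class OuiTable:
    """Mirror of the global OUI list: 'port-security oui <mac> index <n>'
    fills a slot, 'undo port-security oui index <n>' clears it."""
    MAX_INDEX = 16

    def __init__(self):
        self._slots = {}       # index -> six-digit OUI

    def set(self, index, mac):
        if not 1 <= index <= self.MAX_INDEX:
            raise ValueError(f"index must be 1 to {self.MAX_INDEX}")
        self._slots[index] = oui_from_mac(mac)

    def remove(self, index):
        self._slots.pop(index, None)

    def entries(self):
        """index -> OUI, as 'display port-security' lists them."""
        return dict(sorted(self._slots.items()))

    def permits(self, mac):
        """The OUI check a userLoginWithOUI port applies to non-802.1X frames."""
        return oui_from_mac(mac) in set(self._slots.values())


if __name__ == "__main__":
    table = OuiTable()
    table.set(4, "000d-2a10-0033")       # the manual's own example: OUI 000d2a
    print(table.entries(), table.permits("000d-2aff-0001"), table.permits("00e0-fc12-3456"))
```

Note that an OUI check identifies a vendor, not a device: any station presenting a source address with that prefix passes it, so the userLoginWithOUI mode is only as strong as the assumption that such addresses appear only on the intended equipment.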

Examples

# Configure an OUI value of 000d2a, setting the index to 4.

<Sysname> system-view

[Sysname] port-security oui 000d-2a10-0033 index 4

Related commands

display port-security

port-security port-mode

Use port-security port-mode to set the port security mode of a port.

Use undo port-security port-mode to restore the default.

Syntax

port-security port-mode { mac-and-psk | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | psk | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-ext-or-psk | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }

undo port-security port-mode

Default

A port operates in noRestrictions mode, where port security does not take effect.

Views

Layer 2 Ethernet interface view, WLAN-ESS interface view, WLAN-MESH interface view

Default command level

2: System level

Parameters

Keyword

Security mode

Description

mac-and-psk

macAddressAndPresharedKey

In this mode, a user must pass MAC authentication and then use the pre-configured PSK to negotiate with the device. The user can access the device only after the negotiation succeeds.

mac-authentication

macAddressWithRadius

In this mode, a port performs MAC authentication for users and services multiple users.

mac-else-userlogin-secure

macAddressElseUserLoginSecure

This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority.

·     For wired users, the port performs MAC authentication 30 seconds after receiving non-802.1X frames.

·     For wireless users, the port performs MAC authentication upon receiving non-802.1X frames. Upon receiving 802.1X frames, the port performs MAC authentication, and if the MAC authentication fails, it performs 802.1X authentication.

mac-else-userlogin-secure-ext

macAddressElseUserLoginSecureExt

Similar to the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.

psk

presharedKey

In this mode, a user must use a pre-configured static key, also called "the PSK," to negotiate with the device and can access the port only after the negotiation succeeds.

secure

secure

In this mode, MAC address learning is disabled on the port and you can configure MAC addresses by using the mac-address static and mac-address dynamic commands.

The port permits only frames sourced from MAC addresses you configured manually by using the mac-address static and mac-address dynamic commands.

userlogin

userLogin

In this mode, a port performs 802.1X authentication and implements port-based access control.

If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication.

userlogin-secure

userLoginSecure

In this mode, a port performs 802.1X authentication and implements MAC-based access control. It services only one user passing 802.1X authentication.

userlogin-secure-ext

userLoginSecureExt

Similar to the userLoginSecure mode except that this mode supports multiple online 802.1X users.

userlogin-secure-ext-or-psk

userLoginSecureExtOrPresharedKey

In this mode, a user interacts with the device and chooses either 802.1X authentication as in userLoginSecure mode or PSK negotiation with the device.

userlogin-secure-or-mac

macAddressOrUserLoginSecure

This mode is the combination of the userLoginSecure and macAddressWithRadius modes.

·     For wired users, the port performs MAC authentication 30 seconds after receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames.

·     For wireless users, the port performs 802.1X authentication first. If 802.1X authentication fails, MAC authentication is performed.

userlogin-secure-or-mac-ext

macAddressOrUserLoginSecureExt

Similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.

userlogin-withoui

userLoginWithOUI

Similar to the userLoginSecure mode. In addition, a port in this mode also permits frames from a user whose MAC address contains a specific OUI (organizationally unique identifier).

·     For wired users, the port performs 802.1X authentication upon receiving 802.1X frames, and performs OUI check upon receiving non-802.1X frames.

·     For wireless users, the port performs OUI check at first. If the OUI check fails, the port performs 802.1X authentication.

 

Usage guidelines

To change the security mode of a port enabled with port security, you must set the port in noRestrictions mode first. When the port has online users, you cannot change port security mode.

When port security is enabled, you cannot manually enable 802.1X or MAC authentication, or change the access control mode or port authorization state. The port security automatically modifies these settings in different security modes.

The support of ports for security modes varies:

·     The presharedKey, macAddressAndPresharedKey, and userLoginSecureExtOrPresharedKey modes apply to only WLAN-ESS ports.

·     The secure and userLogin modes apply to only Layer 2 Ethernet ports.

·     The userLoginWithOUI mode applies to only Layer 2 Ethernet ports and WLAN-ESS ports.

Table 4 Port security modes supported by different types of ports

Port type               Supported security modes
Layer 2 Ethernet port   mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext, secure, userlogin, userlogin-secure, userlogin-secure-ext, userlogin-secure-or-mac, userlogin-secure-or-mac-ext, userlogin-withoui
WLAN-ESS port           mac-and-psk, mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext, psk, userlogin-secure, userlogin-secure-ext, userlogin-secure-ext-or-psk, userlogin-secure-or-mac, userlogin-secure-or-mac-ext, userlogin-withoui
WLAN-MESH port          psk
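The usage guidelines and Table 4 together give three preconditions for a mode change: the keyword must be supported on that port type, a port already in a security mode must go back to noRestrictions first, and a port with online users cannot change at all. This added example, not H3C code, checks a proposed change against those rules and emits the command sequence that satisfies them; the port-type names used as dictionary keys are my own labels, and the port records are constructed.

```python
"""Check a proposed 'port-security port-mode' change against Table 4 and the
usage guidelines. Added example, not H3C code."""

NO_RESTRICTIONS = "noRestrictions"   # the default mode; port security is inactive

# Port-type labels are this example's own; the keyword sets are Table 4's.
SUPPORTED_MODES = {
    "layer2-ethernet": {
        "mac-authentication", "mac-else-userlogin-secure",
        "mac-else-userlogin-secure-ext", "secure", "userlogin", "userlogin-secure",
        "userlogin-secure-ext", "userlogin-secure-or-mac",
        "userlogin-secure-or-mac-ext", "userlogin-withoui",
    },
    "wlan-ess": {
        "mac-and-psk", "mac-authentication", "mac-else-userlogin-secure",
        "mac-else-userlogin-secure-ext", "psk", "userlogin-secure",
        "userlogin-secure-ext", "userlogin-secure-ext-or-psk",
        "userlogin-secure-or-mac", "userlogin-secure-or-mac-ext", "userlogin-withoui",
    },
    "wlan-mesh": {"psk"},
}


def check_mode_change(port_type, current_mode, online_users, new_mode):
    """Return the reasons the change would be refused (empty list = allowed)."""
    modes = SUPPORTED_MODES.get(port_type)
    if modes is None:
        return [f"unknown port type {port_type!r}"]
    problems = []
    if new_mode != NO_RESTRICTIONS and new_mode not in modes:
        problems.append(f"{new_mode} is not supported on {port_type} ports")
    if online_users > 0:
        problems.append("port has online users; the mode cannot change")
    if current_mode != NO_RESTRICTIONS and new_mode != NO_RESTRICTIONS:
        problems.append("port must be set to noRestrictions first")
    return problems


def plan_mode_change(port_type, current_mode, online_users, new_mode):
    """Interface-view commands that take the port from current_mode to
    new_mode without tripping the rules; raises if the change is refused
    for a reason no command sequence can fix."""
    blocking = [p for p in check_mode_change(port_type, current_mode, online_users, new_mode)
                if "noRestrictions first" not in p]
    if blocking:
        raise ValueError("; ".join(blocking))
    cmds = []
    if current_mode != NO_RESTRICTIONS:
        cmds.append("undo port-security port-mode")      # back to noRestrictions
    if new_mode != NO_RESTRICTIONS:
        cmds.append(f"port-security port-mode {new_mode}")
    return cmds


if __name__ == "__main__":
    print(plan_mode_change("wlan-ess", "userlogin-secure", 0, "psk"))
```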

 

Examples

# Set WLAN port WLAN-ESS 1 to operate in preshared key mode.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] port-security port-mode psk

Related commands

display port-security

port-security preshared-key

Use port-security preshared-key to configure a PSK.

Use undo port-security preshared-key to remove the PSK.

Syntax

port-security preshared-key { pass-phrase | raw-key } [ cipher | simple ] key

undo port-security preshared-key

Default

No PSK is configured.

Views

WLAN-ESS interface view, WLAN-MESH interface view

Default command level

2: System level

Parameters

pass-phrase: Enters a PSK in the form of a character string.

raw-key: Enters a PSK in the form of a hexadecimal number.

cipher: Sets a ciphertext PSK.

simple: Sets a plaintext PSK.

key: Specifies the PSK. This argument is case sensitive. If simple is specified, it must be a non-hexadecimal string of 8 to 63 characters or a 64-character hexadecimal string. If cipher is specified, it must be a ciphertext string of 8 to 117 characters. If neither cipher nor simple is specified, you set a plaintext key string.
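The length rules above distinguish three key forms, and the two plaintext forms are related: a 64-character hex raw key is the 256-bit key itself, while a pass-phrase is text the device turns into such a key. This added example, not H3C code, classifies a key the way the rules do, derives a raw key from a pass-phrase with the standard WPA2 method (IEEE 802.11i PBKDF2-HMAC-SHA1, 4096 rounds, 256 bits), and generates a random raw key. That the device derives its key from a pass-phrase in exactly this way, and that an 8 to 63 character string made only of hex digits is still accepted as a pass-phrase, are assumptions.

```python
"""Classify a PSK by the 'port-security preshared-key' length rules and relate
the pass-phrase and raw-key forms. Added example, not H3C code; the
derivation used is the IEEE 802.11i one and is an assumption for this device."""
import hashlib
import re
import secrets

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def classify_psk(key, cipher=False):
    """Return 'cipher', 'raw-key' or 'pass-phrase' for a key that meets the
    reference's length rules, else raise ValueError."""
    if cipher:
        if 8 <= len(key) <= 117:
            return "cipher"
        raise ValueError("a ciphertext PSK must be 8 to 117 characters")
    if HEX64.match(key):
        return "raw-key"             # 64 hex characters = the 256-bit key itself
    if 8 <= len(key) <= 63:
        return "pass-phrase"         # assumption: hex-looking text of this length is a pass-phrase
    raise ValueError("a plaintext PSK must be 8 to 63 characters or a 64-character hex string")


def passphrase_to_raw_key(passphrase, ssid):
    """The 64-hex raw key a pass-phrase yields for one SSID under IEEE 802.11i
    (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes)."""
    if classify_psk(passphrase) != "pass-phrase":
        raise ValueError("expected a pass-phrase of 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32).hex()


def generate_raw_key():
    """A random 256-bit key in the form 'port-security preshared-key raw-key'
    takes; unlike a short pass-phrase it cannot be recovered by dictionary guessing."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    print(classify_psk("abcdefgh"), classify_psk("wrWR2LZofLzlEY9ZdYsidw==", cipher=True))
    print(passphrase_to_raw_key("password", "IEEE"))   # IEEE 802.11i test vector
    print(generate_raw_key())
```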

Usage guidelines

For security purposes, all keys, including keys configured in plain text, are saved in cipher text.

Examples

# Configure the plaintext PSK abcdefgh on port WLAN-ESS 1.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] port-security preshared-key pass-phrase simple abcdefgh

# Configure the plaintext hexadecimal string 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef as the PSK on port WLAN-ESS 1.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] port-security preshared-key raw-key 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef

# Configure ciphertext PSK wrWR2LZofLzlEY9ZdYsidw== on port WLAN-ESS 1.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] port-security preshared-key raw-key cipher wrWR2LZofLzlEY9ZdYsidw==

port-security synchronization enable

Use port-security synchronization enable to enable stateful failover for port security.

Use undo port-security synchronization enable to restore the default.

Syntax

port-security synchronization enable

undo port-security synchronization enable

Default

Port security stateful failover is disabled.

Views

WLAN-ESS interface view

Default command level

2: System level

Usage guidelines

Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.

If port security stateful failover is enabled on the WLAN-ESS interfaces with the same interface number on two devices that back up each other, the 802.1X client information on the local WLAN-ESS interface is synchronized to the peer WLAN-ESS interface in real time. The WLAN-DBSS interface created by the WLAN-ESS interface automatically copies the port security stateful failover configuration of the WLAN-ESS interface.

If a WLAN-ESS interface has been enabled with a radio service template, you cannot change the port security stateful failover configuration on the interface.

Examples

# Enable stateful failover for port security on interface WLAN-ESS 0.

<Sysname> system-view

[Sysname] interface wlan-ess 0

[Sysname-WLAN-ESS0] port-security synchronization enable

port-security timer disableport

Use port-security timer disableport to set the silence period during which the port remains disabled.

Use undo port-security timer disableport to restore the default.

Syntax

port-security timer disableport time-value

undo port-security timer disableport

Default

The silence period is 20 seconds.

Views

System view

Default command level

2: System level

Parameters

time-value: Specifies the silence period in seconds during which the port remains disabled. The value range is 20 to 300.

Usage guidelines

If you configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame, use this command to set the silence period.

Examples

# Configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame and set the silence period to 30 seconds.

<Sysname> system-view

[Sysname] port-security timer disableport 30

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] port-security intrusion-mode disableport-temporarily

Related commands

display port-security

port-security trap

Use port-security trap to enable port security traps.

Use undo port-security trap to disable port security traps.

Syntax

port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }

undo port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }

Default

Port security traps are disabled.

Views

System view

Default command level

2: System level

Parameters

addresslearned: Enables MAC address learning traps. The port security module sends traps when a port learns a new MAC address.

dot1xlogfailure: Enables 802.1X authentication failure traps. The port security module sends traps when an 802.1X authentication fails.

dot1xlogon: Enables 802.1X authentication success traps. The port security module sends traps when an 802.1X authentication is passed.

dot1xlogoff: Enables 802.1X user logoff event traps. The port security module sends traps when an 802.1X user is logged off.

intrusion: Enables intrusion traps. The port security module sends traps when it detects illegal frames.

ralmlogfailure: Enables MAC authentication failure traps. The port security module sends traps when a MAC authentication fails.

ralmlogoff: Enables MAC authentication user logoff traps. The port security module sends traps when a MAC authentication user is logged off.

ralmlogon: Enables MAC authentication success traps. The port security module sends traps when a MAC authentication is passed.

NOTE:

RALM (RADIUS Authenticated Login using MAC-address) means RADIUS authentication based on MAC address.

Usage guidelines

You can enable certain port security traps for monitoring user behaviors.

Examples

# Enable MAC address learning traps.

<Sysname> system-view

[Sysname] port-security trap addresslearned

Related commands

display port-security

port-security tx-key-type 11key

Use port-security tx-key-type 11key to enable key negotiation of the 11key type.

Use undo port-security tx-key-type to disable key negotiation of the 11key type.

Syntax

port-security tx-key-type 11key

undo port-security tx-key-type

Default

Key negotiation of the 11key type is disabled.

Views

WLAN-ESS interface view, WLAN-MESH interface view

Default command level

2: System level

Examples

# Enable key negotiation of the 11key type on port WLAN-ESS 1.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] port-security tx-key-type 11key
