07-Security Command Reference

04-Port Security Commands

Port security configuration commands

display port-security

Use display port-security to display port security configuration information, operation information, and statistics for one or more ports.

Syntax

display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

2: System level

Parameters

interface interface-list: Specifies ports by a port list in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> means that you can specify up to 10 ports or port ranges. The starting port and ending port of a port range must be of the same type, and the ending port number must be greater than the starting port number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If the interface interface-list parameter is not provided, the command displays port security configuration information, operation information, and statistics for all ports.

Examples

# Display port security configuration information, operation information, and statistics for all ports.

<Sysname> display port-security
 Equipment port-security is enabled
 AddressLearned trap is enabled
 Intrusion trap is enabled
 Dot1x logon trap is enabled
 Dot1x logoff trap is enabled
 Dot1x logfailure trap is enabled
 RALM logon trap is enabled
 RALM logoff trap is enabled
 RALM logfailure trap is enabled
 AutoLearn aging time is 1 minutes
 Disableport Timeout: 20s
 OUI value:
 GigabitEthernet1/0/1 is link-up
 GigabitEthernet1/0/2 is link-down
 WLAN-BSS32 is link-down
   Port mode is userLoginWithOUI
   NeedToKnow mode is NeedToKnowOnly
   Intrusion Portection mode is DisablePort
   Max MAC address number is 50
   Stored MAC address number is 0
   Authorization is ignored
   Security MAC address learning mode is sticky
   Security MAC address aging type is absolute

Table 1 Command output

Field

Description

Equipment port-security

Whether the port security is enabled or not.

AddressLearned trap

Whether trapping for MAC address learning is enabled or not. If it is enabled, the port sends trap information after it learns a new MAC address.

Intrusion trap

Whether trapping for intrusion protection is enabled or not. If it is enabled, the port sends trap information after it detects illegal packets.

Dot1x logon trap

Whether trapping for 802.1X logon is enabled or not. If it is enabled, the port sends trap information after a user passes 802.1X authentication.

Dot1x logoff trap

Whether trapping for 802.1X logoff is enabled or not. If it is enabled, the port sends trap information after an 802.1X user logs off.

Dot1x logfailure trap

Whether trapping for 802.1X authentication failure is enabled or not. If it is enabled, the port sends trap information after a user fails 802.1X authentication.

RALM logon trap

Whether trapping for MAC authentication success is enabled or not. If it is enabled, the port sends trap information when a user passes MAC address authentication.

RALM logoff trap

Whether trapping for MAC authenticated user logoff is enabled or not. If it is enabled, traps are sent when a MAC address authenticated user logs off.

RALM logfailure trap

Whether trapping for MAC authentication failure is enabled or not. If it is enabled, the port sends trap information when a user fails MAC address authentication.

AutoLearn aging time

Secure MAC aging timer. The timer applies to sticky or dynamic secure MAC addresses.

Disableport Timeout

Silence timeout period of the port that receives illegal packets, in seconds.

OUI value

List of OUI values allowed.

Port mode

Port security mode, which can be one of the following modes:

·         noRestrictions.

·         autoLearn.

·         macAddressWithRadius.

·         macAddressElseUserLoginSecure.

·         macAddressElseUserLoginSecureExt.

·         secure.

·         userLogin.

·         userLoginSecure.

·         userLoginSecureExt.

·         macAddressOrUserLoginSecure.

·         macAddressOrUserLoginSecureExt.

·         userLoginWithOUI.

·         presharedKey.

·         macAddressAndPresharedKey.

·         userLoginSecureExtOrPresharedKey.

·         WAPI.

For more information about port security modes, see Security Configuration Guide. Support for the security modes varies by interface type. For more information, see the port-security port-mode command.

NeedToKnow mode

Need to know (NTK) mode, which can be one of the following modes:

·         NeedToKnowOnly—Allows only unicast packets with authenticated destination MAC addresses.

·         NeedToKnowWithBroadcast—Allows only unicast packets and broadcasts with authenticated destination MAC addresses.

·         NeedToKnowWithMulticast—Allows unicast packets, multicasts and broadcasts with authenticated destination MAC addresses.

Intrusion mode

Intrusion protection action mode, which can be one of the following modes:

·         BlockMacAddress—Adds the source MAC address of the illegal packet to the blocked MAC address list.

·         DisablePort—Shuts down the port that receives illegal packets permanently.

·         DisablePortTemporarily—Shuts down the port that receives illegal packets for some time.

·         NoAction—Performs no intrusion protection.

Max MAC address number

Maximum number of MAC addresses that port security allows on the port.

Stored MAC address number

Number of MAC addresses stored.

Authorization

Whether the authorization information from the server is ignored or not:

·         permitted—Authorization information from the RADIUS server takes effect.

·         ignored—Authorization information from the RADIUS server does not take effect.

Security MAC address learning mode

Secure MAC address learning mode:

·         sticky—Learn MAC addresses as sticky secure MAC addresses.

·         dynamic—Learns MAC addresses as dynamic secure MAC addresses.

Security MAC address aging type

Secure MAC address aging type:

·         absolute—Timer aging.

·         inactivity—Inactivity aging.


Related commands

·          port-security enable

·          port-security port-mode

·          port-security ntk-mode

·          port-security intrusion-mode

·          port-security max-mac-count

·          port-security mac-address security

·          port-security authorization ignore

·          port-security oui

·          port-security trap
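As an added example (not H3C's code or output), the following Python parses the display port-security output format documented above and flags per-port settings a reviewer would want to look at: intrusion protection left at NoAction, a port still in noRestrictions mode, a secure MAC table that has reached its max-mac-count limit, and sticky addresses with absolute aging only. The sample output is constructed after this page's example and assumes that each port's "is link-up/down" line is followed by that port's own settings.

```python
"""Parse `display port-security` output and flag weak per-port settings.

Added example, not H3C code. SAMPLE_OUTPUT is constructed after the example
on this page; it assumes each "<port> is link-up/down" line is followed by
that port's own settings block (the field names are the page's, including
the device's own spelling "Intrusion Portection mode").
"""
import re
from dataclasses import dataclass, field

SAMPLE_OUTPUT = """\
 Equipment port-security is enabled
 AddressLearned trap is enabled
 Intrusion trap is enabled
 AutoLearn aging time is 1 minutes
 Disableport Timeout: 20s
 OUI value:
 GigabitEthernet1/0/1 is link-up
   Port mode is userLoginWithOUI
   NeedToKnow mode is NeedToKnowOnly
   Intrusion Portection mode is DisablePort
   Max MAC address number is 50
   Stored MAC address number is 0
   Authorization is ignored
   Security MAC address learning mode is sticky
   Security MAC address aging type is absolute
 GigabitEthernet1/0/2 is link-up
   Port mode is autoLearn
   NeedToKnow mode is NeedToKnowWithMulticast
   Intrusion Portection mode is NoAction
   Max MAC address number is 1024
   Stored MAC address number is 1024
   Authorization is permitted
   Security MAC address learning mode is dynamic
   Security MAC address aging type is inactivity
 WLAN-BSS32 is link-down
   Port mode is noRestrictions
"""

GLOBAL_RE = re.compile(r"^\s*Equipment port-security is (enabled|disabled)\s*$")
PORT_RE = re.compile(r"^\s*(\S+) is link-(up|down)\s*$")
FIELD_RE = re.compile(r"^\s*(.+?)\s+is\s+(.+?)\s*$")


@dataclass
class PortSecurity:
    name: str
    link: str                                # "up" or "down"
    settings: dict = field(default_factory=dict)


def parse_port_security(text):
    """Return (global_enabled, {port_name: PortSecurity})."""
    enabled = None
    ports = {}
    current = None
    for line in text.splitlines():
        m = GLOBAL_RE.match(line)
        if m:
            enabled = m.group(1) == "enabled"
            continue
        m = PORT_RE.match(line)
        if m:
            current = PortSecurity(m.group(1), m.group(2))
            ports[current.name] = current
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:        # global trap lines precede any port
            current.settings[m.group(1)] = m.group(2)
    return enabled, ports


def _int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def audit(enabled, ports, max_mac_ceiling=50):
    """Return [(port, finding-code)] for settings worth a second look."""
    findings = []
    if enabled is False:
        findings.append(("global", "global-disabled"))
    for name, port in ports.items():
        if port.link != "up":
            continue                         # only live ports carry traffic
        s = port.settings
        mode = s.get("Port mode")
        if mode == "noRestrictions":         # port security not in effect
            findings.append((name, "no-restrictions"))
            continue
        if s.get("Intrusion Portection mode") == "NoAction":
            findings.append((name, "no-intrusion-action"))
        limit = _int(s.get("Max MAC address number"))
        stored = _int(s.get("Stored MAC address number"))
        if limit > max_mac_ceiling:
            findings.append((name, "mac-limit-high"))
        if mode == "autoLearn" and limit and stored >= limit:
            # reaching the limit switches an autoLearn port to secure mode
            findings.append((name, "secure-table-full"))
        if (s.get("Security MAC address learning mode") == "sticky"
                and s.get("Security MAC address aging type") == "absolute"):
            findings.append((name, "sticky-absolute-aging"))
    return findings


if __name__ == "__main__":
    for port, code in audit(*parse_port_security(SAMPLE_OUTPUT)):
        print(f"{port}: {code}")
```

Feed it the saved output of display port-security from a real access point and adjust max_mac_ceiling to the MAC budget your port-security max-mac-count policy prescribes.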

display port-security mac-address block

Use display port-security mac-address block to display information about blocked MAC addresses.

Syntax

display port-security mac-address block [ interface interface-type interface-number] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

2: System level

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies a VLAN by its ID. The value ranges from 1 to 4094.

count: Displays only the count of the blocked MAC addresses.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

With no keyword or argument specified, the command displays information about all blocked MAC addresses.

Examples

# Display information about all blocked MAC addresses.

<Sysname> display port-security mac-address block
MAC ADDR             From Port                  VLAN ID
000d-88f8-0577       GigabitEthernet1/0/1       1

  ---  1 mac address(es) found  ---

# Display the count of all blocked MAC addresses.

<Sysname> display port-security mac-address block count

  ---  1 mac address(es) found  ---

# Display information about all blocked MAC addresses in VLAN 1.

<Sysname> display port-security mac-address block vlan 1
MAC ADDR             From Port                  VLAN ID
000d-88f8-0577       GigabitEthernet1/0/1       1

  ---  1 mac address(es) found  ---

# Display information about all blocked MAC addresses of port GigabitEthernet 1/0/1.

<Sysname> display port-security mac-address block interface gigabitethernet 1/0/1
MAC ADDR             From Port                  VLAN ID
000d-88f8-0577       GigabitEthernet1/0/1       1

  ---  1 mac address(es) found  ---

# Display information about all blocked MAC addresses of port GigabitEthernet 1/0/1 in VLAN 1.

<Sysname> display port-security mac-address block interface gigabitethernet 1/0/1 vlan 1
MAC ADDR             From Port                  VLAN ID
000d-88f8-0577       GigabitEthernet1/0/1       1

  ---  1 mac address(es) found  ---

Table 2 Command output

Field

Description

MAC ADDR

Blocked MAC address.

From Port

Port having received frames with the blocked MAC address being the source address.

VLAN ID

ID of the VLAN to which the port belongs.

x mac address(es) found

Number of blocked MAC addresses.


Related commands

port-security intrusion-mode

display port-security mac-address security

Use display port-security mac-address security to display information about secure MAC addresses. Secure MAC addresses are those that are automatically learned by the port in autoLearn mode or configured by the port-security mac-address security command.

Syntax

display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

2: System level

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies a VLAN by its ID, in the range of 1 to 4094.

count: Displays only the count of the secure MAC addresses.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

With no keyword or argument specified, the command displays information about all secure MAC addresses.

Examples

# Display information about all secure MAC addresses.

<Sysname> display port-security mac-address security
MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)
000d-88f8-0577  1         Security       GigabitEthernet1/0/1     NOAGED

  ---  1 mac address(es) found  ---

# Display only the count of the secure MAC addresses.

<Sysname> display port-security mac-address security count

  ---  1 mac address(es) found  ---

# Display information about secure MAC addresses in VLAN 1.

<Sysname> display port-security mac-address security vlan 1
MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)
000d-88f8-0577  1         Security       GigabitEthernet1/0/1     NOAGED

  ---  1 mac address(es) found  ---

# Display information about secure MAC addresses on port GigabitEthernet 1/0/1.

<Sysname> display port-security mac-address security interface gigabitethernet 1/0/1
MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)
000d-88f8-0577  1         Security       GigabitEthernet1/0/1     NOAGED

  ---  1 mac address(es) found  ---

# Display information about secure MAC addresses of port GigabitEthernet 1/0/1 in VLAN 1.

<Sysname> display port-security mac-address security interface gigabitethernet 1/0/1 vlan 1
MAC ADDR        VLAN ID   STATE          PORT INDEX               AGING TIME(s)
000d-88f8-0577  1         Security       GigabitEthernet1/0/1     NOAGED

  ---  1 mac address(es) found  ---

Table 3 Command output

Field

Description

MAC ADDR

Secure MAC address.

VLAN ID

ID of the VLAN to which the port belongs.

STATE

Type of the MAC address added. "Security" means it is a secure MAC address.

PORT INDEX

Port to which the secure MAC address belongs.

AGING TIME(s)

Period of time before the secure MAC address ages out. "NOAGED" is displayed for secure MAC addresses.

x mac address(es) found

Number of secure MAC addresses stored.


Related commands

port-security mac-address security

display port-security preshared-key user

Use display port-security preshared-key user to display pre-shared key (PSK) user information.

Syntax

display port-security preshared-key user [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

2: System level

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If the interface interface-type interface-number parameters are not provided, the command displays information about PSK users on all ports.

Examples

# Display information about PSK users on all ports.

<Sysname> display port-security preshared-key user
  Index     Mac-Address    VlanID     Interface
-----------------------------------------------------
      0  0000-1122-3344        1       wlan-bss1
      1  0000-1133-2244        2       wlan-bss2

# Display information about PSK users on WLAN port WLAN-BSS1.

<Sysname> display port-security preshared-key user interface wlan-bss 1
  Index     Mac-Address    VlanID     Interface
-----------------------------------------------------
      0  0000-1122-3344        1       wlan-bss-1

Table 4 Command output

Field

Description

Index

Index of the user.

Mac-Address

MAC address of the user.

VlanID

VLAN ID of the user.

Interface

Port that the user accesses.


port-security authorization ignore

Use port-security authorization ignore to configure a port to ignore the authorization information received from the server (a RADIUS server or the local device).

Use undo port-security authorization ignore to restore the default.

Syntax

port-security authorization ignore

undo port-security authorization ignore

Default

A port uses the authorization information from the server.

Views

Ethernet interface view, WLAN-BSS interface view

Default command level

2: System level

Usage guidelines

After a user passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user's account. For example, it may assign a VLAN.

Examples

# Configure port GigabitEthernet 1/0/1 to ignore the authorization information from the authentication server.

<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security authorization ignore

Related commands

display port-security

port-security enable

Use port-security enable to enable port security.

Use undo port-security enable to disable port security.

Syntax

port-security enable

undo port-security enable

Default

Port security is enabled.

Views

System view

Default command level

2: System level

Usage guidelines

You must disable global 802.1X and MAC authentication before you enable port security on a port.

Enabling or disabling port security resets the following security settings to the default:

·          802.1X access control mode is MAC-based, and the port authorization state is auto.

·          Port security mode is noRestrictions.

You cannot disable port security when online users are present.

Examples

# Enable port security.

<Sysname> system-view
[Sysname] port-security enable

Related commands

·          display port-security

·          dot1x

·          dot1x port-control

·          dot1x port-method

·          mac-authentication

port-security intrusion-mode

Use port-security intrusion-mode to configure the intrusion protection feature so that the port takes the pre-defined actions when intrusion protection is triggered on the port.

Use undo port-security intrusion-mode to restore the default.

Syntax

port-security intrusion-mode { blockmac | disableport | disableport-temporarily }

undo port-security intrusion-mode

Default

Intrusion protection is disabled.

Views

Layer 2 Ethernet interface view, WLAN-BSS interface view

Default command level

2: System level

Parameters

blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. This implements illegal traffic filtering on the port. A blocked MAC address is restored to normal after being blocked for three minutes, which is fixed and cannot be changed. To view the blocked MAC address list, use the display port-security mac-address block command.

disableport: Disables the port permanently upon detecting an illegal frame received on the port. This keyword is not supported on a WLAN-BSS interface.

disableport-temporarily: Disables the port for a specific period of time whenever it receives an illegal frame. Use port-security timer disableport to set the period.

Usage guidelines

To restore the connection of a port that intrusion protection has disabled, use the undo shutdown command.

Examples

# Configure port GigabitEthernet 1/0/1 to block the source MAC addresses of illegal frames after intrusion protection is triggered.

<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode blockmac

Related commands

·          display port-security

·          display port-security mac-address block

·          port-security timer disableport

port-security mac-address aging-type inactivity

Use port-security mac-address aging-type inactivity to enable inactivity aging for secure MAC addresses (sticky or dynamic).

Use undo port-security mac-address aging-type inactivity to restore the default.

Syntax

port-security mac-address aging-type inactivity

undo port-security mac-address aging-type inactivity

Default

The inactivity aging function is disabled.

Views

Layer 2 Ethernet interface view

Default command level

2: System level

Usage guidelines

If only an aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the sticky MAC address. When you use an aging timer together with the inactivity aging function, the aging timer restarts once traffic data is detected from the sticky MAC address. The inactivity aging function prevents the unauthorized use of a secure MAC address when the authorized user is offline, and removes outdated secure MAC addresses so new secure MAC addresses can be learned.

Examples

# Enable inactivity aging for secure MAC addresses on interface GigabitEthernet 1/0/1.

<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security mac-address aging-type inactivity

Related commands

·          port-security timer autolearn aging

·          port-security mac-address dynamic

port-security mac-address dynamic

Use port-security mac-address dynamic to enable the dynamic secure MAC function. This function converts sticky MAC addresses to dynamic, and disables saving them to the configuration file.

Use undo port-security mac-address dynamic to disable the dynamic secure MAC function. Then, all dynamic secure MAC addresses are converted to sticky MAC addresses, and you can manually configure sticky MAC addresses.

Syntax

port-security mac-address dynamic

undo port-security mac-address dynamic

Default

The dynamic secure MAC function is disabled. Sticky MAC addresses can be saved to the configuration file, and once saved, survive a device reboot.

Views

Layer 2 Ethernet interface view

Default command level

2: System level

Usage guidelines

After you execute this command, you cannot manually configure sticky MAC addresses, and secure MAC addresses automatically learned by a port in autoLearn mode are also dynamic. All dynamic MAC addresses are lost at reboot. Use this command when you want to clear all sticky MAC addresses after a device reboot.

You can display dynamic secure MAC addresses by using the display port-security mac-address security command.

Examples

# Enable the dynamic secure MAC function on interface GigabitEthernet 1/0/1.

<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security mac-address dynamic

Related commands

·          display port-security mac-address security

·          mac-address dynamic

port-security mac-address security

Use port-security mac-address security to add a secure MAC address in Layer 2 Ethernet interface view or system view.

Use undo port-security mac-address security to remove a secure MAC address.

Syntax

In Layer 2 Ethernet interface view:

port-security mac-address security [ sticky ] mac-address vlan vlan-id

undo port-security mac-address security [ sticky ] mac-address vlan vlan-id

In system view:

port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id

undo port-security mac-address security [ [ mac-address[ interface interface-type interface-number ] ] vlan vlan-id ]

Default

No secure MAC address entry is configured.

Views

Layer 2 Ethernet interface view, system view

Default command level

2: System level

Parameters

sticky: Specifies a sticky MAC address. If you do not provide this keyword, the command configures a static secure MAC address.

mac-address: Secure MAC address, in the H-H-H format.

interface interface-type interface-number: Specifies a Layer 2 Ethernet port by its type and number.

vlan vlan-id: Specifies the VLAN that has the secure MAC address. The vlan-id argument represents the ID of the VLAN, in the range of 1 to 4094. Make sure that you have assigned the Layer 2 port to the specified VLAN.

Usage guidelines

Secure MAC addresses are MAC addresses configured or learned in autoLearn mode. They can survive link down/up events, and once saved, can survive a device reboot. You can bind a MAC address to only one port in a VLAN.

When a port is operating in autoLearn mode, you can add important or frequently used MAC addresses as sticky or static secure MAC addresses to avoid the secure MAC address limit causing authentication failure.

Static secure MAC addresses never age out unless you remove them by using the undo port-security mac-address security command, changing the port security mode, or disabling the port security feature.

Sticky MAC addresses can be manually configured or automatically learned in autoLearn mode. Sticky MAC addresses do not age out by default. You can use the port-security timer autolearn aging command to set an aging timer for them. When the timer expires, the sticky MAC addresses are removed.

You cannot change the type of a secure address entry that has been added or add two entries that are identical except for their entry type. For example, you cannot add the port-security mac-address security sticky 1-1-1 vlan 10 entry when a port-security mac-address security 1-1-1 vlan 10 entry exists. To add the new entry, you must delete the old entry.

To enable port security on a port, use the port-security enable command, and to set the port in autoLearn mode, use the port-security port-mode autolearn command.

When the dynamic secure MAC function is enabled (using the port-security mac-address dynamic command), you cannot manually configure sticky MAC addresses.

Examples

# Enable port security, set port GigabitEthernet 1/0/1 in autoLearn mode, and add a static secure MAC address 0001-0001-0002 in VLAN 10.

<Sysname> system-view
[Sysname] port-security enable
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security max-mac-count 100
[Sysname-GigabitEthernet1/0/1] port-security port-mode autolearn
[Sysname-GigabitEthernet1/0/1] quit
[Sysname] port-security mac-address security 0001-0001-0002 interface gigabitethernet1/0/1 vlan 10

# Enable port security, set port GigabitEthernet 1/0/1 in autoLearn mode, and add a static secure MAC address 0001-0002-0003 in VLAN 4 in interface view.

<Sysname> system-view
[Sysname] port-security enable
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security max-mac-count 100
[Sysname-GigabitEthernet1/0/1] port-security port-mode autolearn
[Sysname-GigabitEthernet1/0/1] port-security mac-address security 0001-0002-0003 vlan 4

Related commands

·          display port-security

·          port-security timer autolearn aging

port-security max-mac-count

Use port-security max-mac-count to set the maximum number of MAC addresses that port security allows on a port.

Use undo port-security max-mac-count to restore the default setting.

Syntax

port-security max-mac-count count-value

undo port-security max-mac-count

Default

Port security has no limit on the number of MAC addresses on a port.

Views

Ethernet interface view, WLAN-BSS interface view

Default command level

2: System level

Parameters

count-value: Specifies the maximum number of MAC addresses that port security allows on the port. The value ranges from 1 to 1024.

Usage guidelines

In autoLearn mode, this command sets the maximum number of secure MAC addresses (both configured and automatically learned) on the port.

In any other mode that enables 802.1X, MAC authentication, or both, this command sets the maximum number of authenticated MAC addresses on the port. The actual maximum number of concurrent users that the port accepts equals this limit or the authentication method's limit on the number of concurrent users, whichever is smaller. For example, in userLoginSecureExt mode, if 802.1X allows fewer concurrent users than port security's limit on the number of MAC addresses, the 802.1X limit takes effect.

You cannot change port security's limit on the number of MAC addresses when the port is operating in autoLearn mode or is a wireless port that has online users.

Examples

# Set port security's limit on the number of MAC addresses to 100 on port GigabitEthernet 1/0/1.

<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security max-mac-count 100

Related commands

display port-security

port-security ntk-mode

Use port-security ntk-mode to configure the NTK feature.

Use undo port-security ntk-mode to restore the default.

Syntax

port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }

undo port-security ntk-mode

Default

NTK is disabled on a port and all frames are allowed to be sent.

Views

Ethernet interface view, WLAN-BSS interface view

Default command level

2: System level

Parameters

ntk-withbroadcasts: Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses.

ntk-withmulticasts: Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses.

ntkonly: Forwards only unicast frames with authenticated destination MAC addresses.

Usage guidelines

The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow frames to be sent to only devices passing authentication, preventing illegal devices from intercepting network traffic.

If a wireless port has online users, you cannot change its NTK settings.

Examples

# Set the NTK mode of port GigabitEthernet 1/0/1 to ntkonly, allowing the port to forward received packets to only devices passing authentication.

<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security ntk-mode ntkonly

Related commands

display port-security

port-security oui

Use port-security oui to configure an OUI value for user authentication.

Use undo port-security oui to delete the OUI value with the specified OUI index.

Syntax

port-security oui oui-value index index-value

undo port-security oui index index-value

Default

No OUI value is configured.

Views

System view

Default command level

2: System level

Parameters

oui-value: Specifies an organizationally unique identifier (OUI) string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value.

index-value: Specifies the OUI index, in the range of 1 to 16.

Usage guidelines

An OUI, the first 24 binary bits of a MAC address, is assigned by IEEE to uniquely identify a device vendor. Use this command when you configure a device to allow packets from certain wired devices to pass authentication or to allow packets from certain wireless devices to initiate authentication. For example, when a company allows only IP phones of vendor A in the Intranet, use this command to set the OUI of vendor A.

Examples

# Configure an OUI value of 000d2a, setting the index to 4.

<Sysname> system-view
[Sysname] port-security oui 000d-2a10-0033 index 4

Related commands

display port-security

port-security port-mode

Use port-security port-mode to set the port security mode of a port.

Use undo port-security port-mode to restore the default.

Syntax

port-security port-mode { autolearn | mac-and-psk | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | psk | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-ext-or-psk | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }

undo port-security port-mode

Default

A port operates in noRestrictions mode, where port security does not take effect.

Views

Layer 2 Ethernet interface view, WLAN-BSS interface view

Default command level

2: System level

Parameters

Keyword

Security mode

Description

autolearn

autoLearn

In this mode, a port can learn MAC addresses, and allows frames sourced from learned or configured MAC addresses to pass. The automatically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command. A secure MAC address never ages out by default. In addition, you can configure MAC addresses manually by using the mac-address dynamic and mac-address static commands for a port in autoLearn mode.

When the number of secure MAC addresses reaches the upper limit set by the port-security max-mac-count command, the port changes to secure mode.

mac-and-psk

macAddressAndPresharedKey

In this mode, a user must pass MAC authentication and then use the pre-configured PSK to negotiate with the device. Only when the negotiation succeeds, can the user access the device.

mac-authentication

macAddressWithRadius

In this mode, a port performs MAC authentication forusersand services multiple users.

mac-else-userlogin-secure

macAddressElseUserLoginSecure

This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority.

·         For wired users, the port performs MAC authentication 30 seconds after receivingnon-802.1X frames.

·         For wireless users, the port performs MAC authentication upon receiving non-802.1X frames. Upon receiving 802.1X frames, the port performs MAC authentication, and if the MAC authentication fails, it performs 802.1X authentication.

mac-else-userlogin-secure-ext

macAddressElseUserLoginSecureExt

Similar to the macAddressElseUserLoginSecure mode except that a port in this mode supportsmultiple 802.1Xand MAC authentication users.

psk

presharedKey

In this mode, a user must use a pre-configured static key, also called"the PSK," to negotiate with the device and can access the port only after the negotiation succeeds.

secure

secure

In this mode, MAC addresslearning is disabled on the port and you can configure MAC addresses by using the mac-address static and mac-address dynamic commands.

The port permits only frames sourced from secure MAC addressesand MAC addresses you manually configured by using the mac-address static and mac-address dynamic commands.

userlogin

userLogin

In this mode, a port performs 802.1X authentication and implements port-based access control.

If one 802.1X user passes authentication, all the other802.1X users of the port can access the network without authentication.

userlogin-secure

userLoginSecure

In this mode, a port performs 802.1X authentication and implements MAC-based access control. It services only one user passing 802.1X authentication.

userlogin-secure-ext

userLoginSecureExt

Similar to the userLoginSecure mode except that this mode supports multiple online 802.1X users.

userlogin-secure-ext-or-psk

userLoginSecureExtOrPresharedKey

In this mode, a user interacts with the device, choosing to undergo UserLoginSecuremode or use thePSK to negotiate with the device.

userlogin-secure-or-mac

macAddressOrUserLoginSecure

This mode is the combination of the userLoginSecure and macAddressWithRadius modes.

·         For wiredusers, the port performs MAC authentication 30 seconds after receivingnon-802.1X frames and performs 802.1X authentication upon receiving 802.1Xframes.

·         For wireless users, the port performs 802.1Xauthentication first. If 802.1X authentication fails, MAC authentication is performed.

userlogin-secure-or-mac-ext

macAddressOrUserLoginSecureExt

Similar to the macAddressOrUserLoginSecure mode except that a port in this mode supportsmultiple 802.1Xand MAC authentication users.

userlogin-withoui

userLoginWithOUI

Similar to the userLoginSecure mode. In addition, a port in this mode also permits frames from a user whose MAC address contains a specific OUI (organizationally unique identifier).

·         For wired users, the port performs 802.1X authentication upon receiving 802.1X frames, and performs OUI check upon receiving non-802.1X frames.

·         For wireless users, the port performs OUI check at first. If the OUI check fails, the port performs 802.1X authentication.
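The OUI matching that port-security oui configures and that userLoginWithOUI mode applies, worked through as an added example in Python. This is not code from the H3C manual or from the device. It relies only on what the page states, that an OUI is the first 24 bits of a MAC address and that the command keeps only those bits of the address it is given; the class, function and result names are the example's own, the EAPOL ethertype 0x888E is how 802.1X frames are recognised on the wire, and "deny" for a wired non-802.1X frame that fails the OUI check is an assumption, since the page only says the check is performed. The example goes slightly beyond the page by refusing to configure a prefix whose group or locally administered bit is set, because such a prefix cannot be an IEEE-assigned vendor OUI.

```python
import re

# Added example, not code from the H3C manual or the device: how an OUI
# allow list of the kind built with "port-security oui <mac> index <n>" is
# matched against a frame's source MAC on a userLoginWithOUI port.
# Class, function and result names below are the example's own.

_MAC12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept H3C 'xxxx-xxxx-xxxx', 'xx:xx:xx:xx:xx:xx' or 'xx-xx-xx-xx-xx-xx'
    and return the 12 hex digits in lowercase; anything else is rejected."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not _MAC12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def oui_of(mac: str) -> str:
    """The first 24 bits (three octets) of the address as 6 hex digits; this is
    all that 'port-security oui' keeps from the full MAC it is given."""
    return normalize_mac(mac)[:6]


def first_octet(mac: str) -> int:
    return int(normalize_mac(mac)[:2], 16)


class OuiTable:
    """Indexed OUI entries, one per 'index' value."""

    def __init__(self) -> None:
        self.entries = {}  # index -> 6-hex-digit OUI

    def add(self, mac: str, index: int) -> str:
        # An IEEE-assigned OUI has the group bit (bit 0) and the locally
        # administered bit (bit 1) of the first octet clear. Refuse a prefix
        # that cannot be a vendor OUI instead of letting it silently never match.
        if first_octet(mac) & 0x03:
            raise ValueError(f"{mac!r} is not a vendor-assigned (unicast, universal) OUI")
        oui = oui_of(mac)
        self.entries[index] = oui
        return oui

    def remove(self, index: int) -> None:
        self.entries.pop(index, None)

    def permits(self, src_mac: str) -> bool:
        """True if the frame's source OUI is in the table. Nothing but the
        source address is examined, so any host that sets its MAC to a
        permitted vendor prefix passes this check."""
        return oui_of(src_mac) in self.entries.values()


EAPOL_ETHERTYPE = 0x888E  # 802.1X frames are carried in EAPOL


def userlogin_withoui_decision(src_mac: str, ethertype: int, wired: bool,
                               table: OuiTable) -> str:
    """Order of checks the page gives for userLoginWithOUI. 'deny' for a wired
    non-802.1X frame that fails the OUI check is this example's assumption;
    the page only says that the OUI check is performed."""
    if wired:
        if ethertype == EAPOL_ETHERTYPE:
            return "dot1x"
        return "permit-oui" if table.permits(src_mac) else "deny"
    # Wireless: OUI check first, 802.1X only when it fails.
    return "permit-oui" if table.permits(src_mac) else "dot1x"
```

The OUI check trusts nothing but the source address, so it is a convenience for devices such as IP phones that cannot run an 802.1X supplicant, not an authentication step: a host that changes its MAC to a permitted vendor prefix passes it.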

 

Usage guidelines

To change the security mode of a port on which port security is enabled, you must first restore the port to noRestrictions mode (undo port-security port-mode). You cannot change the port security mode while the port has online users.

IMPORTANT:

If you are configuring the autoLearn mode, first set the limit on the number of secure MAC addresses by using the port-security max-mac-count command. You cannot change that setting while the port is operating in autoLearn mode.

When port security is enabled, you cannot manually enable 802.1X or MAC authentication, or change the access control mode or port authorization state. Port security modifies these settings itself according to the security mode.

Support for security modes varies with the port type:

·          The presharedKey, macAddressAndPresharedKey, and userLoginSecureExtOrPresharedKey modes apply only to WLAN-BSS ports.

·          The autoLearn, secure, userLogin, and userLoginWithOUI modes apply only to Layer 2 Ethernet ports.

Table 5 Port security modes supported by different types of ports

Port type: Layer 2 Ethernet port

Supported security modes: autolearn, mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext, secure, userlogin, userlogin-secure, userlogin-secure-ext, userlogin-secure-or-mac, userlogin-secure-or-mac-ext, userlogin-withoui

Port type: WLAN-BSS

Supported security modes: mac-and-psk, mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext, psk, userlogin-secure, userlogin-secure-ext, userlogin-secure-ext-or-psk, userlogin-secure-or-mac, userlogin-secure-or-mac-ext

 

Examples

# Enable port security and set port GigabitEthernet1/0/1 in secure mode.

<Sysname> system-view

[Sysname] port-security enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security port-mode secure

# Change the port security mode of port GigabitEthernet1/0/1 to userLogin (the port must be restored to noRestrictions mode first).

[Sysname-GigabitEthernet1/0/1] undo port-security port-mode

[Sysname-GigabitEthernet1/0/1] port-security port-mode userlogin

# Set WLAN port WLAN-BSS1 to operate in presharedKey mode.

<Sysname> system-view

[Sysname] interface wlan-bss 1

[Sysname-WLAN-BSS1] port-security port-mode psk

Related commands

display port-security

port-security timer autolearn aging

Use port-security timer autolearn aging to set the secure MAC aging timer. The timer applies to all sticky or dynamic secure MAC addresses.

Use undo port-security timer autolearn aging to restore the default.

Syntax

port-security timer autolearn aging time-value

undo port-security timer autolearn aging

Default

Secure MAC addresses never age out.

Views

System view

Default command level

2: System level

Parameters

time-value: Sets the aging timer in minutes for secure MAC addresses. The value is in the range of 0 to 129600. To disable the aging timer, set the timer to 0.

Examples

# Set the secure MAC aging timer to 30 minutes.

<Sysname> system-view

[Sysname] port-security timer autolearn aging 30

Related commands

·          display port-security

·          port-security mac-address security

port-security preshared-key

Use port-security preshared-key to configure a PSK.

Use undo port-security preshared-key to remove the PSK.

Syntax

port-security preshared-key { pass-phrase | raw-key } [ cipher | simple ] key

undo port-security preshared-key

Default

No PSK is configured.

Views

WLAN-BSS interface view

Default command level

2: System level

Parameters

pass-phrase: Enters a PSK in the form of a character string.

raw-key: Enters a PSK in the form of a hexadecimal number.

cipher: Sets a ciphertext PSK.

simple: Sets a plaintext PSK.

key: Specifies the PSK. This argument is case sensitive. If simple is specified, the key must be a pass-phrase of 8 to 63 characters or a raw-key of 64 hexadecimal characters. If cipher is specified, it must be a ciphertext string of 8 to 117 characters. If neither cipher nor simple is specified, you set a plaintext key string.

For secrecy, all keys, including keys entered in plain text, are saved in cipher text. The cipher form protects the key only in displayed and saved configuration: the device must recover the plaintext PSK to derive session keys, so treat configuration files and backups that contain it as secrets.
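The two key forms the key argument accepts, checked and related to each other as an added example in Python. This is not code from the H3C manual or from the device. The length rules are the ones stated above; the PBKDF2 step is the standard WPA2-PSK derivation from IEEE 802.11 (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, 256-bit output), assumed here to be what the device does with a pass-phrase, since the page itself does not describe the derivation. The SSID, the function names and the "password"/"IEEE" pair (the 802.11 standard's own test vector) are the example's inputs, not values from the page.

```python
import hashlib
import string

# Added example, not code from the H3C manual or the device: validation of the
# pass-phrase and raw-key forms of "port-security preshared-key", and the
# standard WPA2-PSK derivation that relates them (assumed, not stated on the page).

PASSPHRASE_MIN, PASSPHRASE_MAX = 8, 63   # pass-phrase length rule from the page
RAW_KEY_HEX_LEN = 64                     # raw-key: a 256-bit key as 64 hex digits


def validate_psk(form: str, key: str) -> bool:
    """Mirror the key-argument rules: a pass-phrase is 8 to 63 printable ASCII
    characters, a raw-key is exactly 64 hexadecimal digits."""
    if form == "pass-phrase":
        return (PASSPHRASE_MIN <= len(key) <= PASSPHRASE_MAX
                and all(32 <= ord(c) <= 126 for c in key))
    if form == "raw-key":
        return len(key) == RAW_KEY_HEX_LEN and all(c in string.hexdigits for c in key)
    raise ValueError(f"unknown PSK form {form!r}")


def pmk_from_psk(form: str, key: str, ssid: str) -> bytes:
    """Pairwise master key the WLAN will use. A raw-key already is the PMK;
    a pass-phrase is stretched with PBKDF2-HMAC-SHA1 (4096 rounds, salted with
    the SSID) per WPA2-PSK, which makes it SSID-bound and slower to guess."""
    if not validate_psk(form, key):
        raise ValueError(f"invalid {form} PSK")
    if form == "raw-key":
        return bytes.fromhex(key)
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def raw_key_for(passphrase: str, ssid: str) -> str:
    """The 64-hex-digit raw-key equivalent of a pass-phrase on a given SSID,
    i.e. what could be configured with 'raw-key' to obtain the same PMK."""
    return pmk_from_psk("pass-phrase", passphrase, ssid).hex()
```

Because the derivation is deterministic from the pass-phrase and SSID, a short dictionary pass-phrase such as the page's abcdefgh can be tested offline against a captured key negotiation; use a long random pass-phrase, or a raw-key, for production WLAN-BSS ports.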

Examples

# Configure the plaintext PSK abcdefgh on port WLAN-BSS1.

<Sysname> system-view

[Sysname] interface wlan-bss 1

[Sysname-WLAN-BSS1] port-security preshared-key pass-phrase simple abcdefgh

# Configure the plaintext 64-character hexadecimal string 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef as the PSK on port WLAN-BSS1.

<Sysname> system-view

[Sysname] interface wlan-bss 1

[Sysname-WLAN-BSS1] port-security preshared-key raw-key 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef

# Configure the ciphertext PSK wrWR2LZofLzlEY9ZdYsidw== on port WLAN-BSS1.

<Sysname> system-view

[Sysname] interface wlan-bss 1

[Sysname-WLAN-BSS1] port-security preshared-key raw-key cipher wrWR2LZofLzlEY9ZdYsidw==

port-security timer disableport

Use port-security timer disableport to set the silence period during which the port remains disabled.

Use undo port-security timer disableport to restore the default.

Syntax

port-security timer disableport time-value

undo port-security timer disableport

Default

The silence period is 20 seconds.

Views

System view

Default command level

2: System level

Parameters

time-value: Specifies the silence period in seconds during which the port remains disabled. The value is in the range of 20 to 300.

Usage guidelines

If you configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame (port-security intrusion-mode disableport-temporarily), use this command to set the silence period. Any host able to send an illegal frame on the port can trigger the disable again as soon as the period ends, so weigh a longer silence period against the availability of legitimate users on that port.

Examples

# Configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame, and set the silence period to 30 seconds.

<Sysname> system-view

[Sysname] port-security timer disableport 30

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily

Related commands

display port-security

port-security trap

Use port-security trap to enable port security traps.

Use undo port-security trap to disable port securitytraps.

Syntax

port-security trap { addresslearned | dot1xlogfailure| dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }

undo port-security trap { addresslearned | dot1xlogfailure| dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }

Default

Port security traps are disabled.

Views

System view

Default command level

2: System level

Parameters

addresslearned: Enables MAC address learning traps. The port security module sends traps when a port learns a new MAC address.

dot1xlogfailure: Enables 802.1X authentication failure traps. The port security module sends traps when an 802.1X authentication fails.

dot1xlogon: Enables 802.1X authentication success traps. The port security module sends traps when an 802.1X authentication is passed.

dot1xlogoff: Enables 802.1X user logoff event traps. The port security module sends traps when an 802.1X user is logged off.

intrusion: Enables intrusion traps. The port security module sends traps when it detects illegal frames.

ralmlogfailure: Enables MAC authentication failure traps. The port security module sends traps when a MAC authentication fails.

ralmlogoff: Enables MAC authentication user logoff traps. The port security module sends traps when a MAC authentication user is logged off.

ralmlogon: Enables MAC authentication success traps. The port security module sends traps when a MAC authentication is passed.

NOTE:

RALM (RADIUS Authenticated Login using MAC-address) means RADIUS authentication based on MAC address.

Usage guidelines

You can enable certain port security traps for monitoring user behavior. For example, enable intrusion traps together with an intrusion protection policy so that illegal frames are reported to the network management system rather than only acted on locally.

Examples

# Enable MAC address learning traps.

<Sysname> system-view

[Sysname] port-security trap addresslearned

Related commands

display port-security

port-security tx-key-type 11key

Use port-security tx-key-type 11key to enable key negotiation of the 11key type.

Use undo port-security tx-key-type to disable key negotiation of the 11key type.

Syntax

port-security tx-key-type 11key

undo port-security tx-key-type

Default

Key negotiation of the 11key type is disabled.

Views

WLAN-BSS interface view

Default command level

2: System level

Examples

# Enable key negotiation of the 11key type on port WLAN-BSS1.

<Sysname> system-view

[Sysname] interface wlan-bss 1

[Sysname-WLAN-BSS1] port-security tx-key-type 11key
