07-Security Command Reference

H3C WX Series Access Controllers Command References (R3308 R2308)-6W107
05-Port Security Commands

Port security configuration commands

display port-security

Syntax

display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

2: System level

Parameters

interface interface-list: Specifies ports by a port list in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> means that you can specify up to 10 ports or port ranges. The starting port and ending port of a port range must be of the same type, and the ending port number must be greater than the starting port number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display port-security to display port security configuration information, operation information, and statistics for one or more ports.

If the interface interface-list parameter is not provided, the command displays port security information, operation information, and status about all ports.

Related commands: port-security enable, port-security port-mode, port-security ntk-mode, port-security intrusion-mode, port-security max-mac-count, port-security authorization ignore, port-security oui, and port-security trap.

Examples

# Display port security configuration information, operation information, and statistics about all ports.

<Sysname> display port-security

 Equipment port-security is enabled

Trap is enabled

 Intrusion trap is enabled

 Dot1x logon trap is enabled

 Dot1x logoff trap is enabled

 Dot1x logfailure trap is enabled

 RALM logon trap is enabled

 RALM logoff trap is enabled

 RALM logfailure trap is enabled

 Disableport Timeout: 20s

 OUI value:

   Index is 1,  OUI value is 000d1a

   Index is 2,  OUI value is 003c12

 

GigabitEthernet1/0/1 is link-down

    Port mode is userLoginWithOUI

    NeedToKnow mode is NeedToKnowOnly

    Intrusion Portection mode is DisablePort

    Max MAC address number is 50

    Stored MAC address number is 0

    Authorization is ignored

 GigabitEthernet1/0/2 is link-down

    Port mode is noRestriction

    NeedToKnow mode is disabled

    Intrusion mode is NoAction

    Max MAC address number is not configured

    Stored MAC address number is 0

    Authorization is permitted

Table 1 Command output

Equipment port-security: Whether port security is enabled.

Trap: Whether trapping for MAC address learning is enabled. If it is enabled, the port sends trap information after it learns a new MAC address.

Intrusion trap: Whether trapping for intrusion protection is enabled. If it is enabled, the port sends trap information after it detects illegal packets.

Dot1x logon trap: Whether trapping for 802.1X logon is enabled. If it is enabled, the port sends trap information after a user passes 802.1X authentication.

Dot1x logoff trap: Whether trapping for 802.1X logoff is enabled. If it is enabled, the port sends trap information after an 802.1X user logs off.

Dot1x logfailure trap: Whether trapping for 802.1X authentication failure is enabled. If it is enabled, the port sends trap information after a user fails 802.1X authentication.

RALM logon trap: Whether trapping for MAC authentication success is enabled. If it is enabled, the port sends trap information when a user passes MAC address authentication.

RALM logoff trap: Whether trapping for MAC authenticated user logoff is enabled. If it is enabled, traps are sent when a MAC address authenticated user logs off.

RALM logfailure trap: Whether trapping for MAC authentication failure is enabled. If it is enabled, the port sends trap information when a user fails MAC address authentication.

Disableport Timeout: Silence timeout period of the port that receives illegal packets, in seconds.

OUI value: List of OUI values allowed.

Port mode: Port security mode, which can be one of the following modes:

·     macAddressWithRadius

·     macAddressElseUserLoginSecure

·     macAddressElseUserLoginSecureExt

·     secure

·     userLogin

·     userLoginSecure

·     userLoginSecureExt

·     macAddressOrUserLoginSecure

·     macAddressOrUserLoginSecureExt

·     userLoginWithOUI

·     presharedKey

·     macAddressAndPresharedKey

·     userLoginSecureExtOrPresharedKey

For more information about port security modes, see Security Configuration Guide.

NeedToKnow mode: Need to know (NTK) mode, which can be one of the following modes:

·     NeedToKnowOnly: Allows only unicast packets with authenticated destination MAC addresses.

·     NeedToKnowWithBroadcast: Allows only unicast packets and broadcasts with authenticated destination MAC addresses.

·     NeedToKnowWithMulticast: Allows unicast packets, multicasts and broadcasts with authenticated destination MAC addresses.

Intrusion mode: Intrusion protection action mode, which can be one of the following modes:

·     BlockMacAddress: Adds the source MAC address of the illegal packet to the blocked MAC address list.

·     DisablePort: Shuts down the port that receives illegal packets permanently.

·     DisablePortTemporarily: Shuts down the port that receives illegal packets for some time.

·     NoAction: Performs no intrusion protection.

Max MAC address number: Maximum number of MAC addresses that port security allows on the port.

Stored MAC address number: Number of MAC addresses stored.

Authorization: Whether the authorization information from the server is ignored:

·     permitted: Authorization information from the RADIUS server takes effect.

·     ignored: Authorization information from the RADIUS server does not take effect.
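The following script is an added example, not part of the H3C reference: it parses the display port-security output shown above and flags ports whose settings leave port security ineffective (noRestriction mode, NoAction intrusion mode, no MAC address limit, NTK disabled). SAMPLE_OUTPUT is a constructed, abridged copy of the example output; the parser matches field names by regular expression so that both spellings of the intrusion mode field that appear in that output are accepted.

```python
"""Parse 'display port-security' output and flag ports whose settings leave them
effectively unprotected. Added example, not H3C code. SAMPLE_OUTPUT is a
constructed, abridged copy of the output shown in the reference."""
import re

SAMPLE_OUTPUT = """\
 Equipment port-security is enabled
 Intrusion trap is enabled
 Disableport Timeout: 20s
 OUI value:
   Index is 1,  OUI value is 000d1a
   Index is 2,  OUI value is 003c12

GigabitEthernet1/0/1 is link-down
    Port mode is userLoginWithOUI
    NeedToKnow mode is NeedToKnowOnly
    Intrusion Portection mode is DisablePort
    Max MAC address number is 50
    Stored MAC address number is 0
    Authorization is ignored
 GigabitEthernet1/0/2 is link-down
    Port mode is noRestriction
    NeedToKnow mode is disabled
    Intrusion mode is NoAction
    Max MAC address number is not configured
    Stored MAC address number is 0
    Authorization is permitted
"""

KEY_MAP = {  # field name as printed -> key in the parsed dict
    "Port mode": "port_mode",
    "NeedToKnow mode": "ntk_mode",
    "Intrusion mode": "intrusion_mode",
    "Intrusion Portection mode": "intrusion_mode",   # spelling used by the device output
    "Intrusion Protection mode": "intrusion_mode",
    "Max MAC address number": "max_mac",
    "Stored MAC address number": "stored_mac",
    "Authorization": "authorization",
}
PORT_HEADER = re.compile(r"^\s*(\S+) is (link-up|link-down)\s*$")
PORT_FIELD = re.compile(r"^\s+(" + "|".join(re.escape(k) for k in KEY_MAP) + r") is (.+?)\s*$")
ON_OFF = re.compile(r"^\s*(.+?) is (enabled|disabled)\s*$")
TIMEOUT = re.compile(r"Disableport Timeout:\s*(\d+)s")
OUI = re.compile(r"Index is (\d+),\s+OUI value is ([0-9a-fA-F]{6})")

def _count(value):
    return int(value) if value.isdigit() else None   # 'not configured' -> None (no limit)

def parse_port_security(text):
    """Return {'global': {...}, 'ports': {name: {...}}} parsed from the command output."""
    result = {"global": {"enabled": False, "traps": {}, "disableport_timeout": None, "oui": {}},
              "ports": {}}
    g, port = result["global"], None
    for line in text.splitlines():
        m = PORT_HEADER.match(line)
        if m:                                   # start of a per-port block
            port = result["ports"].setdefault(m.group(1), {"link": m.group(2)})
            continue
        if port is not None:                    # inside a per-port block
            m = PORT_FIELD.match(line)
            if m:
                key, value = KEY_MAP[m.group(1)], m.group(2)
                port[key] = _count(value) if key in ("max_mac", "stored_mac") else value
            continue
        m = ON_OFF.match(line)                  # global enable/trap lines
        if m:
            if m.group(1) == "Equipment port-security":
                g["enabled"] = m.group(2) == "enabled"
            else:
                g["traps"][m.group(1)] = m.group(2) == "enabled"
        elif TIMEOUT.search(line):
            g["disableport_timeout"] = int(TIMEOUT.search(line).group(1))
        elif OUI.search(line):
            m = OUI.search(line)
            g["oui"][int(m.group(1))] = m.group(2).lower()
    return result

def audit(parsed):
    """List (port, finding) pairs for settings under which port security does nothing useful."""
    findings = []
    if not parsed["global"]["enabled"]:
        findings.append(("global", "port security is disabled"))
    for name, p in parsed["ports"].items():
        if p.get("port_mode") == "noRestriction":
            findings.append((name, "noRestriction mode: port security is not in effect"))
        if p.get("intrusion_mode") == "NoAction":
            findings.append((name, "intrusion protection takes no action on illegal frames"))
        if p.get("max_mac") is None:
            findings.append((name, "no limit on the number of MAC addresses"))
        if p.get("ntk_mode") == "disabled":
            findings.append((name, "NTK disabled: outbound frames reach unauthenticated stations"))
    return findings

if __name__ == "__main__":
    for port, finding in audit(parse_port_security(SAMPLE_OUTPUT)):
        print(f"{port}: {finding}")
```

Run against the sample, GigabitEthernet1/0/1 produces no findings and GigabitEthernet1/0/2 produces four; feeding the real command output collected over a management session into parse_port_security gives the same structure for every port.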

 

display port-security mac-address block

Syntax

display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

2: System level

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies a VLAN by its ID, in the range 1 to 4094.

count: Displays only the count of the blocked MAC addresses.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display port-security mac-address block to display information about blocked MAC addresses.

With no keyword or argument specified, the command displays information about all blocked MAC addresses.

Related commands: port-security intrusion-mode.

Examples

# Display information about all blocked MAC addresses.

<Sysname> display port-security mac-address block

MAC ADDR             From Port                             VLAN ID

 000f-e280-d70c       GigabitEthernet1/0/1       1

 001b-11b8-12f4       GigabitEthernet1/0/1       1

 000f-e289-4071       GigabitEthernet1/0/1       1

 000f-e25b-48c4       GigabitEthernet1/0/1       1

 00e0-fc12-3456       GigabitEthernet1/0/1       1

 000f-e207-f2e0       GigabitEthernet1/0/1       1

 --- 6 mac address(es) found ---

# Display the count of all blocked MAC addresses.

<Sysname> display port-security mac-address block count

 

--- 6 mac address(es) found ---

# Display information about all blocked MAC addresses in VLAN 1.

<Sysname> display port-security mac-address block vlan 1

MAC ADDR             From Port                          VLAN ID

000f-e280-d70c       GigabitEthernet1/0/1       1

 001b-11b8-12f4       GigabitEthernet1/0/1       1

 000f-e289-4071       GigabitEthernet1/0/1       1

 000f-e25b-48c4       GigabitEthernet1/0/1       1

 00e0-fc12-3456       GigabitEthernet1/0/1       1

 000f-e207-f2e0       GigabitEthernet1/0/1       1

 --- 6 mac address(es) found ---

# Display information about all blocked MAC addresses of port GigabitEthernet 1/0/1.

<Sysname> display port-security mac-address block interface GigabitEthernet1/0/1

MAC ADDR             From Port                             VLAN ID

 000f-e280-d70c       GigabitEthernet1/0/1       1

 001b-11b8-12f4       GigabitEthernet1/0/1       1

 000f-e289-4071       GigabitEthernet1/0/1       1

 000f-e25b-48c4       GigabitEthernet1/0/1       1

 00e0-fc12-3456       GigabitEthernet1/0/1       1

 000f-e207-f2e0       GigabitEthernet1/0/1       1

 --- 6 mac address(es) found  ---

# Display information about all blocked MAC addresses of port GigabitEthernet 1/0/1 in VLAN 1.

<Sysname> display port-security mac-address block interface GigabitEthernet 1/0/1 vlan 1

MAC ADDR             From Port                             VLAN ID

 000f-e280-d70c       GigabitEthernet1/0/1       1

 001b-11b8-12f4       GigabitEthernet1/0/1       1

 000f-e289-4071       GigabitEthernet1/0/1       1

 000f-e25b-48c4       GigabitEthernet1/0/1       1

 00e0-fc12-3456       GigabitEthernet1/0/1       1

 000f-e207-f2e0       GigabitEthernet1/0/1       1

 --- 6 mac address(es) found  ---

Table 2 Command output

MAC ADDR: Blocked MAC address.

From Port: Port that received frames whose source address is the blocked MAC address.

VLAN ID: ID of the VLAN to which the port belongs.

x mac address(es) found: Number of blocked MAC addresses.
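As an added example (not H3C code), the script below parses display port-security mac-address block output, checks that the trailer count agrees with the rows, and reports addresses that are newly blocked since an earlier snapshot. Because blocked addresses are released automatically after three minutes (see port-security intrusion-mode), a monitor that polls this command needs a diff of two snapshots rather than the raw list. Both snapshots are constructed.

```python
"""Parse 'display port-security mac-address block' output, check the trailer count
against the rows, and report addresses newly blocked since an earlier snapshot.
Added example, not H3C code; both snapshots below are constructed."""
import re
from collections import Counter

SNAPSHOT_1 = """\
MAC ADDR             From Port                             VLAN ID
 000f-e280-d70c       GigabitEthernet1/0/1       1
 001b-11b8-12f4       GigabitEthernet1/0/1       1
 000f-e289-4071       GigabitEthernet1/0/1       1
 --- 3 mac address(es) found ---
"""
# Constructed "later" snapshot: one entry has aged out of the block list and one
# new address was blocked on another port.
SNAPSHOT_2 = """\
MAC ADDR             From Port                             VLAN ID
 001b-11b8-12f4       GigabitEthernet1/0/1       1
 000f-e289-4071       GigabitEthernet1/0/1       1
 0000-1234-abcd       GigabitEthernet1/0/2       20
 --- 3 mac address(es) found ---
"""

ROW = re.compile(r"^\s*([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\S+)\s+(\d+)\s*$", re.I)
TRAILER = re.compile(r"---\s*(\d+) mac address\(es\) found\s*---")


def parse_blocked(text):
    """Return [(mac, port, vlan_id), ...]; raise if the trailer count disagrees with the rows."""
    rows, reported = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1).lower(), m.group(2), int(m.group(3))))
        elif TRAILER.search(line):
            reported = int(TRAILER.search(line).group(1))
    if reported is not None and reported != len(rows):
        raise ValueError(f"trailer reports {reported} entries but {len(rows)} rows were parsed")
    return rows


def blocked_per_port(rows):
    """Counter of blocked addresses keyed by (port, vlan_id)."""
    return Counter((port, vlan) for _, port, vlan in rows)


def newly_blocked(before, after):
    """Entries present in 'after' but not in 'before': the events worth alerting on."""
    return sorted(set(after) - set(before))


if __name__ == "__main__":
    first, second = parse_blocked(SNAPSHOT_1), parse_blocked(SNAPSHOT_2)
    print("per port:", dict(blocked_per_port(second)))
    print("new since last poll:", newly_blocked(first, second))
```

The count check matters when output is collected over a paged or interrupted session: a truncated capture would otherwise look like a shorter block list.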

 

display port-security preshared-key user

Syntax

display port-security preshared-key user [ interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

2: System level

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display port-security preshared-key user to display information about pre-shared key (PSK) users on a specific port or all PSK users.

If the interface interface-type interface-number parameters are not provided, the command displays information about PSK users on all ports.

Examples

# Display information about PSK users on all ports.

<Sysname> display port-security preshared-key user

  Index     Mac-Address    VlanID     Interface

-----------------------------------------------------

      0  000a-eba2-7f9d        1       WLAN-DBSS1:0

      1  000a-eba2-7f9d        2       WLAN-DBSS1:1

# Display information about PSK users on the WLAN-DBSS port.

<Sysname> display port-security preshared-key user interface WLAN-ESS 1

<Sysname> display port-security preshared-key user interface WLAN-DBSS1:0

  Index     Mac-Address    VlanID     Interface

-----------------------------------------------------

      0  000a-eba2-7f9d        1       WLAN-DBSS1:0

Table 3 Command output

Index: Index of the user.

Mac-Address: MAC address of the user.

VlanID: VLAN ID of the user.

Interface: Port that the user accesses.

 

port-security authorization ignore

Syntax

port-security authorization ignore

undo port-security authorization ignore

View

Layer 2 Ethernet interface view, WLAN-ESS interface view

Default level

2: System level

Parameters

None

Description

Use port-security authorization ignore to configure a port to ignore the authorization information from the authentication server.

Use undo port-security authorization ignore to restore the default.

By default, a port uses the authorization information from the authentication server.

After a user passes authentication, the server performs authorization based on the authorization attributes configured for the user's account. For example, it may assign a VLAN.

Related commands: display port-security.

Examples

# Configure port GigabitEthernet 1/0/1 to ignore the authorization information from the authentication server.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security authorization ignore

port-security enable

Syntax

port-security enable

undo port-security enable

View

System view

Default level

2: System level

Parameters

None

Description

Use port-security enable to enable port security.

Use undo port-security enable to disable port security.

By default, port security is enabled.

You must disable global 802.1X and MAC authentication before you enable port security on a port.

Enabling or disabling port security resets the following security settings to the default:

·     802.1X access control mode is MAC-based, and the port authorization state is auto.

·     Port security mode is noRestrictions.

When port security is enabled, you cannot manually enable 802.1X or MAC authentication, or change the access control mode or port authorization state. The port security automatically modifies these settings in different security modes.

You cannot disable port security when online users are present.

Related commands: display port-security, dot1x, and mac-authentication.

Examples

# Enable port security.

<Sysname> system-view

[Sysname] port-security enable

port-security intrusion-mode

Syntax

port-security intrusion-mode { blockmac | disableport | disableport-temporarily }

undo port-security intrusion-mode

View

Layer 2 Ethernet interface view, WLAN-ESS interface view

Default level

2: System level

Parameters

blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. This implements illegal traffic filtering on the port. A blocked MAC address is restored to normal after being blocked for three minutes, which is fixed and cannot be changed. To view the blocked MAC address list, use the display port-security mac-address block command.

disableport: Disables the port permanently upon detecting an illegal frame received on the port. This keyword is not supported on WLAN-ESS interfaces.

disableport-temporarily: Disables the port for a specific period of time whenever it receives an illegal frame. Use port-security timer disableport to set the period.

Description

Use port-security intrusion-mode to configure the intrusion protection feature so that the port takes the pre-defined actions when intrusion protection is triggered on the port.

Use undo port-security intrusion-mode to restore the default.

By default, intrusion protection is disabled.

To restore the connection of the port, use the undo shutdown command.

Related commands: display port-security, display port-security mac-address block, and port-security timer disableport.

Examples

# Configure port GigabitEthernet 1/0/1 to block the source MAC addresses of illegal frames after intrusion protection is triggered.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode blockmac

port-security max-mac-count

Syntax

port-security max-mac-count count-value

undo port-security max-mac-count

View

Ethernet interface view, WLAN-ESS interface view, WLAN-MESH interface view

Default level

2: System level

Parameters

count-value: Specifies the maximum number of MAC addresses that port security allows on the port. The value is in the range of 1 to 1024.

Description

Use port-security max-mac-count to set the maximum number of MAC addresses that port security allows on a port.

Use undo port-security max-mac-count to restore the default setting.

By default, port security has no limit on the number of MAC addresses on a port.

In a mode that enables 802.1X, MAC authentication, or both, this command sets the maximum number of authenticated MAC addresses on the port. The actual maximum number of concurrent users that the port accepts equals this limit or the authentication method's limit on the number of concurrent users, whichever is smaller. For example, in userLoginSecureExt mode, if 802.1X allows more concurrent users than port security's limit on the number of MAC addresses, port security's limit takes effect.

You cannot change port security's limit on the number of MAC addresses when the port is a wireless port that has online users.

Related commands: display port-security.

Examples

# Set port security's limit on the number of MAC addresses to 100 on port GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security max-mac-count 100

port-security ntk-mode

Syntax

port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }

undo port-security ntk-mode

View

Layer 2 Ethernet interface view, WLAN-ESS interface view

Default level

2: System level

Parameters

ntk-withbroadcasts: Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses.

ntk-withmulticasts: Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses.

ntkonly: Forwards only unicast frames with authenticated destination MAC addresses.

Description

Use port-security ntk-mode to configure the NTK feature.

Use undo port-security ntk-mode to restore the default.

By default, NTK is disabled on a port and all frames are allowed to be sent.

The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow frames to be sent to only devices passing authentication, preventing illegal devices from intercepting network traffic.

If a wireless port has online users, you cannot change its NTK settings.

Related commands: display port-security.

Examples

# Set the NTK mode of port GigabitEthernet 1/0/1 to ntkonly, allowing the port to forward received packets to only devices passing authentication.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security ntk-mode ntkonly
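The following Python model is an added example (not H3C code) of the NTK decision described above: for each NTK mode it decides whether an outbound frame is sent, given the set of MAC addresses that have passed authentication on the port. The per-mode rules are the ones stated for ntkonly, ntk-withbroadcasts and ntk-withmulticasts; the frame classification is standard IEEE 802 (all-ones destination is broadcast, I/G bit of the first octet set is multicast). The station addresses in the demo are constructed.

```python
"""Model the need-to-know (NTK) egress check: given a port's NTK mode and an
outbound frame, decide whether the frame is sent. Added example, not H3C code."""

NTK_MODES = ("ntkonly", "ntk-withbroadcasts", "ntk-withmulticasts")


def normalize(mac):
    """'000f-e280-d70c' / '00:0f:e2:80:d7:0c' -> '000fe280d70c'."""
    return mac.replace("-", "").replace(":", "").lower()


def frame_kind(dst_mac):
    """Classify by destination address: broadcast, multicast (I/G bit set) or unicast."""
    mac = normalize(dst_mac)
    if mac == "ffffffffffff":
        return "broadcast"
    return "multicast" if int(mac[:2], 16) & 0x01 else "unicast"


def ntk_allows(mode, dst_mac, authenticated):
    """mode: one of NTK_MODES, or None when NTK is disabled (all frames are sent).
    authenticated: set of normalized MAC addresses that passed authentication on the port."""
    if mode is None:
        return True
    if mode not in NTK_MODES:
        raise ValueError(f"unknown NTK mode {mode!r}")
    kind = frame_kind(dst_mac)
    if kind == "unicast":                       # every mode: only authenticated destinations
        return normalize(dst_mac) in authenticated
    if kind == "broadcast":                     # ntkonly drops broadcasts
        return mode in ("ntk-withbroadcasts", "ntk-withmulticasts")
    return mode == "ntk-withmulticasts"         # multicast: only the widest mode


if __name__ == "__main__":
    # Constructed scenario: one authenticated station and four kinds of outbound frame.
    auth = {normalize("000f-e280-d70c")}
    frames = {"to authenticated station": "000f-e280-d70c",
              "to unknown station": "0000-1234-abcd",
              "ARP request (broadcast)": "ffff-ffff-ffff",
              "IPv4 multicast": "0100-5e00-0001"}
    for mode in (None,) + NTK_MODES:
        sent = [name for name, dst in frames.items() if ntk_allows(mode, dst, auth)]
        print(f"{mode or 'disabled':20} sends: {sent}")
```

The table the demo prints makes the trade-off visible: ntkonly is the tightest setting but also drops broadcast frames such as ARP requests, so check which protocols the stations behind the port rely on before choosing it over ntk-withbroadcasts.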

port-security oui

Syntax

port-security oui oui-value index index-value

undo port-security oui index index-value

View

System view

Default level

2: System level

Parameters

oui-value: Specifies an organizationally unique identifier (OUI) string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value.

index-value: Specifies the OUI index, in the range 1 to 16.

Description

Use port-security oui to configure an OUI value for user authentication. This value is used when the port security mode is userLoginWithOUI.

Use undo port-security oui to delete the OUI value with the specified OUI index.

By default, no OUI value is configured.

An OUI, the first 24 binary bits of a MAC address, is assigned by IEEE to uniquely identify a device vendor. Use this command when you configure a device to allow packets from certain wired devices to pass authentication or to allow packets from certain wireless devices to initiate authentication. For example, when a company allows only IP phones of vendor A in the Intranet, use this command to set the OUI of vendor A.

Related commands: display port-security.

Examples

# Configure an OUI value of 000d2a, setting the index to 4.

<Sysname> system-view

[Sysname] port-security oui 000d-2a10-0033 index 4
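As an added example (not H3C code), the script below derives the OUI the device keeps from a MAC address entered in H-H-H format, as in the command above, and models the userLoginWithOUI check: a frame whose source MAC carries a configured OUI is permitted without 802.1X authentication. OuiTable is a model of the command's effect, not the device's data structure; that re-using an index replaces the earlier entry is an assumption of the model.

```python
"""Derive the 24-bit OUI from an H-H-H MAC address and model the OUI list that
'port-security oui' maintains. Added example, not H3C code."""


def oui_from_hhh(mac_hhh):
    """'000d-2a10-0033' -> '000d2a': the 24 high-order bits, as display port-security shows them."""
    digits = mac_hhh.replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not an H-H-H MAC address: {mac_hhh!r}")
    return digits[:6]


class OuiTable:
    """The system-view OUI list: entries addressed by index 1-16."""
    MAX_INDEX = 16

    def __init__(self):
        self._entries = {}

    def add(self, mac_hhh, index):
        """port-security oui <mac_hhh> index <index> (assumption: a re-used index is replaced)."""
        if not 1 <= index <= self.MAX_INDEX:
            raise ValueError(f"index {index} outside 1-{self.MAX_INDEX}")
        self._entries[index] = oui_from_hhh(mac_hhh)

    def remove(self, index):
        """undo port-security oui index <index>."""
        self._entries.pop(index, None)

    def entries(self):
        return dict(self._entries)

    def permits(self, src_mac):
        """True when the frame's source OUI is in the list (the userLoginWithOUI shortcut)."""
        return oui_from_hhh(src_mac) in self._entries.values()


if __name__ == "__main__":
    table = OuiTable()
    table.add("000d-2a10-0033", 4)          # the command shown in the example above
    for src in ("000d-2a99-ffff", "000d-1a00-0001"):   # constructed source addresses
        print(src, "permitted by OUI" if table.permits(src) else "must authenticate")
```

An OUI identifies a vendor, not a device, so the OUI shortcut admits any station presenting that prefix; keep the list to the vendors whose devices cannot run 802.1X and leave the port's MAC address limit and intrusion protection in place alongside it.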

port-security port-mode

Syntax

port-security port-mode { mac-and-psk | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | psk | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-ext-or-psk | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }

undo port-security port-mode

View

Layer 2 Ethernet interface view, WLAN-ESS interface view, WLAN-MESH interface view

Default level

2: System level

Parameters

Keyword (security mode): Description

mac-and-psk (macAddressAndPresharedKey): In this mode, a user must pass MAC authentication and then use the pre-configured PSK to negotiate with the device. Only when the negotiation succeeds can the user access the device.

mac-authentication (macAddressWithRadius): In this mode, a port performs MAC authentication for users and services multiple users.

mac-else-userlogin-secure (macAddressElseUserLoginSecure): This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority.

·     Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication.

·     Upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.

mac-else-userlogin-secure-ext (macAddressElseUserLoginSecureExt): Similar to the macAddressElseUserLoginSecure mode, except that a port in this mode supports multiple 802.1X and MAC authentication users.

psk (presharedKey): In this mode, a user must use a pre-configured static key, also called "the PSK," to negotiate with the device and can access the port only after the negotiation succeeds.

secure (secure): In this mode, MAC address learning is disabled on the port and you can configure MAC addresses by using the mac-address static and mac-address dynamic commands. The port permits only frames sourced from secure MAC addresses and MAC addresses you manually configured by using the mac-address static and mac-address dynamic commands.

userlogin (userLogin): In this mode, a port performs 802.1X authentication and implements port-based access control. If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication.

userlogin-secure (userLoginSecure): In this mode, a port performs 802.1X authentication and implements MAC-based access control. It services only one user passing 802.1X authentication.

userlogin-secure-ext (userLoginSecureExt): Similar to the userLoginSecure mode, except that this mode supports multiple online 802.1X users.

userlogin-secure-ext-or-psk (userLoginSecureExtOrPresharedKey): In this mode, a user interacts with the device, choosing either to undergo userLoginSecure mode authentication or to use the PSK to negotiate with the device.

userlogin-secure-or-mac (macAddressOrUserLoginSecure): This mode is the combination of the userLoginSecure and macAddressWithRadius modes.

·     For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames.

·     For wireless users, the port performs 802.1X authentication first. If 802.1X authentication fails, MAC authentication is performed.

userlogin-secure-or-mac-ext (macAddressOrUserLoginSecureExt): Similar to the macAddressOrUserLoginSecure mode, except that a port in this mode supports multiple 802.1X and MAC authentication users.

userlogin-withoui (userLoginWithOUI): Similar to the userLoginSecure mode. In addition, a port in this mode also permits frames from a user whose MAC address contains a specific OUI (organizationally unique identifier).

·     For wired users, the port performs 802.1X authentication upon receiving 802.1X frames, and performs the OUI check upon receiving non-802.1X frames.

·     For wireless users, the port performs the OUI check first. If the OUI check fails, the port performs 802.1X authentication.

Description

Use port-security port-mode to set the port security mode of a port.

Use undo port-security port-mode to restore the default.

By default, a port operates in noRestrictions mode, where port security does not take effect.

To change the security mode of a port security enabled port, you must set the port in noRestrictions mode first. When the port has online users, you cannot change the port security mode.

When port security is enabled, you cannot manually enable 802.1X or MAC authentication, or change the access control mode or port authorization state. The port security automatically modifies these settings in different security modes.

The support of ports for security modes varies:

·     The presharedKey, macAddressAndPresharedKey, and userLoginSecureExtOrPresharedKey modes apply to only WLAN-ESS ports.

·     The secure and userLogin modes apply to only Layer 2 Ethernet ports.

·     The userLoginWithOUI mode applies to only Layer 2 Ethernet ports and WLAN-ESS ports.

Table 4 Port security modes supported by different types of ports

Layer 2 Ethernet port: mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext, secure, userlogin, userlogin-secure, userlogin-secure-ext, userlogin-secure-or-mac, userlogin-secure-or-mac-ext, userlogin-withoui

WLAN-ESS port: mac-and-psk, mac-authentication, mac-else-userlogin-secure, mac-else-userlogin-secure-ext, psk, userlogin-secure, userlogin-secure-ext, userlogin-secure-ext-or-psk, userlogin-secure-or-mac, userlogin-secure-or-mac-ext, userlogin-withoui

WLAN-MESH port: psk

Related commands: display port-security.

Examples

# Enable port security and set port GigabitEthernet 1/0/1 in secure mode.

<Sysname> system-view

[Sysname] port-security enable

[Sysname] interface GigabitEthernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security port-mode secure

# Change the port security mode of port GigabitEthernet 1/0/1 to userLogin.

[Sysname-GigabitEthernet1/0/1] undo port-security port-mode

[Sysname-GigabitEthernet1/0/1] port-security port-mode userlogin

# Set port WLAN-ESS 1 to operate in userLoginSecure mode.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] port-security port-mode userlogin-secure

port-security preshared-key

Syntax

port-security preshared-key { pass-phrase | raw-key } [ cipher | simple ] key

undo port-security preshared-key

View

WLAN-ESS interface view, WLAN-MESH interface view

Default level

2: System level

Parameters

pass-phrase: Enters a PSK in the form of a character string.

raw-key: Enters a PSK in the form of a hexadecimal number.

[ cipher | simple ] key: Specifies a PSK.

·     The cipher key option specifies an encrypted PSK, which is saved in cipher text. You can input a character or hexadecimal string of 12, 24, 32, 44, 64, 76, 88, or 96 characters for the key argument.

·     The simple key option specifies a plain text PSK, which is saved in plain text. You can input a character string of 8 to 63 displayable characters or a hexadecimal string of 64 characters for the key argument.

·     If neither cipher nor simple is specified, you set a plain text key to be saved in cipher text. The key can be a character string of 8 to 63 displayable characters or a hexadecimal string of 64 characters.

Description

Use port-security preshared-key to configure a PSK.

Use undo port-security preshared-key to remove the PSK.

By default, no PSK is configured.

Examples

# Configure the plain text PSK abcdefgh on port WLAN-ESS 1.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] port-security preshared-key pass-phrase simple abcdefgh

[Sysname-WLAN-ESS1] display this

#

interface WLAN-ESS1

port-security preshared-key pass-phrase simple abcdefgh

# Configure the hexadecimal string 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef as the PSK on port WLAN-ESS 1.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] port-security preshared-key raw-key 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef

[Sysname-WLAN-ESS1] display this

#

interface WLAN-ESS1

port-security preshared-key pass-phrase raw-key cipher wrWR2LZofLwr2ACYLngxuQ9pYV1V9LLZJd50n2zqJ8+SjvGtjYslb87B/RypUlYIaHKVcKH/JjPqC0NbNE+qzQ6Ap/wd97Ei

# Configure PSK in cipher text wrWR2LZofLzlEY9ZdYsidw== on port WLAN-ESS 1.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] port-security preshared-key raw-key cipher wrWR2LZofLzlEY9ZdYsidw==

[Sysname-WLAN-ESS1] display this

#

interface WLAN-ESS1

port-security preshared-key pass-phrase cipher wrWR2LZofLzlEY9ZdYsidw==
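The script below is an added example (not H3C code) that serves the port-security port-mode, port-security intrusion-mode, port-security max-mac-count, port-security oui, port-security timer disableport and port-security preshared-key sections above: it lints a configuration snippet against the constraints those sections state, namely which port-mode keywords each port type supports (Table 4), disableport not being available on WLAN-ESS ports, the 1 to 1024 max-mac-count range, the 20 to 300 second disableport timer, the 1 to 16 OUI index range, and the PSK length and format rules. The configuration text is constructed, and port types are inferred from interface names (an assumption: anything that is not WLAN-ESS or WLAN-MESH is treated as a Layer 2 Ethernet port).

```python
"""Lint port-security configuration lines against the constraints stated in this
reference. Added example, not H3C code; SAMPLE_CONFIG is constructed and port
types are inferred from interface names (assumption: non-WLAN names are Layer 2
Ethernet ports)."""
import re

SUPPORTED_MODES = {  # Table 4
    "ethernet": {"mac-authentication", "mac-else-userlogin-secure",
                 "mac-else-userlogin-secure-ext", "secure", "userlogin", "userlogin-secure",
                 "userlogin-secure-ext", "userlogin-secure-or-mac",
                 "userlogin-secure-or-mac-ext", "userlogin-withoui"},
    "wlan-ess": {"mac-and-psk", "mac-authentication", "mac-else-userlogin-secure",
                 "mac-else-userlogin-secure-ext", "psk", "userlogin-secure",
                 "userlogin-secure-ext", "userlogin-secure-ext-or-psk",
                 "userlogin-secure-or-mac", "userlogin-secure-or-mac-ext", "userlogin-withoui"},
    "wlan-mesh": {"psk"},
}
CIPHER_KEY_LENGTHS = {12, 24, 32, 44, 64, 76, 88, 96}   # cipher keyword, see preshared-key
HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")

SAMPLE_CONFIG = """\
port-security enable
port-security timer disableport 30
port-security oui 000d-2a10-0033 index 4
interface GigabitEthernet1/0/1
 port-security port-mode psk
 port-security intrusion-mode disableport
 port-security max-mac-count 2000
interface WLAN-ESS1
 port-security port-mode userlogin
 port-security intrusion-mode disableport
 port-security preshared-key pass-phrase simple abc
interface WLAN-MESH1
 port-security port-mode psk
 port-security preshared-key raw-key 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
"""


def port_type(ifname):
    name = ifname.upper()
    if name.startswith("WLAN-ESS"):
        return "wlan-ess"
    if name.startswith("WLAN-MESH"):
        return "wlan-mesh"
    return "ethernet"


def psk_is_valid(form, storage, key):
    """form: pass-phrase | raw-key; storage: cipher | simple | None (plain input, cipher storage)."""
    if storage == "cipher":
        return len(key) in CIPHER_KEY_LENGTHS
    if form == "raw-key":
        return bool(HEX64.match(key))
    return 8 <= len(key) <= 63 and key.isprintable()


def lint(config_text):
    """Return [(context, message), ...]; context is the interface name or 'system'."""
    findings, iface, ptype = [], None, None
    for raw in config_text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "interface":
            iface = "".join(tok[1:])          # 'interface wlan-ess 1' -> 'wlan-ess1'
            ptype = port_type(iface)
            continue
        if tok[0] != "port-security":
            continue
        where, cmd, args = iface or "system", tok[1], tok[2:]
        if cmd == "port-mode" and ptype and args[0] not in SUPPORTED_MODES[ptype]:
            findings.append((where, f"port-mode {args[0]} is not supported on {ptype} ports"))
        elif cmd == "intrusion-mode" and args[0] == "disableport" and ptype == "wlan-ess":
            findings.append((where, "intrusion-mode disableport is not supported on WLAN-ESS ports"))
        elif cmd == "max-mac-count" and not 1 <= int(args[0]) <= 1024:
            findings.append((where, f"max-mac-count {args[0]} is outside 1-1024"))
        elif cmd == "timer" and args[0] == "disableport" and not 20 <= int(args[1]) <= 300:
            findings.append((where, f"timer disableport {args[1]} is outside 20-300 seconds"))
        elif cmd == "oui" and not 1 <= int(args[2]) <= 16:
            findings.append((where, f"oui index {args[2]} is outside 1-16"))
        elif cmd == "preshared-key":
            form = args[0]
            storage = args[1] if args[1] in ("cipher", "simple") else None
            key = args[2] if storage else args[1]
            if ptype not in ("wlan-ess", "wlan-mesh"):
                findings.append((where, "preshared-key applies only to WLAN-ESS and WLAN-MESH ports"))
            elif not psk_is_valid(form, storage, key):
                findings.append((where, f"preshared-key {form} {storage or '(default)'}: invalid key length or format"))
    return findings


if __name__ == "__main__":
    for where, msg in lint(SAMPLE_CONFIG):
        print(f"{where}: {msg}")
```

The sample produces five findings: two on GigabitEthernet1/0/1 (psk mode on an Ethernet port, max-mac-count above 1024) and three on WLAN-ESS1 (userlogin mode, disableport, and an eight-character minimum not met by the PSK), while the WLAN-MESH1 lines and the system-view timer and OUI lines pass. The device rejects most of these at the CLI, but running the check before a change window catches them in templates and automation scripts as well.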

port-security remote-auth-proxy enable

Syntax

port-security remote-auth-proxy enable

undo port-security remote-auth-proxy enable

View

WLAN-ESS interface view

Default level

2: System level

Parameters

None

Description

Use port-security remote-auth-proxy enable to enable the remote authentication proxy function on a WLAN-ESS interface. After this function is enabled, the access device does not process 802.1X authentication requests received on the WLAN-ESS interface but transports the requests to the upstream device (the IAG card) for processing.

Use undo port-security remote-auth-proxy enable to restore the default.

By default, remote authentication proxy is disabled on a WLAN-ESS interface. The device processes the received 802.1X authentication requests.

The remote authentication proxy function is effective only in userLogin, userLoginSecure, and userLoginSecureExt modes.

Examples

# Enable remote authentication proxy on interface WLAN-ESS2.

<Sysname> system-view

[Sysname] interface wlan-ess 2

[Sysname-WLAN-ESS2] port-security remote-auth-proxy enable

port-security timer disableport

Syntax

port-security timer disableport time-value

undo port-security timer disableport

View

System view

Default level

2: System level

Parameters

time-value: Specifies the silence period during which the port remains disabled, in seconds. It is in the range of 20 to 300.

Description

Use port-security timer disableport to set the silence period during which the port remains disabled.

Use undo port-security timer disableport to restore the default.

By default, the silence period is 20 seconds.

If you configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame, use this command to set the silence period.

Related commands: display port-security.

Examples

# Configure the intrusion protection policy as disabling the port temporarily whenever it receives an illegal frame and set the silence period to 30 seconds.

<Sysname> system-view

[Sysname] port-security timer disableport 30

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily

port-security trap

Syntax

port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }

undo port-security trap { addresslearned | dot1xlogfailure | dot1xlogoff | dot1xlogon | intrusion | ralmlogfailure | ralmlogoff | ralmlogon }

View

System view

Default level

2: System level

Parameters

addresslearned: Enables MAC address learning traps. The port security module sends traps when a port learns a new MAC address.

dot1xlogfailure: Enables 802.1X authentication failure traps. The port security module sends traps when an 802.1X authentication fails.

dot1xlogon: Enables 802.1X authentication success traps. The port security module sends traps when an 802.1X authentication is passed.

dot1xlogoff: Enables 802.1X user logoff event traps. The port security module sends traps when an 802.1X user is logged off.

intrusion: Enables intrusion traps. The port security module sends traps when it detects illegal frames.

ralmlogfailure: Enables MAC authentication failure traps. The port security module sends traps when a MAC authentication fails.

ralmlogoff: Enables MAC authentication user logoff traps. The port security module sends traps when a MAC authentication user is logged off.

ralmlogon: Enables MAC authentication success traps. The port security module sends traps when a MAC authentication is passed.

 

 

NOTE: RALM (RADIUS Authenticated Login using MAC-address) means RADIUS authentication based on MAC address.

 

Description

Use port-security trap to enable port security traps.

Use undo port-security trap to disable port security traps.

By default, port security traps are disabled.

You can enable certain port security traps for monitoring user behaviors.

Related commands: display port-security.

Examples

# Enable MAC address learning traps.

<Sysname> system-view

[Sysname] port-security trap addresslearned

port-security tx-key-type 11key

Syntax

port-security tx-key-type 11key

undo port-security tx-key-type

View

WLAN-ESS interface view, WLAN-MESH interface view

Default level

2: System level

Parameters

None

Description

Use port-security tx-key-type 11key to enable 11key negotiation.

Use undo port-security tx-key-type to disable 11key negotiation.

By default, 11key negotiation is disabled.

Examples

# Enable 11key negotiation on port WLAN-ESS 1.

<Sysname> system-view

[Sysname] interface wlan-ess 1

[Sysname-WLAN-ESS1] port-security tx-key-type 11key
