13-User Access and Authentication Command Reference


Port security commands

The WX1800H series, WX2500H series, and WX3000H series access controllers do not support parameters or commands that are available only in IRF mode.

display port-security

Use display port-security to display port security configuration, operation information, and statistics for ports.

Syntax

display port-security [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays port security information for all ports.

Examples

# Display port security information for all ports.

<Sysname> display port-security
Global port security parameters:
   Port security          : Enabled
   AutoLearn aging time   : 0 min
   Disableport timeout    : 20 s
   MAC move               : Denied
   Authorization fail     : Online
   NAS-ID profile         : Not configured
   Dot1x-failure trap     : Disabled
   Dot1x-logon trap       : Disabled
   Dot1x-logoff trap      : Enabled
   Intrusion trap         : Disabled
   Address-learned trap   : Enabled
   Mac-auth-failure trap  : Disabled
   Mac-auth-logon trap    : Enabled
   Mac-auth-logoff trap   : Disabled
   OUI value list         :
    Index :  1           Value : 123401

 GigabitEthernet1/0/1 is link-up
   Port mode                      : userLogin
   NeedToKnow mode                : Disabled
   Intrusion protection mode      : NoAction
   Security MAC address attribute
       Learning mode              : Sticky
       Aging type                 : Periodical
   Max secure MAC addresses       : 32
   Current secure MAC addresses   : 0
   Authorization                  : Permitted
   NAS-ID profile                 : Not configured

Table 1 Command output

Port security
    Whether the port security feature is enabled.

AutoLearn aging time
    This field is not supported in the current software version.
    Sticky MAC address aging timer, in minutes.

Disableport timeout
    Silence period (in seconds) of the port that receives illegal packets.

MAC move
    Status of MAC move:
    ·     If the feature is enabled, this field displays Permitted.
    ·     If the feature is disabled, this field displays Denied.

Authorization fail
    Action to be taken for users that fail authorization:
    ·     Online—Allows the users to go online.
    ·     Offline—Logs off the users.

NAS-ID profile
    NAS-ID profile applied globally.

Dot1x-failure trap
    Whether SNMP notifications for 802.1X authentication failures are enabled.

Dot1x-logon trap
    Whether SNMP notifications for 802.1X authentication successes are enabled.

Dot1x-logoff trap
    Whether SNMP notifications for 802.1X authenticated user logoffs are enabled.

Intrusion trap
    Whether SNMP notifications for intrusion protection are enabled. If they are enabled, the device sends SNMP notifications after illegal packets are detected.

Address-learned trap
    Whether SNMP notifications for MAC address learning are enabled. If they are enabled, the device sends SNMP notifications after it learns a new MAC address.

Mac-auth-failure trap
    Whether SNMP notifications for MAC authentication failures are enabled.

Mac-auth-logon trap
    Whether SNMP notifications for MAC authentication successes are enabled.

Mac-auth-logoff trap
    Whether SNMP notifications for MAC authentication user logoffs are enabled.

OUI value list
    List of OUI values allowed for authentication.

Port mode
    Port security mode:
    ·     noRestrictions.
    ·     autoLearn.
    ·     macAddressWithRadius.
    ·     macAddressElseUserLoginSecure.
    ·     macAddressElseUserLoginSecureExt.
    ·     secure.
    ·     userLogin.
    ·     userLoginSecure.
    ·     userLoginSecureExt.
    ·     macAddressOrUserLoginSecure.
    ·     macAddressOrUserLoginSecureExt.
    ·     userLoginWithOUI.
    For more information about port security modes, see Security Configuration Guide.

NeedToKnow mode
    Need to know (NTK) mode:
    ·     NeedToKnowOnly—Allows only unicast packets with authenticated destination MAC addresses.
    ·     NeedToKnowWithBroadcast—Allows only unicast packets and broadcasts with authenticated destination MAC addresses.
    ·     NeedToKnowWithMulticast—Allows unicast packets, multicasts, and broadcasts with authenticated destination MAC addresses.
    ·     Disabled—NTK is disabled.

Intrusion protection mode
    Intrusion protection action:
    ·     BlockMacAddress—Adds the source MAC address of the illegal packet to the blocked MAC address list.
    ·     DisablePort—Shuts down the port that receives illegal packets permanently.
    ·     DisablePortTemporarily—Shuts down the port that receives illegal packets for some time.
    ·     NoAction—Does not perform intrusion protection.

Learning mode
    This field is not supported in the current software version.
    Secure MAC address learning mode:
    ·     Dynamic.
    ·     Sticky.

Aging type
    This field is not supported in the current software version.
    Secure MAC address aging type:
    ·     Periodical—Timer aging only.
    ·     Inactivity—Inactivity aging feature together with the aging timer.

Max secure MAC addresses
    Maximum number of secure MAC addresses (or online users) that port security allows on the port.

Current secure MAC addresses
    Number of secure MAC addresses stored.

Authorization
    Whether the authorization information from the authentication server (RADIUS server or local device) is ignored:
    ·     Permitted—Authorization information from the authentication server takes effect.
    ·     Ignored—Authorization information from the authentication server does not take effect.

NAS-ID profile
    NAS-ID profile applied to the port.
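The output above is what an operator would collect from many access controllers when auditing port security. The following script is an added example for this page, not H3C code: it parses the display port-security output shown above into global and per-port settings and flags settings under which intrusion events would go unreported or unhandled (intrusion trap disabled, intrusion protection set to NoAction, NTK disabled). The sample text is the output quoted above; the audit rules are this example's own assumptions about what a reviewer would want to see.

```python
"""Audit the text output of `display port-security`.

Added example for this reference page; it is not H3C code. The sample
output is the one shown on the page, and the audit rules (which settings
are treated as weak) are this example's own assumptions.
"""
import re

# Constructed sample: the `display port-security` output quoted on the page.
SAMPLE_OUTPUT = """\
Global port security parameters:
   Port security          : Enabled
   AutoLearn aging time   : 0 min
   Disableport timeout    : 20 s
   MAC move               : Denied
   Authorization fail     : Online
   NAS-ID profile         : Not configured
   Dot1x-failure trap     : Disabled
   Dot1x-logon trap       : Disabled
   Dot1x-logoff trap      : Enabled
   Intrusion trap         : Disabled
   Address-learned trap   : Enabled
   Mac-auth-failure trap  : Disabled
   Mac-auth-logon trap    : Enabled
   Mac-auth-logoff trap   : Disabled
   OUI value list         :
    Index :  1           Value : 123401

 GigabitEthernet1/0/1 is link-up
   Port mode                      : userLogin
   NeedToKnow mode                : Disabled
   Intrusion protection mode      : NoAction
   Security MAC address attribute
       Learning mode              : Sticky
       Aging type                 : Periodical
   Max secure MAC addresses       : 32
   Current secure MAC addresses   : 0
   Authorization                  : Permitted
   NAS-ID profile                 : Not configured
"""

PORT_HEADER = re.compile(r"^\s*(\S+) is (link-up|link-down)\s*$")
KEY_VALUE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")
OUI_ENTRY = re.compile(r"Index\s*:\s*(\d+)\s+Value\s*:\s*([0-9a-fA-F]{6})")


def parse_port_security(text):
    """Return (global_params, ports): ports maps a port name to its settings."""
    glob, ports, ouis = {}, {}, {}
    current = glob                      # section currently being filled
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PORT_HEADER.match(line)
        if m:                           # "<port> is link-up" starts a port section
            current = ports.setdefault(m.group(1), {"link": m.group(2)})
            continue
        m = OUI_ENTRY.search(line)
        if m:                           # "Index : 1  Value : 123401"
            ouis[int(m.group(1))] = m.group(2).lower()
            continue
        m = KEY_VALUE.match(line)
        if m and m.group(2):            # skip labels with no value, e.g. "OUI value list :"
            current[m.group(1)] = m.group(2)
    glob["OUI value list"] = ouis
    return glob, ports


def audit(glob, ports):
    """Findings where events would go unreported or unhandled (example rules)."""
    findings = []
    if glob.get("Port security") != "Enabled":
        findings.append("global: port security is disabled")
    if glob.get("Intrusion trap") != "Enabled":
        findings.append("global: intrusion SNMP notifications are disabled")
    if (glob.get("Dot1x-failure trap") != "Enabled"
            or glob.get("Mac-auth-failure trap") != "Enabled"):
        findings.append("global: authentication-failure notifications are disabled")
    for name, port in ports.items():
        if port.get("Port mode") in (None, "noRestrictions"):
            continue                    # port security does not apply to this port
        if port.get("Intrusion protection mode") == "NoAction":
            findings.append(f"{name}: intrusion protection takes no action")
        if port.get("NeedToKnow mode") == "Disabled":
            findings.append(f"{name}: NTK disabled, outbound frames are unrestricted")
        if port.get("Authorization") == "Ignored":
            findings.append(f"{name}: server authorization attributes are ignored")
    return findings


if __name__ == "__main__":
    g, p = parse_port_security(SAMPLE_OUTPUT)
    for f in audit(g, p):
        print(f)
```

Run against the sample, the audit reports four findings: the intrusion and authentication-failure notifications are disabled globally, and GigabitEthernet1/0/1 has intrusion protection set to NoAction and NTK disabled. The parser keys on the "name : value" layout and on the "<port> is link-up" header, so it tolerates the extra fields that other software versions print.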

 

display port-security mac-address block

Use display port-security mac-address block to display information about blocked MAC addresses.

Syntax

display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies a VLAN by its ID. The value range is 1 to 4094.

count: Displays only the count of the blocked MAC addresses.

Usage guidelines

If you do not specify any parameters, this command displays information about all blocked MAC addresses.

Examples

# (In standalone mode.) Display information about all blocked MAC addresses.

<Sysname> display port-security mac-address block
 MAC ADDR             Port                         VLAN ID
 0002-0002-0002      GE1/0/1                     1
 000d-88f8-0577      GE1/0/1                     1

 ---  2 mac address(es) found  ---

# (In IRF mode.) Display information about all blocked MAC addresses.

<Sysname> display port-security mac-address block
 MAC ADDR             Port                         VLAN ID

 --- On slot 0, no MAC address found ---
 MAC ADDR              Port                        VLAN ID
 000f-3d80-0d2d       GE1/0/1                    30

 --- On slot 1, 1 MAC address(es) found ---

 --- 1 mac address(es) found ---

# (In standalone mode.) Display the count of all blocked MAC addresses.

<Sysname> display port-security mac-address block count

--- 2 mac address(es) found ---

# (In IRF mode.) Display the count of all blocked MAC addresses.

<Sysname> display port-security mac-address block count

--- On slot 0, no MAC address found ---

--- On slot 1, 1 MAC address(es) found ---

--- 1 mac address(es) found ---

Table 2 Command output

Field                          Description
MAC ADDR                       Blocked MAC address.
Port                           Port that received frames sourced from the blocked MAC address.
VLAN ID                        ID of the VLAN to which the port belongs.
number mac address(es) found   Number of blocked MAC addresses.

 

Related commands

port-security intrusion-mode

display port-security mac-address security

Use display port-security mac-address security to display information about secure MAC addresses.

Syntax

display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies a VLAN by its ID. The value range is 1 to 4094.

count: Displays only the count of the secure MAC addresses.

Usage guidelines

Secure MAC addresses are those that are automatically learned by the port in autoLearn mode or configured by the port-security mac-address security command.

If you do not specify any parameters, this command displays information about all secure MAC addresses.

Examples

# Display information about all secure MAC addresses.

<Sysname> display port-security mac-address security
 MAC ADDR         VLAN ID  STATE          PORT INDEX                      AGING TIME
 0002-0002-0002  1         Security       GE1/0/1                         NOAGED
 000d-88f8-0577  1         Security       GE1/0/1                         NOAGED

 ---  2 mac address(es) found  ---

# Display only the count of the secure MAC addresses.

<Sysname> display port-security mac-address security count

 ---  2 mac address(es) found

Table 3 Command output

Field                          Description
MAC ADDR                       Secure MAC address.
VLAN ID                        ID of the VLAN to which the port belongs.
STATE                          Type of the MAC address. This field displays Security for a secure MAC address.
PORT INDEX                     Port to which the secure MAC address belongs.
AGING TIME                     The remaining amount of time before the secure MAC address ages out.
                               For a static secure MAC address, this field displays NOAGED.
number mac address(es) found   Number of secure MAC addresses stored.
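Both the blocked-MAC table (Table 2) and the secure-MAC table (Table 3) are plain column layouts, and in IRF mode the blocked-MAC output interleaves per-slot summary lines with the rows. The parser below is an added example written for this page, not H3C code: it turns both outputs into records suitable for export to a SIEM or for comparison against an inventory, keeps the IRF slot counters separately from the rows, and cross-checks the parsed row count against the "N mac address(es) found" summary so that a truncated capture is detected rather than silently under-reported. The sample outputs are the ones quoted on this page.

```python
"""Parse the tables printed by `display port-security mac-address block`
and `display port-security mac-address security`.

Added example for this reference page; not H3C code. The sample outputs
are copied from the page; the parsers assume the column layout shown there.
"""
import re

# Constructed samples: outputs quoted on the page.
BLOCK_OUTPUT_STANDALONE = """\
 MAC ADDR             Port                         VLAN ID
 0002-0002-0002      GE1/0/1                     1
 000d-88f8-0577      GE1/0/1                     1

 ---  2 mac address(es) found  ---
"""

BLOCK_OUTPUT_IRF = """\
 MAC ADDR             Port                         VLAN ID

 --- On slot 0, no MAC address found ---
 MAC ADDR              Port                        VLAN ID
 000f-3d80-0d2d       GE1/0/1                    30

 --- On slot 1, 1 MAC address(es) found ---

 --- 1 mac address(es) found ---
"""

SECURITY_OUTPUT = """\
 MAC ADDR         VLAN ID  STATE          PORT INDEX                      AGING TIME
 0002-0002-0002  1         Security       GE1/0/1                         NOAGED
 000d-88f8-0577  1         Security       GE1/0/1                         NOAGED

 ---  2 mac address(es) found  ---
"""

MAC = r"[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"      # H-H-H format
BLOCK_ROW = re.compile(rf"^\s*({MAC})\s+(\S+)\s+(\d+)\s*$")
SECURE_ROW = re.compile(rf"^\s*({MAC})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
SLOT_SUMMARY = re.compile(r"On slot (\d+), (no|\d+) MAC address")
TOTAL = re.compile(r"---\s*(\d+) mac address\(es\) found", re.IGNORECASE)


def _check_total(total, rows):
    """A summary count that disagrees with the rows means a truncated capture."""
    if total is not None and total != len(rows):
        raise ValueError(f"summary reports {total} entries, parsed {len(rows)}")


def parse_blocked(text):
    """Return (rows, slots): rows are blocked entries, slots maps IRF slot -> count."""
    rows, slots, total = [], {}, None
    for line in text.splitlines():
        m = BLOCK_ROW.match(line)
        if m:
            rows.append({"mac": m.group(1).lower(), "port": m.group(2),
                         "vlan": int(m.group(3))})
            continue
        m = SLOT_SUMMARY.search(line)          # IRF per-slot line, not a row
        if m:
            slots[int(m.group(1))] = 0 if m.group(2) == "no" else int(m.group(2))
            continue
        m = TOTAL.search(line)
        if m:
            total = int(m.group(1))
    _check_total(total, rows)
    return rows, slots


def parse_secure(text):
    """Return secure-MAC rows; static entries show NOAGED in the AGING TIME column."""
    rows, total = [], None
    for line in text.splitlines():
        m = SECURE_ROW.match(line)
        if m:
            mac, vlan, state, port, aging = m.groups()
            rows.append({"mac": mac.lower(), "vlan": int(vlan), "state": state,
                         "port": port, "aging": aging, "static": aging == "NOAGED"})
            continue
        m = TOTAL.search(line)
        if m:
            total = int(m.group(1))
    _check_total(total, rows)
    return rows


if __name__ == "__main__":
    print(parse_blocked(BLOCK_OUTPUT_IRF))
    print(parse_secure(SECURITY_OUTPUT))
```

The header lines are rejected by the MAC pattern, so no special casing for them is needed; the IRF summary lines are matched before the total line because "1 MAC address(es) found" appears in both.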

 

Related commands

port-security mac-address security

port-security authorization ignore

Use port-security authorization ignore to configure a port to ignore the authorization information received from the authentication server (a RADIUS server or the local device).

Use undo port-security authorization ignore to restore the default.

Syntax

port-security authorization ignore

undo port-security authorization ignore

Default

A port uses the authorization information from the server.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Usage guidelines

After a user passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user account. For example, the server can assign a VLAN. If you do not want the port to use such authorization attributes for users, use this command to ignore the authorization information from the server.

Examples

# Configure GigabitEthernet 1/0/1 to ignore the authorization information from the authentication server.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security authorization ignore

Related commands

display port-security

port-security authorization-fail offline

Use port-security authorization-fail offline to enable the authorization-fail-offline feature.

Use undo port-security authorization-fail offline to disable the authorization-fail-offline feature.

Syntax

port-security authorization-fail offline

undo port-security authorization-fail offline

Default

The authorization-fail-offline feature is disabled. The device does not log off users that have failed authorization.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The authorization-fail-offline feature logs off port security users that have failed ACL or user profile authorization.

A user fails ACL or user profile authorization in the following situations:

·     The device fails to authorize the specified ACL or user profile to the user.

·     The server assigns a nonexistent ACL or user profile to the user.

If this feature is disabled, the device does not log off users that have failed ACL or user profile authorization. However, the device outputs messages to report the failure.

Examples

# Enable the authorization-fail-offline feature.

<Sysname> system-view

[Sysname] port-security authorization-fail offline

Related commands

display port-security

port-security enable

Use port-security enable to enable port security.

Use undo port-security enable to disable port security.

Syntax

port-security enable

undo port-security enable

Default

Port security is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

You must disable global 802.1X and MAC authentication before you enable port security on a port.

Enabling or disabling port security resets the following security settings to the default:

·     802.1X access control mode is MAC-based.

·     Port authorization state is auto.

When online users are present on a port, disabling port security logs off the online users.

Examples

# Enable port security.

<Sysname> system-view

[Sysname] port-security enable

Related commands

display port-security

dot1x

dot1x port-control

dot1x port-method

mac-authentication

port-security intrusion-mode

Use port-security intrusion-mode to configure the intrusion protection action to take when intrusion protection detects illegal frames on a port.

Use undo port-security intrusion-mode to restore the default.

Syntax

port-security intrusion-mode { blockmac | disableport | disableport-temporarily }

undo port-security intrusion-mode

Default

Intrusion protection is disabled.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses. This action implements illegal traffic filtering on the port. A blocked MAC address is restored to normal after being blocked for 3 minutes, which is not user configurable. To display the blocked MAC address list, use the display port-security mac-address block command.

disableport: Disables the port permanently when an illegal frame is received on the port.

disableport-temporarily: Disables the port for a period of time whenever it receives an illegal frame. You can use the port-security timer disableport command to set the period.

Usage guidelines

To bring up the port disabled by the intrusion protection feature, use the undo shutdown command.

Examples

# Configure GigabitEthernet 1/0/1 to block the source MAC addresses of illegal frames after intrusion protection detects the illegal frames.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode blockmac

Related commands

display port-security

display port-security mac-address block

port-security timer disableport

port-security mac-address security

Use port-security mac-address security to add a secure MAC address.

Use undo port-security mac-address security to remove a secure MAC address.

Syntax

In Layer 2 Ethernet interface view:

port-security mac-address security mac-address vlan vlan-id

undo port-security mac-address security mac-address vlan vlan-id

In system view:

port-security mac-address security mac-address interface interface-type interface-number vlan vlan-id

undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]

Default

No manually configured secure MAC address entries exist.

Views

System view

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

mac-address: Specifies a MAC address, in H-H-H format.

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies the VLAN to which the secure MAC address belongs. The value range for the vlan-id argument is 1 to 4094.

Usage guidelines

Secure MAC addresses are MAC addresses configured or learned in autoLearn mode, and if saved, can survive a device reboot. You can bind a secure MAC address only to one port in a VLAN.

You can add important or frequently used MAC addresses as secure MAC addresses to avoid the secure MAC address limit causing authentication failure. To successfully add secure MAC addresses on a port, first complete the following tasks:

·     Enable port security on the port.

·     Set the port security mode to autoLearn.

·     Configure the port to permit packets of the specified VLAN to pass or add the port to the VLAN. Make sure the VLAN already exists.

Static secure MAC addresses never age out unless you perform the following operations:

·     Remove these MAC addresses by using the undo port-security mac-address security command.

·     Change the port security mode.

·     Disable the port security feature.

To modify a secure MAC address entry, you must first delete the old entry and then add a new entry.

Examples

# Enable port security, set GigabitEthernet 1/0/1 to operate in autoLearn mode, and configure the port to support a maximum number of 100 secure MAC addresses.

<Sysname> system-view

[Sysname] port-security enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security max-mac-count 100

[Sysname-GigabitEthernet1/0/1] port-security port-mode autolearn

# In system view, specify MAC address 0001-0001-0002 in VLAN 10 as a secure MAC address for GigabitEthernet 1/0/1.

[Sysname] port-security mac-address security 0001-0001-0002 interface gigabitethernet 1/0/1 vlan 10

Related commands

display port-security

port-security mac-move permit

Use port-security mac-move permit to enable MAC move on the device.

Use undo port-security mac-move permit to disable MAC move on the device.

Syntax

port-security mac-move permit

undo port-security mac-move permit

Default

MAC move is disabled on the device.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command takes effect on both 802.1X and MAC authentication users.

MAC move allows 802.1X or MAC authenticated users to move between ports on a device. For example, if an 802.1X-authenticated user moves to another 802.1X-enabled port on the device, the authentication session is deleted from the first port. The user is reauthenticated on the new port.

If MAC move is disabled, 802.1X or MAC users authenticated on one port cannot pass authentication after they move to another port.

802.1X or MAC authenticated users cannot move between ports on a device if the number of online users on the authentication server (local or remote) has reached the upper limit.

Examples

# Enable MAC move.

<Sysname> system-view

[Sysname] port-security mac-move permit

Related commands

display port-security

port-security max-mac-count

Use port-security max-mac-count to set the maximum number of secure MAC addresses that port security allows on a port.

Use undo port-security max-mac-count to restore the default.

Syntax

port-security max-mac-count max-count

undo port-security max-mac-count

Default

Port security does not limit the number of secure MAC addresses on a port.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

max-count: Specifies the maximum number of secure MAC addresses that port security allows on the port. The value range is 1 to 2147483647. Make sure this value is no less than the number of MAC addresses currently saved on the port.

Usage guidelines

For autoLearn mode, this command sets the maximum number of secure MAC addresses (both configured and automatically learned) on the port.

In any other mode that enables 802.1X, MAC authentication, or both, this command sets the maximum number of authenticated MAC addresses on the port. The actual maximum number of concurrent users that the port accepts equals the smaller of the following values:

·     The value set by using this command.

·     The maximum number of concurrent users allowed by the authentication mode in use.

For example, in userLoginSecureExt mode, if 802.1X allows more concurrent users than port security's limit on the number of MAC addresses, port security's limit takes effect.

You cannot change port security's limit on the number of MAC addresses when the port meets any of the following requirements:

·     The port is operating in autoLearn mode.

·     The port is a wireless port that has online users.

Examples

# Set the maximum number of secure MAC address port security allows on GigabitEthernet 1/0/1 to 100.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security max-mac-count 100

Related commands

display port-security

port-security nas-id-profile

Use port-security nas-id-profile to apply a NAS-ID profile to global or port-based port security.

Use undo port-security nas-id-profile to restore the default.

Syntax

port-security nas-id-profile profile-name

undo port-security nas-id-profile

Default

No NAS-ID profile is applied to port security globally or on any port.

Views

System view

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

profile-name: Specifies a NAS-ID profile by its name. The argument is a case-insensitive string of 1 to 31 characters.

Usage guidelines

A NAS-ID profile defines NAS-ID and VLAN bindings. You can create a NAS-ID profile by using the aaa nas-id profile command. For more information about this command, see "AAA commands."

The device selects a NAS-ID profile for a port in the following order:

1.     The port-specific NAS-ID profile.

2.     The NAS-ID profile applied globally.

If no NAS-ID profile is applied or no matching binding is found in the selected profile, the device uses the device name as the NAS-ID.

Examples

# Apply NAS-ID profile aaa to GigabitEthernet 1/0/1 for port security.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security nas-id-profile aaa

# Globally apply NAS-ID profile aaa to port security.

<Sysname> system-view

[Sysname] port-security nas-id-profile aaa

Related commands

aaa nas-id profile

port-security ntk-mode

Use port-security ntk-mode to configure the NTK feature.

Use undo port-security ntk-mode to restore the default.

Syntax

port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }

undo port-security ntk-mode

Default

The NTK feature is not configured on a port and all frames are allowed to be sent.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

ntk-withbroadcasts: Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses.

ntk-withmulticasts: Forwards only broadcast frames, multicast frames, and unicast frames with authenticated destination MAC addresses.

ntkonly: Forwards only unicast frames with authenticated destination MAC addresses.

Usage guidelines

The NTK feature checks the destination MAC addresses in outbound frames. This feature allows frames to be sent only to devices passing authentication, preventing illegal devices from intercepting network traffic.

If a wireless port has online users, you cannot change its NTK settings.
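The three NTK modes differ only in which non-unicast frames they let through, and the unicast decision depends on whether the destination MAC belongs to an authenticated device. The following decision function is an added example written for this page, not H3C code: it classifies an outbound frame as broadcast, multicast or unicast from its destination MAC (broadcast is all-ones; otherwise the I/G bit, the least significant bit of the first octet, marks a group address) and applies the mode as described in the Parameters section. The set of authenticated MACs is constructed for the example.

```python
"""Forwarding decision of the NTK modes of `port-security ntk-mode`.

Added example for this reference page; not H3C code. The authenticated
MAC set below is constructed; mode semantics follow the Parameters section.
"""

NTK_MODES = ("ntkonly", "ntk-withbroadcasts", "ntk-withmulticasts")


def frame_class(dst_mac_hhh):
    """Classify a destination MAC in H-H-H format: broadcast, multicast or unicast."""
    digits = dst_mac_hhh.replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not an H-H-H MAC address: {dst_mac_hhh}")
    if digits == "f" * 12:
        return "broadcast"
    first_octet = int(digits[:2], 16)
    return "multicast" if first_octet & 1 else "unicast"   # I/G bit set => group


def ntk_forwards(mode, dst_mac_hhh, authenticated_macs):
    """True if a port in the given NTK mode sends a frame to dst_mac_hhh.

    mode is one of NTK_MODES, or None when NTK is not configured (all frames sent).
    """
    if mode is None:
        return True
    if mode not in NTK_MODES:
        raise ValueError(f"unknown NTK mode: {mode}")
    kind = frame_class(dst_mac_hhh)
    if kind == "unicast":
        # Every mode requires an authenticated destination for unicast frames.
        return dst_mac_hhh.lower() in {m.lower() for m in authenticated_macs}
    if kind == "broadcast":
        return mode in ("ntk-withbroadcasts", "ntk-withmulticasts")
    return mode == "ntk-withmulticasts"                     # multicast


# Constructed example: one authenticated client on the port.
AUTHENTICATED = {"000d-88f8-0577"}

if __name__ == "__main__":
    for mode in NTK_MODES:
        for dst in ("000d-88f8-0577", "0002-0002-0002", "ffff-ffff-ffff", "0100-5e00-0001"):
            print(mode, dst, ntk_forwards(mode, dst, AUTHENTICATED))
```

The unicast rule is what gives NTK its value: a frame addressed to a station that never authenticated is not sent out of the port, so a host that is merely plugged in cannot receive traffic destined for others. The multicast and broadcast variants trade some of that restriction for protocols that depend on group addresses.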

Examples

# Set the NTK mode of GigabitEthernet 1/0/1 to ntkonly, allowing the port to forward received packets only to devices passing authentication.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security ntk-mode ntkonly

Related commands

display port-security

port-security oui

Use port-security oui to configure an OUI value for user authentication.

Use undo port-security oui to delete the OUI value with the specified OUI index.

Syntax

port-security oui index index-value mac-address oui-value

undo port-security oui index index-value

Default

No OUI values are configured.

Views

System view

Predefined user roles

network-admin

Parameters

index-value: Specifies the OUI index, in the range of 1 to 16.

oui-value: Specifies an OUI string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value.

Usage guidelines

You can configure multiple OUI values.

An OUI, the first 24 binary bits of a MAC address, is assigned by IEEE to uniquely identify a device vendor. Use this command when you configure a device to allow packets from specific wired devices to pass authentication or to allow packets from certain wireless devices to initiate authentication. For example, when a company allows only IP phones of vendor A in the intranet, use this command to specify the OUI of vendor A.

The OUI values configured by this command apply only to the ports operating in userLoginWithOUI mode. In userLoginWithOUI mode, a port allows only one 802.1X user and one user whose MAC address matches one of the configured OUI values.
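The command takes a full 48-bit H-H-H address but keeps only the 24 high-order bits, so "000d-2a10-0033" and "000d-2a00-0000" configure the same OUI. The functions below are an added example written for this page, not H3C code: they derive the OUI from an H-H-H address, test a client MAC against a configured OUI table such as the one shown by display port-security, and render the configuration lines while enforcing the 1 to 16 index range. The OUI table is constructed from the two values that appear on this page (index 1 with value 123401 in the display output, and the 000d2a example below).

```python
"""OUI derivation and matching for `port-security oui`.

Added example for this reference page; not H3C code. OUI_TABLE is
constructed from values shown on the page.
"""
import re

HHH = re.compile(r"^([0-9a-fA-F]{4})-([0-9a-fA-F]{4})-([0-9a-fA-F]{4})$")
OUI_INDEX_RANGE = (1, 16)        # index-value range from the Parameters section

# Constructed: index -> OUI, as listed under "OUI value list" in display port-security.
OUI_TABLE = {1: "123401", 4: "000d2a"}


def oui_of(mac_hhh):
    """Return the 24 high-order bits of an H-H-H MAC as six lowercase hex digits."""
    m = HHH.match(mac_hhh)
    if not m:
        raise ValueError(f"not an H-H-H MAC address: {mac_hhh}")
    return "".join(m.groups()).lower()[:6]


def matches_configured_oui(mac_hhh, oui_table):
    """True if the MAC's vendor prefix is one of the configured OUI values."""
    return oui_of(mac_hhh) in {v.lower() for v in oui_table.values()}


def oui_config_lines(oui_table):
    """Render `port-security oui index ... mac-address ...` for each table entry.

    The command requires a full H-H-H address, so the OUI is padded with zeros;
    any address with the same first 24 bits would configure the same OUI.
    """
    lo, hi = OUI_INDEX_RANGE
    lines = []
    for index, oui in sorted(oui_table.items()):
        if not lo <= index <= hi:
            raise ValueError(f"OUI index {index} outside {lo}..{hi}")
        full = oui.lower() + "000000"
        hhh = f"{full[0:4]}-{full[4:8]}-{full[8:12]}"
        lines.append(f"port-security oui index {index} mac-address {hhh}")
    return lines


if __name__ == "__main__":
    print(oui_of("000d-2a10-0033"))
    print(matches_configured_oui("000d-2a10-0033", OUI_TABLE))
    print("\n".join(oui_config_lines(OUI_TABLE)))
```

Note what the check establishes: only that the first three octets of the client's MAC match a configured vendor prefix. In userLoginWithOUI mode that is the basis on which the one OUI-matched user is admitted without 802.1X, which is why the reference pairs it with exactly one such user per port.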

Examples

# Configure an OUI value of 000d2a, and set the index to 4.

<Sysname> system-view

[Sysname] port-security oui index 4 mac-address 000d-2a10-0033

Related commands

display port-security

port-security port-mode

Use port-security port-mode to set the port security mode of a port.

Use undo port-security port-mode to restore the default.

Syntax

port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }

undo port-security port-mode

Default

A port operates in noRestrictions mode, where port security does not take effect.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

Parameters

autolearn (security mode: autoLearn)
    A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses. Instead, they are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.
    A port in autoLearn mode allows frames sourced from the following MAC addresses to pass:
    ·     Secure MAC addresses.
    ·     MAC addresses configured by using the mac-address static command.
    When the number of secure MAC addresses reaches the upper limit set by the port-security max-mac-count command, the port changes to secure mode.

mac-authentication (security mode: macAddressWithRadius)
    In this mode, a port performs MAC authentication for users and services multiple users.

mac-else-userlogin-secure (security mode: macAddressElseUserLoginSecure)
    This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority. In this mode, the port allows one 802.1X authentication user and multiple MAC authentication users to log in.
    ·     Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication.
    ·     Upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.

mac-else-userlogin-secure-ext (security mode: macAddressElseUserLoginSecureExt)
    Same as the macAddressElseUserLoginSecure mode, except that a port in this mode supports multiple 802.1X and MAC authentication users.

secure (security mode: secure)
    In this mode, MAC address learning is disabled on the port, and you can configure MAC addresses by using the mac-address static and mac-address dynamic commands.
    The port permits only frames sourced from the following MAC addresses to pass:
    ·     Secure MAC addresses.
    ·     MAC addresses configured by using the mac-address static and mac-address dynamic commands.

userlogin (security mode: userLogin)
    In this mode, a port performs 802.1X authentication and implements port-based access control.
    If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication.

userlogin-secure (security mode: userLoginSecure)
    In this mode, a port performs 802.1X authentication and implements MAC-based access control. The port services only one user passing 802.1X authentication.

userlogin-secure-ext (security mode: userLoginSecureExt)
    Same as the userLoginSecure mode, except that this mode supports multiple online 802.1X users.

userlogin-secure-or-mac (security mode: macAddressOrUserLoginSecure)
    This mode is the combination of the userLoginSecure and macAddressWithRadius modes. In this mode, the port allows one 802.1X authentication user and multiple MAC authentication users to log in.
    In this mode, the port performs 802.1X authentication first. If 802.1X authentication fails, MAC authentication is performed.

userlogin-secure-or-mac-ext (security mode: macAddressOrUserLoginSecureExt)
    Same as the macAddressOrUserLoginSecure mode, except that a port in this mode supports multiple 802.1X and MAC authentication users.

userlogin-withoui (security mode: userLoginWithOUI)
    Similar to the userLoginSecure mode. In addition, a port in this mode also permits frames from a user whose MAC address contains a specific OUI.
    In this mode, the port performs the OUI check first. If the OUI check fails, the port performs 802.1X authentication. The port permits frames that pass the OUI check or 802.1X authentication.

 

Usage guidelines

To change the security mode of a port-security-enabled port, you must first set the port to noRestrictions mode. Do not change the port security mode when the port has online users.

IMPORTANT:

If you are configuring the autoLearn mode, first set port security's limit on the number of secure MAC addresses by using the port-security max-mac-count command. You cannot change the setting while the port is operating in autoLearn mode.

When port security is enabled, you cannot enable 802.1X or MAC authentication, or change the access control mode or port authorization state. Port security automatically modifies these settings according to the security mode in use.

As a best practice, do not enable the mac-else-userlogin-secure or mac-else-userlogin-secure-ext mode on a port where MAC authentication delay is enabled. The two modes are mutually exclusive with the MAC authentication delay feature. For more information about MAC authentication delay, see "MAC authentication commands."

Examples

# Enable port security, and set GigabitEthernet 1/0/1 to operate in secure mode.

<Sysname> system-view

[Sysname] port-security enable

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security port-mode secure

# Change the port security mode of GigabitEthernet 1/0/1 to userLogin.

[Sysname-GigabitEthernet1/0/1] undo port-security port-mode

[Sysname-GigabitEthernet1/0/1] port-security port-mode userlogin

Related commands

display port-security

port-security max-mac-count

port-security timer disableport

Use port-security timer disableport to set the silence period during which the port remains disabled.

Use undo port-security timer disableport to restore the default.

Syntax

port-security timer disableport time-value

undo port-security timer disableport

Default

The port silence period is 20 seconds.

Views

System view

Predefined user roles

network-admin

Parameters

time-value: Specifies the silence period in seconds during which the port remains disabled. The value is in the range of 20 to 300.

Usage guidelines

If you configure the intrusion protection action as disabling the port temporarily, use this command to set the silence period.
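The two timed intrusion-protection actions interact with this timer differently: blockmac blocks the offending source MAC for a fixed 3 minutes that is not configurable, while disableport-temporarily silences the whole port for the 20 to 300 second period set here (disableport stays down until undo shutdown). The simulation below is an added example written for this page, not H3C code; it models the behaviour described under port-security intrusion-mode and under this command so the timing can be reasoned about and tested. Time is passed in explicitly, in seconds, rather than read from a clock, which is a choice of this example.

```python
"""Simulation of the intrusion-protection actions of `port-security intrusion-mode`
and the silence period of `port-security timer disableport`.

Added example for this reference page; not H3C code. Durations and ranges
are the ones stated in the reference; the model itself is this example's.
"""

BLOCKMAC_SECONDS = 3 * 60            # fixed blocked-MAC lifetime, not user configurable
DISABLEPORT_DEFAULT = 20             # default silence period in seconds
DISABLEPORT_RANGE = (20, 300)        # valid time-value range for the timer
MODES = ("blockmac", "disableport", "disableport-temporarily")


class IntrusionProtection:
    """State of one port under a given intrusion mode and silence period."""

    def __init__(self, mode, disableport_timeout=DISABLEPORT_DEFAULT):
        if mode not in MODES:
            raise ValueError(f"unknown intrusion mode: {mode}")
        lo, hi = DISABLEPORT_RANGE
        if not lo <= disableport_timeout <= hi:
            raise ValueError(f"silence period must be {lo} to {hi} seconds")
        self.mode = mode
        self.timeout = disableport_timeout
        self.blocked = {}                 # mac -> time at which the block expires
        self.port_down_until = None       # None: up; float('inf'): down until undo shutdown

    def illegal_frame(self, src_mac, now):
        """Apply the configured action to an illegal frame seen at time `now`."""
        if self.mode == "blockmac":
            self.blocked[src_mac.lower()] = now + BLOCKMAC_SECONDS
        elif self.mode == "disableport":
            self.port_down_until = float("inf")
        else:                             # disableport-temporarily
            self.port_down_until = now + self.timeout

    def accepts(self, src_mac, now):
        """True if a frame from src_mac would be forwarded at time `now`."""
        if self.port_down_until is not None and now < self.port_down_until:
            return False                  # port is silenced
        expiry = self.blocked.get(src_mac.lower())
        return expiry is None or now >= expiry

    def blocked_list(self, now):
        """Unexpired entries, as `display port-security mac-address block` would list."""
        return sorted(mac for mac, t in self.blocked.items() if now < t)

    def undo_shutdown(self):
        """Bring the port up again (the `undo shutdown` step from the usage guidelines)."""
        self.port_down_until = None


if __name__ == "__main__":
    port = IntrusionProtection("disableport-temporarily", disableport_timeout=30)
    port.illegal_frame("0002-0002-0002", now=0)
    print(port.accepts("0001-0001-0001", now=29), port.accepts("0001-0001-0001", now=30))
```

The model makes the trade-off visible: blockmac keeps the port serving every other station and drops only the offending source for three minutes, whereas disableport-temporarily cuts off all stations on the port for the silence period, and a repeated illegal frame extends it.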

Examples

# Configure the intrusion protection action on GigabitEthernet 1/0/1 as disabling the port temporarily, and set the port silence period to 30 seconds.

<Sysname> system-view

[Sysname] port-security timer disableport 30

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily

Related commands

display port-security

port-security intrusion-mode

snmp-agent trap enable port-security

Use snmp-agent trap enable port-security to enable SNMP notifications for port security.

Use undo snmp-agent trap enable port-security to disable SNMP notifications for port security.

Syntax

snmp-agent trap enable port-security [ address-learned | dot1x-failure | dot1x-logoff | dot1x-logon | intrusion | mac-auth-failure | mac-auth-logoff | mac-auth-logon ] *

undo snmp-agent trap enable port-security [ address-learned | dot1x-failure | dot1x-logoff | dot1x-logon | intrusion | mac-auth-failure | mac-auth-logoff | mac-auth-logon ] *

Default

All port security SNMP notifications are disabled.

Views

System view

Predefined user roles

network-admin

network-operator

Parameters

address-learned: Specifies notifications about MAC address learning.

dot1x-failure: Specifies notifications about 802.1X authentication failures.

dot1x-logoff: Specifies notifications about 802.1X user logoffs.

dot1x-logon: Specifies notifications about 802.1X authentication successes.

intrusion: Specifies notifications about illegal frame detection.

mac-auth-failure: Specifies notifications about MAC authentication failures.

mac-auth-logoff: Specifies notifications about MAC authentication user logoffs.

mac-auth-logon: Specifies notifications about MAC authentication successes.

Usage guidelines

To report critical port security events to an NMS, enable SNMP notifications for port security. For port security event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

If you do not specify a notification, this command enables all SNMP notifications for port security.

For this command to take effect, make sure the intrusion protection feature is configured.

Examples

# Enable SNMP notifications about MAC address learning.

<Sysname> system-view

[Sysname] snmp-agent trap enable port-security address-learned

Related commands

display port-security

port-security enable