11-Security Command Reference

06-Port security commands

Contents

Port security commands
display port-security
display port-security access-user
display port-security authentication-profile
display port-security mac-address block
display port-security mac-address m-lag sync-from-peer
display port-security mac-address m-lag sync-to-peer
display port-security mac-address security
display port-security static-user
display port-security static-user connection
display port-security statistics
if-match
port-security access-user log enable
port-security access-policy
port-security apply access-policy
port-security authentication open
port-security authentication open global
port-security authentication-profile
port-security authentication-profile name
port-security authorization ignore
port-security authorization-fail offline
port-security auth-order
port-security enable
port-security escape critical-vsi
port-security free-vlan
port-security global escape critical-vsi
port-security intrusion-mode
port-security link-down action
port-security m-lag load-sharing-mode
port-security mac-address aging-type inactivity
port-security mac-address dynamic
port-security mac-address security
port-security mac-limit
port-security mac-move bypass-vlan-check
port-security mac-move overwrite-local
port-security mac-move permit
port-security max-mac-count
port-security nas-id-profile
port-security ntk-mode
port-security oui
port-security packet-detect arp-source-ip factor
port-security port-mode
port-security pre-auth domain
port-security static-user
port-security static-user match-mac acl
port-security static-user max-user
port-security static-user password
port-security static-user timer detect-period
port-security static-user timer offline-detect
port-security static-user update-ip enable
port-security static-user user-name-format
port-security static-user user-name-format mac-address
port-security strict-intrusion-protection enable
port-security timer
port-security timer autolearn aging
port-security timer blockmac
port-security timer disableport
port-security topology-change detect-period
port-security topology-change detect-retry
port-security topology-change free-mac-move
port-security triple-auth-order mac-dot1x-web
port-security url-unavailable domain
reset port-security static-user
reset port-security statistics
snmp-agent trap enable port-security

Port security commands

This feature might provide information related to 802.1X, MAC address authentication, and Web authentication. For more information about these features, see Security Configuration Guide and commands for 802.1X, MAC authentication and Web authentication in Security Command Reference.

The device supports authorization VSIs and microsegmentation only when it is operating in expert mode. For more information about the expert mode, see device management in Fundamentals Configuration Guide.

Only the following modules support configuring port security in Layer 2 aggregate interface view:

·     SC modules prefixed with LSCM2.

·     SD interface modules.

·     SF interface modules.

display port-security

Use display port-security to display port security configuration, operation information, and statistics for ports.

Syntax

display port-security [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays port security information for all ports.

Usage guidelines

After a port is bound to a port security authentication profile, the port uses the configuration of the bound profile to perform authentication for access users. For functions available in both interface view and port security authentication profile view, the functions configured in interface view do not take effect regardless of whether they are configured in the profile view or not.

Examples

# Display port security information for all ports.

<Sysname> display port-security

Global port security parameters:

   Port security                           : Enabled

   M-LAG load sharing mode (criterion)     : Distributed (local)

   M-LAG member's authentication scope     : Local M-LAG interfaces

   M-LAG member configuration conflict     : Unknown

   AutoLearn aging time                    : 0 min

   Disableport timeout                     : 20 sec

   Blockmac timeout                        : 180 sec

   MAC move                                : Denied

   Authorization fail                      : Online

   NAS-ID profile                          : Not configured

   Dot1x-failure trap                      : Disabled

   Dot1x-logon trap                        : Disabled

   Dot1x-logoff trap                       : Enabled

   Intrusion trap                          : Disabled

   Intrusion-recover trap                  : Disabled

   Address-learned trap                    : Enabled

   Mac-auth-failure trap                   : Disabled

   Mac-auth-logon trap                     : Enabled

   Mac-auth-logoff trap                    : Disabled

   Mac-auth-not-support trap               : Disabled

   AC-creation-failure trap                : Disabled

   ACL-author-failure trap                 : Disabled

   ACL-author-success trap                 : Disabled

   URL-author-failure trap                 : Disabled

   URL-author-success trap                 : Disabled

   NTK-ineffective trap                    : Disabled

   Port-mode-ineffective trap              : Disabled

   Open authentication                     : Disabled

   Traffic-statistics                      : Disabled

   User aging period for preauth domain    : 82800 sec

   User aging period for Auth-Fail domain  : 82800 sec

   User aging period for critical domain   : 82800 sec

   Reauth period for preauth domain        : 600 sec

   Reauth period for Auth-Fail domain      : 600 sec

   MAC move for topology change protection : Denied

     Topology change detection period      : 5 sec

     Max detection attempts                : 3

   Record max-number                       : 4096

   Record aging period                     : 1440 min

   OUI value list                          :

    Index :  1           Value : 123401

 

 Ten-GigabitEthernet3/0/1 is link-up

   Authentication profile                  : p1

   Port mode                               : userLogin

   Pre-auth domain                         : test

   URL-unavailable domain                  : domain1

   NeedToKnow mode                         : Disabled

   Intrusion protection mode               : NoAction

   Strict intrusion protection             : Disabled

   Security MAC address attribute

       Learning mode                       : Sticky

       Aging type                          : Periodical

   Max secure MAC addresses                : 32

   Current secure MAC addresses            : 0

   Authorization                           : Permitted

   NAS-ID profile                          : Not configured

   Free VLANs                              : Not configured

   Open authentication                     : Disabled

   MAC-move VLAN check bypass              : Disabled

Table 1 Command output

Field

Description

Port security

Whether the port security feature is enabled.

M-LAG load sharing mode (criterion)

Authentication load sharing mode for users attached to M-LAG interfaces:

·     Centralized—In this mode, the primary M-LAG member device processes authentication services for all users attached to any M-LAG interfaces in the system.

·     Distributed—In a distributed mode, both M-LAG member devices provide authentication services for users attached to the M-LAG interfaces. Port security provides the following distributed authentication processing modes:

      -     local—Each M-LAG member device processes authentication for users attached to its own M-LAG interfaces.

      -     odd source MAC—The local device processes authentication services for users with odd MAC addresses attached to any M-LAG interface in the M-LAG system.

      -     even source MAC—The local device processes authentication services for users with even MAC addresses attached to any M-LAG interface in the M-LAG system.

M-LAG member's authentication scope

Scope for the local M-LAG member device to authenticate users attached to M-LAG interfaces:

·     None—The device does not authenticate any users attached to M-LAG interfaces.

·     Odd source MACs—The device processes authentication services only for users with odd MAC addresses attached to both the local and peer M-LAG interfaces.

·     Even source MACs—The device processes authentication services only for users with even MAC addresses attached to both the local and peer M-LAG interfaces.

·     Local M-LAG interfaces—The device processes authentication services only for users attached to the local M-LAG interfaces.

·     All—The device processes authentication services for all users attached to any M-LAG interfaces in the M-LAG system.

M-LAG member configuration conflict

M-LAG member configuration check result:

·     Conflicted—The configuration on one M-LAG member device conflicts with that on the other M-LAG member device.

·     Not conflicted—The configuration on one M-LAG member device does not conflict with that on the other M-LAG member device.

·     Unknown—The system cannot detect whether the configuration on one M-LAG member device conflicts with that on the other M-LAG member device.

AutoLearn aging time

Sticky MAC address aging timer, in minutes or seconds.

Disableport timeout

Silence period (in seconds) of the port that receives illegal packets.

Blockmac timeout

Block timer (in seconds) for MAC addresses in the blocked MAC address list.

MAC move

Status of MAC move:

·     Both port move and VLAN move are permitted.

·     Denied.

·     Only port move is permitted.

·     Only VLAN move is permitted.

Authorization fail

Action to be taken for users that fail authorization:

·     Online—Allows the users to go online.

·     Offline—Logs off the users.

NAS-ID profile

NAS-ID profile applied globally.

Dot1x-failure trap

Whether SNMP notifications for 802.1X authentication failures are enabled.

Dot1x-logon trap

Whether SNMP notifications for 802.1X authentication successes are enabled.

Dot1x-logoff trap

Whether SNMP notifications for 802.1X authenticated user logoffs are enabled.

Intrusion trap

Whether SNMP notifications for intrusion protection are enabled. If they are enabled, the device sends SNMP notifications after illegal packets are detected.

Intrusion-recover trap

Whether SNMP notifications are enabled when the MAC address block timer or port silence period for the intrusion protection action times out and the intrusion protection action recovers.

Address-learned trap

Whether SNMP notifications for MAC address learning are enabled. If they are enabled, the device sends SNMP notifications after it learns a new MAC address.

Mac-auth-failure trap

Whether SNMP notifications for MAC authentication failures are enabled.

Mac-auth-logon trap

Whether SNMP notifications for MAC authentication successes are enabled.

Mac-auth-logoff trap

Whether SNMP notifications for MAC authentication user logoffs are enabled.

Mac-auth-not-support trap

Whether SNMP notifications are enabled when an interface does not support enabling MAC authentication.

AC-creation-failure trap

Whether SNMP notifications are enabled for AC creation failures.

ACL-author-failure trap

Whether SNMP notifications are enabled for ACL authorization failures.

ACL-author-success trap

Whether SNMP notifications are enabled for ACL authorization successes.

URL-author-failure trap

Whether SNMP notifications are enabled for URL authorization failures.

URL-author-success trap

Whether SNMP notifications are enabled for URL authorization successes.

NTK-ineffective trap

Whether SNMP notifications are enabled when the NTK feature does not take effect on an interface.

Port-mode-ineffective trap

Whether SNMP notifications are enabled when the port security mode does not take effect on an interface.

Open authentication

Whether global open authentication mode is enabled.

Traffic-statistics

Whether traffic statistics collection is enabled for 802.1X and MAC authentication users.

User aging period for preauth domain

Aging time (in seconds) for users in the preauthentication domain.

User aging period for Auth-Fail domain

Aging time (in seconds) for users in the Auth-Fail domain.

User aging period for critical domain

Aging time (in seconds) for users in the critical domain.

Reauth period for preauth domain

Reauthentication period (in seconds) for users in the preauthentication domain.

Reauth period for Auth-Fail domain

Reauthentication period (in seconds) for users in the Auth-Fail domain.

MAC move for topology change protection

Whether to permit authenticated users to move between member ports in a TC group without being authenticated again when the network topology changes:

·     Denied.

·     Permitted.

Topology change detection period

Packet detection interval when the network topology changes, in seconds.

Max detection attempts

Maximum number of attempts for sending a detection packet when the network topology changes.

Record max-number

Maximum number of users that can be maintained by port security. For related configurations, see the port security diagnostic commands.

Record aging period

Aging time for the port security user maintenance information. For related configurations, see the port security diagnostic commands.

OUI value list

List of OUI values allowed for authentication.

Authentication profile

Security authentication profile bound to the port. If no security authentication profile is bound to the port, this field displays Not configured.

Port mode

Port security mode:

·     noRestrictions.

·     autoLearn.

·     macAddressWithRadius.

·     macAddressElseUserLoginSecure.

·     macAddressElseUserLoginSecureExt.

·     macAddressAndUserLoginSecureExt.

·     secure.

·     userLogin.

·     userLoginMab.

·     userLoginSecure.

·     userLoginSecureExt.

·     macAddressOrUserLoginSecure.

·     macAddressOrUserLoginSecureExt.

·     userLoginWithOUI.

For more information about port security modes, see Security Configuration Guide.

Pre-auth domain

Preauthentication domain for port security users.

URL-unavailable domain

Domain for users redirected to an unavailable URL.

NeedToKnow mode

Need to know (NTK) mode:

·     NeedToKnowOnly—Forwards only unicast frames with a known destination MAC address.

·     NeedToKnowWithBroadcast—Forwards only broadcast and unicast frames with a known destination MAC address.

·     NeedToKnowWithMulticast—Forwards only broadcast, multicast, and unicast frames with a known destination MAC address.

·     NeedToKnowAuto—Forwards only broadcast, multicast, and unicast frames with a known destination MAC address, and only when the port has online users.

·     Disabled—NTK is disabled.
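The NTK modes above are easiest to compare as a forwarding decision table. The following Python model is an added example, not code from the H3C reference or from the switch: it classifies a frame by destination MAC (broadcast, multicast via the I/G bit, otherwise unicast) and applies the rule each mode states. The sample MACs and frame IDs are constructed, and the behaviour of NeedToKnowAuto on a port with no online users (nothing forwarded) is an assumption taken from a literal reading of the mode description.

```python
"""Added example (not from the H3C reference): a model of the NTK forwarding
decision for each NeedToKnow mode.  The NeedToKnowAuto behaviour without
online users is an assumption, read literally from the mode description."""

NTK_MODES = ("NeedToKnowOnly", "NeedToKnowWithBroadcast",
             "NeedToKnowWithMulticast", "NeedToKnowAuto", "Disabled")


def normalize_mac(mac: str) -> str:
    """Accept the H3C H-H-H form (00e0-fcc2-0175) as well as colon/hyphen
    octet forms; return 12 lowercase hex digits."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


def frame_class(dst_mac: str) -> str:
    """Classify a frame by its destination MAC: broadcast, multicast or unicast."""
    digits = normalize_mac(dst_mac)
    if digits == "f" * 12:
        return "broadcast"
    if int(digits[:2], 16) & 1:          # I/G bit set: group (multicast) address
        return "multicast"
    return "unicast"


def ntk_forwards(mode: str, dst_mac: str, known_macs,
                 port_has_online_users: bool = True) -> bool:
    """Return True if a port in the given NTK mode forwards the frame.

    known_macs: destination MACs the port treats as known (for example the
    secure MAC addresses learned or authenticated on it)."""
    if mode not in NTK_MODES:
        raise ValueError(f"unknown NTK mode: {mode}")
    if mode == "Disabled":
        return True                       # NTK off: every frame is forwarded
    if mode == "NeedToKnowAuto" and not port_has_online_users:
        # Assumption: with no online users an ntkauto port forwards nothing.
        return False
    allowed_group = {
        "NeedToKnowOnly": set(),
        "NeedToKnowWithBroadcast": {"broadcast"},
        "NeedToKnowWithMulticast": {"broadcast", "multicast"},
        "NeedToKnowAuto": {"broadcast", "multicast"},
    }[mode]
    cls = frame_class(dst_mac)
    if cls == "unicast":
        # Unicast is forwarded only to a known destination in every NTK mode.
        return normalize_mac(dst_mac) in {normalize_mac(m) for m in known_macs}
    return cls in allowed_group


def filter_frames(mode, frames, known_macs, port_has_online_users=True):
    """Apply ntk_forwards to (frame_id, dst_mac) pairs; return the forwarded ids."""
    return [fid for fid, dst in frames
            if ntk_forwards(mode, dst, known_macs, port_has_online_users)]


# Constructed sample: one known secure MAC and four frames of different classes.
KNOWN = {"00e0-fcc2-0175"}
FRAMES = [("f1", "00e0-fcc2-0175"),   # unicast, known destination
          ("f2", "00e0-fcc2-0199"),   # unicast, unknown destination
          ("f3", "ffff-ffff-ffff"),   # broadcast
          ("f4", "0100-5e00-0001")]   # IPv4 multicast

if __name__ == "__main__":
    for mode in NTK_MODES:
        print(f"{mode:24s} forwards {filter_frames(mode, FRAMES, KNOWN)}")
```

Running the block prints which of the four constructed frames each mode lets through; the unknown-destination unicast frame f2 is dropped by every mode except Disabled, which is the property NTK exists to enforce.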

Intrusion protection mode

Intrusion protection action:

·     BlockMacAddress—Adds the source MAC address of the illegal packet to the blocked MAC address list.

·     DisablePort—Shuts down the port that receives illegal packets permanently.

·     DisablePortTemporarily—Shuts down the port that receives illegal packets for some time.

·     NoAction—Does not perform intrusion protection.
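The four intrusion protection actions differ mainly in what state they leave behind and for how long, which is governed by the Blockmac timeout and Disableport timeout shown in the global section of display port-security. The following Python model is an added example, not code from the H3C reference or the switch: it applies each action to an illegal frame, expires blocks and port silences against a caller-supplied clock, and records the recovery events that the Intrusion-recover trap would report. The MAC address and timestamps are constructed; the 180 s and 20 s defaults are taken from the sample output above.

```python
"""Added example (not from the H3C reference): a model of the four intrusion
protection actions, with Blockmac/Disableport timers taken from the sample
display port-security output (180 s / 20 s).  'now' is a caller-supplied
clock in seconds."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional

INTRUSION_MODES = ("BlockMacAddress", "DisablePort",
                   "DisablePortTemporarily", "NoAction")


@dataclass
class PortIntrusionState:
    mode: str
    blockmac_timeout: int = 180        # "Blockmac timeout" (seconds)
    disableport_timeout: int = 20      # "Disableport timeout" (seconds)
    blocked: Dict[str, float] = field(default_factory=dict)  # MAC -> block expiry
    port_down_until: Optional[float] = None   # None = up, math.inf = permanent
    events: List[str] = field(default_factory=list)          # trap-style log

    def __post_init__(self):
        if self.mode not in INTRUSION_MODES:
            raise ValueError(f"unknown intrusion mode: {self.mode}")

    def on_illegal_frame(self, src_mac: str, now: float) -> None:
        """Apply the configured action to an illegal frame received at 'now'."""
        if self.mode == "BlockMacAddress":
            self.blocked[src_mac] = now + self.blockmac_timeout
            self.events.append(f"{now}: blocked {src_mac} for {self.blockmac_timeout}s")
        elif self.mode == "DisablePort":
            self.port_down_until = math.inf
            self.events.append(f"{now}: port shut down permanently")
        elif self.mode == "DisablePortTemporarily":
            self.port_down_until = now + self.disableport_timeout
            self.events.append(f"{now}: port silenced for {self.disableport_timeout}s")
        else:  # NoAction: the illegal frame is only recorded
            self.events.append(f"{now}: illegal frame from {src_mac}, no action")

    def expire(self, now: float) -> None:
        """Release expired blocks and reopen a temporarily silenced port
        (the recovery that the Intrusion-recover trap reports)."""
        for mac, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[mac]
                self.events.append(f"{now}: {mac} unblocked (recover)")
        if self.port_down_until is not None and now >= self.port_down_until:
            self.port_down_until = None
            self.events.append(f"{now}: port recovered")

    def is_blocked(self, src_mac: str, now: float) -> bool:
        self.expire(now)
        return src_mac in self.blocked

    def port_is_up(self, now: float) -> bool:
        self.expire(now)
        return self.port_down_until is None

    def accepts(self, src_mac: str, now: float) -> bool:
        """Whether a frame from src_mac would currently be accepted on this port."""
        return self.port_is_up(now) and not self.is_blocked(src_mac, now)


def simulate(mode: str, mac: str = "000f-3d80-0d2d"):
    """Constructed timeline: one illegal frame at t=0, then probes at t=10, 20, 180."""
    port = PortIntrusionState(mode)
    port.on_illegal_frame(mac, 0)
    return [(t, port.accepts(mac, t)) for t in (10, 20, 180)]


if __name__ == "__main__":
    for mode in INTRUSION_MODES:
        print(f"{mode:24s} {simulate(mode)}")
```

The timeline printed for each mode makes the trade-off visible: BlockMacAddress affects only the offending MAC and self-heals after 180 s, DisablePortTemporarily silences every user on the port for 20 s, DisablePort needs an administrator to recover, and NoAction leaves nothing but the log entry.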

Strict intrusion protection

Status of strict intrusion protection on the port:

·     Enabled.

·     Disabled.

Learning mode

Secure MAC address learning mode:

·     Dynamic.

·     Sticky.

Aging type

Secure MAC address aging type:

·     Periodical—Timer aging only.

·     Inactivity—Inactivity aging feature together with the aging timer.

Max secure MAC addresses

Maximum number of secure MAC addresses (or online users) that port security allows on the port.

Current secure MAC addresses

Number of secure MAC addresses stored.

Authorization

Whether the authorization information from the authentication server (RADIUS server or local device) is ignored:

·     Permitted—Authorization information from the authentication server takes effect.

·     Ignored—Authorization information from the authentication server does not take effect.

NAS-ID profile

NAS-ID profile applied to the port.

Free VLANs

VLANs in which packets will not trigger authentication.

If you do not configure free VLANs, this field displays Not configured.

Open authentication

Whether open authentication mode is enabled on the port.

MAC-move VLAN check bypass

Whether the VLAN check bypass feature is enabled for users moving to the port from other ports.

Reauth max-attempts

Maximum number of user reauthentication attempts.

·     preauth domain—Maximum number of reauthentication attempts for users in the preauthentication domain.

·     Auth-Fail domain—Maximum number of reauthentication attempts for users in the Auth-Fail domain.

Server-reachable reauth

Whether the device immediately triggers reauthentication for users when the authentication server becomes reachable.

·     preauth domain—Whether the device immediately triggers reauthentication for users in the preauthentication domain when the authentication server becomes reachable.

·     Auth-Fail domain—Whether the device immediately triggers reauthentication for users in the Auth-Fail domain when the authentication server becomes reachable.

display port-security access-user

Use display port-security access-user to display entries for port security access users.

Syntax

In standalone mode:

display port-security access-user [ m-lag [ local | peer ] ] [ access-type { dot1x | mac-auth | web-auth | static } | domain domain-name | microsegment microsegment-id | online-type { auth-fail-domain | critical-domain | preauth-domain | success | url-unavailable-domain } | slot slot-number ] *  [ brief ]

In IRF mode:

display port-security access-user [ m-lag [ local | peer ] ] [ access-type { dot1x | mac-auth | web-auth | static } | chassis chassis-number slot slot-number | domain domain-name | microsegment microsegment-id | online-type { auth-fail-domain | critical-domain | preauth-domain | success | url-unavailable-domain } ] * [ brief ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

m-lag [ local | peer ]: Specifies port security access users on M-LAG interfaces. If you do not specify these keywords, the command does not distinguish port security access users on M-LAG interfaces and non-M-LAG interfaces. If you specify the m-lag keyword without the local or peer keyword, the command displays entries for port security access users on both the local and peer M-LAG member devices.

·     local: Displays entries for port security access users on the local M-LAG member device.

·     peer: Displays entries for port security access users on the peer M-LAG member device.

access-type: Specifies an access type.

·     dot1x: Specifies 802.1X authentication.

·     mac-auth: Specifies MAC authentication.

·     web-auth: Specifies Web authentication.

·     static: Specifies static access.

domain domain-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The ISP domain name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

microsegment microsegment-id: Specifies a microsegment by its ID in the range of 1 to 65535.

online-type: Specifies a type of port security access users.

·     auth-fail-domain: Specifies port security access users in the Auth-Fail domain.

·     critical-domain: Specifies port security access users in the critical domain.

·     preauth-domain: Specifies port security access users in the preauthentication domain.

·     success: Specifies port security access users that have passed authentication.

·     url-unavailable-domain: Specifies port security access users assigned to the URL-unavailable domain when the redirect URL is unavailable.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays entries for port security access users on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays entries for port security access users on all cards of all IRF member devices. (In IRF mode.)

brief: Displays brief information about access users. If you do not specify this keyword, the command displays detailed information about access users.

Usage guidelines

For more information about the Auth-Fail domain and critical domain, see AAA configuration in Security Configuration Guide.

If you do not specify any parameters, this command displays entries for all port security access users.

Examples

# Display detailed information for port security access users in ISP domain test.

<Sysname> display port-security access-user domain test

Total access users: 2

 

Username                            : aaa

IP address                         : 10.12.12.254

IPv6 address                       : 2:1::3

MAC address                        : 00e0-fcc2-0175

State                               : Preauth domain

Authentication result            : Unauthenticated

Access type                        : 802.1X authentication

M-LAG NAS-IP type                 : Local

M-LAG user state                  : Active

Authentication domain            : abc

Authorization microsegment ID  : N/A

 

Username                            : abc

IP address                         : 10.12.12.257

IPv6 address                       : 2:1::4

MAC address                        : 00e0-fcc2-0152

State                               : Successful

Authentication result            : Authentication succeeded

Access type                        : Static user access

M-LAG NAS-IP type                 : Local

M-LAG user state                  : Active

Authentication domain            : abc

Authorization microsegment ID  : N/A

# Display detailed information for port security access users in the preauthentication domain.

<Sysname> display port-security access-user online-type preauth-domain

Total access users: 1

 

Username                            : aaa

IP address                         : 10.12.12.254

IPv6 address                       : 2:1::4

MAC address                        : 00e0-fcc2-0175

State                               : Preauth domain

Authentication result            : Unauthenticated

Access type                        : 802.1X authentication

M-LAG NAS-IP type                 : Local

M-LAG user state                  : Active

Authentication domain            : abc

Authorization microsegment ID  : N/A

Table 2 Command output

Field

Description

Total access users

Total number of access users.

Username

Name of the access user.

IP address

IP address of the access user.

IPv6 address

IPv6 address of the access user.

MAC address

MAC address of the access user.

State

Access user state:

·     Critical domain—The user is in the critical domain.

·     Auth-Fail domain—The user is in the Auth-Fail domain.

·     Preauth domain—The user is in the preauthentication domain.

·     Successful—The user passes authentication.

·     Open—The user has come online by using a non-existent username or incorrect password to pass open authentication.

Authentication result

Authentication result of the access user:

·     Unauthenticated.

·     Authentication succeeded.

·     Authentication failed.

·     AAA server unavailable.

·     URL unavailable.

Access type

Access authentication method:

·     802.1X authentication.

·     MAC authentication.

·     Web authentication.

·     Static user access.

M-LAG NAS-IP type

NAS-IP address type for the user if the user was authenticated on an M-LAG interface of the M-LAG system.

·     Local—Local NAS-IP address. The source IP address of outgoing RADIUS packets is an IP address on the local M-LAG member device.

·     Peer—Peer NAS-IP address. The source IP address of outgoing RADIUS packets is an IP address on the peer M-LAG member device.

M-LAG user state

Local state of the user on the M-LAG interface:

·     Active—The local M-LAG member device exchanges user authentication information with the AAA server.

·     Inactive—The peer M-LAG member device exchanges user authentication information with the AAA server.

Authentication domain

ISP domain in which the user was authenticated.

Authorization microsegment ID

Microsegment ID assigned to the user.

# Display brief information for port security access users in authentication domain test.

<Sysname> display port-security access-user domain test brief

Total access users: 2

Username   IP address     MAC address     State        Access type

aaa         10.12.12.254   00e0-fcc2-0175  Preauth      802.1X

bbb         2:1::3          00e0-fcc2-0172  Preauth      MAC-auth

Table 3 Command output

Field

Description

IP address

IP address of the access user. If the user has both an IPv4 address and an IPv6 address, this field displays only the IPv4 address. If the user has only an IPv6 address, this field displays the IPv6 address.

State

Access user state:

·     Critical—The user is in the critical domain.

·     Auth-Fail—The user is in the Auth-Fail domain.

·     Preauth—The user is in the preauthentication domain.

·     Successful—The user passes authentication.

Access type

Access authentication method:

·     802.1X—802.1X authentication.

·     MAC-auth—MAC authentication.

·     Web-auth—Web authentication.

·     Static—Static user access.
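The brief form of display port-security access-user is the one most often collected by scripts, because every column is a single token. The following Python parser is an added example, not code from the H3C reference or the switch: it reads the Total access users line and the table rows, validates the State and Access type values against Table 3, tags whether the IP column holds an IPv4 or IPv6 address (the table note says only the IPv4 address is shown when a user has both), and lists users that are not yet in the Successful state. The sample output embedded in the block is constructed from the example above.

```python
"""Added example (not from the H3C reference): a parser for the brief output of
display port-security access-user, plus a check for users that have not
reached the Successful state."""
import re
from typing import Dict, List

# Constructed sample, laid out like the brief output shown in the reference.
SAMPLE_BRIEF = """\
<Sysname> display port-security access-user domain test brief
Total access users: 2
Username   IP address     MAC address     State        Access type
aaa         10.12.12.254   00e0-fcc2-0175  Preauth      802.1X
bbb         2:1::3          00e0-fcc2-0172  Preauth      MAC-auth
"""

STATES = {"Critical", "Auth-Fail", "Preauth", "Successful"}      # Table 3
ACCESS_TYPES = {"802.1X", "MAC-auth", "Web-auth", "Static"}      # Table 3
TOTAL_RE = re.compile(r"^Total access users:\s*(\d+)$")


def parse_access_user_brief(text: str) -> List[Dict[str, str]]:
    """Return one dict per user row.

    Raises ValueError on a malformed row, an unexpected State/Access type,
    or when the row count disagrees with the 'Total access users' line."""
    users: List[Dict[str, str]] = []
    total = None
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):   # blanks and the echoed prompt
            continue
        m = TOTAL_RE.match(line)
        if m:
            total = int(m.group(1))
            continue
        if line.startswith("Username"):         # column header
            in_table = True
            continue
        if not in_table:
            continue
        parts = line.split()
        # Every column is a single token, so whitespace splitting is safe.
        if len(parts) != 5:
            raise ValueError(f"unexpected row: {raw!r}")
        username, ip, mac, state, access = parts
        if state not in STATES or access not in ACCESS_TYPES:
            raise ValueError(f"unexpected state or access type: {raw!r}")
        users.append({
            "username": username,
            "ip": ip,
            "ip_family": "ipv6" if ":" in ip else "ipv4",
            "mac": mac,
            "state": state,
            "access_type": access,
        })
    if total is not None and total != len(users):
        raise ValueError(f"Total access users says {total}, parsed {len(users)}")
    return users


def users_not_authenticated(users: List[Dict[str, str]]) -> List[str]:
    """Usernames whose state is anything other than Successful."""
    return [u["username"] for u in users if u["state"] != "Successful"]


if __name__ == "__main__":
    rows = parse_access_user_brief(SAMPLE_BRIEF)
    for row in rows:
        print(row)
    print("not authenticated:", users_not_authenticated(rows))
```

Feeding the parser captured output instead of the constructed sample works unchanged; the count check against the Total access users line catches truncated captures, which is the usual failure when output is paged.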

display port-security authentication-profile

Use display port-security authentication-profile to display configuration information for port security authentication profiles.

Syntax

display port-security authentication-profile [ name profile-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

name profile-name: Specifies a port security authentication profile by its name. The profile-name argument represents the profile name, a case-insensitive string of 1 to 31 characters. If you do not specify this option, the command displays brief configuration information for all port security authentication profiles.

Usage guidelines

After completing the configuration of port security authentication profiles, you can use this command to check whether the configuration of the port security authentication profiles is correct.

Examples

# Display configuration information for all port security authentication profiles.

<Sysname> display port-security authentication-profile

Total number: 2

Auth-profile      802.1x acc-profile      MAC acc-profile

aaa1                bbb1                      ccc1

aaa2                bbb2                      ccc2

# Display configuration information for port security authentication profile auth1.

<Sysname> display port-security authentication-profile name auth1

802.1x access profile               : d1

MAC-authentication access profile   : m1

Authentication order                : dot1x-mac

Multi-authentication                : Disabled

Parallel-authentication             : Enabled

Pre-auth domain                     : test

URL-unavailable domain             : domain1

MAC-move VLAN check bypass        : Disabled

Link down action                    : Offline after a delay (10 sec)

 

Total interfaces bound to the profile: 3

   ten-gigabitethernet 3/0/1

   ten-gigabitethernet 3/0/2

   ten-gigabitethernet 3/0/3

Table 4 Command output

Field

Description

Auth-profile

Port security authentication profile.

802.1x acc-profile

802.1X access profile.

MAC acc-profile

MAC authentication access profile.

802.1x access profile

802.1X access profile bound to the port security authentication profile.

MAC-authentication access profile

MAC authentication access profile bound to the port security authentication profile.

Authentication order

Port security authentication mode.

Multi-authentication

Status of the multi-authentication feature.

·     Enabled.

·     Disabled.

Parallel-authentication

Status of the parallel 802.1X and MAC authentication processing feature.

·     Enabled.

·     Disabled.

Pre-auth domain

Domain used by users before performing port security authentication.

URL-unavailable domain

Domain used when the port security authentication URL is unreachable.

MAC-move VLAN check bypass

Status of VLAN check bypass during MAC move.

·     Enabled.

·     Disabled.

Link down action

Action to take on online users when the interface goes down. Options include:

·     Keep online.

·     Offline.

·     Offline after a delay (XX sec).

Total interfaces bound to the profile

Total number of interfaces bound to the port security authentication profile.

display port-security mac-address block

Use display port-security mac-address block to display information about blocked MAC addresses.

Syntax

display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies a VLAN by its ID. The value range is 1 to 4094.

count: Displays only the count of the blocked MAC addresses.

Usage guidelines

If you do not specify any parameters, this command displays information about all blocked MAC addresses.

Examples

# (In standalone mode.) Display information about all blocked MAC addresses.

<Sysname> display port-security mac-address block

 MAC ADDR              Port                        VLAN ID

000f-3d80-0d2d       XGE3/0/1                 30

 

 --- On slot 3, 1 MAC address(es) found ---

 

 --- 1 mac address(es) found ---

# (In standalone mode.) Display the count of all blocked MAC addresses.

<Sysname> display port-security mac-address block count

 

--- On slot 3, 1 MAC address(es) found ---

 

--- 1 mac address(es) found ---

Table 5 Command output

Field

Description

MAC ADDR

Blocked MAC address.

Port

Port having received frames with the blocked MAC address being the source address.

VLAN ID

ID of the VLAN to which the port belongs.

number mac address(es) found

Number of blocked MAC addresses.

 

Related commands

port-security intrusion-mode

display port-security mac-address m-lag sync-from-peer

Use display port-security mac-address m-lag sync-from-peer to display MAC address entries synchronized from the M-LAG peer.

Syntax

display port-security mac-address m-lag sync-from-peer [ user-mac mac-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

user-mac mac-address: Specifies a user MAC address in the format of H-H-H. If you do not specify this option, the command displays all MAC address entries synchronized from the M-LAG peer.

Usage guidelines

Application scenarios

Use this command on an M-LAG member device to view MAC address entries synchronized by the port security module from its M-LAG peer device for users single-homed to the peer device.

An M-LAG system automatically synchronizes the MAC entries for users single-homed to it between its member devices after these users pass authentication and obtain an authorization microsegment to come online. When users single-homed to the peer device attempt to access the network resources attached to the local device, the local device enforces the group-based policies associated with their authorization microsegments to control their access to resources.

Operating mechanism

The port security module on the device flushes the MAC address entries synchronized from the M-LAG peer to the driver for parsing and use by other modules. For example, the ARP module can use a flushed MAC address entry to establish a mapping between the user's IP address and authorization microsegment. If the port security module fails to flush a MAC address entry to the driver, you can view the output of this command to obtain the failure reason and troubleshoot the issue accordingly.

Examples

# Display MAC address entries synchronized from the M-LAG peer.

<Sysname> display port-security mac-address m-lag sync-from-peer

Total MAC address entries: 3

 

 MAC state                     : AUTH

 MAC address                   : 0010-9700-0001

 VLAN ID                       : 3

 VSI name                      : N/A

 Authorization microsegment ID : 3

 Flush failure reason          : VSI doesn't exist

 

 MAC state                     : DOT1X

 MAC address                   : 0010-9700-0002

 VLAN ID                       : 3

 VSI name                      : N/A

 Authorization microsegment ID : 3

 Flush failure reason          : MAC addition failed(0x4001001)

 

 MAC state                     : DOT1X

 MAC address                   : 0010-9700-0004

 VLAN ID                       : 3

 VSI name                      : N/A

 Authorization microsegment ID : 3

 

Table 6 Command output

Field

Description

Total MAC address entries

Total MAC address entries synchronized from the M-LAG peer.

MAC state

Authentication method for the access user:

·     DOT1X—802.1X authentication.

·     AUTH—MAC authentication or Web authentication.

MAC address

MAC address of the access user.

VLAN ID

VLAN to which the access user belongs.

VSI name

VSI to which the access user belongs. If the user does not belong to any VSI, this field displays N/A.

Authorization microsegment ID

Microsegment ID assigned to the access user.

Flush failure reason

Reason for failure in flushing the MAC address entry to the driver:

·     VSI doesn't exist.

·     MAC addition failed(error-code). The error code is in hexadecimal notation.

This field is not displayed if the MAC address entry is flushed to the driver.

 

Related commands

display port-security mac-address m-lag sync-to-peer

display port-security mac-address m-lag sync-to-peer

Use display port-security mac-address m-lag sync-to-peer to display MAC address entries synchronized to the M-LAG peer.

Syntax

display port-security mac-address m-lag sync-to-peer [ interface interface-type interface-number | user-mac mac-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

interface interface-type interface-number: Specifies an interface by its type and number. If you do not specify an interface, this command displays MAC address entries synchronized from all interfaces on the device to the M-LAG peer.

user-mac mac-address: Specifies a user MAC address in the format of H-H-H. If you do not specify this option, the command displays all MAC address entries synchronized to the M-LAG peer.

Usage guidelines

You can use this command to view MAC address entries synchronized from the device to the M-LAG peer.

In a network where an access device is attached to only one M-LAG member device in an M-LAG system, the following happens when a user comes online from the local device after passing authentication and obtaining an authorization microsegment:

·     The local device automatically synchronizes the MAC address entry to the M-LAG peer.

·     After obtaining the microsegment information of the user, the M-LAG peer controls the user's traffic according to the group-based policy corresponding to the user's authorization microsegment. In this way, the user can access network resources on the M-LAG peer.

Examples

# Display MAC address entries synchronized to the M-LAG peer.

<Sysname> display port-security mac-address m-lag sync-to-peer

Total MAC address entries: 1

 

 MAC state                     : AUTH

 MAC address                   : 0010-9700-0001

 Access interface              : Bridge-Aggregation1

 VLAN ID                       : 3

 VSI name                      : N/A

 Authorization microsegment ID : 3

 

Table 7 Command output

Field

Description

Total MAC address entries

Total MAC address entries synchronized to the M-LAG peer.

MAC state

Authentication method for the access user:

·     DOT1X—802.1X authentication.

·     AUTH—MAC authentication or Web authentication.

MAC address

MAC address of the access user.

Access interface

Name of the access interface of the user.

VLAN ID

VLAN to which the access user belongs.

VSI name

VSI to which the access user belongs. If the user does not belong to any VSI, this field displays N/A.

Authorization microsegment ID

Microsegment ID assigned to the access user.

 

Related commands

display port-security mac-address m-lag sync-from-peer

display port-security mac-address security

Use display port-security mac-address security to display information about secure MAC addresses.

Syntax

display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies a VLAN by its ID. The value range is 1 to 4094.

count: Displays only the count of the secure MAC addresses.

Usage guidelines

Secure MAC addresses are those that are automatically learned by the port in autoLearn mode or manually configured by the port-security mac-address security command.

If you do not specify any parameters, this command displays information about all secure MAC addresses.

Examples

# Display information about all secure MAC addresses.

<Sysname> display port-security mac-address security

 MAC ADDR         VLAN ID  STATE          PORT INDEX                     AGING TIME

0002-0002-0002  1         Secure         XGE3/0/1                      Not aged

 

 --- Number of secure MAC addresses: 1 ---

# Display only the count of the secure MAC addresses.

<Sysname> display port-security mac-address security count

 

--- Number of secure MAC addresses: 1 ---

Table 8 Command output

Field

Description

MAC ADDR

Secure MAC address.

VLAN ID

ID of the VLAN to which the port belongs.

STATE

Type of the MAC address. This field displays Secure for a secure MAC address.

PORT INDEX

Port to which the secure MAC address belongs.

AGING TIME

The remaining amount of time before the secure MAC address ages out.

·     If the secure MAC address is a static MAC address, this field displays Not aged.

·     If the secure MAC address is a sticky MAC address, this field displays the remaining lifetime. If the remaining lifetime is less than 60 seconds, the lifetime is counted in seconds. If the lifetime is not less than 60 seconds, the lifetime is counted in minutes. By default, sticky MAC addresses do not age out, and this field displays Not aged.

Number of secure MAC addresses

Number of secure MAC addresses stored.
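Parsing the tabular output of display port-security mac-address block and display port-security mac-address security, as an added Python example that is not part of this command reference or of H3C's software. It assumes the column layout and trailer lines shown in the examples above. The sample text is constructed: the extra rows (a second blocked MAC, sticky entries with 45 sec and 5 min remaining) are made up to exercise the aging-time rule from Table 8. The example also checks that the trailer count agrees with the rows actually parsed, and diffs two polls to isolate newly blocked addresses, which is what a monitoring job would raise an alert on.

```python
import re

# Constructed sample output, modelled on the examples in this reference and
# extended with extra rows; it is not captured from a real device.
BLOCK_OUTPUT = """\
 MAC ADDR              Port                        VLAN ID
000f-3d80-0d2d       XGE3/0/1                 30
00e0-fc00-0001       XGE3/0/2                 30

 --- On slot 3, 2 MAC address(es) found ---

 --- 2 mac address(es) found ---
"""

SECURITY_OUTPUT = """\
 MAC ADDR         VLAN ID  STATE          PORT INDEX                     AGING TIME
0002-0002-0002  1         Secure         XGE3/0/1                      Not aged
0002-0002-0003  1         Secure         XGE3/0/1                      45 sec
0002-0002-0004  1         Secure         XGE3/0/2                      5 min

 --- Number of secure MAC addresses: 3 ---
"""

# H-H-H notation used by the device for MAC addresses.
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.IGNORECASE)
SLOT_TRAILER_RE = re.compile(r"^\s*--- On slot (\d+), (\d+) MAC address\(es\) found ---")
TOTAL_TRAILER_RE = re.compile(r"^\s*--- (\d+) mac address\(es\) found ---")
SECURE_TRAILER_RE = re.compile(r"^\s*--- Number of secure MAC addresses: (\d+) ---")


def parse_aging(text):
    """Translate the AGING TIME column into remaining seconds.

    'Not aged' (static entries and, by default, sticky entries) maps to None.
    Values under 60 seconds are shown in seconds, otherwise in minutes.
    """
    text = text.strip()
    if text.lower() == "not aged":
        return None
    number, unit = text.split()
    if unit.startswith("sec"):
        return int(number)
    if unit.startswith("min"):
        return int(number) * 60
    raise ValueError(f"unrecognised aging time: {text!r}")


def parse_blocked(output):
    """Parse 'display port-security mac-address block' output.

    Returns (rows, per_slot, total): one dict per blocked MAC, the count
    reported for each slot, and the count from the final trailer line.
    """
    rows, per_slot, total = [], {}, None
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 3 and MAC_RE.match(parts[0]):
            rows.append({"mac": parts[0].lower(), "port": parts[1], "vlan": int(parts[2])})
            continue
        if m := SLOT_TRAILER_RE.match(line):
            per_slot[int(m.group(1))] = int(m.group(2))
        elif m := TOTAL_TRAILER_RE.match(line):
            total = int(m.group(1))
    return rows, per_slot, total


def parse_secure(output):
    """Parse 'display port-security mac-address security' output into
    (rows, total). The AGING TIME column may itself contain a space
    ('Not aged'), so each line is split into at most five fields."""
    rows, total = [], None
    for line in output.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5 and MAC_RE.match(parts[0]):
            rows.append({
                "mac": parts[0].lower(),
                "vlan": int(parts[1]),
                "state": parts[2],
                "port": parts[3],
                "aging_seconds": parse_aging(parts[4]),
            })
            continue
        if m := SECURE_TRAILER_RE.match(line):
            total = int(m.group(1))
    return rows, total


def count_consistent(rows, total):
    """True when the trailer count agrees with the rows actually parsed;
    a mismatch usually means the parser missed a line."""
    return total is not None and total == len(rows)


def newly_blocked(previous_rows, current_rows):
    """Blocked MACs present in this poll but absent from the previous one:
    the set a monitoring job would alert on."""
    seen = {(r["mac"], r["port"], r["vlan"]) for r in previous_rows}
    return [r for r in current_rows if (r["mac"], r["port"], r["vlan"]) not in seen]


if __name__ == "__main__":
    blocked, per_slot, total = parse_blocked(BLOCK_OUTPUT)
    print(f"{total} blocked MAC(s), per slot {per_slot}, "
          f"consistent={count_consistent(blocked, total)}")
    for row in newly_blocked(blocked[:1], blocked):
        print("newly blocked:", row)
    for row in parse_secure(SECURITY_OUTPUT)[0]:
        print(row)
```

Feed the functions the text returned by your terminal session or automation tool; the trailer check is worth keeping, because a column added in a later release would otherwise silently drop rows.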

 

Related commands

port-security mac-address security

display port-security static-user

Use display port-security static-user to display static user configuration information.

Syntax

display port-security static-user [ domain isp-name | interface interface-type interface-number | { ip | ipv6 } start-ip-address [ end-ip-address ] | vpn-instance vpn-instance-name ] *

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

domain isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The ISP domain name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

interface interface-type interface-number: Specifies an interface by its type and number.

ip: Specifies a static user range by its IPv4 address range.

ipv6: Specifies a static user range by its IPv6 address range.

start-ip-address [ end-ip-address ]: Specifies the IP address range of the static user range. The start-ip-address argument represents the start IP address and the end-ip-address argument represents the end IP address. If you specify only the start IP address, the static user range contains only one static user and the start IP address is the IP address of the static user.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which static users belong. The vpn-instance-name argument represents the VPN instance name, which is a case-sensitive string of 1 to 31 characters. If the static users belong to the public network, do not specify this option.

Usage guidelines

If you do not specify any parameters, this command displays configuration information for all static users.

Examples

# Display configuration information for all static users.

<Sysname> display port-security static-user

 Global Static-user parameters:

   Static user IP update              : Disabled

   Offline detect timer               : 300 seconds

   ARP detect period                  : 200 seconds

   ACL number for matching MAC addresses   : 4000

 

 Ten-GigabitEthernet3/0/1 is link-up

   Static user max-user              : 4294967295

 

Start IPv4 address           : 10.1.1.6

End IPv4 address             : 10.1.1.8

Interface                    : XGE3/0/1

MAC address                  : 00e0-fc12-3456

VPN instance                 : N/A

Domain name                  : local

VLAN ID                      : 10

ARP detection                : Disabled

Keep online                  : Disabled

 

Start IPv6 address           : 1:1::1:2

End IPv6 address             : 1:1::1:4

Interface                    : XGE3/0/1

MAC address                  : 00e0-fc12-1234

VPN instance                 : N/A

Domain name                  : local

VLAN ID                      : 10

ARP detection                : Disabled

Keep online                  : Disabled

Table 9 Command output

Field

Description

Static user IP update

State of static user IP update:

·     Enabled—Allows the device to update static user IP addresses.

·     Disabled—Prevents the device from updating static user IP addresses.

Offline detect timer

Offline detect period of static users, in seconds.

ARP detect period

ARP detection interval, in seconds.

ACL number for matching MAC addresses

Number of the ACL used to match the MAC addresses of static users.

If no ACL is configured, this field is not available.

Static user max-user

Maximum number of static users allowed on a port.

Start IPv4 address

Start IPv4 address of the IP address range for a static user range.

End IPv4 address

End IPv4 address of the IP address range for the static user range. If no end IPv4 address is configured, this field displays N/A.

Start IPv6 address

Start IPv6 address of the IP address range for a static user range.

End IPv6 address

End IPv6 address of the IP address range for the static user range. If no end IPv6 address is configured, this field displays N/A.

Interface

Interface through which the static user range comes online. If no access interface is configured, this field displays N/A.

MAC address

MAC address of the static user range. If no MAC address is configured, this field displays N/A.

VPN instance

VPN instance to which the static user range belongs. If no VPN instance is configured, this field displays N/A.

Domain name

ISP domain to which the static user range belongs. If no ISP domain is configured, this field displays N/A.

VLAN ID

VLAN to which the static user range belongs. If no VLAN is configured, this field displays N/A.

ARP detection

ARP detection state:

·     Enabled.

·     Disabled.

Keep online

State of the static user keep-online feature:

·     Enabled.

·     Disabled.

 

Related commands

port-security static-user

display port-security static-user connection

Use display port-security static-user connection to display information about online static users.

Syntax

In standalone mode:

display port-security static-user connection [ [ m-lag [ local | peer ] ] [ interface interface-type interface-number | online-type { auth-fail-domain | critical-domain | preauth-domain | success } | slot slot-number | user-name user-name ] | { ip | ipv6 } ip-address | mac mac-address ]

In IRF mode:

display port-security static-user connection [ [ m-lag [ local | peer ] ] [ chassis chassis-number slot slot-number | interface interface-type interface-number | online-type { auth-fail-domain | critical-domain | preauth-domain | success } | user-name user-name ] | { ip | ipv6 } ip-address | mac mac-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

m-lag [ local | peer ]: Specifies online static users on M-LAG interfaces. If you do not specify these keywords, the command does not distinguish between online static users on M-LAG interfaces and those on non-M-LAG interfaces. If you specify the m-lag keyword without the local or peer keyword, the command displays information about online static users on both the local and peer M-LAG member devices.

·     local: Displays information about online static users on the local M-LAG member device.

·     peer: Displays information about online static users on the peer M-LAG member device.

interface interface-type interface-number: Specifies an interface by its type and number.

{ ip | ipv6 } ip-address: Specifies an online static user by its IP address. If the static user has an IPv4 address, specify the ip keyword and use the ip-address argument to specify the IPv4 address of the static user. If the static user has an IPv6 address, specify the ipv6 keyword and use the ip-address argument to specify the IPv6 address of the static user.

mac mac-address: Specifies an online static user by its MAC address. The mac-address argument represents the MAC address, in the format of H-H-H.

online-type: Specifies a type of static users.

·     auth-fail-domain: Specifies static users in the Auth-Fail domain.

·     critical-domain: Specifies static users in the critical domain.

·     preauth-domain: Specifies static users in the preauthentication domain.

·     success: Specifies static users that have passed authentication.

user-name user-name: Specifies an online static user by its username, a case-sensitive string of 1 to 253 characters.

slot slot-number: Specifies a card by its slot number. If you do not specify a card, the command displays information about online static users on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, the command displays information about online static users on all cards of all IRF member devices. (In IRF mode.)

Usage guidelines

If you do not specify any parameters, this command displays information about all online static users.

Examples

# Display information about all online static users.

<Sysname> display port-security static-user connection

Total connections: 2

 

User MAC address: 0015-e9a6-7cfe

M-LAG NAS-IP type: Local

M-LAG user state: Active

Access interface: Ten-GigabitEthernet3/0/1

Username: ias

User access state: Successful

Authentication domain: macusers

IPv4 address: 192.168.1.1

IPv6 address: 2000:0:0:0:1:2345:6789:abcd

IPv4 address source: User packet

IPv6 address source: User packet

Initial VLAN: 1

Authorization untagged VLAN: 100

Authorization tagged VLAN: N/A

Authorization VSI: N/A

Authorization microsegment ID: N/A

Authorization ACL number/name: 3001

Authorization dynamic ACL name: N/A

Authorization user profile: N/A

Authorization CAR:

  Average input rate: 102400 kbps

  Peak input rate: 204800 kbps

  Average output rate: 102400 kbps

  Peak output rate: 204800 kbps

Authorization URL: N/A

Authorization IPv6 URL: N/A

Authorization temporary redirect: Disabled

Start accounting: Successful

Real-time accounting-update failures: 0

Termination action: RADIUS-request

Session timeout period: 2 sec

Offline detection: 100 sec (server-assigned)

Remaining reauth attempts: 2

Online from: 2013/03/02 13:14:15

Online duration: 0h 2m 15s

Port-down keep online: Enabled

 

User MAC address: 0016-e9a6-7cfe

M-LAG NAS-IP type: Local

M-LAG user state: Active

Access interface: Ten-GigabitEthernet3/0/2

Username: i1s

User access state: Successful

Authentication domain: macusers

IPv4 address: 192.168.1.1

IPv6 address: 2000:0:0:0:1:2345:6789:abcd

IPv4 address source: User packet

IPv6 address source: User packet

Initial VLAN: 1

Authorization untagged VLAN: 100

Authorization tagged VLAN: N/A

Authorization VSI: N/A

Authorization microsegment ID: N/A

Authorization ACL number/name: 3001

Authorization dynamic ACL name: N/A

Authorization user profile: N/A

Authorization CAR:

  Average input rate: 102400 kbps

  Peak input rate: 204800 kbps

  Average output rate: 102400 kbps

  Peak output rate: 204800 kbps

Authorization URL: N/A

Authorization IPv6 URL: N/A

Authorization temporary redirect: Disabled

Start accounting: Successful

Real-time accounting-update failures: 0

Termination action: RADIUS-request

Session timeout period: 2 sec

Offline detection: 100 sec (server-assigned)

Remaining reauth attempts: 2

Online from: 2013/03/02 13:14:15

Online duration: 0h 2m 15s

Port-down keep online: Enabled

Table 10 Command output

Field

Description

Total connections

Total number of online static users.

User MAC address

MAC address of a static user.

M-LAG NAS-IP type

NAS-IP address type for the user if the user was authenticated on an M-LAG interface of the M-LAG system.

·     Local—Local NAS-IP address. The source IP address of outgoing RADIUS packets is an IP address on the local M-LAG member device.

·     Peer—Peer NAS-IP address. The source IP address of outgoing RADIUS packets is an IP address on the peer M-LAG member device.

M-LAG user state

Local state of the user on the M-LAG interface:

·     Active—The local M-LAG member device exchanges user authentication information with the AAA server.

·     Inactive—The peer M-LAG member device exchanges user authentication information with the AAA server.

Access interface

Interface through which the user accesses the device.

Username

Username.

User access state

Access state of the user:

·     Auth-Fail domain—The user is in the Auth-Fail domain.

·     Critical domain—The user is in the critical domain.

·     Preauth domain—The user is in the preauthentication domain.

·     Successful—The user has passed MAC authentication and accessed the network.

IPv4 address

User IPv4 address.

IPv6 address

User IPv6 address.

Initial VLAN

VLAN to which the user belongs before static user access authentication.

Authorization untagged VLAN

Untagged VLAN assigned to the user.

Authorization tagged VLAN

Tagged VLAN assigned to the user.

Authorization VSI

VSI assigned to the user.

Authorization microsegment ID

Microsegment ID assigned to the user.

Authorization ACL number/name

Number or name of the static ACL assigned to the user.

If no static ACL has been assigned to the user, this field displays N/A.

If ACL authorization failed, this field displays (NOT effective) next to the ACL number or name.

Authorization dynamic ACL name

Name of the dynamic ACL assigned to the user.

If no dynamic ACL has been assigned to the user, this field displays N/A.

If ACL authorization failed, this field displays (NOT effective) next to the ACL name.

Authorization user profile

Name of the user profile assigned to the user.

Authorization CAR

Authorization CAR attributes assigned by the server to the user:

·     Average input rate—Average rate of inbound traffic in kbps.

·     Peak input rate—Peak rate of inbound traffic in kbps.

·     Average output rate—Average rate of outbound traffic in kbps.

·     Peak output rate—Peak rate of outbound traffic in kbps.

If the device fails to assign the CAR attributes to the user, the Authorization CAR field displays (NOT effective).

If the server does not assign the peak rates, the peak rates by default are the same as the assigned average rates. In the current software version, the device does not support exclusive assignment of peak rates from the server.

If no authorization CAR attributes are assigned, this field displays N/A.

Authorization URL

Redirect URL assigned to the user.

Authorization IPv6 URL

IPv6 redirect URL assigned to the user.

Authorization temporary redirect

State of temporary redirection authorization:

·     Enabled—Temporary redirection is authorized. The HTTP or HTTPS redirection packets sent to the user carry status code 302.

·     Disabled—Temporary redirection is not authorized. The HTTP or HTTPS redirection packets sent to the user carry status code 200.

Start accounting

Start-accounting request result:

·     Successful.

·     Failed.

The device does not support accounting for users in the preauthentication domain. For such users, this field displays N/A.

Real-time accounting-update failures

Number of consecutive real-time accounting-update failures.

Termination action

Action attribute assigned by the server to terminate the user session:

·     Default—Logs off the online authenticated static user when the server-assigned session timeout timer expires. This attribute does not take effect when static user periodic reauthentication is enabled and the periodic reauthentication timer is shorter than the server-assigned session timeout timer.

·     RADIUS-request—Reauthenticates the online user when the server-assigned session timeout timer expires, regardless of whether the static user periodic reauthentication feature is enabled or not.

If the device performs local authentication, this field displays Default.

Session timeout period

Session timeout timer assigned by the server.

Offline detection

Offline detection setting for the user:

·     Ignore (command-configured)—The device does not perform offline detection for the user. The setting is configured from the CLI.

·     timer (command-configured)—Represents the offline detect timer. The timer is configured from the CLI.

·     Ignore (server-assigned)—The device does not perform offline detection for the user. The setting is assigned by a RADIUS server.

·     timer (server-assigned)—Represents the offline detect timer. The timer is assigned by a RADIUS server.

Remaining reauth attempts

Remaining number of reauthentication attempts. By default, the number of reauthentication attempts is not limited, and this field is not displayed.

Online from

Time from which the static user came online.

Online duration

Online duration of the static user.

Port-down keep online

Whether the device allows the user to stay online after the user's access interface goes down. The setting for this field depends on the shutdown-keep-online proprietary attribute issued by the RADIUS server.

·     Enabled—The device allows the user to stay online after the access interface goes down. This state is displayed if the RADIUS server assigned the shutdown-keep-online proprietary attribute and set the attribute not to 0.

·     Disabled (offline)—The device logs off the user when the access interface goes down. This state is displayed if the RADIUS server assigned the shutdown-keep-online proprietary attribute and set the attribute to 0, or the RADIUS server did not assign the attribute.
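The following Python example is added here and is not part of this reference or of the device software. It parses the record-style output of two commands in this chapter: display port-security mac-address m-lag sync-from-peer, to pull out the flush failure reasons that command's Operating mechanism section tells you to look for, and display port-security static-user connection, to flag sessions whose authorization shows (NOT effective) or whose start-accounting request failed. The sample outputs are constructed from the examples in this reference, with fields trimmed and one failing session added. The parser assumes records are separated by blank lines and that attributes nested under a field, such as the CAR rates, are indented deeper than the first line of their record.

```python
import re

# Constructed samples modelled on the examples in this reference, with some
# fields trimmed and one failing session added; not captured from a device.
SYNC_FROM_PEER_OUTPUT = """\
Total MAC address entries: 3

 MAC state                     : AUTH
 MAC address                   : 0010-9700-0001
 Authorization microsegment ID : 3
 Flush failure reason          : VSI doesn't exist

 MAC state                     : DOT1X
 MAC address                   : 0010-9700-0002
 Authorization microsegment ID : 3
 Flush failure reason          : MAC addition failed(0x4001001)

 MAC state                     : DOT1X
 MAC address                   : 0010-9700-0004
 Authorization microsegment ID : 3
"""

STATIC_USER_OUTPUT = """\
Total connections: 2

User MAC address: 0015-e9a6-7cfe
Access interface: Ten-GigabitEthernet3/0/1
IPv6 address: 2000:0:0:0:1:2345:6789:abcd
Authorization ACL number/name: 3001
Authorization CAR:
  Average input rate: 102400 kbps
  Peak input rate: 204800 kbps
Start accounting: Successful

User MAC address: 0016-e9a6-7cfe
Access interface: Ten-GigabitEthernet3/0/2
Authorization ACL number/name: 3001 (NOT effective)
Authorization CAR: N/A
Start accounting: Failed
"""


def parse_records(output):
    """Split 'Key: value' output into one dict per blank-line-separated record.

    The key is everything before the first colon, so IPv6 values survive.
    A line indented deeper than the first line of its record is stored as an
    attribute nested under the previous key (this is how the CAR rates appear).
    """
    records, current, base_indent, last_key = [], {}, None, None
    for raw in output.splitlines():
        if not raw.strip():
            if current:
                records.append(current)
            current, base_indent, last_key = {}, None, None
            continue
        indent = len(raw) - len(raw.lstrip())
        if base_indent is None:
            base_indent = indent
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue  # not a key/value line
        key, value = key.strip().rstrip(":").strip(), value.strip()
        if indent > base_indent and isinstance(current.get(last_key), dict):
            current[last_key][key] = value
        else:
            current[key] = {} if value == "" else value
            last_key = key
    if current:
        records.append(current)
    return records


def load(output):
    """Return (total, records): the count from the 'Total ...' header line and
    the per-entry records that follow it."""
    total, records = None, []
    for rec in parse_records(output):
        if len(rec) == 1 and next(iter(rec)).startswith("Total "):
            total = int(next(iter(rec.values())))
        else:
            records.append(rec)
    return total, records


def flush_failures(records):
    """Peer-synchronized entries that could not be flushed to the driver, with
    the hexadecimal error code parsed out of 'MAC addition failed(0x...)'."""
    failures = []
    for rec in records:
        reason = rec.get("Flush failure reason")
        if reason is None:
            continue  # entry was flushed; the field is absent
        m = re.search(r"\((0x[0-9A-Fa-f]+)\)", reason)
        failures.append({"mac": rec.get("MAC address"), "reason": reason,
                         "code": int(m.group(1), 16) if m else None})
    return failures


def risky_sessions(records):
    """Online static users whose authorization did not take effect or whose
    start-accounting request failed, as (mac, field, value) triples."""
    findings = []
    for rec in records:
        mac = rec.get("User MAC address")
        for key, value in rec.items():
            if isinstance(value, str) and "NOT effective" in value:
                findings.append((mac, key, value))
        if rec.get("Start accounting") == "Failed":
            findings.append((mac, "Start accounting", "Failed"))
    return findings
```

A session with an ineffective authorization ACL is the case to chase first: the user is online but the access restriction the server intended is not applied, so the finding should be treated as a policy gap rather than a cosmetic display issue.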

display port-security statistics

Use display port-security statistics to display port security statistics.

Syntax

In standalone mode:

display port-security statistics [ slot slot-number ]

In IRF mode:

display port-security statistics [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

slot slot-number: Specifies a card by its slot number. If you do not specify a card, this command displays port security statistics on all cards. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. If you do not specify a card, this command displays port security statistics on all cards of all IRF member devices. (In IRF mode.)

Examples

# Display port security statistics.

<Sysname> display port-security statistics

Slot ID: 0

Entries received from IPCIM:

  Entries notified to be added     : 0

  Entries notified to be deleted   : 0

  Entries actually added           : 0

  Entries actually deleted         : 0

Table 11 Command output

Field

Description

Slot ID

Slot number.

Entries received from IPCIM

Number of entries received by the port security module from the IP client information management (IPCIM) module. Values include:

·     Entries notified to be added—Number of user entries that IPCIM notified port security to add.

·     Entries notified to be deleted—Number of user entries that IPCIM notified port security to delete.

·     Entries actually added—Number of user entries that port security actually added.

·     Entries actually deleted—Number of user entries that port security actually deleted.

 

Related commands

reset port-security statistics

if-match

Use if-match to configure match criteria and actions for port security access users.

Use undo if-match to delete match criteria and actions for port security access users.

Syntax

if-match [ not ] acl mac acl-number action access-type { dot1x | mac-auth | static | web-auth } *

undo if-match [ not ] acl mac [ acl-number ]

Default

No match criteria and actions are configured for port security access users.

Views

Port security access policy view

Predefined user roles

network-admin

mdc-admin

Parameters

not: Does not match an ACL.

acl mac acl-number: Specifies a Layer 2 ACL by its number in the range of 4000 to 4999.

action: Specifies the action to take on users that match or do not match the specified ACL.

access-type: Specifies the authentication method for users that match or do not match the specified ACL.

·     dot1x: 802.1X authentication.

·     mac-auth: MAC authentication.

·     static: Static users.

·     web-auth: Web authentication.

Usage guidelines

Application scenarios

The current port security mechanism primarily controls access users based on the port. For example, when MAC authentication is enabled on a port, all users passing through this port can trigger MAC authentication. To allow only certain users to trigger MAC authentication and prevent the others from triggering it, configure the match criteria and actions for access users in a port security access policy to control port access users more precisely.

Operating mechanism

When configuring this feature in a port security access policy, follow these guidelines:

·     If the not keyword is not specified, the specified action is taken on users that match the specified ACL.

·     If the not keyword is specified, the specified action is taken on users that do not match the specified ACL.

Restrictions and guidelines

If you execute this command multiple times with the same ACL number specified, the most recent command takes effect. If you execute this command multiple times with different ACL numbers specified, all executed commands take effect.

If a user matches ACLs in multiple commands, only the action corresponding to the first matched ACL will be executed.

If you execute this command together with the port-security static-user match-mac acl command, a user first attempts to match the ACL specified in this command. If the user matches the ACL, the user will not continue to match the ACL specified in the port-security static-user match-mac acl command.
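A small Python model of the evaluation rules above, added here as an illustration and not taken from the switch software: rules are tried in the order entered, re-entering the same ACL replaces the earlier rule, the first match wins, and the ACL from port-security static-user match-mac acl is consulted only when no if-match rule matches. ACL contents are modelled as sets of MAC addresses. All ACL numbers and MAC addresses, the add_rule and resolve helper names, the placement of a replaced rule at the end of the order, and the treatment of a match-mac hit as selecting static-user access are assumptions of the example.

```python
# Assumed model (not the switch's own implementation): a port security access
# policy is an ordered list of if-match rules, and each Layer 2 ACL is
# modelled as the set of MAC addresses it matches. All ACL numbers and MACs
# below are constructed for the example.
ACLS = {
    4000: {"0010-9700-0001", "0010-9700-0002"},
    4001: {"0010-9700-0003"},
}
ACCESS_TYPES = {"dot1x", "mac-auth", "static", "web-auth"}


def add_rule(rules, acl, access_type, negate=False):
    """Model 'if-match [ not ] acl mac <acl> action access-type <type>'.

    Returns a new rule list. Re-entering a rule for the same ACL (in the
    same not/non-not form) replaces the earlier one, because the most recent
    command takes effect; that the replacement goes to the end of the
    evaluation order is an assumption of this model.
    """
    if not 4000 <= acl <= 4999:
        raise ValueError("Layer 2 ACL number must be in the range 4000 to 4999")
    if access_type not in ACCESS_TYPES:
        raise ValueError(f"unknown access type {access_type!r}")
    kept = [r for r in rules if (r["acl"], r["negate"]) != (acl, negate)]
    return kept + [{"acl": acl, "negate": negate, "access_type": access_type}]


def resolve(rules, mac, static_user_acl=None):
    """Decide which access type a MAC address gets under the policy.

    Rules are tried in order and the first one whose ACL test succeeds wins
    (plain rule: MAC is in the ACL; 'not' rule: MAC is not in the ACL).
    Only when no if-match rule matches is the ACL given to
    'port-security static-user match-mac acl' consulted; treating a match
    there as selecting static-user access is an assumption of this model.
    Returns (access_type, matched_command) or (None, 'no rule matched').
    """
    for rule in rules:
        in_acl = mac in ACLS.get(rule["acl"], set())
        if in_acl != rule["negate"]:
            prefix = "if-match not" if rule["negate"] else "if-match"
            return rule["access_type"], f"{prefix} acl mac {rule['acl']}"
    if static_user_acl is not None and mac in ACLS.get(static_user_acl, set()):
        return "static", f"port-security static-user match-mac acl {static_user_acl}"
    return None, "no rule matched"


def build_example_policy():
    """The policy from this command's own example: MAC authentication for
    users in ACL 4000, 802.1X for everyone else."""
    rules = add_rule([], 4000, "mac-auth")
    return add_rule(rules, 4000, "dot1x", negate=True)


if __name__ == "__main__":
    policy = build_example_policy()
    for mac in ("0010-9700-0001", "0010-9700-0003"):
        print(mac, "->", resolve(policy, mac))
```

Running a planned policy through resolve for each known endpoint class before applying it globally shows whether a later rule can ever be reached, which is the usual surprise when a not rule is entered early.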

Examples

# In the port security access policy named p1, configure MAC authentication for users that match ACL 4000 and 802.1X authentication for users that do not match ACL 4000.

<Sysname> system-view

[Sysname] port-security access-policy p1

[Sysname-portsec-access-policy-p1] if-match acl mac 4000 action access-type mac-auth

[Sysname-portsec-access-policy-p1] if-match not acl mac 4000 action access-type dot1x

Related commands

port-security access-policy

port-security access-user log enable

Use port-security access-user log enable to enable port security user logging.

Use undo port-security access-user log enable to disable port security user logging.

Syntax

port-security access-user log enable [ failed-authorization | mac-learning | violation | vlan-mac-limit ] *

undo port-security access-user log enable [ failed-authorization | mac-learning | violation | vlan-mac-limit ] *

Default

Port security user logging is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

failed-authorization: Logs authorization failures of 802.1X or MAC authentication users.

mac-learning: Logs MAC address learning events.

violation: Logs intrusion protection events.

vlan-mac-limit: Logs the first access attempt from a new MAC address in a VLAN after port security's MAC address limit for that VLAN is reached.

Usage guidelines

Application scenarios

Use this feature when you troubleshoot port security issues or when you need to view real-time information about the status of access users in port security.

To prevent excessive port security user log entries, use this feature only if you need to analyze abnormal port security user events.

Restrictions and guidelines

If you do not specify any parameters, this command enables all types of port security user logs.

With VLAN-MAC-limit logging, the system does not log any access attempts from new MAC addresses in a VLAN except the first one after the MAC address limit for that VLAN is reached.

Examples

# Enable intrusion protection event logging.

<Sysname> system-view

[Sysname] port-security access-user log enable violation

Related commands

info-center source portsec logfile deny (Network Management and Monitoring Command Reference)

port-security access-policy

Use port-security access-policy to create a port security access policy and enter its view, or to enter the view of an existing port security access policy.

Use undo port-security access-policy to delete a port security access policy.

Syntax

port-security access-policy policy-name

undo port-security access-policy policy-name

Default

No port security access policy exists.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

policy-name: Specifies a port security access policy name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Application scenarios

To simplify port security configuration, you can configure a port security access policy and uniformly apply it to all interfaces. By configuring match criteria and actions in port security access policy view, you can control port access users more granularly.

Restrictions and guidelines

A port security access policy only takes effect on users that come online for the first time, and does not affect the re-authentication process of existing online users.

Examples

# Create a port security access policy named p1 and enter its view.

<Sysname> system-view

[Sysname] port-security access-policy p1

Port security access policy created.

[Sysname-portsec-access-policy-p1]

port-security apply access-policy

Use port-security apply access-policy to globally apply a port security access policy.

Use undo port-security apply access-policy to restore the default.

Syntax

port-security apply access-policy policy-name

undo port-security apply access-policy

Default

No port security access policy is applied globally.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

policy-name: Specifies a port security access policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Application scenarios

Apply a configured port security access policy in system view to make it take effect on all interfaces on the device. An interface controls access users based on the ACL match criteria and actions configured in the port security access policy.

Prerequisites

Execute the port-security access-policy command in system view to create a port security access policy.

Restrictions and guidelines

Only one port security access policy can be applied globally.

Examples

# Apply the port security access policy named p1 in system view.

<Sysname> system-view

[Sysname] port-security apply access-policy p1

Related commands

port-security access-policy

port-security authentication open

Use port-security authentication open to enable open authentication mode on a port.

Use undo port-security authentication open to disable open authentication mode on a port.

Syntax

port-security authentication open

undo port-security authentication open

Default

Open authentication mode is disabled on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Application scenarios

In the initial phase of network deployment, administrators must gather details such as the number of users and their authentication methods to set up the RADIUS server for effective access control. Enabling 802.1X or MAC address authentication prematurely can prevent users from accessing the network if their information is not yet configured on the RADIUS server, hindering collection of sufficient user data.

This command enables access users (802.1X or MAC authentication users) of a port to come online and access the network even if they use nonexistent usernames or incorrect passwords.

Access users that come online with a nonexistent username or incorrect password from a port in open authentication mode are called open users. Authorization and accounting are not available for open users. To display open user information, use the following commands:

·     display dot1x connection open.

·     display mac-authentication connection open.

Open users do not include those users that are normally authenticated to come online from a port in open authentication mode.

Restrictions and guidelines

This feature is only applicable to 802.1X and MAC authentication users.

The open authentication mode setting has lower priority than the 802.1X Auth-Fail VLAN and the MAC authentication guest VLAN. Open authentication mode does not take effect on a port if the port is also configured with the 802.1X Auth-Fail VLAN or the MAC authentication guest VLAN.

The open authentication mode setting has lower priority than the 802.1X Auth-Fail VSI and the MAC authentication guest VSI. Open authentication mode does not take effect on a port if the port is also configured with the 802.1X Auth-Fail VSI or the MAC authentication guest VSI.

Examples

# Enable open authentication mode on Ten-GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security authentication open

Related commands

display dot1x connection

display mac-authentication connection

port-security authentication open global

port-security authentication open global

Use port-security authentication open global to enable global open authentication mode.

Use undo port-security authentication open global to disable global open authentication mode.

Syntax

port-security authentication open global

undo port-security authentication open global

Default

Global open authentication mode is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

You can enable open authentication mode globally or on a per-port basis by using the port-security authentication open command.

·     Global open authentication mode is applicable to the same scenario and has the same restrictions and guidelines as per-interface open authentication mode settings.

·     If global open authentication mode is enabled, the setting applies to all ports.

·     If global open authentication mode is disabled, the per-port settings apply.

Examples

# Enable global open authentication mode.

<Sysname> system-view

[Sysname] port-security authentication open global

Related commands

display dot1x connection

display mac-authentication connection

port-security authentication open

port-security authentication-profile

Use port-security authentication-profile to bind an interface to a port security authentication profile.

Use undo port-security authentication-profile to restore the default.

Syntax

port-security authentication-profile profile-name

undo port-security authentication-profile [ profile-name ]

Default

No port security authentication profile is bound to an interface.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Parameters

profile-name: Specifies the name of a port security authentication profile, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Operating mechanism

After an interface is bound to a port security authentication profile, the interface uses the configuration of the bound profile to perform authentication for access users.

·     For functions available in both interface view and port security authentication profile view (the commands might differ), the interface-view configuration of those functions is deleted, whether or not they are also configured in the profile. To use those functions on the interface, configure them in the bound port security authentication profile.

·     Functions available only in interface view take effect on the interface once they are configured there.

·     The authentication mode used on a port is determined by the 802.1X access profile and MAC authentication access profile bound to the port security authentication profile.

After an interface is bound to a port security authentication profile, the interface supports only MAC-based authentication. If you bind a MAC authentication access profile to the port security authentication profile, the interface will use MAC authentication. If you bind an 802.1X access profile to the port security authentication profile, the interface will use 802.1X authentication in MAC-based access control.

Prerequisites

To bind an interface to a port security authentication profile, first create the profile by using the port-security authentication-profile name command in system view.

Restrictions and guidelines

A port security authentication profile can be bound to different interfaces. An interface can be bound to only one port security authentication profile. To change the bound port security authentication profile of an interface, you must first unbind the profile from the interface.

As a best practice to avoid authentication anomalies on an interface, do not both apply a port security authentication profile and configure 802.1X port-based access control on the interface. (The 802.1X port-based access control is configured by using the dot1x port-method portbased command.)

Examples

# Bind GigabitEthernet 1/0/1 to port security authentication profile 123.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port-security authentication-profile 123

Related commands

display port-security authentication-profile

port-security authentication-profile name

Use port-security authentication-profile name to create a port security authentication profile and enter its view, or enter the view of an existing port security authentication profile.

Use undo port-security authentication-profile name to delete a port security authentication profile.

Syntax

port-security authentication-profile name profile-name

undo port-security authentication-profile name profile-name

Default

No port security authentication profiles exist.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

profile-name: Specifies the name of a port security authentication profile, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Application scenarios

To implement fast port security authentication on users, the device uses port security authentication profiles for unified management of the access authentication configuration. In a port security authentication profile, you can bind 802.1X and MAC authentication access profiles and configure the authentication order to control user access.

Restrictions and guidelines

After the authentication profile bound to an interface takes effect, deleting the bound authentication profile will cause abnormal disconnection of online users on the interface.

Examples

# Create port security authentication profile aaa and enter its view.

<Sysname> system-view

[Sysname] port-security authentication-profile name aaa

[Sysname-portsec-auth-prof-aaa]

Related commands

display port-security authentication-profile

port-security authorization ignore

Use port-security authorization ignore to configure a port to ignore the authorization information received from the authentication server (a RADIUS server or the local device).

Use undo port-security authorization ignore to restore the default.

Syntax

port-security authorization ignore

undo port-security authorization ignore

Default

A port uses the authorization information from the server.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

After a user passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user account. For example, the server can assign a VLAN. If you do not want the port to use such authorization attributes for users, use this command to ignore the authorization information from the server.

For 802.1X and MAC authentication users, this command ignores all attributes assigned by the server except the Termination-Action and Session-Timeout attributes. For Web authentication users, this command ignores all attributes assigned by the server.

Examples

# Configure Ten-GigabitEthernet 3/0/1 to ignore the authorization information from the authentication server.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security authorization ignore

Related commands

display port-security

port-security authorization-fail offline

Use port-security authorization-fail offline to enable the authorization-fail-offline feature.

Use undo port-security authorization-fail offline to disable the authorization-fail-offline feature.

Syntax

port-security authorization-fail offline [ quiet-period ]

undo port-security authorization-fail offline

Default

The authorization-fail-offline feature is disabled. The device does not log off users that have failed authorization.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

quiet-period: Enables the quiet timer for 802.1X or MAC authentication users that are logged off by the authorization-fail-offline feature. The device adds these users to the 802.1X or MAC authentication quiet queue. Within the quiet timer, the device does not process packets from these users or authenticate them. If you do not specify this keyword, the quiet timer feature is disabled for users that are logged off by the authorization-fail-offline feature. The device immediately authenticates these users upon receiving packets from them.

Usage guidelines

Application scenarios

The authorization-fail-offline feature logs off port security users that have failed ACL authorization.

A user fails ACL authorization in the following situations:

·     The device or server fails to assign the specified ACL to the user.

·     The device or server assigns an ACL that does not exist on the device to the user.

If this feature is disabled, the device does not log off users that have failed ACL authorization. However, the device outputs messages to report the failure.

Prerequisites

For the quiet-period keyword to take effect, complete the following tasks:

·     For 802.1X users, use the dot1x quiet-period command to enable the quiet timer and use the dot1x timer quiet-period command to set the timer.

·     For MAC authentication users, use the mac-authentication timer quiet command to set the quiet timer for MAC authentication.

Restrictions and guidelines

This feature does not apply to VLAN authorization failures. The device logs off users that have failed to obtain an authorization VLAN.

Examples

# Enable the authorization-fail-offline feature.

<Sysname> system-view

[Sysname] port-security authorization-fail offline

Related commands

display port-security

dot1x quiet-period

dot1x timer quiet-period

mac-authentication timer

port-security auth-order

Use port-security auth-order to configure the port security authentication order.

Use undo port-security auth-order to restore the default.

Syntax

port-security auth-order { dot1x-mac [ parallel ] | mac-dot1x [ multiple ] }

undo port-security auth-order

Default

After a port receives a packet with an unknown source MAC address, it performs 802.1X authentication and then MAC authentication for the user.

Views

Port security authentication profile view

Predefined user roles

network-admin

mdc-admin

Parameters

dot1x-mac: Performs 802.1X authentication and then MAC authentication.

parallel: Enables parallel 802.1X and MAC authentication processing. The port performs 802.1X authentication and MAC authentication simultaneously, and once either authentication is successful, the user can go online. If you do not specify this keyword, a user can perform MAC authentication only after it completes 802.1X authentication.

mac-dot1x: Performs MAC address authentication and then 802.1X authentication.

multiple: Enables multi-authentication mode. To go online, a user must pass MAC authentication successfully and then pass 802.1X authentication successfully. If you do not specify this keyword, a user can go online after passing either MAC or 802.1X authentication.

Usage guidelines

Operating mechanism

You can configure the access authentication order on a port enabled with both 802.1X and MAC authentication methods.

·     In dot1x-mac order, for a port to perform MAC authentication and assign an authorization VLAN or authorization VSI before it joins the 802.1X guest VLAN or guest VSI, enable parallel 802.1X and MAC authentication processing by using the parallel keyword and enable 802.1X guest VLAN or VSI assignment delay. For information about the commands for enabling 802.1X guest VLAN or VSI assignment delay, see 802.1X commands.

·     In mac-dot1x order, to allow a user to go online only after the user passes both MAC and 802.1X authentication, enable multi-authentication mode by using the multiple keyword.
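The following model of the auth-order decision logic is an added example, not H3C code: it shows, for each of the four settings the syntax allows, which authentication methods actually run for an unknown source MAC and whether the user comes online. The two authenticators are constructed stand-ins for the device's 802.1X and MAC authentication exchanges.

```python
"""Model of 'port-security auth-order' (added example, not H3C code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# An authenticator takes the user's MAC and returns True if that method passes.
Authenticator = Callable[[str], bool]


@dataclass(frozen=True)
class AuthOrder:
    """One auth-order setting from a port security authentication profile."""
    order: str               # "dot1x-mac" or "mac-dot1x"
    parallel: bool = False   # only valid with dot1x-mac
    multiple: bool = False   # only valid with mac-dot1x

    def __post_init__(self) -> None:
        # Mirror the command syntax: 'parallel' pairs with dot1x-mac,
        # 'multiple' pairs with mac-dot1x.
        if self.order not in ("dot1x-mac", "mac-dot1x"):
            raise ValueError(f"unknown order {self.order!r}")
        if self.parallel and self.order != "dot1x-mac":
            raise ValueError("'parallel' is only valid with dot1x-mac")
        if self.multiple and self.order != "mac-dot1x":
            raise ValueError("'multiple' is only valid with mac-dot1x")


def is_valid_setting(order: str, parallel: bool = False, multiple: bool = False) -> bool:
    """True if the keyword combination is one the command syntax accepts."""
    try:
        AuthOrder(order, parallel, multiple)
        return True
    except ValueError:
        return False


def admit_user(cfg: AuthOrder, mac: str, dot1x: Authenticator,
               mac_auth: Authenticator) -> Tuple[bool, List[str]]:
    """Return (user_comes_online, methods_attempted) for one unknown source MAC."""
    attempted: List[str] = []
    if cfg.order == "dot1x-mac":
        if cfg.parallel:
            # Both methods run at the same time; either success admits the user.
            attempted += ["dot1x", "mac"]
            results = [dot1x(mac), mac_auth(mac)]
            return any(results), attempted
        # Sequential: MAC authentication starts only after 802.1X has completed.
        attempted.append("dot1x")
        if dot1x(mac):
            return True, attempted
        attempted.append("mac")
        return mac_auth(mac), attempted

    # mac-dot1x order: MAC authentication first.
    attempted.append("mac")
    mac_ok = mac_auth(mac)
    if cfg.multiple:
        # Multi-authentication: MAC must pass, then 802.1X must also pass.
        if not mac_ok:
            return False, attempted
        attempted.append("dot1x")
        return dot1x(mac), attempted
    # Default mac-dot1x: passing either method is enough.
    if mac_ok:
        return True, attempted
    attempted.append("dot1x")
    return dot1x(mac), attempted


# Constructed stand-ins for the RADIUS-backed exchanges: 802.1X knows one
# supplicant, MAC authentication knows that MAC plus one more.
DOT1X_KNOWN = {"00-11-22-33-44-55"}
MAC_KNOWN = {"00-11-22-33-44-55", "aa-bb-cc-dd-ee-ff"}


def dot1x_stub(mac: str) -> bool:
    return mac in DOT1X_KNOWN


def mac_stub(mac: str) -> bool:
    return mac in MAC_KNOWN


def compare_orders(mac: str) -> Dict[str, Tuple[bool, List[str]]]:
    """Run one MAC through all four settings the syntax allows."""
    settings = {
        "dot1x-mac": AuthOrder("dot1x-mac"),
        "dot1x-mac parallel": AuthOrder("dot1x-mac", parallel=True),
        "mac-dot1x": AuthOrder("mac-dot1x"),
        "mac-dot1x multiple": AuthOrder("mac-dot1x", multiple=True),
    }
    return {name: admit_user(cfg, mac, dot1x_stub, mac_stub)
            for name, cfg in settings.items()}


if __name__ == "__main__":
    # A MAC known only to MAC authentication: online under every order except 'multiple'.
    for name, (online, tried) in compare_orders("aa-bb-cc-dd-ee-ff").items():
        print(f"{name:20s} online={online!s:5s} attempted={tried}")
```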

Prerequisites

To use combined 802.1X and MAC authentication on a port, you must enable both authentication methods and configure the access control method of 802.1X authentication as macbased.

Restrictions and guidelines

Changing the access authentication order by using the port-security auth-order command will result in authentication failure for users that are currently being authenticated. The users must trigger authentication again in order to go online. To avoid such authentication failures, change the authentication order only when necessary. 

If parallel 802.1X and MAC authentication processing is enabled, do not configure MAC authentication delay as a best practice.

Examples

# Enable MAC and 802.1X multi-authentication mode in port security authentication profile 123.

<Sysname> system-view

[Sysname] port-security authentication-profile name 123

[Sysname-portsec-auth-profile-123] port-security auth-order mac-dot1x multiple

Related commands

mac-authentication parallel-with-dot1x

port-security triple-auth-order mac-dot1x-web

port-security port-mode mac-and-userlogin-secure-ext

port-security enable

Use port-security enable to enable port security.

Use undo port-security enable to disable port security.

Syntax

port-security enable

undo port-security enable

Default

Port security is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Application scenarios

Port security provides different modes to control MAC address learning and define combined authentication methods on ports. With port security, you can configure basic port authentication in a simplified way to ensure that the device learns only legitimate source MAC addresses for network security.

To have port security mode settings take effect, you must enable port security.

Restrictions and guidelines

You must disable global 802.1X and MAC authentication before you enable port security on a port.

Enabling or disabling port security resets the following security settings to the default:

·     802.1X access control mode is MAC-based.

·     Port authorization state is auto.

These settings are not configurable after port security is enabled.

When online users are present on a port, disabling port security logs off the online users.

Examples

# Enable port security.

<Sysname> system-view

[Sysname] port-security enable

Related commands

display port-security

dot1x

dot1x port-control

dot1x port-method

mac-authentication

port-security escape critical-vsi

Use port-security escape critical-vsi to enable the escape critical VSI feature for 802.1X and MAC authentication users on a port.

Use undo port-security escape critical-vsi to disable the escape critical VSI feature for 802.1X and MAC authentication users on a port.

Syntax

port-security escape critical-vsi

undo port-security escape critical-vsi

Default

The escape critical VSI feature is disabled on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Application scenarios

The escape critical VSI feature operates on VXLAN networks. It enables 802.1X and MAC authentication users to escape the authentication failure that occurs because the RADIUS server is malfunctioning.

You can enable this feature temporarily to prevent 802.1X and MAC authentication service interruption while you are troubleshooting a malfunctioning RADIUS server.

The escape critical VSI feature operates as follows after it is enabled on a port:

·     New 802.1X or MAC authentication users are automatically granted access to the VXLAN associated with the critical VSI for 802.1X or MAC authentication, respectively, without undergoing authentication. The escape critical VSI feature does not affect 802.1X or MAC authentication users that have been online before this feature is enabled.

·     If you use the mac-authentication critical vsi critical-vsi-name url-user-logoff command in conjunction with this feature, MAC authentication users that have been assigned authorization URLs on the port will be logged off. For more information, see MAC authentication in Security Configuration Guide.

The escape critical VSI feature does not take effect on a new 802.1X or MAC authentication user if any of the following conditions exists:

·     The 802.1X client and the device use different EAP message handling methods.

·     802.1X MAC address binding is enabled on the user's access port, but the MAC address of the 802.1X user is not bound to that port.

·     The user's MAC address is an all-zero, all-F, or multicast MAC address.

When you disable the escape critical VSI feature on a port, the device handles users in the critical VSIs on the port as follows:

·     If the global escape critical VSI feature is enabled, the users are not removed from the critical VSIs on the port.

·     If the global escape critical VSI feature is disabled, the users are removed from the critical VSIs on the port. The users must perform authentication to come online again on the port.

Prerequisites

Make sure an 802.1X critical VSI or a MAC authentication critical VSI is configured on the port, depending on its authentication mode.

Restrictions and guidelines

For the escape critical VSI feature to operate correctly on a port, make sure the port does not have the following settings:

·     Web authentication.

·     Guest, Auth-Fail, or critical VLAN for 802.1X authentication.

·     Guest or critical VLAN for MAC authentication.

Examples

# Enable the escape critical VSI on Ten-GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security escape critical-vsi

Please make sure the port is configured with the 802.1X and MAC authentication critical VSIs. Continue? [Y/N]:y

Related commands

dot1x critical vsi

mac-authentication critical vsi

port-security global escape critical-vsi

vsi (VXLAN Command Reference)

port-security free-vlan

Use port-security free-vlan to configure free VLANs for port security.

Use undo port-security free-vlan to restore the default.

Syntax

port-security free-vlan vlan-id-list

undo port-security free-vlan [ vlan-id-list ]

Default

No free VLANs are configured for port security on a port. Authentication will be triggered by packets from users in any VLAN on the port that is configured with 802.1X, MAC authentication, or a port security authentication mode.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Parameters

vlan-id-list: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of start-vlan-id to end-vlan-id. The value range for VLAN IDs is 1 to 4094. The end VLAN ID must be equal to or greater than the start VLAN ID.

Usage guidelines

Application scenarios

This command allows packets from the specified VLANs to not trigger 802.1X or MAC authentication on a port configured with any of the following features:

·     802.1X authentication.

·     MAC authentication.

·     Any of the following port security modes:

¡     userLogin.

¡     userLoginSecure.

¡     userLoginWithOUI.

¡     userLoginSecureExt.

¡     macAddressWithRadius.

¡     macAddressOrUserLoginSecure.

¡     macAddressElseUserLoginSecure.

¡     macAddressOrUserLoginSecureExt.

¡     macAddressElseUserLoginSecureExt.

Restrictions and guidelines

Execute this command multiple times to specify multiple free VLANs for port security.

If you do not specify the vlan-id-list argument when executing the undo port-security free-vlan command, the command deletes all free VLANs.

Examples

# Configure free VLANs for port security on Ten-GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security free-vlan 2 3

Related commands

display port-security

port-security global escape critical-vsi

Use port-security global escape critical-vsi to enable the escape critical VSI feature globally for 802.1X and MAC authentication users.

Use undo port-security global escape critical-vsi to disable the escape critical VSI feature globally for 802.1X and MAC authentication users.

Syntax

port-security global escape critical-vsi

undo port-security global escape critical-vsi

Default

The global escape critical VSI feature is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Application scenarios

The escape critical VSI feature operates on VXLAN networks. It enables 802.1X and MAC authentication users to escape the authentication failure that occurs because the RADIUS server is malfunctioning.

You can enable this feature temporarily to prevent 802.1X and MAC authentication service interruption while you are troubleshooting a malfunctioning RADIUS server.

The global escape critical VSI feature applies to all ports. The escape critical VSI feature operates as follows on a port:

·     New 802.1X or MAC authentication users on any ports are automatically granted access to the VXLAN associated with the critical VSI for 802.1X or MAC authentication, respectively, without undergoing authentication. The escape critical VSI feature does not affect 802.1X or MAC authentication users that have been online before this feature is enabled.

·     If you use the mac-authentication critical vsi critical-vsi-name url-user-logoff command in conjunction with this feature, MAC authentication users that have been assigned authorization URLs on the port will be logged off. For more information, see MAC authentication in Security Configuration Guide.

The global escape critical VSI feature does not take effect on a new 802.1X or MAC authentication user if any of the following conditions exists:

·     The 802.1X client and the device use different EAP message handling methods.

·     802.1X MAC address binding is enabled on the user's access port, but the MAC address of the 802.1X user is not bound to that port.

·     The user's MAC address is an all-zero, all-F, or multicast MAC address.

When you disable the global escape critical VSI feature, the device handles users in the critical VSIs on each port as follows:

·     If the escape critical VSI feature is enabled on the port, the users on the port are not removed from the critical VSIs.

·     If the escape critical VSI feature is disabled on the port, the users on the port are removed from the critical VSIs. The users must perform authentication to come online again on the port.

Prerequisites

Make sure an 802.1X critical VSI or a MAC authentication critical VSI is configured on each of the ports configured with port security, depending on their authentication mode.

Restrictions and guidelines

The global escape critical VSI feature applies to all ports.

For the escape critical VSI feature to operate correctly on a port, make sure the port does not have the following settings:

·     Web authentication.

·     Guest, Auth-Fail, or critical VLAN for 802.1X authentication.

·     Guest or critical VLAN for MAC authentication.

Examples

# Enable the global escape critical VSI feature.

<Sysname> system-view

[Sysname] port-security global escape critical-vsi

Please make sure critical VSI settings exist. Continue? [Y/N]:y

Related commands

dot1x critical vsi

mac-authentication critical vsi

port-security escape critical-vsi

vsi (VXLAN Command Reference)

port-security intrusion-mode

Use port-security intrusion-mode to configure the intrusion protection action to take when intrusion protection detects illegal frames on a port.

Use undo port-security intrusion-mode to restore the default.

Syntax

port-security intrusion-mode { blockmac | disableport | disableport-temporarily }

undo port-security intrusion-mode

Default

Intrusion protection is disabled.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Parameters

blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses for a period set by the block timer. A blocked MAC address will be unblocked when the block timer expires. The timer is configurable with the port-security timer blockmac command. To display the blocked MAC address list, use the display port-security mac-address block command.

disableport: Disables the port permanently when an illegal frame is received on the port.

disableport-temporarily: Disables the port for a period of time whenever it receives an illegal frame. You can use the port-security timer disableport command to set the period.

Usage guidelines

Application scenarios

After you enable port security, you can configure different intrusion protection actions to take on different ports, depending on the network configuration.

Prerequisites

Enable port security.

Configure a port security mode that supports intrusion protection on the port:

·     autoLearn.

·     secure.

·     userLoginSecure.

·     userLoginSecureExt.

·     userLoginWithOUI.

·     macAddressWithRadius.

·     macAddressOrUserLoginSecure.

·     macAddressOrUserLoginSecureExt.

·     macAddressElseUserLoginSecure.

·     macAddressElseUserLoginSecureExt.

·     macAddressAndUserLoginSecureExt.

Restrictions and guidelines

To bring up the port disabled by the intrusion protection feature, use the undo shutdown command.

When strict intrusion protection is enabled on a port, you cannot change the intrusion protection action to blockmac on that port. To change the intrusion protection action to blockmac, you must first disable strict intrusion protection on that port.
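The following model of the three intrusion protection actions is an added example, not H3C code. It shows how the blockmac block timer, the permanent disableport action (cleared only by undo shutdown), and the restarting disableport-temporarily period affect which frames the port forwards; the timer values, MAC addresses and timeline are constructed, and time is a plain second counter so the block runs offline.

```python
"""Model of 'port-security intrusion-mode' actions (added example, not H3C code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MODES = ("blockmac", "disableport", "disableport-temporarily")


@dataclass
class IntrusionProtection:
    mode: str
    blockmac_timer: int = 180      # assumed 'port-security timer blockmac' value (seconds)
    disableport_timer: int = 20    # assumed 'port-security timer disableport' value (seconds)
    blocked: Dict[str, int] = field(default_factory=dict)  # MAC -> time it is unblocked
    down_until: Optional[float] = None  # None: port up; inf: down until 'undo shutdown'

    def __post_init__(self) -> None:
        if self.mode not in MODES:
            raise ValueError(f"unknown intrusion-mode {self.mode!r}")

    def _purge(self, now: int) -> None:
        # A blocked MAC is unblocked once its block timer expires.
        self.blocked = {m: t for m, t in self.blocked.items() if t > now}

    def on_illegal_frame(self, src_mac: str, now: int) -> None:
        """Apply the configured action when intrusion protection sees an illegal frame."""
        if self.mode == "blockmac":
            self._purge(now)
            # Assumption: a MAC that is already blocked keeps its original timer.
            self.blocked.setdefault(src_mac, now + self.blockmac_timer)
        elif self.mode == "disableport":
            self.down_until = float("inf")                  # permanent until undo shutdown
        else:
            self.down_until = now + self.disableport_timer  # every illegal frame restarts it

    def undo_shutdown(self) -> None:
        """Operator runs 'undo shutdown' to bring the port back up."""
        self.down_until = None

    def port_is_up(self, now: int) -> bool:
        if self.down_until is None:
            return True
        if now >= self.down_until:
            self.down_until = None   # temporary disable period has expired
            return True
        return False

    def blocked_macs(self, now: int) -> List[str]:
        """What 'display port-security mac-address block' would list at this time."""
        self._purge(now)
        return sorted(self.blocked)

    def forwards(self, src_mac: str, now: int) -> bool:
        """Would a frame from src_mac be forwarded on this port at this time?"""
        if not self.port_is_up(now):
            return False
        return src_mac not in self.blocked_macs(now)


ROGUE = "00-11-22-33-44-55"   # constructed offending MAC
GOOD = "aa-bb-cc-dd-ee-ff"    # constructed legitimate MAC on the same port


def demo_blockmac() -> dict:
    ip = IntrusionProtection("blockmac", blockmac_timer=180)
    ip.on_illegal_frame(ROGUE, now=0)
    return {
        "listed_at_10": ip.blocked_macs(10),      # ['00-11-22-33-44-55']
        "rogue_at_10": ip.forwards(ROGUE, 10),    # False: discarded while blocked
        "good_at_10": ip.forwards(GOOD, 10),      # True: only the offending MAC is blocked
        "rogue_at_180": ip.forwards(ROGUE, 180),  # True: block timer expired
    }


def demo_disableport() -> dict:
    ip = IntrusionProtection("disableport")
    ip.on_illegal_frame(ROGUE, now=0)
    was_down = not ip.port_is_up(10_000)          # still down long afterwards
    ip.undo_shutdown()
    return {"down_without_undo": was_down, "up_after_undo": ip.port_is_up(10_001)}


def demo_disableport_temporarily() -> dict:
    ip = IntrusionProtection("disableport-temporarily", disableport_timer=20)
    ip.on_illegal_frame(ROGUE, now=0)             # down until 20
    down_at_15 = not ip.port_is_up(15)
    ip.on_illegal_frame(ROGUE, now=15)            # restarts the period: down until 35
    return {"down_at_15": down_at_15,
            "down_at_25": not ip.port_is_up(25),
            "up_at_35": ip.port_is_up(35)}


if __name__ == "__main__":
    print("blockmac:", demo_blockmac())
    print("disableport:", demo_disableport())
    print("disableport-temporarily:", demo_disableport_temporarily())
```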

Examples

# Configure Ten-GigabitEthernet 3/0/1 to block the source MAC addresses of illegal frames after intrusion protection detects the illegal frames.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security intrusion-mode blockmac

Related commands

display port-security

display port-security mac-address block

port-security timer blockmac

port-security strict-intrusion-protection enable

port-security timer disableport

port-security link-down action

Use port-security link-down action to configure the action to be taken on online users when their access ports go down.

Use undo port-security link-down action to restore the default.

Syntax

port-security link-down action { keep-online | offline-delay delay-value }

undo port-security link-down action

Default

The device immediately logs off online users when their access ports go down.

Views

Port security authentication profile view

Predefined user roles

network-admin

mdc-admin

Parameters

keep-online: Allows online users to stay online when their access ports go down.

offline-delay delay-value: Delays logging off online users when their access ports go down. The delay-value argument represents the logoff delay time, in the range of 0 to 60 seconds.

Usage guidelines

Application scenarios

By default, the device immediately logs off online users when their access ports go down. When the ports come up, the users must be reauthenticated to come online. To prevent users from having to repeatedly be reauthenticated and come online in the event of frequent port flapping, you can configure the following actions for online users as needed:

·     keep-online—Allows online users to stay online when their access ports go down. When the ports come up, the users can come online without being reauthenticated.

·     offline-delay—Delays logging off online users when their access ports go down.

¡     If the access ports come up before the delay time expires, the users can come online without being reauthenticated.

¡     If the access ports do not come up before the delay time expires, the users are logged off when the delay time expires. When the ports come up, the users must be reauthenticated to come online.

Restrictions and guidelines

This command takes effect for online users on a port only when the port automatically goes down due to link abnormalities. It does not take effect when the port goes down manually by executing the shutdown command.

This command takes effect for online users on a port only if you configure it while that access port is up. It does not take effect for online users on a port that is down when you configure it, and in that case modifying or deleting the configuration does not take effect on that port either.

Examples

# Delay logging off online users by 5 seconds when their access ports go down.

<Sysname> system-view

[Sysname] port-security authentication-profile name abc

Port security authentication profile created.

[Sysname-portsec-auth-prof-abc] port-security link-down action offline-delay 5

Related commands

port-security authentication-profile name

port-security m-lag load-sharing-mode

Use port-security m-lag load-sharing-mode to configure the authentication load sharing mode for users attached to M-LAG interfaces.

Use undo port-security m-lag load-sharing-mode to restore the default.

Syntax

port-security m-lag load-sharing-mode { centralized | distributed { even-mac | local | odd-mac } }

undo port-security m-lag load-sharing-mode

Default

Centralized mode applies.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

centralized: Specifies centralized mode. In this mode, the primary M-LAG member device processes authentication services for all users attached to any M-LAG interfaces in the system.

distributed { even-mac | local | odd-mac }: Specifies distributed mode and sets the distributed authentication processing mode. In distributed mode, both M-LAG member devices provide authentication services for users attached to the M-LAG interfaces according to the distributed authentication processing mode.

even-mac: Specifies the even-source MAC distribution authentication processing mode. If you set this mode on an M-LAG member device, the M-LAG member device will process authentication services for all users with even MAC addresses and attached to any M-LAG interfaces in the M-LAG system.

local: Uses the local device to process authentication for users attached to the local M-LAG interfaces.

odd-mac: Specifies the odd-source MAC distribution authentication processing mode. If you set this mode on an M-LAG member device, the M-LAG member device will process authentication services for all users with odd MAC addresses and attached to any M-LAG interfaces in the M-LAG system.

Usage guidelines

Application scenarios

In an M-LAG system, one M-LAG member device automatically synchronizes user data to the other M-LAG member device upon each successful user authentication. This ensures that when one M-LAG member device fails, the other member device can take over to process authentication services for all users.

Make sure the M-LAG member devices are consistent in authentication load sharing settings for users attached to M-LAG interfaces.

·     Centralized mode—Configure both devices to operate in centralized mode for user authentication.

·     Distributed local mode—Configure both M-LAG member devices to operate in distributed local mode for user authentication.

·     Distributed even-/odd-MAC mode—Configure one M-LAG member device in distributed even-MAC mode and the other to operate in distributed odd-MAC mode for user authentication.

Restrictions and guidelines

CAUTION:

To avoid user logoffs caused by configuration conflicts, do not change the authentication load sharing mode for users on M-LAG interfaces when port security, 802.1X, or MAC authentication is enabled.


This command takes effect only on 802.1X, Web authentication, and MAC authentication users attached to M-LAG interfaces in an M-LAG environment.

In an M-LAG system, the M-LAG member devices exchange configuration information with each other to check for configuration conflicts. If a configuration conflict exists, the M-LAG member devices do not allow new users to come online.

To ensure correct user data processing, follow these guidelines when you configure the peer aggregate interfaces on each remote access device connected to the M-LAG interfaces:

·     If the M-LAG system uses distributed local mode for user authentication, link-aggregation load sharing on the access device can only be based on one of the following criteria:

¡     Destination IP address.

¡     Destination MAC address.

¡     Source IP address.

¡     Source MAC address.

·     In an 802.1X authentication scenario, you must configure the access device to ignore all packet fields except the source MAC if it uses the default link-aggregation load sharing mode.

In centralized mode, if all member ports of an M-LAG interface belong only to one M-LAG member device and the M-LAG interface forwards authentication traffic, users attached to the M-LAG interface cannot come online. To ensure that users attached to such M-LAG interfaces can come online, do not set the authentication load sharing mode to centralized mode.

For more information about M-LAG, see Layer 2—LAN Switching Configuration Guide. For more information about link aggregation load sharing, see Ethernet link aggregation in Layer 2—LAN Switching Configuration Guide.

Examples

# Set the authentication load sharing mode to distributed local mode for users attached to M-LAG interfaces.

<Sysname> system-view

[Sysname] port-security m-lag load-sharing-mode distributed local

Changing the load sharing mode will log off all online users on M-LAG interfaces. Continue? [Y/N]:y

[Sysname]

Related commands

display port-security

link-aggregation global load-sharing mode (Layer 2—LAN Switching Command Reference)

link-aggregation load-sharing ignore (Layer 2—LAN Switching Command Reference)

port-security mac-address aging-type inactivity

Use port-security mac-address aging-type inactivity to enable inactivity aging for secure MAC addresses.

Use undo port-security mac-address aging-type inactivity to disable inactivity aging for secure MAC addresses.

Syntax

port-security mac-address aging-type inactivity

undo port-security mac-address aging-type inactivity

Default

The inactivity aging feature is disabled for secure MAC addresses.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Application scenarios

The inactivity aging feature prevents unauthorized use of a secure MAC address when the authorized user is offline. The feature also removes outdated secure MAC addresses so that new secure MAC addresses can be learned or configured.

Operating mechanism

The inactivity aging feature periodically detects traffic data from secure MAC addresses.

If only the aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the secure MAC addresses. When you use the aging timer together with the inactivity aging feature, the aging timer restarts once traffic data is detected from the secure MAC addresses. A secure MAC address ages out when its lifetime expires because no traffic has been detected from it.

If this feature is enabled on a Layer 2 Ethernet interface, the lifetime of a secure MAC address depends on the aging timer (configured by using the port-security timer autolearn aging command).

·     If the aging timer is equal to or greater than 60 seconds, port security detects traffic from the secure MAC addresses on the interface at intervals of 30 seconds. The lifetime of a secure MAC address is a multiple of 30.

¡     If the aging timer is also a multiple of 30, the lifetime of a secure MAC address is equal to the aging timer.

¡     If the aging timer is not a multiple of 30, the lifetime of a secure MAC address is equal to the aging timer rounded up to the nearest multiple of 30.

For example, if the aging timer is 80 seconds, the lifetime of a secure MAC address will be 90 seconds.

·     If the aging timer is less than 60 seconds, the traffic detection interval equals the aging timer. The lifetime of a secure MAC address is equal to the aging timer.

This secure MAC lifetime calculation mechanism on Layer 2 Ethernet interfaces also applies to Layer 2 aggregate interfaces except that a compensation mechanism is introduced.

This compensation mechanism adds 90 seconds to the initial lifetime of a secure MAC address when the aging timer is equal to or greater than 60 seconds. For example, if the aging timer is 80 seconds, the initial lifetime of a secure MAC address will be 180 (90 + 90) seconds.

This 90-second compensation time is added only to the initial lifetime of each secure MAC address. If traffic is received from a secure MAC address before its initial lifetime expires, its lifetime will be renewed without a 90-second compensation. For example, if the aging timer is 80 seconds, the renewed lifetime of that secure MAC address will be 90 seconds.
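The lifetime rules above are easy to misread, so here is a worked calculation added as an example; it is not H3C code and only encodes the rules stated in this usage guideline (30-second detection interval at or above 60 seconds, round-up to a multiple of 30, and the 90-second compensation on aggregate interfaces). The `age_out_time` helper is a simplification that treats a traffic observation as detected at the instant it occurs.

```python
# Added example (not H3C's code): secure MAC lifetime under inactivity aging,
# following the rules in the port-security mac-address aging-type inactivity
# usage guidelines. All numbers below come from those rules.

DETECT_INTERVAL = 30   # traffic detection interval when the aging timer is >= 60 s
COMPENSATION = 90      # added once to the initial lifetime on aggregate interfaces


def detection_interval(aging_timer: int) -> int:
    """Interval at which port security checks for traffic from secure MACs."""
    if aging_timer < 1:
        raise ValueError("aging timer must be a positive number of seconds")
    return DETECT_INTERVAL if aging_timer >= 60 else aging_timer


def ethernet_lifetime(aging_timer: int) -> int:
    """Lifetime on a Layer 2 Ethernet interface.

    Timer >= 60 s: rounded up to the nearest multiple of 30 (80 -> 90).
    Timer < 60 s: the lifetime equals the timer itself.
    """
    if aging_timer < 1:
        raise ValueError("aging timer must be a positive number of seconds")
    if aging_timer < 60:
        return aging_timer
    return -(-aging_timer // DETECT_INTERVAL) * DETECT_INTERVAL   # ceil to 30s


def aggregate_lifetime(aging_timer: int, initial: bool) -> int:
    """Lifetime on a Layer 2 aggregate interface.

    Same as the Ethernet calculation, plus 90 s of compensation that applies
    only to the initial lifetime and only when the timer is >= 60 s. A renewed
    lifetime (traffic seen before expiry) gets no compensation.
    """
    base = ethernet_lifetime(aging_timer)
    if initial and aging_timer >= 60:
        return base + COMPENSATION
    return base


def age_out_time(aging_timer: int, aggregate: bool, traffic_times: list) -> int:
    """Seconds after learning (t = 0) at which the address ages out.

    traffic_times: constructed instants at which traffic from the address
    was seen. Each observation before expiry restarts the timer with the
    renewed lifetime; later observations are ignored because the entry is
    already gone. Simplification (assumption): detection is immediate.
    """
    if aggregate:
        expiry = aggregate_lifetime(aging_timer, initial=True)
        renewed = aggregate_lifetime(aging_timer, initial=False)
    else:
        expiry = ethernet_lifetime(aging_timer)
        renewed = expiry
    for t in sorted(traffic_times):
        if t >= expiry:
            break
        expiry = t + renewed
    return expiry


if __name__ == "__main__":
    # Constructed scenarios: aging timer 80 s on both interface types.
    print("Ethernet, timer 80:", ethernet_lifetime(80))             # 90
    print("Aggregate initial, timer 80:", aggregate_lifetime(80, True))   # 180
    print("Aggregate renewed, timer 80:", aggregate_lifetime(80, False))  # 90
    print("Aggregate, traffic at t=100:", age_out_time(80, True, [100]))  # 190
```

The `age_out_time` output shows why the compensation matters in practice: on an aggregate interface an address learned with an 80-second timer is kept for 180 seconds initially, but every renewal only grants the plain 90-second lifetime.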

Restrictions and guidelines

This command takes effect only on sticky MAC addresses and dynamic secure MAC addresses.

Examples

# Enable inactivity aging for secure MAC addresses on Ten-GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security mac-address aging-type inactivity

Related commands

display port-security

port-security mac-address dynamic

Use port-security mac-address dynamic to enable the dynamic secure MAC feature.

Use undo port-security mac-address dynamic to disable the dynamic secure MAC feature.

Syntax

port-security mac-address dynamic

undo port-security mac-address dynamic

Default

The dynamic secure MAC feature is disabled. Sticky MAC addresses can be saved to the configuration file. Once saved, they survive a device reboot.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Application scenarios

If port security is enabled, the MAC addresses automatically learned on a port in autoLearn mode become sticky MAC addresses. These addresses are saved in the configuration file and can survive a device reboot. After the device reboots, their aging timers restart.

To prevent the device from saving the sticky MAC addresses learned on a port before a reboot, use the dynamic secure MAC feature. This feature converts sticky MAC addresses to dynamic secure MAC addresses, which cannot be saved to the configuration file and will be lost at reboot. To verify the presence of these addresses, execute the display port-security mac-address security command.

Restrictions and guidelines

After you execute the port-security mac-address dynamic command, you cannot manually configure sticky MAC addresses. You can manually configure sticky MAC addresses on a port only after you execute the undo form of this command to convert dynamic secure MAC addresses on that port to sticky MAC addresses.

Examples

# Enable the dynamic secure MAC feature on Ten-GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security mac-address dynamic

Related commands

display port-security

display port-security mac-address security

port-security mac-address security

Use port-security mac-address security to add a secure MAC address.

Use undo port-security mac-address security to remove a secure MAC address.

Syntax

In Layer 2 Ethernet interface view or Layer 2 aggregate interface view:

port-security mac-address security [ sticky ] mac-address vlan vlan-id

undo port-security mac-address security [ sticky ] mac-address vlan vlan-id

In system view:

port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id

undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]

Default

No manually configured secure MAC address entries exist.

Views

System view

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Parameters

sticky: Specifies the MAC address type as sticky. If you do not specify this keyword, the command configures a static secure MAC address.

mac-address: Specifies a MAC address, in H-H-H format.

interface interface-type interface-number: Specifies a port by its type and number.

vlan vlan-id: Specifies the VLAN to which the secure MAC address belongs. The value range for the vlan-id argument is 1 to 4094.

Usage guidelines

Application scenarios

Use this command to add the MAC addresses of trusted, important hosts or devices that need to connect to a port in autoLearn mode as secure MAC addresses in advance. This ensures that their packets can always pass through the port, avoiding competition for resources with the packets from other MAC addresses learned automatically on the port.

Operating mechanism

Static secure MAC addresses never age out unless you perform the following operations:

·     Remove these MAC addresses by using the undo port-security mac-address security command.

·     Change the port security mode.

·     Disable the port security feature.

Sticky MAC addresses do not age out by default. You can use the port-security timer autolearn aging command to set an aging timer for the sticky MAC addresses. When the timer expires, the sticky MAC addresses are removed.

Prerequisites

Before you add secure MAC addresses on a port, perform the following tasks:

·     Enable port security on the port.

·     Set the maximum number of secure MAC addresses permitted by port security.

·     Set the port security mode to autoLearn.

·     Configure the port to permit packets of the specified VLAN to pass or add the port to the VLAN. Make sure the VLAN already exists.

Restrictions and guidelines

You cannot add a MAC address to a VLAN as a static secure MAC address if it has been added as a sticky MAC address in that VLAN, and vice versa.

Examples

# Enable port security, set Ten-GigabitEthernet 3/0/1 to operate in autoLearn mode, and configure the port to support a maximum number of 100 secure MAC addresses.

<Sysname> system-view

[Sysname] port-security enable

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security max-mac-count 100

[Sysname-Ten-GigabitEthernet3/0/1] port-security port-mode autolearn

# Specify MAC address 0001-0002-0003 in VLAN 4 as a sticky MAC address.

[Sysname-Ten-GigabitEthernet3/0/1] port-security mac-address security sticky 0001-0002-0003 vlan 4

[Sysname-Ten-GigabitEthernet3/0/1] quit

# In system view, specify MAC address 0001-0001-0002 in VLAN 10 as a secure MAC address for Ten-GigabitEthernet 3/0/1.

[Sysname] port-security mac-address security 0001-0001-0002 interface ten-gigabitethernet 3/0/1 vlan 10

Related commands

display port-security

port-security timer autolearn aging

port-security mac-limit

Use port-security mac-limit to set the maximum number of MAC addresses that port security allows for specific VLANs on a port.

Use undo port-security mac-limit to restore the default.

Syntax

port-security mac-limit max-number per-vlan vlan-id-list

undo port-security mac-limit max-number per-vlan vlan-id-list

Default

No limit is set to the number of MAC addresses that port security allows for specific VLANs on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Parameters

max-number: Specifies the maximum number of MAC addresses. The value range is 1 to 2147483647.

per-vlan vlan-id-list: Applies the maximum number to a VLAN list on per-VLAN basis. The vlan-id-list argument specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2. The value range for the VLAN IDs is 1 to 4094. The value for the vlan-id2 argument must be equal to or greater than the value for the vlan-id1 argument.

Usage guidelines

Application scenarios

This command limits the number of MAC addresses that port security allows to access a port through specific VLANs. Use this command to prevent resource contentions among MAC addresses and ensure reliable performance for each access user on the port. When the number of MAC addresses in a VLAN on the port reaches the upper limit, the device denies any subsequent MAC addresses in the VLAN on the port.

Port security allows the access of the following types of MAC addresses on a port:

·     MAC addresses that pass 802.1X authentication or MAC authentication.

·     MAC addresses in the MAC authentication guest or critical VLAN, MAC addresses in the MAC authentication guest or critical VSI, and MAC addresses in the MAC authentication critical microsegment.

·     MAC addresses in the 802.1X guest, Auth-Fail, or critical VLAN and MAC addresses in the 802.1X guest, Auth-Fail, or critical VSI.

·     MAC addresses that pass Web authentication and MAC addresses in the Web authentication Auth-Fail VLAN.

Restrictions and guidelines

On a port, the maximum number of MAC addresses in a VLAN cannot be smaller than the number of existing MAC addresses in the VLAN. If the specified maximum number is smaller, the setting does not take effect.

Examples

# On Ten-GigabitEthernet 3/0/1, configure VLAN 1, VLAN 5, and VLANs 10 through 20 each to allow a maximum of 32 MAC authentication and 802.1X users.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security mac-limit 32 per-vlan 1 5 10 to 20

Related commands

display dot1x

display mac-authentication

port-security mac-move bypass-vlan-check

Use port-security mac-move bypass-vlan-check to enable VLAN check bypass for users moving to a port from other ports.

Use undo port-security mac-move bypass-vlan-check to disable VLAN check bypass for users moving to a port from other ports.

Syntax

port-security mac-move bypass-vlan-check

undo port-security mac-move bypass-vlan-check

Default

VLAN check bypass is disabled for users moving to a port from other ports. When reauthenticating a user that has moved to the port, the device examines whether the VLAN to which the user belongs is permitted by the port.

Views

Layer 2 Ethernet interface view

Port security authentication profile view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Application scenarios

When the MAC move feature is enabled, use VLAN check bypass to ensure successful reauthentication for users that move from a port enabled with MAC-based VLAN to a different port.

By default, when an 802.1X or MAC authenticated user moves from a port enabled with MAC-based VLAN to a different port, the user will reauthenticate in the authorization VLAN assigned on the source port. If that VLAN is not permitted to pass through on the destination port, reauthentication will fail and the user cannot come online. To avoid this situation, enable VLAN check bypass on the destination port.

VLAN check bypass skips checking VLAN information in the packets that trigger authentication for users moving to the port from other ports.

Restrictions and guidelines

If you enable VLAN check bypass on an 802.1X trunk port, you must execute the dot1x eapol untag command to configure it to send 802.1X protocol packets without VLAN tags.

Examples

# Enable VLAN check bypass for users moving to Ten-GigabitEthernet 3/0/1 from other ports.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security mac-move bypass-vlan-check

Related commands

display port-security

dot1x eapol untag

port-security mac-move permit

port-security mac-move overwrite-local

Use port-security mac-move overwrite-local to enable the device to overwrite the local MAC entry for a MAC address with the remote MAC entry for that MAC address after a MAC move.

Use undo port-security mac-move overwrite-local to disable the device from overwriting the local MAC entry for a MAC address with the learned remote MAC entry for that MAC address after a MAC move.

Syntax

port-security mac-move overwrite-local

undo port-security mac-move overwrite-local

Default

By default, the device overwrites the local MAC entry for a MAC address with the remote MAC entry for that MAC address after a MAC move.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

This feature is typically used in an EVPN or M-LAG environment. It enables the device to overwrite local authenticated MAC entries with remote authenticated MAC entries received from remote devices over tunnels or the peer link immediately, without waiting for the local entries to age out. This overwrite mechanism ensures that the device can promptly update authenticated MAC entries to forward traffic correctly for port security users after they move to a remote device and reauthenticate to the network.

Examples

# Enable the device to overwrite the local MAC entry for a MAC address with the remote MAC entry for that MAC address after a MAC move.

<Sysname> system-view

[Sysname] port-security mac-move overwrite-local

Related commands

display port-security

port-security mac-move permit

Use port-security mac-move permit to enable MAC move on the device.

Use undo port-security mac-move permit to disable MAC move on the device.

Syntax

port-security mac-move permit [ port | vlan ]

undo port-security mac-move permit

Default

MAC move is disabled on the device.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

port: Specifies the inter-port MAC move.

vlan: Specifies the inter-VLAN MAC move.

Usage guidelines

Application scenarios

By default, the MAC move feature of port security is disabled. Authenticated users on one port must go offline first before they can be reauthenticated successfully on another port to come online, regardless of whether the two ports are in the same VLAN or different VLANs.

The MAC move feature allows an authenticated online user on one port or VLAN to be reauthenticated and come online on another port or VLAN without going offline first.

Operating mechanism

The MAC move feature takes effect on online users authenticated through 802.1X authentication, MAC authentication, or Web authentication in the following scenarios:

·     Inter-port move on a device—An authenticated online user moves between ports on the device. The user VLAN or authentication method might change or stay unchanged after the move.

·     Inter-VLAN move on a port—An authenticated online user moves between VLANs on a trunk or hybrid port. This mode takes effect only when the packets that trigger authentication are VLAN tagged.

Port security MAC move allows an authenticated online user on one port or VLAN to be reauthenticated and come online on another port or VLAN without going offline first. After the user passes authentication on the new port or VLAN, the system removes the authentication session of the user on the original port or VLAN. This action ensures that the user stays online on only one port in one VLAN.

Restrictions and guidelines

If you do not specify any parameters, this command enables both the inter-port and inter-VLAN MAC moves.

Authenticated users cannot move between ports on a device or between VLANs on a port if the maximum number of online users on the authentication server has been reached.

For MAC authentication, the MAC move feature applies only when MAC authentication single-VLAN mode is used. The MAC move feature does not apply to MAC authentication users that move between VLANs on a port with MAC authentication multi-VLAN mode enabled.

Examples

# Enable MAC move.

<Sysname> system-view

[Sysname] port-security mac-move permit

Related commands

display port-security

mac-authentication host-mode multi-vlan

port-security max-mac-count

Use port-security max-mac-count to set the maximum number of secure MAC addresses that port security allows on a port.

Use undo port-security max-mac-count to restore the default.

Syntax

port-security max-mac-count max-count [ vlan [ vlan-id-list ] ]

undo port-security max-mac-count [ vlan [ vlan-id-list ] ]

Default

Port security does not limit the number of secure MAC addresses on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Parameters

max-count: Specifies the maximum number of secure MAC addresses that port security allows on the port. The value range is 1 to 2147483647.

vlan [ vlan-id-list ]: Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN ID or a range of VLAN IDs in the form of start-vlan-id to end-vlan-id. The end VLAN ID cannot be smaller than the start VLAN ID. The value range for VLAN IDs is 1 to 4094. If you do not specify the vlan keyword, this command sets the maximum number of secure MAC addresses that port security allows on a port. If you do not specify the vlan-id-list argument, this command sets the maximum number of secure MAC addresses for each VLAN on the port. This option takes effect only on a port that operates in autoLearn mode.

Usage guidelines

Application scenarios

Use this command to set the maximum number of secure MAC addresses allowed by port security on a port for the following purposes:

·     Prevent the system from being overloaded by excessive user accesses on the port to ensure service processing performance.

·     Control the maximum number of secure MAC addresses that can be added in autoLearn mode to block untrusted users from accessing the port, enhancing device and network security.

Operating mechanism

For autoLearn mode, this command sets the maximum number of secure MAC addresses (both configured and automatically learned) on the port.

In any other mode that enables 802.1X, MAC authentication, or both, this command sets the maximum number of authenticated MAC addresses on the port. The actual maximum number of concurrent users that the port accepts equals the smaller of the following values:

·     The value set by using this command.

·     The maximum number of concurrent users allowed by the authentication mode in use.

For example, in userLoginSecureExt mode, if 802.1X allows more concurrent users than port security's limit on the number of MAC addresses, port security's limit takes effect.

Restrictions and guidelines

·     You cannot change port security's limit on the number of MAC addresses when the port is operating in autoLearn mode.

·     Make sure the maximum number of secure MAC addresses for a VLAN is not less than the number of MAC addresses currently saved for the VLAN.

·     If you execute this command multiple times to set the maximum number of secure MAC addresses for the same VLAN, the most recent configuration takes effect.

Examples

# Set the maximum number of secure MAC addresses that port security allows on Ten-GigabitEthernet 3/0/1 to 100.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security max-mac-count 100

Related commands

display port-security

port-security nas-id-profile

Use port-security nas-id-profile to apply a NAS-ID profile to global or port-based port security.

Use undo port-security nas-id-profile to restore the default.

Syntax

port-security nas-id-profile profile-name

undo port-security nas-id-profile

Default

No NAS-ID profile is applied to port security globally or on any port.

Views

System view

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Parameters

profile-name: Specifies a NAS-ID profile by its name. The argument is a case-sensitive string of 1 to 31 characters.

Usage guidelines

Application scenarios

User access VLANs are typically used to identify the access location of users. In some application scenarios, network operators require an access device to convey non-VLAN user access location information in the NAS-Identifier attribute value sent to the RADIUS server. To identify the location of users in this situation, you must configure a NAS-ID profile to establish NAS-ID and VLAN bindings on the access device. When a user connects to the network, the device inserts the NAS-ID that matches the user's access VLAN in the NAS-Identifier attribute of the RADIUS request sent to the RADIUS server.

Prerequisites

Create a NAS-ID profile by using the aaa nas-id profile command.

Restrictions and guidelines

The device selects a NAS-ID profile for a port in the following order:

1.     The port-specific NAS-ID profile.

2.     The NAS-ID profile applied globally.

If no NAS-ID profile is applied or no matching binding is found in the selected profile, the device uses the device name as the NAS-ID.

Examples

# Apply NAS-ID profile aaa to Ten-GigabitEthernet 3/0/1 for port security.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security nas-id-profile aaa

# Globally apply NAS-ID profile aaa to port security.

<Sysname> system-view

[Sysname] port-security nas-id-profile aaa

Related commands

aaa nas-id profile

port-security ntk-mode

Use port-security ntk-mode to configure the NTK feature.

Use undo port-security ntk-mode to restore the default.

Syntax

port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkauto | ntkonly }

undo port-security ntk-mode

Default

The NTK feature is not configured on a port and all frames are allowed to be sent.

Views

Layer 2 Ethernet interface view

Predefined user roles

network-admin

mdc-admin

Parameters

ntk-withbroadcasts: Forwards only broadcast and unicast frames with a known destination MAC address.

ntk-withmulticasts: Forwards only broadcast, multicast, and unicast frames with a known destination MAC address.

ntkauto: Forwards only broadcast, multicast, and unicast frames with a known destination MAC address, and only when the port has online users.

ntkonly: Forwards only unicast frames with a known destination MAC address.

Usage guidelines

The NTK feature checks the destination MAC addresses in outbound frames. This feature allows frames to be sent only to devices with a known MAC address, preventing illegal devices from intercepting network traffic.
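To make the four NTK modes concrete, the following model is added here as an example (it is not H3C code and does not reflect how the switch implements the check internally). It classifies an outbound frame by its destination MAC and applies the per-mode rules from the parameter descriptions above; the known-MAC set, the online-user flag and the frame list are constructed inputs. The `ntkauto` branch follows the parameter description literally: with no online users on the port, nothing is forwarded.

```python
# Added example (not H3C's code): which outbound frames each NTK mode lets a
# port send. The known-MAC set and online-user flag are constructed inputs.


def mac_to_int(mac: str) -> int:
    """Parse an H-H-H formatted MAC address such as 0001-0002-0003."""
    parts = mac.lower().split("-")
    if len(parts) != 3 or any(len(p) != 4 for p in parts):
        raise ValueError(f"bad H-H-H MAC address: {mac}")
    return int("".join(parts), 16)


def classify(dst_mac: str, known_macs: set) -> str:
    """Classify a destination MAC as broadcast, multicast, or (un)known unicast."""
    value = mac_to_int(dst_mac)
    if value == 0xFFFFFFFFFFFF:
        return "broadcast"
    if (value >> 40) & 0x01:          # I/G bit of the first octet set -> group address
        return "multicast"
    return "known-unicast" if dst_mac.lower() in known_macs else "unknown-unicast"


# Destination classes each mode forwards. Unicast frames to an unknown MAC are
# dropped in every mode, which is the point of the feature.
MODE_ALLOWS = {
    "ntkonly": {"known-unicast"},
    "ntk-withbroadcasts": {"known-unicast", "broadcast"},
    "ntk-withmulticasts": {"known-unicast", "broadcast", "multicast"},
    "ntkauto": {"known-unicast", "broadcast", "multicast"},
}


def ntk_forwards(mode, dst_mac: str, known_macs: set, has_online_users: bool = True) -> bool:
    """Return True if a port in the given NTK mode sends the frame."""
    if mode is None:
        return True                   # NTK not configured: all frames are sent
    if mode not in MODE_ALLOWS:
        raise ValueError(f"unknown NTK mode: {mode}")
    if mode == "ntkauto" and not has_online_users:
        return False                  # ntkauto forwards only while users are online
    return classify(dst_mac, known_macs) in MODE_ALLOWS[mode]


def filter_frames(mode, frames: list, known_macs: set, has_online_users: bool = True) -> list:
    """Return the destination MACs of the frames that would be sent."""
    return [dst for dst in frames if ntk_forwards(mode, dst, known_macs, has_online_users)]


if __name__ == "__main__":
    # Constructed sample: one known station, one unknown station, broadcast, multicast.
    known = {"0001-0002-0003"}
    frames = ["0001-0002-0003", "0001-0002-0004", "ffff-ffff-ffff", "0100-5e00-0001"]
    for mode in (None, "ntkonly", "ntk-withbroadcasts", "ntk-withmulticasts", "ntkauto"):
        print(mode, "->", filter_frames(mode, frames, known))
```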

Examples

# Set the NTK mode of Ten-GigabitEthernet 3/0/1 to ntkonly, allowing the port to forward only unicast frames with a known destination MAC address.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security ntk-mode ntkonly

Related commands

display port-security

port-security oui

Use port-security oui to configure an OUI value for user authentication.

Use undo port-security oui to delete the OUI value with the specified OUI index.

Syntax

port-security oui index index-value mac-address oui-value

undo port-security oui index index-value

Default

No OUI values are configured.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

index-value: Specifies the OUI index, in the range of 1 to 16.

oui-value: Specifies an OUI string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value.

Usage guidelines

Application scenarios

An OUI, the first 24 binary bits of a MAC address, is assigned by IEEE to uniquely identify a device vendor. Use this command to allow devices of specific vendors to access the network without being authenticated. For example, you can specify the OUIs of IP phones and printers.

Restrictions and guidelines

You can configure multiple OUI values.

The OUI values configured by this command apply only to the ports operating in userLoginWithOUI mode. In userLoginWithOUI mode, a port allows only one 802.1X user and one user whose MAC address matches one of the configured OUI values.

Examples

# Configure an OUI value of 000d2a, and set the index to 4.

<Sysname> system-view

[Sysname] port-security oui index 4 mac-address 000d-2a10-0033
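As an added example (not H3C code), the following Python models how an OUI entry is derived from the H-H-H value given to this command and how a frame's source MAC is matched against the table of up to 16 indexed entries. It also models the userLoginWithOUI decision (OUI check first, then 802.1X); the class and function names are the example's own.

```python
import re

MAX_OUI_INDEX = 16   # index-value range documented for port-security oui
_HHH = re.compile(r"^[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}$")


def mac_to_int(mac_hhh):
    """Parse an H-H-H MAC string such as 000d-2a10-0033 into a 48-bit integer."""
    if not _HHH.match(mac_hhh):
        raise ValueError(f"not an H-H-H MAC address: {mac_hhh}")
    return int(mac_hhh.replace("-", ""), 16)


def oui_of(mac_hhh):
    """Keep only the 24 high-order bits, as the command does for oui-value."""
    return mac_to_int(mac_hhh) >> 24


class OuiTable:
    """Hypothetical model of the device's OUI table: up to 16 indexed entries."""

    def __init__(self):
        self.entries = {}   # index -> 24-bit OUI

    def configure(self, index, mac_hhh):
        # port-security oui index <index> mac-address <H-H-H>
        if not 1 <= index <= MAX_OUI_INDEX:
            raise ValueError(f"OUI index {index} outside 1..{MAX_OUI_INDEX}")
        self.entries[index] = oui_of(mac_hhh)

    def remove(self, index):
        # undo port-security oui index <index>
        return self.entries.pop(index, None) is not None

    def matches(self, mac_hhh):
        """True if the frame's source MAC carries a configured OUI."""
        return oui_of(mac_hhh) in self.entries.values()


def userlogin_withoui_permit(table, mac_hhh, dot1x_passed):
    """userLoginWithOUI: frames pass if the OUI check passes, else only
    if the user has passed 802.1X authentication."""
    return table.matches(mac_hhh) or dot1x_passed


if __name__ == "__main__":
    table = OuiTable()
    table.configure(4, "000d-2a10-0033")          # the CLI example above
    print(format(table.entries[4], "06x"))         # 000d2a
    print(userlogin_withoui_permit(table, "000d-2a00-0001", False))  # True
```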

Related commands

display port-security

port-security packet-detect arp-source-ip factor

Use port-security packet-detect arp-source-ip factor to specify an IP address and mask for calculating the source IP of ARP detection packets.

Use undo port-security packet-detect arp-source-ip factor to restore the default.

Syntax

port-security packet-detect arp-source-ip factor ip-address { mask | mask-length }

undo port-security packet-detect arp-source-ip factor

Default

No IP address or mask is specified for calculating the source IP of ARP detection packets. The source IP of ARP detection packets is 0.0.0.0.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ip-address { mask | mask-length }: Specifies an IP address and mask for calculating the source IP of ARP detection packets. The mask argument represents the IP address mask, in dotted decimal notation. The mask cannot be 255.255.255.255. The mask-length argument represents the IP address mask length, in the range of 0 to 31.

Usage guidelines

Application scenarios

The device regularly sends ARP detection packets to detect the status of online users. If a user does not respond within the detection interval, the device considers the user offline.

By default, the device uses 0.0.0.0 as the source IP address of ARP detection packets. The network might have users that cannot respond to ARP detection packets with source IP address 0.0.0.0. As a result, the device incorrectly determines that these users have gone offline. To resolve the issue, use this command to specify an IP address and mask that the device combines with each user's IP address to calculate the source IP of the ARP detection packets sent to that user.

Operating mechanism

The device uses the following formula to calculate the source IP address of ARP detection packets: source IP = (user IP & specified mask) | (specified IP & ~specified mask). Here, ~specified mask is the bitwise inverse of the mask. For example, the inverse of mask 255.255.255.0 is 0.0.0.255. If the IP address of a user is 192.168.8.1/24 and the IP address and mask specified by using this command are 1.1.1.11/255.255.255.0, the source IP address of ARP detection packets is 192.168.8.11/24.

Restrictions and guidelines

To avoid the source IP address of ARP detection packets being the same as the destination IP address, follow these restrictions and guidelines:

·     The mask length specified by using this command must be equal to or longer than the mask length of users' IP addresses.

·     The mask cannot be 255.255.255.255.

This command takes effect only on users that come online after this command is executed.

Only SC cards prefixed with LSCM2, SD interface modules, and SF interface modules support specifying an IP address and mask for calculating the source IP of ARP detection packets.

Examples

# Specify 0.0.0.11/24 for calculating the source IP of ARP detection packets.

<Sysname> system-view

[Sysname] port-security packet-detect arp-source-ip factor 0.0.0.11 24
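The following Python model of the source IP formula and of the two restrictions above is an added example, not H3C code. It reproduces the manual's worked case (user 192.168.8.1/24 with factor 1.1.1.11/255.255.255.0) and the CLI example (factor 0.0.0.11 24), and the check_factor helper additionally flags a configuration under which the calculated source address would equal the user's own address; the function and helper names are the example's own.

```python
import ipaddress


def _mask_to_int(mask):
    """Accept a dotted-decimal mask ("255.255.255.0") or a prefix length (24)."""
    if isinstance(mask, int):
        if not 0 <= mask <= 32:
            raise ValueError("mask length out of range")
        return (0xFFFFFFFF << (32 - mask)) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(mask))


def arp_probe_source_ip(user_ip, factor_ip=None, factor_mask=None):
    """Source IP of the ARP detection packet sent to user_ip.

    Implements the documented formula
        source IP = (user IP & mask) | (factor IP & ~mask)
    With no factor configured the device uses 0.0.0.0 (the default).
    """
    if factor_ip is None:
        return "0.0.0.0"
    user = int(ipaddress.IPv4Address(user_ip))
    factor = int(ipaddress.IPv4Address(factor_ip))
    mask = _mask_to_int(factor_mask)
    inverse_mask = ~mask & 0xFFFFFFFF          # e.g. 255.255.255.0 -> 0.0.0.255
    return str(ipaddress.IPv4Address((user & mask) | (factor & inverse_mask)))


def check_factor(user_ip, user_prefix_len, factor_ip, factor_mask):
    """Return the list of problems with a factor setting for a given user.

    Checks the two documented restrictions (mask must not be /32, factor mask
    length must be at least the user's mask length) and, as a hypothetical
    extra check, whether the computed source equals the user's address.
    """
    problems = []
    mask = _mask_to_int(factor_mask)
    mask_len = bin(mask).count("1")
    if mask_len == 32:
        problems.append("mask 255.255.255.255 is not allowed")
    if mask_len < user_prefix_len:
        problems.append(
            f"factor mask length {mask_len} is shorter than user mask length "
            f"{user_prefix_len}")
    source = arp_probe_source_ip(user_ip, factor_ip, factor_mask)
    if source == user_ip:
        problems.append(f"source {source} equals the destination (user) address")
    return problems


if __name__ == "__main__":
    # Worked case from the manual: 192.168.8.1/24 with factor 1.1.1.11/255.255.255.0
    print(arp_probe_source_ip("192.168.8.1", "1.1.1.11", "255.255.255.0"))
    # CLI example: port-security packet-detect arp-source-ip factor 0.0.0.11 24
    print(arp_probe_source_ip("192.168.8.1", "0.0.0.11", 24))
    print(check_factor("192.168.8.11", 24, "0.0.0.11", 24))
```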

Related commands

mac-authentication packet-detect retry

dot1x packet-detect retry

port-security port-mode

Use port-security port-mode to set the port security mode of a port.

Use undo port-security port-mode to restore the default.

Syntax

port-security port-mode { autolearn | mac-and-userlogin-secure-ext | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }

undo port-security port-mode

Default

A port operates in noRestrictions mode, where port security does not take effect.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Parameters

Each keyword sets the security mode given in parentheses:

autolearn (security mode autoLearn)

A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses. Instead, they are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command.

A port in autoLearn mode allows frames sourced from the following MAC addresses to pass:

·     Secure MAC addresses.

·     MAC addresses configured by using the mac-address dynamic and mac-address static commands.

When the number of secure MAC addresses reaches the upper limit set by the port-security max-mac-count command, the port changes to secure mode.

mac-and-userlogin-secure-ext (security mode macAddressAndUserLoginSecureExt)

In this mode, a user must pass both MAC authentication and 802.1X authentication to access the authorized network resources.

The device uses the following process to handle an access user on a port operating in this mode:

1.     Performs MAC authentication for the user.

2.     Marks the user as a temporary MAC authentication user when the user passes MAC authentication. A temporary MAC authentication user can access only resources in the 802.1X guest VLAN or VSI.

3.     After receiving 802.1X protocol packets from the user on the port, the device performs 802.1X authentication for the user.

4.     After the user passes 802.1X authentication on the port, the device removes the temporary MAC authentication user entry. Then, the user comes online as an 802.1X user.

mac-authentication (security mode macAddressWithRadius)

In this mode, a port performs MAC authentication for users and services multiple users.

mac-else-userlogin-secure (security mode macAddressElseUserLoginSecure)

This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority. In this mode, the port allows one 802.1X authentication user and multiple MAC authentication users to log in.

·     Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication.

·     Upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication.

mac-else-userlogin-secure-ext (security mode macAddressElseUserLoginSecureExt)

Same as the macAddressElseUserLoginSecure mode, except that a port in this mode supports multiple 802.1X and MAC authentication users.

secure (security mode secure)

In this mode, MAC address learning is disabled on the port, and you can configure MAC addresses by using the mac-address static and mac-address dynamic commands.

The port permits only frames sourced from the following MAC addresses to pass:

·     Secure MAC addresses.

·     MAC addresses configured by using the mac-address static and mac-address dynamic commands.

userlogin (security mode userLogin)

In this mode, a port performs 802.1X authentication and implements port-based access control.

If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication.

userlogin-secure (security mode userLoginSecure)

In this mode, a port performs 802.1X authentication and implements MAC-based access control. The port services only one user passing 802.1X authentication.

userlogin-secure-ext (security mode userLoginSecureExt)

Same as the userLoginSecure mode, except that this mode supports multiple online 802.1X users.

userlogin-secure-or-mac (security mode macAddressOrUserLoginSecure)

This mode is the combination of the userLoginSecure and macAddressWithRadius modes. In this mode, the port allows one 802.1X authentication user and multiple MAC authentication users to log in.

In this mode, the port performs 802.1X authentication first. By default, if 802.1X authentication fails, MAC authentication is performed.

However, the port in this mode processes authentication differently when the following conditions exist:

·     The port is enabled with parallel processing of MAC authentication and 802.1X authentication.

·     The port is enabled with the 802.1X unicast trigger.

·     The port receives a packet from an unknown MAC address.

Under such conditions, the port sends a unicast EAP-Request/Identity packet to the MAC address to initiate 802.1X authentication. After that, the port immediately processes MAC authentication without waiting for the 802.1X authentication result.

userlogin-secure-or-mac-ext (security mode macAddressOrUserLoginSecureExt)

Same as the macAddressOrUserLoginSecure mode, except that a port in this mode supports multiple 802.1X and MAC authentication users.

userlogin-withoui (security mode userLoginWithOUI)

Similar to the userLoginSecure mode. In addition, a port in this mode also permits frames from a user whose MAC address contains a specific OUI.

In this mode, the port performs the OUI check first. If the OUI check fails, the port performs 802.1X authentication. The port permits frames that pass the OUI check or 802.1X authentication.

Usage guidelines

Application scenarios

Port security provides different security modes to control MAC address learning on ports and define combinations of authentication methods. It enables the device to learn legitimate source MAC addresses and simplifies the procedure to configure basic port authentication for desired network management.

Prerequisites

Execute the port-security enable command to enable port security.

Restrictions and guidelines

To change the security mode for a port security enabled port, you must set the port in noRestrictions mode first. Do not change the port security mode when the port has online users.

IMPORTANT:

If you are configuring the autoLearn mode, first set port security's limit on the number of secure MAC addresses on the port by using the port-security max-mac-count (without specifying the vlan keyword) command. You cannot change the setting when the port is operating in autoLearn mode.

When port security is enabled, you cannot enable 802.1X or MAC authentication, or change the access control mode or port authorization state. The port security automatically modifies these settings in different security modes.

As a best practice, do not enable the mac-else-userlogin-secure or mac-else-userlogin-secure-ext mode on the port where MAC authentication delay is enabled. The two modes are mutually exclusive with the MAC authentication delay feature.

When the port security mode is macAddressAndUserLoginSecureExt on a port, follow these restrictions and guidelines:

·     To make sure the 802.1X clients attached to the port can initiate authentication, enable unicast trigger on the port by using the dot1x unicast-trigger command.

·     The guest VLAN or VSI for MAC authentication on the port does not take effect. For the temporary MAC authentication users to access a limited set of resources, configure an 802.1X guest VLAN or VSI on the port.

·     If accounting is not required for the temporary MAC authentication users, configure different ISP domains for MAC authentication users and 802.1X users. In the ISP domain for MAC authentication users, set the accounting method to none.

If a port operating in macAddressAndUserLoginSecureExt mode is configured with an 802.1X guest VLAN, you must use the port-security mac-move permit command to enable inter-VLAN MAC move on the port. If you do not use this command, a user that has passed MAC authentication cannot pass 802.1X authentication to come online when the user's initial VLAN and the guest VLAN are different VLANs.

Examples

# Enable port security, and set Ten-GigabitEthernet 3/0/1 to operate in secure mode.

<Sysname> system-view

[Sysname] port-security enable

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security port-mode secure

# Change the port security mode of Ten-GigabitEthernet 3/0/1 to userLogin.

[Sysname-Ten-GigabitEthernet3/0/1] undo port-security port-mode

[Sysname-Ten-GigabitEthernet3/0/1] port-security port-mode userlogin

Related commands

display port-security

port-security max-mac-count

port-security pre-auth domain

Use port-security pre-auth domain to specify a preauthentication domain for port security users on a port.

Use undo port-security pre-auth domain to restore the default.

Syntax

port-security pre-auth domain isp-name

undo port-security pre-auth domain

Default

No preauthentication domain is specified for port security users on a port.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Port security authentication profile view

Predefined user roles

network-admin

mdc-admin

Parameters

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The ISP domain name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

Application scenarios

To enable users to use a limited set of network resources before they are authenticated, configure a preauthentication domain.

A preauthentication domain accommodates 802.1X and MAC authentication users that have not performed authentication. A preauthentication domain is applicable to the following scenarios:

·     A user accesses the network for the first time. This scenario is applicable only to 802.1X and Web authentication users.

·     A user fails authentication, but no Auth-Fail domain is configured.

·     No server is reachable, but the critical domain is not configured.

Operating mechanism

The authorization attributes available for users in the preauthentication domain differ depending on their authentication method.

·     802.1X and MAC authentication support the VLAN, ACL, VSI, and microsegment ID authorization attributes.

·     Web authentication supports the VLAN, ACL, and microsegment ID authorization attributes.

On a port configured with a preauthentication domain, authentication users will be assigned authorization attributes in the preauthentication domain after they are assigned to the preauthentication domain. They can access only network resources permitted in the preauthentication domain. If they pass authentication, AAA will assign new authorization information to them.

If the authorization settings in the current preauthentication domain have changes, the changes take effect only on users that are assigned to the preauthentication domain after the changes are made. Users that have been assigned to the preauthentication domain before the changes are made still use the original settings.

When 802.1X is triggered after a user has failed MAC authentication on a port, the system assigns that user to the preauthentication domain as a MAC authentication user if no Auth-Fail domain is configured on the port.

Restrictions and guidelines

Users in the preauthentication domain are counted as online users. They consume online user resources on the port.

Users in the preauthentication domain do not support features triggered by the AAA server. These features include DMs, CoA messages, and RADIUS session-control.

Port security preauthentication domain is mutually exclusive with the following features of other authentication modules:

·     802.1X authentication—Guest VLAN, guest VSI, Auth-Fail VLAN, Auth-Fail VSI, critical VLAN, critical VSI, critical microsegment, and critical profile.

·     MAC authentication—Guest VLAN, guest VSI, critical VLAN, critical VSI, critical microsegment, and critical profile.

·     Web authentication—Auth-Fail VLAN.

Examples

# Specify ISP domain bbb as the preauthentication domain for port security users on Ten-GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security pre-auth domain bbb

Related commands

display port-security

port-security static-user

Use port-security static-user to configure a static user range for port access authentication.

Use undo port-security static-user to restore the default.

Syntax

port-security static-user { ip | ipv6 } start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ] [ domain isp-name | [ interface interface-type interface-number [ detect ] ] vlan vlan-id | mac mac-address | keep-online ] *

undo port-security static-user { ip | ipv6 } start-ip-address [ end-ip-address ] [ vpn-instance vpn-instance-name ]

Default

No static user ranges are configured.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ip: Specifies the IPv4 addresses of the static user range.

ipv6: Specifies the IPv6 addresses of the static user range.

start-ip-address [ end-ip-address ]: Specifies the IP address range of the static user range. The start-ip-address argument represents the start IP address and the end-ip-address argument represents the end IP address. If you specify only the start IP address, the static user range contains only one static user and the specified start IP address is the IP address of the static user.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the static user range belongs. The vpn-instance-name argument represents the VPN instance name, which is a case-sensitive string of 1 to 31 characters. If the static user range belongs to the public network, do not specify this option.

domain isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The ISP domain name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

interface interface-type interface-number: Specifies an interface by its type and number.

detect: Allows the device to periodically send ARP messages to trigger authentication for static users in the static user range when the static users are not online.

vlan vlan-id: Specifies a VLAN by its ID in the range of 1 to 4094.

mac mac-address: Specifies the MAC address of the static user range, in the format of H-H-H.

keep-online: Always allow the static user range to stay online. With this keyword, the device does not perform offline detection on the static user range. If you do not specify this keyword, the device performs offline detection on the static user range.

Usage guidelines

Application scenarios

Typically, administrators assign static IP addresses to dumb terminals such as printers. For such users, you can configure them as static users to facilitate flexible authentication. After you configure a dumb terminal as a static user, the device can use the static user information such as the user IP address as the username to perform authentication for the dumb terminal on the user's access interface. For this purpose, make sure 802.1X, Web authentication, or MAC authentication is enabled on the user's access interface.

Operating mechanism

The device uses the following rules to handle static users:

·     If two users have different IP addresses and MAC addresses, the users are different static users. They both can come online.

·     If a user that has the same MAC address as an online static user attempts to come online, the device does not trigger authentication for the new user, regardless of whether the users use the same IP address. To update the IP addresses of static users, use the port-security static-user update-ip enable command.

·     If users that have the same IP address but different MAC addresses come online, the device handles the users as follows:

¡     If a MAC address has been bound to the IP address, the user that has the bound MAC address can come online. Users with other MAC addresses cannot trigger authentication to come online.

¡     If no MAC address is bound to the IP address, the device allows all users that have IP addresses belonging to a static user IP range to trigger authentication to come online.

Restrictions and guidelines

When you configure a static user range, follow these restrictions and guidelines:

·     In the public network or the same VPN instance, the IP address ranges for all static user ranges cannot overlap.

·     When you use the undo port-security static-user command to delete a static user range, you must specify the same IP address range as the one specified when the static user range was configured. You cannot delete only some of the IP addresses in the IP address range.

·     Modification to a static user range does not affect online static users. The modification takes effect only on static users that will come online.

When the maximum number of static users is reached on a port, the port denies subsequent static users. In addition, these static users cannot come online through other access authentication methods on the port.

When the usernames of static users are their IP or MAC addresses, do not enable RESTful server-assisted automatic MAC authentication user recovery. If you enable RESTful server-assisted automatic MAC authentication user recovery, the device will recover static users as MAC authentication users after the device reboots or recovers from a failure.

The device supports a maximum of 50000 static user ranges.

Examples

# Configure IP address range 20.20.20.20 to 20.20.20.30 for a static user range. Users at IP addresses in the IP address range will come online as static users.

<Sysname> system-view

[Sysname] port-security static-user ip 20.20.20.20 20.20.20.30

Related commands

display port-security static-user

port-security static-user match-mac acl

Use port-security static-user match-mac acl to specify an ACL to match the MAC addresses of static users.

Use undo port-security static-user match-mac acl to restore the default.

Syntax

port-security static-user match-mac acl acl-number

undo port-security static-user match-mac acl

Default

No ACL is specified to match the MAC addresses of static users.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Application scenarios

Typically, endpoints that match static user IP ranges come online as static users. However, the device recognizes the endpoints as MAC authentication users instead of static users in the following situations:

·     The first packet sent by an endpoint is a Layer 2 packet that does not contain an IP address. In this situation, the packet triggers MAC authentication first.

·     An endpoint has both IPv4 and IPv6 addresses and the first packet sent by the endpoint is an IPv6 packet, but only static user IPv4 ranges are configured on the device. In this situation, the packet triggers MAC authentication first.

To resolve the issues, use this command to use MAC address as the criterion to match static users. With this command, the device allows users that match the specified ACL to trigger authentication and come online only as static users. The users cannot trigger other authentication processes.

Restrictions and guidelines

The specified ACL must be a Layer 2 ACL. The ACL can contain only permit rules with the source MAC range criteria.

The match criteria configured by using this command take effect only on static users that come online for the first time and do not affect the re-authentication process of existing online users.

Examples

# Specify ACL 4001 to match the MAC addresses of static users.

<Sysname> system-view

[Sysname] port-security static-user match-mac acl 4001

Related commands

port-security static-user

acl

port-security static-user max-user

Use port-security static-user max-user to set the maximum number of concurrent static users allowed on a port.

Use undo port-security static-user max-user to restore the default.

Syntax

port-security static-user max-user max-number

undo port-security static-user max-user

Default

A port supports a maximum of 4294967295 concurrent static users.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Parameters

max-number: Sets the maximum number of concurrent static users allowed on a port. The value range is 1 to 4294967295.

Usage guidelines

Set the maximum number of concurrent static users on a port to prevent the system resources from being overused. When the maximum number is reached, the port denies subsequent static users.

Examples

# Configure Ten-GigabitEthernet 3/0/1 to support a maximum of 32 concurrent static users.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security static-user max-user 32

Related commands

display port-security static-user

port-security static-user password

Use port-security static-user password to configure a password for static users.

Use undo port-security static-user password to restore the default.

Syntax

port-security static-user password { cipher | simple } string

undo port-security static-user password

Default

No password is configured for static users.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password string that cannot contain a question mark (?) or space. Its plaintext form is a case-sensitive string of 1 to 63 characters. Its encrypted form is a case-sensitive string of 1 to 117 characters.

Usage guidelines

After a static user triggers authentication, the access device sends the configured password as the user's password to the authentication server.

This command takes effect only on static users that come online after this command is used.

Examples

# Configure the password as 123456 for static users.

<Sysname> system-view

[Sysname] port-security static-user password simple 123456

Related commands

display port-security static-user

port-security static-user timer detect-period

Use port-security static-user timer detect-period to set the interval at which the device actively sends ARP packets to trigger authentication for static users.

Use undo port-security static-user timer detect-period to restore the default.

Syntax

port-security static-user timer detect-period time-value

undo port-security static-user timer detect-period

Default

The device actively sends ARP packets to trigger authentication for static users at intervals of 3 minutes.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

time-value: Sets the interval at which the device actively sends ARP packets to trigger authentication for static users. The value range for the interval is 60 to 2147483647, in seconds.

Usage guidelines

Application scenarios

If you specify the detect keyword when using the port-security static-user command to configure a static user range, the device enables ARP detection for the static user range. With the port-security static-user timer detect-period command, the device sends ARP packets to the IP addresses specified by using the port-security static-user command at intervals as configured. These ARP packets trigger authentication for static users that have not come online.

Restrictions and guidelines

If a large number of static users are configured, set the ARP detection interval to a larger value as a best practice. This configuration ensures that the device can detect all IP addresses in one interval.

Modification to the ARP detection interval takes effect only after the timer for the old ARP detection interval expires.

Examples

# Configure the device to actively send ARP packets to trigger authentication for static users at intervals of 100 seconds.

<Sysname> system-view

[Sysname] port-security static-user timer detect-period 100

Related commands

display port-security static-user

port-security static-user timer offline-detect

Use port-security static-user timer offline-detect to set the offline detect period for static users.

Use undo port-security static-user timer offline-detect to restore the default.

Syntax

port-security static-user timer offline-detect time-value

undo port-security static-user timer offline-detect

Default

The offline detect period is 5 minutes for static users.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

time-value: Sets the offline detect period, in the range of 60 to 2147483647 seconds.

Usage guidelines

Application scenarios

If you do not specify the keep-online keyword when using the port-security static-user command to configure a static user range, the device enables offline detection for online static users in the range. If the device fails to receive any traffic from an online static user within an offline detect period, the device logs off that user and requests the RADIUS accounting server to stop accounting for the user. To set the offline detect period timer, execute the port-security static-user timer offline-detect command.

Restrictions and guidelines

Be careful when you set the offline detect period timer.

·     If the detection timer is set too short, online static users might be undesirably logged off when the device has not received traffic from them for a brief period.

·     If the detection timer is set too long, inactive static users might stay online for a long time, occupying system resources undesirably.

Examples

# Set the offline detect period to 100 seconds for static users.

<Sysname> system-view

[Sysname] port-security static-user timer offline-detect 100

Related commands

display port-security static-user

port-security static-user update-ip enable

Use port-security static-user update-ip enable to enable static user IP update.

Use undo port-security static-user update-ip enable to restore the default.

Syntax

port-security static-user update-ip enable

undo port-security static-user update-ip enable

Default

Static user IP update is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Application scenarios

An endpoint might send abnormal ARP packets to the access device after it comes online as a static user. In these ARP packets, the sender IP address does not belong to the specified IP address range for static users.

By default, the device does not update IP addresses for static users when it receives ARP packets with a sender IP address beyond the specified IP address range from these users. This setting prevents online static users from being logged off because of abnormal ARP packets.

If static user IP update is enabled, the device updates the IP address of the endpoint. After address update, the endpoint is no longer a static user. Then, the device logs off the endpoint.

To trace IP address changes of endpoints, enable static user IP update to allow the device to update the IP addresses of static users.

Restrictions and guidelines

Use static user IP update in conjunction with DHCP snooping, ARP snooping, DHCPv6 snooping, or ND snooping. To receive notifications of IP address changes from a snooping feature, you must enable that feature.

Examples

# Enable static user IP update.

<Sysname> system-view

[Sysname] port-security static-user update-ip enable

Related commands

display port-security static-user

port-security static-user user-name-format

Use port-security static-user user-name-format to configure the username format used by static users when they come online.

Use undo port-security static-user user-name-format to restore the default.

Syntax

port-security static-user user-name-format { ip-address | mac-address | system-name }

undo port-security static-user user-name-format

Default

The username of each static user is in the format of SysnameIP, in which Sysname is the name of the access device and IP is the user IP address. For example, if the name of the access device is test and the IP address of a static user is 1.1.1.1, the username of that static user is test1.1.1.1.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ip-address: Uses the IP address of each static user as their usernames. For example, if the IP address of a static user is 1.1.1.1, its username is 1.1.1.1.

mac-address: Uses the MAC address of each static user as their usernames. For example, if the MAC address of a static user is 1a46-6209-0100 and no MAC-based user account format is configured, its username is 1a46-6209-0100.

system-name: Uses the name of the access device to which each static user accesses as their usernames. For example, if the access device name of a static user is test, its username is test.

Usage guidelines

Application scenarios

After a static user triggers authentication, the access device sends the username in the configured format to the authentication server.

If the device name is longer than 16 characters, the system only uses the first 16 characters to form a username.

Restrictions and guidelines

When the usernames of static users are their IP or MAC addresses, do not enable RESTful server-assisted automatic MAC authentication user recovery. If you enable RESTful server-assisted automatic MAC authentication user recovery, the device will recover static users as MAC authentication users after the device reboots or recovers from a failure.

This command takes effect only on static users that come online after this command is used.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure static users to use their IP addresses as usernames when they come online.

<Sysname> system-view

[Sysname] port-security static-user user-name-format ip-address

Related commands

display port-security static-user

port-security static-user user-name-format mac-address

Use port-security static-user user-name-format mac-address to configure the user account format when MAC addresses of static users are used as their usernames.

Use undo port-security static-user user-name-format mac-address to restore the default.

Syntax

port-security static-user user-name-format mac-address { one-section | { six-section | three-section } delimiter { colon | hyphen } } [ uppercase ] [ password-with-mac ]

undo port-security static-user user-name-format mac-address

Default

A static user does not have a password when its MAC address is used as its username. The MAC address contains three hyphen-separated sections and letters in the MAC address are in lower case.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

one-section: Specifies the one-section MAC address format, for example, xxxxxxxxxxxx or XXXXXXXXXXXX.

six-section: Specifies the six-section MAC address format, for example, xx-xx-xx-xx-xx-xx or XX-XX-XX-XX-XX-XX.

three-section: Specifies three-section MAC address format, for example, xxxx-xxxx-xxxx or XXXX-XXXX-XXXX.

delimiter: Specifies a delimiter to separate the sections in a MAC address.

·     colon: Uses the colon (:) as the delimiter.

·     hyphen: Uses the hyphen (-) as the delimiter.

uppercase: Uses letters in upper case. If you do not specify this keyword, letters in a MAC address are in lower case.

password-with-mac: Specifies whether to use the MAC address of each static user as their passwords when their MAC addresses are used as their usernames. If you do not specify this keyword, the device uses the password configured by using the port-security static-user password command as the password of the static users.

Usage guidelines

This command has higher priority than the port-security static-user user-name-format and port-security static-user password commands.
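The username formats described for port-security static-user user-name-format and port-security static-user user-name-format mac-address, modelled as an added example (this is not H3C code; the device name, IP and MAC values are constructed, and the 16-character device-name truncation is assumed to apply to the default SysnameIP format as well):

```python
# Added example, not H3C's implementation: derive the username (and password)
# a static user would present, following the formats the reference describes.
import re

SYSNAME_MAX = 16  # the device uses only the first 16 characters of its name


def _mac_hex(mac: str) -> str:
    """Normalize any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def format_mac(mac: str, sections: str = "three", delimiter: str = "hyphen",
               uppercase: bool = False) -> str:
    """Render a MAC address in the one-, three-, or six-section format.

    Default (no mac-address format configured): three hyphen-separated
    sections, lower case, e.g. 1a46-6209-0100.
    """
    digits = _mac_hex(mac)
    if uppercase:
        digits = digits.upper()
    if sections == "one":
        return digits
    sep = {"colon": ":", "hyphen": "-"}[delimiter]
    width = {"three": 4, "six": 2}[sections]
    return sep.join(digits[i:i + width] for i in range(0, 12, width))


def static_user_credentials(fmt, sysname, ip, mac, *, mac_sections="three",
                            mac_delimiter="hyphen", uppercase=False,
                            password_with_mac=False, configured_password=None):
    """Return (username, password) for a static user.

    fmt: None for the default SysnameIP format, or one of
         "ip-address", "mac-address", "system-name".
    configured_password: value set with port-security static-user password,
         or None when no password is configured (the default).
    """
    # Truncation is documented for the system-name format; applying it to
    # the default SysnameIP format as well is an assumption of this example.
    sysname = sysname[:SYSNAME_MAX]
    if fmt is None:
        username = f"{sysname}{ip}"
    elif fmt == "ip-address":
        username = ip
    elif fmt == "system-name":
        username = sysname
    elif fmt == "mac-address":
        username = format_mac(mac, mac_sections, mac_delimiter, uppercase)
    else:
        raise ValueError(f"unknown user-name-format {fmt!r}")

    # password-with-mac only applies when the MAC address is the username.
    if fmt == "mac-address" and password_with_mac:
        password = username
    else:
        password = configured_password
    return username, password


if __name__ == "__main__":
    # Constructed sample values.
    print(static_user_credentials(None, "test", "1.1.1.1", "1a46-6209-0100"))
    print(static_user_credentials("mac-address", "test", "1.1.1.1",
                                  "1a46-6209-0100", mac_sections="six",
                                  uppercase=True, password_with_mac=True))
```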

Examples

# Configure static users to use six-section MAC addresses as their usernames for authentication. Letters in the MAC addresses are in upper case and the sections in the MAC addresses are separated by hyphen (-). The MAC addresses of static users are also used as their passwords.

<Sysname> system-view

[Sysname] port-security static-user user-name-format mac-address six-section delimiter hyphen uppercase password-with-mac

Related commands

display port-security static-user

port-security strict-intrusion-protection enable

Use port-security strict-intrusion-protection enable to enable strict intrusion protection.

Use undo port-security strict-intrusion-protection enable to disable strict intrusion protection.

Syntax

port-security strict-intrusion-protection enable

undo port-security strict-intrusion-protection enable

Default

Strict intrusion protection is disabled.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Use strict intrusion protection with the disableport or disableport-temporarily action to enhance security.

With strict intrusion protection, the port shuts down when it receives a frame whose source MAC address is a secure MAC address on another port in the same VLAN.

Examples

# Enable strict intrusion protection on Ten-GigabitEthernet 3/0/1.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security strict-intrusion-protection enable

Related commands

port-security intrusion-mode

port-security port-mode

port-security timer

Use port-security timer to set port security timers.

Use undo port-security timer to restore the default.

Syntax

port-security timer { reauth-period { auth-fail-domain | preauth-domain } | user-aging { auth-fail-domain | critical-domain | preauth-domain } } time-value

undo port-security timer { reauth-period { auth-fail-domain | preauth-domain } | user-aging { auth-fail-domain | critical-domain | preauth-domain } }

Default

The period for the periodic reauthentication timer is 600 seconds. The period for the user aging timer is 23 hours.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

reauth-period: Specifies the periodic reauthentication timer.

user-aging: Sets the user aging timer.

auth-fail-domain: Specifies the Auth-Fail domain.

preauth-domain: Specifies the preauthentication domain.

critical-domain: Specifies the critical domain.

time-value: Specifies the timer period as an integer. The value for the periodic reauthentication period is 0 or in the range of 30 to 7200, in seconds. Value 0 indicates that periodic reauthentication is disabled. The value for the user aging period is 0 or in the range of 60 to 4294860, in seconds. Value 0 indicates that the specified users will not age out.

Usage guidelines

Application scenarios

Adjust the reauthentication and user aging timers based on network conditions.

The device periodically initiates re-authentication for users in the preauthentication or Auth-Fail domain on a port so they can come online as soon as possible. To prevent these users from occupying system resources for a long time, set user aging timers for them. The device logs off a user if that user remains unauthenticated when the aging timer expires. You can also set a user aging timer for users in the critical domain.

Operating mechanism

If the periodic reauthentication period (reauth-period) is not 0, periodic reauthentication is enabled. The device initiates reauthentication for online users on a port at intervals as configured.

If the user aging period (user-aging) is not 0 for a specific domain, user entries in the domain will age out. When the aging timer expires, the users will leave the specified domain.

Restrictions and guidelines

The periodic reauthentication period does not take effect on Web authentication users.

The users that are allowed to stay online by the authen-radius-recover online command are controlled by the user aging timer in the critical domain. When the user aging timer expires, the users will go offline. For more information about the authen-radius-recover online command, see "AAA commands."

Examples

# Set the user aging period to 60 seconds for users in the preauthentication domain.

<Sysname> system-view

[Sysname] port-security timer user-aging preauth-domain 60

Related commands

display port-security

authen-radius-recover online

port-security timer autolearn aging

Use port-security timer autolearn aging to set the secure MAC aging timer.

Use undo port-security timer autolearn aging to restore the default.

Syntax

port-security timer autolearn aging [ second ] time-value

undo port-security timer autolearn aging

Default

Secure MAC addresses do not age out.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

second: Specifies the aging timer in seconds for secure MAC addresses. If you do not specify this keyword, the command sets the aging timer in minutes for secure MAC addresses.

time-value: Specifies the aging timer. The value range is 0 to 129600 if the unit is minute. To disable the aging timer, set the timer to 0. The value range is 10 to 7776000 if the unit is second.

Usage guidelines

Application scenarios

By default, all secure MAC addresses do not age. You can enable regular aging of secure MAC addresses for the following purposes:

·     Prevent inactive or fast moving secure MAC addresses from occupying system resources for a long time.

·     Ensure that secure MAC users can come online when they move to a new port.

This enhances port security and improves port resource use efficiency.

Operating mechanism

The secure MAC aging timer applies to all sticky and dynamic secure MAC addresses, including those automatically learned and manually configured.

The effective aging timer varies by the aging timer setting:

·     If the aging timer is set in seconds, the effective aging timer can be either of the following values:

¡     The nearest multiple of 30 seconds to the configured aging timer if the configured timer is not less than 60 seconds. The effective aging timer is not less than the configured aging timer.

¡     The configured aging timer if the configured timer is less than 60 seconds.

·     If the aging timer is set in minutes, the effective aging timer is the configured aging timer.

Restrictions and guidelines

A short aging time improves port access security and port resource utility but affects online user stability. Set an appropriate secure MAC address aging timer according to your device performance and the network environment.

When a short aging time (less than 60 seconds) works with inactivity aging, do not assign a large value to the maximum number of secure MAC addresses on a port. A large value in this case might affect device performance.
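The value ranges and the effective-timer rounding rule described above, carried through as an added example (this is not H3C code; the function and parameter names are this example's own):

```python
# Added example, not H3C's implementation: validate a
# "port-security timer autolearn aging" setting and compute the effective
# secure MAC aging timer the reference describes.

def validate_aging_timer(value: int, unit: str = "minute") -> None:
    """Reject values outside the documented ranges.

    minutes: 0 (aging disabled) to 129600; seconds: 10 to 7776000.
    """
    if unit == "minute":
        if not 0 <= value <= 129600:
            raise ValueError("minute value must be 0 (disabled) or 1 to 129600")
    elif unit == "second":
        if not 10 <= value <= 7776000:
            raise ValueError("second value must be 10 to 7776000")
    else:
        raise ValueError(f"unknown unit {unit!r}")


def effective_aging_seconds(value: int, unit: str = "minute") -> int:
    """Return the effective aging timer in seconds (0 means no aging).

    - set in minutes: used exactly as configured
    - set in seconds, below 60: used exactly as configured
    - set in seconds, 60 or more: rounded up to the nearest multiple of 30,
      so the effective timer is never less than the configured one
    """
    validate_aging_timer(value, unit)
    if unit == "minute":
        return value * 60
    if value < 60:
        return value
    return -(-value // 30) * 30  # ceiling to a multiple of 30


def cli_command(value: int, unit: str = "minute") -> str:
    """Render the configuration line for the given setting."""
    validate_aging_timer(value, unit)
    if unit == "second":
        return f"port-security timer autolearn aging second {value}"
    return f"port-security timer autolearn aging {value}"


if __name__ == "__main__":
    for value, unit in [(30, "minute"), (50, "second"), (61, "second")]:
        print(cli_command(value, unit), "->",
              effective_aging_seconds(value, unit), "s effective")
```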

Examples

# Set the secure MAC aging timer to 30 minutes.

<Sysname> system-view

[Sysname] port-security timer autolearn aging 30

# Set the secure MAC aging timer to 50 seconds.

<Sysname> system-view

[Sysname] port-security timer autolearn aging second 50

Related commands

display port-security

port-security mac-address security

port-security timer blockmac

Use port-security timer blockmac to set the block timer for MAC addresses in the blocked MAC address list.

Use undo port-security timer blockmac to restore the default.

Syntax

port-security timer blockmac time-value

undo port-security timer blockmac

Default

The block timer for blocked MAC addresses is 180 seconds.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

time-value: Sets a timer value in the range of 1 to 3600 seconds.

Usage guidelines

Use the block timer in conjunction with the intrusion protection action that blocks the source MAC addresses of illegal frames. This block action is configured by using the port-security intrusion-mode blockmac command.

The block timer sets the amount of time that a MAC address must remain in the blocked MAC address list before it is unblocked.

Examples

# Configure the intrusion protection action on Ten-GigabitEthernet 3/0/1 as blocking source MAC addresses of illegal frames, and set the block timer to 60 seconds.

<Sysname> system-view

[Sysname] port-security timer blockmac 60

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security intrusion-mode blockmac

Related commands

display port-security

port-security intrusion-mode

port-security timer disableport

Use port-security timer disableport to set the silence period during which the port remains disabled.

Use undo port-security timer disableport to restore the default.

Syntax

port-security timer disableport time-value

undo port-security timer disableport

Default

The port silence period is 20 seconds.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

time-value: Specifies the silence period in seconds during which the port remains disabled. The value is in the range of 20 to 300.

Usage guidelines

Use this command to set the silence period when you configure the intrusion protection action as disabling the port temporarily by using the port-security intrusion-mode disableport-temporarily command.

Examples

# Configure the intrusion protection action on Ten-GigabitEthernet 3/0/1 as disabling the port temporarily, and set the port silence period to 30 seconds.

<Sysname> system-view

[Sysname] port-security timer disableport 30

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security intrusion-mode disableport-temporarily

Related commands

display port-security

port-security intrusion-mode

port-security topology-change detect-period

Use port-security topology-change detect-period to set the interval at which the device actively sends ARP or NS detection packets when the network topology changes.

Use undo port-security topology-change detect-period to restore the default.

Syntax

port-security topology-change detect-period time-value

undo port-security topology-change detect-period

Default

The device actively sends ARP or NS detection packets at intervals of 5 seconds when the network topology changes.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

time-value: Sets the interval at which the device actively sends ARP or NS detection packets. The value range is 1 to 3600, in seconds.

Usage guidelines

Application scenarios

The device sends ARP or NS packets to online users on one member port in a TC group through the other member port in the same TC group at detection intervals if the following conditions exist:

·     The member port receives TC event messages sent by the STP module.

·     The device permits MAC move between member ports in a TC group.

Use this command to adjust the detection interval as needed.

Restrictions and guidelines

As a best practice, set the detection interval to a large value if a large number of online users exist. The configuration avoids starting the second round of detection before the first round of detection packets are sent out completely.

The modification to the detection interval takes effect at the next detection interval.

Examples

# Configure the device to actively send ARP or NS detection packets at intervals of 100 seconds when the network topology changes.

<Sysname> system-view

[Sysname] port-security topology-change detect-period 100

Related commands

display port-security

port-security topology-change free-mac-move

port-security topology-change detect-retry

port-security topology-change detect-retry

Use port-security topology-change detect-retry to set the maximum number of attempts for sending a detection packet when the network topology changes.

Use undo port-security topology-change detect-retry to restore the default.

Syntax

port-security topology-change detect-retry retries

undo port-security topology-change detect-retry

Default

The device attempts to send a detection packet for a maximum of three times when the network topology changes.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

retries: Sets the maximum number of attempts for sending a detection packet. The value range is 1 to 10.

Usage guidelines

The device sends ARP or NS packets to online users on a member port in a TC group at detection intervals through the other member port in that TC group if the following conditions exist:

·     The member port receives TC event messages sent by the STP module.

·     The device permits MAC move between member ports in a TC group.

If the device does not receive any response packets for a user after it has made the maximum number of attempts for sending a detection packet, it determines that the network topology of the TC group does not change. It does not move the user to the other member port.

Examples

# Configure the device to attempt to send a detection packet for a maximum of eight times when the network topology changes.

<Sysname> system-view

[Sysname] port-security topology-change detect-retry 8

Related commands

display port-security

port-security topology-change detect-period

port-security topology-change free-mac-move

port-security topology-change free-mac-move

Use port-security topology-change free-mac-move to permit MAC move between member ports in a TC group when the network topology changes.

Use undo port-security topology-change free-mac-move to restore the default.

Syntax

port-security topology-change free-mac-move

undo port-security topology-change free-mac-move

Default

MAC move is denied between member ports in a TC group when the network topology changes.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Application scenarios

When the network topology changes, the STP module sends a topology change (TC) event message to notify relevant devices that the network topology has changed. TC events might cause traffic forwarding exceptions on a member port in a TC group.

To resolve this issue, use this feature to permit MAC move between member ports in a TC group when the network topology changes. MAC move allows authenticated online users on a member port in a TC group to move to the other member port in the same TC group without being authenticated again. The process is as described in "Operating mechanism."

Use this feature on the device if the device is connected to users that cannot actively send packets to trigger MAC move when the network topology changes.

Operating mechanism

The operating mechanism of this feature is as follows:

·     If a member port in a TC group is up and receives a TC event message, the device searches for online authenticated users that come online from that port. In addition, the device sends ARP or NS detection packets to these users at detection intervals through the other member port in the same TC group.

¡     If the other member port receives a response packet for a user, that user moves to the other member port and comes online without being authenticated.

¡     If the other member port does not receive any response packets for a user after the device has made the maximum number of attempts for sending a detection packet, the device determines that the network topology of that TC group does not change. It does not move the user to the other member port.

·     If the network topology changes because a member port in a TC group goes down, the device does not wait to receive TC event messages sent by the STP module or actively detect online authenticated users on that port from the other member port. Instead, it immediately moves the online authenticated users on that port to the other member port without authenticating them. To detect whether the users can come online correctly on the other member port, you can enable offline detection or ARP or NS packet detection on the other member port.

For more information about TC groups, see spanning tree configuration in Layer 2—LAN Switching Configuration Guide.

Restrictions and guidelines

This feature takes effect only on static users, MAC authentication users, and 802.1X users.

As a best practice to ensure successful MAC move between member ports in a TC group, the member ports in that TC group must use the same settings.

Examples

# Permit MAC move between member ports in a TC group when the network topology changes.

<Sysname> system-view

[Sysname] port-security topology-change free-mac-move

Related commands

port-security topology-change detect-period

port-security topology-change detect-retry

stp tc-group (Layer 2—LAN Switching Command Reference)

port-security triple-auth-order mac-dot1x-web

Use port-security triple-auth-order mac-dot1x-web to configure the trigger order for authentication methods on a port as MAC authentication, 802.1X authentication, and Web authentication in a triple authentication environment.

Use undo port-security triple-auth-order to restore the default.

Syntax

port-security triple-auth-order mac-dot1x-web

undo port-security triple-auth-order

Default

In a triple authentication environment, the authentication that is triggered first depends on the type of packets sent from endpoints.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Application scenarios

This command takes effect only on ports with triple authentication enabled. Triple authentication allows Web authentication, MAC authentication, and 802.1X authentication to be enabled concurrently on a Layer 2 port for user access. Different types of endpoint packets trigger different types of authentication first.

By default, if 802.1X unicast trigger is enabled, any packets from endpoints will trigger 802.1X authentication. To enable any endpoint packets to trigger MAC authentication first, use this command.

Operating mechanism

A port can run authentication processes concurrently for multiple authentication methods. The failure of one authentication does not affect the processes for other authentication methods. However, if an endpoint passes one authentication on a port, the device handles processes for other authentication methods on the port as follows:

·     If the endpoint passes MAC authentication, the device generates a MAC authentication user entry on the port and continues to perform 802.1X authentication for the endpoint on the port. However, the device cannot continue Web authentication for the endpoint on the port.

¡     If the endpoint passes 802.1X authentication after MAC authentication, the device generates an 802.1X user entry for the endpoint on the port. The 802.1X user entry overwrites the MAC authentication user entry.

¡     If the endpoint does not pass 802.1X authentication after MAC authentication, the MAC authentication user entry is retained on the port. The endpoint can trigger 802.1X authentication again, but it cannot trigger Web authentication.

·     If the endpoint fails MAC authentication but passes 802.1X or Web authentication, the device immediately stops all authentication methods on the port except the one the endpoint has passed. In addition, the device can no longer trigger authentication processes for the stopped authentication methods for the endpoint on the port.

Restrictions and guidelines

This command takes effect only on ports with triple authentication enabled.

On a port, an authentication-type port security mode (if any) has higher priority than this command.

This command causes users that are being authenticated to fail authentication. The users must retrigger authentication to come online. As a best practice to avoid users failing to come online, use this command with caution.

Examples

# Configure the trigger order for authentication methods on Ten-GigabitEthernet 3/0/1 as MAC authentication, 802.1X authentication, and Web authentication.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security triple-auth-order mac-dot1x-web

Related commands

mac-authentication

dot1x

web-auth enable

port-security url-unavailable domain

Use port-security url-unavailable domain to specify a domain for port security users redirected to an unavailable URL.

Use undo port-security url-unavailable domain to restore the default.

Syntax

port-security url-unavailable domain isp-name

undo port-security url-unavailable domain

Default

No domain is specified for port security users redirected to an unavailable URL.

Views

Layer 2 Ethernet interface view

Layer 2 aggregate interface view

Port security authentication profile view

Predefined user roles

network-admin

mdc-admin

Parameters

isp-name: Specifies an ISP domain by its name, a case-insensitive string of 1 to 255 characters. The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation mark ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).

Usage guidelines

Application scenarios

This command takes effect only on MAC authentication and Web authentication users.

During user authentication, if the Web server specified by the redirect URL is unavailable, users cannot be redirected to the Web authentication page on the Web server. As a result, the users cannot come online. To allow users to access the resources in an ISP domain when the redirect URL is unavailable, use this command to specify that ISP domain for the users.

Restrictions and guidelines

The configuration for this command is mutually exclusive with the following 802.1X, MAC authentication, and Web authentication settings:

·     Guest VLAN and VSI settings.

·     Auth-Fail VLAN and VSI settings.

·     Critical VLAN, VSI, and microsegment settings.

·     Critical profile settings.

Examples

# On Ten-GigabitEthernet 3/0/1, specify domain bbb for port security users redirected to an unavailable URL.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/1

[Sysname-Ten-GigabitEthernet3/0/1] port-security url-unavailable domain bbb

Related commands

display port-security

reset port-security static-user

Use reset port-security static-user to log off online static users.

Syntax

reset port-security static-user [ interface interface-type interface-number | { ip | ipv6 } ip-address | mac mac-address | online-type { auth-fail-domain | critical-domain | preauth-domain | success } | user-name user-name ]

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

interface interface-type interface-number: Specifies an interface by its type and number.

{ ip | ipv6 } ip-address: Specifies an online static user by its IP address. If the static user has an IPv4 address, specify the ip keyword and use the ip-address argument to specify the IPv4 address of the static user. If the static user has an IPv6 address, specify the ipv6 keyword and use the ip-address argument to specify the IPv6 address of the static user.

mac mac-address: Specifies an online static user by its MAC address. The mac-address argument represents the MAC address, in the format of H-H-H.

online-type: Specifies a type of online static users.

·     auth-fail-domain: Specifies online static users in the Auth-Fail domain.

·     critical-domain: Specifies online static users in the critical domain.

·     preauth-domain: Specifies online static users in the preauthentication domain.

·     success: Specifies online static users that have passed authentication.

user-name user-name: Specifies an online static user by its username, a case-sensitive string of 1 to 253 characters.

Usage guidelines

Application scenarios

Use this command to force static users offline when you need to change their network access permissions or when you detect unauthorized access.

Restrictions and guidelines

If you do not specify any parameters, this command logs off all types of online static users.

Examples

# Log off all online static users on Ten-GigabitEthernet 3/0/1.

<Sysname> reset port-security static-user interface ten-gigabitethernet 3/0/1

Related commands

display port-security static-user

reset port-security statistics

Use reset port-security statistics to clear port security statistics.

Syntax

reset port-security statistics

Views

User view

Predefined user roles

network-admin

mdc-admin

Examples

# Clear port security statistics.

<Sysname> reset port-security statistics

Usage guidelines

When you redeploy or troubleshoot the network, clear the port security statistics. This ensures that you can correctly identify the network state and troubleshoot the issue without being misled by the historical data.

Related commands

display port-security statistics

snmp-agent trap enable port-security

Use snmp-agent trap enable port-security to enable SNMP notifications for port security.

Use undo snmp-agent trap enable port-security to disable SNMP notifications for port security.

Syntax

snmp-agent trap enable port-security [ ac-creation-failure | acl-author-failure | acl-author-success | address-learned | dot1x-failure | dot1x-ip-change | dot1x-logoff | dot1x-logon | intrusion | intrusion-recover | mac-auth-failure | mac-auth-ip-change | mac-auth-logoff | mac-auth-logon | mac-auth-not-support | ntk-ineffective | port-mode-ineffective | url-author-failure | url-author-success ] *

undo snmp-agent trap enable port-security [ ac-creation-failure | acl-author-failure | acl-author-success | address-learned | dot1x-failure | dot1x-ip-change | dot1x-logoff | dot1x-logon | intrusion | intrusion-recover | mac-auth-failure | mac-auth-ip-change | mac-auth-logoff | mac-auth-logon | mac-auth-not-support | ntk-ineffective | port-mode-ineffective | url-author-failure | url-author-success ] *

Default

All port security SNMP notifications are disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ac-creation-failure: Specifies notifications about AC creation failures.

acl-author-failure: Specifies notifications about ACL authorization failures.

acl-author-success: Specifies notifications about ACL authorization successes.

address-learned: Specifies notifications about MAC address learning.

dot1x-failure: Specifies notifications about 802.1X authentication failures.

dot1x-ip-change: Specifies notifications about IP address changes of 802.1X users.

dot1x-logoff: Specifies notifications about 802.1X user logoffs.

dot1x-logon: Specifies notifications about 802.1X authentication successes.

intrusion: Specifies notifications about illegal frame detection.

intrusion-recover: Specifies notifications when the MAC address block timer or port silence period for the intrusion protection action times out and the intrusion protection action recovers.

mac-auth-failure: Specifies notifications about MAC authentication failures.

mac-auth-ip-change: Specifies notifications about IP address changes of MAC authentication users.

mac-auth-logoff: Specifies notifications about MAC authentication user logoffs.

mac-auth-logon: Specifies notifications about MAC authentication successes.

mac-auth-not-support: Specifies notifications when an interface does not support enabling MAC authentication.

ntk-ineffective: Specifies notifications when the NTK feature does not take effect on an interface.

port-mode-ineffective: Specifies notifications when the port security mode does not take effect on an interface.

url-author-failure: Specifies notifications about URL authorization failures.

url-author-success: Specifies notifications about URL authorization successes.

Usage guidelines

Application scenarios

To report critical port security events to an NMS, enable SNMP notifications for port security. Notifications of critical port security events enable administrators to obtain MAC learning and access user status data from port security.

Prerequisites

For the intrusion and intrusion-recover keywords to take effect, make sure the intrusion protection feature is configured by using the port-security intrusion-mode command.

Restrictions and guidelines

For port security event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.

If you do not specify a notification, this command enables all SNMP notifications for port security.

Examples

# Enable SNMP notifications about MAC address learning.

<Sysname> system-view

[Sysname] snmp-agent trap enable port-security address-learned

Related commands

display port-security

port-security enable
