H3C WX3000 Series Unified Switches Switching Engine Command Reference-6W103
11-Port Security-Port Binding Command
1 Port Security Commands
display mac-address security
Syntax
display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]
View
Any view
Parameters
interface-type: Port type.
interface-number: Port number.
vlan-id: VLAN ID, in the range of 1 to 4094.
count: Displays the number of security MAC addresses.
Description
Use the display mac-address security command to display information about security MAC addresses. Each piece of information for a port includes: secure MAC address on the port, VLAN ID of the port, current MAC address state, port index, and MAC address aging time.
By checking the output of this command, you can verify the current configuration.
Examples
# Display the security MAC address configuration on GigabitEthernet 1/0/1.
<device> display mac-address security interface GigabitEthernet1/0/1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
0001-0001-0001 1 Security GigabitEthernet1/0/1 NOAGED
--- 1 mac address(es) found on port GigabitEthernet1/0/1 ---
display port-security
Syntax
display port-security [ interface interface-list ]
View
Any view
Parameters
interface-list: Ethernet port list, which can contain multiple Ethernet ports. The interface-list argument is in the format of { interface-type interface-number [ to interface-type interface-number ] } & <1-10>, where interface-type represents the port type, interface-number represents the port number, and & <1-10> means that you can provide up to 10 port indexes/port index ranges in this argument.
Description
Use the display port-security command to display information about port security configuration (including global configuration, and configuration on specified or all ports).
By checking the output of this command, you can verify the current configuration.
- If the interface-list argument is not specified, this command displays the global security configuration and the security configuration of all ports.
- If the interface-list argument is specified, this command displays the security configuration of the specified ports only.
Examples
# Display global and all ports' security configuration information.
<device> display port-security
Equipment port-security is enabled
AddressLearn trap is Enabled
Intrusion trap is Enabled
Dot1x logon trap is Enabled
Dot1x logoff trap is Enabled
Dot1x logfailure trap is Enabled
RALM logon trap is Enabled
RALM logoff trap is Enabled
RALM logfailure trap is Enabled
Vlan id assigned is NULL
Disableport Timeout: 20 s
OUI value:
Index is 5, OUI value is 00efec
GigabitEthernet1/0/1 is link-down
Port mode is Userlogin
NeedtoKnow mode is needtoknowonly
Intrusion mode is disableport
Max mac-address num is 100
Stored mac-address num is 0
Authorization is permit
(Any display that follows is omitted.)
Table 1-1 display port-security command output description

Field | Description
---|---
Equipment port security is enabled | Port security is enabled on the device.
AddressLearn trap is Enabled | The sending of address-learning trap messages is enabled.
Intrusion trap is Enabled | The sending of intrusion-detection trap messages is enabled.
Dot1x logon trap is Enabled | The sending of 802.1x user authentication success trap messages is enabled.
Dot1x logoff trap is Enabled | The sending of 802.1x user logoff trap messages is enabled.
Dot1x logfailure trap is Enabled | The sending of 802.1x user authentication failure trap messages is enabled.
RALM logon trap is Enabled | The sending of MAC-based authentication success trap messages is enabled.
RALM logoff trap is Enabled | The sending of logoff trap messages for MAC-based authenticated users is enabled.
RALM logfailure trap is Enabled | The sending of MAC-based authentication failure trap messages is enabled.
Vlan id assigned is NULL | The delivered VLAN ID is null.
Disableport Timeout: 20 s | The temporary port-disabling time is 20 seconds.
OUI value | The next line displays the OUI value.
GigabitEthernet1/0/1 is link-down | The link status of the port GigabitEthernet 1/0/1 is "down".
Port mode is Userlogin | The security mode of the port is Userlogin.
NeedtoKnow mode is needtoknowonly | The NTK (Need To Know) mode is ntkonly.
Intrusion mode is disableport | The intrusion detection mode is disableport.
Max mac-address num is 100 | The maximum number of MAC addresses allowed on the port is 100.
Stored mac-address num is 0 | No MAC address is stored.
Authorization is permit | Authorization information delivered by the RADIUS server will be applied to the port.
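An operator auditing many switches will usually capture this output rather than read it port by port. The following Python script is an added example, not part of the H3C documentation or the device software: it parses text in the format of the display port-security output shown above into a global section and one record per port, then flags conditions worth reviewing. The sample text reuses the page's GigabitEthernet1/0/1 block; the GigabitEthernet1/0/2 block is constructed for illustration (a port whose secure MAC table is full and that ignores RADIUS authorization).

```python
import re

# Constructed sample in the format of the display port-security output on this page.
# The GigabitEthernet1/0/2 block is invented to show a port at capacity.
SAMPLE = """\
Equipment port-security is enabled
AddressLearn trap is Enabled
Intrusion trap is Enabled
Dot1x logon trap is Enabled
Dot1x logoff trap is Enabled
Dot1x logfailure trap is Enabled
RALM logon trap is Enabled
RALM logoff trap is Enabled
RALM logfailure trap is Enabled
Vlan id assigned is NULL
Disableport Timeout: 20 s
OUI value:
Index is 5, OUI value is 00efec
GigabitEthernet1/0/1 is link-down
Port mode is Userlogin
NeedtoKnow mode is needtoknowonly
Intrusion mode is disableport
Max mac-address num is 100
Stored mac-address num is 0
Authorization is permit
GigabitEthernet1/0/2 is link-up
Port mode is Autolearn
NeedtoKnow mode is needtoknowonly
Intrusion mode is blockmac
Max mac-address num is 2
Stored mac-address num is 2
Authorization is ignore
"""

PORT_RE = re.compile(r"^(\S+) is link-(up|down)$")
OUI_RE = re.compile(r"^Index is (\d+), OUI value is ([0-9a-fA-F]{6})$")
KV_RE = re.compile(r"^(.+?) is (.+)$")


def parse_port_security(text):
    """Split the output into a global dict and one dict per port."""
    global_cfg = {"traps": {}, "ouis": {}}
    ports = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "OUI value:":
            continue
        m = PORT_RE.match(line)
        if m:                                   # "<port> is link-up|down" starts a port block
            current = ports.setdefault(m.group(1), {"link": m.group(2)})
            continue
        m = OUI_RE.match(line)
        if m:
            global_cfg["ouis"][int(m.group(1))] = m.group(2).lower()
            continue
        if line.startswith("Disableport Timeout:"):
            global_cfg["disableport_timeout"] = int(line.split(":")[1].split()[0])
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if current is not None:                 # per-port "Key is Value" line
            current[key] = value
        elif key.endswith(" trap"):
            global_cfg["traps"][key[:-len(" trap")]] = value.lower() == "enabled"
        elif key == "Equipment port-security":
            global_cfg["enabled"] = value.lower() == "enabled"
        else:
            global_cfg[key] = value
    return global_cfg, ports


def audit(text):
    """Return (scope, finding) pairs an operator would want to review."""
    global_cfg, ports = parse_port_security(text)
    findings = []
    if not global_cfg.get("enabled"):
        findings.append(("global", "port security is not enabled"))
    if not global_cfg["traps"].get("Intrusion"):
        findings.append(("global", "intrusion trap is disabled"))
    for name, port in ports.items():
        stored = int(port.get("Stored mac-address num", 0))
        limit = int(port.get("Max mac-address num", 0))
        if limit and stored >= limit:
            findings.append((name, "secure MAC table full (%d/%d); next unknown source MAC "
                                   "triggers intrusion protection" % (stored, limit)))
        if port.get("Authorization") == "ignore":
            findings.append((name, "RADIUS authorization attributes are ignored on this port"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(scope, finding)
```

The parser keys the per-port records by the exact field names the device prints ("Port mode", "Intrusion mode", and so on), so the audit rules can be extended by matching on the strings in Table 1-1 without changing the parser.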
mac-address security
Syntax
In system view:
mac-address security mac-address interface interface-type interface-number vlan vlan-id
undo mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]
In Ethernet port view:
mac-address security mac-address vlan vlan-id
undo mac-address security [ [ mac-address ] vlan vlan-id ]
View
System view, Ethernet port view
Parameters
mac-address: Security MAC address, in the H-H-H format.
interface-type interface-number: Specifies a port by its type and number.
vlan-id: VLAN ID of the security MAC address, ranging 1 to 4094.
Description
Use the mac-address security command to manually add a security MAC address to a port.
Use the undo mac-address security command to remove a security MAC address from a port.
By default, no security MAC address is configured.
You can manually add a security MAC address to a port only when port security is enabled globally and the port-security port-mode autolearn command is configured on the port.
Examples
# Add 0001-0001-0001 as a security MAC address to GigabitEthernet 1/0/1 in VLAN 1.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] port-security enable
[device] interface GigabitEthernet1/0/1
[device-GigabitEthernet1/0/1] port-security max-mac-count 100
[device-GigabitEthernet1/0/1] port-security port-mode autolearn
[device-GigabitEthernet1/0/1] mac-address security 0001-0001-0001 vlan 1
port-security authorization ignore
Syntax
port-security authorization ignore
undo port-security authorization ignore
View
Ethernet port view
Parameters
None
Description
Use the port-security authorization ignore command to configure the port to ignore the authorization information delivered by the RADIUS server.
Use the undo port-security authorization ignore command to restore the default configuration.
By default, the port uses (does not ignore) the authorization information delivered by the RADIUS server.
- With the port-security authorization ignore command executed, issuing the display port-security command will display "Authorization is ignore" in the output information.
- With the undo port-security authorization ignore command executed, issuing the display port-security command will display "Authorization is permit" in the output information.
Examples
# Configure GigabitEthernet 1/0/2 to ignore the authorization information delivered from the RADIUS server.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] interface GigabitEthernet 1/0/2
[device-GigabitEthernet1/0/2] port-security authorization ignore
port-security enable
Syntax
port-security enable
undo port-security enable
View
System view
Parameters
None
Description
Use the port-security enable command to enable port security.
Use the undo port-security enable command to disable port security.
By default, port security is disabled.
Enabling port security resets the following configurations on the ports to the defaults (as shown in parentheses below):
- 802.1x (disabled), port access control method (macbased), and port access control mode (auto)
- MAC authentication (disabled)
In addition, you cannot perform the above-mentioned configurations manually because these configurations change with the port security mode automatically.
Examples
# Enable port security.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] port-security enable
Notice: The port-control of 802.1x will be restricted to auto when port-security is enabled.
Please wait... Done.
port-security intrusion-mode
Syntax
port-security intrusion-mode { disableport | disableport-temporarily | blockmac }
undo port-security intrusion-mode
View
Ethernet port view
Parameters
disableport: Specifies to permanently disable the port.
disableport-temporarily: Specifies to temporarily disable the port, and enable the port after a pre-set time.
blockmac: Specifies to discard the packets with illegal source MAC addresses.
Description
Use the port-security intrusion-mode command to set the action to be taken by the device when intrusion protection is triggered on the port.
Use the undo port-security intrusion-mode command to cancel the action setting.
By default, no action will be taken after intrusion protection is triggered.
By checking the source MAC addresses in inbound data frames or the username and password in 802.1x authentication requests on a port, intrusion protection detects illegal packets (packets with illegal MAC address) or events and takes a pre-set action accordingly. The actions you can set include: disconnecting the port temporarily/permanently and blocking packets with invalid MAC addresses.
The following cases can trigger intrusion protection on a port:
- A packet with an unknown source MAC address is received on the port while MAC address learning is disabled on the port.
- A packet with an unknown source MAC address is received on the port while the number of security MAC addresses on the port has reached the preset maximum.
- The user fails the 802.1x or MAC address authentication.
After executing the port-security intrusion-mode blockmac command, you can only use the display port-security command to view blocked MAC addresses, which you cannot configure as static MAC addresses.
The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled.
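The triggers and actions described above form a small state machine per port. The following Python model is an added example for illustration, not H3C's implementation: it keeps the learned security MAC addresses, applies the port-security max-mac-count limit, and on an intrusion applies whichever of the three actions is configured, including re-enabling the port after the port-security timer disableport interval for disableport-temporarily. The 802.1x/MAC-authentication failure trigger is not modelled, since it depends on the RADIUS exchange; time is passed in as a number of seconds so the timer can be exercised without sleeping.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

INTRUSION_MODES = (None, "disableport", "disableport-temporarily", "blockmac")


@dataclass
class SecurePort:
    """Toy model of one port's intrusion protection (added example, not device code)."""
    max_mac: Optional[int] = None            # port-security max-mac-count; None = no limit
    intrusion_mode: Optional[str] = None     # None = default: no action is taken
    learning: bool = True                    # False = MAC address learning disabled on the port
    disable_timer: int = 20                  # port-security timer disableport, 20..300 s
    secure_macs: Set[str] = field(default_factory=set)
    blocked_macs: Set[str] = field(default_factory=set)
    disabled_until: Optional[float] = None   # None = port enabled; inf = permanently disabled
    events: List[Tuple[str, str]] = field(default_factory=list)

    def __post_init__(self):
        if self.intrusion_mode not in INTRUSION_MODES:
            raise ValueError("unknown intrusion mode: %r" % self.intrusion_mode)
        if not 20 <= self.disable_timer <= 300:
            raise ValueError("port-security timer disableport takes 20..300 seconds")

    def is_disabled(self, now: float) -> bool:
        return self.disabled_until is not None and now < self.disabled_until

    def _trigger(self, mac: str, now: float, reason: str) -> str:
        """Record the intrusion and apply the configured action; the frame is dropped."""
        self.events.append((reason, mac))
        if self.intrusion_mode == "disableport":
            self.disabled_until = float("inf")               # permanently disabled
        elif self.intrusion_mode == "disableport-temporarily":
            self.disabled_until = now + self.disable_timer   # re-enabled after the timer
        elif self.intrusion_mode == "blockmac":
            self.blocked_macs.add(mac)                       # discard frames from this MAC
        return "drop"

    def ingress(self, src_mac: str, now: float = 0.0) -> str:
        """Return 'forward' or 'drop' for a frame with this source MAC arriving at time now."""
        src_mac = src_mac.lower()
        if self.is_disabled(now) or src_mac in self.blocked_macs:
            return "drop"
        if src_mac in self.secure_macs:
            return "forward"
        if not self.learning:
            return self._trigger(src_mac, now, "unknown source MAC while learning is disabled")
        if self.max_mac is not None and len(self.secure_macs) >= self.max_mac:
            return self._trigger(src_mac, now, "unknown source MAC while secure MAC table is full")
        self.secure_macs.add(src_mac)       # learn it as a security MAC address
        return "forward"


if __name__ == "__main__":
    port = SecurePort(max_mac=1, intrusion_mode="disableport-temporarily", disable_timer=50)
    for t, mac in [(0, "0001-0001-0001"), (1, "0001-0001-0002"), (10, "0001-0001-0001"), (51, "0001-0001-0001")]:
        print(t, mac, port.ingress(mac, now=t))
```

Two details match the text rather than intuition: in blockmac mode the port itself stays up and already-learned addresses keep forwarding while the offending address is silently discarded, and a disableport-temporarily port drops every frame, legitimate ones included, until the timer expires.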
Examples
# Configure the device to disable GigabitEthernet 1/0/1 when intrusion protection is triggered on the port.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] interface GigabitEthernet 1/0/1
[device-GigabitEthernet1/0/1] port-security intrusion-mode disableport
port-security max-mac-count
Syntax
port-security max-mac-count count-value
undo port-security max-mac-count
View
Ethernet port view
Parameters
count-value: Maximum number of MAC addresses allowed on the port, in the range of 1 to 1,024.
Description
Use the port-security max-mac-count command to set the maximum number of MAC addresses allowed on the port. The number is the sum of the following:
- Number of MAC addresses that pass 802.1x authentication
- Number of MAC addresses that pass MAC address authentication
- Number of security MAC addresses
Use the undo port-security max-mac-count command to cancel this limit.
By default, there is no limit on the number of MAC addresses allowed on the port.
- Assume that, in the macAddressOrUserLoginSecureExt port security mode, you have configured the port to allow up to n authenticated users to access the network. When all n authenticated users are connected and one or more of them are MAC-authenticated, performing 802.1x authentication on the MAC-authenticated user(s) requires the maximum number of MAC addresses allowed on the port to be set to n + 1. Similarly, in the macAddressOrUserLoginSecure mode, the maximum number of MAC addresses allowed on the port must be set to 2.
- In the macAddressAndUserLoginSecureExt port security mode, to allow up to n authenticated users to be connected to the network at the same time and the nth user to be 802.1x-authenticated, the maximum number of MAC addresses allowed on the port must be set to at least n + 1. Similarly, in the macAddressAndUserLoginSecure mode, the maximum number of MAC addresses allowed on the port must be set to 2.
Examples
# Set the maximum number of MAC addresses allowed on the port to 100.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] port-security enable
[device] interface GigabitEthernet 1/0/1
[device-GigabitEthernet1/0/1] port-security max-mac-count 100
port-security ntk-mode
Syntax
port-security ntk-mode { ntkonly | ntk-withbroadcasts | ntk-withmulticasts }
undo port-security ntk-mode
View
Ethernet port view
Parameters
ntkonly: Allows the port to transmit only unicast packets with successfully-authenticated destination MAC addresses.
ntk-withbroadcasts: Allows the port to transmit broadcast packets and unicast packets with successfully-authenticated destination MAC addresses.
ntk-withmulticasts: Allows the port to transmit multicast packets, broadcast packets and unicast packets with successfully-authenticated destination MAC addresses.
Description
Use the port-security ntk-mode command to configure the NTK feature on the port.
Use the undo port-security ntk-mode command to restore the default setting.
By default, NTK is disabled on a port, namely all frames are allowed to be sent.
- By checking the destination MAC addresses of the data frames to be sent from a port, the NTK feature ensures that only successfully authenticated devices can obtain data frames from the port, thus preventing illegal devices from intercepting network data.
- Currently, the WX3000 series do not support the ntkonly NTK feature.
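The three NTK modes differ only in which non-unicast traffic they let out of the port. The following Python functions are an added example, not device code, that apply the rules stated above to a frame's destination MAC: broadcast is ffff-ffff-ffff, multicast is any address with the I/G bit (least significant bit of the first octet) set, and a unicast destination passes only if it is in the set of successfully authenticated addresses. The ntkonly branch is included for completeness even though the page notes the WX3000 series do not support it.

```python
from typing import Iterable, List, Set

NTK_MODES = (None, "ntkonly", "ntk-withbroadcasts", "ntk-withmulticasts")


def mac_bytes(mac: str) -> bytes:
    """Parse a MAC in H-H-H (0001-0001-0001) or colon form into six bytes."""
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def is_broadcast(mac: str) -> bool:
    return mac_bytes(mac) == b"\xff" * 6


def is_multicast(mac: str) -> bool:
    return bool(mac_bytes(mac)[0] & 0x01)   # I/G bit of the first octet


def ntk_permits(mode, dst_mac: str, authenticated: Set[str]) -> bool:
    """Decide whether a frame with this destination may leave the port in the given NTK mode."""
    if mode not in NTK_MODES:
        raise ValueError("unknown NTK mode: %r" % mode)
    if mode is None:                       # NTK disabled: every frame is sent
        return True
    if is_broadcast(dst_mac):              # broadcast must be tested before multicast
        return mode in ("ntk-withbroadcasts", "ntk-withmulticasts")
    if is_multicast(dst_mac):
        return mode == "ntk-withmulticasts"
    # Unicast: only destinations that authenticated successfully on this port
    return mac_bytes(dst_mac) in {mac_bytes(m) for m in authenticated}


def filter_egress(mode, frames: Iterable[str], authenticated: Set[str]) -> List[str]:
    """Return the destination MACs of the frames that pass the NTK check, in order."""
    return [dst for dst in frames if ntk_permits(mode, dst, authenticated)]


if __name__ == "__main__":
    # Constructed sample: one authenticated host, one unknown host, a multicast group, broadcast
    frames = ["0001-0001-0001", "0001-0001-0002", "0100-5e00-0001", "ffff-ffff-ffff"]
    for mode in NTK_MODES:
        print(mode, filter_egress(mode, frames, {"0001-0001-0001"}))
```

Comparing the byte form rather than the string makes the check insensitive to case and to separator style, which matters when the authenticated set comes from a RADIUS log and the frame from a capture.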
Examples
# Set the NTK feature to ntk-withbroadcasts on GigabitEthernet 1/0/1.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] port-security enable
[device] interface GigabitEthernet 1/0/1
[device-GigabitEthernet1/0/1] port-security ntk-mode ntk-withbroadcasts
port-security oui
Syntax
port-security oui OUI-value index index-value
undo port-security oui index id-value
View
System view
Parameters
OUI-value: OUI value. You can input a full MAC address (in hexadecimal format) for this argument and the system will calculate the OUI value from your input. Note that it must not be a multicast MAC address.
index-value: OUI index, ranging from 1 to 16.
The organizationally unique identifiers (OUIs) are assigned by IEEE to different manufacturers. Each OUI uniquely identifies an equipment manufacturer in the world and is the higher 24 bits of a MAC address.
Description
Use the port-security oui command to set an OUI value for authentication.
Use the undo port-security oui command to cancel the OUI value setting.
By default, no OUI value is set for authentication.
- The OUI value set by this command takes effect only when the security mode of the port is set to userLoginWithOUI by the port-security port-mode command.
- You need only input a full MAC address in hexadecimal format for the OUI-value argument in this command. The system will automatically convert the address from hexadecimal format to binary format and then take the higher 24 bits of the resulting binary data as the OUI value.
Related commands: port-security port-mode.
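The conversion the command performs, taking the higher 24 bits of a full MAC address and refusing multicast addresses, is short enough to show exactly. The following Python code is an added example, not H3C code: oui_from_mac reproduces the conversion for the 00ef-ec00-0000 example above (yielding 00efec, as in the display port-security output), and the OuiTable class is an illustrative model of the 16-entry table with a match method showing how a host's MAC would be compared against the configured OUIs.

```python
from typing import Dict, Optional

HEX = set("0123456789abcdef")


def _hexdigits(mac: str) -> str:
    """Normalise an H-H-H (or colon-separated) MAC to 12 lowercase hex digits."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or not set(digits) <= HEX:
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def oui_from_mac(mac: str) -> str:
    """Return the OUI (higher 24 bits of the MAC) as six hex digits.

    Multicast addresses are rejected, as the port-security oui command requires.
    """
    value = int(_hexdigits(mac), 16)
    if (value >> 40) & 0x01:               # I/G bit of the first octet set: multicast
        raise ValueError("multicast MAC address is not allowed: %r" % mac)
    return "%06x" % (value >> 24)


class OuiTable:
    """Illustrative model of the OUI table filled by port-security oui ... index N."""

    def __init__(self):
        self.entries: Dict[int, str] = {}

    def set(self, index: int, mac: str) -> None:
        if not 1 <= index <= 16:           # index-value ranges from 1 to 16
            raise ValueError("OUI index must be 1..16")
        self.entries[index] = oui_from_mac(mac)

    def undo(self, index: int) -> None:    # undo port-security oui index N
        self.entries.pop(index, None)

    def match(self, mac: str) -> Optional[int]:
        """Index of the entry whose OUI equals the MAC's higher 24 bits, or None."""
        prefix = _hexdigits(mac)[:6]
        for index, oui in self.entries.items():
            if oui == prefix:
                return index
        return None


if __name__ == "__main__":
    table = OuiTable()
    table.set(5, "00ef-ec00-0000")          # the example from the page
    print(table.entries)                    # {5: '00efec'}
    print(table.match("00ef-ec12-3456"))    # 5
```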
Examples
# Configure an OUI value of 00ef-ec00-0000, setting the OUI index to 5.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] port-security oui 00ef-ec00-0000 index 5
port-security port-mode
Syntax
port-security port-mode { autolearn | mac-and-userlogin-secure | mac-and-userlogin-secure-ext | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }
undo port-security port-mode
View
Ethernet port view
Parameters
autolearn: Sets the port security mode to autoLearn.
mac-and-userlogin-secure: Sets the port security mode to macAddressAndUserLoginSecure.
mac-and-userlogin-secure-ext: Sets the port security mode to macAddressAndUserLoginSecureExt.
mac-authentication: Sets the port security mode to macAddressWithRadius.
mac-else-userlogin-secure: Sets the port security mode to macAddressElseUserLoginSecure.
mac-else-userlogin-secure-ext: Sets the port security mode to macAddressElseUserLoginSecureExt.
secure: Sets the port security mode to secure.
userlogin: Sets the port security mode to userLogin.
userlogin-secure: Sets the port security mode to userLoginSecure.
userlogin-secure-ext: Sets the port security mode to userLoginSecureExt.
userlogin-secure-or-mac: Sets the port security mode to macAddressOrUserLoginSecure.
userlogin-secure-or-mac-ext: Sets the port security mode to macAddressOrUserLoginSecureExt.
userlogin-withoui: Sets the port security mode to userLoginWithOUI.
Description
Use the port-security port-mode command to set the security mode of the port.
Use the undo port-security port-mode command to restore the default mode.
By default, the port is in the noRestriction mode, namely access to the port is not restricted.
Port security defines various security modes that allow the device to learn legal source MAC addresses, so that you can implement different network security management as needed. With port security enabled, packets whose source MAC addresses cannot be learned by the port in the configured security mode are considered illegal.
Examples
# Set the security mode of GigabitEthernet 1/0/1 on the device to userLogin.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] port-security enable
[device] interface GigabitEthernet 1/0/1
[device-GigabitEthernet1/0/1] port-security port-mode userlogin
port-security timer disableport
Syntax
port-security timer disableport timer
undo port-security timer disableport
View
System view
Parameters
timer: This argument ranges from 20 to 300, in seconds.
Description
Use the port-security timer disableport command to set the time during which the system temporarily disables a port.
Use the undo port-security timer disableport command to restore the default time.
By default, the system disables a port for 20 seconds.
The port-security timer disableport command is used in conjunction with the port-security intrusion-mode disableport-temporarily command to set the length of time during which the port remains disabled.
Examples
# Set the time during which the system temporarily disables a port to 50 seconds.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] port-security timer disableport 50
port-security trap
Syntax
port-security trap { addresslearned | intrusion | dot1xlogon | dot1xlogoff | dot1xlogfailure | ralmlogon | ralmlogoff | ralmlogfailure }
undo port-security trap { addresslearned | intrusion | dot1xlogon | dot1xlogoff | dot1xlogfailure | ralmlogon | ralmlogoff | ralmlogfailure }
View
System view
Parameters
addresslearned: Enables/disables sending MAC address learning trap messages.
intrusion: Enables/disables sending intrusion packet discovery trap messages.
dot1xlogon: Enables/disables sending 802.1x-authenticated user logon trap messages.
dot1xlogoff: Enables/disables sending 802.1x-authenticated user logoff trap messages.
dot1xlogfailure: Enables/disables sending 802.1x authentication failure trap messages.
ralmlogon: Enables/disables sending MAC-authenticated user logon trap messages.
ralmlogoff: Enables/disables sending MAC-authenticated user logoff trap messages.
ralmlogfailure: Enables/disables sending MAC authentication failure trap messages.
RADIUS authenticated login using MAC-address (RALM) refers to MAC-based RADIUS authentication.
Description
Use the port-security trap command to enable the sending of specified type(s) of trap messages.
Use the undo port-security trap command to disable the sending of specified type(s) of trap messages.
By default, the system disables the sending of any types of trap messages.
This command is based on the device tracking feature, which enables the device to send trap messages when special data packets (generated by illegal intrusion, abnormal user logon/logoff, or other special activities) are passing through a port, so as to help the network administrator to monitor special activities.
When you use the display port-security command to display global information, the system will display which types of trap messages are allowed to send.
Related commands: display port-security.
Examples
# Allow the sending of intrusion packet discovery trap messages.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] port-security trap intrusion
2 Port Binding Commands
am user-bind
Syntax
In system view:
am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number
undo am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number
In Ethernet port view:
am user-bind mac-addr mac-address ip-addr ip-address
undo am user-bind mac-addr mac-address ip-addr ip-address
View
System view, Ethernet port view
Parameters
mac-address: MAC address to be bound.
ip-address: IP address to be bound.
interface-type: Type of the port to be bound to.
interface-number: Number of the port to be bound to.
Description
Use the am user-bind command to bind the MAC address and IP address of a user to a specified port.
Use the undo am user-bind command to cancel the binding.
After the binding, the device forwards packets received on the port only if they come from the bound MAC address and IP address.
By default, no user MAC address or IP address is bound to a port.
- An IP address can be bound with only one port at a time.
- A MAC address can be bound with only one port at a time.
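The binding semantics above (a MAC/IP pair tied to one port, with each IP and each MAC bindable to a single port at a time) can be made concrete with a small model. The following Python class is an added example, not device code: bind enforces the two uniqueness rules, permits gives the forwarding decision for a packet received on a port, and display lists the table in the column order of the display am user-bind output. One assumption of this example that the page does not state: a port with no binding configured forwards everything, since the text only describes the behaviour of bound ports.

```python
from typing import List, Tuple


class BindingTable:
    """Model of the am user-bind table; each IP and each MAC may be bound to only one port."""

    def __init__(self):
        self.bindings: List[Tuple[str, str, str]] = []   # (mac, ip, port)

    def bind(self, mac: str, ip: str, port: str) -> None:
        """am user-bind mac-addr <mac> ip-addr <ip> interface <port>."""
        mac = mac.lower()
        for m, i, p in self.bindings:
            if m == mac and p != port:
                raise ValueError("MAC %s is already bound to %s" % (mac, p))
            if i == ip and p != port:
                raise ValueError("IP %s is already bound to %s" % (ip, p))
        if (mac, ip, port) not in self.bindings:
            self.bindings.append((mac, ip, port))

    def unbind(self, mac: str, ip: str, port: str) -> None:
        """undo am user-bind ... : remove the binding if present."""
        entry = (mac.lower(), ip, port)
        if entry in self.bindings:
            self.bindings.remove(entry)

    def permits(self, port: str, src_mac: str, src_ip: str) -> bool:
        """Forwarding decision for a packet received on port.

        Assumption of this example: a port with no binding forwards everything.
        A bound port forwards only packets whose source MAC and IP match a binding on it.
        """
        bound_here = [(m, i) for m, i, p in self.bindings if p == port]
        if not bound_here:
            return True
        return (src_mac.lower(), src_ip) in bound_here

    def display(self) -> List[str]:
        """Rows in the column order of display am user-bind: MAC, IP, port."""
        return ["%s %s %s" % entry for entry in self.bindings]


if __name__ == "__main__":
    # Constructed sample mirroring the two bindings used in this chapter's examples
    table = BindingTable()
    table.bind("00e0-fc00-5101", "10.153.1.1", "GigabitEthernet1/0/1")
    table.bind("00e0-fc00-5102", "10.153.1.2", "GigabitEthernet1/0/2")
    for row in table.display():
        print(row)
    print(table.permits("GigabitEthernet1/0/1", "00e0-fc00-5101", "10.153.1.9"))  # False
```

The permits check is deliberately on the pair, not on either field alone: a host that keeps its bound MAC but changes its IP address, or vice versa, is dropped on that port.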
Examples
# In system view, bind the MAC address 00e0-fc00-5101 and IP address 10.153.1.1 (supposing they are MAC and IP addresses of a legal user) to GigabitEthernet 1/0/1.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] am user-bind mac-addr 00e0-fc00-5101 ip-addr 10.153.1.1 interface GigabitEthernet1/0/1
# In Ethernet port view, bind the MAC address 00e0-fc00-5102 and IP address 10.153.1.2 (supposing they are MAC and IP addresses of a legal user) to GigabitEthernet 1/0/2.
<device> system-view
System View: return to User View with Ctrl+Z.
[device] interface GigabitEthernet1/0/2
[device-GigabitEthernet1/0/2] am user-bind mac-addr 00e0-fc00-5102 ip-addr 10.153.1.2
display am user-bind
Syntax
display am user-bind [ interface interface-type interface-number | ip-addr ip-addr | mac-addr mac-addr ]
View
Any view
Parameters
interface: Displays binding information on a specified port.
interface-type: Port type.
interface-number: Port number.
ip-addr ip-addr: Displays only the binding information of a specified IP address.
mac-addr mac-addr: Displays only the binding information of a specified MAC address.
Description
Use the display am user-bind command to display port binding information.
Examples
# Display the current system port binding information.
<device> display am user-bind
Following User address bind have been configured:
Mac IP Port
00e0-fc00-5101 10.153.1.1 GigabitEthernet1/0/1
00e0-fc00-5102 10.153.1.2 GigabitEthernet1/0/2
Unit 1:Total 2 found, 2 listed.
Total: 2 found.
The output above shows that two port binding settings exist on unit 1:
- MAC address 00e0-fc00-5101 and IP address 10.153.1.1 are bound to GigabitEthernet 1/0/1.
- MAC address 00e0-fc00-5102 and IP address 10.153.1.2 are bound to GigabitEthernet 1/0/2.