Port security commands
display port-security
Use display port-security to display port security configuration, operation information, and statistics for ports.
Syntax
display port-security [ interface interface-type interface-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number : Specifies a port by its type and number. If you do not specify a port, this command displays port security information for all ports.
Examples
# Display port security information for all ports.
<Sysname> display port-security
Global port security parameters:
Port security : Enabled
AutoLearn aging time : 0 min
Disableport timeout : 20 s
Blockmac timeout : 180 s
MAC move : Denied
Authorization fail : Online
NAS-ID profile : Not configured
Dot1x-failure trap : Disabled
Dot1x-logon trap : Disabled
Dot1x-logoff trap : Enabled
Intrusion trap : Disabled
Address-learned trap : Enabled
Mac-auth-failure trap : Disabled
Mac-auth-logon trap : Enabled
Mac-auth-logoff trap : Disabled
Open authentication : Disabled
OUI value list :
Index : 1 Value : 123401
GigabitEthernet1/0/1 is link-up
Port mode : userLogin
NeedToKnow mode : Disabled
Intrusion protection mode : NoAction
Security MAC address attribute
Learning mode : Sticky
Aging type : Periodical
Max secure MAC addresses : 32
Current secure MAC addresses : 0
Authorization : Permitted
NAS-ID profile : Not configured
Free VLANs : Not configured
Open authentication : Disabled
MAC-move VLAN check bypass : Disabled
Table 1 Command output
Field | Description |
Port security | Whether the port security feature is enabled. |
AutoLearn aging time | Sticky MAC address aging timer, in minutes or seconds. |
Disableport timeout | Silence period (in seconds) of the port that receives illegal packets. |
Blockmac timeout | This field is not supported in the current software version. Block timer (in seconds) for MAC addresses in the blocked MAC address list. |
MAC move | Status of MAC move: ·If the feature is enabled, this field displays Permitted. ·If the feature is disabled, this field displays Denied. |
Authorization fail | Action to be taken for users that fail authorization: · Online —Allows the users to go online. · Offline —Logs off the users. |
NAS-ID profile | NAS-ID profile applied globally. |
Dot1x-failure trap | Whether SNMP notifications for 802.1X authentication failures are enabled. |
Dot1x-logon trap | Whether SNMP notifications for 802.1X authentication successes are enabled. |
Dot1x-logoff trap | Whether SNMP notifications for 802.1X authenticated user logoffs are enabled. |
Intrusion trap | Whether SNMP notifications for intrusion protection are enabled. If they are enabled, the device sends SNMP notifications after illegal packets are detected. |
Address-learned trap | Whether SNMP notifications for MAC address learning are enabled. If they are enabled, the device sends SNMP notifications after it learns a new MAC address. |
Mac-auth-failure trap | Whether SNMP notifications for MAC authentication failures are enabled. |
Mac-auth-logon trap | Whether SNMP notifications for MAC authentication successes are enabled. |
Mac-auth-logoff trap | Whether SNMP notifications for MAC authentication user logoffs are enabled. |
Open authentication | Whether global open authentication mode is enabled. |
OUI value list | List of OUI values allowed for authentication. |
Port mode | Port security mode: ·noRestrictions. ·autoLearn. ·macAddressWithRadius. ·macAddressElseUserLoginSecure. ·macAddressElseUserLoginSecureExt. ·secure. ·userLogin. ·userLoginSecure. ·userLoginSecureExt. ·macAddressOrUserLoginSecure. ·macAddressOrUserLoginSecureExt. ·userLoginWithOUI. For more information about port security modes, see Security Configuration Guide. |
NeedToKnow mode | Need to know (NTK) mode: · NeedToKnowOnly —Forwards only unicast frames with an authenticated destination MAC address. · NeedToKnowWithBroadcast —Forwards only broadcast and unicast frames with an authenticated destination MAC address. · NeedToKnowWithMulticast —Forwards only broadcast, multicast, and unicast frames with an authenticated destination MAC address. · NeedToKnowAuto —Forwards only broadcast, multicast, and unicast frames with an authenticated destination MAC address, and only when the port has online users. · Disabled —NTK is disabled. |
Intrusion protection mode | Intrusion protection action: · BlockMacAddress —Adds the source MAC address of the illegal packet to the blocked MAC address list. · DisablePort —Shuts down the port that receives illegal packets permanently. · DisablePortTemporarily —Shuts down the port that receives illegal packets for some time. · NoAction —Does not perform intrusion protection. |
Learning mode | Secure MAC address learning mode: · Dynamic . · Sticky . |
Aging type | Secure MAC address aging type: · Periodical —Timer aging only. · Inactivity —Inactivity aging feature together with the aging timer. |
Max secure MAC addresses | Maximum number of secure MAC addresses (or online users) that port security allows on the port. |
Current secure MAC addresses | Number of secure MAC addresses stored. |
Authorization | Whether the authorization information from the authentication server (RADIUS server or local device) is ignored: · Permitted —Authorization information from the authentication server takes effect. · Ignored —Authorization information from the authentication server does not take effect. |
NAS-ID profile | NAS-ID profile applied to the port. |
Free VLANs | This field is not supported in the current software version. VLANs in which packets will not trigger authentication. If you do not configure free VLANs, this field displays Not configured. |
Open authentication | Whether open authentication mode is enabled on the port. |
MAC-move VLAN check bypass | Whether the VLAN check bypass feature is enabled for users moving to the port from other ports. |
display port-security mac-address block
Use display port-security mac-address block to display information about blocked MAC addresses.
Syntax
display port-security mac-address block [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number : Specifies a port by its type and number.
vlan vlan-id : Specifies a VLAN by its ID. The value range is 1 to 4094.
count : Displays only the count of the blocked MAC addresses.
Usage guidelines
If you do not specify any parameters, this command displays information about all blocked MAC addresses.
Examples
# Display information about all blocked MAC addresses.
<Sysname> display port-security mac-address block
MAC ADDR Port VLAN ID
000f-3d80-0d2d GE1/0/1 30
--- On slot 1, 1 MAC address(es) found ---
--- 1 mac address(es) found ---
# Display the count of all blocked MAC addresses.
<Sysname> display port-security mac-address block count
--- On slot 1, 1 MAC address(es) found ---
--- 1 mac address(es) found ---
Table 2 Command output
Field | Description |
MAC ADDR | Blocked MAC address. |
Port | Port having received frames with the blocked MAC address being the source address. |
VLAN ID | ID of the VLAN to which the port belongs. |
number mac address(es) found | Number of blocked MAC addresses. |
Related commands
port-security intrusion-mode
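A defender who monitors intrusion protection will usually want the blocked MAC address list in structured form rather than raw CLI text. The following parser is an added example, not part of the command reference; it consumes the display port-security mac-address block layout shown above, normalises the H-H-H MAC format, and cross-checks the per-slot and total summary lines against the entries parsed so that truncated output is caught. The sample output embedded in it is constructed, not captured from a device.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample laid out like the display port-security mac-address block
# output above (two entries instead of one; not real device output).
SAMPLE_OUTPUT = """\
MAC ADDR          Port      VLAN ID
000f-3d80-0d2d    GE1/0/1   30
0002-0002-0002    GE1/0/2   30
--- On slot 1, 2 MAC address(es) found ---
--- 2 mac address(es) found ---
"""

# Comware prints MAC addresses in H-H-H format: three 4-hex-digit groups joined by '-'.
ENTRY_RE = re.compile(
    r"^(?P<mac>[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+"
    r"(?P<port>\S+)\s+(?P<vlan>\d{1,4})\s*$"
)
# Per-slot summary line and grand-total line.
SLOT_RE = re.compile(r"^--- On slot (?P<slot>\d+), (?P<n>\d+) MAC address\(es\) found ---$")
TOTAL_RE = re.compile(r"^--- (?P<n>\d+) mac address\(es\) found ---$", re.IGNORECASE)


@dataclass(frozen=True)
class BlockedMac:
    mac: str    # normalised to colon-separated lowercase, e.g. 00:0f:3d:80:0d:2d
    port: str
    vlan: int


def normalise_mac(hhh: str) -> str:
    """Convert H-H-H notation (000f-3d80-0d2d) to 00:0f:3d:80:0d:2d."""
    digits = hhh.replace("-", "").lower()
    if len(digits) != 12:
        raise ValueError(f"not an H-H-H MAC address: {hhh!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_blocked_macs(text: str) -> List[BlockedMac]:
    """Parse display port-security mac-address block output into records.

    Both summary lines are checked against the number of entries actually
    parsed, so paginated or truncated output raises instead of silently
    yielding a short list.
    """
    entries: List[BlockedMac] = []
    slot_total = 0
    grand_total = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("MAC ADDR"):
            continue  # blank line or column header
        if m := ENTRY_RE.match(line):
            entries.append(BlockedMac(normalise_mac(m["mac"]), m["port"], int(m["vlan"])))
        elif m := SLOT_RE.match(line):
            slot_total += int(m["n"])
        elif m := TOTAL_RE.match(line):
            grand_total = int(m["n"])
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    if grand_total is None:
        raise ValueError("total line missing: output is probably truncated")
    if grand_total != len(entries) or slot_total != len(entries):
        raise ValueError(
            f"count mismatch: {len(entries)} entries parsed, "
            f"slots report {slot_total}, total reports {grand_total}"
        )
    return entries


def is_complete(text: str) -> bool:
    """True when the output parses and its summary counts agree with its entries."""
    try:
        parse_blocked_macs(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for rec in parse_blocked_macs(SAMPLE_OUTPUT):
        print(f"blocked {rec.mac} on {rec.port} in VLAN {rec.vlan}")
```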
display port-security mac-address security
Use display port-security mac-address security to display information about secure MAC addresses.
Syntax
display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
interface interface-type interface-number : Specifies a port by its type and number.
vlan vlan-id : Specifies a VLAN by its ID. The value range is 1 to 4094.
count : Displays only the count of the secure MAC addresses.
Usage guidelines
Secure MAC addresses are those that are automatically learned by the port in autoLearn mode or configured by the port-security mac-address security command.
If you do not specify any parameters, this command displays information about all secure MAC addresses.
Examples
# Display information about all secure MAC addresses.
<Sysname> display port-security mac-address security
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME
0002-0002-0002 1 Secure GE1/0/1 Not aged
--- Number of secure MAC addresses: 1 ---
# Display only the count of the secure MAC addresses.
<Sysname> display port-security mac-address security count
--- Number of secure MAC addresses: 1 ---
Table 3 Command output
Field | Description |
MAC ADDR | Secure MAC address. |
VLAN ID | ID of the VLAN to which the port belongs. |
STATE | Type of the MAC address. This field displays Secure for a secure MAC address. |
PORT INDEX | Port to which the secure MAC address belongs. |
AGING TIME | The remaining amount of time before the secure MAC address ages out. ·If the secure MAC address is a static MAC address, this field displays Not aged. ·If the secure MAC address is a sticky MAC address, this field displays the remaining lifetime. If the remaining lifetime is less than 60 seconds, the lifetime is counted in seconds. If the lifetime is not less than 60 seconds, the lifetime is counted in minutes. By default, sticky MAC addresses do not age out, and this field displays Not aged. |
Number of secure MAC addresses | Number of secure MAC addresses stored. |
Related commands
port-security mac-address security
port-security access-user log enable
Use port-security access-user log enable to enable port security user logging.
Use undo port-security access-user log enable to disable port security user logging.
Syntax
port-security access-user log enable [ failed-authorization | mac-learning | violation | vlan-mac-limit ] *
undo port-security access-user log enable [ failed-authorization | mac-learning | violation | vlan-mac-limit ] *
Default
Port security user logging is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
failed-authorization : Logs authorization failures of 802.1X or MAC authentication users.
mac-learning : Logs MAC address learning events.
violation : Logs intrusion protection events.
vlan-mac-limit : Logs the first access attempt from a new MAC address in a VLAN after port security's MAC address limit for that VLAN is reached. For each VLAN, the system does not log any access attempts from new MAC addresses except the first one after the MAC address limit is reached.
Usage guidelines
To prevent excessive port security user log entries, use this feature only if you need to analyze abnormal port security user events.
If you do not specify any parameters, this command enables all types of port security user logs.
Examples
# Enable intrusion protection event logging.
<Sysname> system-view
[Sysname] port-security access-user log enable violation
Related commands
info-center source portsec logfile deny (Network Management and Monitoring Command Reference)
port-security authentication open
Use port-security authentication open to enable open authentication mode on a port.
Use undo port-security authentication open to disable open authentication mode on a port.
Syntax
port-security authentication open
undo port-security authentication open
Default
Open authentication manner is disabled on a port.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Usage guidelines
This command enables access users (802.1X or MAC authentication users) of a port to come online and access the network even if they use nonexistent usernames or incorrect passwords.
Access users that come online in open authentication mode are called open users. Authorization and accounting are not available for open users. To display open user information, use the following commands:
· display dot1x connection open .
· display mac-authentication connection open .
Open authentication mode does not affect the access of users that use correct user information on the port.
The open authentication mode setting has lower priority than the 802.1X Auth-Fail VLAN and the MAC authentication guest VLAN. Open authentication mode does not take effect on a port if the port is also configured with the 802.1X Auth-Fail VLAN or the MAC authentication guest VLAN.
For information about 802.1X authentication or MAC authentication, see Security Configuration Guide.
Examples
# Enable open authentication mode on GigabitEthernet 1/0/1 .
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security authentication open
Related commands
display dot1x connection
display mac-authentication connection
port-security authentication open global
port-security authentication open global
Use port-security authentication open global to enable global open authentication mode.
Use undo port-security authentication open global to disable global open authentication mode.
Syntax
port-security authentication open global
undo port-security authentication open global
Default
Global open authentication mode is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command enables access users (802.1X or MAC authentication users) to come online and access the network even if they use nonexistent usernames or incorrect passwords.
Access users that come online in open authentication mode are called open users. Authorization and accounting are not available for open users. To display open user information, use the following commands:
· display dot1x connection open .
· display mac-authentication connection open .
Open authentication mode does not affect the access of users that use correct user information.
The open authentication mode setting has lower priority than the 802.1X Auth-Fail VLAN and the MAC authentication guest VLAN. Open authentication mode does not take effect on a port if the port is also configured with the 802.1X Auth-Fail VLAN or the MAC authentication guest VLAN.
For information about 802.1X authentication or MAC authentication, see Security Configuration Guide.
Examples
# Enable global open authentication mode.
<Sysname> system-view
[Sysname] port-security authentication open global
Related commands
display dot1x connection
display mac-authentication connection
port-security authentication open
port-security authorization ignore
Use port-security authorization ignore to configure a port to ignore the authorization information received from the authentication server (a RADIUS server or the local device).
Use undo port-security authorization ignore to restore the default.
Syntax
port-security authorization ignore
undo port-security authorization ignore
Default
A port uses the authorization information from the server.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Usage guidelines
After a user passes RADIUS or local authentication, the server performs authorization based on the authorization attributes configured for the user account. For example, the server can assign a VLAN. If you do not want the port to use such authorization attributes for users, use this command to ignore the authorization information from the server.
Examples
# Configure GigabitEthernet 1/0/1 to ignore the authorization information from the authentication server.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security authorization ignore
Related commands
display port-security
port-security authorization-fail offline
Use port-security authorization-fail offline to enable the authorization-fail-offline feature.
Use undo port-security authorization-fail offline to disable the authorization-fail-offline feature.
Syntax
port-security authorization-fail offline [ quiet-period ]
undo port-security authorization-fail offline
Default
The authorization-fail-offline feature is disabled. The device does not log off users that have failed authorization.
Views
System view
Predefined user roles
network-admin
Parameters
quiet-period : Enables the quiet timer for 802.1X or MAC authentication users that are logged off by the authorization-fail-offline feature. The device adds these users to the 802.1X or MAC authentication quiet queue. Within the quiet timer, the device does not process packets from these users or authenticate them. If you do not specify this keyword, the quiet timer feature is disabled for users that are logged off by the authorization-fail-offline feature. The device immediately authenticates these users upon receiving packets from them.
Usage guidelines
The authorization-fail-offline feature logs off port security users that have failed ACL or user profile authorization.
A user fails ACL or user profile authorization in the following situations:
·The device or server fails to assign the specified ACL or user profile to the user.
·The device or server assigns an ACL or user profile that does not exist on the device to the user.
If this feature is disabled, the device does not log off users that have failed ACL or user profile authorization. However, the device outputs messages to report the failure.
For the quiet-period keyword to take effect, complete the following tasks:
·For 802.1X users, use the dot1x quiet-period command to enable the quiet timer and use the dot1x timer quiet-period command to set the timer.
·For MAC authentication users, use the mac-authentication timer quiet command to set the quiet timer for MAC authentication.
Examples
# Enable the authorization-fail-offline feature.
<Sysname> system-view
[Sysname] port-security authorization-fail offline
Related commands
display port-security
dot1x quiet-period
dot1x timer quiet-period
mac-authentication timer
port-security enable
Use port-security enable to enable port security.
Use undo port-security enable to disable port security.
Syntax
port-security enable
undo port-security enable
Default
Port security is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
You must disable global 802.1X and MAC authentication before you enable port security on a port.
Enabling or disabling port security resets the following security settings to the default:
·802.1X admission control mode is MAC-based.
·Port authorization state is auto.
When online users are present on a port, disabling port security logs off the online users.
Examples
# Enable port security.
<Sysname> system-view
[Sysname] port-security enable
Related commands
display port-security
dot1x
dot1x port-control
dot1x port-method
mac-authentication
port-security intrusion-mode
Use port-security intrusion-mode to configure the intrusion protection action to take when intrusion protection detects illegal frames on a port.
Use undo port-security intrusion-mode to restore the default.
Syntax
port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
undo port-security intrusion-mode
Default
Intrusion protection is disabled.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
blockmac : Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards frames with blocked source MAC addresses for a period set by the block timer. A blocked MAC address will be unblocked when the block timer expires. The timer is fixed at 3 minutes. To display the blocked MAC address list, use the display port-security mac-address block command.
disableport : Disables the port permanently when an illegal frame is received on the port.
disableport-temporarily : Disables the port for a period of time whenever it receives an illegal frame. You can use the port-security timer disableport command to set the period.
Usage guidelines
To bring up the port disabled by the intrusion protection feature, use the undo shutdown command.
Examples
# Configure GigabitEthernet 1/0/1 to block the source MAC addresses of illegal frames after intrusion protection detects the illegal frames.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname- GigabitEthernet1/0/1 ] port-security intrusion-mode blockmac
Related commands
display port-security
display port-security mac-address block
port-security timer disableport
port-security mac-address aging-type inactivity
Use port-security mac-address aging-type inactivity to enable inactivity aging for secure MAC addresses.
Use undo port-security mac-address aging-type inactivity to disable inactivity aging for secure MAC addresses.
Syntax
port-security mac-address aging-type inactivity
undo port-security mac-address aging-type inactivity
Default
The inactivity aging feature is disabled for secure MAC addresses.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Usage guidelines
This command enables the device to periodically detect traffic data from secure MAC addresses.
If only the aging timer is configured, the aging timer counts up regardless of whether traffic data has been sent from the secure MAC addresses. When you use the aging timer together with the inactivity aging feature, the aging timer restarts once traffic data is detected from the secure MAC addresses. The secure MAC addresses age out only when no traffic data is detected within the aging timer.
The inactivity aging feature prevents the unauthorized use of a secure MAC address when the authorized user is offline. The feature also removes outdated secure MAC addresses so that new secure MAC addresses can be learned or configured.
If the aging timer is set to a value not less than 60 seconds, the traffic data detection interval is fixed at 30 seconds.
If the aging timer is set to a value less than 60 seconds, the traffic data detection interval is the effective aging period.
To set the aging timer for secure MAC addresses, use the port-security timer autolearn aging command.
This command takes effect only on sticky MAC addresses and dynamic secure MAC addresses.
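The interaction between the aging timer, the inactivity aging feature and the traffic detection interval is easier to reason about when simulated. The following model is an added example, not device code: it takes an aging timer in seconds and a list of times at which the secure MAC address sent traffic, and returns when the entry ages out under plain timer aging and under inactivity aging. The ordering within a detection check (traffic seen since the previous check restarts the timer; otherwise an expired timer removes the entry) is a modelling assumption, as the page does not specify it.

```python
from typing import Iterable


def detection_interval(aging_timer_s: int) -> int:
    """Traffic detection interval stated in the usage guidelines above:
    fixed at 30 s when the aging timer is at least 60 s, otherwise equal to
    the aging period itself."""
    return 30 if aging_timer_s >= 60 else aging_timer_s


def age_out_time(aging_timer_s: int, traffic_times_s: Iterable[float], inactivity: bool) -> float:
    """Simulated time (seconds after the address was learned) at which a sticky
    or dynamic secure MAC address ages out.

    inactivity=False models the aging timer alone: the entry expires after
    aging_timer_s no matter how much traffic the address sends.
    inactivity=True models port-security mac-address aging-type inactivity:
    at every detection interval the device looks for traffic from the address,
    and traffic seen since the previous check restarts the aging timer.
    """
    if aging_timer_s <= 0:
        raise ValueError("aging timer must be positive (0 means aging is off)")
    if not inactivity:
        return float(aging_timer_s)

    traffic = sorted(traffic_times_s)
    interval = detection_interval(aging_timer_s)
    deadline = float(aging_timer_s)   # when the running aging timer expires
    check = interval                  # time of the next traffic detection
    while True:
        # Modelling assumption: a check sees traffic in (check - interval, check].
        seen = any(check - interval < t <= check for t in traffic)
        if seen:
            deadline = check + aging_timer_s   # restart the aging timer
        elif check >= deadline:
            return deadline                    # no traffic within the aging timer
        check += interval


def keeps_entry_alive(aging_timer_s: int, traffic_times_s: Iterable[float]) -> bool:
    """True when inactivity aging kept the entry longer than the bare timer would have."""
    traffic = list(traffic_times_s)
    return age_out_time(aging_timer_s, traffic, True) > age_out_time(aging_timer_s, traffic, False)


if __name__ == "__main__":
    # Constructed scenario: 120 s aging timer, host speaks once at t=50 s.
    print("timer only     :", age_out_time(120, [50], False))   # 120.0
    print("inactivity     :", age_out_time(120, [50], True))    # 180.0
    # Short timer (< 60 s): the detection interval equals the aging period.
    print("40 s timer     :", age_out_time(40, [35], True))     # 80.0
```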
Examples
# Enable inactivity aging for secure MAC addresses on GigabitEthernet 1/0/1 .
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security mac-address aging-type inactivity
Related commands
display port-security
port-security mac-address dynamic
Use port-security mac-address dynamic to enable the dynamic secure MAC feature.
Use undo port-security mac-address dynamic to disable the dynamic secure MAC feature.
Syntax
port-security mac-address dynamic
undo port-security mac-address dynamic
Default
The dynamic secure MAC feature is disabled. Sticky MAC addresses can be saved to the configuration file. Once saved, they survive a device reboot.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Usage guidelines
The dynamic secure MAC feature converts sticky MAC addresses to dynamic and disables saving them to the configuration file.
After you execute this command, you cannot manually configure sticky MAC addresses, and secure MAC addresses learned by a port in autoLearn mode are dynamic. All dynamic MAC addresses are lost at reboot. Use this command when you want to clear all sticky MAC addresses after a device reboot.
You can display dynamic secure MAC addresses by using the display port-security mac-address security command.
The undo port-security mac-address dynamic command converts all dynamic secure MAC addresses on the port to sticky MAC addresses. You can manually configure sticky MAC addresses.
Examples
# Enable the dynamic secure MAC feature on GigabitEthernet 1/0/1 .
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security mac-address dynamic
Related commands
display port-security
display port-security mac-address security
port-security mac-address security
Use port-security mac-address security to add a secure MAC address.
Use undo port-security mac-address security to remove a secure MAC address.
Syntax
In Layer 2 Ethernet interface view:
port-security mac-address security [ sticky ] mac-address vlan vlan-id
undo port-security mac-address security [ sticky ] mac-address vlan vlan-id
In system view:
port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id
undo port-security mac-address security [ [ mac-address [ interface interface-type interface-number ] ] vlan vlan-id ]
Default
No manually configured secure MAC address entries exist.
Views
System view
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
sticky : Specifies the MAC address type as sticky. If you do not specify this keyword, the command configures a static secure MAC address.
mac-address : Specifies a MAC address, in H-H-H format.
interface interface-type interface-number : Specifies a port by its type and number.
vlan vlan-id : Specifies the VLAN to which the secure MAC address belongs. The value range for the vlan-id argument is 1 to 4094.
Usage guidelines
Secure MAC addresses are MAC addresses configured or learned in autoLearn mode, and if saved, can survive a device reboot. You can bind a secure MAC address only to one port in a VLAN.
You can add important or frequently used MAC addresses as sticky or static secure MAC addresses to avoid the secure MAC address limit causing authentication failure. To successfully add secure MAC addresses on a port, first complete the following tasks:
·Enable port security on the port.
·Set the port security mode to autoLearn.
·Configure the port to allow packets of the specified VLAN to pass or add the port to the VLAN. Make sure the VLAN already exists.
Sticky MAC addresses can be manually configured or automatically learned in autoLearn mode. Sticky MAC addresses do not age out by default. You can use the port-security timer autolearn aging command to set an aging timer for the sticky MAC addresses. When the timer expires, the sticky MAC addresses are removed.
Static secure MAC addresses never age out unless you perform the following operations:
·Remove these MAC addresses by using the undo port-security mac-address security command.
·Change the port security mode.
·Disable the port security feature.
You cannot change the type of a secure address entry that has been added or add two entries that are identical except for their entry type. For example, you cannot add the port-security mac-address security sticky 1-1-1 vlan 10 entry when a port-security mac-address security 1-1-1 vlan 10 entry exists. To add the new entry, you must delete the old entry.
Examples
# Enable port security, set GigabitEthernet 1/0/1 to operate in autoLearn mode, and configure the port to support a maximum number of 100 secure MAC addresses.
<Sysname> system-view
[Sysname] port-security enable
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security max-mac-count 100
[Sysname-GigabitEthernet1/0/1] port-security port-mode autolearn
# Specify MAC address 0001-0002-0003 in VLAN 4 as a sticky MAC address.
[Sysname-GigabitEthernet1/0/1] port-security mac-address security sticky 0001-0002-0003 vlan 4
[Sysname- GigabitEthernet1/0/1 ] quit
# In system view, specify MAC address 0001-0001-0002 in VLAN 10 as a secure MAC address for GigabitEthernet 1/0/1 .
[Sysname] port-security mac-address security 0001-0001-0002 interface gigabitethernet 1/0/1 vlan 10
Related commands
display port-security
port-security timer autolearn aging
port-security mac-limit
Use port-security mac-limit to set the maximum number of MAC addresses that port security allows for specific VLANs on a port.
Use undo port-security mac-limit to restore the default.
Syntax
port-security mac-limit max-number per-vlan vlan-id-list
undo port-security mac-limit max-number per-vlan vlan-id-list
Default
The maximum number is 2147483647.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
max-number : Specifies the maximum number of MAC addresses. The value range is 1 to 2147483647.
per-vlan vlan-id-list : Applies the maximum number to a VLAN list on a per-VLAN basis. The vlan-id-list argument specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN by VLAN ID or specifies a range of VLANs in the form of vlan-id1 to vlan-id2 . The value range for the VLAN IDs is 1 to 4094. The value for the vlan-id2 argument must be equal to or greater than the value for the vlan-id1 argument.
Usage guidelines
This command limits the number of MAC addresses that port security allows to access a port through specific VLANs. Use this command to prevent resource contention among MAC addresses and ensure reliable performance for each access user on the port. When the number of MAC addresses in a VLAN on the port reaches the upper limit, the device denies any subsequent MAC addresses in the VLAN on the port.
Port security allows the access of the following types of MAC addresses on a port:
·MAC addresses that pass 802.1X or MAC authentication.
·MAC addresses in the MAC authentication guest VLAN or MAC authentication critical VLAN.
·MAC addresses in the 802.1X guest VLAN, 802.1X Auth-Fail VLAN, or 802.1X critical VLAN.
On a port, the maximum number of MAC addresses in a VLAN cannot be smaller than the number of existing MAC addresses in the VLAN. If the specified maximum number is smaller, the setting does not take effect.
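The per-VLAN limit, the vlan-id-list argument rules, the "setting does not take effect" condition and the log-once behaviour of the vlan-mac-limit log type described under port-security access-user log enable fit together in a small model. The following is an added example written for this page, not code from the device or its documentation; the rule that a VLAN becomes loggable again once it drops below its limit is an assumption the page does not state.

```python
from typing import Dict, Set, Tuple

MAX_NUMBER_DEFAULT = 2147483647   # default maximum stated on the page
VLAN_MIN, VLAN_MAX = 1, 4094


def parse_vlan_id_list(spec: str) -> Set[int]:
    """Parse a per-vlan vlan-id-list such as "1 5 10 to 20".

    Enforces the argument rules above: at most 10 VLAN items, each a single
    VLAN ID or a "vlan-id1 to vlan-id2" range with vlan-id2 >= vlan-id1, all
    within 1..4094.
    """
    tokens = spec.split()
    items = []
    i = 0
    while i < len(tokens):
        lo = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            hi = int(tokens[i + 2])
            i += 3
        else:
            hi = lo
            i += 1
        if hi < lo:
            raise ValueError(f"vlan-id2 ({hi}) must be >= vlan-id1 ({lo})")
        if not (VLAN_MIN <= lo and hi <= VLAN_MAX):
            raise ValueError(f"VLAN IDs must be in {VLAN_MIN}..{VLAN_MAX}")
        items.append((lo, hi))
    if len(items) > 10:
        raise ValueError("vlan-id-list accepts at most 10 VLAN items")
    vlans: Set[int] = set()
    for lo, hi in items:
        vlans.update(range(lo, hi + 1))
    return vlans


class PortVlanMacLimit:
    """Model of port-security mac-limit on one port: a per-VLAN cap on the MAC
    addresses port security admits, plus the vlan-mac-limit logging rule."""

    def __init__(self) -> None:
        self.limits: Dict[int, int] = {}
        self.admitted: Dict[int, Set[str]] = {}
        self._logged: Set[int] = set()   # VLANs whose first over-limit attempt was logged

    def set_limit(self, max_number: int, vlan_id_list: str) -> bool:
        """Apply port-security mac-limit max-number per-vlan vlan-id-list.

        Returns False, changing nothing, when max_number is smaller than the
        MAC addresses already present in any listed VLAN (the page says such a
        setting does not take effect).
        """
        if not (1 <= max_number <= MAX_NUMBER_DEFAULT):
            raise ValueError("max-number must be in 1..2147483647")
        vlans = parse_vlan_id_list(vlan_id_list)
        if any(len(self.admitted.get(v, ())) > max_number for v in vlans):
            return False
        for v in vlans:
            self.limits[v] = max_number
        return True

    def admit(self, mac: str, vlan: int) -> Tuple[bool, bool]:
        """Offer an authenticated MAC address to the port in `vlan`.

        Returns (admitted, logged). Once the VLAN is full, only the first new
        MAC address rejected produces a vlan-mac-limit log entry; later
        rejections in that VLAN are silent.
        """
        present = self.admitted.setdefault(vlan, set())
        if mac in present:
            return True, False          # already online in this VLAN
        if len(present) < self.limits.get(vlan, MAX_NUMBER_DEFAULT):
            present.add(mac)
            return True, False
        if vlan in self._logged:
            return False, False
        self._logged.add(vlan)
        return False, True

    def remove(self, mac: str, vlan: int) -> None:
        """User goes offline. Assumption (not on the page): once the VLAN is
        below its limit again, the next over-limit attempt is logged again."""
        self.admitted.get(vlan, set()).discard(mac)
        self._logged.discard(vlan)


if __name__ == "__main__":
    # Constructed scenario mirroring the page's example: 32 per VLAN on 1, 5, 10-20.
    port = PortVlanMacLimit()
    print(port.set_limit(32, "1 5 10 to 20"), sorted(port.limits))
```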
Examples
# On GigabitEthernet 1/0/1 , configure VLAN 1, VLAN 5, and VLANs 10 through 20 each to allow a maximum of 32 MAC authentication and 802.1X users.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security mac-limit 32 per-vlan 1 5 10 to 20
Related commands
display dot1x
display mac-authentication
port-security mac-move bypass-vlan-check
Use port-security mac-move bypass-vlan-check to enable VLAN check bypass on a port for users moving to it.
Use undo port-security mac-move bypass-vlan-check to disable VLAN check bypass on a port for users moving to it.
Syntax
port-security mac-move bypass-vlan-check
undo port-security mac-move bypass-vlan-check
Default
VLAN check bypass is disabled in port security for users moving to a port. When reauthenticating a user that has moved to the port, the device examines whether the VLAN to which the user belongs is permitted by the port.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Usage guidelines
This command is supported only in Release 6318P01 and later.
Enable VLAN check bypass on a port to skip checking VLAN information in the packets that trigger 802.1X authentication or MAC authentication for users moving to that port.
For a user moving between ports, the port from which the user moves is called the source port and the port to which the user moves is called the destination port.
When you configure VLAN check bypass, follow these guidelines:
·To ensure a successful reauthentication, enable VLAN check bypass on a destination port if the source port is enabled with MAC-based VLAN.
·If the destination port is an 802.1X-enabled trunk port, you must configure it to send 802.1X protocol packets without VLAN tags.
Examples
# Enable VLAN check bypass for users moving to GigabitEthernet 1/0/1 from other ports.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname- GigabitEthernet1/0/1 ] port-security mac-move bypass-vlan-check
Related commands
display port-security
dot1x eapol untag
port-security mac-move permit
port-security mac-move permit
Use port-security mac-move permit to enable MAC move on the device.
Use undo port-security mac-move permit to disable MAC move on the device.
Syntax
port-security mac-move permit
undo port-security mac-move permit
Default
MAC move is disabled on the device.
Views
System view
Predefined user roles
network-admin
Usage guidelines
Port security MAC move takes effect in the following scenarios:
· Inter-port move on a device—An online user authenticated through 802.1X or MAC authentication moves between ports on the device. The user VLAN or authentication method might change or stay unchanged after the move.
· Inter-VLAN move on a port—An online user authenticated through 802.1X or MAC authentication moves between VLANs on a trunk or hybrid port. In addition, the packets that trigger authentication have VLAN tags.
Port security MAC move allows an online user authenticated through 802.1X or MAC authentication on one port or VLAN to be reauthenticated and come online on another port or VLAN without going offline first. After the user passes authentication on the new port or VLAN, the system removes the authentication session of the user on the original port or VLAN.
NOTE: For MAC authentication, the MAC move feature applies only when MAC authentication single-VLAN mode is used. The MAC move feature does not apply to MAC authentication users that move between VLANs on a port with MAC authentication multi-VLAN mode enabled.
If this feature is disabled, 802.1X or MAC authenticated users must go offline first before they can be reauthenticated successfully on a new port or VLAN to come online.
802.1X or MAC authenticated users cannot move between ports on a device or between VLANs on a port if the maximum number of online users on the authentication server has been reached.
Examples
# Enable MAC move.
<Sysname> system-view
[Sysname] port-security mac-move permit
Related commands
display port-security
mac-authentication host-mode multi-vlan
port-security max-mac-count
Use port-security max-mac-count to set the maximum number of secure MAC addresses that port security allows on a port.
Use undo port-security max-mac-count to restore the default.
Syntax
port-security max-mac-count max-count [ vlan [ vlan-id-list ] ]
undo port-security max-mac-count [ vlan [ vlan-id-list ] ]
Default
Port security does not limit the number of secure MAC addresses on a port.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
max-count : Specifies the maximum number of secure MAC addresses that port security allows on the port. The value range is 1 to 2147483647.
vlan [ vlan-id-list ] : Specifies a space-separated list of up to 10 VLAN items. Each VLAN item specifies a VLAN ID or a range of VLAN IDs in the form of start-vlan-id to end-vlan-id . The end VLAN ID cannot be smaller than the start VLAN ID. The value range for VLAN IDs is 1 to 4094. If you do not specify the vlan keyword, this command sets the maximum number of secure MAC addresses that port security allows on the port. If you do not specify the vlan-id-list argument, this command sets the maximum number of secure MAC addresses for each VLAN on the port. This option takes effect only on a port that operates in autoLearn mode.
Usage guidelines
For autoLearn mode, this command sets the maximum number of secure MAC addresses (both configured and automatically learned) on the port.
In any other mode that enables 802.1X, MAC authentication, or both, this command sets the maximum number of authenticated MAC addresses on the port. The actual maximum number of concurrent users that the port accepts equals the smaller of the following values:
·The value set by using this command.
·The maximum number of concurrent users allowed by the authentication mode in use.
For example, in userLoginSecureExt mode, if 802.1X allows more concurrent users than port security's limit on the number of MAC addresses, port security's limit takes effect.
When you configure this command, follow these guidelines and restrictions:
·Make sure the maximum number of secure MAC addresses for a VLAN is not less than the number of MAC addresses currently saved for the VLAN.
·If you execute this command multiple times to set the maximum number of secure MAC addresses for the same VLAN, the most recent configuration takes effect.
·You cannot change port security's limit on the number of MAC addresses when the port is operating in autoLearn mode.
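The vlan-id-list syntax from the Parameters section and the three guidelines above, modelled as an added Python example (this is not H3C code). The per-VLAN saved-MAC counts, the port mode, and the rule that a limit set for a listed VLAN overrides the every-VLAN value are constructed assumptions for the illustration.

```python
"""Model of port-security max-mac-count max-count [ vlan [ vlan-id-list ] ].

Added illustration of the parameter rules and usage guidelines; not H3C code.
"""
from typing import Dict, List, Optional, Set, Tuple

MAX_VLAN_ITEMS = 10                 # a vlan-id-list holds up to 10 VLAN items
VLAN_ID_RANGE = (1, 4094)
MAX_COUNT_RANGE = (1, 2147483647)


def _vlan_id(word: str) -> int:
    if not word.isdigit() or not VLAN_ID_RANGE[0] <= int(word) <= VLAN_ID_RANGE[1]:
        raise ValueError(f"invalid VLAN ID {word!r}; the valid range is 1 to 4094")
    return int(word)


def parse_vlan_id_list(text: str) -> Set[int]:
    """Expand a vlan-id-list such as '1 5 10 to 20' into the set of VLAN IDs."""
    words = text.split()
    items: List[Tuple[int, int]] = []       # (start, end) per VLAN item
    i = 0
    while i < len(words):
        start = _vlan_id(words[i])
        if i + 2 < len(words) and words[i + 1] == "to":
            end = _vlan_id(words[i + 2])
            if end < start:                 # end VLAN ID cannot be smaller than start
                raise ValueError(f"end VLAN {end} is smaller than start VLAN {start}")
            items.append((start, end))
            i += 3
        else:
            items.append((start, start))
            i += 1
    if len(items) > MAX_VLAN_ITEMS:
        raise ValueError(f"{len(items)} VLAN items given; at most {MAX_VLAN_ITEMS} allowed")
    vlans: Set[int] = set()
    for start, end in items:
        vlans.update(range(start, end + 1))
    return vlans


class PortSecurityLimits:
    """Secure MAC address limits of one port, following the usage guidelines."""

    def __init__(self) -> None:
        self.mode = "noRestrictions"                # port security mode of the port
        self.port_max: Optional[int] = None         # None: default, no port-wide limit
        self.every_vlan_max: Optional[int] = None   # 'vlan' given without a vlan-id-list
        self.vlan_max: Dict[int, int] = {}          # limits set for listed VLANs
        self.saved_macs: Dict[int, int] = {}        # constructed: secure MACs saved per VLAN

    def set_max(self, max_count: int, per_vlan: bool = False,
                vlan_list: Optional[str] = None) -> None:
        if not MAX_COUNT_RANGE[0] <= max_count <= MAX_COUNT_RANGE[1]:
            raise ValueError(f"max-count {max_count} is out of range")
        if self.mode == "autoLearn":        # the limit cannot change in autoLearn mode
            raise RuntimeError("port is operating in autoLearn mode")
        if not per_vlan:
            self.port_max = max_count
            return
        targets = parse_vlan_id_list(vlan_list) if vlan_list else set(self.saved_macs)
        for vlan in targets:                # limit must not be below what is already saved
            if self.saved_macs.get(vlan, 0) > max_count:
                raise ValueError(f"VLAN {vlan} already holds {self.saved_macs[vlan]} secure MACs")
        if vlan_list:
            for vlan in targets:            # most recent setting for a VLAN takes effect
                self.vlan_max[vlan] = max_count
        else:
            self.every_vlan_max = max_count

    def limit_for_vlan(self, vlan: int) -> Optional[int]:
        # Assumption: a limit set for a listed VLAN overrides the every-VLAN value.
        # Per the Parameters text, per-VLAN limits take effect only in autoLearn mode.
        return self.vlan_max.get(vlan, self.every_vlan_max)

    def effective_port_limit(self, auth_mode_max: int) -> int:
        """Concurrent users accepted: the smaller of this limit and the auth mode's limit."""
        return auth_mode_max if self.port_max is None else min(self.port_max, auth_mode_max)
```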
Examples
# Set the maximum number of secure MAC addresses port security allows on GigabitEthernet 1/0/1 to 100.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security max-mac-count 100
Related commands
display port-security
port-security nas-id-profile
Use port-security nas-id-profile to apply a NAS-ID profile to global or port-based port security.
Use undo port-security nas-id-profile to restore the default.
Syntax
port-security nas-id-profile profile-name
undo port-security nas-id-profile
Default
No NAS-ID profile is applied to port security globally or on any port.
Views
System view
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
profile-name : Specifies a NAS-ID profile by its name. The argument is a case-insensitive string of 1 to 31 characters.
Usage guidelines
A NAS-ID profile defines NAS-ID and VLAN bindings. You can create a NAS-ID profile by using the aaa nas-id profile command.
The device selects a NAS-ID profile for a port in the following order:
1. The port-specific NAS-ID profile.
2. The NAS-ID profile applied globally.
If no NAS-ID profile is applied or no matching binding is found in the selected profile, the device uses the device name as the NAS-ID.
Examples
# Apply NAS-ID profile aaa to GigabitEthernet 1/0/1 for port security.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security nas-id-profile aaa
# Globally apply NAS-ID profile aaa to port security.
<Sysname> system-view
[Sysname] port-security nas-id-profile aaa
Related commands
aaa nas-id profile
port-security ntk-mode
Use port-security ntk-mode to configure the NTK feature.
Use undo port-security ntk-mode to restore the default.
Syntax
port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkauto | ntkonly }
undo port-security ntk-mode
Default
The NTK feature is not configured on a port and all frames are allowed to be sent.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
ntk-withbroadcasts : Forwards only broadcast and unicast frames with an authenticated destination MAC address.
ntk-withmulticasts : Forwards only broadcast, multicast, and unicast frames with an authenticated destination MAC address.
ntkauto : Forwards only broadcast, multicast, and unicast frames with an authenticated destination MAC address, and only when the port has online users.
ntkonly : Forwards only unicast frames with an authenticated destination MAC address.
Usage guidelines
The NTK feature checks the destination MAC addresses in outbound frames. This feature allows frames to be sent only to devices passing authentication, preventing illegal devices from intercepting network traffic.
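The four NTK modes from the Parameters section and the default, as an added Python model of the outbound check (this is not H3C code). The set of online users is constructed input standing in for the port's 802.1X and MAC authentication sessions; frames are classified by the destination MAC's broadcast value and I/G bit.

```python
"""Need-to-know (NTK) outbound frame check, as described for port-security ntk-mode.

Added illustration; not H3C code.
"""
from typing import Optional, Set

NTK_MODES = ("ntk-withbroadcasts", "ntk-withmulticasts", "ntkauto", "ntkonly")


def parse_mac(mac: str) -> bytes:
    """Accept H-H-H notation (000d-2a10-0033) or colon notation; return the 6 raw bytes."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return raw


def frame_class(dst_mac: str) -> str:
    """Classify an outbound frame by destination MAC: broadcast, multicast or unicast."""
    raw = parse_mac(dst_mac)
    if raw == b"\xff" * 6:
        return "broadcast"
    if raw[0] & 0x01:                   # I/G bit set: group (multicast) address
        return "multicast"
    return "unicast"


class NtkPort:
    def __init__(self, mode: Optional[str] = None) -> None:
        if mode is not None and mode not in NTK_MODES:
            raise ValueError(f"unknown NTK mode {mode!r}")
        self.mode = mode                 # None models the default: NTK not configured
        self.online: Set[bytes] = set()  # constructed: MACs of authenticated online users

    def user_online(self, mac: str) -> None:
        self.online.add(parse_mac(mac))

    def forwards(self, dst_mac: str) -> bool:
        """True if the port would send a frame to dst_mac under the configured NTK mode."""
        if self.mode is None:
            return True                  # default: all frames are allowed to be sent
        if self.mode == "ntkauto" and not self.online:
            return False                 # ntkauto forwards only while users are online
        cls = frame_class(dst_mac)
        if cls == "unicast":             # every mode: authenticated destination only
            return parse_mac(dst_mac) in self.online
        if cls == "broadcast":           # all modes except ntkonly pass broadcasts
            return self.mode != "ntkonly"
        return self.mode in ("ntk-withmulticasts", "ntkauto")   # multicast
```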
Examples
# Set the NTK mode of GigabitEthernet 1/0/1 to ntkonly, allowing the port to forward received packets only to devices passing authentication.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security ntk-mode ntkonly
Related commands
display port-security
port-security oui
Use port-security oui to configure an OUI value for user authentication.
Use undo port-security oui to delete the OUI value with the specified OUI index.
Syntax
port-security oui index index-value mac-address oui-value
undo port-security oui index index-value
Default
No OUI values are configured.
Views
System view
Predefined user roles
network-admin
Parameters
index-value : Specifies the OUI index, in the range of 1 to 16.
oui-value : Specifies an OUI string, a 48-bit MAC address in the H-H-H format. The system uses only the 24 high-order bits as the OUI value.
Usage guidelines
You can configure multiple OUI values.
An OUI, the first 24 binary bits of a MAC address, is assigned by IEEE to uniquely identify a device vendor. Use this command to allow devices of specific vendors to access the network without being authenticated. For example, you can specify the OUIs of IP phones and printers.
The OUI values configured by this command apply only to the ports operating in userLoginWithOUI mode. In userLoginWithOUI mode, a port allows only one 802.1X user and one user whose MAC address matches one of the configured OUI values.
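The OUI table (index 1 to 16, OUI taken from the 24 high-order bits of an H-H-H address) and the one-OUI-user, one-802.1X-user rule of userLoginWithOUI mode, as an added Python model (not H3C code). The dot1x_passed flag stands in for the 802.1X result, and the behaviour when the single OUI slot is already taken is an assumption marked in the code.

```python
"""OUI table for port-security oui and the OUI check of userLoginWithOUI mode.

Added illustration; not H3C code. User MAC addresses in the test are constructed.
"""
from typing import Dict, Optional

OUI_INDEX_RANGE = (1, 16)


def parse_mac(mac: str) -> bytes:
    """Accept H-H-H notation (000d-2a10-0033) or colon notation; return the 6 raw bytes."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return raw


def oui_of(mac: str) -> str:
    """The OUI is the 24 high-order bits, i.e. the first 3 bytes, as 6 hex digits."""
    return parse_mac(mac)[:3].hex()


class OuiTable:
    def __init__(self) -> None:
        self.entries: Dict[int, str] = {}       # index -> OUI (6 hex digits)

    def configure(self, index: int, mac: str) -> str:
        """port-security oui index index-value mac-address oui-value"""
        if not OUI_INDEX_RANGE[0] <= index <= OUI_INDEX_RANGE[1]:
            raise ValueError(f"OUI index {index} is outside the range 1 to 16")
        self.entries[index] = oui_of(mac)       # only the vendor part is kept
        return self.entries[index]

    def undo(self, index: int) -> None:
        """undo port-security oui index index-value"""
        self.entries.pop(index, None)

    def match(self, mac: str) -> Optional[int]:
        """Index of the configured OUI equal to mac's vendor part, or None."""
        oui = oui_of(mac)
        for index, value in sorted(self.entries.items()):
            if value == oui:
                return index
        return None


class UserLoginWithOuiPort:
    """userLoginWithOUI: OUI check first, then 802.1X; one OUI user plus one 802.1X user."""

    def __init__(self, table: OuiTable) -> None:
        self.table = table
        self.oui_user: Optional[bytes] = None
        self.dot1x_user: Optional[bytes] = None

    def admit(self, mac: str, dot1x_passed: bool) -> str:
        """Return which check admits frames from mac: 'oui', '802.1x' or 'denied'.

        dot1x_passed is constructed input standing in for the 802.1X authentication result.
        """
        raw = parse_mac(mac)
        if raw == self.oui_user:
            return "oui"                        # already the port's OUI user
        if raw == self.dot1x_user:
            return "802.1x"                     # already the port's 802.1X user
        if self.table.match(mac) is not None and self.oui_user is None:
            self.oui_user = raw                 # OUI check passed, slot was free
            return "oui"
        # Assumption: a second OUI match, with the single OUI slot taken, is treated
        # like a failed OUI check and falls through to 802.1X authentication.
        if dot1x_passed and self.dot1x_user is None:
            self.dot1x_user = raw
            return "802.1x"
        return "denied"
```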
Examples
# Configure an OUI value of 000d2a, and set the index to 4.
<Sysname> system-view
[Sysname] port-security oui index 4 mac-address 000d-2a10-0033
Related commands
display port-security
port-security port-mode
Use port-security port-mode to set the port security mode of a port.
Use undo port-security port-mode to restore the default.
Syntax
port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }
undo port-security port-mode
Default
A port operates in noRestrictions mode, where port security does not take event.
Views
Layer 2 Ethernet interface view
Predefined user roles
network-admin
Parameters
Keyword | Security mode | Description |
autolearn | autoLearn | A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses. Instead, the MAC addresses are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command. A port in autoLearn mode allows frames sourced from the following MAC addresses to pass: ·Secure MAC addresses. ·MAC addresses configured by using the mac-address dynamic and mac-address static commands. When the number of secure MAC addresses reaches the upper limit set by the port-security max-mac-count command, the port changes to secure mode. |
mac-authentication | macAddressWithRadius | In this mode, a port performs MAC authentication for users and services multiple users. |
mac-else-userlogin-secure | macAddressElseUserLoginSecure | This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority. In this mode, the port allows one 802.1X authentication user and multiple MAC authentication users to log in. ·Upon receiving a non-802.1X frame, a port in this mode performs only MAC authentication. ·Upon receiving an 802.1X frame, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication. |
mac-else-userlogin-secure-ext | macAddressElseUserLoginSecureExt | Same as the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users. |
secure | secure | In this mode, MAC address learning is disabled on the port and you can configure MAC addresses by using the mac-address static and mac-address dynamic commands. The port permits only frames sourced from the following MAC addresses to pass: ·Secure MAC addresses. ·MAC addresses configured by using the mac-address static and mac-address dynamic commands. |
userlogin | userLogin | In this mode, a port performs 802.1X authentication and implements port-based access control. If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication. |
userlogin-secure | userLoginSecure | In this mode, a port performs 802.1X authentication and implements MAC-based access control. The port services only one user passing 802.1X authentication. |
userlogin-secure-ext | userLoginSecureExt | Same as the userLoginSecure mode, except that this mode supports multiple online 802.1X users. |
userlogin-secure-or-mac | macAddressOrUserLoginSecure | This mode is the combination of the userLoginSecure and macAddressWithRadius modes. In this mode, the port allows one 802.1X authentication user and multiple MAC authentication users to log in. In this mode, the port performs 802.1X authentication first. By default, if 802.1X authentication fails, MAC authentication is performed. However, the port in this mode processes authentication differently when the following conditions exist: ·The port is enabled with parallel processing of MAC authentication and 802.1X authentication. ·The port is enabled with the 802.1X unicast trigger. ·The port receives a packet from an unknown MAC address. Under such conditions, the port sends a unicast EAP-Request/Identity packet to the MAC address to initiate 802.1X authentication. After that, the port immediately processes MAC authentication without waiting for the 802.1X authentication result. |
userlogin-secure-or-mac-ext | macAddressOrUserLoginSecureExt | Same as the macAddressOrUserLoginSecure mode, except that a port in this mode supports multiple 802.1X and MAC authentication users. |
userlogin-withoui | userLoginWithOUI | Similar to the userLoginSecure mode. In addition, a port in this mode also permits frames from a user whose MAC address contains a specific OUI. In this mode, the port performs the OUI check first. If the OUI check fails, the port performs 802.1X authentication. The port permits frames that pass the OUI check or 802.1X authentication. |
Usage guidelines
To change the security mode for a port security enabled port, you must set the port in noRestrictions mode first. Do not change the port security mode when the port has online users.
IMPORTANT: If you are configuring the autoLearn mode, first set port security's limit on the number of secure MAC addresses by using the port-security max-mac-count command. You cannot modify the setting when the port is operating in autoLearn mode.
When port security is enabled, you cannot enable 802.1X or MAC authentication, or change the access control mode or port authorization state. Port security automatically modifies these settings in different security modes.
As a best practice, do not enable the mac-else-userlogin-secure or mac-else-userlogin-secure-ext mode on a port where MAC authentication delay is enabled. The two modes are mutually exclusive with the MAC authentication delay feature. For more information about MAC authentication delay, see "MAC authentication commands."
Examples
# Enable port security, and set GigabitEthernet 1/0/1 to operate in secure mode.
<Sysname> system-view
[Sysname] port-security enable
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security port-mode secure
# Change the port security mode of GigabitEthernet 1/0/1 to userLogin.
[Sysname-GigabitEthernet1/0/1] undo port-security port-mode
[Sysname-GigabitEthernet1/0/1] port-security port-mode userlogin
Related commands
display port-security
port-security max-mac-count
port-security timer autolearn aging
Use port-security timer autolearn aging to set the secure MAC aging timer.
Use undo port-security timer autolearn aging to restore the default.
Syntax
port-security timer autolearn aging [ second ] time-value
undo port-security timer autolearn aging
Default
Secure MAC addresses do not age out.
Views
System view
Predefined user roles
network-admin
Parameters
second : Specifies the aging timer in seconds for secure MAC addresses. If you do not specify this keyword, the command sets the aging timer in minutes for secure MAC addresses.
time-value : Specifies the aging timer. The value range is 0 to 129600 if the unit is minute. To disable the aging timer, set the timer to 0. The value range is 10 to 7776000 if the unit is second.
Usage guidelines
The timer applies to all sticky secure MAC addresses and those automatically learned by a port.
The effective aging timer varies by the aging timer setting:
·If the aging timer is set in seconds, the effective aging timer can be either of the following values:
  ○ The nearest multiple of 30 seconds that is not less than the configured aging timer, if the configured timer is 60 seconds or more.
  ○ The configured aging timer if the configured timer is less than 60 seconds.
·If the aging timer is set in minutes, the effective aging timer is the configured aging timer.
A short aging time improves port access security and port resource utilization but affects online user stability. Set an appropriate secure MAC address aging timer according to your device performance and the network environment.
When a short aging time (less than 60 seconds) works with inactivity aging, do not assign a large value to the maximum number of secure MAC addresses on a port. A large value in this case might affect device performance.
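The effective-timer rules above, worked as an added Python model (not H3C code): it parses the command form from the Syntax section, enforces the value ranges from the Parameters section, and returns the timer the device would actually apply, in seconds.

```python
"""Effective secure MAC aging timer for port-security timer autolearn aging.

Added illustration of the rules in the usage guidelines; not H3C code.
"""
import math
from typing import Optional, Tuple

MINUTE_RANGE = (0, 129600)      # 0 disables the timer
SECOND_RANGE = (10, 7776000)
ROUNDING_STEP = 30              # timers of 60 s or more round to a multiple of 30 s


def parse_aging_command(line: str) -> Tuple[str, int]:
    """Parse 'port-security timer autolearn aging [ second ] time-value' into (unit, value)."""
    words = line.split()
    if words[:4] != ["port-security", "timer", "autolearn", "aging"]:
        raise ValueError(f"not an autolearn aging command: {line!r}")
    rest = words[4:]
    unit = "minute"                                   # default unit when 'second' is absent
    if rest and rest[0] == "second":
        unit, rest = "second", rest[1:]
    if len(rest) != 1 or not rest[0].isdigit():
        raise ValueError(f"missing or malformed time-value in {line!r}")
    value = int(rest[0])
    low, high = SECOND_RANGE if unit == "second" else MINUTE_RANGE
    if not low <= value <= high:
        raise ValueError(f"{value} is outside the {unit} range {low} to {high}")
    return unit, value


def effective_aging_seconds(unit: str, value: int) -> Optional[int]:
    """Effective timer in seconds, or None when aging is disabled (0 minutes)."""
    if unit == "minute":
        return None if value == 0 else value * 60     # minutes apply as configured
    if value < 60:
        return value                                  # short timers apply as configured
    # 60 s or more: nearest multiple of 30 s that is not less than the configured value
    return math.ceil(value / ROUNDING_STEP) * ROUNDING_STEP


def effective_from_command(line: str) -> Optional[int]:
    """Validate a command line and return the timer the device would apply, in seconds."""
    return effective_aging_seconds(*parse_aging_command(line))
```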
Examples
# Set the secure MAC aging timer to 30 minutes.
<Sysname> system-view
[Sysname] port-security timer autolearn aging 30
# Set the secure MAC aging timer to 50 seconds.
<Sysname> system-view
[Sysname] port-security timer autolearn aging second 50
Related commands
display port-security
port-security mac-address security
port-security timer disableport
Use port-security timer disableport to set the silence period during which the port remains disabled.
Use undo port-security timer disableport to restore the default.
Syntax
port-security timer disableport time-value
undo port-security timer disableport
Default
The port silence period is 20 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
time-value : Specifies the silence period in seconds during which the port remains disabled. The value is in the range of 20 to 300.
Usage guidelines
If you configure the intrusion protection action as disabling the port temporarily, use this command to set the silence period.
Examples
# Configure the intrusion protection action on GigabitEthernet 1/0/1 as disabling the port temporarily, and set the port silence period to 30 seconds.
<Sysname> system-view
[Sysname] port-security timer disableport 30
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
Related commands
display port-security
port-security intrusion-mode
port-security traffic-statistics enable
Use port-security traffic-statistics enable to enable traffic statistics for 802.1X and MAC authentication users.
Use undo port-security traffic-statistics enable to disable traffic statistics for 802.1X and MAC authentication users.
Syntax
port-security traffic-statistics enable
undo port-security traffic-statistics enable
Default
The device does not collect traffic statistics for 802.1X and MAC authentication users. 802.1X and MAC authentication user statistics collected and sent to the accounting server only include the online duration of the users.
Views
System view
Predefined user roles
network-admin
Usage guidelines
This command is available in Release 6312 and later.
To collect and send traffic statistics of 802.1X and MAC authentication users to the accounting server in addition to their online duration, use this command to enable the traffic statistics feature for 802.1X and MAC authentication users.
This feature takes effect only on users that come online after the feature is enabled.
This feature takes effect on 802.1X and MAC authentication users when port security is enabled, or when 802.1X and MAC authentication are separately enabled on the device.
If a port performs MAC authentication or 802.1X authentication in MAC-based access control mode, this feature collects user traffic statistics on a per-MAC basis on the port.
If a port performs 802.1X authentication in port-based access control mode, this feature collects user traffic statistics on a per-port basis on the port.
With this feature enabled, the device requires more ACL resources for new 802.1X or MAC authentication users. If the device has run out of ACL resources, authentication will fail for new 802.1X or MAC authentication users.
Enable this feature only if traffic accounting is required and only if there are sufficient ACL resources. If the network has a large number of online 802.1X and MAC authentication users when this feature is enabled, ACL resources might become insufficient. This issue causes authentication failure of new 802.1X and MAC authentication users. For more information about 802.1X and MAC authentication, see Security Configuration Guide.
Examples
# Enable traffic statistics for 802.1X and MAC authentication users.
<Sysname> system-view
[Sysname] port-security traffic-statistics enable
snmp-agent trap enable port-security
Use snmp-agent trap enable port-security to enable SNMP notifications for port security.
Use undo snmp-agent trap enable port-security to disable SNMP notifications for port security.
Syntax
snmp-agent trap enable port-security [ address-learned | dot1x-failure | dot1x-logoff | dot1x-logon | intrusion | mac-auth-failure | mac-auth-logoff | mac-auth-logon ] *
undo snmp-agent trap enable port-security [ address-learned | dot1x-failure | dot1x-logoff | dot1x-logon | intrusion | mac-auth-failure | mac-auth-logoff | mac-auth-logon ] *
Default
All port security SNMP notifications are disabled.
Views
System view
Predefined user roles
network-admin
Parameters
address-learned : Specifies notifications about MAC address learning.
dot1x-failure : Specifies notifications about 802.1X authentication failures.
dot1x-logoff : Specifies notifications about 802.1X user logoffs.
dot1x-logon : Specifies notifications about 802.1X authentication successes.
intrusion : Specifies notifications about illegal frame detection.
mac-auth-failure : Specifies notifications about MAC authentication failures.
mac-auth-logoff : Specifies notifications about MAC authentication user logoffs.
mac-auth-logon : Specifies notifications about MAC authentication successes.
Usage guidelines
To report critical port security events to an NMS, enable SNMP notifications for port security. For port security event notifications to be sent correctly, you must also configure SNMP on the device. For more information about SNMP configuration, see Network Management and Monitoring Configuration Guide.
If you do not specify a notification, this command enables all SNMP notifications for port security.
For this command to take effect, make sure the intrusion protection feature is configured.
Examples
# Enable SNMP notifications about MAC address learning.
<Sysname> system-view
[Sysname] snmp-agent trap enable port-security address-learned
Related commands
display port-security
port-security enable
Source: http://www.h3c.com/en/d_202009/1339229_294551_0.htm
Posted by: williamscomentse.blogspot.com