display port-security

Syntax

display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

2: System level

Parameters

interface interface-list: Specifies Ethernet ports by an Ethernet port list in the format of { interface-type interface-number [ to interface-type interface-number ] }&<1-10>, where &<1-10> means that you can specify up to 10 ports or port ranges. The starting port and ending port of a port range must be of the same type, and the ending port number must be greater than the starting port number.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display port-security to display port security configuration information, operation information, and statistics for one or more ports.

If the interface interface-list parameter is not provided, the command displays port security configuration information, operation information, and statistics for all ports.

Related commands: port-security enable, port-security port-mode, port-security ntk-mode, port-security intrusion-mode, port-security max-mac-count, port-security mac-address security, port-security authorization ignore, port-security oui, and port-security trap.

Examples

# Display port security configuration information, operation information, and statistics for all ports.

<Sysname> display port-security
 Equipment port-security is enabled
 AddressLearn trap is enabled
 Intrusion trap is enabled
 Dot1x logon trap is enabled
 Dot1x logoff trap is enabled
 Dot1x logfailure trap is enabled
 RALM logon trap is enabled
 RALM logoff trap is enabled
 RALM logfailure trap is enabled
 AutoLearn aging time is 1 minutes
 Disableport Timeout: 20s
 OUI value:
   Index is 1,  OUI value is 000d1a
   Index is 2,  OUI value is 003c12

 Ethernet1/0/1 is link-down
    Port mode is userLoginWithOUI
    NeedToKnow mode is NeedToKnowOnly
    Intrusion Portection mode is DisablePort
    Max MAC address number is 50
    Stored MAC address number is 0
    Authorization is ignored
    Security MAC address learning mode is sticky
    Security MAC address aging type is absolute
 Ethernet1/0/2 is link-down
    Port mode is noRestriction
    NeedToKnow mode is disabled
    Intrusion mode is NoAction
    Max MAC address number is not configured
    Stored MAC address number is 0
    Authorization is permitted
    Security MAC address learning mode is sticky
    Security MAC address aging type is absolute

Table 22: Command output

Field

Description

Equipment port-security

Whether the port security is enabled or not.

AddressLearn trap

Whether trapping for MAC address learning is enabled or not. If it is enabled, the port sends trap information after it learns a new MAC address.

Intrusion trap

Whether trapping for intrusion protection is enabled or not. If it is enabled, the port sends trap information after it detects illegal packets.

Dot1x logon trap

Whether trapping for 802.1X logon is enabled or not. If it is enabled, the port sends trap information after a user passes 802.1X authentication.

Dot1x logoff trap

Whether trapping for 802.1X logoff is enabled or not. If it is enabled, the port sends trap information after an 802.1X user logs off.

Dot1x logfailure

Whether trapping for 802.1X authentication failure is enabled or not. If it is enabled, the port sends trap information after a user fails 802.1X authentication.

RALM logon trap

Whether trapping for MAC authentication success is enabled or not. If it is enabled, the port sends trap information when a user passes MAC address authentication.

RALM logoff trap

Whether trapping for MAC authenticated user logoff is enabled or not. If it is enabled, traps are sent when a MAC address authenticated user logs off.

RALM logfailure trap

Whether trapping for MAC authentication failure is enabled or not. If it is enabled, the port sends trap information when a user fails MAC address authentication.

AutoLearn aging time

Secure MAC aging timer. The timer applies to sticky or dynamic secure MAC addresses.

Disableport Timeout

Silence timeout period of the port that receives illegal packets, in seconds.

OUI value

List of OUI values allowed.

Port mode

Port security mode:

  • noRestrictions

  • autoLearn

  • macAddressWithRadius

  • macAddressElseUserLoginSecure

  • macAddressElseUserLoginSecureExt

  • secure

  • userLogin

  • userLoginSecure

  • userLoginSecureExt

  • macAddressOrUserLoginSecure

  • macAddressOrUserLoginSecureExt

  • userLoginWithOUI

NeedToKnow mode

Need to know (NTK) mode:

  • NeedToKnowOnly—Allows only unicast packets with authenticated destination MAC addresses.

  • NeedToKnowWithBroadcast—Allows only unicast packets and broadcasts with authenticated destination MAC addresses.

  • NeedToKnowWithMulticast—Allows unicast packets, multicasts and broadcasts with authenticated destination MAC addresses.

Intrusion mode

Intrusion protection action mode:

  • BlockMacAddress—Adds the source MAC address of the illegal packet to the blocked MAC address list.

  • DisablePort—Shuts down the port that receives illegal packets permanently.

  • DisablePortTemporarily—Shuts down the port that receives illegal packets for the period given by Disableport Timeout.

  • NoAction—Performs no intrusion protection.

Max MAC address number

Maximum number of MAC addresses that port security allows on the port.

Stored MAC address number

Number of MAC addresses stored.

Authorization

Whether the authorization information from the server is ignored or not:

  • permitted—Authorization information from the RADIUS server takes effect.

  • ignored—Authorization information from the RADIUS server does not take effect.

Security MAC address learning mode

Secure MAC address learning mode:

  • sticky—Learns MAC addresses as sticky secure MAC addresses.

  • dynamic—Learns MAC addresses as dynamic secure MAC addresses.

Security MAC address aging type

Secure MAC address aging type:

  • absolute—Timer aging

  • inactivity—Inactivity aging
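The output above is easy to read for two ports but tedious to audit across a stack of switches. The following script is an added example, not part of the command reference and not vendor code: it parses the text of display port-security into per-port attribute dictionaries and flags the settings the table describes as leaving a port unprotected (port mode noRestriction, intrusion mode NoAction, no Max MAC address number, NTK disabled). The embedded sample is the example output from this page with the global trap lines abridged; the parser assumes the "<field> is <value>" / "<field>: <value>" line format shown there and treats both spellings of the intrusion field ("Intrusion Portection mode" and "Intrusion mode") as the same attribute.

```python
"""Parse 'display port-security' output and flag weakly protected ports.

Added example; assumes the line format shown in the command reference.
"""
import re

# Constructed sample: the reference's example output, global section abridged.
SAMPLE_OUTPUT = """\
 Equipment port-security is enabled
 Intrusion trap is enabled
 AutoLearn aging time is 1 minutes
 Disableport Timeout: 20s
 OUI value:
   Index is 1,  OUI value is 000d1a
   Index is 2,  OUI value is 003c12

 Ethernet1/0/1 is link-down
    Port mode is userLoginWithOUI
    NeedToKnow mode is NeedToKnowOnly
    Intrusion Portection mode is DisablePort
    Max MAC address number is 50
    Stored MAC address number is 0
    Authorization is ignored
    Security MAC address learning mode is sticky
    Security MAC address aging type is absolute
 Ethernet1/0/2 is link-down
    Port mode is noRestriction
    NeedToKnow mode is disabled
    Intrusion mode is NoAction
    Max MAC address number is not configured
    Stored MAC address number is 0
    Authorization is permitted
    Security MAC address learning mode is sticky
    Security MAC address aging type is absolute
"""

# Short keys for the per-port fields; unlisted labels keep their original text.
FIELD_KEYS = {
    "Port mode": "port_mode",
    "NeedToKnow mode": "ntk_mode",
    "Max MAC address number": "max_mac",
    "Stored MAC address number": "stored_mac",
    "Authorization": "authorization",
    "Security MAC address learning mode": "learning_mode",
    "Security MAC address aging type": "aging_type",
}

PORT_RE = re.compile(r"^\s*(\S+) is (link-up|link-down)\s*$")
OUI_RE = re.compile(r"^\s*Index is (\d+),\s+OUI value is ([0-9A-Fa-f]{6})\s*$")
IS_RE = re.compile(r"^\s*(.+?) is (.+?)\s*$")
COLON_RE = re.compile(r"^\s*(.+?):\s*(.*?)\s*$")


def normalize_key(label):
    # 'Intrusion Portection mode' and 'Intrusion mode' name the same field.
    if label.startswith("Intrusion") and label.endswith("mode"):
        return "intrusion_mode"
    return FIELD_KEYS.get(label, label)


def parse_port_security(text):
    """Return (global_settings, ports); ports maps port name -> attribute dict."""
    global_settings = {"oui": []}
    ports = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PORT_RE.match(line)
        if m:  # "Ethernet1/0/1 is link-down" starts a new port block
            current = m.group(1)
            ports[current] = {"link": m.group(2)}
            continue
        m = OUI_RE.match(line)
        if m:  # OUI list entries are indexed lines under "OUI value:"
            global_settings["oui"].append(m.group(2).lower())
            continue
        target = ports[current] if current else global_settings
        m = IS_RE.match(line)
        if m:  # "<field> is <value>"
            target[normalize_key(m.group(1))] = m.group(2)
            continue
        m = COLON_RE.match(line)
        if m and m.group(2):  # "<field>: <value>", e.g. Disableport Timeout
            target[normalize_key(m.group(1))] = m.group(2)
    return global_settings, ports


def audit(global_settings, ports):
    """Return (scope, finding) pairs for settings that leave a port unprotected."""
    findings = []
    if global_settings.get("Equipment port-security") != "enabled":
        findings.append(("global", "port security is disabled"))
    for name, p in ports.items():
        if p.get("port_mode") == "noRestriction":
            findings.append((name, "port mode noRestriction: no port security applied"))
        if p.get("intrusion_mode") == "NoAction":
            findings.append((name, "intrusion protection is NoAction"))
        if p.get("max_mac") == "not configured":
            findings.append((name, "no Max MAC address number configured"))
        if p.get("ntk_mode") == "disabled":
            findings.append((name, "NTK disabled: no destination MAC filtering"))
    return findings


if __name__ == "__main__":
    g, p = parse_port_security(SAMPLE_OUTPUT)
    for scope, finding in audit(g, p):
        print(f"{scope}: {finding}")
```

On the sample, Ethernet1/0/1 produces no findings and Ethernet1/0/2 produces four, one per weak setting. To run it against real devices, replace SAMPLE_OUTPUT with the captured text of display port-security from each switch; only the regular expressions need adjusting if a firmware version labels a field differently.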