autoLearn configuration example

Network requirements

As shown in Figure 69, configure port GigabitEthernet 1/0/1 on the device to meet the following requirements:

Figure 69: Network diagram

Configuration procedure

# Enable port security.

<Device> system-view
[Device] port-security enable

# Set the secure MAC aging timer to 30 minutes.

[Device] port-security timer autolearn aging 30

# Set port security's limit on the number of secure MAC addresses to 64 on port GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] port-security max-mac-count 64

# Set the port security mode to autoLearn.

[Device-GigabitEthernet1/0/1] port-security port-mode autolearn

# Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.

[Device-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
[Device-GigabitEthernet1/0/1] quit
[Device] port-security timer disableport 30

Verifying the configuration

# Verify the port security configuration.

[Device] display port-security interface gigabitethernet 1/0/1
Port security parameters:
   Port security          : Enabled
   AutoLearn aging time   : 30 min
   Disableport timeout    : 30 s
   MAC move               : Denied
   Authorization fail     : Online
   NAS-ID profile is not configured
   Dot1x-failure trap     : Disabled
   Dot1x-logon trap       : Disabled
   Dot1x-logoff trap      : Enabled
   Intrusion trap         : Disabled
   Address-learned trap   : Enabled
   Mac-auth-failure trap  : Disabled
   Mac-auth-logon trap    : Enabled
   Mac-auth-logoff trap   : Disabled
   OUI value list         :

 GigabitEthernet1/0/1 is link-up
   Port mode                      : autoLearn
   NeedToKnow mode                : Disabled
   Intrusion protection mode      : DisablePortTemporarily
   Security MAC address attribute
       Learning mode              : Sticky
       Aging type                 : Periodical
   Max secure MAC addresses       : 64
   Current secure MAC addresses   : 5
   Authorization                  : Permitted
   NAS-ID profile is not configured

The output shows that port security is enabled and that the port is in autoLearn mode with a limit of 64 secure MAC addresses. The port is still allowed to learn MAC addresses, and the number of addresses learned so far is shown in the Current secure MAC addresses field (5 in this example).
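As an added example (not part of the original configuration guide), the following Python check parses the display port-security output shown above and compares it with the intended settings, so the verification step can be scripted instead of read by eye. The sample text is a constructed, shortened copy of that output; the regular expression, the field names used as keys, and the baseline dictionary are assumptions of this example.

```python
"""Parse 'display port-security interface' output and check it against a baseline."""
import re

# Constructed sample: an abbreviated copy of the verification output above.
SAMPLE_OUTPUT = """\
Port security parameters:
   Port security          : Enabled
   AutoLearn aging time   : 30 min
   Disableport timeout    : 30 s
   MAC move               : Denied

 GigabitEthernet1/0/1 is link-up
   Port mode                      : autoLearn
   Intrusion protection mode      : DisablePortTemporarily
   Max secure MAC addresses       : 64
   Current secure MAC addresses   : 5
"""

# Matches 'key : value' lines; the lazy key group stops at the padding before the colon.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 -]*?)\s*:\s*(?P<value>.*?)\s*$")

# Intended settings from the configuration procedure (assumed baseline for this example).
EXPECTED = {
    "Port security": "Enabled",
    "Port mode": "autoLearn",
    "Max secure MAC addresses": "64",
    "AutoLearn aging time": "30 min",
    "Disableport timeout": "30 s",
    "Intrusion protection mode": "DisablePortTemporarily",
}

def parse_port_security(text):
    """Return a dict of field name -> value for every 'key : value' line."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group("value"):  # skips section headers such as 'Port security parameters:'
            fields[m.group("key")] = m.group("value")
    return fields

def check_baseline(fields, expected):
    """Return a list of (field, expected, actual) mismatches; an empty list means compliant."""
    return [(k, v, fields.get(k)) for k, v in expected.items() if fields.get(k) != v]

def utilisation(fields):
    """Fraction of the secure-MAC limit in use; a value near 1.0 means the port is about
    to reach the limit and switch from autoLearn to secure mode."""
    return int(fields["Current secure MAC addresses"]) / int(fields["Max secure MAC addresses"])
```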

# Display additional information about the learned MAC addresses.

[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] display this
#
interface GigabitEthernet1/0/1
 port-security max-mac-count 64
 port-security port-mode autolearn
 port-security mac-address security sticky 0002-0000-0015 vlan 1
 port-security mac-address security sticky 0002-0000-0014 vlan 1
 port-security mac-address security sticky 0002-0000-0013 vlan 1
 port-security mac-address security sticky 0002-0000-0012 vlan 1
 port-security mac-address security sticky 0002-0000-0011 vlan 1
#
[Device-GigabitEthernet1/0/1] quit

# Verify that the port security mode changes to secure after the number of MAC addresses learned by the port reaches 64.

[Device] display port-security interface gigabitethernet 1/0/1

# Verify that the port will be disabled for 30 seconds after it receives a frame with an unknown MAC address. (Details not shown.)

# After the port is re-enabled, delete several secure MAC addresses.

[Device] undo port-security mac-address security sticky 0002-0000-0015 vlan 1
[Device] undo port-security mac-address security sticky 0002-0000-0014 vlan 1

# Verify that the port security mode of the port changes to autoLearn, and the port can learn MAC addresses again. (Details not shown.)