Example: Configuring port security in autoLearn mode

Network configuration

As shown in Figure 94, configure HundredGigE 1/0/1 on the device to meet the following requirements:

Figure 94: Network diagram

Procedure

# Enable port security.

<Device> system-view
[Device] port-security enable

# Set the secure MAC aging timer to 30 minutes.

[Device] port-security timer autolearn aging 30

# Set port security's limit on the number of secure MAC addresses to 64 on HundredGigE 1/0/1.

[Device] interface hundredgige 1/0/1
[Device-HundredGigE1/0/1] port-security max-mac-count 64

# Set the port security mode to autoLearn.

[Device-HundredGigE1/0/1] port-security port-mode autolearn

# Configure the port to be silent for 30 seconds after the intrusion protection feature is triggered.

[Device-HundredGigE1/0/1] port-security intrusion-mode disableport-temporarily
[Device-HundredGigE1/0/1] quit
[Device] port-security timer disableport 30

Verifying the configuration

# Verify the port security configuration.

[Device] display port-security interface hundredgige 1/0/1
Global port security parameters:
   Port security          : Enabled
   AutoLearn aging time   : 30 min
   Disableport timeout    : 30 s
   MAC move               : Denied
   Authorization fail     : Online
   NAS-ID profile         : Not configured
   Dot1x-failure trap     : Disabled
   Dot1x-logon trap       : Disabled
   Dot1x-logoff trap      : Disabled
   Intrusion trap         : Disabled
   Address-learned trap   : Disabled
   Mac-auth-failure trap  : Disabled
   Mac-auth-logon trap    : Disabled
   Mac-auth-logoff trap   : Disabled
   Open authentication    : Disabled
   OUI value list         :
    Index :  1           Value : 123401

 HundredGigE1/0/1 is link-up
   Port mode                      : autoLearn
   NeedToKnow mode                : Disabled
   Intrusion protection mode      : DisablePortTemporarily
   Security MAC address attribute
       Learning mode              : Sticky
       Aging type                 : Periodical
   Max secure MAC addresses       : 64
   Current secure MAC addresses   : 0
   Authorization                  : Permitted
   NAS-ID profile                 : Not configured
   Free VLANs                     : Not configured
   Open authentication            : Disabled

The port allows for MAC address learning, and you can view the number of learned MAC addresses in the Current secure MAC addresses field.

# Display additional information about the learned MAC addresses.

[Device] interface hundredgige 1/0/1
[Device-HundredGigE1/0/1] display this
#
interface HundredGigE1/0/1
 port-security max-mac-count 64
 port-security port-mode autolearn
 port-security mac-address security sticky 0002-0000-0015 vlan 1
 port-security mac-address security sticky 0002-0000-0014 vlan 1
 port-security mac-address security sticky 0002-0000-0013 vlan 1
 port-security mac-address security sticky 0002-0000-0012 vlan 1
 port-security mac-address security sticky 0002-0000-0011 vlan 1
#
[Device-HundredGigE1/0/1] quit
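The two outputs above (the `display port-security interface` summary and the `display this` listing of sticky entries) are what an operator compares by eye. The following Python script is an added example, not part of the original document or of the vendor's software: it parses both outputs, cross-checks them, and reports inconsistencies a verification step should catch (limit not at the intended value, sticky entries in the running configuration disagreeing with the reported count, port mode not matching what the count implies, intrusion protection not set to disableport-temporarily). The sample text is constructed from the page's outputs, merged into one point in time with five sticky entries learned, so the current count is set to 5 rather than the 0 shown in the first display. The assumption that the mode string reads `secure` once the limit is reached is taken from the page's prose, not from observed output.

```python
"""Audit Comware port-security state from CLI output (added example, not vendor code)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the page's two outputs merged into one snapshot
# (five sticky entries learned, so the reported count is 5, not 0).
DISPLAY_PORT_SECURITY = """\
Global port security parameters:
   Port security          : Enabled
   AutoLearn aging time   : 30 min
   Disableport timeout    : 30 s
   MAC move               : Denied

 HundredGigE1/0/1 is link-up
   Port mode                      : autoLearn
   NeedToKnow mode                : Disabled
   Intrusion protection mode      : DisablePortTemporarily
   Security MAC address attribute
       Learning mode              : Sticky
       Aging type                 : Periodical
   Max secure MAC addresses       : 64
   Current secure MAC addresses   : 5
   Authorization                  : Permitted
"""

DISPLAY_THIS = """\
#
interface HundredGigE1/0/1
 port-security max-mac-count 64
 port-security port-mode autolearn
 port-security mac-address security sticky 0002-0000-0015 vlan 1
 port-security mac-address security sticky 0002-0000-0014 vlan 1
 port-security mac-address security sticky 0002-0000-0013 vlan 1
 port-security mac-address security sticky 0002-0000-0012 vlan 1
 port-security mac-address security sticky 0002-0000-0011 vlan 1
#
"""

KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 -]*?)\s*:\s*(.*?)\s*$")
STICKY_RE = re.compile(r"^\s*port-security mac-address security sticky (\S+) vlan (\d+)\s*$")
MAX_RE = re.compile(r"^\s*port-security max-mac-count (\d+)\s*$")


def parse_display(text: str) -> Dict[str, str]:
    """Turn 'Key : Value' lines into a dict; lines without a colon are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_running_config(text: str) -> Tuple[Optional[int], List[Tuple[str, int]]]:
    """Return (max-mac-count, [(mac, vlan), ...]) from a 'display this' listing."""
    max_count: Optional[int] = None
    sticky: List[Tuple[str, int]] = []
    for line in text.splitlines():
        m = MAX_RE.match(line)
        if m:
            max_count = int(m.group(1))
            continue
        m = STICKY_RE.match(line)
        if m:
            sticky.append((m.group(1), int(m.group(2))))
    return max_count, sticky


def expected_mode(current: int, maximum: int) -> str:
    """autoLearn below the limit, secure once it is reached (the transition the page describes)."""
    return "secure" if current >= maximum else "autoLearn"


def audit(display_text: str, config_text: str, intended_max: int = 64) -> List[str]:
    """Cross-check both outputs; an empty list means the port state is consistent."""
    fields = parse_display(display_text)
    cfg_max, sticky = parse_running_config(config_text)
    findings: List[str] = []
    if fields.get("Port security") != "Enabled":
        findings.append("port security is not enabled globally")
    reported_max = int(fields.get("Max secure MAC addresses", "0"))
    current = int(fields.get("Current secure MAC addresses", "0"))
    if reported_max != intended_max or cfg_max != intended_max:
        findings.append(f"limit mismatch: display={reported_max} config={cfg_max} intended={intended_max}")
    if len(sticky) != current:
        findings.append(f"{len(sticky)} sticky entries in config but {current} reported as current")
    mode = fields.get("Port mode", "")
    want = expected_mode(current, reported_max)
    if mode.lower() != want.lower():  # case-insensitive: exact casing of 'secure' is assumed
        findings.append(f"port mode {mode!r} but count {current}/{reported_max} implies {want!r}")
    if fields.get("Intrusion protection mode") != "DisablePortTemporarily":
        findings.append("intrusion protection is not disableport-temporarily")
    return findings


if __name__ == "__main__":
    for finding in audit(DISPLAY_PORT_SECURITY, DISPLAY_THIS) or ["port-security state is consistent"]:
        print(finding)
```

In practice the two strings would be replaced by text captured from the device (for example over SSH); the checks stay the same. The count-versus-mode check is the one that matters operationally: a port still reporting autoLearn at its limit, or reporting secure with spare capacity, means the display and the running configuration were captured at different moments or the port was disabled and re-enabled in between.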

# Verify that the port security mode changes to secure after the number of MAC addresses learned by the port reaches 64.

[Device] display port-security interface hundredgige 1/0/1

# Verify that the port will be disabled for 30 seconds after it receives a frame with an unknown MAC address. (Details not shown.)

# After the port is re-enabled, delete several secure MAC addresses.

[Device] undo port-security mac-address security sticky 0002-0000-0015 vlan 1
[Device] undo port-security mac-address security sticky 0002-0000-0014 vlan 1
…

# Verify that the port security mode of the port changes to autoLearn, and the port can learn MAC addresses again. (Details not shown.)