display port-security

Use display port-security to display port security configuration, operation information, and statistics for ports.

Syntax

display port-security [ interface interface-type interface-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

interface interface-type interface-number: Specifies a port by its type and number. If you do not specify a port, this command displays port security information for all ports.

Examples

# Display port security information for all ports.

<Sysname> display port-security
Global port security parameters:
   Port security          : Enabled
   AutoLearn aging time   : 0 min
   Disableport timeout    : 20 s
   MAC move               : Denied
   Authorization fail     : Online
   NAS-ID profile         : Not configured
   Dot1x-failure trap     : Disabled
   Dot1x-logon trap       : Disabled
   Dot1x-logoff trap      : Enabled
   Intrusion trap         : Disabled
   Address-learned trap   : Enabled
   Mac-auth-failure trap  : Disabled
   Mac-auth-logon trap    : Enabled
   Mac-auth-logoff trap   : Disabled
   OUI value list         :
    Index :  1           Value : 123401

 Ten-GigabitEthernet1/0/1 is link-up
   Port mode                      : userLogin
   NeedToKnow mode                : Disabled
   Intrusion protection mode      : NoAction
   Security MAC address attribute
       Learning mode              : Sticky
       Aging type                 : Periodical
   Max secure MAC addresses       : 32
   Current secure MAC addresses   : 0
   Authorization                  : Permitted
   NAS-ID profile                 : Not configured

Table 30: Command output

Field

Description

Port security

Whether the port security feature is enabled.

AutoLearn aging time

Sticky MAC address aging timer, in minutes.

Disableport timeout

Silence period (in seconds) of the port that receives illegal packets.

MAC move

Status of MAC move:

  • If the feature is enabled, this field displays Permitted.

  • If the feature is disabled, this field displays Denied.

Authorization fail

Action to be taken for users who fail authorization:

  • Online—Allows the users to go online.

  • Offline—Logs off the users.

NAS-ID profile

NAS-ID profile applied globally.

Dot1x-failure trap

Whether SNMP notifications for 802.1X authentication failures are enabled.

Dot1x-logon trap

Whether SNMP notifications for 802.1X authentication successes are enabled.

Dot1x-logoff trap

Whether SNMP notifications for 802.1X authenticated user logoffs are enabled.

Intrusion trap

Whether SNMP notifications for intrusion protection are enabled. If they are enabled, the device sends SNMP notifications after illegal packets are detected.

Address-learned trap

Whether SNMP notifications for MAC address learning are enabled. If they are enabled, the device sends SNMP notifications after it learns a new MAC address.

Mac-auth-failure trap

Whether SNMP notifications for MAC authentication failures are enabled.

Mac-auth-logon trap

Whether SNMP notifications for MAC authentication successes are enabled.

Mac-auth-logoff trap

Whether SNMP notifications for MAC authentication user logoffs are enabled.

OUI value list

List of OUI values allowed for authentication.

Port mode

Port security mode:

  • noRestrictions.

  • autoLearn.

  • macAddressWithRadius.

  • macAddressElseUserLoginSecure.

  • macAddressElseUserLoginSecureExt.

  • secure.

  • userLogin.

  • userLoginSecure.

  • userLoginSecureExt.

  • macAddressOrUserLoginSecure.

  • macAddressOrUserLoginSecureExt.

  • userLoginWithOUI.

For more information about port security modes, see Security Configuration Guide.

NeedToKnow mode

Need to know (NTK) mode:

  • NeedToKnowOnly—Allows only unicast packets with authenticated destination MAC addresses.

  • NeedToKnowWithBroadcast—Allows only unicast packets and broadcasts with authenticated destination MAC addresses.

  • NeedToKnowWithMulticast—Allows unicast packets, multicasts, and broadcasts with authenticated destination MAC addresses.

  • Disabled—NTK is disabled.

Intrusion protection mode

Intrusion protection action:

  • BlockMacAddress—Adds the source MAC address of the illegal packet to the blocked MAC address list.

  • DisablePort—Permanently shuts down the port that receives illegal packets.

  • DisablePortTemporarily—Shuts down the port that receives illegal packets for some time.

  • NoAction—Does not perform intrusion protection.

Learning mode

Secure MAC address learning mode:

  • Dynamic.

  • Sticky.

Aging type

Secure MAC address aging type:

  • Periodical—Timer aging only.

  • Inactivity—Inactivity aging feature together with the aging timer.

Max secure MAC addresses

Maximum number of secure MAC addresses (or online users) that port security allows on the port.

Current secure MAC addresses

Number of secure MAC addresses stored.

Authorization

Whether the authorization information from the authentication server (RADIUS server or local device) is ignored:

  • Permitted—Authorization information from the authentication server takes effect.

  • Ignored—Authorization information from the authentication server does not take effect.

NAS-ID profile

NAS-ID profile applied to the port.
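
The following added example (not part of the vendor documentation) parses saved display port-security output into global and per-port fields and lists settings that a configuration review may want surfaced. The function names, the sample text, and the audit policy (which values count as findings) are assumptions made for illustration.

```python
import re

# Constructed sample, trimmed to the shape of the example output on this page.
SAMPLE = """\
Global port security parameters:
   Port security          : Enabled
   Intrusion trap         : Disabled
   OUI value list         :
    Index :  1           Value : 123401

 Ten-GigabitEthernet1/0/1 is link-up
   Port mode                      : userLogin
   Intrusion protection mode      : NoAction
   Security MAC address attribute
       Learning mode              : Sticky
   Max secure MAC addresses       : 32
   Current secure MAC addresses   : 0
"""

PORT_HDR = re.compile(r"^\s*(\S+) is (\S+)\s*$")          # "<interface> is link-up"
OUI = re.compile(r"Index\s*:\s*(\d+)\s+Value\s*:\s*(\S+)")  # two key/value pairs on one line
FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(\S.*?)\s*$")      # "Name : value", value non-empty

def parse(text):
    """Return (global_fields, {port: fields}) from display port-security output."""
    glob, ports = {"OUI": {}}, {}
    cur = glob  # fields belong to the global block until the first port header
    for line in text.splitlines():
        if m := PORT_HDR.match(line):
            cur = ports.setdefault(m.group(1), {"link": m.group(2)})
        elif m := OUI.search(line):
            glob["OUI"][int(m.group(1))] = m.group(2)
        elif m := FIELD.match(line):
            cur[m.group(1)] = m.group(2)
    return glob, ports

# Assumed audit policy (not from the vendor page): values a reviewer may want surfaced.
WEAK_GLOBAL = {"Port security": "Disabled", "Intrusion trap": "Disabled"}
WEAK_PORT = {"Port mode": "noRestrictions", "Intrusion protection mode": "NoAction"}

def audit(text):
    """List (scope, field, value) for each setting matching the assumed policy."""
    glob, ports = parse(text)
    out = [("global", k, v) for k, v in WEAK_GLOBAL.items() if glob.get(k) == v]
    for name, f in ports.items():
        out += [(name, k, v) for k, v in WEAK_PORT.items() if f.get(k) == v]
        cur = f.get("Current secure MAC addresses", "")
        cap = f.get("Max secure MAC addresses", "")
        if cur.isdigit() and cap.isdigit() and int(cur) >= int(cap):
            out.append((name, "Current secure MAC addresses", cur))  # port at capacity
    return out
```

Header lines whose value is empty, such as "OUI value list :", and lines without a colon, such as "Security MAC address attribute", are skipped by the parser.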