Port security modes
Port security supports the following categories of security modes:
MAC learning control—Includes two modes, autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode.
Authentication—Security modes in this category implement MAC authentication, 802.1X authentication, or a combination of these two authentication methods.
Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode. If the frame is illegal, the port takes the pre-defined NTK, intrusion protection, or trapping action.
The maximum number of users a port supports equals the maximum number of MAC addresses that port security allows or the maximum number of concurrent users the authentication mode in use allows, whichever is smaller. For example, if 802.1X allows more concurrent users than port security's limit on the number of MAC addresses on the port in userLoginSecureExt mode, port security's limit takes effect.
Table 13 describes the port security modes and the security features.
Table 13: Port security modes
Purpose | Security mode | Features that can be triggered
---|---|---
Turning off the port security feature | noRestrictions (the default mode). In this mode, port security is disabled on the port and access to the port is not restricted. | N/A
Controlling MAC address learning | autoLearn | NTK/intrusion protection
Controlling MAC address learning | secure | NTK/intrusion protection
Performing 802.1X authentication | userLogin | N/A
Performing 802.1X authentication | userLoginSecure | NTK/intrusion protection
Performing 802.1X authentication | userLoginSecureExt | NTK/intrusion protection
Performing 802.1X authentication | userLoginWithOUI | NTK/intrusion protection
Performing MAC authentication | macAddressWithRadius | NTK/intrusion protection
Performing a combination of MAC authentication and 802.1X authentication (Or) | macAddressOrUserLoginSecure | NTK/intrusion protection
Performing a combination of MAC authentication and 802.1X authentication (Or) | macAddressOrUserLoginSecureExt | NTK/intrusion protection
Performing a combination of MAC authentication and 802.1X authentication (Else) | macAddressElseUserLoginSecure | NTK/intrusion protection
Performing a combination of MAC authentication and 802.1X authentication (Else) | macAddressElseUserLoginSecureExt | NTK/intrusion protection
Controlling MAC address learning
autoLearn
A port in this mode can learn MAC addresses, and allows frames from learned or configured MAC addresses to pass. The automatically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command. A secure MAC address never ages out by default.
When the number of secure MAC addresses reaches the upper limit, the port transitions to secure mode.
The dynamic MAC address learning function in MAC address management is disabled on ports operating in autoLearn mode, but you can configure MAC addresses by using the mac-address dynamic and mac-address static commands.
secure
MAC address learning is disabled on a port in secure mode. You configure MAC addresses by using the mac-address static and mac-address dynamic commands. For more information about configuring MAC address table entries, see Layer 2—LAN Switching Configuration Guide.
A port in secure mode allows only frames sourced from secure MAC addresses and manually configured MAC addresses to pass.
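The frame-handling rule described above (look the source MAC address up, forward or learn, otherwise take the intrusion action) and the autoLearn-to-secure transition at the secure-MAC limit can be modelled in a few lines. The following Python is an added illustrative simulation, not Comware code or any part of the product; the class names, the `effective_user_limit` helper and the sample MAC addresses are all constructed for this example.

```python
from enum import Enum


class Mode(Enum):
    AUTO_LEARN = "autoLearn"
    SECURE = "secure"


class Action(Enum):
    FORWARD = "forward"                   # source MAC already secure or configured
    LEARN_AND_FORWARD = "learn+forward"   # autoLearn: learn as a secure MAC, then forward
    INTRUSION = "intrusion-protection"    # illegal frame: pre-defined NTK/intrusion/trap action


def effective_user_limit(port_security_max, auth_mode_max):
    """The port supports the smaller of port security's MAC limit and the
    authentication mode's concurrent-user limit (hypothetical helper)."""
    return min(port_security_max, auth_mode_max)


class PortSecurity:
    """Simplified model of one port in autoLearn mode with a secure-MAC limit."""

    def __init__(self, max_secure_macs, static_macs=()):
        self.max_secure_macs = max_secure_macs
        self.mode = Mode.AUTO_LEARN
        # Learned MACs and those added with 'port-security mac-address security'.
        self.secure_macs = set()
        # Entries added with 'mac-address static' / 'mac-address dynamic'.
        self.static_macs = {m.lower() for m in static_macs}
        self.intrusion_events = []        # MACs that triggered the intrusion action

    def add_secure_mac(self, mac):
        """Manually configured secure MAC; it counts toward the limit."""
        self.secure_macs.add(mac.lower())
        self._check_limit()

    def _check_limit(self):
        # Reaching the upper limit moves the port to secure mode.
        if len(self.secure_macs) >= self.max_secure_macs:
            self.mode = Mode.SECURE

    def receive(self, src_mac):
        mac = src_mac.lower()
        if mac in self.secure_macs or mac in self.static_macs:
            return Action.FORWARD
        if self.mode is Mode.AUTO_LEARN:
            self.secure_macs.add(mac)
            self._check_limit()
            return Action.LEARN_AND_FORWARD
        # secure mode and unknown source MAC: the frame is illegal.
        self.intrusion_events.append(mac)
        return Action.INTRUSION


def simulate(frames, max_secure_macs=2, static_macs=()):
    """Feed a sequence of source MACs through one port; return (mac, action, mode) per frame."""
    port = PortSecurity(max_secure_macs, static_macs)
    return [(mac, port.receive(mac).value, port.mode.value) for mac in frames]


if __name__ == "__main__":
    # Constructed sample traffic: two hosts are learned, a third arrives after the limit.
    for row in simulate(["0001-0001-0001", "0002-0002-0002",
                         "0001-0001-0001", "0003-0003-0003"]):
        print(row)
```

Running the sample shows the second host's frame being learned and the port moving to secure mode in the same step, after which the third host's frame is reported as an intrusion while the known hosts keep forwarding; `effective_user_limit(8, 256)` returns 8, matching the "whichever is smaller" rule for userLoginSecureExt.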
Performing 802.1X authentication
userLogin
A port in this mode performs 802.1X authentication and implements port-based access control. The port can service multiple 802.1X users. If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication.
userLoginSecure
A port in this mode performs 802.1X authentication and implements MAC-based access control. The port services only one user passing 802.1X authentication.
userLoginSecureExt
This mode is similar to the userLoginSecure mode except that this mode supports multiple online 802.1X users.
userLoginWithOUI
This mode is similar to the userLoginSecure mode. The difference is that a port in this mode also permits frames from one user whose MAC address contains a specific organizationally unique identifier (OUI).
For wired users, the port performs 802.1X authentication upon receiving 802.1X frames, and performs OUI check upon receiving non-802.1X frames.
Performing MAC authentication
macAddressWithRadius
A port in this mode performs MAC authentication and services multiple users.
Performing a combination of MAC authentication and 802.1X authentication
macAddressOrUserLoginSecure
This mode is the combination of the macAddressWithRadius and userLoginSecure modes.
For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames.
macAddressOrUserLoginSecureExt
This mode is similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.
macAddressElseUserLoginSecure
This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies.
For wired users, the port performs MAC authentication upon receiving non-802.1X frames. Upon receiving 802.1X frames, the port performs MAC authentication first and then, only if MAC authentication fails, 802.1X authentication.
macAddressElseUserLoginSecureExt
This mode is similar to the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users as the keyword Ext implies.
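The difference between the Or and Else combinations is in which method a wired user's frame is offered and whether a fallback exists. The following Python is an added illustration of the dispatch rules stated above for the four combined modes, not code from Comware; the function name and the pass/fail inputs (standing in for the authentication server's answer) are constructed for the example.

```python
OR_MODES = {"macAddressOrUserLoginSecure", "macAddressOrUserLoginSecureExt"}
ELSE_MODES = {"macAddressElseUserLoginSecure", "macAddressElseUserLoginSecureExt"}


def authenticate(mode, is_dot1x_frame, mac_auth_ok, dot1x_ok):
    """Return (methods attempted in order, final result) for one wired user.

    mac_auth_ok / dot1x_ok are constructed outcomes standing in for what the
    authentication server would return for this user.
    """
    if mode in OR_MODES:
        # Or: the frame type alone selects the method; there is no fallback.
        if is_dot1x_frame:
            return ["802.1X"], dot1x_ok
        return ["MAC"], mac_auth_ok
    if mode in ELSE_MODES:
        # Else: MAC authentication first; 802.1X is tried only after a MAC
        # authentication failure, and only for 802.1X frames.
        if mac_auth_ok:
            return ["MAC"], True
        if is_dot1x_frame:
            return ["MAC", "802.1X"], dot1x_ok
        return ["MAC"], False
    raise ValueError(f"not a combined MAC/802.1X mode: {mode}")


if __name__ == "__main__":
    # A supplicant whose MAC is not in the MAC authentication database but
    # whose 802.1X credentials are valid, in each combined mode.
    for mode in sorted(OR_MODES | ELSE_MODES):
        print(mode, authenticate(mode, True, mac_auth_ok=False, dot1x_ok=True))
```

The sample run makes the operational consequence visible: in either Else mode every 802.1X user costs a MAC authentication round trip first, while in either Or mode a device that sends 802.1X frames is never offered MAC authentication at all.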
NOTE: An OUI, as defined by the IEEE, is the first 24 bits of the MAC address, which uniquely identifies a device vendor.