port-security port-mode
Syntax
port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }
undo port-security port-mode
View
Layer 2 Ethernet interface view
Default level
2: System level
Parameters
Keyword | Security mode | Description |
---|---|---|
autolearn | autoLearn | In this mode, a port can learn MAC addresses, and allows frames sourced from learned or configured MAC addresses to pass. The dynamically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command. A secure MAC address never ages out by default. In addition, you can configure MAC addresses manually by using the mac-address dynamic and mac-address static commands for a port in autoLearn mode. When the number of secure MAC addresses reaches the upper limit set by the port-security max-mac-count command, the port changes to secure mode. |
mac-authentication | macAddressWithRadius | In this mode, a port performs MAC authentication for users and services multiple users. |
mac-else-userlogin-secure | macAddressElseUserLoginSecure | This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority. |
mac-else-userlogin-secure-ext | macAddressElseUserLoginSecureExt | Similar to the macAddressElseUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users. |
secure | secure | In this mode, MAC address learning is disabled on the port and you can configure MAC addresses by using the mac-address static and mac-address dynamic commands. The port permits only frames sourced from secure MAC addresses and MAC addresses you manually configured by using the mac-address static and mac-address dynamic commands. |
userlogin | userLogin | In this mode, a port performs 802.1X authentication and implements port-based access control. If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication. |
userlogin-secure | userLoginSecure | In this mode, a port performs 802.1X authentication and implements MAC-based access control. It services only one user passing 802.1X authentication. |
userlogin-secure-ext | userLoginSecureExt | Similar to the userLoginSecure mode except that this mode supports multiple online 802.1X users. |
userlogin-secure-or-mac | macAddressOrUserLoginSecure | This mode is the combination of the userLoginSecure and macAddressWithRadius modes. For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames. |
userlogin-secure-or-mac-ext | macAddressOrUserLoginSecureExt | Similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users. |
userlogin-withoui | userLoginWithOUI | Similar to the userLoginSecure mode. In addition, a port in this mode also permits frames from a user whose MAC address contains a specific OUI (organizationally unique identifier). For wired users, the port performs 802.1X authentication upon receiving 802.1X frames, and performs OUI check upon receiving non-802.1X frames. |
Description
Use port-security port-mode to set the port security mode of a port.
Use undo port-security port-mode to restore the default.
By default, a port operates in noRestrictions mode, where port security does not take effect.
To change the security mode of a port security enabled port, you must set the port in noRestrictions mode first. When the port has online users, you cannot change port security mode.
IMPORTANT: If you are configuring the autoLearn mode, first set port security's limit on the number of MAC addresses by using the port-security max-mac-count command. You cannot change the setting when the port is operating in autoLearn mode.
When port security is enabled, you cannot manually enable 802.1X or MAC authentication, or change the access control mode or port authorization state. The port security automatically modifies these settings in different security modes.
Related commands: display port-security.
Examples
# Enable port security and set port Ethernet 1/0/1 in secure mode.
<Sysname> system-view
[Sysname] port-security enable
[Sysname] interface ethernet 1/0/1
[Sysname-Ethernet1/0/1] port-security port-mode secure
# Change the port security mode of port Ethernet 1/0/1 to userLogin.
[Sysname-Ethernet1/0/1] undo port-security port-mode
[Sysname-Ethernet1/0/1] port-security port-mode userlogin
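The following Python example is added here and is not part of the original command reference. It audits a saved configuration against the rules in the Description above: the default noRestrictions mode, autoLearn requiring port-security max-mac-count, and userLogin being port-based. The configuration layout (interface stanzas with indented commands, separated by #), the sample text, the function name audit, and the assumption that every stanza is a Layer 2 Ethernet interface are all assumptions.

```python
import re

# Constructed sample, laid out like saved-configuration output (assumed format).
SAMPLE = """\
#
 port-security enable
#
interface Ethernet1/0/1
 port-security port-mode secure
#
interface Ethernet1/0/2
 port-security port-mode autolearn
#
interface Ethernet1/0/3
 port-security max-mac-count 8
 port-security port-mode autolearn
#
interface Ethernet1/0/4
 port-security port-mode userlogin
#
interface Ethernet1/0/5
 description uplink
#
"""

def audit(config):
    """Return (interface, finding) pairs for the rules stated on this page."""
    findings = []
    if not re.search(r"^[ \t]*port-security enable[ \t]*$", config, re.M):
        findings.append(("global", "port-security enable is missing"))
    # One stanza = an 'interface <name>' line plus the indented lines under it.
    for m in re.finditer(r"^interface (.+)\n((?:[ \t]+.*\n?)*)", config, re.M):
        name, body = m.group(1).strip(), m.group(2)
        mode = re.search(r"^[ \t]*port-security port-mode (\S+)", body, re.M)
        limit = re.search(r"^[ \t]*port-security max-mac-count \d+", body, re.M)
        if mode is None:
            findings.append((name, "no port-mode: noRestrictions, port security has no effect"))
        elif mode.group(1) == "autolearn" and limit is None:
            findings.append((name, "autolearn without port-security max-mac-count"))
        elif mode.group(1) == "userlogin":
            findings.append((name, "userlogin is port-based: one 802.1X login opens the port"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```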