Port security modes
Port security supports the following categories of security modes:
MAC learning control—Includes two modes: autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode.
Authentication—Security modes in this category implement MAC authentication, 802.1X authentication, or a combination of these two authentication methods.
Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication, depending on the security mode. If the frame is illegal, the port takes the predefined NTK or intrusion protection action, or sends SNMP notifications. Outgoing frames are not restricted by port security's NTK action unless they trigger the NTK feature.
Table 22 describes the port security modes and the security features.
Table 22: Port security modes
Purpose | Security mode | Features that can be triggered
---|---|---
Turning off the port security feature | noRestrictions (the default mode). In this mode, port security is disabled on the port and access to the port is not restricted. | N/A
Controlling MAC address learning | autoLearn | NTK/intrusion protection
Controlling MAC address learning | secure | NTK/intrusion protection
Performing 802.1X authentication | userLogin | N/A
Performing 802.1X authentication | userLoginSecure | NTK/intrusion protection
Performing 802.1X authentication | userLoginSecureExt | NTK/intrusion protection
Performing 802.1X authentication | userLoginWithOUI | NTK/intrusion protection
Performing MAC authentication | macAddressWithRadius | NTK/intrusion protection
Performing a combination of MAC authentication and 802.1X authentication | Or: macAddressOrUserLoginSecure | NTK/intrusion protection
Performing a combination of MAC authentication and 802.1X authentication | Or: macAddressOrUserLoginSecureExt | NTK/intrusion protection
Performing a combination of MAC authentication and 802.1X authentication | Else: macAddressElseUserLoginSecure | NTK/intrusion protection
Performing a combination of MAC authentication and 802.1X authentication | Else: macAddressElseUserLoginSecureExt | NTK/intrusion protection
The mode names are explained as follows:
userLogin specifies 802.1X authentication and port-based access control. userLoginSecure (userLogin with the Secure suffix) specifies 802.1X authentication and MAC-based access control. Ext indicates that multiple 802.1X users can be authenticated and serviced at the same time. A security mode without Ext allows only one user to pass 802.1X authentication.
macAddress specifies MAC authentication.
Else specifies that the authentication method before Else is applied first. If the authentication fails, whether to turn to the authentication method following Else depends on the protocol type of the authentication request.
Or specifies that the authentication method following Or is applied first. If the authentication fails, the authentication method before Or is applied.
Controlling MAC address learning
autoLearn.
A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses. Instead, these MAC addresses are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses manually by using the port-security mac-address security command.
A port in autoLearn mode allows frames sourced from the following MAC addresses to pass:
Secure MAC addresses.
MAC addresses configured by using the mac-address dynamic and mac-address static commands.
When the number of secure MAC addresses reaches the upper limit, the port transitions to secure mode.
secure.
MAC address learning is disabled on a port in secure mode. You configure MAC addresses by using the mac-address static and mac-address dynamic commands. For more information about configuring MAC address table entries, see Layer 2—LAN Switching Configuration Guide.
A port in secure mode allows only frames sourced from the following MAC addresses to pass:
Secure MAC addresses.
MAC addresses configured by using the mac-address dynamic and mac-address static commands.
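The frame-handling path for the two MAC learning control modes, written out as a small model so the autoLearn-to-secure transition and the intrusion protection action on an unknown source can be traced. This is an added example, not vendor code: the Port class, the action name "discard" and the sample MAC addresses are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    """Constructed model of a port in autoLearn or secure mode (not vendor code)."""
    mode: str = "autoLearn"                         # "autoLearn" or "secure"
    max_secure: int = 2                             # upper limit of secure MAC addresses
    secure_macs: set = field(default_factory=set)   # secure MAC address table
    static_macs: set = field(default_factory=set)   # mac-address static / dynamic entries
    intrusion_action: str = "discard"               # predefined intrusion protection action
    log: list = field(default_factory=list)

    def configure_secure(self, mac):
        """Manual entry, like 'port-security mac-address security'."""
        self.secure_macs.add(mac)
        self._check_limit()

    def _check_limit(self):
        # Learning stops once the secure MAC count reaches the upper limit.
        if self.mode == "autoLearn" and len(self.secure_macs) >= self.max_secure:
            self.mode = "secure"
            self.log.append("limit reached: port transitions to secure mode")

    def receive(self, src_mac):
        """Return 'forward' or the intrusion action taken for an incoming frame."""
        if src_mac in self.secure_macs or src_mac in self.static_macs:
            return "forward"                  # match in the MAC address table
        if self.mode == "autoLearn":
            self.secure_macs.add(src_mac)     # learned as a secure MAC, not a dynamic one
            self._check_limit()
            return "forward"
        # secure mode: no learning, unknown source is an illegal frame
        self.log.append(f"illegal frame from {src_mac}: {self.intrusion_action}")
        return self.intrusion_action


def demo():
    """Walk a port through learning, the mode transition and an intrusion."""
    port = Port(max_secure=2)
    port.static_macs.add("00:11:22:33:44:55")            # constructed static entry
    frames = ["0a:00:00:00:00:01", "0a:00:00:00:00:02",  # learned
              "0a:00:00:00:00:03",                       # rejected: port is now secure
              "00:11:22:33:44:55", "0a:00:00:00:00:01"]  # static and secure entries pass
    results = [port.receive(mac) for mac in frames]
    return port.mode, results, port.log
```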
Performing 802.1X authentication
userLogin.
A port in this mode performs 802.1X authentication and implements port-based access control. The port can service multiple 802.1X users. Once an 802.1X user passes authentication on the port, any subsequent 802.1X users can access the network through the port without authentication.
userLoginSecure.
A port in this mode performs 802.1X authentication and implements MAC-based access control. The port services only one user passing 802.1X authentication.
userLoginSecureExt.
This mode is similar to the userLoginSecure mode except that this mode supports multiple online 802.1X users.
userLoginWithOUI.
This mode is similar to the userLoginSecure mode. The difference is that a port in this mode also permits frames from one user whose MAC address contains a specific OUI.
In this mode, the port performs the OUI check first. If the OUI check fails, the port performs 802.1X authentication. The port permits frames that pass either the OUI check or 802.1X authentication.
NOTE: An OUI is a 24-bit number that uniquely identifies a vendor, manufacturer, or organization. In MAC addresses, the first three octets are the OUI.
Performing MAC authentication
macAddressWithRadius: A port in this mode performs MAC authentication, and services multiple users.
Performing a combination of MAC authentication and 802.1X authentication
macAddressOrUserLoginSecure.
This mode is the combination of the macAddressWithRadius and userLoginSecure modes. The mode allows one 802.1X authentication user and multiple MAC authentication users to log in.
In this mode, the port performs 802.1X authentication first. By default, if 802.1X authentication fails, MAC authentication is performed.
However, the port in this mode processes authentication differently when the following conditions exist:
The port is enabled with parallel processing of MAC authentication and 802.1X authentication.
The port is enabled with the 802.1X unicast trigger.
The port receives a packet from an unknown MAC address.
Under such conditions, the port sends a unicast EAP-Request/Identity packet to the MAC address to initiate 802.1X authentication. After that, the port immediately processes MAC authentication without waiting for the 802.1X authentication result.
macAddressOrUserLoginSecureExt.
This mode is similar to the macAddressOrUserLoginSecure mode, except that this mode supports multiple 802.1X and MAC authentication users.
macAddressElseUserLoginSecure.
This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies. The mode allows one 802.1X authentication user and multiple MAC authentication users to log in.
In this mode, the port performs MAC authentication upon receiving non-802.1X frames. Upon receiving 802.1X frames, the port performs MAC authentication and then, if the authentication fails, 802.1X authentication.
macAddressElseUserLoginSecureExt.
This mode is similar to the macAddressElseUserLoginSecure mode except that this mode supports multiple 802.1X and MAC authentication users as the Ext keyword implies.
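The ordering rules of the four combination modes, as an added example that is not vendor code: Or modes try 802.1X first and fall back to MAC authentication; Else modes try MAC authentication first and continue to 802.1X only for 802.1X frames; non-Ext modes admit a single 802.1X user. The authenticator callbacks and the user-limit bookkeeping are assumptions, and the parallel-processing condition described above is not modelled.

```python
# Constructed model of the authentication order in the combination modes
# (not vendor code). Callbacks and the 802.1X user limits are assumptions.

MODES = {  # mode name -> (keyword, max online 802.1X users; None = unlimited)
    "macAddressOrUserLoginSecure": ("Or", 1),
    "macAddressOrUserLoginSecureExt": ("Or", None),
    "macAddressElseUserLoginSecure": ("Else", 1),
    "macAddressElseUserLoginSecureExt": ("Else", None),
}


class Port:
    def __init__(self, mode, dot1x_ok, mac_ok):
        self.keyword, self.dot1x_limit = MODES[mode]
        self.dot1x_ok, self.mac_ok = dot1x_ok, mac_ok    # callbacks: mac -> bool
        self.dot1x_users, self.mac_users = set(), set()  # MAC auth users are unlimited
        self.trace = []                                  # decisions, for inspection

    def _dot1x(self, mac):
        if self.dot1x_limit is not None and len(self.dot1x_users) >= self.dot1x_limit:
            self.trace.append("802.1X user limit reached")
            return False
        ok = self.dot1x_ok(mac)
        self.trace.append("802.1X pass" if ok else "802.1X fail")
        if ok:
            self.dot1x_users.add(mac)
        return ok

    def _mac_auth(self, mac):
        ok = self.mac_ok(mac)
        self.trace.append("MAC auth pass" if ok else "MAC auth fail")
        if ok:
            self.mac_users.add(mac)
        return ok

    def authenticate(self, mac, is_dot1x_frame):
        """Return the method that admitted the source MAC, or None if rejected."""
        if mac in self.dot1x_users or mac in self.mac_users:
            return "online"                  # already in the table: forward
        if self.keyword == "Or":
            # Or: 802.1X first, MAC authentication only if 802.1X fails
            if self._dot1x(mac):
                return "802.1X"
            return "MAC" if self._mac_auth(mac) else None
        # Else: MAC authentication first; 802.1X follows only for 802.1X frames
        if self._mac_auth(mac):
            return "MAC"
        if is_dot1x_frame and self._dot1x(mac):
            return "802.1X"
        return None
```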