Port security modes – H3C Technologies H3C WX3000 Series Unified Switches User Manual


Port Security Modes

Table 18-1 describes the available port security modes.

Table 18-1 Description of port security modes

| Security mode | Description | Feature |
|---|---|---|
| noRestriction | Port security is disabled on the port and access to the port is not restricted. | In this mode, neither the NTK nor the intrusion protection feature is triggered. |
| autolearn | In this mode, a port can learn a specified number of MAC addresses and save those addresses as secure MAC addresses. When the number of secure MAC addresses reaches the upper limit, the port changes to work in secure mode and permits only frames whose source MAC addresses are secure MAC addresses or static MAC addresses configured by using the mac-address static command. | In either mode, the device will trigger NTK and intrusion protection upon detecting an illegal packet. |
| secure | In this mode, the port is disabled from learning MAC addresses. Only those packets whose source MAC addresses are security MAC addresses learned and static or dynamic MAC addresses can pass through the port. | In either mode, the device will trigger NTK and intrusion protection upon detecting an illegal packet. |
| userlogin | In this mode, port-based 802.1x authentication is performed for access users. | In this mode, neither NTK nor intrusion protection will be triggered. |
| userLoginSecure | In this mode, a port performs 802.1x authentication of users and services only one user passing 802.1x authentication at a time. | In any of these modes, the device triggers the NTK and Intrusion Protection features upon detecting an illegal packet or illegal event. |
| userLoginSecureExt | In this mode, a port performs 802.1x authentication of users and services users passing 802.1x authentication. | In any of these modes, the device triggers the NTK and Intrusion Protection features upon detecting an illegal packet or illegal event. |
| userLoginWithOUI | Similar to the userLoginSecure mode, a port in this mode performs 802.1x authentication of users and services only one user passing 802.1x authentication. The differences include: Such a port also permits frames from a wired user whose MAC address contains a specified OUI (organizationally unique identifier). For frames from a wireless user, such a port performs OUI check at first. If the OUI check fails, the port performs 802.1x authentication. | In any of these modes, the device triggers the NTK and Intrusion Protection features upon detecting an illegal packet or illegal event. |
| macAddressWithRadius | In this mode, a port performs RADIUS MAC authentication of users. | In any of these modes, the device triggers the NTK and Intrusion Protection features upon detecting an illegal packet or illegal event. |
| macAddressOrUserLoginSecure | This mode is the combination of the userLoginSecure and macAddressWithRadius modes, with 802.1x authentication having a higher priority than MAC authentication. For a user using a wired connection, the port performs MAC authentication upon receiving non-802.1x frames and performs 802.1x authentication first upon receiving 802.1x frames. If 802.1x authentication fails, the port performs MAC authentication. For a wireless user, 802.1x authentication is performed first. If 802.1x authentication fails, MAC authentication is performed. | In any of these modes, the device triggers the NTK and Intrusion Protection features upon detecting an illegal packet or illegal event. |
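
The autolearn-to-secure transition described in the table, as an added Python model that is not part of the H3C manual or the device's own code. The `Port` class, its field names and the sample MAC addresses are hypothetical; dynamic MAC entries and the NTK/intrusion protection actions themselves are not modelled, only the frames that would trigger them.

```python
from dataclasses import dataclass, field


def norm(mac: str) -> str:
    """Normalise 00:1a:2b:.., 00-1A-2B-.. or 001a-2b3c-4d5e to 12 hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


@dataclass
class Port:
    max_secure: int                               # upper limit of secure MACs
    static: set = field(default_factory=set)      # "mac-address static" entries
    mode: str = "autolearn"
    secure: list = field(default_factory=list)    # learned secure MACs
    illegal: list = field(default_factory=list)   # sources of illegal frames

    def __post_init__(self):
        self.static = {norm(m) for m in self.static}
        if self.max_secure <= 0:
            self.mode = "secure"                  # nothing can be learned

    def receive(self, src_mac: str) -> bool:
        """Return True if the frame is permitted, False if it is illegal."""
        mac = norm(src_mac)
        if mac in self.secure or mac in self.static:
            return True
        if self.mode == "autolearn" and len(self.secure) < self.max_secure:
            self.secure.append(mac)               # learn as a secure MAC
            if len(self.secure) == self.max_secure:
                self.mode = "secure"              # limit reached: stop learning
            return True
        # Unknown source on a full or secure port: this is the "illegal
        # packet" that triggers NTK and intrusion protection on the device.
        self.illegal.append(mac)
        return False


if __name__ == "__main__":
    # Constructed sample traffic: two hosts are learned, the third is refused.
    port = Port(max_secure=2, static={"00e0-fc00-0001"})
    for frame in ["00:1a:2b:00:00:01", "001a-2b00-0002",
                  "00:1a:2b:00:00:03", "00-E0-FC-00-00-01"]:
        print(frame, port.receive(frame), port.mode)
```
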
