Setting the port security mode
Port security modes except the userLogin mode are supported only on the following ports:
Layer 2 Ethernet ports on the following modules:
HMIM-8GSW.
HMIM-24GSW.
HMIM-24GSWP.
SIC-4GSW.
SIC-4GSWP
Fixed Layer 2 Ethernet ports on the following routers:
MSR954 (JH296A/JH297A/JH298A/JH299A/JH373A).
MSR958 (JH300A/JH301A).
MSR2004-24/2004-48.
MSR1002-4/1003-8S.
Before you set a port security mode for a port, complete the following tasks:
Disable 802.1X and MAC authentication.
Verify that the port does not belong to an aggregation group.
If you are configuring the autoLearn mode, set port security's limit on the number of secure MAC addresses. You cannot change the setting when the port is operating in autoLearn mode.
When you set the port security mode, follow these guidelines:
You can specify a port security mode when port security is disabled, but your configuration cannot take effect.
Changing the port security mode of a port logs off the online users of the port.
Do not enable 802.1X authentication or MAC authentication on a port where port security is configured.
To set the port security mode:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. (Optional.) Set an OUI value for user authentication. | port-security oui index index-value mac-address oui-value | By default, no OUI values are configured for user authentication. This command is required for the userlogin-withoui mode. You can set multiple OUIs, but when the port security mode is userlogin-withoui, the port allows one 802.1X user and only one user that matches one of the specified OUIs. |
3. Enter interface view. | interface interface-type interface-number |
|
4. Set the port security mode. | port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui } | By default, a port operates in noRestrictions mode. After enabling port security, you can change the port security mode of a port only when the port is operating in noRestrictions (the default) mode. To change the port security mode for a port in any other mode, first use the undo port-security port-mode command to restore the default port security mode. |