port-security port-mode
Use port-security port-mode to set the port security mode of a port.
Use undo port-security port-mode to restore the default.
Syntax
port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }
undo port-security port-mode
Default
A port operates in noRestrictions mode, where port security does not take effect.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Parameters
autolearn: Sets the autoLearn mode. A port in this mode can learn MAC addresses. The automatically learned MAC addresses are not added to the MAC address table as dynamic MAC addresses; instead, they are added to the secure MAC address table as secure MAC addresses. You can also configure secure MAC addresses manually by using the port-security mac-address security command. A port in autoLearn mode allows frames sourced from the following MAC addresses to pass:
When the number of secure MAC addresses reaches the upper limit set by the port-security max-mac-count command, the port changes to secure mode.
mac-authentication: Sets the macAddressWithRadius mode. A port in this mode performs MAC authentication and services multiple MAC authentication users.
mac-else-userlogin-secure: Sets the macAddressElseUserLoginSecure mode. This mode combines the macAddressWithRadius and userLoginSecure modes, with MAC authentication taking priority. The port allows one 802.1X user and multiple MAC authentication users to log in.
mac-else-userlogin-secure-ext: Sets the macAddressElseUserLoginSecureExt mode. Same as the macAddressElseUserLoginSecure mode, except that the port supports multiple 802.1X users as well as multiple MAC authentication users.
secure: Sets the secure mode. MAC address learning is disabled on the port, and you configure MAC addresses by using the mac-address static and mac-address dynamic commands. The port permits only frames sourced from the following MAC addresses to pass:
userlogin: Sets the userLogin mode. The port performs 802.1X authentication and implements port-based access control. Once one 802.1X user passes authentication, all the other users of the port can access the network without being authenticated themselves.
userlogin-secure: Sets the userLoginSecure mode. The port performs 802.1X authentication and implements MAC-based access control. The port services only one user that has passed 802.1X authentication.
userlogin-secure-ext: Sets the userLoginSecureExt mode. Same as the userLoginSecure mode, except that multiple online 802.1X users are supported.
userlogin-secure-or-mac: Sets the macAddressOrUserLoginSecure mode. This mode combines the userLoginSecure and macAddressWithRadius modes. The port allows one 802.1X user and multiple MAC authentication users to log in. The port performs 802.1X authentication first; by default, if 802.1X authentication fails, MAC authentication is performed. However, the port processes authentication differently when the following conditions exist:
Under such conditions, the port sends a unicast EAP-Request/Identity packet to the MAC address to initiate 802.1X authentication, and then immediately processes MAC authentication without waiting for the 802.1X authentication result.
userlogin-secure-or-mac-ext: Sets the macAddressOrUserLoginSecureExt mode. Same as the macAddressOrUserLoginSecure mode, except that the port supports multiple 802.1X users as well as multiple MAC authentication users.
userlogin-withoui: Sets the userLoginWithOUI mode. Similar to the userLoginSecure mode, except that the port also permits frames from a user whose MAC address contains a specific OUI. The port performs the OUI check first; if the OUI check fails, it performs 802.1X authentication. Frames that pass either the OUI check or 802.1X authentication are permitted.
Usage guidelines
To change the security mode of a port-security-enabled port, you must first return the port to noRestrictions mode (undo port-security port-mode). Do not change the port security mode while the port has online users.
IMPORTANT: If you are configuring the autoLearn mode, first set the limit on the number of secure MAC addresses by using the port-security max-mac-count command. You cannot change that limit while the port is operating in autoLearn mode.
When port security is enabled, you cannot enable 802.1X or MAC authentication directly, or change the access control mode or port authorization state. Port security modifies these settings automatically according to the security mode you select.
As a best practice, do not enable the mac-else-userlogin-secure or mac-else-userlogin-secure-ext mode on the port where MAC authentication delay is enabled. The two modes are mutually exclusive with the MAC authentication delay feature. For more information about MAC authentication delay, see "MAC authentication commands."
Examples
# Enable port security, and set Ten-GigabitEthernet 1/0/1 to operate in secure mode.
<Sysname> system-view
[Sysname] port-security enable
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] port-security port-mode secure
# Change the port security mode of Ten-GigabitEthernet 1/0/1 to userLogin. The mode must be restored to the default (noRestrictions) before a new mode can be set.
[Sysname-Ten-GigabitEthernet1/0/1] undo port-security port-mode
[Sysname-Ten-GigabitEthernet1/0/1] port-security port-mode userlogin
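A further worked example, added here and not part of the original reference page, walks through the autoLearn workflow the usage guidelines require: the secure MAC limit is set before the mode is selected, the port is then checked, and the mode is reset to noRestrictions before it is changed to a MAC-based 802.1X mode. The interface name, the limit value of 2 and the target mode are assumptions chosen for illustration; the argument forms of port-security max-mac-count and display port-security are taken from the related command names and are assumed, not quoted from this page.

```text
# Enable port security and set the secure MAC limit BEFORE entering autoLearn
# (the limit cannot be changed once the port is in autoLearn mode).
<Sysname> system-view
[Sysname] port-security enable
[Sysname] interface ten-gigabitethernet 1/0/1
[Sysname-Ten-GigabitEthernet1/0/1] port-security max-mac-count 2
[Sysname-Ten-GigabitEthernet1/0/1] port-security port-mode autolearn
# The port now learns source MACs into the secure MAC address table instead of
# the dynamic MAC table. Once two secure MACs are present it moves to secure
# mode on its own and stops learning. Verify mode and learned entries:
[Sysname-Ten-GigabitEthernet1/0/1] display port-security interface ten-gigabitethernet 1/0/1
# To switch to MAC-based 802.1X with multiple users, return the port to
# noRestrictions first, and only while no users are online on the port.
[Sysname-Ten-GigabitEthernet1/0/1] undo port-security port-mode
[Sysname-Ten-GigabitEthernet1/0/1] port-security port-mode userlogin-secure-ext
```

Choose the max-mac-count value to match the number of devices actually expected behind the port: the transition to secure mode happens only when the limit is reached, so an over-generous limit leaves the port learning (and therefore admitting) new MAC addresses for longer than intended. Prefer userlogin-secure or userlogin-secure-ext over plain userlogin when per-device control matters, since userLogin opens the port for all other users once a single 802.1X user has authenticated.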
Related commands
display port-security
port-security max-mac-count