R3303-HP HSR6800 Routers Security Configuration Guide

Port security modes
Port security supports the following categories of security mode:
- MAC learning control—Includes autoLearn and secure. MAC address learning is permitted on ports in autoLearn mode and disabled on ports in secure mode.
- Authentication—Implements MAC authentication, 802.1X authentication, or a combination of the two authentication methods.
Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC
address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC
address or performs authentication, depending on the security mode. If the frame is illegal, the port takes
the pre-defined NTK, intrusion protection, or trapping action.
The maximum number of users a port supports equals the maximum number of MAC addresses that port
security allows or the maximum number of concurrent users the authentication mode in use allows,
whichever is smaller. For example, if 802.1X allows more concurrent users than port security's limit on the
number of MAC addresses on the port in userLoginSecureExt mode, port security's limit takes effect.
Table 8 describes the port security modes and the security features.
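Table 8 Port security modes

| Purpose | Security mode | Features that can be triggered |
|---|---|---|
| Turning off the port security feature | noRestrictions (the default mode). In this mode, port security is disabled on the port and access to the port is not restricted. | N/A |
| Controlling MAC address learning | autoLearn | NTK/intrusion protection |
| Controlling MAC address learning | secure | NTK/intrusion protection |
| Performing 802.1X authentication | userLogin | N/A |
| Performing 802.1X authentication | userLoginSecure | NTK/intrusion protection |
| Performing 802.1X authentication | userLoginSecureExt | NTK/intrusion protection |
| Performing 802.1X authentication | userLoginWithOUI | NTK/intrusion protection |
| Performing MAC authentication | macAddressWithRadius | NTK/intrusion protection |
| Performing a combination of MAC authentication and 802.1X authentication | Or: macAddressOrUserLoginSecure | NTK/intrusion protection |
| Performing a combination of MAC authentication and 802.1X authentication | Or: macAddressOrUserLoginSecureExt | NTK/intrusion protection |
| Performing a combination of MAC authentication and 802.1X authentication | Else: macAddressElseUserLoginSecure | NTK/intrusion protection |
| Performing a combination of MAC authentication and 802.1X authentication | Else: macAddressElseUserLoginSecureExt | NTK/intrusion protection |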
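
The following audit sketch is an added example, not part of the HP guide. It applies Table 8 and the "whichever is smaller" user-limit rule to a port inventory. The inventory layout, field names, interface names, and limit values are constructed for illustration and are not device output.

```python
# Table 8: whether each security mode can trigger NTK/intrusion protection.
TRIGGERS_FEATURES = {
    "noRestrictions": False, "userLogin": False,
    "autoLearn": True, "secure": True,
    "userLoginSecure": True, "userLoginSecureExt": True,
    "userLoginWithOUI": True, "macAddressWithRadius": True,
    "macAddressOrUserLoginSecure": True,
    "macAddressOrUserLoginSecureExt": True,
    "macAddressElseUserLoginSecure": True,
    "macAddressElseUserLoginSecureExt": True,
}


def effective_user_limit(max_macs, auth_max_users):
    """Smaller of the port security MAC limit and the authentication limit.
    None means "not set in the inventory" (an assumption of this example)."""
    limits = [n for n in (max_macs, auth_max_users) if n is not None]
    return min(limits) if limits else None


def audit_port(port):
    """Return findings for one hypothetical inventory record."""
    name, mode = port["name"], port["mode"]
    if mode not in TRIGGERS_FEATURES:
        return [f"{name}: unknown security mode {mode!r}"]
    findings = []
    if mode == "noRestrictions":
        findings.append(f"{name}: port security off, access not restricted")
    features = port.get("features", [])
    if features and not TRIGGERS_FEATURES[mode]:
        findings.append(f"{name}: {'/'.join(features)} cannot be triggered in {mode}")
    limit = effective_user_limit(port.get("max_macs"), port.get("auth_max_users"))
    if limit is not None:
        findings.append(f"{name}: effective user limit is {limit}")
    return findings


# Constructed sample inventory (not device output).
PORTS = [
    {"name": "GE1/0/1", "mode": "noRestrictions"},
    {"name": "GE1/0/2", "mode": "userLogin", "features": ["NTK"]},
    {"name": "GE1/0/3", "mode": "userLoginSecureExt",
     "features": ["intrusion protection"], "max_macs": 64, "auth_max_users": 256},
    {"name": "GE1/0/4", "mode": "autoLearn", "max_macs": 10},
]

if __name__ == "__main__":
    for record in PORTS:
        for line in audit_port(record):
            print(line)
```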