3Com Switch 7750 Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve 8116fl Redundant Switch Fabric Module

201

202

203

204

205

206

207

208

209

210

Port Security Overview 201

■ When a port works in the mac-else-userlogin-secure mode or the

mac-else-userlogin-secure-ext mode, for the same packet, intrusion

protection can be triggered only after both MAC authentication and 802.1x

authentication fail.

■ When a port works in the userlogin-secure-oui mode, intrusion protection

will not be triggered even if the port receives a frame with an OUI value that is

not the specified one.

userlogin-se

cure

The port is enabled only after an access user passes the

MAC-based 802.1x authentication. When the port is

enabled, only the packets of the successfully authenticated

user can pass through the port.

In this mode, only one 802.1x-authenticated user is allowed

to access the port.

When the port changes from the normal mode to this

security mode, the system automatically removes the

existing dynamic MAC address entries and authenticated

MAC address entries on the port.

In any of these

modes, the

device will

trigger NTK and

intrusion

protection upon

detecting an

illegal packet.

userlogin-se

cure-ext

This mode is similar to the userlogin-secure mode, except

that there can be more than one 802.1x-authenticated user

on the port.

userlogin-se

cure-oui

This mode is similar to the userlogin-secure mode, except

that, besides the packets of the single 802.1x-authenticated

user, the packets whose source MAC addresses have a

particular OUI are also allowed to pass through the port.

When the port changes from the normal mode to this

security mode, the system automatically removes the

existing dynamic/authenticated MAC address entries on the

port.

macAddress

WithRadius

In this mode, MAC address-based authentication is

performed for access users.

userlogin-se

cure-or-mac

In this mode, the two kinds of authentication in

macAddressWithRadius and userlogin-secure modes can

be performed simultaneously.

In this mode, there can be only one authenticated 802.1x

user on the port.

userlogin-se

cure-or-mac

-ext

This mode is similar to the userlogin-secure-or-mac mode,

except that there can be more than one authenticated

802.1x user on the port.

mac-else-us

erlogin-secu

MAC authentication is performed first on the accessing user.

If the MAC authentication succeeds, the access user has the

accessibility; otherwise, 802.1x authentication is performed

on the access user.

In this mode, there can be only one authenticated 802.1x

user on the port.

mac-else-us

erlogin-secu

re-ext

This mode is similar to the mac-else-userlogin-secure

mode, except that there can be more than one

authenticated 802.1x user on the port.

Table 129 Description of port security modes

Security

mode Description Feature