Configuration prerequisites
Before you set a port security mode for a port, complete the following tasks:
• Disable 802.1X and MAC authentication.
• Verify that the port does not belong to any aggregation group or service loopback group.
• If you are configuring the autoLearn mode, set port security's limit on the number of MAC addresses. You cannot change the setting when the port is operating in autoLearn mode.
Configuration procedure
To enable a port security mode:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Set an OUI value for user authentication.
    Command: port-security oui oui-value index index-value
    Remarks: Required for the userlogin-withoui mode. Not configured by default. To set multiple OUI values, repeat this step.
Step 3. Enter Layer 2 Ethernet interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 4. Set the port security mode.
    Command: port-security port-mode { autolearn | mac-authentication | mac-else-userlogin-secure | mac-else-userlogin-secure-ext | secure | userlogin | userlogin-secure | userlogin-secure-ext | userlogin-secure-or-mac | userlogin-secure-or-mac-ext | userlogin-withoui }
    Remarks: By default, a port operates in noRestrictions mode.

Configuring port security features
Configuring NTK
The NTK feature checks the destination MAC addresses in outbound frames to make sure that frames are forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address is discarded. Not all port security modes support triggering the NTK feature. For more information, see Table 8.
The NTK feature supports the following modes:
• ntkonly—Forwards only unicast frames with authenticated destination MAC addresses.
• ntk-withbroadcasts—Forwards only broadcast frames and unicast frames with authenticated destination MAC addresses.
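The following Python sketch is an added example, not part of the original guide or the switch software. It models the NTK egress decision for the two modes listed above. The function names and sample MAC addresses are constructed for illustration, and multicast frames are treated as dropped on the assumption that a mode forwards only the frame types its description names.

```python
# Added illustration of the NTK egress check; all names here are hypothetical,
# not switch CLI or API. Sample addresses are constructed.
BROADCAST = "ff:ff:ff:ff:ff:ff"
NTK_MODES = ("ntkonly", "ntk-withbroadcasts")

def normalize(mac):
    """Return a MAC as lowercase colon-separated hex (accepts xxxx-xxxx-xxxx too)."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def frame_kind(dst):
    """Classify a destination MAC as broadcast, multicast or unicast."""
    dst = normalize(dst)
    if dst == BROADCAST:
        return "broadcast"
    # The I/G bit (lowest bit of the first octet) marks a group address.
    return "multicast" if int(dst[:2], 16) & 1 else "unicast"

def ntk_permits(mode, dst, authenticated):
    """True if an outbound frame to dst may leave the port under this NTK mode."""
    if mode not in NTK_MODES:
        raise ValueError(f"unsupported NTK mode: {mode!r}")
    kind = frame_kind(dst)
    if kind == "unicast":
        # Unknown unicast destinations are discarded in both modes.
        return normalize(dst) in {normalize(m) for m in authenticated}
    if kind == "broadcast":
        return mode == "ntk-withbroadcasts"
    return False  # multicast: assumed dropped, neither listed mode names it

# Constructed sample data: one authenticated device, four outbound frames.
AUTHENTICATED = ["0011-2233-4455"]
FRAMES = ["00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", BROADCAST, "01:00:5e:00:00:fb"]

def decisions(mode):
    """Map each sample destination to the forward (True) / drop (False) decision."""
    return {dst: ntk_permits(mode, dst, AUTHENTICATED) for dst in FRAMES}

if __name__ == "__main__":
    for mode in NTK_MODES:
        print(mode, decisions(mode))
```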