Basic mode—In this mode, a port can learn the specified number of MAC addresses and save those addresses as secure MAC addresses. It permits only frames whose source MAC addresses are secure MAC addresses or configured static MAC addresses. When the number of secure MAC addresses reaches the upper limit, no more secure MAC addresses can be added.

Advanced mode—Port security supports 802.1X and MAC authentication. Different port security modes represent different combinations of the two methods.

Table 127 describes the advanced security modes.

Table 127 Advanced security modes

| Advanced mode | Description |
|---|---|
| MAC-Auth | A port performs MAC authentication for users. It services multiple users. |
| 802.1X Port Based | A port performs 802.1X authentication and implements port-based access control. In this mode, a port can service multiple 802.1X users. If one 802.1X user passes authentication, all the other 802.1X users of the port can access the network without authentication. In this mode, neither outbound restriction nor intrusion protection will be triggered. |
| 802.1X Single Host | A port performs 802.1X authentication and implements MAC-based access control. It services only one user passing 802.1X authentication. |
| 802.1X MAC Based | A port performs 802.1X authentication of users and implements MAC-based access control. The port in this mode supports multiple online 802.1X users. |
| 802.1X MAC Based Or OUI | Similar to the 802.1X Single Host mode, a port in this mode performs 802.1X authentication of users and allows only one 802.1X user to access at a time. The port also permits frames from a wired terminal whose MAC address contains a specific OUI. For frames from a wireless user, the port performs OUI check at first. If the OUI check fails, the port performs 802.1X authentication. |
| MAC-Auth Or 802.1X Single Host | This mode is the combination of the 802.1X Single Host and MAC-Auth modes, with 802.1X authentication having higher priority. For wired users, the port performs MAC authentication upon receiving non-802.1X frames and performs 802.1X authentication upon receiving 802.1X frames. For wireless users, 802.1X authentication is performed first. If 802.1X authentication fails, MAC authentication is performed. |
| MAC-Auth Or 802.1X MAC Based | Similar to the MAC-Auth Or 802.1X Single Host mode, except that it supports multiple 802.1X and MAC authentication users on the port. |
| MAC-Auth Else 802.1X Single Host | This mode is the combination of the MAC-Auth and 802.1X Single Host modes, with MAC authentication having higher priority. A port in this mode performs only MAC authentication for non-802.1X frames. For 802.1X frames, the port performs MAC authentication and then, if MAC authentication fails, 802.1X authentication. |
| MAC-Auth Else 802.1X MAC Based | Similar to the MAC-Auth Else 802.1X Single Host mode, except that it supports multiple 802.1X and MAC authentication users on the port. |
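
The authentication order that Table 127 gives for the combined MAC-Auth Or 802.1X and MAC-Auth Else 802.1X modes, sketched in Python as an added example (not code from the original guide or from the device). The names `auth_order`, `admit` and `compare_modes` and the `passes` set are illustrative assumptions, and the user profiles are constructed.

```python
# Added illustration: models only the authentication order stated in Table 127.
# auth_order, admit and the sample profiles are hypothetical, not device code.
DOT1X, MAC = "802.1X", "MAC-Auth"

def auth_order(mode, frame_is_dot1x, wireless=False):
    """Methods a port tries, in order, for one frame.

    mode is "or" (MAC-Auth Or 802.1X) or "else" (MAC-Auth Else 802.1X);
    the Single Host and MAC Based variants differ in user count, not order.
    """
    if mode == "or":
        if wireless:                     # wireless: 802.1X first, then MAC auth
            return [DOT1X, MAC]
        return [DOT1X] if frame_is_dot1x else [MAC]
    if mode == "else":                   # MAC authentication has priority
        # The table gives no separate wireless rule for the Else modes.
        return [MAC, DOT1X] if frame_is_dot1x else [MAC]
    raise ValueError(f"unknown mode: {mode!r}")

def admit(mode, frame_is_dot1x, passes, wireless=False):
    """Return the method that admits the user, or None if every attempt fails.

    passes is the set of methods this user would pass if the port tried them.
    """
    for method in auth_order(mode, frame_is_dot1x, wireless):
        if method in passes:
            return method
    return None

# Constructed sample users: (description, sends 802.1X frames, methods passed)
PROFILES = [
    ("printer, MAC enrolled, no supplicant", False, {MAC}),
    ("laptop, 802.1X account, MAC not enrolled", True, {DOT1X}),
    ("laptop, 802.1X account and MAC enrolled", True, {DOT1X, MAC}),
    ("unknown device with a supplicant", True, set()),
]

def compare_modes():
    """Map each profile to the admitting method under (Or, Else) on a wired port."""
    return {name: (admit("or", dot1x, ok), admit("else", dot1x, ok))
            for name, dot1x, ok in PROFILES}

if __name__ == "__main__":
    for name, (or_result, else_result) in compare_modes().items():
        print(f"{name:42} Or={or_result}  Else={else_result}")
```

The third profile shows where the two families differ: under the Else modes a user whose MAC address is enrolled is admitted by MAC authentication and never reaches 802.1X, while on a wired port in the Or modes the same user is admitted by 802.1X.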

 

 
