H3C S3600 Series Ethernet Switches Operation Manual-Release 1510(V1.04)

12-Port Security-Port Binding Operation

Chapter 1  Port Security Configuration

1.1  Port Security Overview

1.1.1  Introduction

Port security is a security mechanism for network access control. It extends the existing 802.1x and MAC address authentication mechanisms.

Port security defines several security modes that control how a port learns legal source MAC addresses, so that you can apply the level of network access control you need. With port security, packets whose source MAC addresses cannot be learned by the switch in a given security mode are considered illegal packets, and 802.1x authentication failures are considered illegal events.

Upon detecting an illegal packet or illegal event, the system triggers the corresponding port security features and takes pre-defined actions automatically. This reduces your maintenance workload and greatly enhances system security and manageability.

1.1.2  Port Security Features

The following port security features are provided:

1) NTK (need to know): By checking the destination MAC addresses in outbound data frames on a port, NTK ensures that only successfully authenticated devices can obtain data frames from the port, thus preventing illegal devices from intercepting network data.

2) Intrusion protection: By checking the source MAC addresses in inbound data frames or the username and password in 802.1x authentication requests on a port, intrusion protection detects illegal packets (packets with illegal MAC addresses) or illegal events and takes a pre-set action accordingly. The actions you can set include disconnecting the port temporarily or permanently, and blocking packets with invalid MAC addresses.

3) Device tracking: When special data packets (generated by illegal intrusion, abnormal login/logout or other special activities) pass through a switch port, device tracking makes the switch send trap messages to help the network administrator monitor those activities.

1.1.3  Port Security Modes

Table 1-1 describes the available port security modes:

Table 1-1 Description of port security modes

Security mode: autolearn
Description: In this mode, the port automatically learns MAC addresses and changes them to security MAC addresses.
This security mode automatically changes to the secure mode after the number of security MAC addresses on the port reaches the maximum configured with the port-security max-mac-count command.
After changing to the secure mode, only those packets whose source MAC addresses are learned security MAC addresses or configured dynamic MAC addresses can pass through the port.
Feature: In either mode (autolearn or secure), the device triggers NTK and intrusion protection upon detecting an illegal packet.

Security mode: secure
Description: In this mode, the port is disabled from learning MAC addresses.
Only those packets whose source MAC addresses are learned security MAC addresses, static MAC addresses or configured dynamic MAC addresses can pass through the port.

Security mode: userlogin
Description: In this mode, port-based 802.1x authentication is performed for access users.
Feature: In this mode, neither NTK nor intrusion protection is triggered.

Security mode: userlogin-secure
Description: The port is enabled only after an access user passes 802.1x authentication. When the port is enabled, only the packets of the successfully authenticated user can pass through the port.
In this mode, only one 802.1x-authenticated user is allowed to access the port.
When the port changes from the normal mode to this security mode, the system automatically removes the existing dynamic MAC address entries and authenticated MAC address entries on the port.
Feature: In this mode and the modes listed below, the device triggers NTK and intrusion protection upon detecting an illegal packet.

Security mode: userlogin-withoui
Description: This mode is similar to the userlogin-secure mode, except that, besides the packets of the single 802.1x-authenticated user, packets whose source MAC addresses have a particular OUI are also allowed to pass through the port.
When the port changes from the normal mode to this security mode, the system automatically removes the existing dynamic and authenticated MAC address entries on the port.

Security mode: mac-authentication
Description: In this mode, MAC address–based authentication is performed for access users.

Security mode: userlogin-secure-or-mac
Description: In this mode, the user passes authentication if either MAC address authentication or userlogin-secure (802.1x) authentication succeeds.

Security mode: mac-else-userlogin-secure
Description: In this mode, MAC address authentication is performed first. If it succeeds, the mac-authentication mode is adopted; otherwise, authentication in userlogin-secure mode is performed.

Security mode: userlogin-secure-ext
Description: This mode is similar to the userlogin-secure mode, except that there can be more than one 802.1x-authenticated user on the port.

Security mode: userlogin-secure-or-mac-ext
Description: This mode is similar to the userlogin-secure-or-mac mode, except that there can be more than one 802.1x-authenticated user on the port.

Security mode: mac-else-userlogin-secure-ext
Description: This mode is similar to the mac-else-userlogin-secure mode, except that there can be more than one 802.1x-authenticated user on the port.

1.2  Port Security Configuration

1.2.1  Configuring Port Security

Table 1-2 Configure port security

Operation: Enter system view
Command: system-view

Operation: Enable port security
Command: port-security enable
Description: Required

Operation: Set OUI value for user authentication
Command: port-security oui OUI-value index index-value
Description: Optional

Operation: Enable the sending of specific types of trap messages
Command: port-security trap { addresslearned | intrusion | dot1xlogon | dot1xlogoff | dot1xlogfailure | ralmlogon | ralmlogoff | ralmlogfailure }*
Description: Optional. By default, the sending of trap messages is disabled.

Operation: Enter Ethernet port view
Command: interface interface-type interface-number

Operation: Set the security mode of the port
Command: port-security port-mode mode
Description: Required. You can choose a mode as required.

Operation: Set the maximum number of MAC addresses allowed on the port
Command: port-security max-mac-count count-value
Description: Optional. By default, there is no limit on the number of MAC addresses.

Operation: Set the NTK transmission mode
Command: port-security ntk-mode { ntkonly | ntk-withbroadcasts | ntk-withmulticasts }
Description: Required. By default, no packet transmission mode of the NTK feature is set on the port.

Operation: Set the action to be taken after intrusion protection is triggered
Command: port-security intrusion-mode { disableport | disableport-temporarily | blockmac }
Description: Required. By default, no specific intrusion detection mode is configured.

Operation: Configure the port to ignore the authorization information delivered from the RADIUS server
Command: port-security authorization ignore
Description: Optional. By default, the authorization information delivered by the server is applied to the port.

Operation: Return to system view
Command: quit

Operation: Set the time during which a port is temporarily disabled
Command: port-security timer disableport timer
Description: Optional. By default, it is 20 seconds.

Note:

After the port-security intrusion-mode disableport-temporarily command is executed on a port, the time set by the port-security timer disableport timer command determines how long the port remains disabled.

To avoid conflicts, the following restrictions apply to 802.1x authentication and MAC address authentication after port security is enabled:

1) The access control mode (set by the dot1x port-control command) automatically changes to auto.

2) The dot1x, dot1x port-method, dot1x port-control, and mac-authentication commands cannot be used.

Note:

- For details about 802.1x authentication, refer to the 802.1x part of the S3600 Series Ethernet Switches Operation Manual.

- You cannot add a port configured with port security to a link aggregation group.

- You cannot configure the port-security port-mode mode command on a port if the port is in a link aggregation group.

1.2.2  Configuring Security MAC Addresses

Security MAC addresses are a special type of MAC address, similar to static MAC addresses. A security MAC address can be added to only one port within a VLAN, so configuring one effectively binds that MAC address to a single port in the VLAN.

Security MAC addresses can be learned by the auto-learn function of port security. In addition, you can manually configure them through CLI or MIB.

Before adding security MAC addresses to a port, you must configure the port security mode to autolearn. After this configuration, the port changes the way it learns MAC addresses:

- The port deletes its original dynamic MAC addresses;

- If the number of security MAC addresses has not yet reached the maximum, the port learns new MAC addresses and turns them into security MAC addresses;

- If the number of security MAC addresses reaches the maximum, the port can no longer learn new MAC addresses and the port mode changes from autolearn to secure.
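The autolearn behaviour just described, together with the autolearn and secure rows of Table 1-1, can be traced in a small simulation. The following Python model is an added example written for this page, not H3C code: Frame, SecurePort and its method names are constructed, and the reading of ntk-withbroadcasts and ntk-withmulticasts (broadcast, or broadcast plus multicast, in addition to known unicast destinations) is this example's interpretation of the mode names, which the page does not spell out.

```python
"""Simulation of a port-security port moving from autolearn to secure mode.

Added example, not H3C code. It follows the behaviour the text describes:
entering autolearn drops the port's dynamic MAC entries, learned source MACs
become security MACs until port-security max-mac-count is reached, the port
then switches to secure, and an unknown source MAC is an illegal packet that
raises an 'intrusion' trap and triggers the configured intrusion-mode action.
Frame, SecurePort and the method names are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class Frame:
    src: str                 # source MAC in H3C hhhh-hhhh-hhhh notation
    dst: str                 # destination MAC
    kind: str = "unicast"    # unicast | broadcast | multicast


@dataclass
class SecurePort:
    max_mac_count: int                       # port-security max-mac-count
    intrusion_mode: str = "blockmac"         # disableport | disableport-temporarily | blockmac
    ntk_mode: str = "ntkonly"                # ntkonly | ntk-withbroadcasts | ntk-withmulticasts
    mode: str = "normal"                     # normal | autolearn | secure
    dynamic_macs: set = field(default_factory=set)
    security_macs: set = field(default_factory=set)
    blocked_macs: set = field(default_factory=set)
    disabled: bool = False
    traps: list = field(default_factory=list)   # (trap type, MAC) in the order raised

    def set_mode_autolearn(self):
        """port-security port-mode autolearn: delete dynamic entries, start learning."""
        self.dynamic_macs.clear()
        self.mode = "autolearn"
        self._switch_to_secure_if_full()

    def add_security_mac(self, mac):
        """mac-address security <mac> ...: manual entry, allowed only in autolearn mode."""
        if self.mode != "autolearn":
            raise RuntimeError("configure port-security port-mode autolearn first")
        self.security_macs.add(mac)
        self._switch_to_secure_if_full()

    def _switch_to_secure_if_full(self):
        if len(self.security_macs) >= self.max_mac_count:
            self.mode = "secure"          # the port learns no further MAC addresses

    def ingress(self, frame):
        """Inbound decision for one frame: 'forward' or 'drop'."""
        if self.disabled or frame.src in self.blocked_macs:
            return "drop"
        if self.mode == "normal":         # port security mode not yet applied
            self.dynamic_macs.add(frame.src)
            return "forward"
        if frame.src in self.security_macs:
            return "forward"
        if self.mode == "autolearn":
            self.security_macs.add(frame.src)
            self.traps.append(("addresslearned", frame.src))
            self._switch_to_secure_if_full()
            return "forward"
        # secure mode with an unknown source MAC: illegal packet, intrusion protection acts
        self.traps.append(("intrusion", frame.src))
        if self.intrusion_mode == "blockmac":
            self.blocked_macs.add(frame.src)
        else:                             # disableport / disableport-temporarily (timer not modelled)
            self.disabled = True
        return "drop"

    def egress(self, frame):
        """NTK decision: known destinations leave; flooding depends on the NTK mode."""
        if frame.dst in self.security_macs:
            return "forward"
        if frame.kind == "broadcast" and self.ntk_mode in ("ntk-withbroadcasts", "ntk-withmulticasts"):
            return "forward"              # assumption: withmulticasts also covers broadcasts
        if frame.kind == "multicast" and self.ntk_mode == "ntk-withmulticasts":
            return "forward"
        return "drop"


def demo():
    """Replays the configuration example in 1.4 with max-mac-count 2 instead of 80."""
    port = SecurePort(max_mac_count=2)
    port.ingress(Frame("0001-0002-0003", "ffff-ffff-ffff", "broadcast"))  # learned dynamically
    port.set_mode_autolearn()                       # dynamic entry is dropped
    port.add_security_mac("0001-0002-0003")         # PC1, as in the configuration example
    learned = port.ingress(Frame("0001-0002-0004", "0001-0002-0003"))   # second MAC -> secure
    intruder = port.ingress(Frame("0001-0002-0005", "0001-0002-0003"))  # unknown MAC -> dropped
    return {"mode": port.mode, "learned": learned, "intruder": intruder,
            "blocked": sorted(port.blocked_macs), "traps": port.traps}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the port switching to secure once the second security MAC is present and the third host being blocked by blockmac. Setting intrusion_mode to disableport instead shows the trade-off the timer disableport setting exists for: while the port is disabled, frames from the legitimate security MAC are dropped too.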

 

Note:

Manually configured security MAC addresses are written to the configuration file; they are not lost when the port goes up or down. As long as the configuration file is saved, the security MAC addresses are restored after the switch reboots.

Table 1-3 Configure a security MAC address

Operation: Enter system view
Command: system-view

Operation: Enable port security
Command: port-security enable
Description: Required

Operation: Enter Ethernet port view
Command: interface interface-type interface-number

Operation: Set the maximum number of security MAC addresses allowed on the port
Command: port-security max-mac-count count-value
Description: Required. By default, there is no limit on the maximum number of security MAC addresses.

Operation: Set the port security mode to autolearn
Command: port-security port-mode autolearn
Description: Required

Operation: Add a security MAC address
Command: mac-address security mac-address [ interface interface-type interface-number ] vlan vlan-id
Description: Required. You can execute this command in system view as well as in Ethernet port view. When using this command in system view, you should specify interface interface-type interface-number.

Note that:

1) If the port-security port-mode autolearn command is configured on a port, you should not configure the following on the same port:

- Static and black-hole MAC addresses

- Voice VLAN feature

- 802.1x feature

- Link aggregation

- Mirror reflector port

2) The port-security max-mac-count count-value command cannot be configured together with the mac-address max-mac-count count command.

1.3  Displaying Port Security Configuration

After the above configuration, you can use the display command in any view to display port security information and verify your configuration.

Table 1-4 Display port security configuration

Operation: Display information about port security configuration
Command: display port-security [ interface interface-list ]
Description: You can execute the display command in any view.

Operation: Display information about security MAC address configuration
Command: display mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ]
Description: You can execute the display command in any view.

1.4  Port Security Configuration Example

I. Network requirements

- Enable port security on port Ethernet1/0/1 of switch A.

- Set the maximum number of MAC addresses allowed on the port to 80.

- Set the port security mode to autolearn.

- Add the MAC address 0001-0002-0003 of PC1 as a security MAC address to VLAN 1.

II. Network diagram

Figure 1-1 Network diagram for port security configuration

III. Configuration procedure

Configure switch A as follows:

# Enter system view.

<S3600> system-view

# Enable port security.

[S3600] port-security enable

# Enter Ethernet1/0/1 port view.

[S3600] interface Ethernet1/0/1

# Set the maximum number of MAC addresses allowed on the port to 80.

[S3600-Ethernet1/0/1] port-security max-mac-count 80

# Set the port security mode to autolearn.

[S3600-Ethernet1/0/1] port-security port-mode autolearn

# Add the MAC address 0001-0002-0003 of PC1 as a security MAC address to VLAN 1.

[S3600-Ethernet1/0/1] mac-address security 0001-0002-0003 vlan 1

 


Chapter 2  Port Binding Configuration

2.1  Port Binding Overview

2.1.1  Introduction

Port binding enables the network administrator to bind the MAC and IP addresses of a legal user to a specific port. After the binding, only the user whose device MAC address is identical with the bound MAC address can use the bound IP address to access the network through the port. This improves network security and enhances security monitoring.

2.1.2  Configuring Port Binding

Table 2-1 Configure port binding

Operation: Enter system view
Command: system-view

Operation: Bind the MAC address and IP address of a legal user to a specific port
Command: am user-bind mac-addr mac-address ip-addr ip-address interface interface-type interface-number
Description: Optional

Operation: Enter Ethernet port view
Command: interface interface-type interface-number

Operation: Bind the MAC address and IP address of a legal user to the current port
Command: am user-bind mac-addr mac-address ip-addr ip-address
Description: Optional

Note:

An IP address can be bound with only one MAC address, and vice versa.
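The one-to-one rule in the note above, and the check that a binding implies for traffic arriving on the bound port, as an added Python model (not H3C code): PortBindingTable, normalize_mac and bind_or_report are constructed names, the sample MAC, IP and port are those of the configuration example in 2.3 below, and letting hosts that have no binding at all through is this model's assumption, since the page does not say how the switch treats them.

```python
"""Model of the port binding rule (am user-bind) described above.

Added example, not H3C code. PortBindingTable enforces the note that an IP
address can be bound to only one MAC address and vice versa, and decides
whether a packet's (source MAC, source IP, ingress port) agrees with the
bindings. Unbound hosts are let through here, which is an assumption.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept 0001-0002-0003, 00:01:00:02:00:03 or 000100020003; return H3C notation."""
    digits = re.sub(r"[-:.]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


class BindingError(ValueError):
    """Raised when a new binding would violate the one-MAC-one-IP rule."""


class PortBindingTable:
    def __init__(self):
        self._by_mac = {}   # mac -> (ip, interface)
        self._by_ip = {}    # ip  -> mac

    def user_bind(self, mac, ip, interface):
        """am user-bind mac-addr <mac> ip-addr <ip> interface <interface>."""
        mac = normalize_mac(mac)
        bound_mac = self._by_ip.get(ip)
        if bound_mac is not None and bound_mac != mac:
            raise BindingError(f"{ip} is already bound to {bound_mac}")
        if mac in self._by_mac and self._by_mac[mac][0] != ip:
            raise BindingError(f"{mac} is already bound to {self._by_mac[mac][0]}")
        self._by_mac[mac] = (ip, interface)
        self._by_ip[ip] = mac

    def permits(self, src_mac, src_ip, interface):
        """True if a packet with this source MAC/IP on this port satisfies the bindings."""
        src_mac = normalize_mac(src_mac)
        if src_ip in self._by_ip:
            # a bound IP may be used only from its bound MAC, on the bound port
            bound_mac = self._by_ip[src_ip]
            return bound_mac == src_mac and self._by_mac[bound_mac][1] == interface
        if src_mac in self._by_mac:
            # a bound MAC may not appear with some other IP address
            return False
        return True   # no binding involved (assumption, see module docstring)

    def display(self):
        """Rows in the spirit of 'display am user-bind': (MAC, IP, interface)."""
        return [(mac, ip, itf) for mac, (ip, itf) in sorted(self._by_mac.items())]


def bind_or_report(table, mac, ip, interface):
    """Return None on success, or the conflict message, as a CLI would report it."""
    try:
        table.user_bind(mac, ip, interface)
        return None
    except BindingError as exc:
        return str(exc)


if __name__ == "__main__":
    table = PortBindingTable()
    table.user_bind("0001-0002-0003", "10.12.1.1", "Ethernet1/0/1")   # PC1, example 2.3
    print(table.display())
    # a host using PC1's IP from a different MAC is refused
    print(table.permits("0001-0002-0004", "10.12.1.1", "Ethernet1/0/1"))
```

The permits() check is what the binding buys a defender: once PC1's MAC and IP are tied to Ethernet1/0/1, a packet carrying PC1's IP from any other MAC, or from PC1's MAC on another port, fails the check, and bind_or_report() shows the conflict the switch has to reject when an operator tries to bind the same IP to a second MAC.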

2.2  Displaying Port Binding Configuration

After the above configuration, you can use the display command in any view to display port binding information and verify your configuration.

Table 2-2 Display port binding configuration

Operation: Display port binding information
Command: display am user-bind [ interface interface-type interface-number | mac-addr mac-addr | ip-addr ip-addr ]
Description: You can execute the display command in any view.

2.3  Port Binding Configuration Example

I. Network requirements

It is required to bind the MAC and IP addresses of PC1 to Ethernet1/0/1 on switch A, so as to prevent malicious users from using an IP address stolen from PC1 to access the network.

II. Network diagram

Figure 2-1 Network diagram for port binding configuration

III. Configuration procedure

Configure switch A as follows:

# Enter system view.

<S3600> system-view

# Enter Ethernet1/0/1 port view.

[S3600] interface Ethernet1/0/1

# Bind the MAC address and the IP address of PC1 to Ethernet1/0/1.

[S3600-Ethernet1/0/1] am user-bind mac-addr 0001-0002-0003 ip-addr 10.12.1.1

 
