HP 5500 Ei 5500 Si Switch Series Configuration Guide
Page 1871
• MAC learning control—Includes two modes, autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode.
• Authentication—Security modes in this category implement MAC authentication, 802.1X authentication, or a combination of these two authentication methods.
Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is...
Page 1872
Controlling MAC address learning
• autoLearn
A port in this mode can learn MAC addresses, and allows frames from learned or configured MAC addresses to pass. The automatically learned MAC addresses are secure MAC addresses. You can also configure secure MAC addresses by using the port-security mac-address security command. A secure MAC address never ages out by default. When the number of secure MAC addresses reaches the upper limit, the port transitions to secure mode. The dynamic MAC...
Page 1873
This mode is similar to the macAddressOrUserLoginSecure mode except that a port in this mode supports multiple 802.1X and MAC authentication users.
• macAddressElseUserLoginSecure
This mode is the combination of the macAddressWithRadius and userLoginSecure modes, with MAC authentication having a higher priority as the Else keyword implies. For non-802.1X frames, a port in this mode performs only MAC authentication. For 802.1X frames, it performs MAC authentication and then, if the...
Page 1874
Enabling port security
Enabling or disabling port security resets the following security settings to the default:
• 802.1X access control mode is MAC-based, and the port authorization state is auto.
• Port security mode is noRestrictions.
When port security is enabled, you cannot manually enable 802.1X or MAC authentication, or change the access control mode or port authorization state. The port security automatically modifies these settings in different security modes. You cannot...
Page 1875
Setting the port security mode
After enabling port security, you can change the port security mode of a port only when the port is operating in noRestrictions (the default) mode. To change the port security mode for a port in any other mode, first use the undo port-security port-mode command to restore the default port security mode. You can specify a port security mode when port security is disabled, but your configuration cannot take effect. You cannot change the port security mode of a...
Page 1876
Configuring port security features
Configuring NTK
The NTK feature checks the destination MAC addresses in outbound frames to make sure that frames are forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address is discarded. Not all port security modes support triggering the NTK feature. For more information, see Table 11. The NTK feature supports the following modes:
• ntkonly—Forwards only unicast frames with authenticated destination MAC...
Page 1877
Step 2. Enter Layer 2 Ethernet interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Configure the intrusion protection feature.
  Command: port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
  Remarks: By default, intrusion protection is disabled.
Step 4. Return to system view.
  Command: quit
  Remarks: N/A
Step 5. Set the silence timeout period during which a port remains disabled.
  Command: port-security timer disableport time-value
  Remarks: Optional. 20 seconds by default....
Page 1878
Table 12 A comparison of static, sticky, and dynamic secure MAC addresses
Columns: Type; Address sources; Aging mechanism; Can be saved and survive a device reboot?
Static
  Address sources: Manually added
  Aging mechanism: Not available. They never age out unless you manually remove them, change the port security mode, or disable the port security feature.
  Can be saved and survive a device reboot? Yes.
Sticky
  Address sources: Manually added or automatically learned when the dynamic secure MAC function (port-security mac-address dynamic) is disabled.
  Aging mechanism: Sticky MAC addresses by default...
Page 1879
Step 3. Configure a secure MAC address.
  Command:
  • Approach 1 (in system view):
    port-security mac-address security [ sticky ] mac-address interface interface-type interface-number vlan vlan-id
  • Approach 2 (in interface view):
    a. interface interface-type interface-number
    b. port-security mac-address security [ sticky ] mac-address vlan vlan-id
    c. quit
  Remarks: Use either approach. No secure MAC address exists by default.
Step 4. Enter Layer 2 Ethernet interface view....
Page 1880
Task: Display port security configuration information, operation information, and statistics about one or more ports or all ports.
  Command: display port-security [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
Task: Display information about secure MAC addresses.
  Command: display port-security mac-address security [ interface interface-type interface-number ] [ vlan vlan-id ] [ count ] [ | { begin | exclude | include }...