The H3C switch port security mode that you need to know most

What you need to know most about the H3C switch port security mode is that we often use a network technology application for network management and network device configuration. Many readers often encounter such application requirements. In fact, the most direct and simple method for user network access control is to configure port-based security mode, not only for Cisco switches, the H3C switch has similar functions and looks more powerful. The port security mode configured on www.2cto.com on the H3C Ethernet switch can be divided into two categories: control MAC address learning and authentication. To control MAC address learning, you do not need to authenticate access users. However, you can allow or disable automatic learning of specified MAC addresses, that is, to allow or prohibit adding the corresponding MAC address to the MAC address table of the local switch, this method can be used to control network access. The authentication class uses MAC address authentication or IEEE 802.1X authentication mechanism, or both authentication to implement network access control for access users. The H3C Ethernet switch port in safe mode is configured. After receiving the data packet sent by the user, first query the MAC address of the corresponding user in the local MAC address table. If the source MAC address of the packet is already in the MAC address table of the local switch, the packet is directly forwarded. Otherwise, the corresponding processing is performed based on the security mode of the port, when illegal packets are detected, the port is triggered to implement corresponding security protection features. The port security modes that can be configured in the H3C Ethernet switch and their working principles are as follows. 1. in autoLearn mode and secure mode, you can manually configure the autoLearn mode or dynamically learn the MAC address, the obtained MAC address is Secure MAC (Secure MAC address ). In this mode, only packets with the active MAC as the Secure MAC can pass through this port. However, after the number of Secure MAC address entries under the Port exceeds the maximum number of Secure MAC addresses allowed by the port, this port will not add a new Secure MAC, and the port will be automatically converted to the Secure mode. If you directly set the port security mode to the Secure mode, the port is immediately prohibited from learning the new MAC address. Only the source MAC address is configured statically on the switch, or the packets from the dynamically learned MAC address can be forwarded through this port. According to the preceding descriptions, we can conclude that the packet processing process in autoLearn and secure modes is as follows: 1-1.

Figure 19-1 flowchart of Packet Handling in the secure Mode of autoLearn and secure ports 2. the single IEEE 802.1X Authentication mode adopts a single IEEE 802.1x Authentication mode. The port security mode also includes the following: l userlogin: Port-based IEEE 802.1x authentication for access users, only Authenticated Users are allowed to access the service.
L userLoginSecure: Use IEEE 802.1x authentication based on the user's MAC address for Access Users (that is, the monoclonal antibody mentioned in the Cisco IOS switch ). Only packets with the source MAC address as the MAC address of the switch are received, but only user data packets with 802.1x authentication are allowed to pass. In this mode, a port can be connected to a maximum of 802.1x Authenticated Users (that is, IEEE 802.1X single host mode ). L userLoginSecureExt: similar to userLoginSecure, but there can be multiple 802.1x authenticated users under the Port (that is, IEEE 802.1X multi-host mode ). L userLoginWithOUI: similar to userLoginSecure, a port allows up to one 802.1x authenticated user, but the user's data packet must also contain a allowed OUI (organization unique identifier ). Because the IEEE 802.1X authentication for H3C Ethernet switches will be introduced in chapter 21st of this book, we will not repeat it here. 3. MAC address Authentication Mode MAC address authentication security mode is macAddressWithRadius mode. MAC address authentication is a network access control method based on ports and users' MAC addresses. It does not require users to install any client software. After the vswitch detects the user's MAC address for the first time on the port with MAC address authentication enabled, it starts authentication for the user. During authentication, you do not need to manually enter the user name or password because it is based on the user's MAC address. If the authentication succeeds, the user is allowed to access network resources through the port. Otherwise, the user's MAC address is added as "Silent MAC ". During the silent time (you can use the silent timer configuration), user messages from this MAC address are discarded directly when they arrive to prevent unauthorized MAC authentication for a short period of time. Currently, H3C Ethernet switches support "local authentication" and "RADIUS Remote Authentication. The configuration of RADIUS Server Authentication for H3C Ethernet switches is described in Chapter 20th of this book. The configuration of MAC address authentication is described in Section 19.5 of this chapter. 4. The "and" Mode means "and", which means that all conditions must be met at the same time. And port security mode includes the following two seed modes: l macAddressAndUserLoginSecure: when a user's MAC address is not in the forwarding table, the access user first performs MAC address authentication, after the MAC address is successfully authenticated, perform IEEE 802.1x authentication. This user is allowed to access the network only when both authentication methods are successful. In this mode, the port allows only one user to access the network, that is, the first user who passes the two authentication methods. Www.2cto.com l macAddressAndUserLoginSecureExt: similar to macAddressAndUserLoginSecure. However, in this mode, you can access multiple ports. According to the preceding descriptions, we can conclude that the packet processing process for the two and port security sub-modes is described in 19-2.

Figure 19-2 and port security mode packet processing flowchart 5. the else mode "else" means "another", that is, you can try other authentication methods after the authentication fails. The else port security mode includes the following two sub-modes: l macAddressElseUserLoginSecure: when the user's MAC address is not in the forwarding table, the access user is first authenticated by the MAC address. If the authentication succeeds, the access user is directly authenticated, if the MAC address authentication fails, try 802.1x authentication again. In this mode, multiple users can pass MAC address authentication on the port, but the port only allows access to one user through 802.1x authentication, that is, the first user who passes 802.1x authentication. L macAddressElseUserLoginSecureExt: similar to macAddressElseUserLoginSecure. However, in this mode, the port is allowed to pass IEEE 802.1X authentication by multiple users. According to the preceding descriptions, we can conclude that the packet processing process of the two else port security sub-modes is 19-3.

Figure 19-3 flowchart of packet processing in the Secure Mode of else port 6. The "or" Mode means "or", that is, you can choose one of the authentication methods. Or port security mode includes the following two sub-modes: l macAddressOrUserLoginSecure: when the user's MAC address is not in the forwarding table, the access user can still perform IEEE 802.1x authentication after passing the MAC address authentication; however, after the access user passes the IEEE 802.1x authentication, MAC address authentication is not performed. In this mode, there can be multiple MAC address-based authenticated users, but the port only allows access to one authenticated 802.1x user, that is, the first user who passes 802.1x authentication. Www.2cto.com l macAddressOrUserLoginSecureExt: similar to macAddressOrUserLoginSecure. However, in this mode, multiple users can pass IEEE 802.1x authentication. According to the preceding descriptions, we can conclude that the packet processing process of the two or port security sub-modes is as shown in Figure 19-4.

Figure 19-4 or port security mode packet processing Flowchart
Source http://blog.csdn.net/lycb_gz/article/details/8088517