6-7Configuring ProcedureFollow these steps to enable any other port security mode:To do… Use the command… RemarksEnter system view system-view —Set an OUI value foruser authenticationport-security oui oui-value indexindex-valueOptionalNot configured by default.The command is required forthe userlogin-withoui mode.Enter interface view interface interface-typeinterface-number —Set the port securitymodeport-security port-mode { autolearn |mac-authentication |mac-else-userlogin-secure |mac-else-userlogin-secure-ext |secure | userlogin | userlogin-secure| userlogin-secure-ext |userlogin-secure-or-mac |userlogin-secure-or-mac-ext |userlogin-withoui }RequiredBy default, a port operates innoRestrictions mode.z You cannot change the maximum number of secure MAC addresses allowed on a port thatoperates in autoLearn mode.z OUI, defined by IEEE, is the first 24 bits of the MAC address and uniquely identifies a devicevendor.z You can configure multiple OUI values. However, a port in userLoginWithOUI mode allows onlyone 802.1X user and one user whose MAC address contains a specified OUI.z After enabling port security, you can change the port security mode of a port only when the port isoperating in noRestrictions mode, the default mode. To change the port security mode of a portoperating in any other mode, use the undo port-security port-mode command to restore thedefault port security mode at first.z You cannot change the port security mode of a port with users online.Configuring Port Security FeaturesConfiguring NTKThe need to know (NTK) feature checks the destination MAC addresses in outbound frames to allowframes to be forwarded to only devices passing authentication. The NTK feature supports threemodes:z ntkonly: Forwards only frames destined for authenticated MAC addresses.z ntk-withbroadcasts: Forwards only frames destined for authenticated MAC addresses or thebroadcast address.