Port Security Configuration 127
■ After you set the port security mode to autolearn, you cannot configure any
static or blackhole MAC addresses on the port.
■ If the port is in a security mode other than noRestriction, before you can
change the port security mode, you need to restore the port security mode to
noRestriction with the undo port-security port-mode command.
If the port-security port-mode mode command has been executed on a port,
none of the following can be configured on the same port:
■ Maximum number of MAC addresses that the port can learn
■ Reflector port for port mirroring
■ Link aggregation
Configuring Port
Security Features
Configuring the NTK feature
Configuring intrusion protection
n
The port-security timer disableport command is used in conjunction with the
port-security intrusion-mode disableport-temporarily command to set the
length of time during which the port remains disabled.
c
Caution: If you configure the NTK feature and execute the port-security
intrusion-mode blockmac command on the same port, the switch will be unable
to disable the packets whose destination MAC address is illegal from being sent
out that port; that is, the NTK feature configured will not take effect on the
packets whose destination MAC address is illegal.
Tab le 82 Configure the NTK feature
Operation Command Remarks
Enter system view system-view -
Enter Ethernet port view interface interface-type
interface-number
-
Configure the NTK feature port-security ntk-mode {
ntkonly |
ntk-withbroadcasts |
ntk-withmulticasts }
Required
Be default, NTK is disabled on
a port, namely all frames are
allowed to be sent.
Tab le 83 Configure the intrusion protection feature
Operation Command Remarks
Enter system view system-view -
Enter Ethernet port view interface interface-type
interface-number
-
Set the corresponding action
to be taken by the switch
when intrusion protection is
triggered
port-security
intrusion-mode { blockmac
| disableport |
disableport-temporarily}
Required
By default, intrusion
protection is disabled.
Return to system view quit -
Set the timer during which
the port remains disabled
port-security timer
disableport timer
Optional
20 seconds by default
To Next Page
Loading...
