204
• disableport-temporarily—Disables the port for a specific period of time. The period can be
configured with the port-security timer disableport command.
On a port operating in either the macAddressElseUserLoginSecure mode or the
macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC
authentication and 802.1X authentication for the same frame fail.
To configure the intrusion protection feature:
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enter Layer 2 Ethernet
interface view.
interface interface-type
interface-number
N/A
3. Configure the intrusion
protection feature.
port-security intrusion-mode
{ blockmac | disableport |
disableport-temporarily }
By default, intrusion protection is
disabled.
4. Return to system view.
quit N/A
5. Set the silence timeout period
during which a port remains
disabled.
port-security timer disableport
time-value
Optional.
20 seconds by default.
Enabling port security traps
You can configure the port security module to send traps for the following categories of events:
• addresslearned—Learning of new MAC addresses.
• dot1xlogfailure/dot1xlogon/dot1xlogoff—802.1X authentication failure, success, and 802.1X
user logoff.
• ralmlogfailure/ralmlogon/ralmlogoff—MAC authentication failure, MAC authentication user
logon, and MAC authentication user logoff.
• intrusion—Detection of illegal frames.
To enable port security traps:
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enable port security traps.
port-security trap { addresslearned
| dot1xlogfailure | dot1xlogoff |
dot1xlogon | intrusion |
ralmlogfailure | ralmlogoff |
ralmlogon }
By default, port security traps are
disabled.
Configuring secure MAC addresses
Secure MAC addresses are configured or learned in autoLearn mode and can survive link down/up
events. You can bind a secure MAC address to only one port in a VLAN.
To Next Page
Loading...
Need help?
General