207
• blockmac—Adds the source MAC addresses of illegal frames to the blocked MAC addresses list
and discards the frames. All subsequent frames sourced from a blocked MAC address will be
dropped. A blocked MAC address is restored to normal state after being blocked for three minutes.
The interval is fixed and cannot be changed.
• disableport—Disables the port until you bring it up manually.
• disableport-temporarily—Disables the port for a specific period of time. The period can be
configured with the port-security timer disableport command.
On a port operating in either the macAddressElseUserLoginSecure mode or the
macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC
authentication and 802.1X authentication for the same frame fail.
Follow these steps to configure the intrusion protection feature:
To do… Use the command… Remarks
Enter system view system-view —
Enter Layer 2 Ethernet interface
view
interface interface-type
interface-number
—
Configure the intrusion protection
feature
port-security intrusion-mode
{ blockmac | disableport |
disableport-temporarily }
Required
By default, intrusion protection is
disabled.
Return to system view quit —
Set the silence timeout period
during which a port remains
disabled
port-security timer disableport
time-value
Optional
20 seconds by default
Enabling port security traps
You can configure the port security module to send traps for the following categories of events:
• addresslearned—Learning of new MAC addresses.
• dot1xlogfailure/dot1xlogon/dot1xlogoff—802.1X authentication failure, success, and 802.1X
user logoff.
• ralmlogfailure/ralmlogon/ralmlogoff—MAC authentication failure, MAC authentication user
logon, and MAC authentication user logoff.
• intrusion—Detection of illegal frames.
Follow these steps to enable port security traps:
To do… Use the command… Remarks
Enter system view system-view —
Enable port security traps
port-security trap { addresslearned
| dot1xlogfailure | dot1xlogoff |
dot1xlogon | intrusion |
ralmlogfailure | ralmlogoff |
ralmlogon }
Required
By default, port security traps are
disabled.
To Next Page
Loading...
Need help?
General