147
Configure the NTK feature
port-security ntk-mode { ntk-
withbroadcasts | ntk-
withmulticasts | ntkonly }
Required
By default, NTK is disabled on a
port and all frames are allowed to
be sent.
NOTE:
Support for the NTK feature depends on the port security mode.
Configuring intrusion protection
Intrusion protection enables a device to take one of the following actions in response to illegal frames:
blockmac—Adds the source MAC addresses of illegal frames to the blocked MAC addresses list
and discards the frames. All subsequent frames sourced from a blocked MAC address will be
dropped. A blocked MAC address is restored to normal state after being blocked for three minutes.
The interval is fixed and cannot be changed.
disableport—Disables the port until you bring it up manually.
disableport-temporarily—Disables the port for a specified period of time. The period can be
configured with the port-security timer disableport command.
Follow these steps to configure the intrusion protection feature:
Enter Layer 2 Ethernet interface
view
interface interface-type interface-
number
Configure the intrusion protection
feature
port-security intrusion-mode {
blockmac | disableport |
disableport-temporarily }
Required
By default, intrusion protection is
disabled.
Set the silence timeout period
during which a port remains
disabled
port-security timer disableport
time-value
Optional
20 seconds by default
NOTE:
On a port operating in either the macAddressElseUserLoginSecure mode or the
macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC
authentication and 802.1X authentication for the same frame fail.
Configuring port security traps
You can configure the port security module to send traps for the following categories of events:
addresslearned—Learning of new MAC addresses.
dot1xlogfailure/dot1xlogon/dot1xlogoff—802.1X authentication failure/successful 802.1X
authentication/802.1X user logoff.
To Next Page
Loading...
