179
To do… Use the command… Remarks
Enter Layer 2 Ethernet interface
view
interface interface-type
interface-number
—
Configure the intrusion protection
feature
port-security intrusion-mode
{ blockmac | disableport |
disableport-temporarily }
Required
By default, intrusion protection is
disabled.
Return to system view quit —
Set the silence timeout period
during which a port remains
disabled
port-security timer disableport
time-value
Optional
20 seconds by default
NOTE:
On a port operating in either the macAddressElseUserLoginSecure mode or the
macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC
authentication and 802.1X authentication for the same frame fail.
Configuring port security traps
You can configure the port security module to send traps for the following categories of events:
• addresslearned—Learning of new MAC addresses.
• dot1xlogfailure/dot1xlogon/dot1xlogoff—802.1X authentication failure/successful 802.1X
authentication/802.1X user logoff.
• ralmlogfailure/ralmlogon/ralmlogoff—MAC authentication failure/MAC authentication user
logon/MAC authentication user logoff.
• intrusion—Detection of illegal frames.
Follow these steps to enable port security traps:
To do… Use the command… Remarks
Enter system view system-view —
Enable port security traps
port-security trap { addresslearned
| dot1xlogfailure | dot1xlogoff |
dot1xlogon | intrusion |
ralmlogfailure | ralmlogoff |
ralmlogon }
Required
By default, port security traps are
disabled.
Configuring secure MAC addresses
Secure MAC addresses never age out or get lost if saved before the device restarts. One secure MAC
address can be added to only one port in the same VLAN. You can bind a MAC address to one port in
the same VLAN.
Secure MAC addresses can be the following types:
• Learned by a port operating in autoLearn mode.
• Manually configured at the command line interface or in the management information base (MIB).
To Next Page
Loading...
