| Step | Command | Remarks |
|---|---|---|
| 2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
| 3. Configure the intrusion protection feature. | port-security intrusion-mode { blockmac \| disableport \| disableport-temporarily } | By default, intrusion protection is disabled. |
| 4. Return to system view. | quit | N/A |
| 5. Set the silence timeout period during which a port remains disabled. | port-security timer disableport time-value | Optional. 20 seconds by default. |

Enabling port security traps
You can configure the port security module to send traps for the following categories of events:
• addresslearned—Learning of new MAC addresses.
• dot1xlogfailure/dot1xlogon/dot1xlogoff—802.1X authentication failure, success, and 802.1X user logoff.
• ralmlogfailure/ralmlogon/ralmlogoff—MAC authentication failure, MAC authentication user logon, and MAC authentication user logoff.
• intrusion—Detection of illegal frames.
To enable port security traps:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable port security traps. | port-security trap { addresslearned \| dot1xlogfailure \| dot1xlogoff \| dot1xlogon \| intrusion \| ralmlogfailure \| ralmlogoff \| ralmlogon } | By default, port security traps are disabled. |

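The two procedures above (intrusion protection and port security traps) both leave the feature off by default, so a saved configuration is worth checking for ports and traps that were never switched on. The following audit script is an added example, not part of the original manual. It assumes a saved configuration in which interface-view commands are indented under their `interface` line; the sample configuration and interface names are constructed.

```python
import re

DEFAULT_DISABLEPORT_SECONDS = 20  # default silence timeout stated in the manual
MODES = {"blockmac", "disableport", "disableport-temporarily"}

# Constructed sample (assumed layout: interface commands indented, '#' separators).
SAMPLE_CONFIG = """\
port-security trap addresslearned
port-security timer disableport 30
#
interface GigabitEthernet1/0/1
 port-security intrusion-mode disableport-temporarily
#
interface GigabitEthernet1/0/2
#
"""

def audit(config: str) -> dict:
    """Report intrusion-protection mode per port, enabled traps, and gaps."""
    traps, timer, ports, current = set(), DEFAULT_DISABLEPORT_SECONDS, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # unindented line ends the interface view
            current = None
        if m := re.fullmatch(r"interface (.+)", line):
            current = m.group(1)
            ports[current] = None        # None = intrusion protection off (default)
        elif m := re.fullmatch(r"port-security intrusion-mode (\S+)", line):
            if current and m.group(1) in MODES:
                ports[current] = m.group(1)
        elif m := re.fullmatch(r"port-security trap (\S+)", line):
            traps.add(m.group(1))
        elif m := re.fullmatch(r"port-security timer disableport (\d+)", line):
            timer = int(m.group(1))
    findings = [f"{port}: intrusion protection disabled"
                for port, mode in ports.items() if mode is None]
    if "intrusion" not in traps:
        findings.append("intrusion trap not enabled: illegal frames raise no trap")
    return {"ports": ports, "traps": traps,
            "disable_seconds": timer, "findings": findings}

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print(f"silence timeout: {report['disable_seconds']} s")
    for finding in report["findings"]:
        print("FINDING:", finding)
```
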
Configuring secure MAC addresses
Secure MAC addresses are configured or learned in autoLearn mode and can survive link down/up
events. You can bind a secure MAC address to only one port in a VLAN.
IMPORTANT:
When the maximum number of secure MAC address entries is reached, the port changes to secure mode, and no more secure MAC addresses can be added or learned. The port allows only frames sourced from a secure MAC address or a MAC address configured by using the mac-address dynamic or mac-address static command to pass through.
Secure MAC addresses are classified as static, sticky, or dynamic.