133
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter interface view.
interface
interface-type
interface-number
N/A
3. Configure the NTK feature.
port-security ntk-mode
{
ntk-withbroadcasts
|
ntk-withmulticasts
|
ntkonly
}
By default, NTK is disabled on a
port and all frames are allowed to
be sent.
Configuring intrusion protection
Intrusion protection enables a device to take one of the following actions in response to illegal
frames:
• blockmac—Adds the source MAC addresses of illegal frames to the blocked MAC addresses
list and discards the frames. All subsequent frames sourced from a blocked MAC address will
be dropped. A blocked MAC address is restored to normal state after being blocked for 3
minutes. The interval is fixed and cannot be changed.
• disableport—Disables the port until you bring it up manually.
• disableport-temporarily—Disables the port for a specific period of time. The period can be
configured with the port-security timer disableport command.
On a port operating in either the macAddressElseUserLoginSecure mode or the
macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC
authentication and 802.1X authentication fail for the same frame.
To configure the intrusion protection feature:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter interface view.
interface
interface-type
interface-number
N/A
3. Configure the intrusion
protection feature.
port-security intrusion-mode
{
blockmac
|
disableport
|
disableport-temporarily
}
By default, intrusion protection is
disabled.
The
disableport
keyword is
supported only on Layer 2
Ethernet interfaces.
4. Return to system view.
quit
N/A
5. Set the silence timeout
period during which a port
remains disabled.
port-security timer
disableport
time-value
Optional.
The default setting is 20 seconds.
Enabling port security traps
You can configure the port security module to send traps for the following categories of events:
• addresslearned—Learning of new MAC addresses.
• dot1xlogfailure/dot1xlogon/dot1xlogoff—802.1X authentication failure, success, and
802.1X user logoff.
• ralmlogfailure/ralmlogon/ralmlogoff—MAC authentication failure, MAC authentication user
logon, and MAC authentication user logoff.
• intrusion—Detection of illegal frames.
To Next Page
Loading...
Need help?
General
