Configuring port security features
Configuring NTK
The NTK feature checks the destination MAC addresses in outbound frames to make sure that frames are
forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address
is discarded.
The NTK feature supports the following modes:
•
ntkonly: Forwards only unicast frames with authenticated destination MAC addresses.
ntk-withbroadcasts: Forwards only broadcast frames and unicast frames with authenticated
•
destination MAC addresses.
ntk-withmulticasts: Forwards only broadcast frames, multicast frames, and unicast frames with
•
authenticated destination MAC addresses.
Follow these steps to configure the NTK feature:
To do...
Enter system view
Enter Layer 2 Ethernet interface
view
Configure the NTK feature
NOTE:
Support for the NTK feature depends on the port security mode.
Configuring intrusion protection
The intrusion protection enables a device to take one of the following actions in response to illegal
frames:
blockmac—Adds the source MAC addresses of illegal frames to the blocked MAC addresses list
•
and discards the frames. All subsequent frames sourced from a blocked MAC address will be
dropped. A blocked MAC address is restored to normal state after being blocked for three minutes.
The interval is fixed and cannot be changed.
•
disableport—Disables the port until you bring it up manually.
disableport-temporarily—Disables the port for a specified period of time. The period can be
•
configured with the port-security timer disableport command.
Follow these steps to configure the intrusion protection feature:
To do...
Enter system view
Use the command...
system-view
interface interface-type
interface-number
port-security ntk-mode
{ ntk-withbroadcasts |
ntk-withmulticasts | ntkonly }
Use the command...
system-view
178
Remarks
—
—
Required
By default, NTK is disabled on a
port and all frames are allowed to
be sent.
Remarks
—