To do...
Enter Layer 2 Ethernet interface
view
Configure the intrusion protection
feature
Return to system view
Set the silence timeout period
during which a port remains
disabled
NOTE:
On a port operating in either the macAddressElseUserLoginSecure mode or the
macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC
authentication and 802.1X authentication for the same frame fail.
Configuring port security traps
You can configure the port security module to send traps for the following categories of events:
•
addresslearned—Learning of new MAC addresses.
dot1xlogfailure/dot1xlogon/dot1xlogoff—802.1X authentication failure/successful 802.1X
•
authentication/802.1X user logoff.
ralmlogfailure/ralmlogon/ralmlogoff—MAC authentication failure/MAC authentication user
•
logon/MAC authentication user logoff.
•
intrusion—Detection of illegal frames.
Follow these steps to enable port security traps:
To do...
Enter system view
Enable port security traps
Configuring secure MAC addresses
Secure MAC addresses never age out or get lost if saved before the device restarts. One secure MAC
address can be added to only one port in the same VLAN. You can bind a MAC address to one port in
the same VLAN.
Secure MAC addresses can be the following types:
•
Learned by a port operating in autoLearn mode.
Manually configured at the command line interface or in the management information base (MIB).
•
Use the command...
interface interface-type
interface-number
port-security intrusion-mode
{ blockmac | disableport |
disableport-temporarily }
quit
port-security timer disableport
time-value
Use the command...
system-view
port-security trap { addresslearned
| dot1xlogfailure | dot1xlogoff |
dot1xlogon | intrusion |
ralmlogfailure | ralmlogoff |
ralmlogon }
179
Remarks
—
Required
By default, intrusion protection is
disabled.
—
Optional
20 seconds by default
Remarks
—
Required
By default, port security traps are
disabled.