To do...
Set the port security mode
NOTE:
After enabling port security, you can change the port security mode of a port only when the port is
operating in noRestrictions (the default) mode. To change the port security mode for a port in any other
mode, use the undo port-security port-mode command to restore the default port security mode first.
Configuring port security features
Configuring NTK
The NTK feature checks the destination MAC addresses in outbound frames to make sure that frames are
forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address
is discarded. Not all port security modes support triggering the NTK feature. For more information,
see
Table 10.
The NTK feature supports the following modes:
ntkonly—Forwards only unicast frames with authenticated destination MAC addresses.
•
ntk-withbroadcasts—Forwards only broadcast frames and unicast frames with authenticated
•
destination MAC addresses.
ntk-withmulticasts—Forwards only broadcast frames, multicast frames, and unicast frames with
•
authenticated destination MAC addresses.
Follow these steps to configure the NTK feature:
To do...
Enter system view
Enter Layer 2 Ethernet interface
view
Configure the NTK feature
Configuring intrusion protection
Intrusion protection enables a device to take one of the following actions in response to illegal frames:
Use the command...
port-security port-mode { autolearn |
mac-authentication |
mac-else-userlogin-secure |
mac-else-userlogin-secure-ext | secure
| userlogin | userlogin-secure |
userlogin-secure-ext |
userlogin-secure-or-mac |
userlogin-secure-or-mac-ext |
userlogin-withoui }
Use the command...
system-view
interface interface-type
interface-number
port-security ntk-mode
{ ntk-withbroadcasts |
ntk-withmulticasts | ntkonly }
206
Remarks
Required
By default, a port operates in
noRestrictions mode.
Remarks
—
—
Required
By default, NTK is disabled on a
port and all frames are allowed to
be sent.