blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC addresses list
and discards frames with blocked source MAC addresses. A blocked MAC address is restored to
normal after being blocked for three minutes, which is fixed and cannot be changed.
disableport: Disables the port permanently.
disableport-temporarily: Disables the port for a specified period of time. Use the port-security
timer disableport command to set the period.
Follow these steps to configure the intrusion protection feature:
To do...                         Use the command...               Remarks
-------------------------------  -------------------------------  --------------------------------
Enter system view                system-view                      —

Enter interface view             interface interface-type         —
                                 interface-number

Configure the intrusion          port-security intrusion-mode     Required
protection feature               { blockmac | disableport |       By default, intrusion protection
                                 disableport-temporarily }        is disabled.

Return to system view            quit                             —

Set the silence timeout during   port-security timer              Optional
which a port remains disabled    disableport time-value           20 seconds by default

On a port operating in either the macAddressElseUserLoginSecure mode or the
macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC
authentication and 802.1X authentication for the same frame fail.

Configuring Trapping

The trapping feature enables a device to send trap information in response to four types of events:
addresslearned: Learning of a new address.
dot1xlogfailure/dot1xlogon/dot1xlogoff: 802.1x authentication failure/successful 802.1x
authentication/802.1x user logoff.
ralmlogfailure/ralmlogoff: MAC authentication failure/MAC authentication user logoff.
intrusion: Finding of illegal frames.

Follow these steps to configure port security trapping:

To do...                         Use the command...               Remarks
-------------------------------  -------------------------------  --------------------------------
Enter system view                system-view                      —

Enable port security traps       port-security trap               Required
                                 { addresslearned |               By default, no port security trap
                                 dot1xlogfailure | dot1xlogoff |  is enabled.
                                 dot1xlogon | intrusion |
                                 ralmlogfailure | ralmlogoff |
                                 ralmlogon }
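The following audit script is an added example, not part of the original guide or the vendor's tooling. It reads a saved configuration and reports each port's intrusion protection mode, the effective disableport timer, and whether the intrusion trap is enabled. The sample configuration, the interface names, and the assumption that configuration blocks are separated by `#` lines are constructed for illustration.

```python
import re

# Constructed sample configuration (not from the original page); the layout
# (blocks separated by "#") and interface names are illustrative assumptions.
SAMPLE_CONFIG = """\
#
 port-security trap addresslearned
 port-security timer disableport 30
#
interface GigabitEthernet1/0/1
 port-security intrusion-mode disableport-temporarily
#
interface GigabitEthernet1/0/2
 port-security intrusion-mode blockmac
#
interface GigabitEthernet1/0/3
#
"""

def audit(config):
    """Return (ports, timer, traps, findings) for a configuration text."""
    ports, traps, timer, current = {}, set(), 20, None  # 20 s is the documented default
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                       # assumed block separator
            current = None
        elif m := re.fullmatch(r"interface (\S+)", line):
            current = m.group(1)
            ports[current] = None             # None = intrusion protection disabled (default)
        elif (m := re.fullmatch(r"port-security intrusion-mode (blockmac|disableport|disableport-temporarily)", line)) and current:
            ports[current] = m.group(1)
        elif m := re.fullmatch(r"port-security timer disableport (\d+)", line):
            timer = int(m.group(1))
        elif m := re.fullmatch(r"port-security trap (\S+)", line):
            traps.add(m.group(1))
    findings = []
    for port, mode in ports.items():
        if mode is None:
            findings.append(f"{port}: intrusion protection disabled (default)")
        elif mode == "disableport-temporarily":
            findings.append(f"{port}: port re-enabled {timer} s after an intrusion")
        elif mode == "blockmac":
            findings.append(f"{port}: offending MAC unblocked after 3 minutes (fixed)")
    if any(ports.values()) and "intrusion" not in traps:
        findings.append("global: intrusion trap not enabled, illegal frames raise no trap")
    return ports, timer, traps, findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)[3]))
```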