206
To do… Use the command… Remarks
Set the port security mode
port-security port-mode { autolearn |
mac-authentication |
mac-else-userlogin-secure |
mac-else-userlogin-secure-ext | secure
| userlogin | userlogin-secure |
userlogin-secure-ext |
userlogin-secure-or-mac |
userlogin-secure-or-mac-ext |
userlogin-withoui }
Required
By default, a port operates in
noRestrictions mode.
NOTE:
fter enablin
port security, you can change the port security mode of a port only when the port is
operating in noRestrictions (the default) mode. To change the port security mode for a port in any other
mode, use the undo port-security port-mode command to restore the default port security mode first.
Configuring port security features
Configuring NTK
The NTK feature checks the destination MAC addresses in outbound frames to make sure that frames are
forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address
is discarded. Not all port security modes support triggering the NTK feature. For more information,
see Table 10.
T
h
e NTK feature supports the following modes:
• ntkonly—Forwards only unicast frames with authenticated destination MAC addresses.
• ntk-withbroadcasts—Forwards only broadcast frames and unicast frames with authenticated
destination MAC addresses.
• ntk-withmulticasts—Forwards only broadcast frames, multicast frames, and unicast frames with
authenticated destination MAC addresses.
Follow these steps to configure the NTK feature:
To do… Use the command… Remarks
Enter system view system-view —
Enter Layer 2 Ethernet interface
view
interface interface-type
interface-number
—
Configure the NTK feature
port-security ntk-mode
{ ntk-withbroadcasts |
ntk-withmulticasts | ntkonly }
Required
By default, NTK is disabled on a
port and all frames are allowed to
be sent.
Configuring intrusion protection
Intrusion protection enables a device to take one of the following actions in response to illegal frames:
To Next Page
Loading...
Need help?
General