Configuring intrusion protection
Intrusion protection enables a device to take one of the following actions in response to illegal frames:
blockmac—Adds the source MAC addresses of illegal frames to the blocked MAC address list and discards the frames. All subsequent frames sourced from a blocked MAC address are dropped. A blocked MAC address is restored to normal state after being blocked for 3 minutes. The interval is fixed and cannot be changed.
disableport—Disables the port until you bring it up manually.
disableport-temporarily—Disables the port for a period of time. The period can be configured with the port-security timer disableport command.
To configure the intrusion protection feature:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the intrusion protection feature. | port-security intrusion-mode { blockmac \| disableport \| disableport-temporarily } | By default, intrusion protection is disabled. |
4. Return to system view. | quit | N/A |
5. (Optional.) Set the silence timeout period during which a port remains disabled. | port-security timer disableport time-value | By default, the port silence timeout is 20 seconds. |
NOTE: On a port operating in either macAddressElseUserLoginSecure mode or macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1X authentication fail for the same frame.
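The following audit script is an added example, not part of the original documentation: it reads a saved configuration and reports, per interface, which intrusion protection action applies, using the defaults stated above (disabled when the command is absent, 20-second silence timeout). The interface names, the sample text and the assumed file layout ("#" section separators, indented sub-commands) are constructed for illustration.

```python
import re

DEFAULT_TIMER = 20  # seconds; default port silence timeout stated above

# Constructed sample. Assumed layout of a saved configuration: "#" between
# sections, "interface <name>" headers, sub-commands indented beneath them.
SAMPLE_CONFIG = """\
#
 port-security timer disableport 60
#
interface GigabitEthernet1/0/1
 port-security intrusion-mode blockmac
#
interface GigabitEthernet1/0/2
 port-security intrusion-mode disableport-temporarily
#
interface GigabitEthernet1/0/3
 description uplink
#
"""

MODE_RE = re.compile(
    r"port-security intrusion-mode (blockmac|disableport|disableport-temporarily)")
TIMER_RE = re.compile(r"port-security timer disableport (\d+)")

def audit(config_text):
    """Return ({interface: intrusion mode or None}, disableport timer in seconds)."""
    modes, timer, current = {}, DEFAULT_TIMER, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in ("", "#"):
            current = None                      # section ended
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            modes[current] = None               # no command seen yet: disabled by default
        elif current and (m := MODE_RE.fullmatch(line)):
            modes[current] = m.group(1)
        elif current is None and (m := TIMER_RE.fullmatch(line)):
            timer = int(m.group(1))             # set in system view, so outside any interface
    return modes, timer

def report(config_text):
    modes, timer = audit(config_text)
    notes = {None: "intrusion protection disabled (default)",
             "blockmac": "offending source MAC blocked for 3 minutes",
             "disableport": "port stays down until brought up manually",
             "disableport-temporarily": f"port disabled for {timer} s"}
    return [f"{port}: {notes[mode]}" for port, mode in modes.items()]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```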