Configuring intrusion protection
Intrusion protection enables a device to take one of the following actions in response to illegal frames:
blockmac—Adds the source MAC addresses of illegal frames to the blocked MAC addresses list and discards the frames. All subsequent frames sourced from a blocked MAC address will be dropped. A blocked MAC address is restored to normal state after being blocked for three minutes. The interval is fixed and cannot be changed.
disableport—Disables the port until you bring it up manually.
disableport-temporarily—Disables the port for a specific period of time. The period can be configured with the port-security timer disableport command.
On a port operating in either the macAddressElseUserLoginSecure mode or the macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC authentication and 802.1X authentication for the same frame fail.
To configure the intrusion protection feature:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter Layer 2 Ethernet interface view. | interface interface-type interface-number | N/A |
3. Configure the intrusion protection feature. | port-security intrusion-mode { blockmac \| disableport \| disableport-temporarily } | By default, intrusion protection is disabled. |
4. Return to system view. | quit | N/A |
5. Set the silence timeout period during which a port remains disabled. | port-security timer disableport time-value | Optional. 20 seconds by default. |
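The following is an added Python model of the behaviour described above; it is not vendor code and does not run on the device. The Port class, handle_frame function and the simplifying rule for modes other than macAddressElseUserLoginSecure(Ext) are assumptions of the model; the 180-second blockmac hold and the 20-second disableport default come from the text.

```python
# Illustrative model of the three intrusion-protection actions (not vendor code).
from dataclasses import dataclass, field
from math import inf
from typing import Optional

BLOCKMAC_HOLD = 180             # blockmac: fixed 3-minute block, not configurable
DEFAULT_DISABLEPORT_TIMER = 20  # port-security timer disableport default (seconds)

@dataclass
class Port:
    intrusion_mode: Optional[str] = None   # None = intrusion protection disabled (default)
    else_mode: bool = False                # True for macAddressElseUserLoginSecure(Ext)
    disableport_timer: int = DEFAULT_DISABLEPORT_TIMER
    disabled_until: Optional[float] = None # None = up, inf = down until manual undo
    blocked: dict = field(default_factory=dict)  # src MAC -> time it is unblocked

def _expire(port, now):
    """Age out blocked MACs and temporary port shutdowns that have elapsed."""
    port.blocked = {m: t for m, t in port.blocked.items() if t > now}
    if port.disabled_until is not None and port.disabled_until <= now:
        port.disabled_until = None

def port_is_up(port, now):
    _expire(port, now)
    return port.disabled_until is None

def bring_up(port):
    """Operator manually re-enables a port that 'disableport' shut down."""
    port.disabled_until = None

def handle_frame(port, src_mac, now, mac_auth_ok, dot1x_ok):
    """Return 'forward' or 'drop' for one frame arriving at time `now` (seconds)."""
    if not port_is_up(port, now) or src_mac in port.blocked:
        return "drop"
    if port.else_mode:
        illegal = not mac_auth_ok and not dot1x_ok   # both authentications must fail
    else:
        illegal = not mac_auth_ok   # assumption of the model for the other modes
    if not illegal:
        return "forward"
    if port.intrusion_mode == "blockmac":
        port.blocked[src_mac] = now + BLOCKMAC_HOLD
    elif port.intrusion_mode == "disableport":
        port.disabled_until = inf
    elif port.intrusion_mode == "disableport-temporarily":
        port.disabled_until = now + port.disableport_timer
    return "drop"  # the illegal frame itself is discarded (model assumption if disabled)
```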