| To do… | Use the command… | Remarks |
|---|---|---|
| Configure the intrusion protection feature | port-security intrusion-mode { blockmac \| disableport \| disableport-temporarily } | Required. By default, intrusion protection is disabled. |
| Return to system view | quit | — |
| Set the silence timeout during which a port remains disabled | port-security timer disableport time-value | Optional. 20 seconds by default. |

On a port operating in either the macAddressElseUserLoginSecure mode or the
macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC
authentication and 802.1X authentication for the same frame fail.
Configuring Trapping
The trapping feature enables a device to send trap information in response to four types of events:
- addresslearned: A port learns a new address.
- dot1xlogfailure/dot1xlogon/dot1xlogoff: A port learns 802.1x authentication failure/successful 802.1x authentication/802.1x user logoff.
- ralmlogfailure/ralmlogoff: A port learns MAC authentication failure/MAC authentication user logoff.
- intrusion: A port learns illegal frames.
Follow these steps to configure port security trapping:
| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enable port security traps | port-security trap { addresslearned \| dot1xlogfailure \| dot1xlogoff \| dot1xlogon \| intrusion \| ralmlogfailure \| ralmlogoff \| ralmlogon } | Required. By default, no port security trap is enabled. |

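An added example, not taken from the manual: a Python check that reads a saved configuration and reports which ports are left at the default of no intrusion protection and whether the intrusion trap is enabled, using the defaults stated in the tables above. The sample configuration, its "#"-separated layout, and the helper names `audit` and `findings` are assumptions made for illustration.

```python
import re

DEFAULT_TIMER = 20  # manual default; intrusion protection and traps default to off

# Constructed sample; the "#"-separated block layout is an assumption.
SAMPLE_CONFIG = """\
#
 port-security trap intrusion
 port-security trap dot1xlogfailure
 port-security timer disableport 60
#
interface GigabitEthernet1/0/1
 port-security intrusion-mode disableport-temporarily
#
interface GigabitEthernet1/0/2
 port-security intrusion-mode blockmac
#
interface GigabitEthernet1/0/3
#
"""

def audit(config):
    """Return (global settings, per-port intrusion mode) parsed from a config dump."""
    traps, timer, ports, current = set(), DEFAULT_TIMER, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            current = None                       # end of the current block
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = None                # None = intrusion protection off
        elif current and (m := re.fullmatch(r"port-security intrusion-mode (\S+)", line)):
            ports[current] = m.group(1)
        elif m := re.fullmatch(r"port-security timer disableport (\d+)", line):
            timer = int(m.group(1))              # silence timeout in seconds
        elif line.startswith("port-security trap "):
            traps.update(line.split()[2:])       # one or more trap keywords
    return {"traps": traps, "timer": timer}, ports

def findings(config):
    """List ports without intrusion protection and a missing intrusion trap."""
    glob, ports = audit(config)
    out = [f"{port}: intrusion protection disabled (default)"
           for port, mode in ports.items() if mode is None]
    if "intrusion" not in glob["traps"]:
        out.append("global: intrusion trap not enabled (default)")
    return out

if __name__ == "__main__":
    print(findings(SAMPLE_CONFIG))
```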
Configuring Secure MAC Addresses
Secure MAC addresses are special MAC addresses. They never age out or get lost if saved before the
device restarts. One secure MAC address can be added to only one port in the same VLAN. Thus, you
can bind a MAC address to one port in the same VLAN.
Secure MAC addresses can be:
- Learned by a port working in autoLearn mode.
- Manually configured through the command line interface (CLI) or management information base (MIB).
When the maximum number of secure MAC addresses is reached, no more can be added. The port
allows only packets whose source MAC address is a secure MAC address.