Manualshelf

R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution
181182183184185186187188189190
171
Configuring port security features
Configuring NTK
The NTK feature checks destination MAC addresses in outbound frames to make sure frames are
forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address
is discarded. Not all port security modes support triggering the NTK feature. For more information,
see Table 8.
T
he NTK feature supports the following modes:
ntkonly—Forwards only unicast frames with authenticated destination MAC addresses.
ntk-withbroadcasts—Forwards only broadcast frames and unicast frames with authenticated
destination MAC addresses.
ntk-withmulticasts—Forwards only broadcast frames, multicast frames, and unicast frames with
authenticated destination MAC addresses.
To configure the NTK feature:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter interface view.
interface interface-type
interface-number
N/A
3. Configure the NTK feature.
port-security ntk-mode
{ ntk-withbroadcasts |
ntk-withmulticasts | ntkonly }
By default, NTK is disabled on a
port and all frames are allowed to
be sent.
Configuring intrusion protection
Intrusion protection enables a device to take one of the following actions in response to illegal frames:
blockmacAdds the source MAC addresses of illegal frames to the blocked MAC addresses list
and discards the frames. All subsequent frames sourced from a blocked MAC address will be
dropped. A blocked MAC address is restored to normal state after being blocked for 3 minutes. The
interval is fixed and cannot be changed.
disableportDisables the port until you bring it up manually.
disableport-temporarily—Disables the port for a specific period of time. The period can be
configured with the port-security timer disableport command.
On a port operating in either the macAddressElseUserLoginSecure mode or the
macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC
authentication and 802.1X authentication fail for the same frame.
To configure the intrusion protection feature:
Ste
p
Command
Remarks
1. Enter system view.
system-view N/A
2. Enter interface view.
interface interface-type
interface-number
N/A