R3303-HP HSR6800 Routers Security Configuration Guide

| Step | Command | Remarks |
|---|---|---|
| 3. Configure the intrusion protection feature. | port-security intrusion-mode { blockmac \| disableport \| disableport-temporarily } | By default, intrusion protection is disabled. |
| 4. Return to system view. | quit | N/A |
| 5. Set the silence timeout period during which a port remains disabled. | port-security timer disableport time-value | Optional. 20 seconds by default. |

Enabling port security traps
You can configure the port security module to send traps for the following categories of events:
• addresslearned—Learning of new MAC addresses.
• dot1xlogfailure/dot1xlogon/dot1xlogoff—802.1X authentication failure, success, and 802.1X user logoff.
• ralmlogfailure/ralmlogon/ralmlogoff—MAC authentication failure, MAC authentication user logon, and MAC authentication user logoff.
• intrusion—Detection of illegal frames.
To enable port security traps:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable port security traps. | port-security trap { addresslearned \| dot1xlogfailure \| dot1xlogoff \| dot1xlogon \| intrusion \| ralmlogfailure \| ralmlogoff \| ralmlogon } | By default, port security traps are disabled. |

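
The intrusion protection and trap steps above combined into one CLI session, as an added example that is not part of the original guide. The interface name GigabitEthernet 1/0/1, the Sysname prompt, and the 30-second timer value are assumptions, and port security is assumed to be already enabled on the device and the port.

```text
# Constructed example: interface name, prompt, and timer value are assumptions.
# Disable the port temporarily when intrusion protection is triggered.
<Sysname> system-view
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
[Sysname-GigabitEthernet1/0/1] quit
# Keep the port disabled for 30 seconds instead of the default 20.
[Sysname] port-security timer disableport 30
# Send a trap whenever illegal frames are detected.
[Sysname] port-security trap intrusion
```
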
Configuring secure MAC addresses
Secure MAC addresses are configured or learned in autoLearn mode and can survive link down/up
events. You can bind a secure MAC address to only one port in a VLAN.
IMPORTANT:
When the maximum number of secure MAC address entries is reached, the port changes to secure mode, and no more secure MAC addresses can be added or learned. The port allows only frames sourced from a secure MAC address or a MAC address configured by using the mac-address dynamic or mac-address static command to pass through.
Secure MAC addresses include static, sticky, and dynamic secure MAC addresses.