R2511-HP MSR Router Series Security Configuration Guide(V5)
Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Configure the NTK feature.
    Command: port-security ntk-mode { ntk-withbroadcasts | ntk-withmulticasts | ntkonly }
    Remarks: By default, NTK is disabled on a port and all frames are allowed to be sent.
The following matrix shows the feature and router compatibility:
Feature   MSR900   MSR93X   MSR20-1X   MSR20   MSR30   MSR50   MSR1000
NTK       Yes      No       Yes        Yes     Yes     Yes     Yes
Configuring intrusion protection
Intrusion protection enables a device to take one of the following actions in response to illegal frames:
• blockmac—Adds the source MAC addresses of illegal frames to the blocked MAC addresses list
and discards the frames. All subsequent frames sourced from a blocked MAC address will be
dropped. A blocked MAC address is restored to normal state after being blocked for 3 minutes. The
interval is fixed and cannot be changed.
• disableport—Disables the port until you bring it up manually.
• disableport-temporarily—Disables the port for a specific period of time. The period can be
configured with the port-security timer disableport command.
On a port operating in either the macAddressElseUserLoginSecure mode or the
macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC
authentication and 802.1X authentication fail for the same frame.
To configure the intrusion protection feature:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter interface view.
    Command: interface interface-type interface-number
    Remarks: N/A
Step 3. Configure the intrusion protection feature.
    Command: port-security intrusion-mode { blockmac | disableport | disableport-temporarily }
    Remarks: By default, intrusion protection is disabled. The disableport keyword is supported only on Layer 2 Ethernet interfaces.
Step 4. Return to system view.
    Command: quit
    Remarks: N/A
Step 5. Set the silence timeout period during which a port remains disabled.
    Command: port-security timer disableport time-value
    Remarks: Optional. The default setting is 20 seconds.
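An added example, not part of HP's guide: a Python audit of a saved configuration that reports, per interface, where NTK or intrusion protection is still at the default described above and which silence period applies to disableport-temporarily. The sample configuration, its interface names and its "#"-separated layout are constructed assumptions.

```python
import re

DEFAULT_TIMER = 20  # seconds; default of "port-security timer disableport" per the guide
# Constructed sample; interface names and the "#" layout are assumptions.
SAMPLE_CONFIG = """\
port-security timer disableport 60
#
interface Ethernet0/1
 port-security ntk-mode ntkonly
 port-security intrusion-mode disableport-temporarily
#
interface Ethernet0/2
 port-security intrusion-mode blockmac
#
interface Ethernet0/3
 description uplink
#
"""

def parse(config_text):
    """Return (silence timer in seconds, {interface: {"ntk": ..., "intrusion": ...}})."""
    timer, ports, current = DEFAULT_TIMER, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith((" ", "\t")):
            current = None  # an unindented line ends the interface view
        if m := re.fullmatch(r"interface (\S+)", line):
            current = ports.setdefault(m.group(1), {"ntk": None, "intrusion": None})
        elif (m := re.fullmatch(r"port-security timer disableport (\d+)", line)) and current is None:
            timer = int(m.group(1))  # system-view command, so only honoured outside an interface
        elif (m := re.fullmatch(r"port-security (ntk|intrusion)-mode (\S+)", line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return timer, ports

def audit(config_text):
    """Return {interface: [notes]} for settings left at a default or governed by the timer."""
    timer, ports = parse(config_text)
    report = {}
    for name, p in ports.items():
        notes = []
        if p["ntk"] is None:
            notes.append("NTK disabled (default): all frames are allowed to be sent")
        if p["intrusion"] is None:
            notes.append("intrusion protection disabled (default)")
        elif p["intrusion"] == "disableport-temporarily":
            notes.append(f"port stays disabled for {timer} seconds after an intrusion")
        report[name] = notes
    return report
```

Calling audit(SAMPLE_CONFIG) returns one list of notes per interface; an empty list means both features are set explicitly and the timer does not apply.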
Enabling port security traps
You can configure the port security module to send traps for the following categories of events:
• addresslearned—Learning of new MAC addresses.










