
Port security features, Intrusion protection, Trapping – H3C Technologies H3C S7500E Series Switches User Manual

Page 170: Port security modes


9-2

The security modes of the port security feature provide extended and combined use of 802.1X authentication and MAC authentication. They apply to scenarios that require both 802.1X authentication and MAC authentication. For scenarios that require only 802.1X authentication or only MAC authentication, we recommend configuring 802.1X authentication or MAC authentication directly rather than port security. For information about 802.1X and MAC authentication, see 802.1X Configuration and MAC Authentication Configuration in the Security Configuration Guide.

Port Security Features

NTK

The need to know (NTK) feature checks the destination MAC addresses in outbound frames and allows frames to be sent only to devices and hosts that have passed authentication or are using MAC addresses on the MAC address list. This prevents illegal devices from intercepting network traffic.

Intrusion protection

The intrusion protection feature checks the source MAC addresses in inbound frames for illegal frames and takes the pre-defined action on each detected illegal frame. The action may be disabling the port temporarily, disabling the port permanently, or blocking frames from the illegal MAC address for three minutes (unmodifiable).

Trapping

The trapping feature enables the device to send traps upon detecting specified frames that result from, for example, intrusion or user login/logout operations. This helps you monitor user behaviors.

Port Security Modes

Port security supports a set of port security modes, which fall into two categories:

- Control of MAC address learning: Contains two modes, autoLearn and secure. MAC address learning is permitted on a port in autoLearn mode and disabled in secure mode. Authentication is not involved.

- Authentication: Security modes of this category use MAC authentication, 802.1X authentication, or their combinations to implement authentication.

Upon receiving a frame, the port in a security mode searches the MAC address table for the source MAC address. If a match is found, the port forwards the frame. If no match is found, the port learns the MAC address or performs authentication according to the security mode. Upon detecting illegal frames or events, the port takes the pre-defined action configured in NTK, intrusion protection or trapping.

Table 9-1 describes the port security modes and the security features.
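The forwarding decision above, together with the intrusion-protection actions and NTK filtering described on this page, can be followed with a small simulation. This is an added example, not H3C code or the switch's actual implementation: the learning limit of two MAC addresses, the 30-second duration of "disable the port temporarily", and the move from autoLearn to secure mode once the limit is reached are assumptions; the three-minute MAC block is the value the page states. The frames fed through the port are constructed.

```python
"""Simulation of the port security decision logic described on this page.
Constructed example, not H3C code: the MAC limit, the temporary-disable
duration and the autoLearn-to-secure transition are assumptions."""
from dataclasses import dataclass, field

BLOCK_SECONDS = 180          # page: illegal MAC blocked for three minutes (unmodifiable)
TEMP_DISABLE_SECONDS = 30    # assumed duration of "disable the port temporarily"


@dataclass
class SecurePort:
    mode: str                                    # "autoLearn" or "secure"
    intrusion_action: str = "blockmac"           # "blockmac", "disableport-temporarily", "disableport"
    max_secure_macs: int = 2                     # assumed learning limit
    ntk: bool = True                             # need-to-know filtering on outbound frames
    secure_macs: set = field(default_factory=set)
    blocked: dict = field(default_factory=dict)  # mac -> time the block expires
    disabled_until: float = 0.0                  # port is down while now < disabled_until
    traps: list = field(default_factory=list)    # trap records for the monitoring station

    def is_up(self, now: float) -> bool:
        return now >= self.disabled_until

    def inbound(self, src_mac: str, now: float) -> str:
        """Decide the fate of an inbound frame: 'forward', 'learn' or 'drop'."""
        if not self.is_up(now):
            return "drop"                        # port disabled by intrusion protection
        if src_mac in self.blocked:
            if now < self.blocked[src_mac]:
                return "drop"                    # still inside the three-minute block
            del self.blocked[src_mac]            # block expired; evaluate the MAC afresh
        if src_mac in self.secure_macs:
            return "forward"                     # source MAC matches the MAC address table
        if self.mode == "autoLearn":
            self.secure_macs.add(src_mac)        # learning is permitted in autoLearn mode
            if len(self.secure_macs) >= self.max_secure_macs:
                self.mode = "secure"             # assumption: limit reached, learning stops
            return "learn"
        return self._intrusion(src_mac, now)     # secure mode: unknown source is illegal

    def _intrusion(self, src_mac: str, now: float) -> str:
        """Apply the configured intrusion-protection action and record a trap."""
        self.traps.append(("intrusion", src_mac, now))
        if self.intrusion_action == "blockmac":
            self.blocked[src_mac] = now + BLOCK_SECONDS
        elif self.intrusion_action == "disableport-temporarily":
            self.disabled_until = now + TEMP_DISABLE_SECONDS
        elif self.intrusion_action == "disableport":
            self.disabled_until = float("inf")   # permanently down until an operator acts
        return "drop"

    def outbound(self, dst_mac: str) -> bool:
        """NTK: deliver a frame only to a destination MAC on the secure list."""
        return (not self.ntk) or dst_mac in self.secure_macs


def demo() -> list:
    """Run constructed frames through an autoLearn port and return the trace."""
    port = SecurePort(mode="autoLearn", intrusion_action="blockmac")
    frames = [("00-aa", 0), ("00-bb", 1), ("00-cc", 2),
              ("00-aa", 3), ("00-cc", 100), ("00-cc", 182)]
    trace = [(src, t, port.inbound(src, t)) for src, t in frames]
    trace.append(("ntk", "00-aa", port.outbound("00-aa")))
    trace.append(("ntk", "00-cc", port.outbound("00-cc")))
    return trace


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

In the trace, the first two frames are learned and move the port to secure mode; the third source MAC is unknown, so it is dropped, blocked for 180 seconds and reported as a trap. When the block expires at second 182 the same MAC is judged again in secure mode and blocked a second time, which is the behaviour an operator watching the traps should expect from a persistently misbehaving station.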