beautypg.com

Configuring port security features, Configuring ntk, Configuring intrusion protection – H3C Technologies H3C WX3000E Series Wireless Switches User Manual

Page 242

background image

228

Configuring port security features

Configuring NTK

The NTK feature checks the destination MAC addresses in outbound frames to make sure that frames are

forwarded only to authenticated devices. Any unicast frame with an unknown destination MAC address
is discarded. Not all port security modes support triggering the NTK feature. For more information,

see

Table 10.

The NTK feature supports the following modes:

ntkonly—Forwards only unicast frames with authenticated destination MAC addresses.

ntk-withbroadcasts—Forwards only broadcast frames and unicast frames with authenticated
destination MAC addresses.

ntk-withmulticasts—Forwards only broadcast frames, multicast frames, and unicast frames with
authenticated destination MAC addresses.

To configure the NTK feature:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enter interface view.

interface interface-type
interface-number

N/A

3.

Configure the NTK feature.

port-security ntk-mode

{ ntk-withbroadcasts |
ntk-withmulticasts | ntkonly }

By default, NTK is disabled on a
port and all frames are allowed to

be sent.

Configuring intrusion protection

The intrusion protection enables a device to take one of the following actions in response to illegal

frames:

blockmac—Adds the source MAC addresses of illegal frames to the blocked MAC addresses list
and discards the frames. All subsequent frames sourced from a blocked MAC address will be

dropped. A blocked MAC address is restored to normal state after being blocked for three minutes.
The interval is fixed and cannot be changed.

disableport—Disables the port until you bring it up manually.

disableport-temporarily—Disables the port for a specific period of time. The period can be
configured with the port-security timer disableport command.

On a port operating in either the macAddressElseUserLoginSecure mode or the

macAddressElseUserLoginSecureExt mode, intrusion protection is triggered only after both MAC

authentication and 802.1X authentication for the same frame fail.
To configure the intrusion protection feature:

Step Command

Remarks

1.

Enter system view.

system-view

N/A

2.

Enter interface view.

interface interface-type
interface-number

N/A