1-2Port Security FeaturesNTKThe need to know (NTK) feature checks the destination MAC addresses in outbound frames and allowsframes to be sent to only devices passing authentication, thus preventing illegal devices fromintercepting network traffic.Intrusion protectionThe intrusion protection feature checks the source MAC addresses in inbound frames and takes apre-defined action accordingly upon detecting illegal frames. The action may be disabling the porttemporarily, disabling the port permanently, or blocking frames from the MAC address for three minutes(unmodifiable).TrapThe trap feature enables the device to send trap messages upon detecting specified frames that resultfrom, for example, intrusion or user login/logout operations, helping you monitor special activities.Port Security ModesTable 1-1 details the port security modes.Table 1-1 Port security modesSecurity mode Description FeaturesnoRestrictions Port security is disabled on the port and accessto the port is not restricted.In this mode, neitherthe NTK nor theintrusion protectionfeature is triggered.autoLearnIn this mode, a port can learn a specifiednumber of MAC addresses and save thoseaddresses as secure MAC addresses. Itpermits only frames whose source MACaddresses are secure MAC addresses or staticMAC addresses configured by using themac-address static command.When the number of secure MAC addressesreaches the upper limit, the port changes towork in secure mode and no more secure MACaddresses can be added.secureIn this mode, learning MAC address is disabledon the port. The port permits only frames whosesource MAC addresses are secure MACaddresses or static MAC addresses configuredby using the mac-address static command.In either mode, thedevice will trigger NTKand intrusionprotection upondetecting an illegalframe.In autoLearn mode,dynamic MACaddress learning isdisabled.userLoginIn this mode, a port performs 802.1Xauthentication of users in portbased mode.A port in this mode can service multiple 802.1Xusers, but allows only one at a moment.In this mode, neitherNTK nor intrusionprotection will betriggered.