Configuring Port Security Features

Configuring NTK

The need to know (NTK) feature checks the destination MAC addresses in outbound frames to allow frames to be forwarded to only devices passing authentication. The NTK feature supports three modes:

- ntkonly: Forwards only frames destined for authenticated MAC addresses.
- ntk-withbroadcasts: Forwards only frames destined for authenticated MAC addresses or the broadcast address.
- ntk-withmulticasts: Forwards only frames destined for authenticated MAC addresses, multicast addresses, or the broadcast address.

By default, NTK is disabled on a port and the port forwards all frames. With NTK configured, a port will discard any unicast packet with an unknown MAC address no matter in which mode it operates.

Follow these steps to configure the NTK feature:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter interface view | interface interface-type interface-number | — |
| Configure the NTK feature | port-security ntk-mode { ntk-withbroadcasts \| ntk-withmulticasts \| ntkonly } | Required. By default, NTK is disabled on a port and all frames are allowed to be sent. |

Support for the NTK feature depends on the port security mode.

Configuring Intrusion Protection

The intrusion protection enables a device to perform either of the following security policies when it detects illegal frames:

- blockmac: Adds the source MAC addresses of illegal frames to the blocked MAC addresses list and discards frames with blocked source MAC addresses. A blocked MAC address is restored to normal after being blocked for three minutes, which is fixed and cannot be changed.
- disableport: Disables the port permanently.
- disableport-temporarily: Disables the port for a specified period of time. Use the port-security timer disableport command to set the period.

Follow these steps to configure the intrusion protection feature:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | — |
| Enter interface view | interface interface-type interface-number | — |
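The NTK forwarding rule from the Configuring NTK section above, modelled as an added Python example (not code from the manual or the switch firmware). The function names and sample MAC addresses are constructed for illustration, and the multicast test assumes the standard group bit in the first octet of the address.

```python
import re

# Added illustration of the NTK egress rule; names here are hypothetical,
# not switch internals.
NTK_MODES = ("ntkonly", "ntk-withbroadcasts", "ntk-withmulticasts")


def normalize(mac):
    """Strip separators so 0011-2233-4455 and 00:11:22:33:44:55 compare equal."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def classify(mac):
    """Return 'broadcast', 'multicast' or 'unicast' for a destination MAC."""
    digits = normalize(mac)
    if digits == "f" * 12:
        return "broadcast"
    # The least significant bit of the first octet is the group bit.
    return "multicast" if int(digits[:2], 16) & 1 else "unicast"


def ntk_forward(mode, dst_mac, authenticated):
    """Decide whether an outbound frame is forwarded on the port.

    mode=None models the default: NTK disabled, all frames forwarded.
    authenticated holds the MACs that passed authentication on the port.
    """
    if mode is None:
        return True
    if mode not in NTK_MODES:
        raise ValueError(f"unknown NTK mode: {mode!r}")
    kind = classify(dst_mac)
    if kind == "unicast":
        # Unknown unicast is discarded in every NTK mode.
        return normalize(dst_mac) in {normalize(m) for m in authenticated}
    if kind == "broadcast":
        return mode in ("ntk-withbroadcasts", "ntk-withmulticasts")
    return mode == "ntk-withmulticasts"  # multicast destination


# Constructed sample data: one authenticated host, four outbound frames.
AUTHENTICATED = {"0011-2233-4455"}
FRAMES = ["0011-2233-4455", "00aa-bbcc-ddee", "ffff-ffff-ffff", "0100-5e00-00fb"]

if __name__ == "__main__":
    for mode in (None,) + NTK_MODES:
        print(mode or "disabled", [ntk_forward(mode, f, AUTHENTICATED) for f in FRAMES])
```

Each printed row lists the verdicts for the authenticated host, an unknown unicast address, the broadcast address and a multicast address, which makes it easy to see what a port stops sending when the mode is tightened.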