Step 1: Enable port security on the port in question
Step 2: Configure which host MAC addresses are learned
Step 3: Specify the security violation action (the default is to shut the port down permanently)
Step 4: If the violation action is to shut the port down, configure the err-disable timer; the err-disable timer is a global value.
Configuration procedure
1. Configure the maximum number of MAC addresses allowed on each port
1) Enter global configuration mode: configure terminal
2) Enter interface configuration mode: interface <interface>
3) Set the interface mode:
switchport mode access|trunk
Note: port security cannot be enabled on an interface that is still in its default mode (dynamic negotiation)
4) Set the maximum number of MAC addresses:
switchport port-security maximum <max> [vlan {<vlan-list> | access | voice}]
The optional vlan keyword sets the maximum per VLAN: <vlan-list> names specific VLANs, access means the port's access VLAN, and voice means its voice VLAN.
2. Configure the MAC addresses allowed on the port
1) Enter interface configuration mode: interface <interface>
2) Configure the allowed MAC addresses
Manual assignment:
switchport port-security mac-address <mac-address> [vlan {<vlan-id> | access | voice}]
Dynamic learning: the switch learns MAC addresses dynamically and adds them to the MAC address table; they are lost when the switch reboots.
Sticky addresses: can be learned dynamically or configured by hand; once learned they are added to the MAC address table, and if the configuration is saved the switch no longer needs to relearn those addresses after a reboot.
switchport port-security mac-address sticky
3. Configure the security violation action
1) Enter interface configuration mode: interface <interface>
2) Configure the action taken on a violation
switchport port-security violation protect|restrict|shutdown
protect: when the number of secure MAC addresses reaches the port's configured maximum, the switch keeps forwarding but drops frames from new hosts until enough MAC addresses are removed to fall below the maximum.
restrict: the switch keeps forwarding and sends a trap to the SNMP network management station.
shutdown: the switch err-disables the port, permanently or for a set period, and sends an SNMP trap.
In shutdown mode the err-disable recovery timer must be configured (global configuration mode; the cause keyword is the same psecure-violation string that appears in the syslog messages further down):
errdisable recovery cause psecure-violation
Enables automatic recovery of ports err-disabled by a port-security violation
errdisable recovery interval <seconds>
Example:
switch(config)# interface gigabitethernet0/1
switch(config-if)# switchport mode access
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 50
switch(config-if)# switchport port-security mac-address sticky
--------------------------------------------------------------------
switch(config)# interface f0/1
switch(config-if)# switchport mode access
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 1
switch(config-if)# switchport port-security mac-address 0000.0000.0008
switch(config-if)# switchport port-security violation restrict
switch(config)# interface f0/2
switch(config-if)# switchport mode access
switch(config-if)# switchport port-security
switch(config-if)# switchport port-security maximum 1
switch(config-if)# switchport port-security mac-address 0000.0000.0011
switch(config-if)# switchport port-security violation shutdown
-----------------------------------------------------------------------
Example:
switch(config)#int f0/1
switch(config-if)#switchport port-security
command rejected: fa0/1 is not an access port. // enabling port security before setting the port mode gives this error
switch(config-if)#swit mode access
switch(config-if)#switchport port-security // enable port security
switch(config-if)#switchport port-security maximum ?
<1-132> maximum addresses
switch(config-if)#do show mac-address-table
mac address table
-------------------------------------------
vlan mac address type ports
---- ----------- -------- -----
all 000d.6564.0280 static cpu
all 0100.0ccc.cccc static cpu
all 0100.0ccc.cccd static cpu
all 0100.0cdd.dddd static cpu
1 000b.5f2c.2097 dynamic fa0/23
1 0010.7b35.e9b6 dynamic fa0/1 // this is the address of the router connected to fa0/1
1 00a1.b003.3cd7 dynamic fa0/18
10 000b.5f2c.2097 dynamic fa0/23
20 000b.5f2c.2097 dynamic fa0/23
30 000b.5f2c.2097 dynamic fa0/23
40 000b.5f2c.2097 dynamic fa0/23
100 000b.5f2c.2097 dynamic fa0/23
200 000b.5f2c.2097 dynamic fa0/23
201 000b.5f2c.2097 dynamic fa0/23
202 000b.5f2c.2097 dynamic fa0/23
total mac addresses for this criterion: 15
------------------------------------------------------------------
[ Source: Guizhou Study Network (贵州学习网), IT certification / Cisco certification, http://Www.gzU521.com ]
switch(config-if)#switchport port-security mac-address 0010.7b35.e9b6
switch(config-if)#switchport port-security violation shutdown
switch#show port-security interface f0/1
port security : enabled
port status : secure-up
violation mode : shutdown
aging time : 0 mins
aging type : absolute
securestatic address aging : disabled
maximum mac addresses : 1
total mac addresses : 1
configured mac addresses : 1
sticky mac addresses : 0
last source address : 0010.7b35.e9b6
security violation count : 1
-----------------------------------------------------
switch#show port-security
secure port maxsecureaddr currentaddr securityviolation security action
(count) (count) (count)
---------------------------------------------------------------------------
fa0/1 1 1 0 shutdown
---------------------------------------------------------------------------
total addresses in system (excluding one mac per port) : 0
max addresses limit in system (excluding one mac per port) : 1024
---------------------------------------------------------------------------
switch#show port-security address
secure mac address table
-------------------------------------------------------------------
vlan mac address type ports remaining age
(mins)
---- ----------- ---- ----- -------------
1 0010.7b35.e9b6 secureconfigured fa0/1 -
-------------------------------------------------------------------
total addresses in system (excluding one mac per port) : 0
max addresses limit in system (excluding one mac per port) : 1024
Now we connect the host with MAC address 00a1.b003.3cd7 to f0/1, and the following messages appear:
00:24:08: %pm-4-err_disable: psecure-violation error detected on fa0/1, putting fa0/1 in err-disable state
00:24:08: %port_security-2-psecure_violation: security violation occurred, caused by mac address 00a1.b003.3cd7 on port fastethernet0/1.
00:24:09: %lineproto-5-updown: line protocol on interface fastethernet0/1, changed state to down
00:24:10: %link-3-updown: interface fastethernet0/1, changed state to down
-----------------------------------------
switch#show port-security
secure port maxsecureaddr currentaddr securityviolation security action
(count) (count) (count)
---------------------------------------------------------------------------
fa0/1 1 1 1 shutdown
---------------------------------------------------------------------------
total addresses in system (excluding one mac per port) : 0
max addresses limit in system (excluding one mac per port) : 1024
-------------------------------------------------------------------
switch#show port-security interface f0/1
port security : enabled
port status : secure-shutdown
violation mode : shutdown
aging time : 0 mins
aging type : absolute
securestatic address aging : disabled
maximum mac addresses : 1
total mac addresses : 1
configured mac addresses : 1
sticky mac addresses : 0
last source address : 00a1.b003.3cd7
security violation count : 1
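The `show port-security interface` output and the `%PORT_SECURITY-2-PSECURE_VIOLATION` syslog line above are what an operator actually has to watch. The following is an added example (not part of the original article or any Cisco tool) that parses both formats and reports the conditions worth a ticket; the sample text is constructed from the output shown on this page.

```python
import re
# Constructed sample of the "show port-security interface" output format on this page.
SHOW_PSEC_IF = """\
port security : enabled
port status : secure-shutdown
violation mode : shutdown
maximum mac addresses : 1
total mac addresses : 1
sticky mac addresses : 0
last source address : 00a1.b003.3cd7
security violation count : 1
"""

# Constructed syslog lines in the format quoted on this page.
SYSLOG = """\
00:24:08: %pm-4-err_disable: psecure-violation error detected on fa0/1, putting fa0/1 in err-disable state
00:24:08: %port_security-2-psecure_violation: security violation occurred, caused by mac address 00a1.b003.3cd7 on port fastethernet0/1.
00:24:09: %lineproto-5-updown: line protocol on interface fastethernet0/1, changed state to down
"""

def parse_psec_interface(text):
    """Turn the 'key : value' lines into a dict; purely numeric counters become ints."""
    state = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, val = (s.strip().lower() for s in line.split(":", 1))
        state[key] = int(val) if val.isdigit() else val
    return state

VIOLATION_RE = re.compile(
    r"%port_security-2-psecure_violation:.*caused by mac address "
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (\S+?)\.?$", re.I)

def violations_from_syslog(log):
    """Return (mac, port) for every PSECURE_VIOLATION line in the log."""
    return [(m.group(1).lower(), m.group(2).lower())
            for m in map(VIOLATION_RE.search, log.splitlines()) if m]

def audit(state):
    """Findings an operator would want from one interface's port-security state."""
    findings = []
    if state.get("port security") != "enabled":
        findings.append("port security not enabled")
    if state.get("port status") == "secure-shutdown":
        findings.append("err-disabled by a violation; needs errdisable recovery or a manual shut/no shut")
    if state.get("security violation count", 0) > 0:
        findings.append("%d violation(s), last source %s" % (
            state["security violation count"], state.get("last source address")))
    return findings
```

Feeding the same parser the pre-violation output shown earlier (status secure-up, violation count 0) yields no findings, so it can be run across a full `show port-security interface` sweep to list only the ports that changed.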
This article comes from the IXPUB technical community (www.ixpub.net); original source: http://www.ixpub.net/thread-866243-1-1.html