Lab 15: Configuring Switch Port Security
Lab objective:
Understand the basic port-security commands.
Lab steps:
1. Configure static MAC address binding on a port.
2. Configure dynamic (sticky) MAC address binding on a port.
3. Adjust the port-security default parameters.
Switch port security has three violation modes:
1. Shutdown: the port is put into err-disabled state; it recovers after 300 seconds.
2. Protect: drops the violating traffic.
3. Restrict: drops the violating traffic and creates a log entry.
1. Configure static MAC address binding on a port.
SW1(config)#inter f0/1
SW1(config-if)#swi mo acc
Enable port security; by default the port is allowed to learn one MAC address.
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security mac-address 0060.7064.E219
PC0 C:\>ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
After the test host PC1 pings 192.168.1.3, SW1 f0/1 goes err-disabled.
SW1#show inter f0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  1         Shutdown
---------------------------------------------------------------------------
SW1#show port-security address
Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports              Remaining Age
                                                                    (mins)
----    -----------       ----                -----              -------------
   1    0060.7064.E219    SecureConfigured    FastEthernet0/1       -
-------------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
SW1#show port-security inter f0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0090.2170.588C:1
Security Violation Count : 0
2. Configure dynamic (sticky) MAC address binding on a port.
SW1(config)#inter f0/3
SW1(config-if)#swi mo acc
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security mac-address sticky
PC5 Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
SW1#show running
At this point you can see that f0/3 has dynamically learned the MAC address of PC5. On real hardware you would normally use show running inter f0/3 instead.
interface FastEthernet0/3
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0002.179A.8A19
3. Adjust the port-security default parameters.
SW1(config)#inter f0/2
SW1(config-if)#swi mo acc
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 3
SW1(config-if)#switchport port-security mac-address 0060.2FDB.EBC7
SW1(config-if)#switchport port-security mac-address 0050.0FE4.3E57
When two or more MACs are bound, use Restrict: it only drops the violating traffic and does not shut down the port.
SW1(config-if)#switchport port-security violation restrict
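As an added example that is not part of this lab: a small Python checker that parses the "show port-security" summary table verified in step 1 and flags ports whose violation counter has fired, distinguishing the Shutdown (err-disabled) outcome from Restrict and Protect, and calling out Protect ports because that mode gives no log entry. The sample table, including the Fa0/2 and Fa0/3 rows, is constructed for this example.

```python
import re

# Constructed sample modelled on the lab's "show port-security" table;
# the Fa0/2 and Fa0/3 rows are made up for this example.
SAMPLE_SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  1         Shutdown
      Fa0/2              3            2                  0         Restrict
      Fa0/3              1            1                  0          Protect
---------------------------------------------------------------------------
"""

# One data row: port, max addresses, current addresses, violations, action
ROW = re.compile(r"^\s*(?P<port>\S+)\s+(?P<max>\d+)\s+(?P<cur>\d+)\s+(?P<viol>\d+)"
                 r"\s+(?P<action>Shutdown|Restrict|Protect)\s*$")


def parse_port_security(text):
    """Parse the summary table into one dict per secure port."""
    ports = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports.append({"port": m["port"], "max": int(m["max"]),
                          "current": int(m["cur"]),
                          "violations": int(m["viol"]), "action": m["action"]})
    return ports


def audit(ports):
    """Return (port, finding) pairs an operator should look at."""
    findings = []
    for p in ports:
        if p["violations"] > 0 and p["action"] == "Shutdown":
            # Shutdown mode: the port sits in err-disabled until it recovers
            findings.append((p["port"], "err-disabled after violation"))
        elif p["violations"] > 0:
            findings.append((p["port"], "violating frames dropped"))
        if p["action"] == "Protect":
            # Protect drops violating traffic without creating a log entry,
            # so the switch raises no alert; the counters are the only signal
            findings.append((p["port"], "protect mode: no log on violation"))
    return findings
```

Feed it the pasted output of "show port-security" from the switch; in the sample, Fa0/1 is reported as err-disabled and Fa0/3 as a silent Protect port.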