Feb 1(21:14-22:14)
Review experiment 15: configuring switch port security
Port security has three violation modes:
1. Shutdown (the default): drops the violating frame, increments the violation counter, and puts the port into the err-disabled state. The port stays down until shutdown / no shutdown is issued on it, or until errdisable recovery for the psecure-violation cause is enabled (the default recovery interval is 300 seconds; there is no automatic recovery unless it is configured).
2. Protect: silently drops frames from unknown source MACs once the maximum has been reached. No log message, no SNMP trap, and the violation counter is not incremented, so violations are invisible unless you are watching the port.
3. Restrict: drops the violating frames, generates a syslog message / SNMP trap, and increments the violation counter; the port stays up.
The mode is chosen independently of how many addresses the port may learn (that is set with switchport port-security maximum).
1. Statically binding a MAC address to a port.
SW1(config)#inter f0/1
SW1(config-if)#swi mo acc
Enable port security; by default a single MAC address is allowed on the port.
SW1(config-if)#switchport port-security
Specify the permitted MAC address (PC0):
SW1(config-if)#switchport port-security mac-address 0060.7064.E219
PC0 C:\>ping 192.168.1.3
Pinging 192.168.1.3 with 32 bytes of data:
Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
When the test host PC1 sends traffic through f0/1 (ping 192.168.1.3), its source MAC is not the secured one, so SW1 puts f0/1 into err-disabled:
SW1#show inter f0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
SW1#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                 (Count)      (Count)         (Count)
---------------------------------------------------------------------------
      Fa0/1             1            1                  1         Shutdown
---------------------------------------------------------------------------
View the secure MAC addresses (the Type column shows whether each was configured statically, learned sticky, or learned dynamically):
SW1#show port-security address
               Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports            Remaining Age
                                                                  (mins)
----    -----------       ----                -----            -------------
   1    0060.7064.E219    SecureConfigured    FastEthernet0/1       -
-------------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
View all port-security attributes of the port. Note that this capture shows f0/1 Secure-up with a violation count of 0, so it was taken while the port was up and had no violation recorded, not in the err-disabled state shown above; Last Source Address is simply the last source MAC seen on the port:
SW1#show port-security inter f0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0090.2170.588C:1
Security Violation Count : 0
2. Dynamic binding with sticky MAC addresses.
SW1(config)#inter f0/3
SW1(config-if)#swi mo acc
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security mac-address sticky
On PC5, ping 192.168.1.1:
Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time<1ms TTL=128
SW1#show running
The running config now shows that f0/3 has sticky-learned PC5's MAC address. On real hardware you would normally narrow the output with show running-config interface f0/3. Sticky addresses live only in the running config, so save with copy running-config startup-config or they are lost on reload.
interface FastEthernet0/3
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0002.179A.8A19
3. Changing the default port-security parameters: maximum 3 addresses, violation mode restrict.
SW1(config)#inter f0/2
SW1(config-if)#swi mo acc
SW1(config-if)#switchport port-security
SW1(config-if)#switchport port-security maximum 3
SW1(config-if)#switchport port-security mac-address 0060.2FDB.EBC7
SW1(config-if)#switchport port-security mac-address 0050.0FE4.3E57
With two static bindings and a maximum of 3, the third address is learned dynamically. Switching the violation mode to restrict means a fourth MAC only has its frames dropped, counted and logged, instead of err-disabling the whole port:
SW1(config-if)#switchport port-security violation restrict
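The three violation modes listed at the top and the three configuration steps above, collected into one complete SW1 configuration. This is an added example, not a capture from the original lab: the errdisable recovery settings, interface FastEthernet0/4 (used only to show protect mode), and the recovery commands at the end are assumptions added here, while the interface names and MAC addresses come from the notes above.

```cisco
! Assumed global settings (not in the original lab): automatically re-enable
! ports that were err-disabled by a port-security violation. Without this,
! a port in shutdown mode stays down until an operator intervenes.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Step 1: f0/1, one statically bound MAC, default violation mode (shutdown).
! "maximum 1" and "violation shutdown" are the defaults and are written out
! here only to make the policy explicit.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address 0060.7064.E219
!
! Step 2: f0/3, sticky learning. The first MAC seen is written into the
! running config as "switchport port-security mac-address sticky <mac>".
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
!
! Step 3: f0/2, up to 3 addresses (two static, one learned dynamically).
! restrict keeps the port up but drops, counts and logs every violating frame.
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address 0060.2FDB.EBC7
 switchport port-security mac-address 0050.0FE4.3E57
!
! Assumed extra port, not in the lab: protect mode. Violating frames are
! dropped silently with no log and no counter increment, so prefer restrict
! wherever you want violations to be visible.
interface FastEthernet0/4
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation protect
!
! Verification and manual recovery (exec / config mode):
!   SW1# show port-security
!   SW1# show port-security interface FastEthernet0/1
!   SW1# show interfaces status err-disabled
!   SW1(config)# interface FastEthernet0/1
!   SW1(config-if)# shutdown
!   SW1(config-if)# no shutdown
!
! Persist sticky-learned addresses across a reload:
!   SW1# copy running-config startup-config
```

The recovery cause list and interval are global, so they also apply to any other err-disable cause you enable later; check show errdisable recovery after configuring it to confirm that psecure-violation is listed as enabled.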