Enabling port-security
Before enabling port-security, the switchport mode must first be changed from dynamic to access; if it is not changed, an error message appears.

Switch(config)#interface FastEthernet 0/1                 enter the FastEthernet0/1 interface configuration
Switch(config-if)#switchport port-security                enable port-security
Command rejected: FastEthernet0/1 is a dynamic port.      enabling fails
Switch(config-if)#switchport mode access                  change the switchport mode to access
Switch(config-if)#switchport port-security                enable port-security
After this change, port-security is enabled on the FastEthernet0/1 interface.

Checking the port-security status

Switch#show port-security interface fastEthernet 0/1    view the port-security settings of FastEthernet0/1
Port Security              : Enabled                    port security is enabled
Port Status                : Secure-down                Secure-down because no device is connected yet
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0          no device connected yet, so no MAC address has been recorded
Security Violation Count   : 0

Checking the port-security status again after connecting a device to FastEthernet0/1

Switch#show port-security interface fastEthernet 0/1 view the port-security settings of FastEthernet0/1
Port Security              : Enabled
Port Status                : Secure-up               after a device is connected the status changes to Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 00E0.8FD0.9C17:1        the MAC address has also been recorded
Security Violation Count   : 0

Binding a MAC address manually

Switch(config)#interface FastEthernet 0/1                              enter the FastEthernet0/1 interface configuration
Switch(config-if)#switchport port-security mac-address 00E0.8FD0.9C17  enter the MAC address manually
Found duplicate mac-address 00E0.8FD0.9C17                             rejected because the MAC address is already in the MAC address table
Switch(config-if)#shutdown                                             shut down the FastEthernet0/1 interface
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Switch(config-if)#switchport port-security mac-address 00E0.8FD0.9C17  entering the MAC address again now succeeds without an error message
Switch(config-if)#no shutdown                                          bring the FastEthernet0/1 interface up
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Switch(config-if)#end                                                  return to enable mode
Switch#show port-security interface fastEthernet 0/1                   view the port-security settings of FastEthernet0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 00E0.8FD0.9C17:1
Security Violation Count   : 0
If a different device whose MAC address has not been configured is connected now, the following messages appear:
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down

%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Switch#show port-security interface fastEthernet 0/1 view the port-security settings of FastEthernet0/1 again
Port Security              : Enabled
Port Status                : Secure-shutdown     the port status has changed to Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 00E0.8FD0.9C17:1
Security Violation Count   : 1

Setting the maximum number of addresses: maximum

Because the system shut down the FastEthernet0/1 interface just now, the interface must first be restarted.
Switch(config)#interface FastEthernet 0/1                 enter the FastEthernet0/1 interface configuration
Switch(config-if)#shutdown                                shut down the FastEthernet0/1 interface
Switch(config-if)#no shutdown                             bring the FastEthernet0/1 interface up
Switch(config-if)#switchport port-security maximum 2      set the maximum number of addresses to 2 (default is 1)
Switch(config-if)#end                                     return to enable mode
%SYS-5-CONFIG_I: Configured from console by console
Switch#show port-security interface fastEthernet 0/1      view the port-security settings of FastEthernet0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2                            the maximum has been changed to 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 00E0.8FD0.9C17:1
Security Violation Count   : 0

Recording MAC addresses automatically: sticky
Typing in MAC addresses by hand every time is tedious, so sticky can be used to have the switch record them automatically.

Switch(config)#interface FastEthernet 0/2                      enter the FastEthernet0/2 interface configuration
Switch(config-if)#switchport port-security maximum 2           set the maximum number of addresses to 2
Switch(config-if)#switchport port-security mac-address sticky  record MAC addresses automatically
Connect the two devices to the FastEthernet0/2 interface in turn and test connectivity, so that the switch records both MAC addresses.
Switch(config-if)#end                                     return to enable mode
%SYS-5-CONFIG_I: Configured from console by console
Switch#show port-security interface fastEthernet 0/2      view the port-security settings of FastEthernet0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 2
Sticky MAC Addresses       : 2                            two MAC addresses were recorded automatically
Last Source Address:Vlan   : 0090.2165.ED7D
Security Violation Count   : 0

Clearing recorded MAC addresses automatically: aging type, aging time
By default the switch keeps recorded MAC addresses permanently; to have the switch clear them automatically, use the "aging type" and "aging time" settings.

Switch(config-if)#switchport port-security aging type ?
  absolute    Absolute aging (default)
  inactivity  Aging based on inactivity time period

aging type has two settings, "absolute" (default) and "inactivity":
absolute: cleared automatically after a fixed period of time
inactivity: cleared automatically after a period of time with no traffic from the address

Switch(config-if)#switchport port-security aging type inactivity  set automatic clearing to "inactivity"
Switch(config-if)#switchport port-security aging time 600         clear the MAC address after 600 seconds (the show output above reports Aging Time in mins)

Setting how a violating MAC address is handled: violation
When the switch detects an unauthorized MAC address there are three ways to handle it: protect, restrict and shutdown (default).
protect: blocks the unauthorized MAC address (an authorized MAC address still works when reconnected)
restrict: blocks the unauthorized MAC address and records it in the log (an authorized MAC address still works when reconnected)
shutdown: blocks the unauthorized MAC address and shuts the port down (an authorized MAC address no longer works when reconnected); an administrator must bring the port back up before it can be used again
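The "show port-security interface" output shown throughout this post is what an operator actually checks after a violation. As an added example (not from the original post), the Python below parses that output format into per-interface fields and flags the conditions discussed above: a port left in Secure-shutdown, a non-zero violation count, and the protect mode that blocks without logging. The sample output is constructed to match the page's layout; the interface names and field values in it are assumptions.

```python
import re

# Constructed sample (not captured from the page's switch): two interfaces in
# the same layout as 'show port-security interface', trimmed to the fields used.
SAMPLE_OUTPUT = """\
Switch#show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 00E0.8FD0.9C17:1
Security Violation Count   : 1
Switch#show port-security interface fastEthernet 0/2
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Maximum MAC Addresses      : 2
Sticky MAC Addresses       : 2
Last Source Address:Vlan   : 0090.2165.ED7D:1
Security Violation Count   : 0
"""

HEADER = re.compile(r"^\S+#show port-security interface\s+(.+)")

def parse_show_port_security(text):
    """Return {interface: {field: value}} for every interface block in the output."""
    ports, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                       # new block: "fastEthernet 0/1" -> "fastEthernet0/1"
            current = ports.setdefault(m.group(1).replace(" ", ""), {})
            continue
        if current is not None and " : " in line:
            key, _, value = line.partition(" : ")   # the key itself may contain ':'
            current[key.strip()] = value.strip()
    return ports

def audit_port(fields):
    """List the conditions on one port that an operator should act on."""
    findings = []
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("shut down by a violation; needs shutdown / no shutdown to recover")
    if int(fields.get("Security Violation Count", "0")) > 0:
        findings.append("violations recorded; review Last Source Address:Vlan")
    if fields.get("Violation Mode") == "Protect":
        findings.append("Protect blocks silently; Restrict would also log the violation")
    return findings
```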

Posted by 小必 on 痞客邦 (PIXNET)