Configure interface security protections. For example, if company policy forbids employees from bringing their own laptops into the office, bind the permitted MAC address to each switch interface with Port-Security so that an unknown device plugged into that port is blocked. Keep in mind that this only restricts which source MAC addresses a port accepts; a MAC address is easy to spoof, so Port-Security stops casual or accidental connections and MAC-flooding attacks, it does not authenticate the device the way 802.1X does.
Check whether any interface has Port-Security configured yet (none so far):
SW12#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
SW12#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW12(config)#interface fastEthernet 0/17
SW12(config-if)#switchport mode access
SW12(config-if)#switchport port-security
SW12(config-if)#switchport port-security maximum 1
SW12(config-if)#switchport port-security mac-address sticky
SW12(config-if)#switchport port-security violation shutdown
SW12(config-if)#^Z
Check again: Fa0/17 now allows at most one MAC address, has learned one, has recorded zero violations, and its violation action is to shut the interface down:
SW12#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/17              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
Check the secure MAC address table: which MAC address is permitted on which interface, and how it was learned. The Type column shows SecureSticky, meaning the address was learned dynamically and written into the running configuration (a manually entered address would show as SecureConfigured).
SW12#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0060.6eb0.4d88    SecureSticky        Fa0/17       -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
Look at the detailed Port-Security state of interface Fa0/17. Last Source Address is the field to check after a violation, since it records the MAC that last arrived on the port:
SW12#show port-security interface fastEthernet 0/17
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 0060.6eb0.4d88
Security Violation Count   : 0
The three violation modes, and what each does when a frame arrives from a MAC address that is not permitted on the port:
SW12(config-if)#switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode
protect: frames from the permitted MAC keep passing; frames from other source MACs are silently dropped. No syslog message is generated and the violation counter does not increase, so nobody is alerted.
restrict: frames from the permitted MAC keep passing; frames from other source MACs are dropped, a syslog message (and SNMP trap) is generated, and the violation counter increments.
shutdown (the default): the interface is placed in err-disabled state, so even the permitted MAC no longer passes; a syslog message is generated and the violation counter increments.
。Note in particular that an interface shut down by a violation stays err-disabled until you issue shutdown and then no shutdown on it (unless errdisable auto-recovery has been enabled for port-security violations). Before re-enabling it, check which MAC triggered the violation (Last Source Address in show port-security interface).
。Clear a specific sticky MAC address (for example when the workstation on that port is replaced):
clear port-security sticky address 0060.6eb0.4d88
。Manually add a MAC address as a static secure address on the interface:
switchport port-security mac-address 0060.6eb0.4d88
。Sticky and static secure addresses live in the running configuration; save it to the startup configuration, otherwise they are lost on reload and the port starts learning again.
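The checks above are done port by port at the CLI. As an added example (not code from the original post, and not a Cisco tool), the following Python script parses captured show port-security and show interfaces status output and reports which access ports lack Port-Security, which are configured more weakly than the baseline used above (maximum 1, violation shutdown), and which have recorded violations, emitting the hardening commands from this post or the shutdown / no shutdown recovery sequence as appropriate. The sample outputs are constructed: Fa0/17 reproduces the values shown above, while Fa0/18, Fa0/19, Fa0/20 and the Gi0/1 trunk are invented; all function and variable names are my own.

```python
"""Audit Cisco IOS port-security state from captured show output.

Added example, not code from the original post or from Cisco. Sample outputs
are constructed: Fa0/17 reproduces the post's values; Fa0/18 (err-disabled
after a violation), Fa0/19 (no port-security), Fa0/20 (weak settings) and
the Gi0/1 trunk are invented.
"""
import re
from dataclasses import dataclass, field

# Constructed: the post's 'show port-security' table with two extra rows.
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/17              1            1                  0         Shutdown
      Fa0/18              1            1                  1         Shutdown
      Fa0/20              3            2                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# Constructed excerpt of 'show interfaces status' for the same switch.
SHOW_INTERFACES_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/17                       connected    1            a-full  a-100 10/100BaseTX
Fa0/18                       err-disabled 1              auto   auto 10/100BaseTX
Fa0/19                       connected    1            a-full  a-100 10/100BaseTX
Fa0/20                       connected    1            a-full  a-100 10/100BaseTX
Gi0/1     uplink             connected    trunk        a-full a-1000 10/100/1000BaseTX
"""

STATUS_WORDS = {"connected", "notconnect", "err-disabled", "disabled"}
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


@dataclass
class PortSec:
    port: str
    max_addr: int
    current: int
    violations: int
    action: str


@dataclass
class Finding:
    port: str
    issue: str
    remediation: list = field(default_factory=list)  # IOS lines to apply


def parse_port_security(text):
    """Return {port: PortSec} from the per-port rows of 'show port-security'."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, separator and 'Total ...' lines do not match
            port, mx, cur, viol, action = m.groups()
            rows[port] = PortSec(port, int(mx), int(cur), int(viol), action)
    return rows


def parse_interface_status(text):
    """Return {port: (status, vlan)} from 'show interfaces status'."""
    ports = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or not re.match(r"(Fa|Gi|Te)\d", parts[0]):
            continue
        for i, tok in enumerate(parts):  # Name column may be empty: locate Status
            if tok in STATUS_WORDS:
                ports[parts[0]] = (tok, parts[i + 1])
                break
    return ports


def hardening_lines(port):
    """The per-interface configuration the post applies to Fa0/17."""
    return [f"interface {port}",
            " switchport mode access",
            " switchport port-security",
            " switchport port-security maximum 1",
            " switchport port-security mac-address sticky",
            " switchport port-security violation shutdown"]


def audit(psec, status):
    """Compare every access port against the post's baseline (max 1, shutdown)."""
    findings = []
    for port, (state, vlan) in status.items():
        if vlan == "trunk":
            continue  # uplinks are out of scope for this control
        row = psec.get(port)
        if row is None:
            findings.append(Finding(port, "port-security not enabled",
                                    hardening_lines(port)))
            continue
        if row.max_addr != 1 or row.action != "Shutdown":
            findings.append(Finding(port, f"weaker than baseline: maximum "
                                    f"{row.max_addr}, action {row.action}",
                                    hardening_lines(port)))
        if row.violations > 0:
            fix = []
            if state == "err-disabled":
                # Recovery as the post notes: shutdown, then no shutdown.
                # Check Last Source Address for the offending MAC first.
                fix = [f"interface {port}", " shutdown", " no shutdown"]
            findings.append(Finding(port, f"{row.violations} violation(s), "
                                    f"status {state}", fix))
    return findings


def run():
    return audit(parse_port_security(SHOW_PORT_SECURITY),
                 parse_interface_status(SHOW_INTERFACES_STATUS))


if __name__ == "__main__":
    for f in run():
        print(f"{f.port}: {f.issue}")
        for line in f.remediation:
            print("    " + line)
```

Replace the two constructed strings with output collected from the real switch (for example over SSH with any terminal-capture tool) to run it against live devices; ports in protect mode are worth looking at first, because with that mode the violation counter never increases and the Fa0/20-style finding is the only evidence you will get.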