跳到主要內容

Cisco Switch : Port-Security

設定介面安全防護機制,例如禁止員工私帶筆電到公司使用,在Switch介面上綁定Mac-Address

查看有無介面設定Port-Security
SW12#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024


SW12#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW12(config)#interface fastEthernet 0/17
SW12(config-if)#switchport mode access
SW12(config-if)#switchport port-security
SW12(config-if)#switchport port-security maximum 1
SW12(config-if)#switchport port-security mac-address sticky
SW12(config-if)#switchport port-security violation shutdown
SW12(config-if)#^Z

查看有無介面設定Port-Security,可以看到Fa 0/17 設定最多允許一個MAC-Address,已學習到一個,違規的MAC-Address為0,防護機制為直接關掉介面
SW12#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/17              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

查看介面Port-Security的Mac-Address狀態,允許的MAC-Address與介面,並且也記錄MAC-Address是如何學習
SW12#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0060.6eb0.4d88    SecureSticky        Fa0/17       -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

詳細觀察Fa 017的介面狀態
SW12#show port-security interface fastEthernet 0/17
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address        : 0060.6eb0.4d88
Security Violation Count   : 0




SW12(config-if)#switchport port-security violation ?
  protect   Security violation protect mode  合法MAC通過,沒有違規訊息,沒有違規訊息統計
  restrict  Security violation restrict mode  合法MAC通過,有違規訊息,有違規訊息統計  
  shutdown  Security violation shutdown mode 合法MAC不會通過,有違規訊息,有違規訊息統計


。特別注意是被關掉的介面要先shutdown再no shutdown

。清除特定Mac-Address
   clear port-security sticky address 0060.6eb0.4d88

。手動新增MAC-Address
switchport port-security mac-address 0060.6eb0.4d88


留言

這個網誌中的熱門文章

使用Cisco L3 Switch做VLAN的Routing

目標: 讓VLAN100與VLAN200的電腦透過L3 Swtich做VLAN的Routing,並且可以互相存取資源與上網,另外再使用Windows Server 2012配發VLAN100,VLAN200的IP Firewall: 使用ASUS AP當Firewall,並設兩條Static Route Switch: Core Switch為Cisco 3750切VLAN 10,VLAN100,VLAN200,VLAN10為預設的VLAN,VLAN100為Sales,VLAN200為RD Edge Switch為Cisco 3750與2950,其中2950為VLAN100,3750為VLAN200,如果要By Port切VLAN也可以,這裡只是為了方便說明,所以Edge Switch都直接設為單一VLAN Core Switch的設定 原本我只想Show Running-config其中比較重要的設定,後來想想還是全部列出,用紅色標記重要的設定 Gi 1/0/1接2950 Gi 1/0/2接3750 Gi 1/0/24接Router Core-3750#show running-config Building configuration... Current configuration : 2436 bytes ! version 12.2 no service pad service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname Core-3750 ! boot-start-marker boot-end-marker ! ! ! ! no aaa new-model switch 1 provision ws-c3750g-24t system mtu routing 1546 ip routing no ip domain-lookup ! ! ! ! ! ! ! ! spanning-tree mode pvst spanning-tree portfas...

Cisco Switch 發生Loopback

User告知網路無法使用,看了Switch的狀況後,發現那個Port的狀態是Error Disable,接著又看了Switch的log Feb  8 12:14:14 TW: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPNAK, MAC sa: 2c56.dc86.xxxx Feb  8 12:15:49 TW: %DHCP_SNOOPING-5-DHCP_SNOOPING_UNTRUSTED_PORT: DHCP_SNOOPING drop message on untrusted port, message type: DHCPNAK, MAC sa: 2c56.dc86.xxxx Feb  8 12:18:00 TW: %ETHCNTR-3-LOOP_BACK_DETECTED: Keepalive packet loop-back detected on FastEthernet0/10. Feb  8 12:18:00 TW: %PM-4-ERR_DISABLE: loopback error detected on Fa0/10, putting Fa0/10 in err-disable state Feb  8 12:18:01 TW: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/10, changed state to down Feb  8 12:18:02 TW: %LINK-3-UPDOWN: Interface FastEthernet0/10, changed state to down 應該是User私接設備,除了造成Loopback之外,又在隨便發放IP....... 不過因為那個User比較特殊,先教育了一下之後,再把那個Port shutdown , no shutdown,接著把Recovery設了上去,下次如果再遇到相同狀況,10分鐘後會自動恢復 xxx...

2台 Vigor 2920建立 LAN To LAN VPN (IPsec)

我有兩台Vigor 2920,環境如下: Vigor B 撥出 LAN:192.168.1.0/24 Vigor A 撥入 LAN:172.16.1.0/24 設定如下: Vigor B設定 Vigor A設定 詳細設定請參考官網 http://www.draytek.com/index.php?option=com_k2&view=item&id=2666&Itemid=264&lang=tw