
Using Port-Security

Goal:

Port Fa0/8 is set to let only 3 specified MAC addresses through. If an unknown MAC address shows up, the port is shut down, but it recovers by itself after 10 minutes!
One reason for choosing shutdown is so the user knows they plugged in an unauthorized device; the automatic recovery is so I don't wear myself out... the lazy way~~


Configuration:

First check whether Port-Security is already enabled
SW12-2950#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024


Enable Port-Security and use sticky learning to record the MAC addresses
SW12-2950#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW12-2950(config)#interface fastEthernet 0/8
SW12-2950(config-if)#switchport mode access
SW12-2950(config-if)#switchport port-security
SW12-2950(config-if)#switchport port-security maximum 3
SW12-2950(config-if)#switchport port-security violation shutdown
SW12-2950(config-if)#switchport port-security mac-address sticky


Check the Port-Security status again
SW12-2950#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/8              3            3                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 1024


View the recorded MAC addresses
SW12-2950#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0060.6eb0.0000    SecureSticky        Fa0/8        -
   1    0060.6eb0.4d88    SecureSticky        Fa0/8        -
   1    74d0.2bdd.a000    SecureSticky        Fa0/8        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 2
Max Addresses limit in System (excluding one mac per port) : 1024


In show running-config you can see the MAC addresses configured on the port (the violation shutdown line typed earlier does not appear because shutdown is the default violation mode, and IOS does not write defaults to the running-config)
interface FastEthernet0/8
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0060.6eb0.0000
 switchport port-security mac-address sticky 0060.6eb0.4d88
 switchport port-security mac-address sticky 74d0.2bdd.a000
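To check this across a whole switch rather than one port, here is an added example (my own Python, not from the original post): it parses a running-config in the format above and reports the effective port-security settings per access port, filling in the IOS defaults that never appear in the running-config (violation shutdown, maximum 1), and flags access ports with no port-security at all as well as sticky ports whose table is not yet full, because until it fills, the next unknown device is simply learned as an authorized address. The sample config is constructed for the example; only Fa0/8 copies the configuration from this page.

```python
import re
from dataclasses import dataclass, field

# Constructed sample running-config (assumption: not the switch on this page, except that
# Fa0/8 copies the page's configuration). Fa0/9 has no port-security, Fa0/10 uses a static
# address with violation restrict, Fa0/11 has sticky learning with an unfilled table.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode trunk
!
interface FastEthernet0/8
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0060.6eb0.0000
 switchport port-security mac-address sticky 0060.6eb0.4d88
 switchport port-security mac-address sticky 74d0.2bdd.a000
!
interface FastEthernet0/9
 switchport mode access
!
interface FastEthernet0/10
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0011.2233.4455
!
interface FastEthernet0/11
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0060.6eb0.1079
!
"""


@dataclass
class PortSecurity:
    name: str
    mode: str = "unknown"        # access / trunk / unknown (no 'switchport mode' line)
    enabled: bool = False
    maximum: int = 1             # IOS default when no 'maximum' line is present
    violation: str = "shutdown"  # IOS default; defaults are not written to running-config
    sticky: bool = False
    static_macs: list = field(default_factory=list)
    sticky_macs: list = field(default_factory=list)


def parse_interfaces(config: str) -> dict:
    """Split a running-config into interface blocks and pull out the port-security lines."""
    ports = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = PortSecurity(name=line.split(None, 1)[1])
            ports[current.name] = current
            continue
        if not line.startswith(" "):   # '!' or any top-level command ends the block
            current = None
            continue
        if current is None:
            continue
        words = line.split()
        if words[:2] == ["switchport", "mode"]:
            current.mode = words[2]
        elif words[:2] == ["switchport", "port-security"]:
            rest = words[2:]
            if not rest:
                current.enabled = True
            elif rest[0] == "maximum":
                current.maximum = int(rest[1])
            elif rest[0] == "violation":
                current.violation = rest[1]
            elif rest[0] == "mac-address":
                if rest[1] == "sticky" and len(rest) == 2:
                    current.sticky = True
                elif rest[1] == "sticky":
                    current.sticky_macs.append(rest[2])
                else:
                    current.static_macs.append(rest[1])
    return ports


def audit(ports: dict) -> list:
    """Return (interface, finding) pairs for access ports that need attention."""
    findings = []
    for p in ports.values():
        if p.mode != "access":
            continue  # port-security is applied to access ports here; trunks are out of scope
        if not p.enabled:
            findings.append((p.name, "access port without port-security"))
            continue
        known = len(p.static_macs) + len(p.sticky_macs)
        free = p.maximum - known
        if p.sticky and free > 0:
            # Sticky learning trusts whatever shows up until the table is full, so an
            # unauthorized device plugged in now becomes an authorized address.
            findings.append((p.name, f"sticky learning with {free} free slot(s): next unknown MAC is learned as authorized"))
        elif not p.sticky and known == 0:
            findings.append((p.name, "dynamic learning only: secure addresses are lost on reload"))
        if p.violation == "protect":
            findings.append((p.name, "violation protect drops frames silently: no counter, no syslog"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_interfaces(SAMPLE_RUNNING_CONFIG)):
        print(f"{name}: {finding}")
```

Run against a saved `show running-config`, the script flags Fa0/9 and Fa0/11 and stays quiet about Fa0/8, whose three sticky slots are all used.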


View the status of interface Fa0/8
SW12-2950#show interfaces fastEthernet 0/8
FastEthernet0/8 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 0016.9dbb.17c8 (bia 0016.9dbb.17c8)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 100BaseTX
  input flow-control is unsupported output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 716000 bits/sec, 50 packets/sec
  5 minute output rate 32000 bits/sec, 17 packets/sec
     618000 packets input, 839246843 bytes, 0 no buffer
     Received 6023 broadcasts (4066 multicast)
     0 runts, 0 giants, 0 throttles
     1 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored
     0 watchdog, 4063 multicast, 0 pause input
     0 input packets with dribble condition detected
     339261 packets output, 58044087 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out


If an unauthorized device is now plugged into the port, the following messages appear
SW12-2950#
00:29:17: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/8, putting Fa0/8 in err-disable state
SW12-2950#
00:29:17: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0060.6eb0.1079 on port FastEthernet0/8.
00:29:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to down
SW12-2950#
00:29:19: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to down


View the interface status
SW12-2950#show interfaces fastEthernet 0/8
FastEthernet0/8 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 0016.9dbb.17c8 (bia 0016.9dbb.17c8)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Auto-duplex, Auto-speed, media type is 100BaseTX
  input flow-control is unsupported output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:13, output 00:00:15, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 121000 bits/sec, 4 packets/sec
  5 minute output rate 22000 bits/sec, 4 packets/sec
     631905 packets input, 851363683 bytes, 0 no buffer
     Received 7624 broadcasts (5195 multicast)
     0 runts, 0 giants, 0 throttles
     1 input errors, 0 CRC, 1 frame, 0 overrun, 0 ignored
     0 watchdog, 5195 multicast, 0 pause input
     0 input packets with dribble condition detected
     349765 packets output, 61062788 bytes, 0 underruns
     0 output errors, 0 collisions, 4 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

SW12-2950#show interfaces status

Port      Name               Status       Vlan       Duplex  Speed Type
Fa0/1                        connected    trunk      a-full  a-100 10/100BaseTX
Fa0/2                        connected    trunk      a-full  a-100 10/100BaseTX
Fa0/3                        notconnect   1            auto   auto 10/100BaseTX
Fa0/4                        notconnect   1            auto   auto 10/100BaseTX
Fa0/5                        connected    1          a-full  a-100 10/100BaseTX
Fa0/6                        notconnect   1            auto   auto 10/100BaseTX
Fa0/7                        notconnect   1            auto   auto 10/100BaseTX
Fa0/8                        err-disabled 1            auto   auto 10/100BaseTX
Fa0/9                        notconnect   1            auto   auto 10/100BaseTX
Fa0/10                       notconnect   1            auto   auto 10/100BaseTX
Fa0/11                       notconnect   1            auto   auto 10/100BaseTX
Fa0/12                       notconnect   1            auto   auto 10/100BaseTX
Fa0/13                       notconnect   1            auto   auto 10/100BaseTX
Fa0/14                       notconnect   1            auto   auto 10/100BaseTX
Fa0/15                       notconnect   1            auto   auto 10/100BaseTX
Fa0/16                       notconnect   1            auto   auto 10/100BaseTX
Fa0/17                       notconnect   1            auto   auto 10/100BaseTX
Fa0/18                       notconnect   1            auto   auto 10/100BaseTX
Fa0/19                       notconnect   1            auto   auto 10/100BaseTX
Fa0/20                       notconnect   1            auto   auto 10/100BaseTX
Fa0/21                       notconnect   1            auto   auto 10/100BaseTX

Note the err-disabled status. Because we configured Port-Security ourselves we know what caused it; in general err-disabled is not that easy to diagnose (the cause can also be found in the log, or with show interfaces status err-disabled, which lists the reason)

SW12-2950#show logging
Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes, 0 overruns)
    Console logging: level debugging, 80 messages logged
    Monitor logging: level debugging, 0 messages logged
    Buffer logging: level debugging, 80 messages logged
    Exception Logging: size (4096 bytes)
    File logging: disabled
    Trap logging: level informational, 84 message lines logged

Log Buffer (4096 bytes):
-4-ERR_DISABLE: psecure-violation error detected on Fa0/8, putting Fa0/8 in err-disable state
00:33:03: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0060.6eb0.1079 on port FastEthernet0/8.
00:33:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to down
00:33:05: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to down


At this point, to bring Fa0/8 back to normal you have to shutdown and then no shutdown the port. To have a port that was shut down recover automatically, use the following commands

SW12-2950#show errdisable detect
ErrDisable Reason    Detection status
-----------------    ----------------
udld                 Enabled
bpduguard            Enabled
security-violatio    Enabled
channel-misconfig    Enabled
psecure-violation    Enabled
dhcp-rate-limit      Enabled
unicast-flood        Enabled
vmps                 Enabled
pagp-flap            Enabled
dtp-flap             Enabled
link-flap            Enabled
gbic-invalid         Enabled
loopback             Enabled

SW12-2950#show errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Disabled
security-violatio    Disabled
channel-misconfig    Disabled
vmps                 Disabled
pagp-flap            Disabled
dtp-flap             Disabled
link-flap            Disabled
psecure-violation    Disabled
gbic-invalid         Disabled
dhcp-rate-limit      Disabled
unicast-flood        Disabled
loopback             Disabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Since this is a test, set it to 30 seconds first (30 seconds is also the shortest interval IOS accepts; the range is 30 to 86400 seconds, and the timer is global, shared by every cause enabled for recovery)
SW12-2950(config)#errdisable recovery cause psecure-violation
SW12-2950(config)#errdisable recovery interval 30


SW12-2950#show errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Disabled
security-violatio    Disabled
channel-misconfig    Disabled
vmps                 Disabled
pagp-flap            Disabled
dtp-flap             Disabled
link-flap            Disabled
psecure-violation    Enabled
gbic-invalid         Disabled
dhcp-rate-limit      Disabled
unicast-flood        Disabled
loopback             Disabled

Timer interval: 30 seconds

Interfaces that will be enabled at the next timeout:

(Note carefully that the cause is psecure-violation, not security-violatio, which is a different cause whose name is cut off by the column width)


After 30 seconds the recovery messages appear
00:32:30: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/8
SW12-2950#
00:32:34: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to up
00:32:35: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to up


Because the rogue MAC address is still attached to Fa0/8, the port is shut down again

00:33:03: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/8, putting Fa0/8 in err-disable state
SW12-2950#
00:33:03: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0060.6eb0.1079 on port FastEthernet0/8.
SW12-2950#
00:33:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to down
SW12-2950#
00:33:05: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to down
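Since the log is what tells you what happened, here is an added example (my own Python, not part of the original post) of the detection logic a syslog collector could run over these messages: it parses %PORT_SECURITY-2-PSECURE_VIOLATION, %PM-4-ERR_DISABLE and %PM-4-ERR_RECOVER, keeps per-port state, and flags the recovery loop shown above, where the port err-disables again shortly after the recovery attempt because the unauthorized device was never unplugged. The sample log lines are constructed to mirror the sequence on this page; the extra violation on Fa0/12 that never err-disables is what a restrict-mode port produces, and the HH:MM:SS uptime stamps are assumed to be formatted as on this page.

```python
import re
from collections import defaultdict

# Constructed syslog sample (assumption: modelled on the sequence shown on this page, plus a
# violation on Fa0/12 that never err-disables, which is what a restrict-mode port looks like).
SAMPLE_LOG = """\
00:29:17: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/8, putting Fa0/8 in err-disable state
00:29:17: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0060.6eb0.1079 on port FastEthernet0/8.
00:29:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to down
00:29:19: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to down
00:32:30: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/8
00:32:34: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to up
00:33:03: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/8, putting Fa0/8 in err-disable state
00:33:03: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0060.6eb0.1079 on port FastEthernet0/8.
00:40:00: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/12.
"""

# The prefix is the HH:MM:SS uptime stamp used on this page; with 'service timestamps log
# datetime' the prefix changes and the stamp group below has to be adjusted.
STAMP = r"^(\d\d:\d\d:\d\d): "
VIOLATION_RE = re.compile(STAMP + r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address ([0-9a-f.]+) on port (\S+)\.")
ERRDISABLE_RE = re.compile(STAMP + r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+),")
RECOVER_RE = re.compile(STAMP + r"%PM-4-ERR_RECOVER: Attempting to recover from (\S+) err-disable state on (\S+)")


def uptime_seconds(stamp: str) -> int:
    h, m, s = (int(x) for x in stamp.split(":"))
    return h * 3600 + m * 60 + s


def short_name(port: str) -> str:
    """PSECURE_VIOLATION says 'FastEthernet0/8' while ERR_DISABLE says 'Fa0/8'; key both the same way."""
    return port.replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")


def new_port_state() -> dict:
    return {"violations": 0, "macs": set(), "err_disabled": 0,
            "recoveries": 0, "last_recover": None, "recovery_loop": False}


def analyze(log_text: str, loop_window: int = 120) -> dict:
    """Fold the log into per-port state. A port that err-disables again within loop_window
    seconds of an ERR_RECOVER is flagged: the offending device is still plugged in and
    errdisable recovery is just cycling the port."""
    state = defaultdict(new_port_state)
    for line in log_text.splitlines():
        m = VIOLATION_RE.match(line)
        if m:
            _, mac, port = m.groups()
            p = state[short_name(port)]
            p["violations"] += 1
            p["macs"].add(mac)
            continue
        m = ERRDISABLE_RE.match(line)
        if m:
            stamp, cause, port = m.groups()
            if cause != "psecure-violation":
                continue  # bpduguard, link-flap etc. belong to other detections
            p = state[short_name(port)]
            p["err_disabled"] += 1
            if p["last_recover"] is not None and uptime_seconds(stamp) - p["last_recover"] <= loop_window:
                p["recovery_loop"] = True
            continue
        m = RECOVER_RE.match(line)
        if m:
            stamp, cause, port = m.groups()
            if cause == "psecure-violation":
                p = state[short_name(port)]
                p["recoveries"] += 1
                p["last_recover"] = uptime_seconds(stamp)
    return dict(state)


def alerts(state: dict) -> list:
    """Turn the per-port state into (port, message) alerts worth a ticket."""
    out = []
    for port, p in sorted(state.items()):
        macs = ", ".join(sorted(p["macs"]))
        if p["recovery_loop"]:
            out.append((port, f"errdisable recovery loop, unauthorized device still attached ({macs})"))
        elif p["violations"]:
            out.append((port, f"{p['violations']} violation(s) from {len(p['macs'])} MAC(s) ({macs})"))
    return out


if __name__ == "__main__":
    for port, message in alerts(analyze(SAMPLE_LOG)):
        print(f"{port}: {message}")
```

With a 10-minute recovery interval in production, a port that loops like Fa0/8 above produces one violation pair every 10 minutes until someone acts; the loop alert is what turns that from noise into a ticket with the offending MAC attached.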


Postscript:

Port-Security is not hard to use; the hard part is the management that follows.
* How should a disabled port be restored: manually by the administrator, or automatically?
* When an unauthorized MAC address connects, should the port be set to Shutdown, Protect or Restrict?
* Should the MAC addresses be entered by hand or learned with sticky first, and how are later additions and changes handled?
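The three questions above are policy decisions; the commands that implement them are the ones used earlier on this page plus the violation-mode variants. As an added example (my own Python, not the original post's), here is a small generator that turns the decision into IOS commands for many ports at once, normalizing MAC addresses into the H.H.H form IOS expects, rejecting group addresses and duplicates, and refusing a recovery interval outside the 30 to 86400 second range IOS accepts. The interface names and addresses in the usage at the bottom are constructed.

```python
import re

# What the switch does with a frame from an unknown MAC once the table is full, per mode.
VIOLATION_MODES = {
    "shutdown": "err-disables the port; recover with shutdown/no shutdown or errdisable recovery",
    "restrict": "drops the frames, increments SecurityViolation, sends syslog and SNMP trap",
    "protect": "drops the frames silently; no counter, no syslog",
}


def normalize_mac(mac: str) -> str:
    """Accept 00:60:6E:B0:00:00, 00-60-6e-b0-00-00, 00606eb00000 or 0060.6eb0.0000 and
    return the IOS H.H.H form. Group (multicast/broadcast) addresses never appear as a
    source MAC, so one in an allowlist is a typo and is rejected."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if int(digits[:2], 16) & 0x01:
        raise ValueError(f"group address cannot be a secure MAC: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def port_security_config(interface: str, macs=(), *, maximum=None,
                         violation="shutdown", sticky=False) -> list:
    """Return the interface-level commands for one access port."""
    if violation not in VIOLATION_MODES:
        raise ValueError(f"violation must be one of {sorted(VIOLATION_MODES)}")
    macs = [normalize_mac(m) for m in macs]
    if len(set(macs)) != len(macs):
        raise ValueError("duplicate MAC address in allowlist")
    if maximum is None:
        maximum = max(1, len(macs))
    if len(macs) > maximum:
        raise ValueError(f"{len(macs)} addresses but maximum is {maximum}")
    lines = [
        f"interface {interface}",
        " switchport mode access",
        " switchport port-security",
        f" switchport port-security maximum {maximum}",
        f" switchport port-security violation {violation}",  # written even for the default
    ]
    if sticky:
        lines.append(" switchport port-security mac-address sticky")
    prefix = " switchport port-security mac-address " + ("sticky " if sticky else "")
    lines.extend(prefix + m for m in macs)
    return lines


def errdisable_recovery_config(interval_seconds: int) -> list:
    """Global commands for automatic recovery. The interval is one timer shared by every
    enabled recovery cause, not just psecure-violation."""
    if not 30 <= interval_seconds <= 86400:
        raise ValueError("errdisable recovery interval must be 30 to 86400 seconds")
    return [
        "errdisable recovery cause psecure-violation",
        f"errdisable recovery interval {interval_seconds}",
    ]


def build_config(ports: dict, recovery_seconds=None) -> str:
    """ports maps interface name -> keyword arguments for port_security_config."""
    out = []
    for name, opts in ports.items():
        out.extend(port_security_config(name, **opts))
        out.append("!")
    if recovery_seconds is not None:
        out.extend(errdisable_recovery_config(recovery_seconds))
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed usage: the goal from the top of this page (3 sticky addresses on Fa0/8,
    # shutdown, 10-minute recovery) plus a restrict-mode port with one static address.
    print(build_config({
        "FastEthernet0/8": {"macs": ["00:60:6E:B0:00:00", "00-60-6e-b0-4d-88", "74d02bdda000"],
                            "maximum": 3, "sticky": True},
        "FastEthernet0/9": {"macs": ["0011.2233.4455"], "violation": "restrict"},
    }, recovery_seconds=600))
```

Pushing the output to the switch is left to whatever management tool you use. Writing the violation line explicitly, even for the default, makes the intended mode visible in the running-config, which the page's own show running output does not.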


err-disable

View which features can cause err-disable
SW12-2950#show errdisable detect
ErrDisable Reason    Detection status
-----------------    ----------------
udld                 Enabled
bpduguard            Enabled
security-violatio    Enabled
channel-misconfig    Enabled
psecure-violation    Enabled
dhcp-rate-limit      Enabled
unicast-flood        Enabled
vmps                 Enabled
pagp-flap            Enabled
dtp-flap             Enabled
link-flap            Enabled
gbic-invalid         Enabled
loopback             Enabled


View the reason for err-disabled
SW12-2950#show interfaces status err-disabled

Port      Name               Status       Reason
Fa0/8                        err-disabled psecure-violation






