News
发布日期:2022-04-26 浏览次数:3420 来源:杨广成
思科端口安全port-security配置实例与演示-EI CCNP企业基础架构
文档提供:WOLF-LAB 杨广成 CCIE#29957;HCIE#12877
需求描述
1. 实验室交换机架登陆:
Rack 99 192.168.9.99
Rack 98 192.168.9.98
Rack 100 192.168.9.100
做实验之前,请重启设备,做完实验后,请勿保存。想要通过外网登陆机架请联系WOLFLAB,获取登陆方式。
2. 配置R1的接口地址分别为1.1.1.1/24,R2的接口地址为1.1.1.2/24。在sw1的F0/1接口上开启端口安全。show port-security interface f0/1查看端口安全的相关参数。
R1: interface Ethernet0 ip address 1.1.1.1 255.255.255.0 R2: interface Ethernet0 ip address 1.1.1.2 255.255.255.0 |
SW1: interface FastEthernet0/1 switchport mode access switchport port-security //开启端口安全开关
SW1#show port-security interface f0/1 Port Security : Enabled Port Status : Secure-up Violation Mode : Shutdown Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 //开启端口安全,接口默认最多学习1个mac地址。 Total MAC Addresses : 1 Configured MAC Addresses : 0 Sticky MAC Addresses : 0 Last Source Address:Vlan : 0003.6b26.0020:1 Security Violation Count : 0 |
3. 配置sw1的F0/1接口,最多学到3个mac地址,并且在sw1的F0/1接口静态指定一个mac地址为a.a.a。
SW1: interface FastEthernet0/1 switchport port-security maximum 3 switchport port-security mac-address 000a.000a.000a |
4. 在R1上修改接口的mac地址为b.b.b,c.c.c,此时在R1上ping 1.1.1.2。
R1: interface Ethernet0/0 mac-address 000b.000b.000b mac-address 000c.000c.000c |
SW1# %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state % VIOLATION: Security violation occurred, caused by MAC address 000c.000c.000c on port FastEthernet0/1.
SW1#show port-security interface f0/1 Port Security : Enabled Port Status : Secure-shutdown //违反端口安全,接口被err-disable Violation Mode : Shutdown Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 3 Total MAC Addresses : 1 Configured MAC Addresses : 1 Sticky MAC Addresses : 0 Last Source Address:Vlan : 000c.000c.000c:1 Security Violation Count : 1 |
5. 由于sw1的F0/1接口违反端口安全被置为err-disable状态。配置该接口能够在30秒后自动恢复。
SW1: errdisable recovery cause security-violation errdisable recovery interval 30 |
6. 配置sw1的F0/1接口,若是违反端口安全,仅是将其流量drop掉。
SW1: interface FastEthernet0/1 switchport port-security violation protect |
7. 配置sw1的F0/1接口,最多学习到5个mac地址,并且将动态学习到的mac地址粘贴至该接口下,不会老化。
SW1: interface FastEthernet0/1 switchport port-security maximum 5 switchport port-security mac-address sticky |
8. 在sw1的F0/1接口关闭端口安全,删除R1接口的mac地址。在sw1上配置基于R1的源mac地址限制流量,然后在R1上ping 1.1.1.2。
SW1: interface FastEthernet0/1 no switchport port-security
mac-address-table static 0003.6b26.0020 vlan 1 drop //此时在R1上ping 1.1.1.2不通。 |
9. 删除第8题sw1上的配置。在sw1上配置基于IP地址的VACL,不允许R1访问1.1.1.2。
SW1: no mac-address-table static 0003.6b26.0020 vlan 1 drop
access-list 1 permit 1.1.1.1
vlan access-map A 10 action drop match ip address 1 vlan access-map A 20 //类似于route-map,需要放行其他。 action forward
vlan filter A vlan-list 1-4094 |
10. 删除第9题sw1上基于IP的VACL。在sw1上配置基于MAC地址的VACL,不允许R1访问1.1.1.2。
SW1: no vlan filter A vlan-list 1-4094
mac access-list extended MAC permit host 0003.6b26.0020 any
vlan access-map B 10 action drop match mac address MAC vlan access-map B 20 action forward
vlan filter B vlan-list 1-4094 |
EI CCNP企业基础架构课程循环开班中,
联系网站客服,获取基础课免费学习资料