Port security: securing switch ports

Port security lets you set an upper limit on the number of MAC addresses a port will record; once that limit is exceeded, the port is shut down automatically.

If nobody has swapped the device that connects to this network point, the system may be infected, causing its MAC address to change.

Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

Configuring many interfaces at once

Switch(config)#int range fastethernet 0/1 - 24
Switch(config-if-range)#switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
Command rejected: FastEthernet0/2 is a dynamic port.
Command rejected: FastEthernet0/3 is a dynamic port.
Command rejected: FastEthernet0/4 is a dynamic port.
Command rejected: FastEthernet0/5 is a dynamic port.
Command rejected: FastEthernet0/6 is a dynamic port.
Command rejected: FastEthernet0/7 is a dynamic port.
Command rejected: FastEthernet0/8 is a dynamic port.
Command rejected: FastEthernet0/9 is a dynamic port.
Command rejected: FastEthernet0/10 is a dynamic port.
Command rejected: FastEthernet0/11 is a dynamic port.
Command rejected: FastEthernet0/12 is a dynamic port.
Command rejected: FastEthernet0/13 is a dynamic port.
Command rejected: FastEthernet0/14 is a dynamic port.
Command rejected: FastEthernet0/15 is a dynamic port.
Command rejected: FastEthernet0/16 is a dynamic port.
Command rejected: FastEthernet0/17 is a dynamic port.
Command rejected: FastEthernet0/18 is a dynamic port.
Command rejected: FastEthernet0/19 is a dynamic port.
Command rejected: FastEthernet0/20 is a dynamic port.
Command rejected: FastEthernet0/21 is a dynamic port.
Command rejected: FastEthernet0/22 is a dynamic port.
Command rejected: FastEthernet0/23 is a dynamic port.
Command rejected: FastEthernet0/24 is a dynamic port.

Every interface in the range is rejected because it is still in dynamic (DTP-negotiated) switchport mode; port security can only be enabled on a port whose mode has been set statically, for example with switchport mode access. The remaining port-security parameters are then entered on the same range:

Switch(config-if-range)#switchport port-security mac-address sticky
Switch(config-if-range)#switchport port-security maximum 1
Switch(config-if-range)#switchport port-security violation shutdown
Switch(config-if-range)#exit
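The same configuration with the step that avoids the "is a dynamic port" rejections, as an added example that is not part of the original post. The interface range and the one-address limit are taken from the lab above; the errdisable recovery commands and the 300-second interval are an optional addition chosen here for illustration, not something the post configures.

```cisco
! Added example, not from the original post. Same port-security settings as
! the lab above, preceded by the static switchport mode that port security
! requires.
Switch#configure terminal
Switch(config)#interface range fastethernet 0/1 - 24
! Port security can only be enabled on a statically configured access (or
! trunk) port. Interfaces left in dynamic mode produce
! "Command rejected: FastEthernet0/x is a dynamic port."
Switch(config-if-range)#switchport mode access
Switch(config-if-range)#switchport port-security
! Allow exactly one MAC address per port; the second address seen is a violation.
Switch(config-if-range)#switchport port-security maximum 1
! Learn the first MAC dynamically and write it into the running-config.
Switch(config-if-range)#switchport port-security mac-address sticky
! On violation, put the port into err-disabled state (this is also the default).
Switch(config-if-range)#switchport port-security violation shutdown
Switch(config-if-range)#exit
! Optional (assumed here, not in the original post): re-enable err-disabled
! ports automatically after 300 seconds instead of requiring a manual
! shutdown / no shutdown.
Switch(config)#errdisable recovery cause psecure-violation
Switch(config)#errdisable recovery interval 300
Switch(config)#end
! Sticky addresses live in the running-config; save it so they survive a reload.
Switch#write memory
```

Without the write memory step the learned sticky addresses are lost on reboot and every port re-learns whatever is plugged in first, which defeats the purpose of pinning a port to one host.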

The switch will learn the PC's MAC address

PC>PING 192.168.1.200

Pinging 192.168.1.200 with 32 bytes of data:

Reply from 192.168.1.200: bytes=32 time=1ms TTL=128
Reply from 192.168.1.200: bytes=32 time=0ms TTL=128
Reply from 192.168.1.200: bytes=32 time=0ms TTL=128
Reply from 192.168.1.200: bytes=32 time=0ms TTL=128

If we now connect this network point to a different device, the link LED on that device's network port will still light up green.

This is not because port security has failed: until there is some traffic, the switch will not learn a MAC address.

So we need to generate some traffic: ping.

At this point you will find that the switch port has been shut down.

Checking from the CLI:

Switch#show interface fastethernet 0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)

In that case the port-security records must be cleared and the port restarted:

Switch#clear port-security all
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface fastethernet 0/1
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to down
Switch(config-if)#sh
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
Switch(config-if)#no sh
Switch(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

From this we can see that when a port has been disabled by port security, it must first be shut down manually and only then brought back up.
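An added example, not part of the original post, of checking why a port went err-disabled and recovering only that port instead of wiping every learned address with clear port-security all. It assumes Catalyst IOS syntax; fastethernet 0/1 is the port from the lab above.

```cisco
! Added example, not from the original post. Verify before you clear.
! Which ports are err-disabled, and why (cause column shows psecure-violation)
Switch#show interfaces status err-disabled
! Per-port detail: Port Status (Secure-shutdown), Violation Mode,
! Maximum MAC Addresses, Last Source Address:Vlan (the MAC that tripped
! the port) and Security Violation Count.
Switch#show port-security interface fastethernet 0/1
! The secured (sticky) address per interface; compare it with the
! "Last Source Address" above to decide whether the new device is expected
! before re-enabling anything.
Switch#show port-security address
! Clear the sticky address on this one port only. "clear port-security all"
! (used in the lab above) also drops the learned addresses on all other ports.
Switch#clear port-security sticky interface fastethernet 0/1
! An err-disabled port stays down until it is administratively bounced
! (or errdisable recovery is configured), hence shutdown then no shutdown.
Switch#configure terminal
Switch(config)#interface fastethernet 0/1
Switch(config-if)#shutdown
Switch(config-if)#no shutdown
Switch(config-if)#end
! Confirm the port is back to Secure-up and watch the violation count.
Switch#show port-security interface fastethernet 0/1
```

Reviewing Last Source Address before clearing is the step that turns a shutdown port from an outage into a signal: an unexpected MAC on a jack that nobody re-cabled is exactly the case the post describes and is worth recording before the evidence is cleared.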

Posted by 林作倉 on 痞客邦 (PIXNET).