Port security: securing switch ports
Port security lets you cap the number of MAC addresses a port may learn. Once the port sees more than that, the configured violation action fires; with the default action (shutdown) the port is put into err-disabled state and stops forwarding.
If nobody has swapped the device connected to that network drop, a tripped port is worth investigating: a MAC change on the same drop can mean the host is compromised (malware changing or spoofing its MAC address) or that another device has been plugged in behind it.
Switch>en
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
(Configure a whole range of interfaces at once:)
Switch(config)#int range fastethernet 0/1 - 24
Switch(config-if-range)#switchport port-security
Command rejected: FastEthernet0/1 is a dynamic port.
Command rejected: FastEthernet0/2 is a dynamic port.
Command rejected: FastEthernet0/3 is a dynamic port.
Command rejected: FastEthernet0/4 is a dynamic port.
Command rejected: FastEthernet0/5 is a dynamic port.
Command rejected: FastEthernet0/6 is a dynamic port.
Command rejected: FastEthernet0/7 is a dynamic port.
Command rejected: FastEthernet0/8 is a dynamic port.
Command rejected: FastEthernet0/9 is a dynamic port.
Command rejected: FastEthernet0/10 is a dynamic port.
Command rejected: FastEthernet0/11 is a dynamic port.
Command rejected: FastEthernet0/12 is a dynamic port.
Command rejected: FastEthernet0/13 is a dynamic port.
Command rejected: FastEthernet0/14 is a dynamic port.
Command rejected: FastEthernet0/15 is a dynamic port.
Command rejected: FastEthernet0/16 is a dynamic port.
Command rejected: FastEthernet0/17 is a dynamic port.
Command rejected: FastEthernet0/18 is a dynamic port.
Command rejected: FastEthernet0/19 is a dynamic port.
Command rejected: FastEthernet0/20 is a dynamic port.
Command rejected: FastEthernet0/21 is a dynamic port.
Command rejected: FastEthernet0/22 is a dynamic port.
Command rejected: FastEthernet0/23 is a dynamic port.
Command rejected: FastEthernet0/24 is a dynamic port.
Switch(config-if-range)#switchport port-security mac-address sticky
Switch(config-if-range)#switchport port-security maximum 1
Switch(config-if-range)#switchport port-security violation shutdown
Switch(config-if-range)#exit
Note the "Command rejected: ... is a dynamic port." lines: the ports are still in their default DTP dynamic mode, and port security can only be enabled on a port whose mode is set statically. Run switchport mode access on the range first and then repeat switchport port-security; until that command is accepted, the sticky, maximum and violation settings that follow are stored but port security is not actually enabled on the port.
The switch learns the PC's MAC address as soon as the PC sends traffic, for example a ping:
PC>PING 192.168.1.200
Pinging 192.168.1.200 with 32 bytes of data:
Reply from 192.168.1.200: bytes=32 time=1ms TTL=128
Reply from 192.168.1.200: bytes=32 time=0ms TTL=128
Reply from 192.168.1.200: bytes=32 time=0ms TTL=128
Reply from 192.168.1.200: bytes=32 time=0ms TTL=128
If we now move this network drop to a different device, the link light on that device's NIC still comes on green.
That is not because port security has failed: until the new device sends a frame, the switch has no MAC address to learn, so nothing has been checked yet.
So generate some traffic, for example a ping.
As soon as the switch sees the second MAC address, it shuts the port down.
From the command line:
Switch#show interface fastethernet 0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
To recover, clear the port-security records and then restart the port.
Switch#clear port-security all
Switch#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface fastethernet 0/1
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to down
Switch(config-if)#sh
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
Switch(config-if)#no sh
Switch(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
The lesson: a port that port security has put into err-disabled state does not come back on its own. You must shut it down manually (shutdown, abbreviated sh above) and then bring it up again with no shutdown; issuing no shutdown alone does nothing while the port is err-disabled but not administratively down. If you want the switch to recover such ports by itself after a timeout, enable errdisable recovery cause psecure-violation (and optionally set errdisable recovery interval). Also be aware that clear port-security all discards the secured MAC addresses, so after no shutdown the port will re-learn whichever device is connected at that moment, whether or not it is the legitimate one; check who is on the drop before you recover it.
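To turn the manual procedure above into something repeatable, the following Python script (an added example, not code from the original page) correlates the IOS syslog messages a port-security violation produces with the sticky MAC addresses saved in the running-config, reports which port tripped, which MAC it expected and which one it actually saw, and emits the shutdown / no shutdown recovery commands from the page. The running-config and syslog samples are constructed for this demo; the interface names and MAC addresses in them are assumptions, not values from the page. Interface names are normalised (FastEthernet0/1 and Fa0/1 compare equal) because IOS uses both spellings in its messages.

```python
"""Correlate IOS port-security violations with sticky MACs and emit recovery.

Added example, not from the original page. Sample config and syslog are
constructed; interface names and MAC addresses are assumed for the demo.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: sticky MACs that IOS wrote into running-config.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.9735.5a3c
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 00d0.ba12.7c01
!
"""

# Constructed sample syslog: Fa0/1 saw a second MAC and was err-disabled.
SAMPLE_SYSLOG = """\
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0060.3e4f.1b22 on port FastEthernet0/1.
%PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
%LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
"""

IFACE_RE = re.compile(r"^interface (\S+)")
STICKY_RE = re.compile(r"^ switchport port-security mac-address sticky ([0-9a-f.]+)")
VIOLATION_RE = re.compile(
    r"PSECURE_VIOLATION: Security violation occurred, caused by MAC address "
    r"([0-9a-f.]+) on port (\S+)\.")
ERRDISABLE_RE = re.compile(r"ERR_DISABLE: psecure-violation error detected on (\S+),")


def short_name(iface):
    """'FastEthernet0/1' -> 'Fa0/1' so config and syslog names compare equal."""
    return re.sub(r"^([A-Z][a-z])[A-Za-z]*", r"\1", iface)


def sticky_macs(running_config):
    """Map each interface (short name) to the sticky MACs saved under it."""
    macs, current = {}, None
    for line in running_config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = short_name(m.group(1))
            macs.setdefault(current, [])
            continue
        m = STICKY_RE.match(line)
        if m and current:
            macs[current].append(m.group(1))
    return macs


@dataclass
class Violation:
    port: str
    offending_mac: str
    expected_macs: list = field(default_factory=list)
    err_disabled: bool = False


def find_violations(syslog, running_config):
    """Pair each violation message with the MACs the port was supposed to have."""
    expected = sticky_macs(running_config)
    found = {}
    for line in syslog.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            port = short_name(m.group(2))
            found[port] = Violation(port, m.group(1), list(expected.get(port, [])))
            continue
        m = ERRDISABLE_RE.search(line)
        if m and short_name(m.group(1)) in found:
            found[short_name(m.group(1))].err_disabled = True
    return list(found.values())


def recovery_commands(v, forget_sticky=False):
    """IOS commands for the page's recovery: optionally drop the saved sticky
    MAC (exec mode), then shutdown / no shutdown on the err-disabled port."""
    cmds = []
    if forget_sticky:
        cmds.append(f"clear port-security sticky interface {v.port}")
    cmds += ["configure terminal", f"interface {v.port}", "shutdown", "no shutdown", "end"]
    return cmds


if __name__ == "__main__":
    for v in find_violations(SAMPLE_SYSLOG, SAMPLE_RUNNING_CONFIG):
        print(f"{v.port}: expected {v.expected_macs}, saw {v.offending_mac}, "
              f"err-disabled={v.err_disabled}")
        print("\n".join(recovery_commands(v)))
```

Only pass forget_sticky=True once you have confirmed the new device is legitimate; otherwise the port simply re-learns the offending MAC after no shutdown.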