===== Port security =====
=== Static ===
Static addresses are stored in the address table and in the running-config (so they can be saved)
>Switch(config)# **interface** //fastethernet 0/0//
>Switch(config-if)# **switchport mode access**
>Switch(config-if)# **switchport port-security mac-address** //[mac-address]//
=== Dynamic ===
The switch learns dynamic addresses on its own; they are kept only in the address table and are lost when the switch reloads or the port goes down
>Switch(config)# **interface** //fastethernet 0/0//
>Switch(config-if)# **switchport mode access**
>Switch(config-if)# **switchport port-security**
=== Sticky ===
The same as Dynamic, except the learned addresses are also written to the running-config, so they can be saved
>Switch(config)# **interface** //fastethernet 0/0//
>Switch(config-if)# **switchport mode access**
>Switch(config-if)# **switchport port-security maximum** //50//
>Switch(config-if)# **switchport port-security mac-address sticky**
>Switch# **show port-security interface** //fastethernet 0/0//
>Switch# **show port-security address**
=== How to get rid of unwanted MACs: ===
>Switch# **clear port-security sticky interface** [//port-number//] **access**
or
>Switch# **clear port-security dynamic [address** //mac-addr// **| interface** //type mod/num//**]**
>Switch(config-if)# **shutdown**
>Switch(config-if)# **no shutdown**
or
>Switch(config-if)# **no switchport port-security**
>Switch(config-if)# **switchport port-security**
or
>Switch# **reload**
=== Setting the action taken when an unauthorized MAC is detected: ===
* Switch(config-if)# **switchport port-security violation {shutdown | restrict | protect}**
* **shutdown** - the port immediately goes into the //Errdisable// state; it must be brought back up manually or by Errdisable recovery
* **restrict** - the port stays up, frames with an unauthorized MAC are dropped and counted by a counter; an SNMP trap/Syslog message can be sent
* **protect** - the port stays up, unauthorized frames are dropped, nothing is logged
Example Syslog message:
Jun 3 17:18:41.888 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet0/11.
Example Syslog messages in security violation mode **shutdown**:
Jun 3 17:14:19.018 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/11, putting Gi0/11 in err-disable state
Jun 3 17:14:19.022 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0003.a089.efc5 on port GigabitEthernet0/11.
Jun 3 17:14:20.022 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to down
Jun 3 17:14:21.023 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet0/11, changed state to down
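As an added example (not part of the original page), a small Python parser for the two message types shown above, run over a constructed sample that mirrors them; it summarizes violations per port and flags ports that were err-disabled or saw several different offending MACs. Port names and MAC addresses in the sample are constructed from the examples above.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the Syslog examples above (not a real capture).
SAMPLE_LOG = """\
Jun 3 17:14:19.018 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/11, putting Gi0/11 in err-disable state
Jun 3 17:14:19.022 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0003.a089.efc5 on port GigabitEthernet0/11.
Jun 3 17:14:21.023 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet0/11, changed state to down
Jun 3 17:18:41.888 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet0/11.
Jun 3 17:20:02.100 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet0/12.
"""

# IOS syslog shape: "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: message text"
LINE_RE = re.compile(r"^(?P<ts>.+?): %(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<msg>.*)$")
VIOLATION_RE = re.compile(r"caused by MAC address (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}) on port (?P<port>\S+?)\.?$")
ERRDISABLE_RE = re.compile(r"psecure-violation error detected on (?P<port>\S+),")
ABBREV = {"Gi": "GigabitEthernet", "Fa": "FastEthernet", "Te": "TenGigabitEthernet"}

def normalize_port(name):
    """Expand short interface names (Gi0/11) to the long form used in PSECURE_VIOLATION."""
    m = re.match(r"^([A-Za-z]+)(\d.*)$", name)
    if not m:
        return name
    prefix, rest = m.groups()
    for full in ABBREV.values():
        if full.lower().startswith(prefix.lower()):
            return full + rest
    return name

def summarize(text):
    """Return {port: {"violations": [(ts, mac), ...], "err_disabled": bool}}."""
    # Only shutdown and restrict modes log violations; protect logs nothing,
    # so a port in protect mode never shows up in this summary.
    ports = defaultdict(lambda: {"violations": [], "err_disabled": False})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an IOS syslog line
        mnem, msg = m["mnem"], m["msg"]
        if mnem == "PSECURE_VIOLATION" and (v := VIOLATION_RE.search(msg)):
            ports[normalize_port(v["port"])]["violations"].append((m["ts"], v["mac"]))
        elif mnem == "ERR_DISABLE" and (e := ERRDISABLE_RE.search(msg)):
            ports[normalize_port(e["port"])]["err_disabled"] = True
    return dict(ports)

def ports_to_review(summary, distinct_macs=2):
    """Ports that were err-disabled or saw violations from several different MACs."""
    return sorted(p for p, s in summary.items()
                  if s["err_disabled"] or len({mac for _, mac in s["violations"]}) >= distinct_macs)
```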
=== Show commands: ===
Switch# **show port-security interface gigabitethernet 0/11**
Switch# show port-security interface gigabitethernet 0/11
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address : 0003.a089.efc5
Security Violation Count : 1
Switch#
Switch# **show interfaces status err-disabled**
Switch# show interfaces status err-disabled
Port Name Status Reason
Gi0/11 Test port err-disabled psecure-violation
Switch#
TIP
When a port is moved to the errdisable state, you must either manually cycle it
or configure the switch to automatically re-enable ports after a prescribed delay.
To manually cycle a port and return it to service, use the following commands:
Switch(config)# interface Gi 0/11
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch# **show port-security**
Switch# show port-security
Secure Port | MaxSecureAddr (Count) | CurrentAddr (Count) | SecurityViolation (Count) | Security Action
---------------------------------------------------------------------------
Gi0/11 5 1 0 Restrict
Gi0/12 1 0 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6176
Switch#