
Port security

Static

Static addresses are stored in the secure address table and in the running-config, so they can be saved to startup-config. Port security itself must also be enabled on the interface: a static secure address on its own is not enforced until it is.

Switch(config)# interface fastethernet 0/0
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address [mac-address]

Dynamic

The switch learns dynamic addresses by itself. They exist only in the address table, never in the running-config, and are lost when the switch reloads or the port goes down. Without a maximum statement the port secures a single address (the default maximum is 1).

Switch(config)# interface fastethernet 0/0
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security

Sticky

The same as dynamic, except that the learned addresses are also written into the running-config as switchport port-security mac-address sticky entries, so they survive a reload once the running-config has been saved to startup-config. Port security must be enabled on the interface here as well.

Switch(config)# interface fastethernet 0/0
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 50
Switch(config-if)# switchport port-security mac-address sticky
Switch# show port-security interface fastethernet 0/0
Switch# show port-security address

How to get rid of unwanted MAC addresses:

Switch# clear port-security sticky [address mac-addr | interface interface-id]

nebo

Switch# clear port-security dynamic [address mac-addr | interface type mod/num]
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

nebo

Switch(config-if)# no switchport port-security
Switch(config-if)# switchport port-security

nebo

Switch# reload

A reload only removes addresses that never reached startup-config; static and sticky addresses that were saved come back together with the rest of the configuration.

Configuring the action taken when a non-permitted MAC address is detected:

  • Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
  • shutdown (the default) - the port goes into the errdisable state immediately; it has to be brought back up manually (shutdown / no shutdown) or by errdisable recovery. The violation counter is incremented and an SNMP trap / syslog message is sent
  • restrict - the port stays up; frames with a non-permitted source MAC are dropped and counted by the violation counter, and an SNMP trap / syslog message can be sent
  • protect - the port stays up; non-permitted frames are silently dropped, with no counter, no trap and no syslog message, so there is nothing to alert on
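The address handling described in the Static, Dynamic and Sticky sections above and the three violation modes can be checked against a small model. The Python below is an added example written for this page, not code from the page or from Cisco: SecurePort, its methods and the demo() scenarios are this example's own names, the MAC addresses are the ones from the syslog samples further down the page, and it assumes the port's own configuration (maximum, violation mode, sticky) is already saved, so only the secure addresses are subject to the reload rules.

```python
"""Model of Cisco port-security address handling and violation modes. Added
example for this page, not Cisco code; all names are the example's own."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                    # switchport port-security maximum (default 1)
    violation: str = "shutdown"         # shutdown (default) | restrict | protect
    sticky: bool = False                # switchport port-security mac-address sticky
    static: set = field(default_factory=set)          # configured secure addresses
    learned: set = field(default_factory=set)         # dynamic/sticky, in the address table
    running_config: set = field(default_factory=set)  # addresses visible in running-config
    startup_config: set = field(default_factory=set)  # addresses that survive a reload
    err_disabled: bool = False
    violations: int = 0                 # "Security Violation Count"
    last_source: str | None = None      # "Last Source Address" (assumed: every violator)
    syslog: list = field(default_factory=list)

    def __post_init__(self):
        self.static = {m.lower() for m in self.static}
        self.running_config |= self.static

    @property
    def secure_addresses(self) -> set:
        return self.static | self.learned

    def receive(self, mac: str) -> bool:
        """A frame with source `mac` arrives; True if the port forwards it."""
        mac = mac.lower()
        if self.err_disabled:
            return False                          # port is down, nothing passes
        if mac in self.secure_addresses:
            return True
        if len(self.secure_addresses) < self.maximum:
            self.learned.add(mac)                 # dynamic learning
            if self.sticky:
                self.running_config.add(mac)      # sticky: also lands in running-config
            return True
        # Table full and the source is unknown: security violation.
        self.last_source = mac
        if self.violation == "protect":
            return False                          # dropped silently: no counter, no log
        self.violations += 1
        self.syslog.append("%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                           f"occurred, caused by MAC address {mac} on port {self.name}.")
        if self.violation == "shutdown":
            self.err_disabled = True
            self.syslog.append("%PM-4-ERR_DISABLE: psecure-violation error detected on "
                               f"{self.name}, putting {self.name} in err-disable state")
        return False

    def link_flap(self) -> None:
        """shutdown / no shutdown: clears err-disable and the dynamic addresses;
        static and sticky addresses (those in running-config) are kept."""
        self.err_disabled = False
        self.learned = {m for m in self.learned if m in self.running_config}

    def write_memory(self) -> None:
        """copy running-config startup-config"""
        self.startup_config = set(self.running_config)

    def reload(self) -> None:
        """Only addresses that reached startup-config come back; counters reset."""
        self.err_disabled, self.violations, self.last_source = False, 0, None
        self.running_config = set(self.startup_config)
        self.static = {m for m in self.static if m in self.startup_config}
        self.learned = {m for m in self.startup_config if m not in self.static}


def demo() -> dict:
    """Replay the cases from the page; returns what you would observe per case."""
    out, legit, rogue = {}, "0003.a089.efc5", "0000.5e00.0101"
    for mode in ("restrict", "protect", "shutdown"):
        p = SecurePort("Gi0/11", maximum=1, violation=mode)
        p.receive(legit)                  # learned; the table (max 1) is now full
        p.receive(rogue)                  # violation
        # (err-disabled?, counter, does the legitimate host still pass?, syslog lines)
        out[mode] = (p.err_disabled, p.violations, p.receive(legit), len(p.syslog))
    p.link_flap()                         # recover the shutdown case with shut / no shut
    out["after_bounce"] = sorted(p.secure_addresses)   # the dynamic address is gone too

    d = SecurePort("Gi0/1", maximum=2)                  # dynamic
    s = SecurePort("Gi0/2", maximum=2, sticky=True)     # sticky
    for port in (d, s):
        port.receive(legit)
        port.link_flap()
    out["dynamic_after_flap"] = sorted(d.secure_addresses)
    out["sticky_after_flap"] = sorted(s.secure_addresses)
    s.reload()                            # never written to startup-config: lost
    out["sticky_after_reload_unsaved"] = sorted(s.secure_addresses)
    s.receive(legit)
    s.write_memory()
    s.reload()
    out["sticky_after_reload_saved"] = sorted(s.secure_addresses)
    return out
```

Running demo() shows the trade-off between the modes: restrict keeps the legitimate host working and leaves a counter and a syslog line, protect keeps it working but leaves no trace at all, and shutdown cuts off the legitimate host together with the intruder until the port is bounced, at which point the dynamically learned address has to be relearned while a sticky one is still there.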

Example syslog message:

Jun  3 17:18:41.888 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet0/11.

Example syslog messages in violation mode shutdown:

Jun  3 17:14:19.018 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/11, putting Gi0/11 in err-disable state
Jun  3 17:14:19.022 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0003.a089.efc5 on port GigabitEthernet0/11.
Jun  3 17:14:20.022 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to down
Jun  3 17:14:21.023 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet0/11, changed state to down

Show commands:

Switch# show port-security interface gigabitethernet 0/11
Port Security                : Enabled
Port Status                  : Secure-shutdown
Violation Mode               : Shutdown
Aging Time                   : 0 mins
Aging Type                   : Absolute
SecureStatic Address Aging   : Disabled
Maximum MAC Addresses        : 1
Total MAC Addresses          : 0
Configured MAC Addresses     : 0
Sticky MAC Addresses         : 0
Last Source Address          : 0003.a089.efc5
Security Violation Count     : 1
Switch#

Switch# show interfaces status err-disabled
Port       Name                 Status       Reason
Gi0/11    Test port            err-disabled psecure-violation
Switch#
TIP
When a port has been moved to the errdisable state, you must either bounce it manually or configure errdisable recovery for the psecure-violation cause so the switch re-enables it automatically after a prescribed interval. Either way, if the offending device is still attached the port trips again as soon as that device sends another frame. To bounce a port manually and return it to service, use the following commands:
Switch(config)# interface Gi 0/11
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

Switch# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                 (Count)       (Count)            (Count)
---------------------------------------------------------------------------
     Gi0/11              5            1                  0  Restrict
     Gi0/12              1            0                  0  Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6176
Switch#
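For the operations side, the two sources above (the PSECURE_VIOLATION and ERR_DISABLE syslog lines and the show port-security summary) are what a detection rule has to work from. The Python below is an added example, not from the page or from Cisco: it parses both into one per-port report, joining them on the short interface name (GigabitEthernet0/11 and Gi0/11 are the same port). The SYSLOG and SHOW_PORT_SECURITY samples are constructed from the lines shown on this page, and short_name, parse_syslog, parse_show_port_security, triage and ports_needing_attention are this example's own function names.

```python
"""Parse port-security syslog lines and `show port-security` output into a
per-port triage report. Added example for this page, not Cisco code; the
samples are constructed from the lines shown on the page."""
import re

# Constructed sample input: the syslog messages shown on this page.
SYSLOG = """\
Jun  3 17:14:19.018 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/11, putting Gi0/11 in err-disable state
Jun  3 17:14:19.022 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0003.a089.efc5 on port GigabitEthernet0/11.
Jun  3 17:14:20.022 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/11, changed state to down
Jun  3 17:18:41.888 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet0/11.
"""

# Constructed sample input: the `show port-security` summary shown on this page.
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                 (Count)       (Count)            (Count)
---------------------------------------------------------------------------
     Gi0/11              5            1                  0  Restrict
     Gi0/12              1            0                  0  Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6176
"""

PORT = r"[A-Za-z]+[\d/]+"          # Gi0/11, GigabitEthernet0/11, Fa0/1 ...
VIOLATION_RE = re.compile(
    r"^(?P<ts>.+?): %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}) on port (?P<port>"
    + PORT + r")")
ERRDISABLE_RE = re.compile(
    r"^(?P<ts>.+?): %PM-4-ERR_DISABLE: (?P<cause>\S+) error detected on (?P<port>" + PORT + r"),")
ROW_RE = re.compile(
    r"^\s*(?P<port>" + PORT + r")\s+(?P<max>\d+)\s+(?P<cur>\d+)\s+(?P<viol>\d+)\s+(?P<action>\w+)\s*$")


def short_name(port: str) -> str:
    """GigabitEthernet0/11 -> Gi0/11, the form used in show output, so both sources join."""
    m = re.fullmatch(r"([A-Za-z]+)([\d/]+)", port)
    return (m.group(1)[:2] + m.group(2)) if m else port


def parse_syslog(text: str) -> list:
    """Keep only the port-security relevant messages as (ts, kind, port, mac) events."""
    events = []
    for line in text.splitlines():
        m = VIOLATION_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "kind": "violation",
                           "port": short_name(m["port"]), "mac": m["mac"].lower()})
            continue
        m = ERRDISABLE_RE.match(line)
        if m and m["cause"] == "psecure-violation":
            events.append({"ts": m["ts"], "kind": "errdisable",
                           "port": short_name(m["port"]), "mac": None})
    return events


def parse_show_port_security(text: str) -> dict:
    """Rows of the summary table keyed by port; header, separators and totals are skipped."""
    ports = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            ports[short_name(m["port"])] = {"max": int(m["max"]), "current": int(m["cur"]),
                                            "counter": int(m["viol"]), "action": m["action"]}
    return ports


def triage(syslog_text: str, show_text: str) -> dict:
    """Join both sources per port: configured action and live counter from the
    switch, offending MACs and err-disable events from syslog."""
    report = {p: dict(info, offending_macs=[], err_disabled=False)
              for p, info in parse_show_port_security(show_text).items()}
    blank = {"max": None, "current": None, "counter": None, "action": None}
    for ev in parse_syslog(syslog_text):
        entry = report.setdefault(ev["port"], dict(blank, offending_macs=[], err_disabled=False))
        if ev["kind"] == "violation":
            if ev["mac"] not in entry["offending_macs"]:
                entry["offending_macs"].append(ev["mac"])
        else:
            entry["err_disabled"] = True
    return report


def ports_needing_attention(report: dict) -> list:
    """Any syslog violation, an err-disable, or a non-zero live counter. A port in
    protect mode produces none of these, which is the monitoring cost of that mode."""
    return sorted(p for p, e in report.items()
                  if e["offending_macs"] or e["err_disabled"] or (e["counter"] or 0))
```

In the sample, Gi0/11 reads 0 violations in the live summary while syslog holds two violations and an err-disable for it: the counter on the switch is volatile (it does not survive a reload), so syslog, not the show output, is the durable record to alert on.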
wiki/site/cisco/port_security/start.txt · Last modified: 2018/01/23 09:57 by root