wiki:site:cisco:port_security:start [2016/01/18 22:14]
root created
wiki:site:cisco:port_security:start [2018/01/23 09:57] (current)
root
>Switch# **show port-security address**
  
=== How to get rid of unwanted MAC addresses: ===
  
>Switch# **clear port-security sticky [address** //mac-addr// **| interface** //type mod/num//**]**
or
>Switch# **clear port-security dynamic [address** //mac-addr// **| interface** //type mod/num//**]**
 +
>Switch(config-if)# **shutdown**
>Switch(config-if)# **no shutdown**
or
>Switch# **reload**
 +
=== Configuring the action taken when an unauthorized MAC is detected: ===
 +  * Switch(config-if)# **switchport port-security violation {shutdown | restrict | protect}**
 +
  * **shutdown** - the port goes into the //Errdisable// state immediately; it must be brought back up manually (shutdown / no shutdown) or by Errdisable recovery
  * **restrict** - the port stays up, frames with an unauthorized source MAC are dropped and counted by the violation counter; an SNMP trap / Syslog message can be sent
  * **protect** - the port stays up, frames with an unauthorized source MAC are dropped silently; nothing is logged and the violation counter is not incremented
 +
Example Syslog message (the port stays up, i.e. violation mode **restrict**):
 +<code>
 +Jun  3 17:18:41.888 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation
 +  occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet0/11.
 +</code>
 +
Example Syslog messages with violation mode **shutdown** (note the additional %PM-4-ERR_DISABLE line and the port going down):
 +<code>
 +Jun  3 17:14:19.018 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on
 +  Gi0/11, putting Gi0/11 in err-disable state
 +Jun  3 17:14:19.022 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation
 +  occurred, caused by MAC address 0003.a089.efc5 on port GigabitEthernet0/11.
 +Jun  3 17:14:20.022 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gigabit
 +  Ethernet0/11, changed state to down
Jun  3 17:14:21.023 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet0/11, changed
  state to down
 +</code>
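The two syslog excerpts above are what a SIEM or a monitoring script actually sees, so the practical question is how to turn them into "which port, which MAC, is the port now err-disabled, and what do I type to recover it". The following is an added example written for this page, not code from the wiki or from Cisco. It parses the %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE messages, keeps a per-port state, infers the violation mode from the messages that did or did not appear, and emits the shutdown / no shutdown recovery sequence for err-disabled ports. The sample log lines are constructed from the page's excerpts, joined back onto single lines as the switch emits them; the shutdown-mode event has been moved to Gi0/12 (the page's own syslog shows Gi0/11 for both) so that one stream shows both modes, matching the page's show port-security table where Gi0/11 is Restrict and Gi0/12 is Shutdown. The function names are my own.

```python
"""Summarize Cisco IOS port-security syslog messages per port.

Added example for this page, not code from the wiki or from Cisco.
Sample lines are constructed from the page's syslog excerpts.
"""
import re
from dataclasses import dataclass, field

# Logged in 'restrict' and 'shutdown' violation modes. 'protect' mode drops
# frames silently and produces no message at all, so it is invisible here.
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>\S+)\."
)
# Only appears in 'shutdown' mode: the port has been put into err-disable.
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+), "
    r"putting (?P=port) in err-disable state"
)


def normalize_port(name):
    """IOS logs the same interface as GigabitEthernet0/11 or Gi0/11; use the short form."""
    return re.sub(r"^GigabitEthernet", "Gi", name)


@dataclass
class PortState:
    violations: int = 0
    offending_macs: list = field(default_factory=list)
    err_disabled: bool = False


def summarize(lines):
    """Return {short port name: PortState} built from a list of syslog lines."""
    ports = {}
    for line in lines:
        m = VIOLATION_RE.search(line)
        if m:
            st = ports.setdefault(normalize_port(m["port"]), PortState())
            st.violations += 1
            if m["mac"] not in st.offending_macs:
                st.offending_macs.append(m["mac"])
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            st = ports.setdefault(normalize_port(m["port"]), PortState())
            st.err_disabled = True
    return ports


def inferred_mode(state):
    """Guess the violation mode from what was (not) logged.

    err-disable after a violation => shutdown; violation without err-disable =>
    restrict. 'protect' never logs, so it can only show up as 'unknown'
    (assumption: the ERR_DISABLE line was not filtered out upstream).
    """
    if state.err_disabled:
        return "shutdown"
    if state.violations:
        return "restrict"
    return "unknown"


def recovery_commands(ports):
    """IOS commands to cycle every err-disabled port back into service."""
    cmds = []
    for port, st in sorted(ports.items()):
        if st.err_disabled:
            cmds += [f"interface {port}", " shutdown", " no shutdown"]
    return cmds


# Constructed sample: the page's two excerpts as single-line syslog records;
# the shutdown-mode event is placed on Gi0/12 to show both modes in one stream.
SAMPLE_SYSLOG = [
    "Jun  3 17:18:41.888 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet0/11.",
    "Jun  3 17:14:19.018 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on "
    "Gi0/12, putting Gi0/12 in err-disable state",
    "Jun  3 17:14:19.022 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address 0003.a089.efc5 on port GigabitEthernet0/12.",
    "Jun  3 17:14:20.022 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface "
    "GigabitEthernet0/12, changed state to down",
]

if __name__ == "__main__":
    for port, st in sorted(summarize(SAMPLE_SYSLOG).items()):
        print(port, inferred_mode(st), st.violations, st.offending_macs, st.err_disabled)
    print("\n".join(recovery_commands(summarize(SAMPLE_SYSLOG))))
```

Because protect mode produces no syslog at all, a port in that mode looks identical to a healthy one in this summary; if you rely on logs for detection, use restrict or shutdown.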
 +
=== Show commands: ===
 +Switch# **show port-security interface gigabitethernet 0/11**
 +<code>
 +Switch# show port-security interface gigabitethernet 0/11
 +Port Security                : Enabled
 +Port Status                  : Secure-shutdown
 +Violation Mode               : Shutdown
 +Aging Time                   : 0 mins
 +Aging Type                   : Absolute
 +SecureStatic Address Aging   : Disabled
 +Maximum MAC Addresses        : 1
 +Total MAC Addresses          : 0
 +Configured MAC Addresses     : 0
 +Sticky MAC Addresses         : 0
 +Last Source Address          : 0003.a089.efc5
 +Security Violation Count     : 1
 +Switch#
 +</code>
 +
 +Switch# **show interfaces status err-disabled**
 +<code>
 +Switch# show interfaces status err-disabled
 +Port       Name                 Status       Reason
 +Gi0/11    Test port            err-disabled psecure-violation
Switch#
</code>

TIP: When a port is moved to the errdisable state, you must either manually cycle it or configure the switch to automatically re-enable ports after a prescribed delay. To manually cycle a port and return it to service, use the following commands:
>Switch(config)# **interface Gi 0/11**
>Switch(config-if)# **shutdown**
>Switch(config-if)# **no shutdown**
 +
 +Switch# **show port-security**
 +<code>
 +Switch# show port-security
 +Secure Port  MaxSecureAddr   CurrentAddr  SecurityViolation  Security Action
 +                  (Count)        (Count)           (Count)
 +---------------------------------------------------------------------------
 +     Gi0/11                5                                0          Restrict
 +     Gi0/12                1                                0          Shutdown
 +---------------------------------------------------------------------------
 +Total Addresses in System (excluding one mac per port)      : 0
 +Max Addresses limit in System (excluding one mac per port) : 6176
 +Switch#
 +</code>
 +
wiki/site/cisco/port_security/start.1453151674.txt.gz · Last modified: 2016/01/18 22:14 by root