1. Basic Concepts
Port security (Port Security) is deployed on specific switch interfaces to meet the corresponding security requirements: it limits which and how many MAC addresses may access the port.
2. Basic Configuration
![Figure 1 - 6.2 Port Security - dsrw.com](https://www.dsrw.com/wp-content/uploads/2023/03/图片7-7.png)
1) Configure port security that allows one device to connect; when the limit is exceeded, a warning is raised but data is still forwarded normally.
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port-security enable
[SW1-GigabitEthernet0/0/1]port-security max-mac-num 1
[SW1-GigabitEthernet0/0/1]port-security protect-action restrict
[SW1]interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]port-security enable
[SW1-GigabitEthernet0/0/2]port-security max-mac-num 1
[SW1-GigabitEthernet0/0/2]port-security protect-action restrict
2) Configure port security that allows two devices to connect; when the limit is exceeded, a warning is raised and forwarding is shut down.
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]port-security enable
[SW1-GigabitEthernet0/0/3]port-security max-mac-num 2
[SW1-GigabitEthernet0/0/3]port-security protect-action shutdown
3) View the port-security MAC entries
[SW1]display mac-address security
MAC Address VLAN/ PEVLAN CEVLAN Port Type LSP/LSR-ID
VSI/SI MAC-Tunnel
5489-98ba-2ced 1 - - GE0/0/1 security -
5489-984a-795b 1 - - GE0/0/2 security -
5489-980c-3049 1 - - GE0/0/3 security -
4) Adding a device to the hub triggers shutdown of G0/0/3 on SW1
<SW1>display interface brief
InUti/OutUti: input utility/output utility
Interface PHY Protocol InUti OutUti inErrors outErrors
GigabitEthernet0/0/1 up up 0% 0% 0 0
GigabitEthernet0/0/2 up up 0% 0% 0 0
GigabitEthernet0/0/3 *down down 0% 0% 0 0
5) Restore the interface to UP after the specified interval (manually with undo shutdown, or automatically with error-down auto-recovery)
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]undo shutdown
[SW1]error-down auto-recovery cause auto-defend interval 30
3. Sticky MAC Addresses
After port security is enabled on an interface, the addresses it learns are called dynamic secure MAC addresses; they are lost when the switch reboots. Converting dynamic MAC addresses to sticky MAC addresses and saving the configuration keeps them across a reboot.
![Figure 2 - 6.2 Port Security - dsrw.com](https://www.dsrw.com/wp-content/uploads/2023/03/图片8-8.png)
1) View the MAC address table
PC1>ping 192.168.1.1
From 192.168.1.1: bytes=32 seq=1 ttl=128 time=47 ms
PC1>ping 192.168.1.2
Ping 192.168.1.2: 32 data bytes, Press Ctrl_C to break
[SW1]dis mac-address
5489-981c-2e25 1 - - GE0/0/3 dynamic 0/-
5489-9835-4a13 1 - - GE0/0/1 dynamic 0/-
5489-985d-163e 1 - - GE0/0/2 dynamic 0/-
2) Enable port security on port 1 of SW1 and configure sticky MAC addresses
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port-security enable
[SW1-GigabitEthernet0/0/1]port-security max-mac-num 1
[SW1-GigabitEthernet0/0/1]port-security mac-address sticky
3) Enable port security on port 2 of SW1 and configure sticky MAC addresses
[SW1]interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]port-security enable
[SW1-GigabitEthernet0/0/2]port-security max-mac-num 1
[SW1-GigabitEthernet0/0/2]port-security mac-address sticky
4) Enable port security on port 3 of SW1, configure sticky MAC addresses, and bind the interface to a specific MAC address
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]port-security enable
[SW1-GigabitEthernet0/0/3]port-security max-mac-num 1
[SW1-GigabitEthernet0/0/3]port-security mac-address sticky
[SW1-GigabitEthernet0/0/3]port-security mac-address sticky 5489-981c-2e25 vlan 1
[SW1]display mac-address
5489-981c-2e25 1 - - GE0/0/3 sticky -
5) Let PC1 and PC2 communicate, check the MAC address table, then save the configuration with save
PC1>ping 192.168.1.3
From 192.168.1.3: bytes=32 seq=1 ttl=128 time=31 ms
PC2>ping 192.168.1.3
From 192.168.1.3: bytes=32 seq=1 ttl=128 time=32 ms
[SW1]display mac-address
5489-981c-2e25 1 - - GE0/0/3 sticky -
5489-9835-4a13 1 - - GE0/0/1 sticky -
5489-985d-163e 1 - - GE0/0/2 sticky -
<SW1>save
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Info: Please input the file name ( *.cfg, *.zip ) [vrpcfg.zip]:
Now saving the current configuration to the slot 0.
Save the configuration successfully.
6) Reboot the switch and check the MAC address table
<SW1>display mac-address
5489-981c-2e25 1 - - GE0/0/3 sticky -
5489-9835-4a13 1 - - GE0/0/1 sticky -
5489-985d-163e 1 - - GE0/0/2 sticky -
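To make the behaviour of sections 2 and 3 concrete (max-mac-num, the restrict and shutdown protect actions, and sticky entries surviving a reboot), here is an added Python model of a port-security interface. It is illustrative code written for this page, not Huawei VRP code; the port names and the 5489-* MACs come from the outputs above, the aaaa-bbbb-* MACs are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class SecurePort:
    """Hypothetical model of one interface with port-security enabled."""
    name: str
    max_mac_num: int = 1
    protect_action: str = "restrict"  # restrict: drop + alarm; shutdown: error-down
    sticky: bool = False
    dynamic: set = field(default_factory=set)      # dynamic secure MACs (lost on reboot)
    sticky_macs: set = field(default_factory=set)  # sticky MACs (kept in saved config)
    alarms: list = field(default_factory=list)
    up: bool = True

    def secure_macs(self) -> set:
        return self.dynamic | self.sticky_macs

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame; return True if it is forwarded."""
        if not self.up:                      # an error-down port forwards nothing
            return False
        if src_mac in self.secure_macs():    # already a secure MAC on this port
            return True
        if len(self.secure_macs()) < self.max_mac_num:
            (self.sticky_macs if self.sticky else self.dynamic).add(src_mac)
            return True
        self.alarms.append(f"{self.name}: unauthorised source MAC {src_mac}")
        if self.protect_action == "shutdown":
            self.up = False                  # whole port goes down, even for known MACs
        return False                         # restrict: drop only this frame

    def recover(self) -> None:
        """undo shutdown / error-down auto-recovery brings the port back up."""
        self.up = True

    def reboot(self) -> None:
        """Reboot after save: dynamic entries vanish, sticky entries remain."""
        self.dynamic.clear()

def demo():
    ge1 = SecurePort("GE0/0/1", 1, "restrict")           # section 2, step 1)
    ge3 = SecurePort("GE0/0/3", 2, "shutdown")           # section 2, step 2)
    r1 = [ge1.receive(m) for m in ("5489-98ba-2ced", "aaaa-bbbb-0001", "5489-98ba-2ced")]
    r3 = [ge3.receive(m) for m in ("5489-980c-3049", "aaaa-bbbb-0002",
                                   "aaaa-bbbb-0003", "5489-980c-3049")]
    st = SecurePort("GE0/0/3", 1, "restrict", sticky=True)  # section 3, step 4)
    st.receive("5489-981c-2e25"); st.reboot()
    return r1, r3, ge3.up, sorted(st.secure_macs()), len(ge1.alarms) + len(ge3.alarms)
```

With restrict the third frame from the original device is still forwarded after the violation; with shutdown the fourth frame is dropped even though its MAC was secured, until recover() is called.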