Enabling port-security
Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int fa0/1
Switch(config-if)#switchport port-security ##The switchport mode defaults to dynamic; it must be changed to access before port-security can be enabled
Command rejected: FastEthernet0/1 is a dynamic port.
Switch(config-if)#switchport mode access ##Change the switchport mode to access
Switch(config-if)#switchport port-security ##Enable port-security
Switch#show port-security interface fa0/1 ##Show the port-security status of fa0/1
Manually binding a MAC address
Switch(config)#int fa0/1
Switch(config-if)#switchport port-security mac-address 00d0.ffa7.5801 ##Configure a static secure MAC address
Found duplicate mac-address 00d0.ffa7.5801. ##The MAC address table already holds an entry for this MAC, so the interface must be shut down before the static entry can be configured
Switch(config-if)#shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Switch(config-if)#switchport port-security mac-address 00d0.ffa7.5801
Switch(config-if)#no shutdown
Switch(config-if)#
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Switch(config-if)#
Switch#show port-security interface fa0/1 ##Show the port-security status of fa0/1
Switch#show port-security address ##Show the secure MAC address table
Setting the maximum number of MAC addresses
Switch(config-if)#switchport port-security maximum 2 ##Set the maximum number of secure MACs to 2 (the default is 1)
Switch(config-if)#switchport port-security mac-address 00d0.ffa7.5802 ##Configure a static secure MAC address
Switch(config-if)#shutdown
Switch(config-if)#no shutdown
Switch(config-if)#do show port-security interface fa0/1 ##Show the port-security status of fa0/1
Learning MAC addresses automatically (sticky)
Switch(config)#int fa0/2
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security mac-address sticky ##Enable sticky MAC learning
At this point, connect 2 devices to the port one at a time and test connectivity, so that the switch records both devices' MAC addresses; the learned MACs are written into the running configuration automatically.
Switch(config-if)#do show port-security interface fa0/2 ##Show the port-security status of fa0/2
Switch#show port-security address ##Show the secure MAC address table
Configuring the action on a security violation (violation mode)
Switch(config-if)#switchport port-security violation ?
protect Security violation protect mode ##Keeps the secured MACs and drops frames from unknown MACs
restrict Security violation restrict mode ##Keeps the secured MACs, drops frames from unknown MACs, and logs the violation
shutdown Security violation shutdown mode ##This is the default: the port is shut down, and once disabled it must be re-enabled by entering shutdown followed by no shutdown
Other commands
Switch#show mac-address-table ##Show the switch's MAC address table
Switch#clear mac-address-table ##Clear the switch's MAC address table
Switch#show port-security address ##Show the secure MAC address table
Switch#clear port-security all ##Clear the secure MAC address table
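The steps above (access mode first, then port-security, maximum, static or sticky MACs, and the violation action) are easy to get out of order when many ports are configured by hand. The following Python script is an added example, not part of the original post: it builds the per-port command sequence in the order this page uses and validates the inputs before they reach the switch. The interface names, MAC addresses and the function names to_cisco_mac and port_security_config are constructed for the example.

```python
import re

# Added example (not from the original post): build the port-security
# commands for one access port and catch the mistakes that IOS would
# otherwise reject at the CLI. Names and values here are constructed.

VALID_VIOLATION_MODES = ("protect", "restrict", "shutdown")


def to_cisco_mac(mac: str) -> str:
    """Normalize a MAC written as aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or
    aabb.ccdd.eeff into the dotted form IOS expects, e.g. 00d0.ffa7.5801."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def port_security_config(interface, static_macs=(), maximum=1,
                         sticky=False, violation="shutdown"):
    """Return the IOS configuration lines for one port.

    The ordering follows the procedure on this page:
    - 'switchport mode access' comes first, because port-security is
      rejected on a dynamic port;
    - 'maximum' is set before any static MAC so the count is not exceeded;
    - static MACs are wrapped in shutdown / no shutdown, since binding a MAC
      that is already in the MAC address table is rejected as a duplicate
      while the port is up.
    """
    if violation not in VALID_VIOLATION_MODES:
        raise ValueError(f"violation mode must be one of {VALID_VIOLATION_MODES}")
    macs = [to_cisco_mac(m) for m in static_macs]
    if len(set(macs)) != len(macs):
        raise ValueError("the same MAC address is listed twice")
    if len(macs) > maximum:
        raise ValueError(f"{len(macs)} static MACs exceed the maximum of {maximum}")

    lines = [
        f"interface {interface}",
        " switchport mode access",
        " switchport port-security",
        f" switchport port-security maximum {maximum}",
        f" switchport port-security violation {violation}",
    ]
    if macs:
        lines.append(" shutdown")
        lines += [f" switchport port-security mac-address {m}" for m in macs]
        lines.append(" no shutdown")
    if sticky:
        lines.append(" switchport port-security mac-address sticky")
    return lines


if __name__ == "__main__":
    # Constructed inventory: one port with a static MAC, one sticky port.
    ports = [
        dict(interface="FastEthernet0/1", static_macs=["00:D0:FF:A7:58:01"],
             maximum=2, violation="restrict"),
        dict(interface="FastEthernet0/2", maximum=2, sticky=True,
             violation="restrict"),
    ]
    for spec in ports:
        print("\n".join(port_security_config(**spec)))
        print("!")
```

Paste the printed lines into configuration mode, or feed them to whatever configuration tool you already use; the script only produces text and never talks to the switch.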
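The show commands on this page tell you the state of a port, but on a switch with many access ports someone still has to read each one. The Python script below is an added example, not part of the original post: it parses the output of show port-security interface into a dictionary and reports the conditions a defender acts on (port-security disabled, port err-disabled after a violation, violations counted, protect mode giving no log, secure-address count at the maximum). The sample output is constructed to follow the IOS field layout, and the function names parse_port_security and audit_port_security are assumptions.

```python
import re

# Added example, not code from the original post: parse the output of
# "show port-security interface <if>" and report what needs attention.
# SAMPLE_OUTPUT is constructed to match the IOS layout (field, colon, value).

SAMPLE_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 000c.2912.aabb:1
Security Violation Count   : 1
"""

# A field name may itself contain a colon ("Last Source Address:Vlan"),
# so split only on the colon that has whitespace on both sides.
_FIELD = re.compile(r"^(?P<key>.+?)\s+:\s+(?P<value>.*)$")


def parse_port_security(text: str) -> dict:
    """Turn the show output into a dict; purely numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if not m:
            continue
        value = m.group("value").strip()
        fields[m.group("key")] = int(value) if value.isdigit() else value
    return fields


def audit_port_security(fields: dict) -> list:
    """Return human-readable findings for one interface (empty list = clean)."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        findings.append("port-security is not enabled on this interface")
        return findings
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("port is err-disabled after a violation; after investigating, "
                        "recover it with 'shutdown' followed by 'no shutdown'")
    violations = fields.get("Security Violation Count", 0)
    if violations > 0:
        findings.append(f"{violations} security violation(s) recorded; "
                        f"last source address {fields.get('Last Source Address:Vlan')}")
    if fields.get("Violation Mode") == "Protect":
        findings.append("violation mode is protect: unknown MACs are dropped without "
                        "logging, so violations will not show up in syslog")
    if fields.get("Total MAC Addresses") == fields.get("Maximum MAC Addresses"):
        findings.append("secure address count has reached the configured maximum; "
                        "the next unknown MAC will trigger the violation action")
    return findings


if __name__ == "__main__":
    for finding in audit_port_security(parse_port_security(SAMPLE_OUTPUT)):
        print("-", finding)
```

Run it over the captured output of each interface (for example from a scheduled show port-security interface collection) and alert on any non-empty result; the Secure-shutdown finding is the one that corresponds to the manual shutdown / no shutdown recovery described for the default violation mode.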