Source: http://chezw.blog.51cto.com/67821/134572
Below is a simple port binding on a Cisco switch, using a Cisco 3550 as the example:
3550(config)# interface fastethernet 0/1
//from global configuration mode, enter interface configuration mode for the port to be configured
3550(config-if)#switchport mode access
//set the port to access mode; note that the default is dynamic,
//and port security cannot be enabled on a port in dynamic mode
3550(config-if)#switchport port-security
//enable port security
3550(config-if)#switchport port-security mac-address <the host's MAC address>
//configure the MAC address of the host to bind to this port
3550(config-if)#switchport port-security maximum 1
//the default is already 1
3550(config-if)#switchport port-security violation shutdown
//action taken on a port-security violation; the default is shutdown
Now look at the following configuration:
3550(config)#mac access-list extended mac-n
//create a named MAC access control list called mac-n
3550(config-ext-macl)#permit host 0001.a1db.f987 any
//the host with source MAC 0001.a1db.f987 may send to any host
3550(config-ext-macl)#permit any host 0001.a1db.f987
//any host may send to the host with destination MAC 0001.a1db.f987
3550(config)#ip access-list extended ip-n
//create a named extended IP access control list called ip-n
3550(config-ext-nacl)#permit ip 172.0.0.1 0.0.0.0 any
//allow only the host 172.0.0.1 (the wildcard 0.0.0.0 matches exactly one address) to send IP traffic on the network
3550(config)#interface fa0/1
//enter interface configuration mode for the port
3550(config-if)#mac access-group mac-n in
3550(config-if)#ip access-group ip-n in
//apply both lists inbound on the port; each named list ends with an implicit deny, so anything not permitted is dropped.
//On the Catalyst 3550 a MAC ACL applied to a port filters non-IP traffic only; IP packets are matched against the IP ACL
The same thing on a 2950, applied to a range of ports and letting the switch learn the address itself:
2950 (config-if-range)#switchport mode access
2950 (config-if-range)#switchport port-security
2950 (config-if-range)#switchport port-security violation restrict
2950 (config-if-range)#switchport port-security mac-address sticky
//restrict drops offending frames and logs them without err-disabling the port; sticky turns the first MAC address(es) learned into secure addresses written into the running configuration
A static ARP entry on a Layer 3 device binds an IP address to a MAC address in the same spirit:
cisco(config)#arp 10.138.208.81 0000.e268.9980 ARPA
Source: http://blog.csdn.net/alone_map/article/details/51840512
A switch learns MAC addresses from the source address of the frames it receives and collects them into a "MAC address table"; many MAC addresses can be learned on a single port. The table itself is finite: once it holds the maximum number of entries, further addresses can no longer be learned, and frames sent to those destinations are flooded out of every port as if they were broadcasts, so the traffic can be captured on any host attached to the switch (this is the MAC-flooding attack) and security is not guaranteed. Port security and ARP binding serve a similar purpose, and used well they can also limit the number of hosts that may connect through a port. Below is a summary of port-security configuration and its simple applications.
host through this port of the switch.
the MAC address that first accesses this port).
, no alarm and no forwarding; alarm and shut down the port.
The port-security configuration commands are as follows:
1.interface f0/1
2.switchport mode access
3.switchport port-security
4.switchport port-security maximum 1
5.switchport port-security mac-address [0001.0001.0001 | sticky]
6.switchport port-security violation [protect | restrict | shutdown]
7.show port-security interface f0/1
8.show port-security address
This completes the secure port configuration.
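The following Python model is added here as an example and is not part of the original post. It shows two things the text above describes: why a full MAC address table leads to flooding, and how the per-port maximum combined with each of the three violation modes (protect, restrict, shutdown) stops one port from filling the table. The switch, port names, MAC addresses, table size and log format are all made up for the model.

```python
"""Toy model of switch MAC learning, CAM-table overflow and port security.

Added example, not code from the original post. Port names, MAC addresses,
the table size and the log format are invented for the model.
"""
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"
BROADCAST = "ffff.ffff.ffff"


@dataclass
class PortSecurity:
    """Per-port state corresponding to the 'switchport port-security' commands."""
    maximum: int = 1                                 # port-security maximum N
    violation: str = SHUTDOWN                        # port-security violation MODE
    secure_macs: set = field(default_factory=set)    # static or sticky-learned addresses
    violations: int = 0                              # 'Security Violation Count'
    err_disabled: bool = False                       # 'Port Status : Secure-shutdown'


class Switch:
    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity   # size of the MAC address table
        self.cam = {}                      # learned entries: mac -> port
        self.psec = {}                     # port -> PortSecurity
        self.log = []

    def enable_port_security(self, port, maximum=1, violation=SHUTDOWN, macs=()):
        self.psec[port] = PortSecurity(maximum, violation, set(macs))

    def _down(self, port):
        ps = self.psec.get(port)
        return ps is not None and ps.err_disabled

    def _violation(self, ps, port, src):
        """Apply the violation mode. All three modes drop the frame."""
        if ps.violation == PROTECT:
            return []                      # silent drop: no log entry, counter unchanged
        ps.violations += 1
        self.log.append(f"violation on {port} by {src} ({ps.violation})")
        if ps.violation == SHUTDOWN:
            ps.err_disabled = True         # stays down until shut/no shut or errdisable recovery
            self.cam = {m: p for m, p in self.cam.items() if p != port}
        return []

    def receive(self, port, src, dst):
        """Handle one frame arriving on `port`; return the ports it is forwarded to."""
        ps = self.psec.get(port)
        if ps is not None:
            if ps.err_disabled:
                return []
            if src not in ps.secure_macs:
                if len(ps.secure_macs) < ps.maximum:
                    ps.secure_macs.add(src)   # learned as a secure (sticky) address
                else:
                    return self._violation(ps, port, src)
        if src in self.cam or len(self.cam) < self.cam_capacity:
            self.cam[src] = port              # normal source-MAC learning
        # otherwise the table is full: src is not learned and frames to it will flood
        out = self.cam.get(dst)
        if out == port:
            return []                         # destination is behind the ingress port
        if out is None:                       # unknown unicast or broadcast: flood
            return [p for p in self.ports if p != port and not self._down(p)]
        return [out]


def flooding_attack(secure=None):
    """An attacker on Fa0/3 sends frames from many source MACs. Returns where the
    server's reply to a client that joins afterwards is forwarded, plus the
    violation count and err-disabled state of Fa0/3."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], cam_capacity=4)   # tiny table for the demo
    if secure is not None:
        sw.enable_port_security("Fa0/3", maximum=1, violation=secure)
    sw.receive("Fa0/2", "0002.0002.0002", BROADCAST)            # server on Fa0/2
    for i in range(8):                                          # attacker floods sources
        sw.receive("Fa0/3", f"dead.beef.{i:04x}", BROADCAST)
    sw.receive("Fa0/1", "0001.0001.0001", "0002.0002.0002")     # client joins on Fa0/1
    reply = sw.receive("Fa0/2", "0002.0002.0002", "0001.0001.0001")
    ps = sw.psec.get("Fa0/3")
    return reply, (ps.violations if ps else 0), (ps.err_disabled if ps else False)


if __name__ == "__main__":
    print("no port security  :", flooding_attack())
    for mode in (PROTECT, RESTRICT, SHUTDOWN):
        print(f"violation {mode:8}:", flooding_attack(mode))
```

Without port security the client's address never enters the full table, so the server's reply is flooded to Fa0/1 and to the attacker on Fa0/3. With a maximum of 1 on Fa0/3 the attacker's second source address is a violation in every mode, the table keeps room for the client, and the reply goes only to Fa0/1; the modes differ only in whether the event is counted and logged (restrict, shutdown) and whether the port is err-disabled (shutdown).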
Example 1 (exp1): allow one specified MAC address through port f0/1; when any other MAC tries to pass, reject it and raise an alarm, but do not shut the port down (violation mode restrict)
1.interface f0/1
2.switchport mode access
3.switchport port-security
4.switchport port-security maximum 1
5.switchport port-security mac-address 0001.0001.0001
6.switchport port-security violation restrict
7.show port-security interface f0/1
Port Security
Port Status
Violation Mode
Aging Time
Aging Type
SecureStatic Address Aging : Disabled
Maximum MAC Addresses
Total MAC Addresses
Configured MAC Addresses
Sticky MAC Addresses
Last Source Address:Vlan
Security Violation Count
Last Source Address:Vlan shows the most recent source MAC seen on the port and the VLAN it belongs to; in this example it is 0002.0002.0002 in vlan 1. Because the policy binds 0001.0001.0001, the MAC 0002.0002.0002 was evidently not allowed through.
8.show port-security address
Switch#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                       (mins)
----    -----------       ----                -----   -------------
   1    0001.0001.0001    SecureConfigured    Fa0/1        -
------------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
This output also shows that the bound MAC is 0001.0001.0001.
Example 2 (exp2): let port f0/1 pass only one MAC address (normally the MAC of the first host to access the port) and reject all others; if another MAC attempts to pass, shut the port down
1.interface f0/1
2.switchport mode access
3.switchport port-security
4.switchport port-security maximum 1
5.switchport port-security mac-address sticky
6.switchport port-security violation shutdown
7.show port-security interface f0/1
Switch#show port-security interface f0/1
Port Security
Port Status
Violation Mode
Aging Time
Aging Type
SecureStatic Address Aging : Disabled
Maximum MAC Addresses
Total MAC Addresses
Configured MAC Addresses
Sticky MAC Addresses
Last Source Address:Vlan
Security Violation Count
8.show port-security address
Switch#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                       (mins)
----    -----------       ----                -----   -------------
   1    0002.0002.0002    SecureSticky        Fa0/1        -
------------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
The first host seen on the port, 0002.0002.0002, has been learned as the sticky secure address. From now on, if any MAC other than 0002.0002.0002 tries to pass through f0/1, the port shuts itself down. The port status then looks like this:
Switch#show interfaces f0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
Switch#show port-security interface f0/1
Port Security
Port Status
Violation Mode
Aging Time
Aging Type
SecureStatic Address Aging : Disabled
Maximum MAC Addresses
Total MAC Addresses
Configured MAC Addresses
Sticky MAC Addresses
Last Source Address:Vlan
Security Violation Count
A host with MAC address 0001.0001.0001 tried to pass through port f0/1, which caused f0/1 to shut down. In show interface f0/1 the status line reads FastEthernet0/1 is down, line protocol is down (err-disabled).
Now try to re-enable the port the usual way: enter f0/1 and issue no shutdown.
Switch(config)#interface f0/1
Switch(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to down
The port cannot be brought up this way. The correct method is to shut it down first with shutdown and then re-enable it with no shutdown:
Switch(config)#interface f0/1
Switch(config-if)#shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
Switch(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Switch(config-if)#do show interface f0/1
FastEthernet0/1 is up, line protocol is up (connected)
Link and line protocol are both up; the port is back in service.
Method two: let ports that the policy has disabled recover automatically (see the article on broadcast storm control for details). For port-security violations the cause keyword is psecure-violation (security-violation is the 802.1X cause), and the interval is the number of seconds between recovery attempts (the default is 300). Note that recovery only helps if the offending host is gone: on the next violation the port is err-disabled again.
Commands:
L5(config)#errdisable recovery cause psecure-violation
L5(config)#errdisable recovery interval 1800
L5#show errdisable recovery
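As an added example (not from the original article), the script below parses the output of show port-security interface for several ports and reports access ports without port security, ports err-disabled by a violation (the case handled by shutdown/no shutdown or errdisable recovery above), and ports with a non-zero violation count together with the last offending MAC. The sample output is constructed in the format IOS prints; the port names, MAC addresses and counters in it are made up.

```python
"""Audit 'show port-security interface' output from a Cisco IOS switch.

Added example, not code from the original article. SAMPLE is constructed
in the IOS output format with made-up ports, MACs and counters.
"""
import re

SAMPLE = """\
Switch#show port-security interface f0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0002.0002.0002:1
Security Violation Count   : 3
Switch#show port-security interface f0/2
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 0001.0001.0001:1
Security Violation Count   : 1
Switch#show port-security interface f0/3
Port Security              : Disabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
"""

# A prompt line such as "Switch#show port-security interface f0/1" starts a new port.
PROMPT = re.compile(r"^\S+#\s*show port-security interface\s+(\S+)\s*$")


def parse_port_security(text):
    """Return {port: {field: value}} from concatenated show outputs."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PROMPT.match(line)
        if m:
            current = ports.setdefault(m.group(1), {})
            continue
        if current is not None and " : " in line:
            # split on the first " : " only: the key "Last Source Address:Vlan"
            # itself contains a colon, as does its value "mac:vlan"
            key, value = line.split(" : ", 1)
            current[key.strip()] = value.strip()
    return ports


def audit(text):
    """Return (port, code, detail) findings an operator would act on."""
    findings = []
    for port, f in parse_port_security(text).items():
        if f.get("Port Security") != "Enabled":
            findings.append((port, "DISABLED", "port security not enabled on this port"))
            continue
        if f.get("Port Status") == "Secure-shutdown":
            findings.append((port, "ERR_DISABLED",
                             "err-disabled by a security violation; recover with "
                             "shutdown/no shutdown or errdisable recovery cause psecure-violation"))
        count = int(f.get("Security Violation Count", "0"))
        if count > 0:
            mac, _, vlan = f.get("Last Source Address:Vlan", "?:?").partition(":")
            findings.append((port, "VIOLATIONS",
                             f"{count} violation(s) in mode {f.get('Violation Mode', '?').lower()}, "
                             f"last offending MAC {mac} in vlan {vlan}"))
    return findings


if __name__ == "__main__":
    for port, code, detail in audit(SAMPLE):
        print(f"{port:6} {code:13} {detail}")
```

On a real switch the text is collected once per port (or from show port-security interface run over a range with a script) and fed to audit(); anything reported as ERR_DISABLED needs the shutdown/no shutdown sequence or errdisable recovery shown above, while a growing VIOLATIONS count on a restrict-mode port means the offending host is still plugged in.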