第一部分 端口安全
端口安全是一種第2層特性,並且能夠提供如下5種保護特性:
l 基於主機MAC地址允許流量
l 基於主機MAC地址限制流量
l 在期望的端口上阻塞單播擴散
l 避免MAC擴散***
l 避免MAC欺騙***
端口安全是一種第2層特性,並且能夠提供如下5種保護特性:
l 基於主機MAC地址允許流量
l 基於主機MAC地址限制流量
l 在期望的端口上阻塞單播擴散
l 避免MAC擴散***
l 避免MAC欺騙***
第一. 基於主機的MAC地址允許流量
端口安全能夠基於主機MAC地址而允許流量。單個端口能夠允許一個以上到某個特定數目的MAC地址。根據交換機型號的不同,他們所允許的最大MAC地址數也不相同。這種特性有助於規定每個端口所允許的主機數。例如,通過將用戶端口限制到1個學到的MAC地址,而將會議室端口限制到10個MAC地址,將有助於避免網絡的非授權訪問。
通過如下步驟,將可以根據主機MAC地址來允許流量,進而啓動端口安全:
步驟1:對存在問題的端口啓用端口安全
步驟2:配置學習主機MAC地址
步驟3:指定安全違背行爲(默認行爲是永久性地關閉端口)
步驟4:如果安全違背行爲準備關閉端口,就需要配置err-disable計時器,err-disable計時器是一個全局值。
配置過程
1. 配置每個端口所允許的最大MAC地址數
1) 進入全局模式 configure terminal
2) 進入接口模式 interface 接口
3) 配置接口模式
switchport mode access|trunk
注意:一個接口使用默認模式(動態協商)不能啓用端口安全
4) 設置最大MAC數
swtichport port-security maximum 最大值
switchport port-security vlan vlan列表 [access|voice]
可以設置每個VLAN中允許的最大MAC數,access表示爲該vlan是接入vlan,voice表示該vlan是語音vlan
端口安全能夠基於主機MAC地址而允許流量。單個端口能夠允許一個以上到某個特定數目的MAC地址。根據交換機型號的不同,他們所允許的最大MAC地址數也不相同。這種特性有助於規定每個端口所允許的主機數。例如,通過將用戶端口限制到1個學到的MAC地址,而將會議室端口限制到10個MAC地址,將有助於避免網絡的非授權訪問。
通過如下步驟,將可以根據主機MAC地址來允許流量,進而啓動端口安全:
步驟1:對存在問題的端口啓用端口安全
步驟2:配置學習主機MAC地址
步驟3:指定安全違背行爲(默認行爲是永久性地關閉端口)
步驟4:如果安全違背行爲準備關閉端口,就需要配置err-disable計時器,err-disable計時器是一個全局值。
配置過程
1. 配置每個端口所允許的最大MAC地址數
1) 進入全局模式 configure terminal
2) 進入接口模式 interface 接口
3) 配置接口模式
switchport mode access|trunk
注意:一個接口使用默認模式(動態協商)不能啓用端口安全
4) 設置最大MAC數
swtichport port-security maximum 最大值
switchport port-security vlan vlan列表 [access|voice]
可以設置每個VLAN中允許的最大MAC數,access表示爲該vlan是接入vlan,voice表示該vlan是語音vlan
2.配置端口允許的MAC地址
1) 進入接口模式 interface 接口
2) 配置允許的MAC地址
手工指定:
switchport port-security mac-address mac地址 [vlan vlan號|[access|voice]]
動態學習:交換機可以動態學習MAC地址並加入到MAC地址表中,當交換機重新啓動後將丟失
粘性地址:可以動態學習或手工配置,學習後MAC地址加入到MAC地址表,如果保存配置文件,當交換機重新啓動後,交換機不再需要動態學習的那些之前動態學習的地址了
switchport port-security mac-address sticky
1) 進入接口模式 interface 接口
2) 配置允許的MAC地址
手工指定:
switchport port-security mac-address mac地址 [vlan vlan號|[access|voice]]
動態學習:交換機可以動態學習MAC地址並加入到MAC地址表中,當交換機重新啓動後將丟失
粘性地址:可以動態學習或手工配置,學習後MAC地址加入到MAC地址表,如果保存配置文件,當交換機重新啓動後,交換機不再需要動態學習的那些之前動態學習的地址了
switchport port-security mac-address sticky
3. 配置安全違背行爲
1) 進入接口模式 interface 接口
2) 配置違規後的動作
switchport port-security violation protect|restrict|shutdown
protect:保護,當安全MAC地址數量達到了端口所允許的最大MAC地址數的時候,交換機會繼續工作,但將把來自新主機的數據幀丟棄,直到刪 除足夠數量的MAC地址使其低於最大值。
Restrict:限制,交換機繼續工作,向網絡管理站(SNMP)發出一個陷阱trap通告
Shutdown:關閉,交換機將永久性或在特定時間週期內err-disable端口,併發送一個SNMP的trap陷阱通告
需要配置關閉模式下的err-disable計時器
err-disable recovery cause secure-violation
啓用err-disable
err-disable recovery interval 計時器
案例:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 50
Switch(config-if)# switchport port-security mac-address sticky
--------------------------------------------------------------------
Switch(config)# interface f0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 0000.0000.0008
Switch(config-if)# switchport port-security violation restrict
Switch(config)# interface f0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 0000.0000.0011
Switch(config-if)# switchport port-security violation shutdown
-----------------------------------------------------------------------
案例:
Switch(config)#int f0/1
Switch(config-if)#switchport port-security
Command rejected: Fa0/1 is not an access port. //先啓動端口安全會出現錯誤提示
Switch(config-if)#swit mode access
Switch(config-if)#switchport port-security //啓動端口安全
Switch(config-if)#switchport port-security maximum ?
<1-132> Maximum addresses
Switch(config-if)#do show mac-address-table
Mac Address Table
-------------------------------------------
1) 進入接口模式 interface 接口
2) 配置違規後的動作
switchport port-security violation protect|restrict|shutdown
protect:保護,當安全MAC地址數量達到了端口所允許的最大MAC地址數的時候,交換機會繼續工作,但將把來自新主機的數據幀丟棄,直到刪 除足夠數量的MAC地址使其低於最大值。
Restrict:限制,交換機繼續工作,向網絡管理站(SNMP)發出一個陷阱trap通告
Shutdown:關閉,交換機將永久性或在特定時間週期內err-disable端口,併發送一個SNMP的trap陷阱通告
需要配置關閉模式下的err-disable計時器
err-disable recovery cause secure-violation
啓用err-disable
err-disable recovery interval 計時器
案例:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 50
Switch(config-if)# switchport port-security mac-address sticky
--------------------------------------------------------------------
Switch(config)# interface f0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 0000.0000.0008
Switch(config-if)# switchport port-security violation restrict
Switch(config)# interface f0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 0000.0000.0011
Switch(config-if)# switchport port-security violation shutdown
-----------------------------------------------------------------------
案例:
Switch(config)#int f0/1
Switch(config-if)#switchport port-security
Command rejected: Fa0/1 is not an access port. //先啓動端口安全會出現錯誤提示
Switch(config-if)#swit mode access
Switch(config-if)#switchport port-security //啓動端口安全
Switch(config-if)#switchport port-security maximum ?
<1-132> Maximum addresses
Switch(config-if)#do show mac-address-table
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 000d.6564.0280 STATIC CPU
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0100.0cdd.dddd STATIC CPU
1 000b.5f2c.2097 DYNAMIC Fa0/23
1 0010.7b35.e9b6 DYNAMIC Fa0/1 //這是和路由器相連的地址
1 00a1.b003.3cd7 DYNAMIC Fa0/18
10 000b.5f2c.2097 DYNAMIC Fa0/23
20 000b.5f2c.2097 DYNAMIC Fa0/23
30 000b.5f2c.2097 DYNAMIC Fa0/23
40 000b.5f2c.2097 DYNAMIC Fa0/23
100 000b.5f2c.2097 DYNAMIC Fa0/23
200 000b.5f2c.2097 DYNAMIC Fa0/23
201 000b.5f2c.2097 DYNAMIC Fa0/23
202 000b.5f2c.2097 DYNAMIC Fa0/23
Total Mac Addresses for this criterion: 15
------------------------------------------------------------------
Switch(config-if)#switchport port-security mac-address 0010.7b35.e9b6
Switch(config-if)#switchport port-security violation shutdown
Switch#show port-security interface f0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address : 0010.7b35.e9b6
Security Violation Count : 1
-----------------------------------------------------
Switch#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/1 1 1 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
---------------------------------------------------------------------------
Switch#show port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0010.7b35.e9b6 SecureConfigured Fa0/1 -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
現在我們把mac地址爲00a1.b003.3cd7的主機接入到f0/1中,此時會出現如下的信息:
00:24:08: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting
Fa0/1 in err-disable state
00:24:08: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00a1.b003.3cd7 on port FastEthernet0/1.
00:24:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, chang
ed state to down
00:24:10: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
-----------------------------------------
Switch#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/1 1 1 1 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
-------------------------------------------------------------------
Switch#show port-security interface f0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address : 00a1.b003.3cd7
Security Violation Count : 1
---- ----------- -------- -----
All 000d.6564.0280 STATIC CPU
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0100.0cdd.dddd STATIC CPU
1 000b.5f2c.2097 DYNAMIC Fa0/23
1 0010.7b35.e9b6 DYNAMIC Fa0/1 //這是和路由器相連的地址
1 00a1.b003.3cd7 DYNAMIC Fa0/18
10 000b.5f2c.2097 DYNAMIC Fa0/23
20 000b.5f2c.2097 DYNAMIC Fa0/23
30 000b.5f2c.2097 DYNAMIC Fa0/23
40 000b.5f2c.2097 DYNAMIC Fa0/23
100 000b.5f2c.2097 DYNAMIC Fa0/23
200 000b.5f2c.2097 DYNAMIC Fa0/23
201 000b.5f2c.2097 DYNAMIC Fa0/23
202 000b.5f2c.2097 DYNAMIC Fa0/23
Total Mac Addresses for this criterion: 15
------------------------------------------------------------------
Switch(config-if)#switchport port-security mac-address 0010.7b35.e9b6
Switch(config-if)#switchport port-security violation shutdown
Switch#show port-security interface f0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address : 0010.7b35.e9b6
Security Violation Count : 1
-----------------------------------------------------
Switch#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/1 1 1 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
---------------------------------------------------------------------------
Switch#show port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0010.7b35.e9b6 SecureConfigured Fa0/1 -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
現在我們把mac地址爲00a1.b003.3cd7的主機接入到f0/1中,此時會出現如下的信息:
00:24:08: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting
Fa0/1 in err-disable state
00:24:08: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00a1.b003.3cd7 on port FastEthernet0/1.
00:24:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, chang
ed state to down
00:24:10: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
-----------------------------------------
Switch#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Fa0/1 1 1 1 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
-------------------------------------------------------------------
Switch#show port-security interface f0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address : 00a1.b003.3cd7
Security Violation Count : 1
4.配置MAC地址持續時間
1) 進入接口模式 interface 接口
2) 配置持續時間
switchport port-security aging time 時間 type absolute|inactivity
absolute模式:當持續時間過後,安全端口上的地址將被絕對刪除
inactivity模式:在持續時間內,沒有使用的端口將被刪除
案例:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport port-security aging time 120
-------------------------------------------------------------------------
Switch(config-if)# switchport port-security aging time 2
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# switchport port-security aging static
1) 進入接口模式 interface 接口
2) 配置持續時間
switchport port-security aging time 時間 type absolute|inactivity
absolute模式:當持續時間過後,安全端口上的地址將被絕對刪除
inactivity模式:在持續時間內,沒有使用的端口將被刪除
案例:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport port-security aging time 120
-------------------------------------------------------------------------
Switch(config-if)# switchport port-security aging time 2
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# switchport port-security aging static
5.驗證結果
show port-security [interface 接口] address
show port-security [interface 接口] address
案例:
CCIE-LAB(V135)
題目要求:
At sw1 port 15, there is a host need to be protected. You must config this port to protect it and must use arp command to bind the host’s ip address and mac address. Mac addresses 0080.2222.3333 and ip 172.1.1.1/24.
配置:
SW1
interface f0/15
switchport mode access
siwtchport port-security maximum 1
switchport port-security mac-address 0080.2222.3333
switchport port-security violation protect
arp 172.1.1.1 0080.2222.3333 arpa f0/15
CCIE-LAB(V135)
題目要求:
At sw1 port 15, there is a host need to be protected. You must config this port to protect it and must use arp command to bind the host’s ip address and mac address. Mac addresses 0080.2222.3333 and ip 172.1.1.1/24.
配置:
SW1
interface f0/15
switchport mode access
siwtchport port-security maximum 1
switchport port-security mac-address 0080.2222.3333
switchport port-security violation protect
arp 172.1.1.1 0080.2222.3333 arpa f0/15
CCIE-LAB(V142)
題目要求:安全部分
SW1的Fa0/12連接外部Public network drop的機器,這臺機器的IP ADDRESS=X.X.X.X; MAC=0000.8333.3333,保證沒有其他機器可使用這個端口。(考試沒給出IP Address,故沒必要用arp命令)
配置:
sw1
config termi
interface f0/12
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address 0000.8333.3333
switchport port-security violation protect
no shut
題目要求:安全部分
SW1的Fa0/12連接外部Public network drop的機器,這臺機器的IP ADDRESS=X.X.X.X; MAC=0000.8333.3333,保證沒有其他機器可使用這個端口。(考試沒給出IP Address,故沒必要用arp命令)
配置:
sw1
config termi
interface f0/12
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address 0000.8333.3333
switchport port-security violation protect
no shut
CCIE-LAB(V148)
題目要求:
Configure Sw2-Fa0/2 so that it only accepts traffic from R2. If another host is attached to the port then the traffic should be dropped, but the port should remain enabled.
配置:
SW2
Interface f0/2
Switchport mode access
Switchport port-security
Switchport port-securtiy mac-address R2的mac地址
Switchport port-security maximum 1
Switchport port-security violation protect
題目要求:
Configure Sw2-Fa0/2 so that it only accepts traffic from R2. If another host is attached to the port then the traffic should be dropped, but the port should remain enabled.
配置:
SW2
Interface f0/2
Switchport mode access
Switchport port-security
Switchport port-securtiy mac-address R2的mac地址
Switchport port-security maximum 1
Switchport port-security violation protect
CCIE-LAB(yy)
題目要求:
VLAN_B need tight (high) security, configure the ports in this VLAN to physical address of the routers that are currently attached to them.
This configuration should survive the reboot of the switch.
Log violations of this policy while allowing correct traffic to proceed.
圖:
VLAN B---VLAN12
配置:
SW2
conf t
interface range f0/2,f0/5
shut down
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address sticky
switchport port-security violation restrict
另外解決方案:
sw2
config terminal
show mac-address-table //查看r2和r5的mac地址
interface f0/2
shut
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address r2的mac地址
switchport port-security violation restrict
no shut
interface f0/5
shut
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address r2的mac地址
switchport port-security violation restrict
no shut
題目要求:
VLAN_B need tight (high) security, configure the ports in this VLAN to physical address of the routers that are currently attached to them.
This configuration should survive the reboot of the switch.
Log violations of this policy while allowing correct traffic to proceed.
圖:
VLAN B---VLAN12
配置:
SW2
conf t
interface range f0/2,f0/5
shut down
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address sticky
switchport port-security violation restrict
另外解決方案:
sw2
config terminal
show mac-address-table //查看r2和r5的mac地址
interface f0/2
shut
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address r2的mac地址
switchport port-security violation restrict
no shut
interface f0/5
shut
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address r2的mac地址
switchport port-security violation restrict
no shut
案例:
CCIE-LAB(V180)
題目要求:
The customer wants to connect guest Ipphones to Sw4 f0/11-15
l He wants to protecte interface from a user connecting a PC or a hub
l He wants the interface to learning first mac-address connected and become part of the configuration
l He does not want to have to manually bring backup the interface if the encounter a security viotation,but he do to ensure that the phones’s address is the only one allowed,and be able to check eth steales violation.
配置:
sw4
config termi
mls qos
interface range f0/11 –15
switchport mode access
switchport voice vlan dot1p
switchport port-security
switchport port-security mac-address sticky
switchport port-security violation restrict
mls qos trust cos
CCIE-LAB(V180)
題目要求:
The customer wants to connect guest Ipphones to Sw4 f0/11-15
l He wants to protecte interface from a user connecting a PC or a hub
l He wants the interface to learning first mac-address connected and become part of the configuration
l He does not want to have to manually bring backup the interface if the encounter a security viotation,but he do to ensure that the phones’s address is the only one allowed,and be able to check eth steales violation.
配置:
sw4
config termi
mls qos
interface range f0/11 –15
switchport mode access
switchport voice vlan dot1p
switchport port-security
switchport port-security mac-address sticky
switchport port-security violation restrict
mls qos trust cos
第二. 基於主機MAC地址限制流量
對於MAC過濾的特性,它能夠根據主機MAC地址來限制流量,在使用該特性的情況下,交換機能夠丟棄源自所配置MAC地址的流量。通過使用這種特性,網絡管理源能夠防止未授權主機向網絡發送流量。
注意,交換機只允許對單播的源MAC地址流量進行過濾,而不允許對多播的源MAC地址流量進行過濾。他對採用多播源MAC地址發送數據報的規範是無效的。
交換機允許在整個VLAN或單個接口上配置單播過濾。如果數據幀採用的源MAC地址沒有被指定,那麼交換機就可以正常地傳遞數據幀。對於基於cisco IOS軟件的交換機,它只支持重啓之後仍然存在的單播過濾。
配置過程:
1) 進入全局模式 configure terminal
2) 配置限制MAC地址流量
mac-address-table static MAC地址 vlan vlan號 drop
3) 驗證結果
show mac-address-table static vlan 1
對於MAC過濾的特性,它能夠根據主機MAC地址來限制流量,在使用該特性的情況下,交換機能夠丟棄源自所配置MAC地址的流量。通過使用這種特性,網絡管理源能夠防止未授權主機向網絡發送流量。
注意,交換機只允許對單播的源MAC地址流量進行過濾,而不允許對多播的源MAC地址流量進行過濾。他對採用多播源MAC地址發送數據報的規範是無效的。
交換機允許在整個VLAN或單個接口上配置單播過濾。如果數據幀採用的源MAC地址沒有被指定,那麼交換機就可以正常地傳遞數據幀。對於基於cisco IOS軟件的交換機,它只支持重啓之後仍然存在的單播過濾。
配置過程:
1) 進入全局模式 configure terminal
2) 配置限制MAC地址流量
mac-address-table static MAC地址 vlan vlan號 drop
3) 驗證結果
show mac-address-table static vlan 1
案例:
switch(config)#mac-address-table static 0000.0000.0008 vlan 1 drop
switch#show mac-address-table static vlan 1
Mac Address Table
-------------------------------------------
switch(config)#mac-address-table static 0000.0000.0008 vlan 1 drop
switch#show mac-address-table static vlan 1
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
1 000d.6564.0280 STATIC CPU
1 0100.0ccc.cccc STATIC CPU
1 0100.0ccc.cccd STATIC CPU
1 0100.0cdd.dddd STATIC CPU
1 0000.0000.0008 STATIC Drop
Total Mac Addresses for this criterion: 5
---- ----------- -------- -----
1 000d.6564.0280 STATIC CPU
1 0100.0ccc.cccc STATIC CPU
1 0100.0ccc.cccd STATIC CPU
1 0100.0cdd.dddd STATIC CPU
1 0000.0000.0008 STATIC Drop
Total Mac Addresses for this criterion: 5
第三。阻塞端口的單播或多播擴散
默認情況下,如果數據包具有未知的目標MAC地址,那麼交換機將把它擴散到與接收端口的VLAN相同的VLAN中所有端口。某些端口不需要擴散功能。例如,如果某個端口只有手工分配的MAC地址,並且沒有連接所配置MAC地址之外的其它任何網絡設備,那麼它就不需要接收擴散數據包。此外,如果端口已經學到最大數目的MAC地址,那麼對於通過配置安全MAC地址或端口啓用端口安全的端口,它就不必接收未知的單播擴散。
通過使用單播或多播擴散阻塞的特性,將可以避免在不必要的端口上轉發單播擴散流量。通過以每個端口爲基礎而限制流量大小,不僅可以增加網絡的安全限制,並且還可以防止網絡設備徒然地處理無定向的數據包。
默認情況下,如果數據包具有未知的目標MAC地址,那麼交換機將把它擴散到與接收端口的VLAN相同的VLAN中所有端口。某些端口不需要擴散功能。例如,如果某個端口只有手工分配的MAC地址,並且沒有連接所配置MAC地址之外的其它任何網絡設備,那麼它就不需要接收擴散數據包。此外,如果端口已經學到最大數目的MAC地址,那麼對於通過配置安全MAC地址或端口啓用端口安全的端口,它就不必接收未知的單播擴散。
通過使用單播或多播擴散阻塞的特性,將可以避免在不必要的端口上轉發單播擴散流量。通過以每個端口爲基礎而限制流量大小,不僅可以增加網絡的安全限制,並且還可以防止網絡設備徒然地處理無定向的數據包。
配置過程:
1) 進入全局模式 configure terminal
2) 進入接口模式 interface 接口
3) 配置其端口阻塞單播
switchport block unicast
4) 配置其端口阻塞多播流量
switchport block multicast
5) 驗證結果
show interface 接口 switchport
1) 進入全局模式 configure terminal
2) 進入接口模式 interface 接口
3) 配置其端口阻塞單播
switchport block unicast
4) 配置其端口阻塞多播流量
switchport block multicast
5) 驗證結果
show interface 接口 switchport
案例:
Switch# configure terminal
Switch(config)# interface fa0/1
Switch(config-if)# switchport block multicast
Switch(config-if)# switchport block unicast
Switch(config-if)# end
Switch#show interface f0/1 switchport
Switch# configure terminal
Switch(config)# interface fa0/1
Switch(config-if)# switchport block multicast
Switch(config-if)# switchport block unicast
Switch(config-if)# end
Switch#show interface f0/1 switchport
案例:
CCIE-LAB(V160)
題目要求:
在SW2種fa0/10上阻塞所有未知的組播流量
配置:
SW2
config termi
interface f0/10
switchport block multicast
CCIE-LAB(V160)
題目要求:
在SW2種fa0/10上阻塞所有未知的組播流量
配置:
SW2
config termi
interface f0/10
switchport block multicast