Tuesday, October 25, 2016

Best-practice switch port-security configuration

If sticky and aging are configured together, aging does not take effect, because the two cannot be used at the same time.
Sticky binds a learned MAC address to the port (permanently, unless it is cleared manually), so when the same device is later plugged into a different port of the switch, that port goes into err-disable.

The following configuration does not save MAC addresses under the port; in other words, a PC that was plugged into f0/3 of the switch and is then moved to f0/6 will not end up in the err-disable state.

XYJ-C2960_11#show port-security int f0/10 | in Aging
Aging Time                 : 1 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled

XYJ-C2960_11(config)#int f0/10
XYJ-C2960_11(config-if)#switchport port-security
XYJ-C2960_11(config-if)#switchport port-security violation shutdown
XYJ-C2960_11(config-if)#switchport port-security maximum 1

XYJ-C2960_11(config-if)#do show port-s int f0/10 | in Aging
Aging Time                 : 1 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Enabled

The following three commands show essentially no measurable difference in practice; there are subtle differences, so they can be included or omitted.
switchport port-security aging type inactivity | absolute
switchport port-security aging time 1
switchport port-security aging static
To state the exact difference: with no aging configured, a MAC address that has been recorded once never expires, so if the maximum is 3, after three PCs have been connected the fourth will trigger errdisable.
If aging is configured, say at 3 minutes, then after three PCs have been connected the fourth will not trigger it, because the table entry is cleared automatically after 5 minutes.
XYJ-C2960_9#show port-security interface f0/23 add
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)    
----    -----------       ----                          -----   -------------
  11    000c.29e1.0542    SecureDynamic                 Fa0/23       -
  11    6400.6a95.9017    SecureDynamic                 Fa0/23       -
-----------------------------------------------------------------------------
Total Addresses: 2

XYJ-C2960_9#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
XYJ-C2960_9(config)#int f0/23
XYJ-C2960_9(config-if)#switchport port-security aging time 5
XYJ-C2960_9(config-if)#end
XYJ-C2960_9#show port-security interface f0/23 ad
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)    
----    -----------       ----                          -----   -------------
  11    000c.29e1.0542    SecureDynamic                 Fa0/23       5
  11    6400.6a95.9017    SecureDynamic                 Fa0/23       5
-----------------------------------------------------------------------------
Total Addresses: 2

Because the penalty used is shutdown, automatic recovery must be enabled to avoid the hassle of manual intervention.
XYJ-C2960_11(config)#errdisable recovery cause psecure-violation
XYJ-C2960_11(config)#errdisable recovery interval 30
XYJ-C2960_11#show errdisable recovery 
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Disabled
channel-misconfig (STP)      Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
inline-power                 Disabled
link-flap                    Disabled
mac-limit                    Disabled
loopback                     Disabled
pagp-flap                    Disabled
port-mode-failure            Disabled
pppoe-ia-rate-limit          Disabled
psecure-violation            Enabled
security-violation           Disabled
sfp-config-mismatch          Disabled
small-frame                  Disabled
storm-control                Disabled
udld                         Disabled
vmps                         Disabled
psp                          Disabled

Timer interval: 30 seconds

Interfaces that will be enabled at the next timeout:
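As an added example (not part of the original post), a small Python audit that checks a saved running-config against the baseline described above: port-security enabled on access ports, violation mode left at shutdown, no sticky-plus-aging combination, and errdisable recovery enabled for psecure-violation. The sample config and its interface names are constructed for illustration.

```python
# Constructed sample running-config (not from the post); port names are assumptions.
SAMPLE_CONFIG = """\
interface FastEthernet0/10
 switchport mode access
 switchport port-security
 switchport port-security violation shutdown
 switchport port-security aging time 5
!
interface FastEthernet0/11
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security aging time 5
!
interface FastEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security violation protect
!
"""

def audit_port_security(config):
    findings, blocks, current = {}, {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the interface block
    if "errdisable recovery cause psecure-violation" not in config.splitlines():
        findings["global"] = ["errdisable recovery for psecure-violation is off"]
    for name, lines in blocks.items():
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope for this baseline
        issues = []
        if "switchport port-security" not in lines:
            issues.append("port-security not enabled")
        else:
            mode = [l for l in lines if l.startswith("switchport port-security violation")]
            if mode and not mode[0].endswith(" shutdown"):
                issues.append("violation mode is not shutdown")
            sticky = "switchport port-security mac-address sticky" in lines
            aging = any(l.startswith("switchport port-security aging time") for l in lines)
            if sticky and aging:
                issues.append("sticky and aging both set; aging will not take effect")
        if issues:
            findings[name] = issues
    return findings
```

The function returns a dict keyed by interface name (plus "global" for the recovery check) mapping to the list of issues found; an empty dict means the config matches the baseline.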
