实验一:Port-security
1.SW1和SW2创建VLAN10,R1-R4划分到VLAN10,静态分配IP
2. SW之间的Fa0/24 shutdown;Fa0/23指定成access,并且划分到VLAN10
3.在SW2的Fa0/23接口开启Port-security,指定接口最多可以学习3个MAC地址.观察SW2 Fa0/23的状态
4.实验port-security的三种违规动作
5.实验port-security的三种mac-address的学习方式
6.设置port-security动态学习到的MAC地址的aging time为1min
实验完成,还原配置
R1的配置
R1(config)#int f0/0
R1(config-if)#ip add 10.10.1.1 255.255.255.0
R1(config-if)#no sh
R1(config)#sh int f0/0
FastEthernet0/0 is up, line protocol is up
Hardware is AmdFE, address is 0002.4b1e.efe0 (bia 0002.4b1e.efe0)
R2的配置
R2(config)#int f0/0
R2(config-if)#ip add 10.10.1.2 255.255.255.0
R2(config-if)#no sh
R2(config)#sh int f0/0
FastEthernet0/0 is up, line protocol is up
Hardware is AmdFE, address is 0013.8046.8e40 (bia 0013.8046.8e40)
R3的配置
R3(config)#int f0/0
R3(config-if)#ip add 10.10.1.3 255.255.255.0
R3(config-if)#no sh
R2(config)#sh int f0/0
FastEthernet0/0 is up, line protocol is up
Hardware is AmdFE, address is 000c.ce3a.b7e0 (bia 000c.ce3a.b7e0)
R4的配置
R4(config)#int e0/0
R4(config-if)#ip add 10.10.1.4 255.255.255.0
R4(config-if)#no sh
SW1的配置
SW1(config)# vlan 10
SW1(config)#int range f0/1 - 3
SW1(config-if)#switchport mode access
SW1(config-if)#switchport access vlan 10
SW2的配置
SW2(config)# vlan 10
SW2(config)#int range f0/4
SW2(config-if)#switchport mode access
SW2(config-if)#switchport access vlan 10
SW2(config)# interface fastethernet0/23
SW2(config-if)# switchport mode access
SW2(config-if)# switchport port-security
SW2(config-if)# switchport port-security maximum 3
SW2(config-if)# switchport port-security aging time 1 // 改老化时间1min
SW2(config-if)# switchport port-security aging type {absolute | inactivity} // 缺省老化时间300s
SW2#sh port-security int f0/23
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 1 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 3
Total MAC Addresses : 2
Configured MAC Addresses : 2
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0013.8046.8e40:10
Security Violation Count : 1
SW2(config-if)# switchport port-security mac-address sticky
SW2(config-if)# switchport port-security mac-address 0002.4b1e.efe0
SW2(config-if)# switchport port-security mac-address 0013.8046.8e40
*Mar 1 02:30:49.277: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/23, putting Fa0/23 in err-disable state
SW2#sh int f0/23 status err-disabled
Port Name StatusReason Err-disabled Vlans
Fa0/23 err-disabled psecure-violation
SW2(config-if)# switchport port-security violation restrict
// 违反行为改成restrict,接口不会关闭,弹出log,多余的帧丢弃
SW2(config-if)#sh
SW2(config-if)#no sh
*Mar 1 02:16:28.422: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0002.4b1e.efe0 on port FastEthernet0/23.
SW2(config-if)# switchport port-security violation protected
// 违反行为改成protected,接口不会关闭,多余的帧丢弃
SW2(config-if)#sh
SW2(config-if)#no sh
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。