二層Port-security實驗

實驗一：Port-security

1.SW1和SW2創(chuàng)建VLAN10,R1-R4劃分到VLAN10,靜態(tài)分配IP

2. SW之間的Fa0/24 shutdown;Fa0/23指定成access,并且劃分到VLAN10

3.在SW2的Fa0/23接口開啟Port-security,指定接口最多可以學習3個MAC地址.觀察SW2 Fa0/23的狀態(tài)

4.實驗port-security的三種違規(guī)動作

5.實驗port-security的三種mac-address的學習方式

6.設置port-security動態(tài)學習到的MAC地址的aging time為1min

實驗完成,還原配置

R1的配置

R1(config)#int f0/0

R1(config-if)#ip add 10.10.1.1 255.255.255.0

R1(config-if)#no sh

R1(config)#sh int f0/0

? FastEthernet0/0 is up, line protocol is up?

? ? Hardware is AmdFE, address is 0002.4b1e.efe0 (bia 0002.4b1e.efe0)

R2的配置

R2(config)#int f0/0

R2(config-if)#ip add 10.10.1.2 255.255.255.0

R2(config-if)#no sh

R2(config)#sh int f0/0

? FastEthernet0/0 is up, line protocol is up?

? ? Hardware is AmdFE, address is 0013.8046.8e40 (bia 0013.8046.8e40)

R3的配置

R3(config)#int f0/0

R3(config-if)#ip add 10.10.1.3 255.255.255.0

R3(config-if)#no sh

R2(config)#sh int f0/0

? FastEthernet0/0 is up, line protocol is up?

? ? Hardware is AmdFE, address is?000c.ce3a.b7e0 (bia 000c.ce3a.b7e0)

R4的配置

R4(config)#int e0/0

R4(config-if)#ip add 10.10.1.4 255.255.255.0

R4(config-if)#no sh

SW1的配置

SW1(config)# vlan 10

SW1(config)#int range f0/1 - 3

SW1(config-if)#switchport mode access

SW1(config-if)#switchport access vlan 10

SW2的配置

SW2(config)# vlan 10

SW2(config)#int range f0/4

SW2(config-if)#switchport mode access

SW2(config-if)#switchport access vlan 10

SW2(config)# interface fastethernet0/23

SW2(config-if)# switchport mode access

SW2(config-if)# switchport port-security

SW2(config-if)# switchport port-security maximum 3

SW2(config-if)# switchport port-security aging time 1 ??// 改老化時間1min

SW2(config-if)# switchport port-security aging type {absolute | inactivity} ?// 缺省老化時間300s

SW2#sh port-security int f0/23

? Port Security ? ? ? ? ? ? ?: Enabled

? Port Status ? ? ? ? ? ? ? ?: Secure-shutdown

? Violation Mode ? ? ? ? ? ? : Shutdown

? Aging Time ? ? ? ? ? ? ? ? : 1 mins

? Aging Type ? ? ? ? ? ? ? ? : Absolute

? SecureStatic Address Aging : Disabled

? Maximum MAC Addresses ? ? ?: 3

? Total MAC Addresses ? ? ? ?: 2

? Configured MAC Addresses ? : 2

? Sticky MAC Addresses ? ? ? : 0

? Last Source Address:Vlan ? : 0013.8046.8e40:10

? Security Violation Count ? : 1

SW2(config-if)# switchport port-security mac-address sticky

SW2(config-if)# switchport port-security mac-address 0002.4b1e.efe0

SW2(config-if)# switchport port-security mac-address?0013.8046.8e40

? *Mar ?1 02:30:49.277: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/23, putting Fa0/23 in err-disable state

SW2#sh int f0/23 status err-disabled

? Port ? ? ? ? ?Name ? ? ? StatusReason ? ? ? ? Err-disabled Vlans

? Fa0/23 ? ? ? ? ? ? ? err-disabled psecure-violation

SW2(config-if)# switchport port-security?violation restrict ? ?

? ? ? ? ? ? ? ? ? // 違反行為改成restrict，接口不會關閉，彈出log，多余的幀丟棄

SW2(config-if)#sh ?

SW2(config-if)#no sh

? *Mar ?1 02:16:28.422: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0002.4b1e.efe0 on port FastEthernet0/23.

SW2(config-if)# switchport port-security?violation protected???

? ? ? ? ? ? ? ? ?// 違反行為改成protected，接口不會關閉，多余的幀丟棄

SW2(config-if)#sh ?

SW2(config-if)#no sh