cisco port security

port-security
1.switch feature that can grant access through a port only if the host with MAC address is connected
2.the feature can block "MAC address flooding"

ps:
mac address flooding
a switch is fed many frames, each containing different "source MAC addresses", by the attacker.
The intention is to consume the limited memory set aside in the switch to store the MAC address table.
this is a simple DoS attack against the switching infrastructure.

 

啟用port-security
(config-if)#switchport mode access //port security功能要在access mode下
(config-if)#switchport port-security
若機器正連到此switch,則會自動把此機器的mac當作allow的硬體位置,建議輸入此指令前,將port給shutdown
ps:
當該介面線路被拔除,預設會將port-security資料清空
但若是使用sticky功能,則會以指令自動寫在running configuration
ps:
使用該功能時,若介面1已記錄mac_a,則該mac_a到其他介面時無法使用網路,
除非將介面1對映到mac_a的資料清空
方法有:拔除線路,使用aging指令逾時自動清空,使用clear port-security指令

 

設定最大secure-mac數量
(config-if)#switchport port-security maximum < 1-1024>
動態學習mac address並儲存在address table中,重開機後會消失
ps:預設是1

ps:在1900switch為port secure max-mac-count < num>

 

在該介面指定可存取的mac
(config-if)#switchport port-security mac-address < mac addr>
< mac addr> 可將mac address設成與某個埠結合的靜態記錄
ps:
port-security maximum設3,且又指定1個port-security mac-address,則只有2個可存取的mac可動態被學習

 

啟用sticky MAC addresses
(config-if)#switchport port-security mac-address strick
會將學習的mac address儲存在running configuration,
效果類似switch自己看進來有那些mac自動執行
switchport port-security mac-address < mac addr>
若手動執行copy run sta後,重開機則不會消失
ps:似乎無法於aging合用

 

非允許的mac位置連入時處理方式
(config-if)#switchport port-security violation < protect|restrict|shutdown>
protect(保護模式):
丟掉不合法的封包,不發警告

復原方式:使用clear port-security dynamic
restrict(限制模式):
丟掉不合法的封包,發警告,送出SNMP trap和syslog訊息

復原方式:使用clear port-security dynamic
ps:
在restrict模式下,當有非法存取時,syslog訊息大致如下
Jun 3 17:18:41.888 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet0/11
shutdown(關閉模式):預設
進入err-disable狀態,並將port關閉,發警告,送出SNMP trap和syslog訊息

復原方式:手動重啟介面(shutdown後在no shutdown)或透過errdisable recovery恢復
ps:
在shutdown模式下,若有非法存取時,show interface時會看到error-disable
ps:
若gi0/11為shutdown mode,當有非法存取時,syslog訊息大致如下
Jun 3 17:14:19.018 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/11, putting Gi0/11 in err-disable state
Jun 3 17:14:19.022 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address0003.a089.efc5 on port GigabitEthernet0/11.
Jun 3 17:14:20.022 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gigabit Ethernet0/11, changed state to down
Jun 3 17:14:21.023 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet0/11, changed state to down

ex:
(config)# interface GigabitEthernet0/11
(config-if)# switchport access vlan 991
(config-if)# switchport mode access
(config-if)# switchport port-security
(config-if)# switchport port-security violation restrict


指定Mac-Address可存活的時間
(config-if)#switchport port-security aging [static] [min] [type]
[static] 手動輸入的Mac-Address也加入計時
[min]預設為0,表示是永久有效

[type] inactivity表示當沒有封包通過時,就開始計時,absolute為絕對時間

 

清除port-security mac
# clear port-security dynamic [address < mac > | interface < type mod/num >]


顯示port-security狀態
#show port-security [ interface | address ]

ps:
以show port-security為例,畫面大致如下
Secure Port , MaxSecureAddr(Count) , CurrentAddr(Count) , SecurityViolation(Count) , Security Action
---------------------------------------------------------------------------
Gi0/11 , 5 , 1 , 0 , Restrict
Gi0/12 , 1 , 0 , 0 , Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6176
ps:
以show port-security interface gi0/11為例,訊息大致如下
Port Security : Enabled
Port Status : Secure-shutdown //secure-shutdown為違規發生,secure-up為狀態正常
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0 //目前學習到的mac數量
Configured MAC Addresses : 0 // 手動設定的mac數量
Sticky MAC Addresses : 0
Last Source Address : 0003.a089.efc5
Security Violation Count : 1


ps:
直接看err-disabled的介面有那些
# show interfaces status err-disabled
Port Name Status Reason
Gi0/11 Test port err-disabled psecure-violation //gi0/11進入err-disabled狀態

2008-10-09 16:59:06發表 0000-00-00 00:00:00修改   

數據分析
程式開發
計算機組織與結構
資料結構與演算法
Database and MySql
manage tool
windows
unix-like
linux service
network
network layer3
network layer2
network WAN
network service
作業系統
數位鑑識
資訊安全解決方案
資訊安全威脅
Cisco security

Cisco network
Cisco layer3
Cisco layer2



  登入      [牛的大腦] | [單字我朋友] Powered by systw.net