{"id":866,"date":"2008-10-07T21:35:00","date_gmt":"2008-10-07T13:35:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=866"},"modified":"2023-11-07T21:53:49","modified_gmt":"2023-11-07T13:53:49","slug":"cisco-port-security","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/866","title":{"rendered":"Cisco Port Security"},"content":{"rendered":"\n

port-security
1.switch feature that can grant access through a port only if the host with MAC address is connected
2.the feature can block “MAC address flooding”<\/p>\n\n\n\n

ps:
mac address flooding
a switch is fed many frames, each containing different “source MAC addresses”, by the attacker.
The intention is to consume the limited memory set aside in the switch to store the MAC address table. this is a simple DoS attack against the switching infrastructure.<\/p>\n\n\n\n

\u555f\u7528port-security
(config-if)#switchport mode access \/\/port security\u529f\u80fd\u8981\u5728access mode\u4e0b
(config-if)#switchport port-security<\/strong>
\u82e5\u6a5f\u5668\u6b63\u9023\u5230\u6b64switch,\u5247\u6703\u81ea\u52d5\u628a\u6b64\u6a5f\u5668\u7684mac\u7576\u4f5callow\u7684\u786c\u9ad4\u4f4d\u7f6e,\u5efa\u8b70\u8f38\u5165\u6b64\u6307\u4ee4\u524d,\u5c07port\u7d66shutdown
ps:
\u7576\u8a72\u4ecb\u9762\u7dda\u8def\u88ab\u62d4\u9664,\u9810\u8a2d\u6703\u5c07port-security\u8cc7\u6599\u6e05\u7a7a
\u4f46\u82e5\u662f\u4f7f\u7528sticky\u529f\u80fd,\u5247\u6703\u4ee5\u6307\u4ee4\u81ea\u52d5\u5beb\u5728running configuration
ps:
\u4f7f\u7528\u8a72\u529f\u80fd\u6642,\u82e5\u4ecb\u97621\u5df2\u8a18\u9304mac_a,\u5247\u8a72mac_a\u5230\u5176\u4ed6\u4ecb\u9762\u6642\u7121\u6cd5\u4f7f\u7528\u7db2\u8def,
\u9664\u975e\u5c07\u4ecb\u97621\u5c0d\u6620\u5230mac_a\u7684\u8cc7\u6599\u6e05\u7a7a
\u65b9\u6cd5\u6709:\u62d4\u9664\u7dda\u8def,\u4f7f\u7528aging\u6307\u4ee4\u903e\u6642\u81ea\u52d5\u6e05\u7a7a,\u4f7f\u7528clear port-security\u6307\u4ee4<\/p>\n\n\n\n

\u8a2d\u5b9a\u6700\u5927secure-mac\u6578\u91cf
(config-if)#switchport port-security maximum < 1-1024><\/strong>
\u52d5\u614b\u5b78\u7fd2mac address\u4e26\u5132\u5b58\u5728address table\u4e2d,\u91cd\u958b\u6a5f\u5f8c\u6703\u6d88\u5931
ps:\u9810\u8a2d\u662f1
ps:\u57281900switch\u70baport secure max-mac-count < num><\/p>\n\n\n\n

\u5728\u8a72\u4ecb\u9762\u6307\u5b9a\u53ef\u5b58\u53d6\u7684mac
(config-if)#switchport port-security mac-address < mac addr><\/strong>
< mac addr> \u53ef\u5c07mac address\u8a2d\u6210\u8207\u67d0\u500b\u57e0\u7d50\u5408\u7684\u975c\u614b\u8a18\u9304
ps:
port-security maximum\u8a2d3,\u4e14\u53c8\u6307\u5b9a1\u500bport-security mac-address,\u5247\u53ea\u67092\u500b\u53ef\u5b58\u53d6\u7684mac\u53ef\u52d5\u614b\u88ab\u5b78\u7fd2<\/p>\n\n\n\n

\u555f\u7528sticky MAC addresses
(config-if)#switchport port-security mac-address strick<\/strong>
\u6703\u5c07\u5b78\u7fd2\u7684mac address\u5132\u5b58\u5728running configuration,
\u6548\u679c\u985e\u4f3cswitch\u81ea\u5df1\u770b\u9032\u4f86\u6709\u90a3\u4e9bmac\u81ea\u52d5\u57f7\u884cswitchport port-security mac-address < mac addr>
\u82e5\u624b\u52d5\u57f7\u884ccopy run sta\u5f8c,\u91cd\u958b\u6a5f\u5247\u4e0d\u6703\u6d88\u5931
ps:\u4f3c\u4e4e\u7121\u6cd5\u65bcaging\u5408\u7528<\/p>\n\n\n\n

\u975e\u5141\u8a31\u7684mac\u4f4d\u7f6e\u9023\u5165\u6642\u8655\u7406\u65b9\u5f0f
(config-if)#switchport port-security violation < protect|restrict|shutdown><\/strong>
protect(\u4fdd\u8b77\u6a21\u5f0f):<\/strong>
\u4e1f\u6389\u4e0d\u5408\u6cd5\u7684\u5c01\u5305,\u4e0d\u767c\u8b66\u544a
\u5fa9\u539f\u65b9\u5f0f:\u4f7f\u7528clear port-security dynamic
restrict(\u9650\u5236\u6a21\u5f0f):<\/strong>
\u4e1f\u6389\u4e0d\u5408\u6cd5\u7684\u5c01\u5305,\u767c\u8b66\u544a,\u9001\u51faSNMP trap\u548csyslog\u8a0a\u606f
\u5fa9\u539f\u65b9\u5f0f:\u4f7f\u7528clear port-security dynamic
ps:
\u5728restrict\u6a21\u5f0f\u4e0b,\u7576\u6709\u975e\u6cd5\u5b58\u53d6\u6642,syslog\u8a0a\u606f\u5927\u81f4\u5982\u4e0b
Jun 3 17:18:41.888 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.5e00.0101 on port GigabitEthernet0\/11
shutdown(\u95dc\u9589\u6a21\u5f0f):\u9810\u8a2d<\/strong>
\u9032\u5165err-disable\u72c0\u614b,\u4e26\u5c07port\u95dc\u9589,\u767c\u8b66\u544a,\u9001\u51faSNMP trap\u548csyslog\u8a0a\u606f
\u5fa9\u539f\u65b9\u5f0f:\u624b\u52d5\u91cd\u555f\u4ecb\u9762(shutdown\u5f8c\u5728no shutdown)\u6216\u900f\u904eerrdisable recovery\u6062\u5fa9
ps:
\u5728shutdown\u6a21\u5f0f\u4e0b,\u82e5\u6709\u975e\u6cd5\u5b58\u53d6\u6642,show interface\u6642\u6703\u770b\u5230error-disable
ps:
\u82e5gi0\/11\u70bashutdown mode,\u7576\u6709\u975e\u6cd5\u5b58\u53d6\u6642,syslog\u8a0a\u606f\u5927\u81f4\u5982\u4e0b
Jun 3 17:14:19.018 EDT: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0\/11, putting Gi0\/11 in err-disable state
Jun 3 17:14:19.022 EDT: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address0003.a089.efc5 on port GigabitEthernet0\/11.
Jun 3 17:14:20.022 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gigabit Ethernet0\/11, changed state to down
Jun 3 17:14:21.023 EDT: %LINK-3-UPDOWN: Interface GigabitEthernet0\/11, changed state to down<\/p>\n\n\n\n

ex:
(config)# interface GigabitEthernet0\/11
(config-if)# switchport access vlan 991
(config-if)# switchport mode access
(config-if)# switchport port-security
(config-if)# switchport port-security violation restrict<\/p>\n\n\n\n


\u6307\u5b9aMac-Address\u53ef\u5b58\u6d3b\u7684\u6642\u9593
(config-if)#switchport port-security aging [static] [min] [type]<\/strong>
[static] \u624b\u52d5\u8f38\u5165\u7684Mac-Address\u4e5f\u52a0\u5165\u8a08\u6642
[min]\u9810\u8a2d\u70ba0,\u8868\u793a\u662f\u6c38\u4e45\u6709\u6548
[type] inactivity\u8868\u793a\u7576\u6c92\u6709\u5c01\u5305\u901a\u904e\u6642,\u5c31\u958b\u59cb\u8a08\u6642,absolute\u70ba\u7d55\u5c0d\u6642\u9593<\/p>\n\n\n\n

\u6e05\u9664port-security mac
# clear port-security dynamic [address < mac > | interface < type mod\/num >]<\/strong><\/p>\n\n\n\n


\u986f\u793aport-security\u72c0\u614b
#show port-security [ interface | address ]<\/strong>
ps:
\u4ee5show port-security\u70ba\u4f8b,\u756b\u9762\u5927\u81f4\u5982\u4e0b
Secure Port , MaxSecureAddr(Count) , CurrentAddr(Count) , SecurityViolation(Count) , Security Action
—————————————————————————
Gi0\/11 , 5 , 1 , 0 , Restrict
Gi0\/12 , 1 , 0 , 0 , Shutdown
—————————————————————————
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 6176
ps:
\u4ee5show port-security interface gi0\/11\u70ba\u4f8b,\u8a0a\u606f\u5927\u81f4\u5982\u4e0b
Port Security : Enabled
Port Status : Secure-shutdown \/\/secure-shutdown\u70ba\u9055\u898f\u767c\u751f,secure-up\u70ba\u72c0\u614b\u6b63\u5e38
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0 \/\/\u76ee\u524d\u5b78\u7fd2\u5230\u7684mac\u6578\u91cf
Configured MAC Addresses : 0 \/\/ \u624b\u52d5\u8a2d\u5b9a\u7684mac\u6578\u91cf
Sticky MAC Addresses : 0
Last Source Address : 0003.a089.efc5
Security Violation Count : 1<\/p>\n\n\n\n


ps:
\u76f4\u63a5\u770berr-disabled\u7684\u4ecb\u9762\u6709\u90a3\u4e9b
# show interfaces status err-disabled<\/strong>
Port Name Status Reason
Gi0\/11 Test port err-disabled psecure-violation\u3000\/\/gi0\/11\u9032\u5165err-disabled\u72c0\u614b<\/p>\n","protected":false},"excerpt":{"rendered":"

port-security1.switch feature …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[31],"tags":[],"class_list":["post-866","post","type-post","status-publish","format-standard","hentry","category-cisco-security"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/866","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=866"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/866\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=866"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=866"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=866"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}