Switch port-security configuration:
To configure port security on a particular switch port, you first enter that port's configuration,
i.e. go into interface (port) configuration mode.
Switch model: Cisco 2950
S1(config-if)#
S1(config-if)#?
cdp Global CDP configuration subcommands
channel-group Etherchannel/port bundling configuration
channel-protocol Select the channel protocol (LACP, PAgP)
description Interface specific description
duplex Configure duplex operation.
exit Exit from interface configuration mode
mac-address Manually set interface MAC address
mls mls interface commands
no Negate a command or set its defaults
shutdown Shutdown the selected interface
spanning-tree Spanning Tree Subsystem
speed Configure speed operation.
storm-control storm configuration
switchport Set switching mode characteristics
tx-ring-limit Configure PA level transmit ring limit
S1(config-if)#switchport ?
access Set access mode characteristics of the interface
mode Set trunking mode of the interface
native Set trunking native characteristics when interface is in
trunking mode
nonegotiate Device will not engage in negotiation protocol on this
interface
port-security Security related command
priority Set appliance 802.1p priority
trunk Set trunking characteristics of the interface
voice Voice appliance attributes
S1(config-if)#switchport mode acces
S1(config-if)#switchport port-security ?
mac-address Secure mac address
maximum Max secure addresses
violation Security violation mode
<cr>
S1(config-if)#switchport port-security maximum 1
S1(config-if)#switchport port-security violation ?
protect Security violation protect mode // When a new host connects and the interface's MAC entries exceed the configured maximum, the new host cannot connect, while the existing hosts are unaffected.
restrict Security violation restrict mode // restrict: vt. to limit, to confine. When a new host connects and the interface has reached the maximum, the new host cannot connect, and the switch sends a warning message.
shutdown Security violation shutdown mode // When a new host connects and the interface's MAC entries exceed the configured maximum, the interface is shut down, so neither the new host nor the existing hosts can connect; it must be re-enabled with: no shutdown.
S1(config-if)#switchport port-security violation shutdown // Meaning: when this port suffers a violation, take the shutdown action, i.e. disable the port.
S1(config-if)#
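Added example, not part of the original notes: a small Python model of how a port configured with `switchport port-security maximum 1` treats a sequence of source MACs under each of the three violation modes described above. The MAC values are the two from the show mac-address-table output in these notes; the port name and the order in which frames arrive are constructed for the example, and sticky/aging behaviour is not modelled.

```python
from dataclasses import dataclass, field

# Constructed sample: the two MACs from the notes' show mac-address-table output,
# arriving on a port whose maximum is 1. Frame 2 is the second, unauthorised host.
FRAMES = ["0023.3364.2238", "000a.f3e3.b801", "0023.3364.2238"]


@dataclass
class SecurePort:
    """One access port with `switchport port-security` enabled."""
    name: str
    maximum: int = 1                  # switchport port-security maximum N
    violation: str = "shutdown"       # protect | restrict | shutdown
    secure_macs: set = field(default_factory=set)  # static or learned secure MACs
    violations: int = 0               # violation counter, bumped by restrict/shutdown
    err_disabled: bool = False

    def receive(self, src_mac: str) -> str:
        """Handle one frame; return 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"      # port stays down until `no shutdown`
        if src_mac in self.secure_macs:
            return "forward"           # already a secure address on this port
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(src_mac)   # learn it as a secure address
            return "forward"
        # Table is full and this MAC is not secured: a security violation
        if self.violation == "protect":
            return "drop"              # silently dropped, existing hosts unaffected
        self.violations += 1           # restrict and shutdown both count and notify
        if self.violation == "restrict":
            return "drop"              # dropped, switch sends a warning (syslog/SNMP)
        self.err_disabled = True       # shutdown: the whole port goes err-disabled
        return "err-disabled"

    def no_shutdown(self) -> None:
        """Operator recovery, as in the notes: `no shutdown` re-enables the port."""
        self.err_disabled = False


def simulate(violation: str, frames=FRAMES, maximum: int = 1) -> list:
    """Return the per-frame outcome for a fresh port in the given violation mode."""
    port = SecurePort("Fa0/1", maximum=maximum, violation=violation)
    return [port.receive(mac) for mac in frames]


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(f"{mode:9s} -> {simulate(mode)}")
```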
S1#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000a.f3e3.b801    DYNAMIC     Fa0/2
   1    0023.3364.2238    STATIC      Fa0/1
S1#
// violation: n. breach; infringement
So how do you manually add a MAC table entry for an interface?
S1(config)#interface f0/1
S1(config-if)#
S1(config-if)#
S1(config-if)#mac ?
H.H.H MAC address
S1(config-if)#mac 0023.3364.2238
S1(config-if)#
S1#show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000a.f3e3.b801    DYNAMIC     Fa0/2
   1    0023.3364.2238    STATIC      Fa0/1    // This is the entry that was just added manually.