
Article: Port Security

Author: L Qung H

I. Purpose of the lab

To help the practitioner understand how the port security feature works.

II. Topology and configuration requirements

Requirements: one Catalyst 2950 switch and two hosts. Topology:

III. Configuration

1. Configuring port security

Step 1: Cable the devices as shown in the topology and power on the switch.

Step 2:

Step 2-1: Enter interface configuration mode for port f0/1:

Switch>enable
Switch#conf t
Switch(config)#interface f0/1

Step 2-2: Put the port into access mode. This mode is mandatory for a port on which port security is configured.

Switch(config-if)#switchport mode access

Step 2-3: Enable port security:

Switch(config-if)#switchport port-security

Step 2-4: Specify the number of times the MAC address may change. This parameter sets the maximum number of times the port will still accept a change of MAC address. Changing the MAC address means connecting a different host to the switch on this port. Let k be the permitted number of changes and n the number of times you actually change the MAC address. The port keeps operating as long as n ≤ k and, just as importantly, the original MAC address is connected back to the port. The minimum value is 1, the maximum is 1024, and the default is 1. For example, to set the count to 3:

Switch(config-if)#switchport port-security maximum 3

You are then allowed to change the MAC address at most 3 times. Note that although the change is permitted, this does not mean the port keeps operating normally while the MAC address is wrong: when the MAC address does not match, the port moves into the error state. If you connect the original MAC address back at that point, however, the port returns to normal operation.

Back to the lab: we use a permitted change count of 1. This is the default value, so the command does not need to be entered on the switch.

Step 2-5: Specify the MAC address to be secured on the interface. After this, the host with the matching MAC address operates normally when it is connected to the switch on this interface.

If the host's MAC address differs from the address specified on the interface, the port enters the error state and, naturally, no frames are forwarded on this port.

Switch(config-if)#switchport port-security mac-address mac-address

Note: the MAC address format in the command above is AAAA.BBBB.CCCC, and the address must be the same as that of the host to be secured. For a PC host, find the MAC address as follows: open a DOS command window via Start\Run and type cmd, then in that window type C:\>ipconfig /all. The screen shows the network card's parameters, including its MAC address.

For a router host, connect a PC to the router's console port and use the show version command to find the MAC address.

Configuration on the switch:

Switch(config-if)#switchport port-security mac-address 00e0.4d01.2978

Step 2-6: Specify the state the port changes to when the connected MAC address is wrong. Command syntax:

Switch(config-if)#switchport port-security violation [shutdown | restrict | protect]

shutdown: the port is put into the error state and shut down.
restrict: the port stays up even though the connected MAC address is wrong, but every frame arriving on the port is dropped and a notification is generated with the number of dropped frames.
protect: the port stays up as with restrict and arriving frames are dropped, but no notification of the drops is generated.
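The three violation modes above, together with the maximum from step 2-4, as an added teaching model written for this write-up (it is not Cisco code and not part of the lab): it replays the lab scenario, the secured host 00e0.4d01.2978 followed by the replacement host 0006.7b08.cab5, in each mode. The model treats maximum as the number of secure addresses the port holds, and an err-disabled port stays down until it is recovered, as in the recovery section of the lab.

```python
from dataclasses import dataclass, field
@dataclass
class SecurePort:
    """Teaching model of one secured access port (constructed here, not Cisco code).
    maximum = number of secure MACs the port holds; violation = shutdown/restrict/protect."""
    maximum: int = 1
    violation: str = "shutdown"
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0                      # counted only in restrict mode
    log: list = field(default_factory=list)  # messages a syslog collector would see
    def configure_mac(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        self.secure_macs.add(mac.lower())

    def receive(self, src_mac: str) -> bool:
        """A frame arrives from src_mac: True if forwarded, False if dropped."""
        mac = src_mac.lower()
        if self.err_disabled:
            return False                     # stays down until recover()
        if mac in self.secure_macs:
            return True
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)        # room left: learn it as a secure MAC
            return True
        # Unknown MAC while the table is full: the violation described above.
        if self.violation == "shutdown":
            self.err_disabled = True
            self.log.append(f"%PM-4-ERR_DISABLE: psecure-violation, caused by {mac}")
        elif self.violation == "restrict":
            self.violations += 1
            self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: caused by {mac}")
        return False                         # protect: dropped silently, nothing logged

    def recover(self) -> None:
        """shutdown / no shutdown by hand, or errdisable recovery after the interval."""
        self.err_disabled = False

def demo() -> dict:
    """Lab scenario in each mode: secured host, replacement host, secured host again."""
    results = {}
    for mode in ("shutdown", "restrict", "protect"):
        port = SecurePort(maximum=1, violation=mode)
        port.configure_mac("00e0.4d01.2978")       # secured host from step 2-5
        port.receive("00e0.4d01.2978")
        port.receive("0006.7b08.cab5")             # replacement host from step 4
        back = port.receive("00e0.4d01.2978")      # original host plugged back in
        results[mode] = (port.err_disabled, port.violations, len(port.log), back)
    return results
```

demo() returns, per mode, whether the port is err-disabled, the restrict counter, the number of messages logged, and whether the original host is forwarded again; only shutdown leaves the port down.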

In this lab the violation mode is set to shutdown.

Switch(config-if)#switchport port-security violation shutdown

This completes the port security configuration. The next step is to test it.

Step 3: Enable debugging to observe the changes:

Switch#debug port-security

Step 4: Use a different host to replace the original one. Check the MAC address of the new host:

The new host has MAC address 0006.7b08.cab5.

Step 5: Unplug the cable from the original host and plug it into the host prepared in step 4. Observe:
+ The LED on port f0/1 goes off.
+ Messages on the console:

00:22:24: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
00:22:24: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0006.7b08.cab5 on port FastEthernet0/1.
00:22:25: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
00:22:26: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down

Step 6: Use the show command to view the state of port f0/1:

Switch#show interface f0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
  Hardware is Fast Ethernet, address is 000f.239d.c641 (bia 000f.239d.c641)
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 10Mb/s

Now is the time to try sending traffic into port f0/1 from one end and wait!!!

2. Restoring the port to its normal state

To restore the port you must intervene on the switch.

Step 1: Connect to the console port of the switch:

Switch>enable
Switch#conf t

Step 2: There are two ways to recover the port.

Method 1: manual recovery, where you carry out the recovery yourself.

Switch(config)#interface f0/1
Switch(config-if)#shutdown
Switch(config-if)#no shutdown

Messages on the screen once the commands complete:

00:17:58: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
00:18:00: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:18:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

This amounts to allowing the port to operate normally again. Note, however, that the port's earlier configuration is unchanged, including port-security.

Method 2: automatic recovery, where you configure the switch to detect the error and recover the port on its own. With this method, assume you do not know why the port went down.

Step 2-1: Detect errors on the port. Command syntax:

Switch(config)#errdisable detect cause [all | cause-name]

+ all: detect every error cause.
+ cause-name: detect only the cause with that name. The available causes are:

  all              Enable error detection on all cases
  dhcp-rate-limit  Enable error detection on dhcp-rate-limit
  dtp-flap         Enable error detection on dtp-flapping
  gbic-invalid     Enable error detection on gbic-invalid
  link-flap        Enable error detection on linkstate-flapping
  loopback         Enable error detection on loopback
  pagp-flap        Enable error detection on pagp-flapping

In this lab the switch is set to detect all causes:

Switch(config)#errdisable detect cause all

Step 2-2: Enable the switch to recover the port:

Switch(config)#errdisable recovery cause all

Step 2-3: Set the timer for the recovery process. By default the port is recovered 300 seconds after you enter the command in step 2-2. You can change this timer with the command:

Switch(config)#errdisable recovery interval seconds

The seconds value is in seconds; keep this in mind to avoid confusion. Now set the switch's recovery timer to 30 seconds:

Switch(config)#errdisable recovery interval 30
Switch(config)#^Z

Step 2-4: Observe
+ The LED on port f0/1 of the switch: it lights up again after 30 seconds.
+ On the console:
- Watch the timestamps produced by the debug command:

00:55:54: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/1
00:55:55: PSECURE: psecure_linkchange: Fa0/1 hwidb=0x807D6C98
00:55:55: PSECURE: Link is coming up
00:55:55: PSECURE: psecure_linkup_init_internal: Fa0/1 hwidb = 0x807D6C98
00:55:55: PSECURE: No change in violation_mode
00:55:55: PSECURE: psecure_vlan_linkchange invoked: Vlan 1
00:55:55: PSECURE: Activating port-security feature
00:55:55: PSECURE: port_activate: status is 1
00:55:55: PSECURE: PSECURE: Deleting all dynamic addresses from h/w tables.
00:55:55: PSECURE: psecure_platform_delete_all_addrs: deleting all addresses on vlan 1
00:55:55: PSECURE: psecure_delete_address_not_ok address <1,00e0.4d01.2978> allowed
00:55:55: PSECURE: skipping Fa0/1 while searching <1,00e0.4d01.2978>
00:55:55: PSECURE: Adding entry to HA table from port-security sub block
00:55:55: PSECURE: psecure_platform_add_mac_addrs: Do nothing, called to add <1,00e0.4d01.2978> to FastEthernet0/1
00:55:57: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
00:55:58: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up

- Use the command:
Switch#show interface f0/1

FastEthernet0/1 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 000f.239d.c641 (bia 000f.239d.c641)
  MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)

IV. Full configuration

Configuration of the switch:

Current configuration : 1727 bytes

!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Switch
!
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause psecure-violation
errdisable recovery cause gbic-invalid
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause unicast-flood
errdisable recovery cause vmps
errdisable recovery cause loopback
errdisable recovery interval 30
ip subnet-zero
!
!
spanning-tree mode pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
!
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 00e0.4d01.2978
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
!
ip http server
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
!
end

V. Evaluation

At this point you have a basic understanding of how port security is configured. You can change the parameters in the commands to explore their characteristics in more detail.
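The violation and recovery messages shown above are exactly what a syslog collector receives from the switch. As an added example, not part of the lab, the following parser pulls the offending MAC address, the err-disable event and the recovery out of those lines and tracks them per port, so an operator can see which ports are still down and which address caused it. The log text is copied from the output above; the pattern names and helper functions are my own.

```python
import re
from collections import defaultdict

# Console messages copied from the lab output above (debug port-security was enabled).
SAMPLE_LOG = """\
00:22:24: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
00:22:24: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0006.7b08.cab5 on port FastEthernet0/1.
00:22:26: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
00:55:54: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/1
00:55:57: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
"""

# One pattern per message type the lab produced; the leading field is IOS uptime (hh:mm:ss).
VIOLATION = re.compile(
    r"^(?P<ts>\S+): %PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>[0-9a-fA-F.]+) on port (?P<port>\S+?)\.?$")
ERR_DISABLE = re.compile(
    r"^(?P<ts>\S+): %PM-4-ERR_DISABLE: psecure-violation .*putting (?P<port>\S+) in err-disable state")
ERR_RECOVER = re.compile(
    r"^(?P<ts>\S+): %PM-4-ERR_RECOVER: .*err-disable state on (?P<port>\S+)")

def normalize_port(name: str) -> str:
    """IOS writes the same port as Fa0/1 or FastEthernet0/1; use one key for both."""
    return re.sub(r"^FastEthernet", "Fa", name)

def parse_port_security_events(text: str) -> dict:
    """Group violation, err-disable and recovery events per port."""
    events = defaultdict(lambda: {"violations": [], "err_disabled": [], "recovered": []})
    for line in text.splitlines():
        if m := VIOLATION.match(line):
            events[normalize_port(m["port"])]["violations"].append((m["ts"], m["mac"].lower()))
        elif m := ERR_DISABLE.match(line):
            events[normalize_port(m["port"])]["err_disabled"].append(m["ts"])
        elif m := ERR_RECOVER.match(line):
            events[normalize_port(m["port"])]["recovered"].append(m["ts"])
    return dict(events)

def offending_macs(events: dict, port: str) -> list:
    """MAC addresses that caused violations on a port: the first thing to trace after an alert."""
    return sorted({mac for _, mac in events.get(port, {}).get("violations", [])})

def still_err_disabled(events: dict) -> list:
    """Ports err-disabled more often than recovered, i.e. still down and needing attention."""
    return sorted(p for p, e in events.items() if len(e["err_disabled"]) > len(e["recovered"]))
```

With the full sample the port is recovered after 30 seconds, so still_err_disabled() is empty; feed it only the first two lines and Fa0/1 is reported as still down.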
