#switchport port-security
#switchport port-security max 5
#switchport por-security mac-address 0000.xxxx.abcd
# sh port-security
MaxSecureAddr : 最大可以接受多少 MAC 連上
CurrentAddr : 目前連上的 MAC 數
SecurityViolation: 若為 1 則該 Port 被鎖定
Port-Security 解除鎖定
errdisable recovery interval 30 <== 修改為 30 秒自動重新啟動 errdisable recovery cause psecure-violation Port-Security 對於超過規定數量的 MAC 的處理方式
- Shutdown :關閉埠為err-disable狀態,除非管理員手工啟動,否則該埠失效這種方式保護能力最強,但是對於一些情況可能會為管理帶來麻煩。
- Protect: 丟棄非法流量,不報警。
- Restrict: 丟棄非法流量,在console發警告 ,對比上面會是交換機 CPU 利用率上升但是不影響交換機使用。
Troubleshoot
- show interfaces status err-disabled—Shows which local ports are involved in the errdisabled state.
- show etherchannel summary—Shows the current status of the EtherChannel.
- show errdisable recovery—Shows the time period after which the interfaces are enabled for errdisable conditions.
- show errdisable detect—Shows the reason for the errdisable status.
For more information on troubleshooting switchport issues, refer to Troubleshooting Switch Port and Interface Problems.
Spanning Tree PortFast BPDU Guard Enhancement
Configuring Port Security
1 則留言:
Example:
interface FastEthernet0/x
description "xxxx"
switchport access vlan X
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky xxxx.xxxx.xxxx
spanning-tree portfast
spanning-tree bpdufilter enable
張貼留言