本帖最后由 碧云天 于 2020-4-7 11:35 编辑
一.Port Security技术介绍
1.有效阻止MAC Flood和MAC Spoof攻击

• MAC Flood当特定接口设定的MAC table满的时候产生violation
  
• 当一个MAC地址在同一个VLAN里面的两个不同接口学到的时候产生violation
  

2.Port Security的默认行为

• 所有的接口Port Security功能是disable的
  
• 默认每个接口最大MAC地址容量为1
  
• 默认violation是shutdown
  

3.三种violation方式

• shutdown 使接口处于errordisable状态，并且告警
  
• restrict 丢掉违规数据包，并且告警
  
• protect 悄无声息地丢弃数据包，不产生告警
  

4.三种地址学习方式

• 自动学习（默认）
  
  
  
  • 先入为主
    
• 手动指派
  
  
  
  • 命令： 接口下 switchport port-security mac-address H.H.H
    
• Sticky
  
  
  
  • 将自动学习的mac地址保存配置，可以根据保存的配置进行调整
    

二.测试拓扑

三.基本配置
1.R1
interface Ethernet0/0
ip address 10.1.1.1 255.255.255.0
no shutdown
2.SW
interface range e0/0-1
sw mode access
sw access vlan 1
备注：接口必须指定是access接口，还是trunk接口，否则模拟器会报错
Switch(config-if)#switchport port-security
Command rejected: Ethernet0/0 is a dynamic port.
3.R2
interface Ethernet0/0
ip address 10.1.1.2 255.255.255.0
no shutdown
四.配置Port Security
1.端口启用Port Security
interface e0/0
switchport port-security
2.查看端口的Port Security配置
Switch#show port-security interface ethernet 0/0
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : aabb.cc00.4000:1
Security Violation Count : 0
Switch#
备注：可以看到默认启用Port Security，Violation Mode为Shutdown,接口最大MAC地址容量为1。
3.修改R1接口的mac地址,交换机立马出现告警
R1(config)#INT E0/0
R1(config-if)#mac-address 1.1.1
Switch(config-if)#
*Apr 4 01:50:24.410: %PM-4-ERR_DISABLE: psecure-violation error detected on Et0/0, putting Et0/0 in err-disable state
Switch(config-if)#
*Apr 4 01:50:24.410: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0001.0001.0001 on port Ethernet0/0.
*Apr 4 01:50:25.412: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0/0, changed state to down
Switch(config-if)#
*Apr 4 01:50:26.415: %LINK-3-UPDOWN: Interface Ethernet0/0, changed state to down
Switch(config-if)#
备注：这种情况，只能通过shutdown，再no shutdown接口，接口才能重新up。
4.修改接口的Violation以及mac地址容量
Switch(config)#int e0/0
Switch(config-if)#switchport port-security violation restrict
Switch(config-if)#switchport port-security maximum 2
5.如果修改接口mac地址的学习方式为Sticky，则会把学习到的mac地址加入配置
Switch(config)#int e0/0
Switch(config-if)#switchport port-security mac-address sticky
Switch(config-if)#do show run int e0/0 | begin interface
interface Ethernet0/0
switchport mode access
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0001.0001.0001
switchport port-security
end
Switch(config-if)#
6.取消R1接口的mac地址配置，交换机会将新的mac地址加入接口配置
Switch(config-if)#do show run int e0/0 | begin interface
interface Ethernet0/0
switchport mode access
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0001.0001.0001
switchport port-security mac-address sticky aabb.cc00.4000
switchport port-security
end
备注：经过抓包可以看到，R1路由器修改接口mac地址，会发出Gratuitous arp。
7.因为接口已经学满了2个mac地址，再修改R1接口为其他mac地址，交换机会发出告警
Switch(config-if)#
*Apr 4 02:38:55.401: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0002.0002.0002 on port Ethernet0/0.
备注：此时R1ping不通R2,如果将mac地址恢复，则又能ping通。