Switch traffic control and port security (2009-10-16)

The four main traffic controls:
• storm-control: limits broadcast/multicast/unicast traffic so that it does not exceed a threshold. Of the four, only storm-control is not a switchport statement.
• switchport protected: interface isolation; interfaces configured as protected are isolated from one another.
• switchport block: blocks unknown unicast/multicast frames.
• switchport port-security: permits only frames from specific MAC addresses.

storm-control

storm-control is really traffic control:

storm-control {broadcast | multicast | unicast} level {level [level-low] | pps pps [pps-low]}

interface fastethernet0/1
 storm-control broadcast level 87 65

When broadcast traffic exceeds 87%, the interface is closed; when it falls below 65%, the interface is opened again. If the percentage is set to 0, broadcast/multicast/unicast traffic is blocked completely; if it is set to 100, the traffic is not limited at all.

Protected ports

interface fastethernet0/1
 switchport protected

• A protected port is always isolated from every other protected port. This is commonly used for access services, where traffic must only be forwarded out the uplink and never to the switch's other ports: the ports are isolated from one another and communicate only with the upstream device.

switchport block

switchport block acts on unknown frames: unknown multicast and unknown unicast.

interface gigabitethernet0/1
 switchport block multicast
 switchport block unicast

Switch# show interfaces fastethernet 0/1 switchport
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled

switchport port-security configuration

3550-B(config-if)#switchport mode access

Enable port security:
3550-B(config-if)#switchport port-security

Maximum number of allowed addresses. The default is 1; if no VLAN is specified, the maximum covers all VLANs:
3550-B(config-if)#switchport port-security maximum value

Static MAC binding. Several entries can be configured; if the number of secure MAC addresses configured on the interface is lower than the maximum number of secure MAC addresses, the remaining ones are learned dynamically:
3550-B(config-if)#switchport port-security mac-address mac-address

Action on a MAC address violation:
• protect: the frame is dropped
• restrict: the frame is dropped, an SNMP trap is sent and a syslog message is logged
• shutdown: the interface is error-disabled, an SNMP trap is sent and a syslog message is logged
3550-B(config-if)#switchport port-security violation {protect | restrict | shutdown}

Configure the aging timer:
3550-B(config-if)#switchport port-security aging {static | time time | type {absolute | inactivity}}

Port security aging

switchport port-security aging {static | time time | type {absolute | inactivity}}

• static: the static parameter makes the static entries configured with switchport port-security mac-address age as well, because by default aging applies only to dynamic entries. This parameter is rarely seen, since static entries are usually configured by hand and therefore have no time limit.
• time: the aging time. If time=0, aging is disabled.
• type: the action taken when the aging time expires. type absolute removes all MAC addresses once the time is up: expired means deleted. type inactivity removes only those entries whose MAC address was inactive (saw no traffic) during the aging time.

switchport port-security aging time 2
 aging time of 2 minutes; by default this applies to dynamic entries
switchport port-security aging static
 the aging time also applies to static entries
switchport port-security aging type inactivity
 expired inactive entries are removed; this is the default behaviour once aging is configured.
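The port-security and storm-control rules above can be checked mechanically against a running-config. The following Python script is an added example, not code from the original note: it splits a running-config into interface stanzas and reports, per interface, port-security enabled without an explicit access mode, how many secure-address slots will be filled by dynamic learning (static entries below the maximum), a silent "protect" violation action, aging time 0, and storm-control levels of 100 (no limit) or 0 (everything blocked). The configuration text, interface names, IP address and MAC address are constructed for the example.

```python
"""Audit a Cisco IOS running-config for the port-security and storm-control
settings described above.  Added example, not code from the original note;
the configuration text, interface names and MAC address are constructed."""
import re
from dataclasses import dataclass, field

# Constructed sample running-config (hypothetical; not captured from a real switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 storm-control broadcast level 87 65
!
interface FastEthernet0/2
 switchport port-security
 switchport port-security violation protect
 storm-control broadcast level 100
!
interface FastEthernet0/3
 switchport mode access
 switchport protected
 switchport block unicast
 switchport block multicast
!
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
"""


@dataclass
class Iface:
    name: str
    lines: list = field(default_factory=list)


def parse_interfaces(config):
    """Split a running-config into interface stanzas (indented lines under 'interface X')."""
    ifaces, cur = [], None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            cur = Iface(raw.split(None, 1)[1].strip())
            ifaces.append(cur)
        elif raw.startswith(" ") and cur is not None:
            cur.lines.append(raw.strip())
        else:                      # '!' or any unindented line ends the stanza
            cur = None
    return ifaces


def audit(iface):
    """Return a list of findings for one interface; 'info:' entries are informational."""
    lines, findings = iface.lines, []
    if "switchport port-security" in lines:            # port-security is enabled
        if "switchport mode access" not in lines:
            findings.append("port-security without explicit 'switchport mode access' "
                            "(the switch reports an error when this is typed)")
        maximum, static, violation, aging_time = 1, 0, "shutdown", None   # IOS defaults
        for l in lines:
            if m := re.match(r"switchport port-security maximum (\d+)$", l):
                maximum = int(m.group(1))
            elif re.match(r"switchport port-security mac-address [0-9a-f.]+$", l):
                static += 1                                # one static secure MAC
            elif m := re.match(r"switchport port-security violation (\w+)$", l):
                violation = m.group(1)
            elif m := re.match(r"switchport port-security aging time (\d+)$", l):
                aging_time = int(m.group(1))
        if static < maximum:
            findings.append(f"info: maximum {maximum}, {static} static MAC(s); "
                            f"{maximum - static} slot(s) filled by dynamic learning")
        if violation == "protect":
            findings.append("violation action 'protect' drops frames silently (no SNMP trap or syslog)")
        if aging_time == 0:
            findings.append("aging time 0 disables aging")
    for l in lines:                                        # percentage form of storm-control only
        m = re.match(r"storm-control (broadcast|multicast|unicast) level "
                     r"(\d+(?:\.\d+)?)(?: (\d+(?:\.\d+)?))?$", l)
        if not m:
            continue
        kind, rising = m.group(1), float(m.group(2))
        falling = float(m.group(3)) if m.group(3) else rising
        if rising >= 100:
            findings.append(f"storm-control {kind} level 100 imposes no limit")
        elif rising == 0:
            findings.append(f"info: storm-control {kind} level 0 blocks all {kind} traffic")
        if falling > rising:
            findings.append(f"storm-control {kind}: falling threshold {falling:g} "
                            f"is above rising threshold {rising:g}")
    return findings


def audit_config(config):
    """Map each interface name to its findings."""
    return {i.name: audit(i) for i in parse_interfaces(config)}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Run it as a script to see the per-interface report; FastEthernet0/2 collects the interesting findings (no explicit access mode, silent protect action, unlimited storm-control), while the Layer 3 Vlan20 interface carries no switchport commands and is left alone.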
switchport port-security configuration tips

• switchport mode access: before configuring switchport port-security, explicitly configure switchport mode access, otherwise an error is reported.
• Because it is a switchport command, it cannot be applied to a Layer 3 interface such as int vlan 20.
• Shut down the interface before configuring it, otherwise the port reports a duplicate address.

Verify port-security:

Rack07Sw1#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  SecurityAction
                (Count)       (Count)          (Count)
      Fa0/12              1            1                  0         Protect
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 5120

To test port-security, change R2's MAC address, which will cause a violation:

r2(config-if)#mac-address 1001.1ee1.10e2
r2# show int e1
Ethernet1 is up, line protocol is up
Hardware is Lance, address is 1001.1ee1.10e2 (bia 00e0.b064.242d)
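The sh port-security table above is what an operator polls to see whether a port has tripped. The following Python script is an added example (not part of the original note) that parses that table into records and reviews it: ports with a non-zero violation count, ports whose action is Protect (dropped without trap or syslog, so nothing else will tell you), and ports whose secure address table is already full. The output text is constructed in the same layout as the note's sample; the port names and counts are invented for the example.

```python
"""Parse 'show port-security' output and flag ports that need attention.
Added example, not from the original note; the output below is constructed
in the layout of the note's sample and was not captured from a real switch."""
import re
from dataclasses import dataclass

# Constructed sample output (hypothetical ports and counters).
SAMPLE_SHOW = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  SecurityAction
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/12              1            1                  0         Protect
      Fa0/13              2            2                  3        Restrict
      Fa0/14              1            0                  1        Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 5120
"""

# One table row: port, max, current, violations, action.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Protect|Restrict|Shutdown)\s*$")
# The two summary lines at the bottom of the table.
TOTAL = re.compile(r"^(Total Addresses|Max Addresses limit) in System.*:\s*(\d+)\s*$")


@dataclass
class SecurePort:
    port: str
    max_addr: int
    current: int
    violations: int
    action: str


def parse_port_security(text):
    """Return (list of SecurePort, dict of summary counters)."""
    ports, totals = [], {}
    for line in text.splitlines():
        if m := ROW.match(line):
            ports.append(SecurePort(m.group(1), int(m.group(2)), int(m.group(3)),
                                    int(m.group(4)), m.group(5)))
        elif m := TOTAL.match(line):
            totals[m.group(1)] = int(m.group(2))
    return ports, totals


def review(ports):
    """Findings a defender would want from the table, one string per finding."""
    findings = []
    for p in ports:
        if p.violations > 0:
            if p.action == "Shutdown":
                findings.append(f"{p.port}: {p.violations} violation(s) with action Shutdown; "
                                "the port is expected to be error-disabled")
            else:
                findings.append(f"{p.port}: {p.violations} violation(s) with action {p.action}")
        if p.action == "Protect":
            findings.append(f"{p.port}: action Protect drops offending frames without SNMP trap "
                            "or syslog; use Restrict if a notification is needed")
        if p.current >= p.max_addr:
            findings.append(f"{p.port}: secure address table full ({p.current}/{p.max_addr}); "
                            "the next new MAC triggers the violation action")
    return findings


if __name__ == "__main__":
    ports, totals = parse_port_security(SAMPLE_SHOW)
    print(f"{len(ports)} secure ports, system limit {totals.get('Max Addresses limit')}")
    for f in review(ports):
        print(" -", f)
```

Feeding the script the real command output (for example from a scheduled session to the switch) gives a simple detection loop for the silent Protect case the note describes, where nothing is logged and the table is the only evidence.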