### Port-Security
-The administrator must know every device that is connected to the network they manage.
-Devices the administrator has authorized must be able to communicate; a device that was not authorized must not be able to communicate when it is plugged in.
-Port-Security
: A feature that allows traffic when a device designated by the administrator is connected to a switchport, but,
when a device the administrator did not designate is connected, either discards that device's traffic
or puts the switchport into the err-disable state. The check is on the source MAC address of incoming frames only.
# Switch
interface fastethernet 0/1
switchport mode access
switchport port-security maximum x : number of MAC addresses allowed on this port
switchport port-security mac-address HHHH.HHHH.HHHH : a MAC address allowed on this port (static secure address)
switchport port-security violation ?
protect : when a frame from a MAC address that is not allowed arrives on this port, drop that traffic silently (no syslog message or SNMP trap, so this mode is the hardest to detect)
restrict : when a frame from a MAC address that is not allowed arrives on this port, drop that traffic and output a log message (the violation counter is also incremented)
shutdown : when a frame from a MAC address that is not allowed arrives on this port, put the port into the err-disable state (the default mode)
switchport port-security : the configuration above takes effect only once the "switchport port-security" command is entered; the port must be a static access (or trunk) port, which is why "switchport mode access" is set first
!
# SW1
interface fastethernet 0/1
switchport mode access
switchport port-security maximum 1
switchport port-security mac-address 00D0.BA28.B155
switchport port-security violation shutdown
switchport port-security
spanning-tree portfast
!
interface fastethernet 0/2
switchport mode access
switchport port-security maximum 1
switchport port-security mac-address 0060.4777.8496
switchport port-security violation shutdown
switchport port-security
spanning-tree portfast
!
interface fastethernet 0/3
switchport mode access
switchport port-security maximum 1
switchport port-security mac-address 0002.165D.3630
switchport port-security violation shutdown
switchport port-security
spanning-tree portfast
!
interface fastethernet 0/20
switchport mode access
switchport port-security maximum 1
switchport port-security mac-address 0030.F238.7564
switchport port-security violation shutdown
switchport port-security
spanning-tree portfast
!
Verification
SW1# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
--------------------------------------------------------------------
Fa0/1 1 1 0 Shutdown
Fa0/2 1 1 0 Shutdown
Fa0/3 1 1 0 Shutdown
Fa0/20 1 1 0 Shutdown
--------------------------------------------------------------------
SW1# show port-security interface fastethernet 0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.0000.0000:0
Security Violation Count : 0
SW1# show port-security interface fastethernet 0/2
SW1# show port-security interface fastethernet 0/3
SW1# show port-security interface fastethernet 0/20
-Port-Security sticky option
: Used when applying Port-Security to many ports at once.
If the sticky option is set when configuring Port-Security, the switch automatically registers
the first MAC address that arrives on the port as a secure address, instead of the administrator typing each one in.
# SW1
interface range fa0/1 - fa0/20
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable : err-disable the port if a BPDU (i.e. another switch) appears on this edge port
switchport port-security maximum 1 : number of MAC addresses allowed on this port
switchport port-security mac-address sticky : automatically register the first MAC address that arrives on this port (sticky)
switchport port-security violation shutdown : put the port into err-disable when a MAC address that is not allowed arrives
switchport port-security : apply port-security
Note: sticky-learned addresses are written into the running-config as "switchport port-security mac-address sticky HHHH.HHHH.HHHH"; save with "copy running-config startup-config", otherwise they are relearned from whatever is plugged in after the next reload.
!
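To make the behaviour of the static configuration above (maximum, mac-address, violation mode) and of the sticky option concrete, here is a small simulator of one switchport's port-security logic. This is an added example, not code from the original post or from Cisco; the class and method names (SecurePort, receive, bounce, running_config) are this example's own, the frame arrivals in the usage section are constructed test input, and the syslog wording only approximates the IOS message.

```python
"""Simulator for the port-security rules described in the notes above.

Added example, not from the original post or from Cisco: it models one
switchport's secure-address table, the maximum, static and sticky entries,
and the protect / restrict / shutdown violation actions so the differences
can be exercised offline. Frame arrivals are constructed test input.
"""
from dataclasses import dataclass, field
from enum import Enum


class Violation(Enum):
    PROTECT = "protect"    # drop the frame; nothing logged, nothing counted
    RESTRICT = "restrict"  # drop the frame; log it and count it
    SHUTDOWN = "shutdown"  # put the port into err-disable


def norm(mac: str) -> str:
    """Normalise a MAC to lowercase Cisco dotted form (hhhh.hhhh.hhhh)."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    violation: Violation = Violation.SHUTDOWN
    sticky: bool = False
    static: set = field(default_factory=set)    # 'mac-address H.H.H' entries
    learned: set = field(default_factory=set)   # dynamically / sticky learned
    violations: int = 0
    status: str = "Secure-up"
    syslog: list = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        self.static.add(norm(mac))

    def secure_addresses(self) -> set:
        return self.static | self.learned

    def receive(self, src_mac: str) -> bool:
        """Apply port-security to one ingress frame; True means forwarded."""
        mac = norm(src_mac)
        if self.status == "Secure-shutdown":
            return False                      # err-disabled: nothing passes
        if mac in self.secure_addresses():
            return True
        if len(self.secure_addresses()) < self.maximum:
            self.learned.add(mac)             # learn until the maximum is reached
            return True
        # Unknown source MAC and the table is full: this is a violation.
        if self.violation is Violation.PROTECT:
            return False                      # silent drop, nothing recorded
        self.violations += 1
        self.syslog.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
                           f"occurred, caused by MAC address {mac} on port {self.name}.")
        if self.violation is Violation.SHUTDOWN:
            self.status = "Secure-shutdown"   # stays down until an operator bounces it
        return False

    def bounce(self) -> None:
        """Operator 'shutdown' / 'no shutdown' on the port to clear err-disable."""
        self.status = "Secure-up"

    def running_config(self) -> list:
        """Interface lines as they would appear in running-config."""
        lines = [f"interface {self.name}", " switchport mode access",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation.value}"]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            # sticky-learned MACs are written into the config; plain dynamic ones are not
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in sorted(self.learned)]
        lines += [f" switchport port-security mac-address {m}" for m in sorted(self.static)]
        lines.append(" switchport port-security")
        return lines


if __name__ == "__main__":
    # Constructed scenario: the Fa0/1 port from the notes, then a rogue host.
    port = SecurePort("FastEthernet0/1")
    port.add_static("00D0.BA28.B155")
    print(port.receive("00D0.BA28.B155"), port.receive("0000.1111.2222"), port.status)
    print("\n".join(port.running_config()))
```

Running the scenario under `__main__` shows the practical difference between the modes: in shutdown mode one rogue frame takes the authorised host offline too (the port is err-disabled until it is bounced), while restrict keeps the authorised host working and only logs the intruder, and protect drops the intruder with no trace at all.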
Verification
SW1# show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
--------------------------------------------------------------------
Fa0/1 1 1 0 Shutdown
Fa0/2 1 1 0 Shutdown
Fa0/3 1 1 0 Shutdown
Fa0/4 1 0 0 Shutdown
Fa0/5 1 0 0 Shutdown
Fa0/6 1 0 0 Shutdown
Fa0/7 1 0 0 Shutdown
Fa0/8 1 0 0 Shutdown
Fa0/9 1 0 0 Shutdown
Fa0/10 1 0 0 Shutdown
Fa0/11 1 0 0 Shutdown
Fa0/12 1 0 0 Shutdown
Fa0/13 1 0 0 Shutdown
Fa0/14 1 0 0 Shutdown
Fa0/15 1 0 0 Shutdown
Fa0/16 1 0 0 Shutdown
Fa0/17 1 0 0 Shutdown
Fa0/18 1 0 0 Shutdown
Fa0/19 1 0 0 Shutdown
Fa0/20 1 1 0 Shutdown
--------------------------------------------------------------------
SW1# show port-security interface fastEthernet 0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1 <---------- MAC address registered by sticky learning
Last Source Address:Vlan : 00D0.BA28.B155:1
Security Violation Count : 0
-Note: a port that was err-disabled by a violation stays down (Port Status : Secure-shutdown) until an administrator issues "shutdown" / "no shutdown" on it, or "errdisable recovery cause psecure-violation" is configured together with an "errdisable recovery interval". Port-Security only checks the source MAC address, so a host that clones an allowed MAC address is not stopped; treat it as a baseline control rather than as authentication.