What is MAC address learning?
Port Security can be enabled on a port with a single command:
In this example Port Security is enabled on only one port, although in practice it is usually applied to all user-facing ports.
Once Port Security is enabled, its default settings can be viewed with the show port-security command:
As you can see, there are a number of parameters that can be tuned. Let's go through them in order.
When a device is connected to a switch port, the switch learns the source MAC address of the first frame that arrives on that port:
Now, as an experiment, connect a hub to this switch port, and attach to the hub the same device plus one new device. In this situation the switch port will receive frames with two different source MAC addresses. Let's see what happens when the second device starts sending traffic:
Checking the Port Security state on the port again: the arrival of frames with a new MAC address on the switch port has caused the port to be shut down:
Configuring Port Security
Violation Mode
Port Security can be configured to take one of three actions when a violation occurs:
Log messages will continue to be generated for as long as the device with the unauthorized MAC address remains connected to the switch.
Maximum Number of MAC Addresses
By default, Port Security limits the number of allowed MAC addresses to one. This setting can be changed, for example to allow an IP phone and a computer to be connected to the same switch port at the same time:
It is also possible to configure the maximum number of addresses separately for the voice VLAN and the regular (access) VLAN:
MAC Address Learning
The administrator can statically assign the allowed MAC addresses on a port. MAC addresses can be configured separately per VLAN (access or voice).
Configured addresses are stored in the running configuration:
In general this practice is hard to apply in networks with a large number of ports; the most convenient option in that case is "sticky learning" of MAC addresses: in this mode addresses are learned dynamically until the address limit (maximum MAC addresses) is reached.
As they are learned, the addresses are placed into the running config, just as if they had been configured manually:
MAC Address Aging
By default, MAC addresses are remembered effectively forever (until a reboot). It is possible to configure address aging. This allows new devices to be connected to the switch port after some time. Aging can be configured to refresh MAC addresses on a regular basis (at fixed intervals), or after a specified period of device inactivity. The following configuration sets a MAC address entry to age out after 5 minutes of inactivity:
After 5 minutes of inactivity you can see that the address has been cleared from memory, freeing space to learn any other address:
Auto-recovery
To avoid having to re-enable a port manually after it has been blocked (error-disabled state), the automatic recovery (auto-recovery) function can be used. The interval is configured in seconds.
Ten minutes (600 seconds) after the port was placed in error-disabled mode, you can see that it has automatically returned to service:
Remember that if the situation with the connected devices has not changed, the port will be placed back into the error-disabled state after automatic recovery.
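The settings discussed above, gathered into one added example (my own configuration, not the original article's listings): the interface names and VLAN numbers are assumed; the port-security, aging and errdisable recovery commands are standard Cisco IOS, with the second port showing the bare default for comparison.

```cisco
! Added example: user-facing access ports with Port Security tuned as
! described above. FastEthernet0/1-2 and VLANs 10/110 are assumed.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 ! two addresses in total: one for the PC, one for the IP phone
 switchport port-security maximum 2
 switchport port-security maximum 1 vlan access
 switchport port-security maximum 1 vlan voice
 ! restrict: drop offending frames, count them and log them,
 ! instead of the default "shutdown" that err-disables the port
 switchport port-security violation restrict
 ! sticky: learned addresses are written into the running config
 switchport port-security mac-address sticky
 switchport port-security
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 ! defaults kept on purpose: maximum 1, violation shutdown,
 ! dynamic learning; the entry ages out after 5 min of silence
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 switchport port-security
!
! Global: bring err-disabled ports back automatically after 600 s.
! If the offending device is still attached, the port goes down again.
errdisable recovery cause psecure-violation
errdisable recovery interval 600
```

Verify the result with show port-security interface FastEthernet0/1 and show errdisable recovery.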
It is also important to understand that a MAC address is easy to spoof, and several devices connected to a port can be hidden behind a simple router. The IEEE 802.1X standard is a far more uncompromising access-layer security technology.
2 Responses to "Configuring Port Security"
emsgr.us
Since Port Security is enabled with default settings immediately after the switchport port-security command, it is worth issuing it first only if the default settings are suitable.
Cisco CPT Configuration Guide CTC and Documentation Release 9.7 and Cisco IOS Release 15.2(02)
Configuring MAC Learning
This chapter describes MAC learning, MAC address limiting, and static MAC address. This chapter also describes the configuration procedures.
Understanding MAC Learning
The Carrier Packet Transport (CPT) system is a distributed system with fabric cards, line cards, and CPT 50 panels. The MAC addresses learned on one line card need to be learned or distributed on the other line cards. The MAC learning feature enables the distribution of the MAC addresses learned on one line card to the other line cards.
A software MAC address table is maintained on the fabric cards. This MAC address table contains the MAC addresses learned on all the line cards. This MAC address table is used to distribute the MAC addresses when the line card reboots or goes through Online Insertion and Removal (OIR).
Note
By default, MAC address learning is enabled only for point–to–multipoint bridge domains and can also be disabled. See NTP-J7 Enable or Disable MAC Learning on a Bridge Domain.
MAC Address Aging
Dynamically learned MAC addresses are deleted after the MAC address age-out value expires. This frees up unused addresses in the MAC address table for other active subscribers. In CPT, the default value for MAC address aging is 300 seconds and cannot be changed. The expected MAC address age-out time is between 300 and 600 seconds, depending on the number of MAC addresses learned.
Dynamic MAC Address Learning
Dynamic MAC address learning occurs when the bridging data path encounters an ingress frame whose source address is not present in the MAC address table for the ingress service instance. The learned MAC addresses are distributed to the other cards with Ethernet Flow Points (EFPs) in the same bridge domain.
MAC Move
A MAC move occurs when the same MAC address is re-learned on a different port. When a MAC move is detected, a transient event is generated to inform the user about the MAC move.
MAC Learning on LAG
If a Link Aggregation Group (LAG) interface is part of a point–to–multipoint bridge domain, MAC learning is enabled on the LAG interface. The MAC addresses are learned on the LAG interface instead of on the physical interface.
MAC Learning Actions
The following table describes the various scenarios and the actions taken on MAC addresses for each scenario.
Table 1 MAC Learning Actions

| Scenario | Action |
|---|---|
| A bridge domain is created. | MAC learning is enabled by default in point–to–multipoint bridge domains. MAC learning is not supported in point–to–point bridge domains. |
| A bridge domain is deleted. | The MAC addresses learned on the bridge domain are removed from the software MAC address table maintained on the fabric cards. These MAC addresses are also removed from the line card hardware. |
| An EFP is added and is the first EFP on a bridge domain on a card. | All the MAC addresses learned on the bridge domain are sent to this new card. |
| An EFP is added and is not the first EFP on a bridge domain. | Nothing needs to be done, as the MAC addresses learned on the bridge domain are already present. |
| An EFP is deleted. | All the MAC addresses learned on that EFP are deleted. |
| An EFP admin state is UP. | When the EFP is the first EFP on the bridge domain on the card, all the MAC addresses learned on the bridge domain are sent to this new card. When the EFP is not the first EFP on the bridge domain on the card, nothing needs to be done, as the MAC addresses learned on the bridge domain are already present. |
| An EFP admin state is DOWN. | All the MAC addresses learned on that EFP are deleted. |
| The port goes down. | All the MAC addresses learned on the port on all the bridge domains are deleted. |
| The active fabric card is reset. | The standby fabric card becomes active and the software MAC address table on the new active card is used. |
| The standby fabric card is reset. | The standby fabric card is updated with the software MAC address table during the bulk synchronization process. |
| The line card comes up after a reset (soft reset). | The active fabric card sends the MAC addresses learned on the bridge domains that are configured on the line card. |
| The line card goes through Online Insertion and Removal (OIR). | The active fabric card sends the MAC addresses learned on the bridge domains that are configured on the line card. |
MAC Learning Configuration Procedures
The following procedures can be performed using Cisco IOS commands to configure MAC learning and MAC address limiting:
The following procedures can be performed using CTC to configure MAC learning and MAC address limiting:
NTP-J7 Enable or Disable MAC Learning on a Bridge Domain
Stop. You have completed this procedure.
DLP-J19 Re–enable or Disable MAC Learning on a Bridge Domain Using Cisco IOS Commands
Purpose
This procedure re-enables or disables MAC learning on the bridge domain using Cisco IOS commands.
Tools/Equipment
None
Prerequisite Procedures
None
Required/As Needed
As needed
Onsite/Remote
Onsite or remote
Security Level
Provisioning or higher
Note
MAC learning is enabled on the point–to–multipoint bridge domains by default.
Procedure

Step 1: enable
Example: Router> enable
Enables privileged EXEC mode.

Step 2: configure terminal
Example: Router# configure terminal
Enters global configuration mode.

Step 3: bridge-domain bridge-id
Example: Router(config)# bridge-domain 100
Configures components on a bridge domain and enters bridge domain configuration mode.

Step 4: mac learning
Example: Router(config-bdomain)# mac learning
Re-enables MAC learning on this bridge domain.

Step 5: no mac learning
Example: Router(config-bdomain)# no mac learning
Disables MAC learning on this bridge domain.

Step 6: end
Example: Router(config-bdomain)# end
Exits bridge domain configuration mode and returns to privileged EXEC mode.
Example: Re–enable or Disable MAC Learning on a Bridge Domain
The following example shows how to re-enable MAC learning on a bridge domain using Cisco IOS commands:
The following example shows how to disable MAC learning on a bridge domain using Cisco IOS commands:
DLP-J20 Re-enable or Disable MAC Learning on a Bridge Domain Using CTC
Purpose
This procedure re-enables or disables MAC learning on the bridge domain using CTC.
Tools/Equipment
None
Prerequisite Procedures
DLP-J2 Create an EVC Circuit Using CTC of EVC type Ethernet Private LAN or Ethernet Virtual Private LAN.
Required/As Needed
As needed
Onsite/Remote
Onsite or remote
Security Level
Provisioning or higher
Note
MAC learning is enabled on the point–to–multipoint bridge domains by default.
Understanding MAC Address Limiting
MAC address limiting for bridge domains provides the capability to control the MAC addresses learned on a bridge domain. You can configure an upper limit on the number of MAC addresses that can be learned in a bridge domain. If an Ethernet frame with an unknown MAC address is received, it is flooded in the bridge domain. The MAC address limiting commands are configured under the bridge domain.
Note
The maximum MAC address limit on a bridge domain is 128000.
NTP-J8 Configure MAC Address Limit on a Bridge Domain
This procedure configures MAC address limit on a bridge domain.
Stop. You have completed this procedure.
DLP-J21 Configure MAC Address Limit on a Bridge Domain Using Cisco IOS Commands
Purpose
This procedure configures an upper limit on the number of MAC addresses that reside in a bridge domain using Cisco IOS commands.
Tools/Equipment
None
Prerequisite Procedures
None
Required/As Needed
As needed
Onsite/Remote
Onsite or remote
Security Level
Provisioning or higher
Procedure

Step 1: enable
Example: Router> enable
Enables privileged EXEC mode.

Step 2: configure terminal
Example: Router# configure terminal
Enters global configuration mode.

Step 3: bridge-domain bridge-id
Example: Router(config)# bridge-domain 100
Configures components on a bridge domain and enters bridge domain configuration mode.

Step 4: mac limit maximum addresses maximum-addresses
Example: Router(config-bdomain)# mac limit maximum addresses 200
Sets an upper limit on the number of MAC addresses that reside in a bridge domain.
Enter the no mac limit command to restore the default MAC address limit.

Step 5: end
Example: Router(config-bdomain)# end
Exits bridge domain configuration mode and returns to privileged EXEC mode.
Example: Configure MAC Address Limit on a Bridge Domain
The following example shows how to configure MAC address limiting on a bridge domain using Cisco IOS commands:
DLP-J22 Configure the MAC Address Limit on a Bridge Domain Using CTC
You need to change the MAC address limit value on each node where the bridge domain is configured.
Step 9
Click Apply.
Step 10
Return to your originating procedure (NTP).
Understanding the Static MAC Address
You can configure static MAC addresses on a service instance. Static MAC address configuration on service instances eliminates the need for MAC address learning, which is required for traffic forwarding. Without MAC address learning, MAC address table resources can be conserved and network resources can be optimized.
Note
Static MAC address configuration does not apply to the MVR bridge domain.
Benefits
Static MAC address support on service instances provides the following benefits:
Restrictions
NTP-J9 Configure a Static MAC Address on a Service Instance
This procedure configures a static MAC address on a service instance.
Stop. You have completed this procedure.
DLP-J23 Configure a Static MAC Address on a Service Instance Using Cisco IOS Commands
Purpose
This procedure configures a static MAC address on a service instance using Cisco IOS commands.
Tools/Equipment
None
Prerequisite Procedures
DLP-J1 Configure an Ethernet Service Instance Using Cisco IOS Commands
Required/As Needed
As needed
Onsite/Remote
Onsite or remote
Security Level
Provisioning or higher
Note
Enter the no mac static address mac-addr command to remove the statically added unicast MAC address.
Configures a Ten Gigabit Ethernet interface and enters interface configuration mode.
Step 4: service instance id ethernet [evc-id]
Example: Router(config-if)# service instance 1 ethernet
Configures an Ethernet service instance on an interface and enters service instance configuration mode.

Step 5: mac static address mac-address
Example: Router(config-if-srv)# mac static address 0000.bbbb.cccc
Configures a static MAC address on a service instance.

Step 6: exit
Example: Router(config-if-srv)# exit
Returns to interface configuration mode.

Step 7: end
Example: Router(config-if)# end
Returns to privileged EXEC mode.
Example: Configure a Static MAC Address on a Service Instance
The following example shows how to configure a static MAC address on a service instance using Cisco IOS commands:
DLP-J24 Configure a Static MAC Address on a Service Instance Using CTC
NTP-J10 Remove a MAC address
Stop. You have completed this procedure.
DLP-J25 Remove a MAC Address Using Cisco IOS Commands
Purpose
This procedure removes a dynamic MAC address from the MAC address table using Cisco IOS commands.
Tools/Equipment
None
Prerequisite Procedures
None
Required/As Needed
As needed
Onsite/Remote
Onsite or remote
Security Level
Provisioning or higher
Note
This procedure removes only dynamically added MAC addresses. To remove the statically added MAC addresses, enter the no mac static address mac-addr command.