1.Port-Security安全地址:secure MAC address 在接口上激活Port-Security后,该接口就具有了一定的安全功能,例如能够限制接口(所连接的)的最大MAC数量,从而限制接入的主机用户;或者限定接口所连接的特定MAC,从而实现接入用户的限制。那么要执行过滤或者限制动作,就需要有依据,这个依据就是安全地址 – secure MAC address。
安全地址表项可以通过让使用端口动态学习到的MAC(SecureDynamic),或者是手工在接口下进行配置(SecureConfigured),以及sticy MAC address(SecureSticky) 三种方式进行配置。
当我们将接口允许的MAC地址数量设置为1并且为接口设置一个安全地址,那么这个接口将只为该MAC所属的PC服务,也就是源为该MAC的数据帧能够进入该接口。
1.Port-Security配置步骤 a) 在接口上激活Port-Security
Port-Security开启后,相关参数都有默认配置,需关注
b) 配置每个接口的安全地址(Secure MAC Address)
可通过交换机动态学习、手工配置、以及stciky等方式创建安全地址
c) 配置Port-Security惩罚机制
默认为shutdown,可选的还有protect、restrict
d) (可选)配置安全地址老化时间
If you reconfigure a secure access port as a trunk, port security converts all the sticky and static secure addresses on that port that were dynamically learned in the access VLAN to sticky or static secure addresses on the native VLAN of the trunk. Port security removes all secure addresses on the voice VLAN of the access port.
If you reconfigure a secure trunk as an access port, port security converts all sticky and static addresses learned on the native VLAN to addresses learned on the access VLAN of the access port. Port security removes all addresses learned on VLANs other than the native VLAN.