MAC flooding attack

Port security configuration

int f0/1

description access port

switchport mode access

switchport access vlan 2

switchport port-security

switchport port-security maximum 2

switchport port-security mac-address 0000.1111.2222

switchport port-security mac-address 0000.1111.3333

switchport port-security violation restrict

switchport port-security aging time 60

switchport port-security aging type inactivity

1. Permits traffic based on the host MAC address.

Two parameters can be defined: the authorized MAC addresses, and how many MAC addresses the port may learn (default = 1).

Note the port-security violation actions: 1. shutdown: puts the port into err-disabled state, permanently or for a configured period (the default action)

2. restrict: drops frames from unauthorized hosts and sends an SNMP trap

3. protect: once the maximum number of learned MAC addresses is exceeded, frames from unauthorized hosts are dropped silently; no SNMP trap is sent

switchport mode access: the port must be set to access mode before port security can be enabled

switchport port-security: enables port security (by default only one MAC address can be learned)

switchport port-security maximum 1: sets the maximum number of addresses the port may learn

switchport port-security mac-address aaaa.bbbb.cccc: statically configures an authorized MAC address

switchport port-security aging time 1 (minutes): sets how long before MAC addresses can be relearned, i.e. the validity period of the existing MAC addresses.

switchport port-security mac-address sticky: makes dynamically learned addresses sticky, so they are kept permanently

show port-security: shows which interfaces have port security applied

show port-security address: shows the authorized MAC addresses

show port-security int f0/1: shows the detailed state of the interface
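Added example, not part of the original notes: a small Python audit that parses interface stanzas from a running-config and flags access ports where port security would not contain MAC flooding, i.e. port security not enabled, a maximum far above what a single host needs, or violation mode protect, which drops silently without an SNMP trap. The sample config, its interface names and the max_ok threshold of 10 are constructed assumptions.

```python
# Audit IOS access ports for port-security gaps; sample config and threshold are constructed.
import re

SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
interface FastEthernet0/2
 switchport mode access
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 500
 switchport port-security violation protect
"""

def parse_interfaces(config):
    # Split a running-config into {interface name: [indented sub-commands]}
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return interfaces

def check_port(cmds, max_ok=10):
    # Findings for one access port; max_ok is an assumed sane MAC limit
    if "switchport port-security" not in cmds:
        return ["port-security not enabled"]
    settings = {"maximum": "1", "violation": "shutdown"}  # IOS defaults
    for c in cmds:
        if m := re.fullmatch(r"switchport port-security (maximum|violation) (\S+)", c):
            settings[m.group(1)] = m.group(2)
    issues = []
    if int(settings["maximum"]) > max_ok:
        issues.append(f"maximum {settings['maximum']} exceeds {max_ok}")
    if settings["violation"] == "protect":
        issues.append("violation protect drops silently, no SNMP trap")
    return issues

def audit_port_security(config):
    # Port security only applies in access mode, so only those ports are audited
    return {name: found for name, cmds in parse_interfaces(config).items()
            if "switchport mode access" in cmds and (found := check_port(cmds))}
```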

AAA authentication configuration

username admin password cisco

aaa new-model

radius-server host 10.1.1.50 auth-port 1812 key xyz123

! try RADIUS first, then the local user database, then the line password

aaa authentication login default group radius local line

! method list with no authentication at all

aaa authentication login no_auth none

line vty 0 15

login authentication default

password sanfran

line console 0

login authentication no_auth

802.1X

Configuration

aaa new-model

radius-server host 10.1.1.50 auth-port 1812 key xyz123

aaa authentication dot1x default group radius

! enables 802.1X globally on the switch

dot1x system-auth-control

int f0/1

description access port

switchport mode access

! port stays unauthorized until the host authenticates via 802.1X

dot1x port-control auto