Cisco WS-C2960G-8TC-L Скачать руководство пользователя страница 19 | Manualshive

Страница: 19 / 30

Cisco WS-C2960G-8TC-L Скачать руководство пользователя страница 19

Port Security Feature

375

CertPrs8

/CCNA

®

Cisco Certiﬁed Network Associate Study Guide/Richard Deal/149728-5/Chapter 12

12.

At the top of the simulator in the menu bar, click the eStations icon and

choose Host-2. Enter

ipconfig /all

and compare the MAC address of

the PC to that learned by the 2950-1 switch on

fastethernet0/4

.

You should be more comfortable with the CAM table on Cisco switches.

CERTIFICATION OBJECTIVE 12.05

Port Security Feature

Port security

is a switch feature that allows you to lock down switch ports based on

the MAC address or addresses associated with the interface, preventing unauthorized
access to a LAN. For example, if MAC address 0001.001c.dddd is supposed to be
off of fa0/1, but it is seen off of fa0/2, this would be considered a security violation.
Or, if more addresses are seen off the interface than you allow, this would also be
considered a violation. As an administrator, you control what should happen when
a violation occurs, be it generating a notification about the issue, dropping traffic

for the MAC address that caused the violation,
or completely disabling the port where the
violation occurred.

The port security feature will not work

on trunk ports (Chapter 13), switch port
analyzer ports (SPANs), and EtherChannel
ports (Chapter 14). However, it is compatible
with 802.1x (Chapter 5) and Voice VLANs
(Chapter 13).

Port Security Conﬁguration

Starting in IOS 12.1(6)EA2, Cisco standardized how port security is configured on
its switches. The entire configuration is performed on an interface-by-interface basis
by using the

switchport

commands:

switch(config)#

interface fastethernet|gigabit 0/

port_#

switch(config-if)#

switchport mode access

switch(config-if)#

switchport access vlan

VLAN_#

Port security and/or

802.1x can be used lock down ports on a
switch, preventing unauthorized access to
your LAN network.

ch12.indd 375

3/12/08 4:45:12 PM

«
...
17
18
19
20
21
...
»

Содержание WS-C2960G-8TC-L

Страница 1: ...r 12 Blind Folio 357 12 Initial Switch Configuration CERTIFICATION OBJECTIVES 12 01 2960 Overview 12 02 Switch Startup 12 03 Basic Switch Configuration 12 04 Basic Switch Operation andVerification 12 05 Port Security Feature Two Minute Drill Q A Self Test ch12 indd 357 3 12 08 4 45 00 PM ...

Страница 2: ... comes with the LAN based software image which provides advanced quality of service rate limiting access control list ACL and many other features Table 12 1 compares the 2960 switches and their port types and capacities The dual purpose Gigabit Ethernet GE port supports a 10 100 1000 port and an SFP fiber port where one of the two ports not both can be used If a 2960 supports dual ports this is di...

Страница 3: ...aseTX ports For the 10 100 ports the ports are numbered in the first column 1 at the top and 2 at the bottom in the second column 3 at the top and 4 at the bottom and so on The front of the chassis contains the MODE button as well as the LEDs The rear of the chassis has the management connections You ll notice that no toggle switch is included to turn the switch on or off To turn the switch on plu...

Страница 4: ...he MODE LED will change from STAT to DUPLX The LEDs above each of the ports will reflect the duplex setting of the associated port If the LED above the port is off the port is set to half duplex if the LED is green the port is set to full duplex By pressing the MODE button again the MODE LED will change from DUPLX to SPEED The 2960 supports 10 100 and 10 100 1000 ports When the mode LED is set to ...

Страница 5: ...The following sections discuss these processes TABLE 12 3 Status Mode and Port LEDs LED Color LED Meaning Green A powered up physical layer connection to the device is attached to the port Flashing green Traffic is entering and or leaving the port Flashing green and amber An operational problem is occurring with the port perhaps excessive errors or a connection problem Amber The port has been disa...

Страница 6: ...t at least one test has failed during POST which is usually catastrophic for the switch in other words the switch won t boot up Running POST takes about a minute Assuming that the POST tests pass at least the critical ones the IOS continues executing Once the IOS completely loads a configuration is found and applied to the switch and you ll be presented with the User EXEC prompt assuming you are c...

Страница 7: ...4 Aug 07 01 55 by myl Image text base 0x00003000 data base 0x00FC0000 Initializing flashfs flashfs 1 602 files 19 directories flashfs 1 0 orphaned files 0 orphaned directories flashfs 1 Total bytes 32514048 flashfs 1 Initialization complete done Initializing flashfs POST CPU MIC register Tests Begin POST CPU MIC register Tests End Status Passed POST PortASIC Memory Tests Begin POST PortASIC Memory...

Страница 8: ...00 Motherboard assembly number 73 10390 04 Power supply part number 341 0097 02 Motherboard serial number FOC11305QDR Power supply serial number AZS113104M2 Model revision number D0 Motherboard revision number A0 Model number WS C2950 24TT L System serial number FOC1131W4NR Top Assembly Part Number 800 27221 03 Top Assembly Revision Number A0 Version ID V03 CLEI Code Number COM3L00BRB Hardware Boa...

Страница 9: ...tings are in square brackets Basic management setup configures only enough connectivity for management of the system extended setup will ask you to configure each interface on the system Would you like to enter basic management setup yes no yes Configuring global parameters Enter host name Switch The enable secret is a password used to protect access to privileged EXEC and configuration modes This...

Страница 10: ...igure IP on this interface no yes IP address for this interface 192 168 1 253 Subnet mask for this interface 255 255 255 0 Class C network is 192 168 1 0 24 subnet bits mask is 24 Would you like to enable as a cluster command switch yes no no The following configuration command script was created hostname Switch enable secret 5 1 N L t4q9Jw5DTffPTPE KkKNX enable password boson line vty 0 15 passwo...

Страница 11: ... Configuration Common IOS configuration tasks for switches and routers such as assigning a hostname setting up passwords for User and Privilege EXEC access and configuring hardware characteristics for interfaces speed and duplexing were discussed in Chapter 11 This section addresses how to assign an IP address and default gateway address to your switch so that you can access it remotely You ll als...

Страница 12: ...nce you re working in the VLAN interface use the ip address command to assign the address and subnet mask Next assign the default gateway ip default gateway This command is necessary if the switch needs to communicate with other devices via IP that are located in other subnets Example Conﬁguration Now let s pull together the basic configuration tasks from Chapter 11 as well as the above configurat...

Страница 13: ...255 255 255 0 Switch A config vlan exit Switch A config ip default gateway 10 0 1 1 Switch A config end Switch A copy running config startup config In this example the switch was given a hostname Switch A passwords for the console VTYs Privilege EXEC mode a login banner an IP address for VLAN 1 and a default gateway plus I saved the switch s configuration to NVRAM 12 02 The CD includes a multimedi...

Страница 14: ... address of 192 168 1 2 24 to the 2960 in VLAN 1 with a default gateway of 192 168 1 1 4 Access User EXEC mode Type enable to go to Privilege EXEC mode and then type configure terminal to access Configuration mode Your prompt should look like this Switch config 5 Enter the VLAN interface with interface vlan1 6 Enter the addressing information ip address 192 168 1 2 255 255 255 0 Enable the interfa...

Страница 15: ... pinging Host 1 and the 2950 1 switch ping 192 168 1 10 and ping 192 168 1 2 The pings should be successful Now configure the 2950 3 switch The commands are the same except use the appropriate configuration information the IP address is 192 168 3 2 24 Test connectivity to the 2600 1 and Host 4 1 Click the eSwitches icon in the toolbar and select 2950 3 2 On the 2950 3 switch access User EXEC mode ...

Страница 16: ...an example of the use of this command based on the network shown in Figure 12 2 Switch show mac address table Mac Address Table Vlan Mac Address Type Ports All 0000 0000 0001 STATIC CPU All 0000 0000 0002 STATIC CPU 1 0000 1111 AAAA DYNAMIC FA0 1 1 0000 1111 CCCC DYNAMIC FA0 2 1 0000 1111 BBBB DYNAMIC FA0 3 Total Mac Addresses for this criterion 12 In this example all the STATIC entries represent ...

Страница 17: ...ve that device to a different port even though the switch will see the change the static entry will always override the learning function of the switch On a 2960 switch use the following command to create a static entry in the CAM table Switch config mac address table static MAC_address vlan VLAN_ interface type module port_ In addition to specifying the MAC address of the device and the interface...

Страница 18: ... menu bar click the eSwitches icon and choose 2950 1 5 Enter Privilege EXEC mode by typing enable View the CAM table by typing show mac address table 6 Clear the CAM table by typing clear mac address table dynamic 7 On the 2950 1 ping Host 1 type ping 192 168 1 10 Examine the CAM table show mac address table What is the MAC address of Host 1 The MAC address will be different for each computer on w...

Страница 19: ... you allow this would also be considered a violation As an administrator you control what should happen when a violation occurs be it generating a notification about the issue dropping traffic for the MAC address that caused the violation or completely disabling the port where the violation occurred The port security feature will not work on trunk ports Chapter 13 switch port analyzer ports SPANs ...

Страница 20: ... maximum specifies the maximum number of devices that can be associated with the interface This defaults to 1 and can range from 1 to 132 The fifth command on the interface specifies what should occur if a security violation occurs the MAC address is seen connected to a different port Three options are possible protect When the number of secure addresses reaches the maximum number allowed any addi...

Страница 21: ...y secure addresses Basically sticky learning lets you avoid having to configure the MAC addresses associated with the interface If you don t statically define the MAC addresses or use sticky learning to learn them with port security dynamic learning is used Dynamic learning is similar to sticky learning in that the switch will learn the MAC addresses dynamically off of the interface up to the maxi...

Страница 22: ... port security command switch show port security Port MaxSecureAddr CurrentAddr SecurityViolation Security Action Count Count Count Fa0 1 10 10 0 Shutdown Fa0 2 1 1 0 Restrict Total Addresses in System 21 Max Addresses limit in System 6176 In this example 10 MAC addresses can be learned off of FA0 1 10 have been learned and the violation mode is shut down but currently no violations have occurred ...

Страница 23: ...ce and assigning a default gateway address Know when you must configure a default gateway address on a switch Basic Switch Operation and Verification Understand how to view the MAC addresses in the MAC address table show mac address table and how to compare incoming frames to the table to determine how the switch will forward the frame Port Security Feature Of the five sections in this chapter thi...

Страница 24: ...ly minimally it will need an IP address associated with a VLAN interface vlan and ip address and a default gateway address ip default gateway To view the MAC addresses the switch learns use the show mac address table command Port security can be used to prevent unauthorized access to a LAN Addresses can be learned dynamically not saved using sticky learning saved or statically configured A violati...

Страница 25: ...ound and loaded If a configuration file cannot be found when booting up the System Configuration Dialog questions can be answered to place a basic configuration on the switch Basic Switch Configuration An IP address can be assigned to a VLAN interface on a switch for accessing it remotely via telnet or SSH or to back up its configuration or upgrade its IOS using the ip address command The ip defau...

Страница 26: ...hapter 12 The defaults for port security are learning one MAC address on the interface with a violation mode of shutdown Sticky learning allows a switch to dynamically learn which MAC addresses are associated with an interface as well as saving these in the running configuration of the switch ch12 indd 382 3 12 08 4 45 14 PM ...

Страница 27: ...T LED is amber on one of the two PCs switch port connections C The SYSTEM LED is off D The MIC connectors on the Ethernet cables are not seated correctly in the switch ports Switch Startup 3 Which of the following is not asked for during the System Configuration Dialog script A Enabling interfaces B Default gateway address C VLAN interface to use for management functions D Enable secret password B...

Страница 28: ...1111 AAAA DYNAMIC FA0 1 1 0000 1111 CCCC DYNAMIC FA0 2 1 0000 1111 BBBB DYNAMIC FA0 3 A Flood it B Drop it C Forward it out FA0 1 D Forward it out of FA0 1 and FA0 2 Port Security Feature 8 Which switch feature is used to prevent unauthorized access to a LAN A Port security B Port security and 802 1Q C VTY passwords D Enable password 9 Which of the following is not a default configuration for port...

Страница 29: ...itches B C and D are asked for and are thus incorrect answers Basic Switch Configuration 4 C The ip default gateway command is a Global configuration mode command A is incorrect because the Interface mode is used to assign an IP address to a VLAN interface B is incorrect because Line mode is used to restrict User EXEC access to the switch D is a nonexistent configuration mode 5 Here is how to conf...

Страница 30: ...ct because 802 1Q is a VLAN trunking protocol C and D are used to restrict access to the switch not to the LAN for which the switch provides connectivity 9 C Dynamic not sticky learning is the default A B and D are defaults and thus incorrect 10 D You should statically define MAC addresses of servers and routers when using port security A and C are used for user ports B is a nonexistent learning m...

Отзывы:

Нет отзывов