1. Switch port hardening (port security)
The commands below are entered in the interface view of the access port being hardened.
port-security enable #enable port security on the interface
port-security protect-action protect #action taken when a frame arrives from a MAC beyond the limit: restrict (drop and raise an alarm), protect (drop silently), shutdown (put the interface into error-down)
port-security max-mac-num 2 #maximum number of secure MAC addresses the port may learn
port-security mac-address sticky #enable sticky MAC learning; MAC entry types are static (configured by hand), dynamic, secure (secure dynamic, learned after port security is enabled and lost on reboot) and sticky (learned, kept across reboots once the configuration is saved)
port-security aging-time 1 #aging time in minutes for secure dynamic MAC addresses; sticky addresses do not age
display mac-address verbose #show the MAC table with learning details
display mac-address sticky #show sticky MAC entries
undo port-security mac-address sticky #disable sticky MAC learning
If the requirement is only to stop unauthorized MAC addresses from communicating through the switch, and the segment has many hosts, port security is the more suitable choice.
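The Python script below is an added example, not configuration or code from the original page. It models how a port configured with max-mac-num 2 treats incoming source MACs under each protect-action, and which learned entries survive a reboot with and without sticky. The SecurePort class, the constructed frames and the assumed semantics (restrict drops and alarms, protect drops silently, shutdown puts the port into error-down so every later frame is dropped; only sticky entries survive a reboot after the configuration was saved) are assumptions of this model, not Huawei code.

```python
# Added example (not from the page): a small model of port security behaviour.
# Assumptions, labelled here: a port learns source MACs up to max_mac_num; a frame
# from a further MAC triggers the protect action (restrict = drop and alarm,
# protect = silent drop, shutdown = error-down, after which every frame on the
# port is dropped); on reboot, secure dynamic entries are lost while sticky
# entries survive if the configuration was saved.
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    max_mac_num: int = 1
    protect_action: str = "restrict"   # restrict | protect | shutdown
    sticky: bool = False
    learned: list = field(default_factory=list)  # secure MACs in learning order
    error_down: bool = False
    dropped: int = 0
    alarms: list = field(default_factory=list)

    def receive(self, src_mac):
        """Return 'forward' or 'drop' for a frame with this source MAC."""
        src_mac = src_mac.lower()
        if self.error_down:
            self.dropped += 1
            return "drop"
        if src_mac in self.learned:
            return "forward"
        if len(self.learned) < self.max_mac_num:
            self.learned.append(src_mac)
            return "forward"
        # A new MAC beyond max-mac-num: apply the configured protect action.
        self.dropped += 1
        if self.protect_action == "restrict":
            self.alarms.append(f"unknown source MAC {src_mac} exceeds limit {self.max_mac_num}")
        elif self.protect_action == "shutdown":
            self.error_down = True
            self.alarms.append("interface set to error-down")
        # protect: drop without an alarm
        return "drop"

    def reboot(self, config_saved=True):
        """Secure dynamic MACs vanish on reboot; sticky MACs survive if saved."""
        if not (self.sticky and config_saved):
            self.learned = []


def run(protect_action, sticky=False):
    """Replay constructed frames through a port with max-mac-num 2."""
    port = SecurePort(max_mac_num=2, protect_action=protect_action, sticky=sticky)
    frames = ["5489-98c0-3caf",   # host A, learned
              "5489-98c0-3cb0",   # host B, learned (limit reached)
              "0000-dead-beef",   # third MAC: triggers the protect action
              "5489-98c0-3caf"]   # host A again: forwarded unless the port is error-down
    decisions = [port.receive(m) for m in frames]
    port.reboot(config_saved=True)
    return decisions, len(port.alarms), port.error_down, len(port.learned)


if __name__ == "__main__":
    for action in ("restrict", "protect", "shutdown"):
        print(action, run(action))
```

The run with shutdown shows why that action is the most disruptive: after the third MAC appears, even the legitimate host A is cut off until the interface is recovered. Only the sticky variant keeps the two learned entries after the simulated reboot.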
2. Switch IPSG
IPSG (IP Source Guard) is a source-IP filtering technique applied on Layer 2 interfaces. It checks incoming IP packets against a binding table of IP address, MAC address, VLAN and interface, so a malicious host cannot spoof a legitimate host's IP address, and an unauthorized host cannot get on the network simply by configuring an IP address of its own choosing.
2.1 Static IPSG configuration
user-bind static ip-address 192.168.1.1 mac-address 5489-98c0-3caf interface GigabitEthernet0/0/10 vlan 11 #bind the IP-MAC-interface-VLAN tuple by hand (system view)
[interface g0/0/1] ip source check user-bind enable #enable the IPSG check on the interface
[interface g0/0/1] ip source check user-bind alarm enable #raise an alarm when IP packets fail the check
[interface g0/0/1] ip source check user-bind alarm threshold 200 #report the alarm once 200 packets have been discarded
display dhcp static user-bind all #verify the static binding table
Note that the binding above names GigabitEthernet0/0/10 while the check is enabled on g0/0/1. A binding entry includes the interface, so it only matches traffic arriving on that interface: enable the check on the interface the host is actually attached to and make sure the binding refers to the same interface, otherwise the legitimate host is the one that gets dropped.
2.2 Dynamic IPSG configuration (bindings learned from DHCP snooping)
Switch_2 acts as the DHCP server; Switch_1 is the access switch that snoops DHCP and builds its binding table from the leases it sees.
[Switch_2] dhcp enable #enable DHCP globally
[Switch_2] ip pool DHCP-IP
[Switch_2-ip-pool-DHCP-IP] network 10.1.1.0 mask 24
[Switch_2-ip-pool-DHCP-IP] gateway-list 10.1.1.1
[Switch_2] interface vlanif 10
[Switch_2-Vlanif10] ip address 10.1.1.1 255.255.255.0
[Switch_2-Vlanif10] dhcp select global #serve leases from the global pool on this VLAN
[Switch_1] dhcp enable
[Switch_1] dhcp snooping enable #enable DHCP snooping globally
[Switch_1] vlan 10
[Switch_1-vlan10] dhcp snooping enable #enable DHCP snooping in the VLAN
[Switch_1-vlan10] dhcp snooping trusted interface gigabitethernet 0/0/3 #the interface towards the DHCP server is trusted; DHCP server replies arriving on untrusted ports are discarded
[Switch_1-vlan10] ip source check user-bind enable #enable IPSG in the VLAN; hosts whose IP/MAC/VLAN/interface do not match a snooped lease or a static entry are dropped
display dhcp snooping user-bind all #verify the dynamic binding table
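The Python script below is an added example, not code or configuration from the original page. It models the IPSG check described in 2.1 and 2.2: a binding table filled from static user-bind entries and from DHCP-snooping-learned leases, a check enabled per interface or per VLAN, and a drop counter that raises an alarm at the configured threshold. The Ipsg class, norm_mac helper, constructed packets and the assumed semantics (all four fields of IP, MAC, VLAN and interface must match; one alarm when the drop count reaches the threshold) are assumptions of this model, not Huawei code; the mismatch() function reproduces the interface mismatch in the page's static example.

```python
# Added example (not from the page): a model of the IPSG binding check.
# Assumptions, labelled here: the binding table holds (ip, mac, vlan, interface)
# rows, filled either by static user-bind entries or by leases learned through
# DHCP snooping; where the check is enabled (on an interface or a VLAN) an IP
# packet is forwarded only if all four fields match one row; each discarded
# packet is counted and an alarm is raised when the count reaches the threshold.
from dataclasses import dataclass, field


def norm_mac(mac):
    """Accept 'aa:bb:cc:dd:ee:ff' or 'aabb-ccdd-eeff'; return the dashed form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


@dataclass
class Ipsg:
    bindings: set = field(default_factory=set)
    check_scopes: set = field(default_factory=set)  # interface names or "vlan N"
    alarm_threshold: int = 200
    dropped: int = 0
    alarms: list = field(default_factory=list)

    def user_bind_static(self, ip, mac, interface, vlan):
        """Model of 'user-bind static ip-address ... mac-address ... interface ... vlan ...'."""
        self.bindings.add((ip, norm_mac(mac), vlan, interface))

    def dhcp_snooping_learn(self, ip, mac, interface, vlan):
        """Dynamic binding created when snooping sees a DHCP lease for this host."""
        self.bindings.add((ip, norm_mac(mac), vlan, interface))

    def enable_check(self, scope):
        """Model of 'ip source check user-bind enable' in interface view or VLAN view."""
        self.check_scopes.add(scope)

    def packet(self, src_ip, src_mac, interface, vlan):
        """Return 'forward' or 'drop' for an IP packet arriving on interface/vlan."""
        if interface not in self.check_scopes and f"vlan {vlan}" not in self.check_scopes:
            return "forward"  # IPSG not enabled here, nothing is filtered
        if (src_ip, norm_mac(src_mac), vlan, interface) in self.bindings:
            return "forward"
        self.dropped += 1
        if self.dropped == self.alarm_threshold:
            self.alarms.append(f"{self.dropped} packets discarded by IPSG")
        return "drop"


def demo():
    """Constructed traffic against one static and one snooped binding."""
    g = Ipsg(alarm_threshold=3)  # low threshold so the demo trips the alarm
    g.user_bind_static("192.168.1.1", "5489-98c0-3caf", "GigabitEthernet0/0/10", 11)
    g.dhcp_snooping_learn("10.1.1.2", "00:e0:fc:12:34:56", "GigabitEthernet0/0/1", 10)
    g.enable_check("GigabitEthernet0/0/10")
    g.enable_check("vlan 10")
    decisions = [
        g.packet("192.168.1.1", "5489-98c0-3caf", "GigabitEthernet0/0/10", 11),  # static match
        g.packet("10.1.1.2", "00e0-fc12-3456", "GigabitEthernet0/0/1", 10),      # snooped lease
        g.packet("10.1.1.2", "00e0-fc12-3456", "GigabitEthernet0/0/2", 10),      # same IP/MAC, wrong port
        g.packet("10.1.1.99", "00e0-fc12-3456", "GigabitEthernet0/0/1", 10),     # hand-set IP, no lease
        g.packet("192.168.1.1", "5489-98c0-3caf", "GigabitEthernet0/0/10", 12),  # wrong VLAN
        g.packet("10.1.1.3", "00:e0:fc:aa:bb:cc", "GigabitEthernet0/0/4", 12),   # VLAN 12 unchecked
    ]
    return decisions, g.dropped, len(g.alarms)


def mismatch():
    """Binding on GE0/0/10 but check enabled on GE0/0/1: the host on GE0/0/1 is dropped."""
    g = Ipsg()
    g.user_bind_static("192.168.1.1", "5489-98c0-3caf", "GigabitEthernet0/0/10", 11)
    g.enable_check("GigabitEthernet0/0/1")
    return g.packet("192.168.1.1", "5489-98c0-3caf", "GigabitEthernet0/0/1", 11)


if __name__ == "__main__":
    print(demo())
    print(mismatch())
```

The third and fourth packets in demo() are the two attacks IPSG is meant to stop: a lease replayed from a different port, and a host that set its own address instead of using DHCP. The last packet passes untouched because no check is enabled for VLAN 12 or that interface, which is the usual reason an IPSG deployment "works in the lab" but filters nothing in production.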