Está en la página 1de 3

1/ Gii thiu Bn l 1 QTM, v bn nm r thit b no c ni vo cng no trn Switch, tng lai bn mun cc cng s c s dng nh th no.

. Khi , tnh nng Port Secutiry s gip bn 1 s vn sau: - Gii hn cho 1 cng ch c s dng bi 1 (hoc nhiu) thit b. VD: bn mun cng Fa0/1 ch chp nhn cc frame n t thit b c MAC Address l 0202.1111.1111 iu ny gip gim thiu 1 s nguy c mng b tn cng khi Attacker thc hin ARP Attack. - Nu 1 thit b khng c quyn s dng cng gi frame ti, Switch loi b frame , ghi li log, hoc shutdown cng (loi b tt c cc frame mun vo ra t cng ny ca tt c cc thit b) 2/ Cc bc cu hnh Cu hnh Port Security bao gm nhiu bc. V c bn, bn cn thit lp cho cng mun p Port Security tr thnh Access Port, tc l cng ch c th trao i frame vi cc cng nm cng VLAN vi n. Sau , bn enable cho Port Security v cu hnh thit b c MAC Adrress l g mi c s dng cng . Di y l cc bc thc hin. B0: Nhy vo cng mun p PS B1: cng tr thnh Access Port s dng lnh Code:
switchport mode access

B2: enable PS cho n g tip Code:


switchport port-security

B3: (khng bt buc) Nu mun ch nh s lng MAC Address ti a c php lin kt vi cng ny th g Code:
switchport port-security maximum number

(thay number=s MAC Address, mc nh l 1) B4: (khng bt buc) Bn mun Switch lm g khi cc frame gi ti cng ny c Source MAC Address khng nm trong danh sch cho php: protect, restrict, shutdown? (chn 1 trong 3) Mc nh l shutdown cng Code:
switchport port-security violation {protect | restrict | shutdown}

Gii thch: - Protect: Loi b frame (nhng vn cho php cc frame khc i ra cng ny) - Restrict: Loi b frame + hin th syslog trn ca s console + gi thng ip SNMP - Shutdown: Loi b frame + hin th syslog trn ca s console v gi thng ip SNMP + disable cng t chi tt c traffic vo ra Ty chn Shutdown t interface vo trng thi error disabled (err-disabled), lm cho interface ngng hot ng hon ton. khi phc lm vic cho n bn nhy vo cng v dng lnh Code:
no shutdown

B5a: Ch nh 1 (hoc nhiu) MAC Addess c php gi frame ti cng ny Code:


switchport port-security mac-address mac_address

(thay mac_address = MAC Adrress mong mun). S dng lnh ny nhiu ln ch nh hn 1 MAC Adrress

B5b: Thay v lm bc B5a bn phi d v thm tng MAC Address bng tay, Switch c th t ng thm cc MAC Address vo danh sch c php lin kt vi cng (Whitelist) thng qua qu trnh Sticky Learning. Code:
switchport port-security mac-address sticky

Lnh ny s bo cho Switch bit: Thit b no gi frame n cng ny u tin th hy thm MAC Address ca thit b vo Whitelist Lu : + Nu B3 bn t maximum=n th ch c n thit b gi frame n u tin s nm trong Whitelist. + Sau khi hon tt thit lp Port Security bn chy lnh

Maximum Mac-address: s lng ti da cho php cc mac-address c cu hnh trn mi port l t 1 - 3072. gi tr mc nh l 1 khi ta g lnh: 'switchport portsecurity'. thay i gi tr max mac-address, dng lnh: 'switchport portsecurity maximum xxx' vi xxx l con s c th. Nh vy vi cu hnh trn mnh khng cn thit phi lnh: 'switchport port-security maximum 1' - Violation mode: khi mt mac-address khng c cu hnh trong port-security v s lng mac-address vt qu s lng ti a mac-address cho php th s vi phm n cu hinh ca port-security, action tip theo i vi port ny ty thuc vo cch bn cu hnh vi 3 vioaltion mode sau: protect, restrict, shutdown. + Protect: Port s drop tt c traffic ca mac-address 'l' khng c cu hnh cho n khi bn remove mac-address ny ra khi port (ngt kt ni ca PC ra khi port). + Restrict: Port s drop tt c traffic ca mac-address 'l' khng c cu hnh cho n khi bn remove mac-address ny ra khi port (ngt kt ni ca PC ra khi port). Nhng khc vi mode 'Protect' 1 ch, mode ny s tng dn gi tr b m dnh cho SecurityViolation ( SecurityViolation counter to increment) v s sinh ra cc cnh bo - SNMP Notification c th c gi n Network Administrator. + Shutdown: mode mc nh khi cu hnh port-security vi lnh 'swithcport portsecurity'. Mode ny s drop tt c cc traffic trn port ch khng ch ca mac 'l' v shutdown port ny ngay lp tc, port khi ny ri vo trng thi 'error disable'. Bn c th a port tr li hot ng bng cch cu hnh 'shudown' sau 'no shutdown' trn port, hay t ng enable bng chui lnh: 'errdisable recovery cause psecure-violation' v'errdisable recovery cause interval 3600'.