There are three ways to respond to a security violation:
switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
switchport port-security violation restrict – sets the violation response mode. In this mode, if a third, unknown MAC address appears on the interface, all packets arriving from it are dropped. In addition, the event is reported to the logging facilities: a syslog message is written, an SNMP trap is sent and the violation counter is incremented.
switchport port-security violation shutdown – when a violation is detected, puts the interface into the error-disabled state and shuts it down. As with restrict, a syslog message is written, an SNMP trap is sent and the violation counter is incremented. To bring the interface out of this state, the shutdown and no shutdown commands are used.
If the switchport port-security violation protect command has been entered on the interface, packets from unknown MAC addresses are dropped, no notification of any kind is generated, and the port does not go into the shutdown state.
Of these modes, switchport port-security violation restrict is recommended in most cases.
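To make the difference between the three modes concrete, here is an added example (my own illustrative model, not part of the lab text and not Cisco code) that runs the same sequence of frames through a port configured with protect, restrict and shutdown. The class and method names are invented for the illustration; the MAC addresses are the laptop addresses from table 2.1, and the log text is only a stand-in for what a real switch would send to syslog.

```python
"""Illustrative model of switchport port-security violation modes.

Added example, not from the lab text. The SecurePort class and its
methods are hypothetical; they mimic the behaviour described above for
one secured access port (learning up to `maximum` addresses, then
handling further unknown sources according to the violation mode).
"""
from dataclasses import dataclass, field

MODES = ("protect", "restrict", "shutdown")


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum N (default 1)
    violation: str = "shutdown"      # violation {protect | restrict | shutdown}; shutdown is the default
    sticky: bool = False             # switchport port-security mac-address sticky
    static: set = field(default_factory=set)    # statically configured secure MACs
    learned: set = field(default_factory=set)   # dynamically learned secure MACs
    violation_count: int = 0         # "Security Violation Count" in show port-security
    err_disabled: bool = False       # True once the port has been error-disabled
    syslog: list = field(default_factory=list)  # stand-in for syslog / SNMP trap output

    def __post_init__(self):
        if self.violation not in MODES:
            raise ValueError(f"unknown violation mode {self.violation!r}")

    def add_static_mac(self, mac):
        """switchport port-security mac-address <mac>"""
        self.static.add(mac.upper())

    def secure_macs(self):
        return self.static | self.learned

    def receive(self, src_mac):
        """Handle one incoming frame; return True if forwarded, False if dropped."""
        src_mac = src_mac.upper()
        if self.err_disabled:
            return False                        # an err-disabled port forwards nothing
        if src_mac in self.secure_macs():
            return True                         # known secure address
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(src_mac)           # room left: learn it (dynamic or sticky)
            return True
        # Unknown source while the secure table is full: a security violation.
        if self.violation == "protect":
            return False                        # dropped silently: no log, no counter
        self.violation_count += 1               # restrict and shutdown both count and log
        self.syslog.append(f"port-security violation on {self.name}: source {src_mac}")
        if self.violation == "shutdown":
            self.err_disabled = True            # restrict leaves the port up
        return False

    def recover(self):
        """Operator issues 'shutdown' then 'no shutdown' on the interface."""
        self.err_disabled = False
        if not self.sticky:
            self.learned.clear()   # dynamic entries are lost on a port bounce; sticky ones persist


def demo():
    """Send the same frames through a port in each mode; return the outcomes per mode."""
    frames = ["00E0.F902.D683", "00E0.F902.D683", "000B.BE9B.EE4A", "00D0.5819.04E3"]
    results = {}
    for mode in MODES:
        port = SecurePort(f"Fa0/{MODES.index(mode) + 1}", maximum=1, violation=mode)
        forwarded = [port.receive(f) for f in frames]
        results[mode] = {"forwarded": forwarded,
                         "violations": port.violation_count,
                         "err_disabled": port.err_disabled,
                         "logged": len(port.syslog)}
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

Running `demo()` shows why the text recommends restrict: all three modes drop the frames from the second and third laptops, but protect leaves no trace at all, shutdown records one violation and then blocks even the legitimate first laptop until an operator bounces the port, while restrict keeps the port up, keeps forwarding the known address and counts every offending frame.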
Clearing the MAC address table
To allow other devices to connect, the secure MAC address table is cleared:
switch# clear port-security [all | configured | dynamic | sticky] [address mac-addr | interface interface-id]
switch# clear port-security all
switch# clear port-security configured
switch# clear port-security dynamic
switch# clear port-security sticky
Viewing information about the port-security configuration
switch# show port-security
switch# show port-security interface fa0/3
switch# show port-security address
Assignment
1. Build the network topology shown in figure 2.4 in Cisco Packet Tracer;
2. Configure an IP address for each computer and set the MAC addresses as shown in figure 2.2;
3. Configure the security parameters on each port of the switch;
4. Record the assignments listed above in table 2.1.
Figure 2.4. Network topology.

Table 2.1

| Device  | IP address  | MAC address    | Interface | Port mode                   |
|---------|-------------|----------------|-----------|-----------------------------|
| Laptop0 | 192.168.1.1 | 00E0.F902.D683 | Fa0       | n/a                         |
| Laptop1 | 192.168.1.2 | 000B.BE9B.EE4A | Fa0       | n/a                         |
| Laptop2 | 192.168.1.3 | 00D0.5819.04E3 | Fa0       | n/a                         |
| Laptop3 | 192.168.1.4 | 0004.9AB9.DAC2 | Fa0       | n/a                         |
| Laptop4 | 192.168.1.5 | 00D0.BAC2.8C58 | Fa0       | n/a                         |
| Laptop5 | 192.168.1.6 | 0000.0C6E.01E0 | Fa0       | n/a                         |
| SW1     | N/A         | N/A            | Fa0/1     | sticky                      |
| SW1     | N/A         | N/A            | Fa0/2     | mac-address 00D0.5819.04E3  |
| SW1     | N/A         | N/A            | Fa0/3     | violation protect           |
| SW1     | N/A         | N/A            | Fa0/5-24  | shutdown                    |
| SW2     | N/A         | N/A            | Fa0/1     | restrict                    |
| SW2     | N/A         | N/A            | Fa0/2     | restrict                    |
| SW2     | N/A         | N/A            | Fa0/3     | protect                     |
| SW2     | N/A         | N/A            | Fa0/4     | maximum 4                   |
Procedure

Switch>enable
Switch#configure terminal
Switch(config)#hostname Sw1
Sw1(config)#interface fa0/1

1. Change the port to access mode
Sw1(config-if)#switchport mode access

2. Enable port-security on the port
Sw1(config-if)#switchport port-security

3. Specify dynamic (sticky) learning of the secure MAC address
Sw1(config-if)#switchport port-security mac-address sticky
Sw1(config-if)#exit

4. Specify a static secure MAC address
Sw1(config)#interface fastEthernet 0/2
Sw1(config-if)#switchport mode access
Sw1(config-if)#switchport port-security
Sw1(config-if)#switchport port-security mac-address 000B.BE9B.EE4A
Sw1(config-if)#end

5. Configure the security-violation response mode
Sw1(config)#interface fastEthernet 0/3
Sw1(config-if)#switchport mode access
Sw1(config-if)#switchport port-security
Sw1(config-if)#switchport port-security mac-address sticky
Sw1(config-if)#switchport port-security violation protect
Sw1(config-if)#end

6. Shut down unused ports
Sw1(config)#interface range fastEthernet 0/5-24
Sw1(config-if-range)#shutdown

7. Set the maximum number N of secure MACs on the port (this command is recommended for switch Sw2)
Switch>enable
Switch#configure terminal
Switch(config)#hostname Sw2
Sw2(config)#interface fa0/4
Sw2(config-if)#switchport mode trunk
Sw2(config-if)#switchport port-security maximum 4
Sw2(config-if)#switchport port-security violation restrict

8. Check the result
Switch#show port-security interface fa 0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.63B4.E4A6:1
Security Violation Count : 0

9. Save the configuration
Switch#copy running-config startup-config

Assignment
Each student performs the laboratory work in the Cisco Packet Tracer environment according to the information given above.
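Step 8 checks one port by eye. When every port of both switches has to be verified against table 2.1, it is quicker to parse the `show port-security interface` output and compare it with the expected policy. The following is an added example (my own script, not part of the lab text and not a Cisco tool) that does this for three ports of SW1. The captures are constructed: the Fa0/1 block follows the field layout shown in step 8, while the Fa0/2 and Fa0/3 values are invented to show a port that has recorded a violation and a port whose violation mode was never set to protect. The policy dictionary is derived from table 2.1, with the IOS default (shutdown) assumed wherever the table sets no violation mode.

```python
"""Audit 'show port-security interface' output against an expected policy.

Added example, not from the lab text. CAPTURES and POLICY are constructed
for the illustration; parse_port_security() and audit() are hypothetical
helper names.
"""
import re

# Constructed captures for three ports of SW1 (Fa0/1 mirrors the field
# layout of the lab text; Fa0/2 and Fa0/3 are invented).
CAPTURES = {
    "Fa0/1": """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 00E0.F902.D683:1
Security Violation Count   : 0
""",
    "Fa0/2": """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 00D0.BAC2.8C58:1
Security Violation Count   : 1
""",
    "Fa0/3": """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
""",
}

# Expected policy for SW1 from table 2.1; "Shutdown" is the assumed default
# where the table sets no violation mode.
POLICY = {
    "Fa0/1": {"mode": "Shutdown", "sticky": True},
    "Fa0/2": {"mode": "Shutdown", "static": True},
    "Fa0/3": {"mode": "Protect"},
}

# Key and value are separated by a colon padded with whitespace. A key may
# itself contain a bare colon ("Last Source Address:Vlan"), so the lazy match
# stops at the first padded colon rather than the first colon.
FIELD_RE = re.compile(r"^(?P<key>.+?)\s+:\s+(?P<value>.*)$")


def parse_port_security(text):
    """Turn one 'show port-security interface' block into a dict of fields."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m["key"].strip()] = m["value"].strip()
    return fields


def audit(captures, policy):
    """Compare each captured port with its expected policy; return (port, finding) pairs."""
    findings = []
    for ifname, expected in policy.items():
        f = parse_port_security(captures.get(ifname, ""))
        if f.get("Port Security") != "Enabled":
            findings.append((ifname, "port-security is not enabled"))
            continue
        mode = f.get("Violation Mode")
        if mode != expected["mode"]:
            findings.append((ifname, f"violation mode is {mode}, expected {expected['mode']}"))
        if expected.get("sticky") and int(f.get("Sticky MAC Addresses", "0")) == 0:
            findings.append((ifname, "no sticky secure address has been learned"))
        if expected.get("static") and int(f.get("Configured MAC Addresses", "0")) == 0:
            findings.append((ifname, "no static secure address is configured"))
        count = int(f.get("Security Violation Count", "0"))
        if count > 0:
            findings.append((ifname, f"{count} violation(s); last source {f.get('Last Source Address:Vlan')}"))
        if f.get("Port Status") == "Secure-shutdown":
            findings.append((ifname, "port is err-disabled; recover with shutdown / no shutdown"))
    return findings


if __name__ == "__main__":
    for ifname, problem in audit(CAPTURES, POLICY):
        print(f"{ifname}: {problem}")
```

On the constructed data the audit reports nothing for Fa0/1, two findings for Fa0/2 (a recorded violation from an unexpected source, and the port now sitting in Secure-shutdown) and one for Fa0/3 (violation mode still Shutdown instead of Protect). The last-source address in the finding is the first thing to look at before bringing an err-disabled port back with shutdown / no shutdown.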
Review questions
1. What is a MAC address and how is it determined on devices?
2. Why is the port security function used on a switch?
3. In which cases is the maximum number N of secure MACs used?
4. List the main attributes of port security.
5. What other measures for securing a switch do you know?