Posted 17 January 2024 (author not given)
Switch traffic control and port security
(2009-10-16)
The four traffic controls:
storm-control: limits broadcast/multicast/unicast traffic to a threshold. Of the four, storm-control is the only one that is not a switchport command.
switchport protected: interface isolation; ports configured as protected are isolated from each other.
switchport block: blocks unknown unicast/multicast frames.
switchport port-security: only allows frames from specific MAC addresses.
storm-control is really just traffic suppression:
storm-control {broadcast | multicast | unicast} level {level [level-low] | pps pps [pps-low]}
interface fastethernet0/1
storm-control broadcast level 87 65
When broadcast traffic rises above 87% of the bandwidth the port is blocked; once it falls below 65% the port is enabled again.
A level of 0 completely blocks broadcast/multicast/unicast traffic of that type.
A level of 100 means the traffic is unlimited.
Protected Ports
interface fastethernet0/1
switchport protected
A protected port is always isolated from every other protected port on the switch.
Commonly used for access services that require traffic to leave only through the uplink and never be forwarded to the other ports of the switch: the ports are isolated from each other and talk only to the upstream device.
switchport block applies to unknown-destination frames:
interface gigabitethernet0/1
switchport block multicast
switchport block unicast
switchport block multicast drops unknown multicast; switchport block unicast drops unknown unicast.
Switch# show interfaces fastethernet 0/1 switchport
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
switchport port-security configuration
3550-B(config-if)#switchport mode access
Enable port security:
3550-B(config-if)#switchport port-security
Maximum number of secure addresses:
The default is 1.
If no VLAN is specified, the maximum applies across all VLANs on the port.
3550-B(config-if)#switchport port-security maximum value
Static MAC binding:
Several entries may be configured.
If the number of secure MAC addresses configured on the interface is lower than the maximum number of secure MAC addresses, the remaining addresses are learned dynamically.
3550-B(config-if)#switchport port-security mac-address mac-address
Define the action taken on a MAC address violation:
protect: offending frames are dropped.
restrict: offending frames are dropped, an SNMP trap is sent, and a syslog message is logged.
shutdown: the interface is error-disabled, an SNMP trap is sent, and a syslog message is logged.
3550-B(config-if)#switchport port-security violation [protect | restrict | shutdown]
Configure the aging timer:
3550-B(config-if)#switchport port-security aging [static] time time type [absolute | inactivity]
Port Security Aging
switchport port-security aging {static | time ... | type {absolute | inactivity}}
static: makes the static entries configured with switchport port-security mac-address subject to aging as well; by default aging applies only to dynamic entries.
This parameter is rarely seen, because static entries are normally configured by hand and therefore have no time limit.
time: the aging time. If time = 0, aging is disabled.
type: the action taken when the aging time expires.
type absolute: when the timer expires all secure MAC addresses are removed, regardless of activity.
type inactivity: when the timer expires only the addresses that were inactive (saw no traffic) during the aging time are removed.
switchport port-security aging time 2
Aging time of 2 minutes; by default it applies to dynamic entries.
switchport port-security aging static
The aging time also applies to static entries.
switchport port-security aging type inactivity
Entries that have been inactive for the aging time are removed; this is the behaviour once this aging type is configured.
switchport port-security configuration tips
switchport mode access
Explicitly configure switchport mode access before switchport port-security; otherwise the command is rejected with an error.
Because these are switchport commands, they cannot be applied to a Layer 3 interface such as interface vlan 20.
Always shut down the interface before configuring port security; otherwise the port reports a duplicate address.
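The following is an added example, not configuration from the original notes: one access port that combines the storm-control, protected, block and port-security commands covered above, with the shutdown-first and mode-access ordering from the tips, followed by the show commands used to verify each control. The interface name Fa0/12, the MAC address 0011.2233.4455, the thresholds, the maximum of 2 and the recovery interval are placeholder values chosen for this example.

```cisco
! Added example: a hardened single-host access port using all four controls.
! Fa0/12, 0011.2233.4455, 87/65, maximum 2 and 300 s are placeholder values.
!
! Ports put into err-disabled state by a port-security violation recover
! automatically after 300 seconds instead of waiting for an operator.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface FastEthernet0/12
 description access port - single host behind it
 ! shut the port first so that port-security does not report a duplicate
 ! address that was already learned on the port
 shutdown
 ! port-security is only accepted on a static access port
 switchport mode access
 ! storm-control: block broadcast above 87% of bandwidth, resume below 65%.
 ! The default action only drops the excess traffic; "storm-control action
 ! shutdown" would error-disable the port instead.
 storm-control broadcast level 87 65
 storm-control multicast level 87 65
 ! isolate this port from every other protected port on the switch
 switchport protected
 ! never flood unknown-destination unicast/multicast out of this port
 switchport block unicast
 switchport block multicast
 ! port-security: one static MAC, one more may be learned dynamically,
 ! a third address error-disables the port (trap + syslog)
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
 ! dynamically learned address is aged out after 10 minutes without traffic;
 ! the static entry is unaffected unless "aging static" is also configured
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 no shutdown
!
end
!
! verification of each control
show storm-control FastEthernet0/12
show interfaces FastEthernet0/12 switchport
show port-security interface FastEthernet0/12
show port-security address
```

In show interfaces switchport, Protected should now read true and both Unknown unicast blocked and Unknown multicast blocked should read enabled; show port-security interface shows the violation mode, the counter and the aging settings, which is the place to look when a port unexpectedly goes err-disabled.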
Verify port-security:
Rack07Sw1#sh port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/12              1            1                  0         Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 5120
To test port-security, change the MAC address of R2, which produces a violation:
r2(config-if)#mac-address 1001.1ee1.10e2
r2# show int e1
Ethernet1 is up, line protocol is up
Hardware is Lance, address is 1001.1ee1.10e2 (bia 00e0.b064.242d)
Posted by: admin. Please credit the source when reposting: http://www.yc00.com/web/1705453670a1410117.html