cisco交换机安全之端⼝⼴播抑制
1.利⽤风暴控制
命令:
switch(interface-if)#storm-control ?
action Action to take for storm-control 定义如果超过限定范围流量采取什么⾏为 broadcast Broadcast address storm control 控制⼴播
multicast Multicast address storm control 控制组播
unicast Unicast address storm control 控制单播
Switch4(config-if)#storm-control broadcast ?
level Set storm suppression level on this interface 定义级别
远华案件
Switch4(config-if)#storm-control broadcast level ?
<0.00 - 100.00> Enter rising threshold 定义端⼝带宽下线值
bps Enter suppression level in bits per second 定义每秒流量传输的位(1字节=8位)数
pps Enter suppression level in packets per second 定义每秒包数量
中国农民调查 pdf
Switch4(config-if)#storm-control broadcast level pps 50 40 ? 定义⼴播每秒超过50/s个则端⼝阻塞(blocking)⼩于40/s个则端⼝恢复(下线值貌似没什么⽤,也可以只写⼀个上限值就可以) Switch4(config-if)#storm-control action ? 定义包超过定义的最⼤数量时采取的⾏为,不定义此项就默认为block⽽不是shutdown,当⼴播⼩于40/s的时候端⼝⼜恢复通信,但是当配置了action为shutdown时当端⼝⼴播超过50/s就会被shutdown,就只能⽤下⾯的errdisable的恢复⽅法来恢复端⼝了。
shutdown Shutdown this interface if a storm occurs 当⼴播超过设置的流量时down
trap Send SNMP trap if a storm occurs 发送snmp给⽹管⼯作站(配置了snmp)
⽰例:Switch4(config)#int
通田阁萝Switch4(config)#interface f0/5
Switch4(config-if)#storm-control broadcast level 10 5
Switch4(config-if)#storm-control action shutdown 或者
Switch4(config-if)#storm-control action trap
Switch4(config-if)#no sh
Switch4(config-if)#do wr
Switch#show storm-control 查看⼴播风暴端⼝状态
Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Fa0/2 Forwarding 50 pps 40 pps 0 pps
Fa0/3 Link Down 50 pps 40 pps 0 pps
Fa0/4 Link Down 50 pps 40 pps 0 pps
Fa0/5 Link Down 50 pps 40 pps 0 pps
Fa0/6 Forwarding 50 pps 40 pps 0 pps
Fa0/7 Forwarding 50 pps 40 pps 0 pps
Fa0/8 Forwarding 50 pps 40 pps 0 pps
Fa0/9 Forwarding 50 pps 40 pps 0 pps
Fa0/10 Link Down 50 pps 40 pps 0 pps
Fa0/11 Forwarding 50 pps 40 pps 1 pps
Fa0/12 Link Down 50 pps 40 pps 0 pps
Fa0/13 Forwarding 50 pps 40 pps 0 pps
Fa0/14 Forwarding 50 pps 40 pps 0 pps
Fa0/15 Forwarding 50 pps 40 pps 0 pps
Fa0/16 Forwarding 50 pps 40 pps 0 pps
Fa0/17 Forwarding 50 pps 40 pps 0 pps
Fa0/18 Forwarding 50 pps 40 pps 0 pps
Fa0/19 Forwarding 50 pps 40 pps 0 pps
Fa0/20 Forwarding 50 pps 40 pps 0 pps
Fa0/21 Link Down 50 pps 40 pps 0 pps
Fa0/22 Link Down 50 pps 40 pps 0 pps
Fa0/23 Forwarding 50 pps 40 pps 0 pps
Fa0/24 Forwarding 50 pps 40 pps 0 pps
注:⼀个端⼝被策略down后会显⽰err-disable,恢复的⽅法有两个。⼀个⼿动⼀个⾃动,⼿动是到该接⼝下执⾏shutdown然后在执⾏no shutdown(直接no shutdown不⾏),⾃动是: 03年高考作文
session 2 端⼝err-disable⾃动恢复
L3#show errdisable detect 查看SW端⼝安全关闭⽀持哪些安全策略
ErrDisable Reason Detection status
----------------- ----------------
udld Enabled
bpduguard Enabled
security-violatio Enabled
channel-misconfig Enabled
psecure-violation Enabled
unicast-flood Enabled
vmps Enabled
loopback Enabled
unicast-flood Enabled
pagp-flap Enabled
dtp-flap Enabled
link-flap Enabled
l2ptguard Enabled
sfp-config-mismat Enabled
gbic-invalid Enabled
dhcp-rate-limit Enabled
storm-control Enabled
inline-power Enabled
arp-inspection Enabled
community-limit Enabled
invalid-policy Enabled
L3#show errdisable recovery 查看SW端⼝安全关闭策略开启了⾃动恢复功能,默认都没有开启ErrDisable Reason Timer Status
----------------- --------------
udld Disabled
bpduguard Disabled
security-violatio Disabled
channel-misconfig Disabled
vmps Disabled
pagp-flap Disabled
教学改革设想
dtp-flap Disabled
link-flap Disabled
l2ptguard Disabled
psecure-violation Disabled
sfp-config-mismat Disabled
gbic-invalid Disabled
dhcp-rate-limit Disabled
unicast-flood Disabled
storm-control enable
inline-power Disabled
arp-inspection Disabled
loopback Disabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
Interface Errdisable reason Time left(sec)
--------- ----------------- --------------
Fa0/4 storm-control 1470 看到f0/4⼝再过1470s⾃动恢复up
L4#show interfaces f0/4
FastEthernet0/4 is down, line protocol is down (err-disable)这个状态就是端⼝被策略down了
Hardware is Fast Ethernet, address is 0022.916d.1e86 (bia 0022.916d.1e86)
MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Auto-duplex, Auto-speed, media type is 10/100BaseTX
input flow-control is off, output flow-control is unsupported
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output 3w5d, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
887508 packets input, 666054421 bytes, 0 no buffer
Received 5177 broadcasts (0 multicasts)
0 runts, 0 giants, 0 throttles
2 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 1970 multicast, 0 pause input
0 input packets with dribble condition detected
761562 packets output, 100518453 bytes, 0 underruns
0 output errors, 0 collisions, 5 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 PAUSE output
0 output buffer failures, 0 output buffers swapped out
L4(config)#errdisable recovery cause storm-control ⼿⼯开启storm-control的⾃动恢复
L3(config)#errdisable recovery interval 1800 恢复时间为1800s,当端⼝被err-disable后10分钟后⾃动恢复,如果再次检测到storm超标则⾃动被down然后再过10分钟再次⾃动恢复为up,这样循环。
豫公网安备41160202000603
站长QQ:729038198
关于我们
投诉建议