http://www.h3c.com/cn/d_201812/1139191_30005_0.htm#_Toc532464095
端口安全典型配置举例
1.10.1 端口安全autoLearn模式配置举例
1. 组网需求
在Device的端口GE1/0/1上对接入用户做如下的限制:
· 允许64个用户自由接入,不进行认证,将学习到的用户MAC地址添加为Sticky安全MAC地址,老化时间为30分钟;
· 当安全MAC地址数量达到64后,停止学习;当再有新的MAC地址接入时,触发入侵检测,并将此端口关闭30秒。
2. 组网图
图1-1 端口安全autoLearn模式组网图
3. 配置步骤
(1) 具体的配置步骤
<Device> system-view
# 使能端口安全功能。
[Device] port-security enable
# 设置Sticky MAC地址的老化时间为30分钟。
[Device] port-security timer autolearn aging 30
# 打开入侵检测Trap开关。
[Device] port-security trap intrusion
[Device] interface GigabitEthernet 1/0/1
# 设置端口安全允许的最大MAC地址数为64。
[Device-GigabitEthernet1/0/1] port-security max-mac-count 64
# 设置端口安全模式为autoLearn。
[Device-GigabitEthernet1/0/1] port-security port-mode autolearn
# 设置触发入侵检测特性后的保护动作为暂时关闭端口,关闭时间为30秒。
[Device-GigabitEthernet1/0/1] port-security intrusion-mode disableport-temporarily
[Device-GigabitEthernet1/0/1] quit
[Device] port-security timer disableport 30
(2) 验证配置结果
上述配置完成后,可以用display命令显示端口安全配置情况,如下:
[Device] display port-security interface GigabitEthernet 1/0/1
Equipment port-security is enabled
Intrusion trap is enabled
AutoLearn aging time is 30 minutes
Disableport Timeout: 30s
OUI value:
GigabitEthernet1/0/1 is link-up
Port mode is autoLearn
NeedToKnow mode is disabled
Intrusion Protection mode is DisablePortTemporarily
Max MAC address number is 64
Stored MAC address number is 0
Authorization is permitted
Security MAC address learning mode is sticky
Security MAC address aging type is absolute
可以看到端口安全所允许的最大MAC数为64,端口模式为autoLearn,入侵检测Trap开关打开,入侵保护动作为DisablePortTemporarily,入侵发生后端口禁用时间为30秒。
配置完成后,允许地址学习,学习到的MAC地址数可以用上述命令显示,如学习到5个,那么存储的安全MAC地址数就为5,可以在端口视图下用display this命令查看学习到的MAC地址,如:
[Device] interface GigabitEthernet 1/0/1
[Device-GigabitEthernet1/0/1] display this
#
interface GigabitEthernet1/0/1
port-security max-mac-count 64
port-security port-mode autolearn
port-security mac-address security sticky 0002-0000-0015 vlan 1
port-security mac-address security sticky 0002-0000-0014 vlan 1
port-security mac-address security sticky 0002-0000-0013 vlan 1
port-security mac-address security sticky 0002-0000-0012 vlan 1
port-security mac-address security sticky 0002-0000-0011 vlan 1
#
当学习到的MAC地址数达到64后,用命令display port-security interface可以看到端口模式变为secure,再有新的MAC地址到达将触发入侵保护,Trap信息如下:
#Jan 14 10:39:47:135 2011 Device PORTSEC/4/VIOLATION: Trap1.3.6.1.4.1.25506.2.26.1.
3.2<hh3cSecureViolation>:
An intrusion occurs!
IfIndex: 9437185
Port: 9437185
MAC Addr: 00:02:00:00:00:32
VLAN ID: 1
IfAdminStatus: 1
并且可以通过下述命令看到端口安全将此端口关闭:
[Device-GigabitEthernet1/0/1] display interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state: DOWN ( Port Security Disabled )
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
Description: GigabitEthernet1/0/1 Interface
......
30秒后,端口状态恢复:
[Device-GigabitEthernet1/0/1] display interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state: UP
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 000f-cb00-5558
Description: GigabitEthernet1/0/1 Interface
......
此时,如手动删除几条安全MAC地址后,端口安全的状态重新恢复为autoLearn,可以继续学习MAC地址。
1.10.2 端口安全userLoginWithOUI模式配置举例
1. 组网需求
客户端通过端口GE1/0/1连接到Device上,Device通过RADIUS服务器对客户端进行身份认证,如果认证成功,客户端被授权允许访问Internet资源。
· IP地址为192.168.1.2的RADIUS服务器作为主认证/备份计费服务器,IP地址为192.168.1.3的RADIUS服务器作为备份认证/主计费服务器。认证共享密钥为name,计费共享密钥为money。
· 所有接入用户都使用ISP域sun的缺省认证/授权/计费方案,该域最多可容纳30个用户;
· 系统向RADIUS服务器重发报文的时间间隔为5秒,重发次数为5次,发送实时计费报文的时间间隔为15分钟,发送的用户名不带域名。
Device的管理者希望对接入用户的端口GE1/0/1做如下限制:
· 允许一个802.1X用户上线;
· 最多可以配置16个OUI值,还允许端口上有一个与OUI值匹配的MAC地址用户通过。
2. 组网图
图1-2 端口安全userLoginWithOUI模式组网图
3. 配置步骤
· 下述配置步骤包含了部分AAA/RADIUS协议配置命令,具体介绍请参见“安全配置指导”中的“AAA”。
· 客户端和RADIUS服务器之间路由可达,认证相关的配置略。
(1) 具体的配置步骤
· 配置RADIUS协议
<Device> system-view
# 配置RADIUS方案。
[Device] radius scheme radsun
[Device-radius-radsun] primary authentication 192.168.1.2
[Device-radius-radsun] primary accounting 192.168.1.3
[Device-radius-radsun] secondary authentication 192.168.1.3
[Device-radius-radsun] secondary accounting 192.168.1.2
[Device-radius-radsun] key authentication name
[Device-radius-radsun] key accounting money
[Device-radius-radsun] timer response-timeout 5
[Device-radius-radsun] retry 5
[Device-radius-radsun] timer realtime-accounting 15
[Device-radius-radsun] user-name-format without-domain
[Device-radius-radsun] quit
# 配置ISP域。
[Device] domain sun
[Device-isp-sun] authentication default radius-scheme radsun
[Device-isp-sun] authorization default radius-scheme radsun
[Device-isp-sun] accounting default radius-scheme radsun
[Device-isp-sun] access-limit enable 30
[Device-isp-sun] quit
· 配置802.1X
# 配置802.1X的认证方式为CHAP。(该配置可选,缺省情况下802.1X的认证方式为CHAP)
[Device] dot1x authentication-method chap
· 配置端口安全特性
# 使能端口安全功能。
[Device] port-security enable
# 添加5个OUI值。
[Device] port-security oui 1234-0100-1111 index 1
[Device] port-security oui 1234-0200-1111 index 2
[Device] port-security oui 1234-0300-1111 index 3
[Device] port-security oui 1234-0400-1111 index 4
[Device] port-security oui 1234-0500-1111 index 5
[Device] interface GigabitEthernet 1/0/1
# 设置端口安全模式为userLoginWithOUI。
[Device-GigabitEthernet1/0/1] port-security port-mode userlogin-withoui
[Device-GigabitEthernet1/0/1] quit
(2) 验证配置结果
查看名为radsun的RADIUS方案的配置信息:
[Device] display radius scheme radsun
SchemeName : radsun
Index : 1 Type : standard
Primary Auth Server:
IP: 192.168.1.2 Port: 1812 State: active
Encryption Key : N/A
Probe username :N/A
Probe interval : N/A
Primary Acct Server:
IP: 192.168.1.3 Port: 1813 State: active
Encryption Key : N/A
Second Auth Server:
IP: 192.168.1.3 Port: 1812 State: active
Encryption Key : N/A
Probe username :N/A
Probe interval : N/A
Second Acct Server:
IP: 192.168.1.2 Port: 1813 State: active
Encryption Key : N/A
Auth Server Encryption Key : ******
Acct Server Encryption Key : ******
Accounting-On packet disable, send times : 5 , interval : 3s
Interval for timeout(second) : 5
Retransmission times for timeout : 5
Interval for realtime accounting(minute) : 15
Retransmission times of realtime-accounting packet : 5
Retransmission times of stop-accounting packet : 500
Quiet-interval(min) : 5
Username format : without-domain
Data flow unit : Byte
Packet unit : one
查看名为sun的ISP域的配置信息:
[Device] display domain sun
Domain : sun
State : Active
Access-limit : 30
Accounting method : Required
Default authentication scheme : radius:radsun
Default authorization scheme : radius:radsun
Default accounting scheme : radius:radsun
Domain User Template:
Idle-cut : Disabled
Self-service : Disabled
Authorization attributes:
查看端口安全的配置信息:
[Device] display port-security interface GigabitEthernet 1/0/1
Equipment port-security is enabled
Trap is disabled
Disableport Timeout: 20s
OUI value:
Index is 1, OUI value is 123401
Index is 2, OUI value is 123402
Index is 3, OUI value is 123403
Index is 4, OUI value is 123404
Index is 5, OUI value is 123405
GigabitEthernet1/0/1 is link-up
Port mode is userLoginWithOUI
NeedToKnow mode is disabled
Intrusion Protection mode is NoAction
Max MAC address number is not configured
Stored MAC address number is 0
Authorization is permitted
Security MAC address learning mode is sticky
Security MAC address aging type is absolute
配置完成后,如果有802.1X用户上线,则可以看到存储的安全MAC地址数为1。还可以通过下述命令查看802.1X用户的情况:
[Device] display dot1x interface GigabitEthernet 1/0/1
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
Reauth Period 3600 s
The maximal retransmitting times 2
The maximum 802.1X user resource number is 1024 per slot
Total current used 802.1X resource number is 1
GigabitEthernet1/0/1 is link-up
802.1X protocol is enabled
Handshake is enabled
Handshake secure is disabled
802.1X unicast-trigger is enabled
Periodic reauthentication is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based
802.1X Multicast-trigger is enabled
Mandatory authentication domain: NOT configured
Guest VLAN: NOT configured
Auth-Fail VLAN: NOT configured
Critical VLAN: NOT configured
Critical recovery-action: NOT configured
Max number of on-line users is 256
EAPOL Packet: Tx 16331, Rx 102
Sent EAP Request/Identity Packets : 16316
EAP Request/Challenge Packets: 6
EAP Success Packets: 4, Fail Packets: 5
Received EAPOL Start Packets : 6
EAPOL LogOff Packets: 2
EAP Response/Identity Packets : 80
EAP Response/Challenge Packets: 6
Error Packets: 0
1. Authenticated user : MAC address: 0002-0000-0011
Controlled User(s) amount to 1
此外,端口还允许一个与OUI值匹配的MAC地址的用户通过,可以通过下述命令查看:
[Device] display mac-address interface GigabitEthernet 1/0/1
MAC ADDR VLAN ID STATE PORT INDEX AGING TIME(s)
1234-0300-0011 1 Learned GigabitEthernet1/0/1 AGING
--- 1 mac address(es) found ---
1.10.3 端口安全macAddressElseUserLoginSecure模式配置举例
1. 组网需求
客户端通过端口GE1/0/1连接到Device上,Device通过RADIUS服务器对客户端进行身份认证。如果认证成功,客户端被授权允许访问Internet资源。
Device的管理者希望对接入用户的端口GE1/0/1做如下的限制:
· 可以有多个MAC认证用户上线;
· 如果是802.1X用户请求认证,先进行MAC地址认证,MAC地址认证失败,再进行802.1X认证。802.1X用户限制为1个;
· MAC地址认证用户使用MAC地址作为用户名和密码,其中MAC地址带连字符、字母小写;
· 上线的MAC地址认证用户和802.1X认证用户总和不能超过64个。
2. 组网图
同图1-2所示。
3. 配置步骤
· RADIUS认证/计费及ISP域的配置同1.10.2 ,这里不再赘述。
· 接入用户和RADIUS服务器之间路由可达,认证相关的配置略。
(1) 具体的配置步骤
<Device> system-view
# 使能端口安全功能。
[Device] port-security enable
# 配置MAC地址的认证方式为PAP。(该配置可选,缺省情况下MAC地址的认证方式为PAP)
[Device] mac-authentication authentication-method pap
# 配置MAC地址认证用户名格式:使用带连字符的MAC地址作为用户名与密码,其中字母小写。
[Device] mac-authentication user-name-format mac-address with-hyphen lowercase
# 配置MAC地址认证用户所使用的ISP域。
[Device] mac-authentication domain sun
[Device] interface GigabitEthernet 1/0/1
# 配置802.1X的认证方式为CHAP。(该配置可选,缺省情况下802.1X的认证方式为CHAP)
[Device] dot1x authentication-method chap
# 设置端口安全允许的最大MAC地址数为64。
[Device-GigabitEthernet1/0/1] port-security max-mac-count 64
# 设置端口安全模式为macAddressElseUserLoginSecure。
[Device-GigabitEthernet1/0/1] port-security port-mode mac-else-userlogin-secure
(2) 验证配置结果
查看端口安全的配置信息:
[Device] display port-security interface GigabitEthernet 1/0/1
Equipment port-security is enabled
Trap is disabled
Disableport Timeout: 20s
OUI value:
GigabitEthernet1/0/1 is link-up
Port mode is macAddressElseUserLoginSecure
Intrusion Protection mode is NoAction
Max MAC address number is 64
Stored MAC address number is 0
Authorization is permitted
Security MAC address learning mode is sticky
Security MAC address aging type is absolute
查看MAC地址认证情况:
[Device] display mac-authentication interface GigabitEthernet 1/0/1
MAC address authentication is enabled.
PAP authentication is enabled
User name format is MAC address in lowercase,like xx-xx-xx-xx-xx-xx
Fixed username: mac
Fixed password: not configured
Offline detect period is 60s
Quiet period is 5s
Server response timeout value is 100s
The max allowed user number is 1024 per slot
Current user number amounts to 3
Current domain is mac
Silent MAC User info:
MAC Addr From Port Port Index
GigabitEthernet1/0/1 is link-up
MAC address authentication is enabled
Authenticate success: 3, failed: 7
Max number of on-line users is 256
Current online user number is 3
MAC ADDR Authenticate state Auth Index
1234-0300-0011 MAC_AUTHENTICATOR_SUCCESS 13
1234-0300-0012 MAC_AUTHENTICATOR_SUCCESS 14
1234-0300-0013 MAC_AUTHENTICATOR_SUCCESS 15
查看802.1X认证情况:
<Device> display dot1x interface GigabitEthernet 1/0/1
Equipment 802.1X protocol is enabled
CHAP authentication is enabled
Configuration: Transmit Period 30 s, Handshake Period 15 s
Quiet Period 60 s, Quiet Period Timer is disabled
Supp Timeout 30 s, Server Timeout 100 s
The maximal retransmitting times 2
Total maximum 802.1X user resource number is 1024 per slot
Total current used 802.1X resource number is 1
GigabitEthernet1/0/1 is link-up
802.1X protocol is enabled
Handshake is enabled
Handshake secure is disabled
802.1X unicast-trigger is enabled
Periodic reauthentication is disabled
The port is an authenticator
Authentication Mode is Auto
Port Control Type is Mac-based
802.1X Multicast-trigger is enabled
Mandatory authentication domain: NOT configured
Guest VLAN: NOT configured
Auth-Fail VLAN: NOT configured
Critical VLAN: NOT configured
Critical recovery-action: NOT configured
Max number of on-line users is 256
EAPOL Packet: Tx 16331, Rx 102
Sent EAP Request/Identity Packets : 16316
EAP Request/Challenge Packets: 6
EAP Success Packets: 4, Fail Packets: 5
Received EAPOL Start Packets : 6
EAPOL LogOff Packets: 2
EAP Response/Identity Packets : 80
EAP Response/Challenge Packets: 6
Error Packets: 0
1. Authenticated user : MAC address: 0002-0000-0011
Controlled User(s) amount to 1
- 2022-08-08回答
- 评论(0)
- 举报
-
(0)
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
暂无评论