What is Port-Security?

Because a switch's MAC address table has a fixed capacity, the number of MAC addresses it can hold is limited by the hardware specification. MAC Flooding exploits this limit: it drives the switch's MAC Address Table to its capacity so that the switch starts behaving like a hub. Once the MAC Address Table is full, the switch floods incoming frames out every port except the one they arrived on, exactly as a hub does. Port-Security is the solution that emerged as such attacks became more common.
Port-Security limits the MAC addresses allowed on each port and so prevents attacks such as MAC Flooding. Even where that is not the concern, it is also used to stop users inside the company from connecting hubs of their own.


The three types of Port-Security

1. Static Secure MAC-Address: the administrator manually enters the MAC address of the user who will use the port. A device with any MAC address other than the one the administrator specified cannot use that port.

Switch(config)# interface gigabitEthernet1/0/1
Switch(config-if)# switchport port-security mac-address 001F.1629.E6F8

-> Statically assigns the MAC address to the interface and applies Port-Security


2. Dynamic Secure MAC-Address: the MAC address of the user on the port is learned dynamically and Port-Security is applied to it. When the switch reboots, the MAC addresses registered with Port-Security are deleted.

3. Sticky Secure MAC-Address: the MAC address of the user on the port is learned dynamically and Port-Security is applied to it, the same as the Dynamic method. The difference is that with Dynamic the MAC addresses registered with Port-Security are deleted when the switch reboots, whereas Sticky saves them to NVRAM so the MAC stays registered with Port-Security after a reboot.

Switch(config)# interface gigabitEthernet1/0/1
Switch(config-if)# switchport port-security mac-address sticky

-> Configures the interface for the Port-Security sticky method


Port-Security Violation


1. Violation Shutdown: the default Port-Security violation mode. When a violation occurs on an interface running Port-Security, the port is shut down and goes into the err-disable state.

Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport port-security mac-address 001F.1629.E6F7
Switch(config-if)# switchport port-security violation shutdown
-> Configures the interface for static Port-Security; if any MAC other than 001F.1629.E6F7 is learned, the port is put into the shutdown state.

%PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001f.1629.e6f8 on port GigabitEthernet1/0/1.

-> Event log generated when the Port-Security policy is violated


2. Violation Restrict: when a device whose MAC address violates the Port-Security policy connects, every frame from that MAC address is dropped. At the same time as the drop, an event log is generated for the violating MAC address.

Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation restrict

-> Sets the Port-Security maximum MAC address count on the interface to 1; if any other MAC appears, only the frames from the violating MAC address are discarded, and a violation event log is generated

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001f.1629.e6f8 on port GigabitEthernet1/0/1.

-> Log showing that a Port-Security violation occurred and the MAC address 001f.1629.e6f8 was restricted


3. Violation Protect: behaves the same as restrict, but generates no violation event log.

Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security violation protect

-> Sets the Port-Security maximum MAC address count on the interface to 1; if any other MAC appears, only the frames from the violating MAC address are discarded, and no violation event log is generated.
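The two syslog messages shown in the shutdown and restrict examples above are what a monitoring system actually receives. The following Python is an added example, not part of the original post: it parses such lines, counts violations per port, records the offending MACs and whether the port went err-disabled, and lists ports that stay up (restrict mode) while repeatedly logging violations. The log lines are constructed samples modelled on the messages above.

```python
import re
from collections import defaultdict

# Constructed sample syslog, modelled on the two messages quoted above;
# the last line is unrelated and shows that it is ignored.
SAMPLE_LOGS = """\
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001f.1629.e6f8 on port GigabitEthernet1/0/1.
%PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/1, putting Gi1/0/1 in err-disable state
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001f.1629.e6f8 on port GigabitEthernet1/0/2.
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0000.abcd on port GigabitEthernet1/0/2.
%LINK-3-UPDOWN: Interface GigabitEthernet1/0/3, changed state to up
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
PORT = r"[A-Za-z]+[0-9/]+"
VIOLATION_RE = re.compile(
    rf"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address (?P<mac>{MAC}) on port (?P<port>{PORT})")
ERRDISABLE_RE = re.compile(
    rf"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>{PORT})")

def short_name(port):
    """Map the long form 'GigabitEthernet1/0/1' to the short form 'Gi1/0/1' used by %PM-4-ERR_DISABLE."""
    return re.sub(r"^GigabitEthernet", "Gi", port)

def summarize(log_text):
    """Per port: how many violations were logged, which MACs caused them, and whether it went err-disabled."""
    ports = defaultdict(lambda: {"violations": 0, "macs": set(), "err_disabled": False})
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            entry = ports[short_name(m["port"])]
            entry["violations"] += 1
            entry["macs"].add(m["mac"])
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            ports[short_name(m["port"])]["err_disabled"] = True
    return dict(ports)

def repeat_offenders(summary, threshold=2):
    """Ports that stay up (restrict mode) yet keep logging violations: someone should check what is plugged in."""
    return sorted(p for p, e in summary.items()
                  if not e["err_disabled"] and e["violations"] >= threshold)

if __name__ == "__main__":
    s = summarize(SAMPLE_LOGS)
    for port, e in sorted(s.items()):
        print(port, e["violations"], sorted(e["macs"]), "err-disabled" if e["err_disabled"] else "up")
    print("repeat offenders:", repeat_offenders(s))
```

Ports in protect mode never produce these messages, so this kind of log-based detection only covers shutdown and restrict mode.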


Port-Security Aging Time?

Port-Security keeps an aging time for the MAC addresses registered with it; the default is infinity. Aging time can only be applied on ports where Port-Security is configured as Static or Dynamic. Aging time can be set from 0 to 1440 minutes, and 0 means infinity.

There are two Port-Security aging time types.

- Absolute: a MAC address registered with Port-Security is deleted only once its aging time has fully expired, regardless of activity.

Switch(config)# interface gigabitEthernet1/0/1
Switch(config-if)# switchport port-security aging time 1
Switch(config-if)# switchport port-security aging type absolute

- Inactivity: a MAC address registered with Port-Security is deleted once it has passed no data traffic for the aging time.

Switch(config)# interface gigabitEthernet1/0/1
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# switchport port-security aging time 1

Sample Configuration

Switch(config)# interface gigabitethernet1/0/1
Switch(config-if)# switchport port-security
-> enables Port-Security
Switch(config-if)# switchport port-security maximum 2
-> limits the number of MAC addresses learned on the interface
Switch(config-if)# switchport port-security mac-address [sticky / static]
-> Port-Security type; default is dynamic
Switch(config-if)# switchport port-security violation [shutdown / restrict / protect]
Switch(config-if)# switchport port-security aging static
-> aging time applies to statically configured MAC addresses
Switch(config-if)# switchport port-security aging time [0-1440 min]
-> default 0 sec, 0 sec -> infinity
Switch(config-if)# switchport port-security aging type [absolute / inactivity]
-> selects the aging time type


show port-security interface [type_num]
Switch# show port-security interface gigabitethernet1/0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 1 mins
Aging Type : Absolute
SecureStaticAddress Aging : Enabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan: 001f.1629.e6f8:1
Security Violation Count : 0
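The fields in this show output can be checked automatically rather than read by eye. The following Python is an added example, not from the original post: it parses the output into a dictionary and flags the conditions the sections above describe (violations seen, port err-disabled by shutdown mode, protect mode giving no logs, absolute aging expiring active entries). The sample output is constructed in the column-aligned layout IOS prints, after a shutdown-mode violation.

```python
import re

# Constructed sample in the column-aligned layout IOS prints, mirroring the show output
# above but after a shutdown-mode violation has taken the port down.
SAMPLE_SHOW = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 1 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Enabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 001f.1629.e6f8:1
Security Violation Count   : 1
"""

# Field name, then whitespace, colon, value; the lazy key keeps "Address:Vlan" intact.
FIELD_RE = re.compile(r"^(?P<key>.+?)\s+:\s*(?P<value>.*)$")

def parse_port_security(text):
    """Turn 'show port-security interface' output into a dict keyed by field name."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.rstrip())
        if m:
            fields[m["key"]] = m["value"].strip()
    return fields

def audit(fields):
    """Return short finding codes for the port, in a fixed order."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        return ["not-enabled"]
    if int(fields.get("Security Violation Count", "0")) > 0:
        findings.append("violations-seen")   # a MAC the port does not allow was plugged in
    if fields.get("Port Status") == "Secure-shutdown":
        findings.append("err-disabled")      # shutdown mode fired; the port passes nothing until recovered
    if fields.get("Violation Mode") == "Protect":
        findings.append("silent-mode")       # protect drops frames without logging, so nothing will alert
    if fields.get("Aging Type") == "Absolute" and fields.get("Aging Time", "0 mins") != "0 mins":
        findings.append("absolute-aging")    # secure entries expire on the timer even while the host is active
    return findings

if __name__ == "__main__":
    info = parse_port_security(SAMPLE_SHOW)
    print(info["Last Source Address:Vlan"], audit(info))
```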


show port-security address
Switch# show port-security address
Secure Mac Address Table
------------------------------------------------------------------------
Vlan  Mac Address      Type           Ports     Remaining Age(mins)
------------------------------------------------------------------------
   1  001f.1629.e6f8   SecureDynamic  Gi1/0/1   < 1
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144