【参考】switchport port-security aging端口地址老化配置

2013-05-08 16:44:15|  分类： 网络技术 |  标签： |举报 |字号大中小 订阅

在某些应用场景下，需要对交换机下联地址做控制，比如：控制下联接口主机数量。但如果下联主机的二层地址是变动的——今天来五个人，明天走了，后天又来五个，该怎么办？针对这种场景需要在交换机port-security 功能的基础上，启用“port-security aging ”功能。

其命令格式为：

switchport port-security aging {static | time time | type {absolute | inactivity}}
no switchport port-security aging {static | time | type}

在实际环境中，做了如下配置：

interface FastEthernet0/28
 switchport access vlan 123
 switchport mode access
 switchport port-security maximum 32
 switchport port-security
 switchport port-security aging time 60
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security aging type inactivity
 switchport port-security aging static

switchport port-security mac-address sticky 0021.6b93.feca vlan access
 switchport port-security mac-address sticky 0021.6bc6.fc78 vlan access
 switchport port-security mac-address sticky 0023.4edb.2323 vlan access
 switchport port-security mac-address sticky 0023.7666.4d77 vlan access
 switchport port-security mac-address sticky 0026.c75d.764a vlan access
  spanning-tree portfast
 spanning-tree bpduguard enable

但是发现，sticky学到的这几个地址，始终在 F0/28的配置里。也就是说并没有按照原先以为的“老化”（aging）掉！那是因为 “switchport port-security aging … ”命令没有生效嘛？

下面就这个问题展开讨论——

看起来简单，但在具体应用时还是有两个需要注意的地方。

1）：“ switchport port-security aging static”

端口下配置“switchport port-security aging static”时：

--------------------------------------------------------------------------------------------
  Vlan    Mac Address         Type                              Ports   Remaining Age

(mins)   
  ----      -----------                  ----                              -----   ----------------------
  34    0026.c75d.764a    SecureConfigured       Fa0/28      60 (I)
  34    00f4.b99c.dc71     SecureDynamic            Fa0/28      60 (I)
  34    1c65.9dee.d99b    SecureDynamic              Fa0/28      60 (I)
  34    5891.cf37.2a3f     SecureConfigured           Fa0/28      60 (I)
  34    5891.cf3c.ec5e     SecureDynamic               Fa0/28      60 (I)
  34    5891.cf3c.ec5f      SecureConfigured           Fa0/28      60 (I)
  34    5cf9.dd50.b61e    SecureConfigured           Fa0/28      60 (I)
  34    6894.2335.4fa9    SecureDynamic               Fa0/28      60 (I)
  34    9c2a.701e.2ba3    SecureDynamic              Fa0/28      60 (I)
  34    c014.3ddc.4203    SecureConfigured           Fa0/28      60 (I)
  34    c014.3ddc.6eed    SecureConfigured           Fa0/28      60 (I)
  34    d0c2.82e7.cd64    SecureDynamic              Fa0/28       58 (I)
-------------------------------------------------------------------------------------------

2）：端口下不配置“switchport port-security aging static”时（ aging static 默认为disable）

------------------------------------------------------------------------------------------
 Vlan    Mac Address       Type                             Ports     Remaining Age
                                                                                                (mins)    
 ----     -----------                ----                                 -----        -------------
  34    0026.c75d.764a    SecureConfigured       Fa0/28       -
  34    00f4.b99c.dc71     SecureDynamic            Fa0/28      59 (I)
  34    1c65.9dee.d99b    SecureDynamic              Fa0/28      60 (I)
  34    5891.cf37.2a3f      SecureConfigured          Fa0/28       -
  34    5891.cf3c.ec5e      SecureDynamic              Fa0/28      60 (I)
  34    5891.cf3c.ec5f       SecureConfigured          Fa0/28       -
  34    5cf9.dd50.b61e     SecureConfigured           Fa0/28       -
  34    6894.2335.4fa9     SecureDynamic               Fa0/28      60 (I)
  34    9c2a.701e.2ba3    SecureDynamic               Fa0/28      60 (I)
  34    c014.3ddc.4203    SecureConfigured           Fa0/28       -
  34    c014.3ddc.6eed    SecureConfigured           Fa0/28       -
  34    d0c2.82e7.cd64    SecureDynamic               Fa0/28      58 (I)
------------------------------------------------------------------------------------------

通过上面的举例不难看出"switchport port-security aging static"命令影响到的是"switchport port-security aging time "的作用范围。即port-security 老化时间是对SecureDynamic地址和 SecureConfigured 地址都生效还是只针对SecureDynamic地址生效。那么，如果配置no switchport port-security aging time时，自然会想到如下的状态结果：

--------------------------------------------------------------------------------------------------
  Vlan    Mac Address          Type                              Ports        Remaining Age

(mins)   
  ----      -----------                 ----                                 -----        --------------
  34       0026.c75d.764a    SecureConfigured          Fa0/28         -
  34       00f4.b99c.dc71     SecureDynamic            Fa0/28         -
  34       1c65.9dee.d99b    SecureDynamic            Fa0/28         -
  34       5891.cf37.2a3f      SecureConfigured          Fa0/28         -
  34       5891.cf3c.ec5e     SecureDynamic            Fa0/28         -
  34       5891.cf3c.ec5f      SecureConfigured          Fa0/28          -
  34       5cf9.dd50.b61e     SecureConfigured          Fa0/28         -
  34       6894.2335.4fa9     SecureDynamic            Fa0/28         -
  34       9c2a.701e.2ba3    SecureDynamic            Fa0/28         -
  34       c014.3ddc.4203    SecureConfigured          Fa0/28         -
  34       c014.3ddc.6eed    SecureConfigured          Fa0/28         -
  34       d0c2.82e7.cd64    SecureDynamic            Fa0/28         -
-------------------------------------------------------------------------------------------

这些现象本质上是"switchport port-security aging static"与"switchport port-security aging time "共同影响的结果。

最后，再回到开头提到的那个问题上！为什么配置了“switchport port-security mac-address sticky H.H.H vlan access” 反而不会被“ switchport port-security aging static”老化掉？

回顾一下“switchport port-security mac-address sticky”命令产生的背景——将交换机动态学习到的主机条目转化为静态主机条目，从而减轻管理员人工输入“switchport port-security mac-address H.H.H”的工作量。

为了验证"switchport port-security aging *”命令对“switchport port-security mac-address sticky”命令的影响，在交换机端口下做了如下配置：

switchport port-security maximum 12
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security mac-address sticky

交换机动态地学习到一个MAC，生成“switchport port-security mac-address sticky 5891.cf3c.ec5e vlan access”的条目，并把它放进port-security maximum地址池中。此时通过“sh port-security address ”查看端口port-security 地址列表：

可以看出，5891.cf3c.ec5e 这一通过“switchport port-security mac-address sticky”方式学到的地址没有像“SecureDynamic ”方式的学到的MAC地址那样老化！

又在上面配置基础上增加“sw port-security aging static”配置，现在的配置为：
 switchport port-security maximum 12
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security mac-address sticky
 switchport port-security aging static

再通过“sh port-security address ”查看端口port-security 地址列表：

可以看出，5891.cf3c.ec5e 这一通过“switchport port-security mac-address sticky”方式学到的地址也没有像“SecureConfigured ”方式的学到的MAC地址那样老化！

最终，可以归纳出一条——"switchport port-security aging static"与"switchport port-security aging time "命令对“switchport port-security mac-address sticky”方式学到的地址不生效！

根据上面分析的几点和port-security的基本功能，归纳出这样几个应用场景和相对应的模板：

1）控制端口下二层主机数量（不区分活动的还是非活动的）：

switch port-security

switch port-security max *（数量以端口下主机情况为准）

switchport port-security violation {restrict | shutdown}

注：从安全的角度说，这种配置方式还起到了防止mac 泛洪和mac欺骗***的作用。

2）在1）的基础上，进一步限定具体的主机地址（根据第一次在线情况自动生成配置并保存）：

switch port-security

switch port-security max *

switchport port-security violation {restrict | shutdown}

switchport port-security mac-address sticky

3）在1）的基础上，进一步限定具体的主机地址（人工手动设置）：

switch port-security

switch port-security max *

switchport port-security violation {restrict | shutdown}

switchport port-security mac-address H.H.H

4）在1）的基础上，区分活动的主机（一定时间周期内不活动的主机被淘汰）：

switch port-security

switch port-security max *

switchport port-security violation {restrict | shutdown}

switchport port-security aging time * （时间值根据环境设定，范围为1——1440，单位“分钟”）

switchport port-security aging  type {absolute | inactivity}  （老化时间的计时方式可选）

5）在3）的基础上，除了限定具体主机地址外，还希望通过检测主机活动情况“动态”地刷新这个“限定的主机”列表：

switch port-security

switch port-security max *

switchport port-security violation {restrict | shutdown}

switchport port-security mac-address H.H.H （限定具体主机地址）

switchport port-security aging time *

switchport port-security aging type {absolute | inactivity}

switchport port-security aging static

讨论到这里，开头提及的场景中的配置就确定了——使用配置模板4）的配置即可。之所以开头那段配置没有达到预期效果，是因为自己对命令"switchport port-security aging static"望文生义了！

————————————————————————————————————————————————

参考原文地址：http://www.zhanggy.com/blog/switchport-port-security%E5%91%BD%E4%BB%A4%E8%A7%A3%E9%87%8A

Use the switchport port-security aging interface configuration command to set the aging time and type for secure address entries or to change the aging behavior for secure addresses on a particular port. Use the no form of this command to disable port security aging or to set the parameters to their default states.
switchport port-security aging {static | time time | type {absolute | inactivity}}
no switchport port-security aging {static | time | type}
Syntax Description

static Enable aging for statically configured secure addresses on this port.
time Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
type Set the aging type.
absolute Set absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.
inactivity Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.

Defaults The port security aging feature is disabled. The default static aging behavior is disabled.

The default time is 0 minutes.
The default aging type is absolute.

Usage Guidelines To enable secure address aging for a particular port, set the aging time to a value other than 0 for that port.

To allow limited time access to particular secure addresses, set the aging type as absolute. When the aging time lapses, the secure addresses are deleted.
To allow continuous access to a limited number of secure addresses, set the aging type as inactivity. This removes the secure address when it become inactive, and other addresses can become secure.
To allow unlimited access to a secure address, configure it as a secure address, and disable aging for the statically configured secure address by using the no switchport port-security aging static interface configuration command.