Core configuration
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
port-security enable
port-security max-mac-num 2
Full configuration
<r1>display current-configuration
#
sysname r1
#
vlan batch 10 20
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
dhcp enable
#
diffserv domain default
#
drop-profile default
#
ip pool dhcp10
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
lease day 10 hour 0 minute 0
dns-list 8.8.8.8
#
aaa
Nov 24 2023 11:59:46-08:00 r1 L2IFPPI/4/PORTSEC_ACTION_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.6 The number of MAC address on interface (6/6) GigabitEthernet0/0/1 reaches the limit, and the port status is : 1. (1:restrict;2:protect;3:shutdown)
authentication-scheme default
authorization-scheme default
accounting-scheme default
domain default
domain default_admin
local-user admin password simple admin
local-user admin service-type http
#
interface Vlanif1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select global
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
port-security enable
port-security max-mac-num 2
#
interface GigabitEthernet0/0/2
#
Nov 24 2023 12:00:16-08:00 r1 L2IFPPI/4/PORTSEC_ACTION_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.6 The number of MAC address on interface (6/6) GigabitEthernet0/0/1 reaches the limit, and the port status is : 1. (1:restrict;2:protect;3:shutdown)
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
user-interface con 0
user-interface vty 0 4
#
return
<r1>
Nov 24 2023 12:00:46-08:00 r1 L2IFPPI/4/PORTSEC_ACTION_ALARM:OID 1.3.6.1.4.1.2011.5.25.42.2.1.7.6 The number of MAC address on interface (6/6) GigabitEthernet0/0/1 reaches the limit, and the port status is : 1. (1:restrict;2:protect;3:shutdown)
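Related knowledge
Once the number of secure MAC addresses on an interface reaches the limit, a packet whose source MAC address is not already in the table is treated by port security as an attack from an unauthorized user, and by default the Restrict action is performed.
There are three protection actions: shutdown, restrict, protect.
When the action is Shutdown, the interface does not recover automatically after it is shut down; a network administrator must run the restart command in the interface view to bring it back up.
Alternatively, run error-down auto-recovery cause port-security interval 10 in the system view so that the port recovers automatically after 10 s.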
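When a console session is captured, PORTSEC_ACTION_ALARM messages can arrive wrapped at the terminal width and in the middle of other command output. The Python sketch below is an added example, not part of the original page: it extracts those alarms from such a capture, maps the status code to the action name given in the alarm text, and counts alarms per interface. The sample capture, the host name sw1 and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Status codes exactly as the alarm text lists them: (1:restrict;2:protect;3:shutdown)
ACTIONS = {"1": "restrict", "2": "protect", "3": "shutdown"}

ALARM_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}[+-]\d{2}:\d{2}) "
    r"(?P<host>\S+) L2IFPPI/4/PORTSEC_ACTION_ALARM:.*?"
    r"on interface \(\d+/\d+\) (?P<ifname>\S+) reaches the limit, "
    r"and the port status is : (?P<code>[123])\."
)

def parse_alarms(capture):
    """Return one dict per port-security alarm found in a console capture.

    Hard line breaks are removed first, because the console wraps long
    alarm lines and prints them in the middle of other output.
    """
    flat = capture.replace("\r", "").replace("\n", "")
    return [
        {"time": m["ts"], "host": m["host"],
         "interface": m["ifname"], "action": ACTIONS[m["code"]]}
        for m in ALARM_RE.finditer(flat)
    ]

def alarms_per_interface(alarms):
    """Count alarms per (host, interface) to show which ports keep hitting the limit."""
    return Counter((a["host"], a["interface"]) for a in alarms)

# Constructed sample capture (not real device output): wrapped alarm lines
# mixed with configuration lines.
SAMPLE = """\
aaa
Jan 01 2024 10:00:00+00:00 sw1 L2IFPPI/4/PORTSEC_ACTION_ALARM:OID 1.3.6.1.4.1.20
11.5.25.42.2.1.7.6 The number of MAC address on interface (6/6) GigabitEthernet0
/0/1 reaches the limit, and the port status is : 1. (1:restrict;2:protect;3:shut
down) authentication-scheme default
#
Jan 01 2024 10:00:30+00:00 sw1 L2IFPPI/4/PORTSEC_ACTION_ALARM:OID 1.3.6.1.4.1.20
11.5.25.42.2.1.7.6 The number of MAC address on interface (6/6) GigabitEthernet0
/0/1 reaches the limit, and the port status is : 1. (1:restrict;2:protect;3:shut
down)
Jan 01 2024 10:01:00+00:00 sw1 L2IFPPI/4/PORTSEC_ACTION_ALARM:OID 1.3.6.1.4.1.20
11.5.25.42.2.1.7.6 The number of MAC address on interface (6/6) GigabitEthernet0
/0/2 reaches the limit, and the port status is : 3. (1:restrict;2:protect;3:shut
down)
"""

if __name__ == "__main__":
    for key, n in alarms_per_interface(parse_alarms(SAMPLE)).items():
        print(key, n)
```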