.
This commit is contained in:
commit
46c5ff0cec
62
FlexVPN/FlexVPN_Remote_Access_AnyConnect.txt
Normal file
62
FlexVPN/FlexVPN_Remote_Access_AnyConnect.txt
Normal file
@ -0,0 +1,62 @@
|
||||
R1(config)#ip http server
|
||||
|
||||
R1(config)#crypto pki server R1CA
|
||||
R1(cs-server)#issuer-name cn="R1CA"
|
||||
R1(cs-server)#grant auto
|
||||
R1(cs-server)#no shutdown
|
||||
|
||||
R1(config)#ip domain name NWL.LAB
|
||||
R1(config)#crypto pki trustpoint R1CLIENT
|
||||
R1(ca-trustpoint)#enrollment url http://192.168.1.1
|
||||
R1(ca-trustpoint)#subject-name cn=R1CLIENT.CONTOSO.COM
|
||||
R1(config)#crypto pki authenticate R1CLIENT
|
||||
R1(config)#crypto pki enroll R1CLIENT
|
||||
|
||||
|
||||
R1(config)#aaa new-model
|
||||
|
||||
R1(config)#aaa authentication login AAA_AUTHENTICATION_LOGIN local
|
||||
R1(config)#aaa authorization network AAA_AUTHORIZATION_NETWORK local
|
||||
|
||||
R1(config)#username test password mojehaslo
|
||||
|
||||
R1(config)#crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
|
||||
R1(config-ikev2-author-policy)#pool VPN_POOL
|
||||
R1(config-ikev2-author-policy)#def-domain CONTOSO.COM
|
||||
R1(config-ikev2-author-policy)#route set remote ipv4 1.1.1.1 255.255.255.255
|
||||
R1(config-ikev2-author-policy)#dns 1.1.1.1
|
||||
R1(config)#ip local pool VPN_POOL 192.168.10.5 192.168.10.10
|
||||
|
||||
|
||||
R1(config)#crypto ikev2 proposal IKEV2_PROPOSAL
|
||||
R1(config-ikev2-proposal)#encryption aes-cbc-256
|
||||
R1(config-ikev2-proposal)#integrity sha256
|
||||
R1(config-ikev2-proposal)#group 14
|
||||
|
||||
R1(config)#crypto ikev2 policy default
|
||||
R1(config-ikev2-policy)#proposal IKEV2_PROPOSAL
|
||||
|
||||
R1(config)#crypto ikev2 profile IKEV2_PROFILE
|
||||
R1(config-ikev2-profile)#match identity remote key-id *$AnyConnectClient$*
|
||||
R1(config-ikev2-profile)#authentication local rsa-sig
|
||||
R1(config-ikev2-profile)#authentication remote anyconnect-eap aggregate
|
||||
R1(config-ikev2-profile)#pki trustpoint R1-CLIENT
|
||||
R1(config-ikev2-profile)#aaa authentication anyconnect-eap AAA_AUTHENTICATION_LOGIN
|
||||
R1(config-ikev2-profile)#aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK IKEV2_AUTHORIZATION_POLICY
|
||||
R1(config-ikev2-profile)#virtual-template 1
|
||||
|
||||
R1(config)#crypto ipsec transform-set TRANSFORM_SET esp-aes 256 esp-sha256-hmac
|
||||
R1(cfg-crypto-trans)#mode tunnel
|
||||
|
||||
R1(config)#crypto ipsec profile IKEV2_PROFILE
|
||||
R1(ipsec-profile)#set transform-set TRANSFORM_SET
|
||||
R1(ipsec-profile)#set ikev2-profile IKEV2_PROFILE
|
||||
|
||||
R1(config)#interface Virtual-Template1 type tunnel
|
||||
R1(config-if)#ip unnumbered Loopback0
|
||||
R1(config-if)#ip mtu 1400
|
||||
R1(config-if)#tunnel mode ipsec ipv4
|
||||
R1(config-if)#tunnel protection ipsec profile IKEV2_PROFILE
|
||||
|
||||
|
||||
|
37
FlexVPN/flexvpn1.txt
Normal file
37
FlexVPN/flexvpn1.txt
Normal file
@ -0,0 +1,37 @@
|
||||
crypto ikev2 keyring KEYR1
|
||||
peer R2
|
||||
address 198.51.100.2
|
||||
pre-shared-key local Cisco
|
||||
pre-shared-key remote Cisco
|
||||
|
||||
|
||||
crypto ikev2 profile Profil1
|
||||
match identity remote address 198.51.100.2 255.255.255.255
|
||||
authentication local pre-share
|
||||
authentication remote pre-share
|
||||
keyring local KEYR1
|
||||
|
||||
|
||||
crypto ikev2 proposal ikeprop1
|
||||
integrity sha256 sha384 sha512
|
||||
group 14 15
|
||||
encryption aes-cbc-128 aes-cbc-256
|
||||
|
||||
crypto ikev2 policy ikepol1
|
||||
proposal ikeprop1
|
||||
|
||||
ip access-list extended ACLR2
|
||||
permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
|
||||
|
||||
crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
|
||||
|
||||
crypto map CM1 10 ipsec-isakmp
|
||||
match address ACLR2
|
||||
set peer 198.51.100.2
|
||||
set transform-set TR1
|
||||
set ikev2-profile Profil1
|
||||
|
||||
|
||||
int g0/1
|
||||
crypto map CM1
|
||||
|
87
FlexVPN/flexvpn2.txt
Normal file
87
FlexVPN/flexvpn2.txt
Normal file
@ -0,0 +1,87 @@
|
||||
Dla R1 i R2:
|
||||
|
||||
no int tunnel 1
|
||||
no router ospf 1
|
||||
|
||||
|
||||
Dla R1:
|
||||
interface Loopback1
|
||||
ip address 172.16.1.1 255.255.255.0
|
||||
|
||||
############################################
|
||||
Dla R1:
|
||||
crypto ikev2 keyring KEYR1
|
||||
peer R2
|
||||
address 198.51.100.2
|
||||
pre-shared-key local Cisco
|
||||
pre-shared-key remote Cisco
|
||||
|
||||
|
||||
crypto ikev2 profile Profil1
|
||||
match identity remote address 198.51.100.2 255.255.255.255
|
||||
authentication local pre-share
|
||||
authentication remote pre-share
|
||||
keyring local KEYR1
|
||||
|
||||
|
||||
Dla R2:
|
||||
crypto ikev2 keyring KEYR1
|
||||
peer R1
|
||||
address 192.0.2.1
|
||||
pre-shared-key local Cisco
|
||||
pre-shared-key remote Cisco
|
||||
|
||||
|
||||
crypto ikev2 profile Profil1
|
||||
match identity remote address 192.0.2.1 255.255.255.255
|
||||
authentication local pre-share
|
||||
authentication remote pre-share
|
||||
keyring local KEYR1
|
||||
|
||||
|
||||
|
||||
Dla R1:
|
||||
crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
|
||||
|
||||
crypto ipsec profile IPprof1
|
||||
set transform-set TR1
|
||||
set ikev2-profile Profil1
|
||||
|
||||
|
||||
int tun 12
|
||||
ip add 10.0.12.1 255.255.255.0
|
||||
tunnel source 192.0.2.1
|
||||
tunnel destination 198.51.100.2
|
||||
tunnel protection ipsec profile IPprof1
|
||||
tunnel mode ipsec ipv4
|
||||
|
||||
|
||||
|
||||
Dla R2:
|
||||
crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
|
||||
|
||||
crypto ipsec profile IPprof1
|
||||
set transform-set TR1
|
||||
set ikev2-profile Profil1
|
||||
|
||||
|
||||
int tun 12
|
||||
ip add 10.0.12.2 255.255.255.0
|
||||
tunnel source 198.51.100.2
|
||||
tunnel destination 192.0.2.1
|
||||
tunnel protection ipsec profile IPprof1
|
||||
tunnel mode ipsec ipv4
|
||||
|
||||
|
||||
Dla R1:
|
||||
router eigrp 1
|
||||
network 10.0.12.0 0.0.0.255
|
||||
network 172.16.1.0 0.0.0.255
|
||||
|
||||
Dla R2:
|
||||
router eigrp 1
|
||||
network 10.0.12.0 0.0.0.255
|
||||
network 172.16.2.0 0.0.0.255
|
||||
|
||||
|
||||
|
105
FlexVPN/flexvpn3.txt
Normal file
105
FlexVPN/flexvpn3.txt
Normal file
@ -0,0 +1,105 @@
|
||||
FLexVPN HUB-SPOKE
|
||||
Dla R2, R3, R4:
|
||||
crypto ikev2 keyring KEYR1
|
||||
peer R1
|
||||
address 192.0.2.1
|
||||
pre-shared-key local Cisco
|
||||
pre-shared-key remote Cisco
|
||||
|
||||
crypto ikev2 profile Profil1
|
||||
match identity remote address 192.0.2.1 255.255.255.255
|
||||
authentication local pre-share
|
||||
authentication remote pre-share
|
||||
keyring local KEYR1
|
||||
|
||||
crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
|
||||
|
||||
crypto ipsec profile IPprof1
|
||||
set transform-set TR1
|
||||
set ikev2-profile Profil1
|
||||
|
||||
#####
|
||||
|
||||
Dla R2:
|
||||
int loopback 3
|
||||
ip add 2.2.2.2 255.255.255.255
|
||||
|
||||
Dla R3:
|
||||
int loopback 3
|
||||
ip add 3.3.3.3 255.255.255.255
|
||||
|
||||
Dla R4:
|
||||
int loopback 3
|
||||
ip add 4.4.4.4 255.255.255.255
|
||||
|
||||
Dla wszystkich Spoke (R2, R3, R4):
|
||||
int tun 12
|
||||
ip unnumbered loopback 3
|
||||
tunnel source g0/1
|
||||
tunnel destination 192.0.2.1
|
||||
tunnel protection ipsec profile IPprof1
|
||||
|
||||
#####
|
||||
Koncentrator (R1):
|
||||
|
||||
crypto ikev2 keyring KEYR1
|
||||
peer ANYROUTER
|
||||
address 0.0.0.0
|
||||
pre-shared-key local Cisco
|
||||
pre-shared-key remote Cisco
|
||||
|
||||
crypto ikev2 profile Profil1
|
||||
match identity remote address 0.0.0.0 0.0.0.0
|
||||
authentication local pre-share
|
||||
authentication remote pre-share
|
||||
keyring local KEYR1
|
||||
virtual-template 1
|
||||
|
||||
|
||||
crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
|
||||
|
||||
crypto ipsec profile IPprof1
|
||||
set transform-set TR1
|
||||
set ikev2-profile Profil1
|
||||
|
||||
int loopback 3
|
||||
ip add 1.1.1.1 255.255.255.255
|
||||
|
||||
interface virtual-template 1 type tunnel
|
||||
tunnel source g0/1
|
||||
ip unnumbered loopback 3
|
||||
tunnel protection ipsec profile IPprof1
|
||||
|
||||
####
|
||||
Dla R1:
|
||||
router eigrp 1
|
||||
network 1.1.1.1 0.0.0.0
|
||||
|
||||
Dla R2:
|
||||
router eigrp 1
|
||||
network 2.2.2.2 0.0.0.0
|
||||
network 172.16.2.0 0.0.0.255
|
||||
network 192.168.2.0 0.0.0.255
|
||||
|
||||
Dla R3:
|
||||
router eigrp 1
|
||||
network 3.3.3.3 0.0.0.0
|
||||
network 172.16.3.0 0.0.0.255
|
||||
network 192.168.3.0 0.0.0.255
|
||||
|
||||
Dla R4:
|
||||
router eigrp 1
|
||||
network 4.4.4.4 0.0.0.0
|
||||
network 172.16.4.0 0.0.0.255
|
||||
network 192.168.4.0 0.0.0.255
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
116
FlexVPN/flexvpn4.txt
Normal file
116
FlexVPN/flexvpn4.txt
Normal file
@ -0,0 +1,116 @@
|
||||
FLexVPN HUB-SPOKE
|
||||
Dla R2, R3, R4:
|
||||
crypto ikev2 keyring KEYR1
|
||||
peer R1
|
||||
address 192.0.2.1
|
||||
pre-shared-key local Cisco
|
||||
pre-shared-key remote Cisco
|
||||
|
||||
crypto ikev2 profile Profil1
|
||||
match identity remote address 192.0.2.1 255.255.255.255
|
||||
authentication local pre-share
|
||||
authentication remote pre-share
|
||||
keyring local KEYR1
|
||||
aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
|
||||
|
||||
crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
|
||||
|
||||
crypto ipsec profile IPprof1
|
||||
set transform-set TR1
|
||||
set ikev2-profile Profil1
|
||||
|
||||
|
||||
aaa new-model
|
||||
aaa authorization network default local
|
||||
|
||||
crypto ikev2 authorization policy AUTHPOLICY1
|
||||
route set interface
|
||||
|
||||
|
||||
#####
|
||||
|
||||
|
||||
Dla wszystkich Spoke (R2, R3, R4):
|
||||
int tun 12
|
||||
ip address negotiated
|
||||
tunnel source g0/1
|
||||
tunnel destination 192.0.2.1
|
||||
tunnel protection ipsec profile IPprof1
|
||||
|
||||
#####
|
||||
Koncentrator (R1):
|
||||
|
||||
crypto ikev2 keyring KEYR1
|
||||
peer ANYROUTER
|
||||
address 0.0.0.0
|
||||
pre-shared-key local Cisco
|
||||
pre-shared-key remote Cisco
|
||||
|
||||
|
||||
|
||||
crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
|
||||
|
||||
crypto ipsec profile IPprof1
|
||||
set transform-set TR1
|
||||
set ikev2-profile Profil1
|
||||
|
||||
int loopback 3
|
||||
ip add 1.1.1.1 255.255.255.0
|
||||
|
||||
interface virtual-template 1 type tunnel
|
||||
tunnel source g0/1
|
||||
ip unnumbered loopback 3
|
||||
tunnel protection ipsec profile IPprof1
|
||||
|
||||
|
||||
ip local pool PULAIP 1.1.1.2 1.1.1.10
|
||||
|
||||
aaa new-model
|
||||
aaa authorization network default local
|
||||
|
||||
crypto ikev2 authorization policy AUTHPOLICY1
|
||||
pool PULAIP
|
||||
route set interface
|
||||
|
||||
crypto ikev2 profile Profil1
|
||||
match identity remote address 0.0.0.0 0.0.0.0
|
||||
authentication local pre-share
|
||||
authentication remote pre-share
|
||||
keyring local KEYR1
|
||||
virtual-template 1
|
||||
aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
|
||||
|
||||
|
||||
####
|
||||
Dla R1:
|
||||
router eigrp 1
|
||||
network 1.1.1.0 0.0.0.255
|
||||
|
||||
Dla R2:
|
||||
router eigrp 1
|
||||
network 1.1.1.0 0.0.0.255
|
||||
network 172.16.2.0 0.0.0.255
|
||||
network 192.168.2.0 0.0.0.255
|
||||
|
||||
Dla R3:
|
||||
router eigrp 1
|
||||
network 1.1.1.0 0.0.0.255
|
||||
network 172.16.3.0 0.0.0.255
|
||||
network 192.168.3.0 0.0.0.255
|
||||
|
||||
Dla R4:
|
||||
router eigrp 1
|
||||
network 1.1.1.0 0.0.0.255
|
||||
network 172.16.4.0 0.0.0.255
|
||||
network 192.168.4.0 0.0.0.255
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
138
FlexVPN/flexvpn5.txt
Normal file
138
FlexVPN/flexvpn5.txt
Normal file
@ -0,0 +1,138 @@
|
||||
FLexVPN SPOKE-SPOKE
|
||||
Dla R2, R3, R4:
|
||||
|
||||
crypto ikev2 keyring KEYR1
|
||||
peer ANYPEER
|
||||
address 0.0.0.0
|
||||
pre-shared-key local Cisco
|
||||
pre-shared-key remote Cisco
|
||||
|
||||
crypto ikev2 profile Profil1
|
||||
match identity remote address 0.0.0.0 0.0.0.0
|
||||
authentication local pre-share
|
||||
authentication remote pre-share
|
||||
keyring local KEYR1
|
||||
aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
|
||||
|
||||
crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
|
||||
|
||||
crypto ipsec profile IPprof1
|
||||
set transform-set TR1
|
||||
set ikev2-profile Profil1
|
||||
|
||||
|
||||
aaa new-model
|
||||
aaa authorization network default local
|
||||
|
||||
crypto ikev2 authorization policy AUTHPOLICY1
|
||||
route set interface
|
||||
|
||||
|
||||
#####
|
||||
|
||||
|
||||
Dla wszystkich Spoke (R2, R3, R4):
|
||||
int tun 12
|
||||
ip address negotiated
|
||||
tunnel source g0/1
|
||||
tunnel destination 192.0.2.1
|
||||
tunnel protection ipsec profile IPprof1
|
||||
ip nhrp network-id 1
|
||||
ip nhrp shortcut virtual-template 12
|
||||
|
||||
|
||||
int virtual-template 12 type tunnel
|
||||
ip unnumbered tunnel 12
|
||||
tunnel source g0/1
|
||||
ip nhrp network-id 1
|
||||
ip nhrp shortcut virtual-template 12
|
||||
tunnel protection ipsec profile IPprof1
|
||||
|
||||
|
||||
|
||||
|
||||
#####
|
||||
Koncentrator (R1):
|
||||
|
||||
|
||||
int loopback 3
|
||||
ip add 1.1.1.1 255.255.255.0
|
||||
|
||||
ip local pool PULAIP 1.1.1.2 1.1.1.10
|
||||
|
||||
aaa new-model
|
||||
aaa authorization network default local
|
||||
|
||||
|
||||
crypto ikev2 authorization policy AUTHPOLICY1
|
||||
pool PULAIP
|
||||
route set interface
|
||||
|
||||
|
||||
crypto ikev2 keyring KEYR1
|
||||
peer ANYPEER
|
||||
address 0.0.0.0
|
||||
pre-shared-key local Cisco
|
||||
pre-shared-key remote Cisco
|
||||
|
||||
crypto ikev2 profile Profil1
|
||||
match identity remote address 0.0.0.0 0.0.0.0
|
||||
authentication local pre-share
|
||||
authentication remote pre-share
|
||||
keyring local KEYR1
|
||||
virtual-template 1
|
||||
aaa authorization group override psk list AUTHPOLICY1 AUTHPOLICY1
|
||||
|
||||
crypto ipsec transform-set TR1 esp-sha256-hmac esp-aes
|
||||
|
||||
crypto ipsec profile IPprof1
|
||||
set transform-set TR1
|
||||
set ikev2-profile Profil1
|
||||
|
||||
|
||||
|
||||
interface virtual-template 1 type tunnel
|
||||
tunnel source g0/1
|
||||
ip unnumbered loopback 3
|
||||
tunnel protection ipsec profile IPprof1
|
||||
ip nhrp network-id 1
|
||||
ip nhrp redirect
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
####
|
||||
Dla R1:
|
||||
router eigrp 1
|
||||
network 1.1.1.0 0.0.0.255
|
||||
|
||||
Dla R2:
|
||||
router eigrp 1
|
||||
network 1.1.1.0 0.0.0.255
|
||||
network 172.16.2.0 0.0.0.255
|
||||
network 192.168.2.0 0.0.0.255
|
||||
|
||||
Dla R3:
|
||||
router eigrp 1
|
||||
network 1.1.1.0 0.0.0.255
|
||||
network 172.16.3.0 0.0.0.255
|
||||
network 192.168.3.0 0.0.0.255
|
||||
|
||||
Dla R4:
|
||||
router eigrp 1
|
||||
network 1.1.1.0 0.0.0.255
|
||||
network 172.16.4.0 0.0.0.255
|
||||
network 192.168.4.0 0.0.0.255
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
91
ip_source_guard.txt
Normal file
91
ip_source_guard.txt
Normal file
@ -0,0 +1,91 @@
|
||||
Router:
|
||||
hostname R1
|
||||
!
|
||||
ip dhcp pool MY_POOL
|
||||
network 192.168.1.0 255.255.255.0
|
||||
!
|
||||
ip cef
|
||||
!
|
||||
interface FastEthernet0/0
|
||||
ip address 192.168.1.254 255.255.255.0
|
||||
!
|
||||
end
|
||||
|
||||
|
||||
Przełącznik (router podłączony na porcie g0/1):
|
||||
hostname SW1
|
||||
!
|
||||
ip dhcp snooping vlan 1
|
||||
no ip dhcp snooping information option
|
||||
ip dhcp snooping
|
||||
!
|
||||
interface GigabitEthernet0/1
|
||||
switchport mode access
|
||||
spanning-tree portfast
|
||||
ip dhcp snooping trust
|
||||
!
|
||||
interface GigabitEthernet0/2
|
||||
switchport mode access
|
||||
spanning-tree portfast
|
||||
!
|
||||
interface GigabitEthernet0/3
|
||||
switchport mode access
|
||||
spanning-tree portfast
|
||||
!
|
||||
interface GigabitEthernet0/4
|
||||
switchport mode access
|
||||
spanning-tree portfast
|
||||
!
|
||||
end
|
||||
|
||||
|
||||
Konfigurujemy "IP Source Guard" dla komputera podłączonego na porcie g0/2:
|
||||
SW1(config)#interface GigabitEthernet 0/2
|
||||
SW1(config-if)#ip verify source
|
||||
|
||||
SW1#show ip verify source
|
||||
Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
|
||||
--------- ----------- ----------- --------------- ----------------- ---- ---
|
||||
Gi0/2 ip active 192.168.1.1 1 disabled
|
||||
|
||||
|
||||
SW1 zezwala teraz tylko na źródłowy adres IP 192.168.1.1 (bo taki PC dostanie pierwszy z brzegu) na interfejsie GigabitEthernet 0/2. Pole adresu MAC jest puste, także w tej chwili przełącznik sprawdza tylko źródłowy adres IP. Można jednak również sprawdzać źródłowy adres MAC.
|
||||
Do tego celu trzeba wykorzystać jeszcze mechanizm port-security:
|
||||
SW1(config)#interface GigabitEthernet 0/2
|
||||
SW1(config-if)#switchport port-security
|
||||
SW1(config-if)#ip verify source port-security
|
||||
|
||||
SW1#show ip verify source
|
||||
Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
|
||||
--------- ----------- ----------- --------------- ----------------- ---- ---
|
||||
Gi0/2 ip-mac active 192.168.1.1 00:11:22:44:33:AA 1 disabled
|
||||
|
||||
|
||||
Załóżmy, że skonfigurujemy na porcie G0/3 kolejny PC, który będzie mieć statycznie przypisane dane adresowe:
|
||||
SW1(config)#interface GigabitEthernet 0/3
|
||||
SW1(config-if)#switchport port-security
|
||||
SW1(config-if)#ip verify source port-security
|
||||
|
||||
SW1#show ip verify source
|
||||
Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
|
||||
--------- ----------- ----------- --------------- ----------------- ---- ---
|
||||
Gi0/2 ip-mac active 192.168.1.1 00:11:22:44:33:AA 1 disabled
|
||||
Gi0/3 ip-mac active deny-all deny-all 1
|
||||
|
||||
Jeżeli teraz z tego powyższego komputera spróbujemy wykonać jakąkolwiek transmisję (choćby ping), to nie pwoiedzie się, będzie blokowane.
|
||||
|
||||
|
||||
|
||||
Możemy również przypisać statycznie adres mac oraz adres IP do zadanego portu, np. dla portu G0/4:
|
||||
SW1(config)#interface GigabitEthernet 0/4
|
||||
SW1(config-if)#switchport port-security
|
||||
SW1(config-if)#ip verify source port-security
|
||||
SW1(config)#ip source binding 0011.aabb.0088 vlan 1 192.168.1.200 interface GigabitEthernet 0/4
|
||||
|
||||
|
||||
SW1#show ip verify source
|
||||
Interface Filter-type Filter-mode IP-address Mac-address Vlan Log
|
||||
--------- ----------- ----------- --------------- ----------------- ---- ---
|
||||
Gi0/2 ip-mac active 192.168.1.1 00:11:22:44:33:AA 1 disabled
|
||||
Gi0/3 ip-mac active deny-all deny-all 1
|
||||
Gi0/4 ip-mac active 192.168.1.200 00:16:C7:BE:0E:C8 1 disabled
|
Loading…
Reference in New Issue
Block a user