Switch Layer-2 Enhancement Features: Lab Record (3)

2020-05-18 17:12

(3) Configuring broadcast storm control

Configuration:

interface GigabitEthernet2/0/1
 storm-control broadcast level 8.00 4.00
!
interface GigabitEthernet2/0/2
 storm-control broadcast level 8.00 4.00
!
interface GigabitEthernet2/0/5
 storm-control broadcast level 8.00 4.00

After generating a broadcast storm, sh storm-control shows the following (four successive snapshots):

Interface  Filter State   Upper       Lower       Current
---------  -------------  ----------  ----------  ----------
Gi2/0/1    Forwarding     8.00%       4.00%       3.01%
Gi2/0/2    Forwarding     8.00%       4.00%       3.02%
Gi2/0/5    Forwarding     8.00%       4.00%       0.00%

Interface  Filter State   Upper       Lower       Current
---------  -------------  ----------  ----------  ----------
Gi2/0/1    Forwarding     8.00%       4.00%       7.52%
Gi2/0/2    Forwarding     8.00%       4.00%       7.54%
Gi2/0/5    Forwarding     8.00%       4.00%       0.00%

Interface  Filter State   Upper       Lower       Current
---------  -------------  ----------  ----------  ----------
Gi2/0/1    Blocking       8.00%       4.00%       9.69%
Gi2/0/2    Blocking       8.00%       4.00%       9.72%
Gi2/0/5    Forwarding     8.00%       4.00%       0.00%

Interface  Filter State   Upper       Lower       Current
---------  -------------  ----------  ----------  ----------
Gi2/0/1    Forwarding     8.00%       4.00%       0.01%
Gi2/0/2    Forwarding     8.00%       4.00%       0.00%
Gi2/0/5    Forwarding     8.00%       4.00%       0.00%

As can be seen, once the port's traffic exceeds the configured percentage, the port starts suppressing it. The log output is as follows:

*Mar 1 01:00:57.600: %SW_MATM-4-MACFLAP_NOTIF: Host d4be.d92d.1893 in vlan 1 is flapping between port Gi2/0/2 and port Gi2/0/1

*Mar 1 01:00:58.422: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Gi2/0/1. A packet filter action has been applied on the interface.

*Mar 1 01:01:01.442: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Gi2/0/1. A packet filter action has been applied on the interface.

*Mar 1 01:01:04.462: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Gi2/0/1. A packet filter action has been applied on the interface.

......

*Mar 1 01:01:10.955: %SW_MATM-4-MACFLAP_NOTIF: Host d4be.d92d.1893 in vlan 1 is flapping between port Gi2/0/2 and port Gi2/0/1

(4) Configuring the storm-control action

The storm-control action shutdown command is best used together with the errdisable recovery cause storm-control command. The default port recovery interval on the Cisco 3750 is 300 seconds and can be changed to 30-86400 seconds; otherwise, once a port goes err-disabled, it can only be restored by manual configuration.

Configuration:

errdisable recovery cause storm-control
......
interface GigabitEthernet2/0/1
 storm-control broadcast level 8.00 4.00
 storm-control action shutdown
!
interface GigabitEthernet2/0/2
 storm-control broadcast level 8.00 4.00
 storm-control action shutdown
!
interface GigabitEthernet2/0/5
 storm-control broadcast level 8.00 4.00
 storm-control action shutdown
!

After generating a broadcast storm, the log is as follows:

*Mar 1 01:07:49.020: %SW_MATM-4-MACFLAP_NOTIF: Host d4be.d92d.1893 in vlan 1 is flapping between port Gi2/0/5 and port Gi2/0/2
*Mar 1 01:07:50.085: %PM-4-ERR_DISABLE: storm-control error detected on Gi2/0/1, putting Gi2/0/1 in err-disable state
*Mar 1 01:07:50.135: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Gi2/0/1. The interface has been disabled.
*Mar 1 01:07:50.135: %PM-4-ERR_DISABLE: storm-control error detected on Gi2/0/2, putting Gi2/0/2 in err-disable state
*Mar 1 01:07:50.202: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/1, changed state to down
*Mar 1 01:07:50.202: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/2, changed state to down
*Mar 1 01:07:52.090: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/1, changed state to down
*Mar 1 01:07:52.148: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to down
*Mar 1 01:12:50.129: %PM-4-ERR_RECOVER: Attempting to recover from storm-control err-disable state on Gi2/0/1
*Mar 1 01:12:50.187: %PM-4-ERR_RECOVER: Attempting to recover from storm-control err-disable state on Gi2/0/2
*Mar 1 01:12:51.127: %SW_MATM-4-MACFLAP_NOTIF: Host d4be.d92d.1893 in vlan 1 is flapping between port Gi2/0/2 and port Gi2/0/1
*Mar 1 01:12:52.301: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/1, changed state to up
*Mar 1 01:12:52.310: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/1, changed state to up
*Mar 1 01:12:52.318: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to up
*Mar 1 01:12:52.326: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/2, changed state to up
*Mar 1 01:12:52.335: %PM-4-ERR_DISABLE: storm-control error detected on Gi2/0/1, putting Gi2/0/1 in err-disable state
*Mar 1 01:12:52.394: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Gi2/0/1. The interface has been disabled.
*Mar 1 01:12:52.394: %PM-4-ERR_DISABLE: storm-control error detected on Gi2/0/2, putting Gi2/0/2 in err-disable state
*Mar 1 01:12:52.452: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/1, changed state to down
*Mar 1 01:12:52.452: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/2, changed state to down
*Mar 1 01:12:54.348: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/1, changed state to down
*Mar 1 01:12:54.398: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/2, changed state to down

As can be seen, after the broadcast storm is generated the ports are placed in err-disable; because errdisable recovery is configured, the port state is restored after the default 5 minutes, but the broadcast storm still exists, so the ports are immediately placed in err-disable again. The experiment matches expectations.
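The err-disable/recover cycle in the log above is easy to spot by eye in a lab but is worth detecting automatically in production, because every recovery attempt re-admits the storm for a couple of seconds. The following Python script is an added example, not part of this lab record or of Cisco IOS: it parses the lab's own log lines (embedded as a sample) and flags any port that re-enters err-disable within a window (assumed here to be 60 seconds) of a %PM-4-ERR_RECOVER message. The regular expressions, the window, and the assumption that all timestamps fall within one day are this example's own.

```python
"""Detect storm-control err-disable recovery loops in Cisco IOS syslog.

Added example, not part of the original lab record. The sample lines below are
copied from the lab's own log; the parsing and the 60-second "loop" window are
this example's assumptions, and timestamps are assumed to fall within one day.
"""
import re
from collections import Counter

# Sample log copied from the lab record (timestamps and ports as logged there).
SAMPLE_LOG = """\
*Mar 1 01:00:58.422: %STORM_CONTROL-3-FILTERED: A Broadcast storm detected on Gi2/0/1. A packet filter action has been applied on the interface.
*Mar 1 01:07:50.085: %PM-4-ERR_DISABLE: storm-control error detected on Gi2/0/1, putting Gi2/0/1 in err-disable state
*Mar 1 01:07:50.135: %PM-4-ERR_DISABLE: storm-control error detected on Gi2/0/2, putting Gi2/0/2 in err-disable state
*Mar 1 01:07:50.202: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/0/1, changed state to down
*Mar 1 01:12:50.129: %PM-4-ERR_RECOVER: Attempting to recover from storm-control err-disable state on Gi2/0/1
*Mar 1 01:12:50.187: %PM-4-ERR_RECOVER: Attempting to recover from storm-control err-disable state on Gi2/0/2
*Mar 1 01:12:52.335: %PM-4-ERR_DISABLE: storm-control error detected on Gi2/0/1, putting Gi2/0/1 in err-disable state
*Mar 1 01:12:52.394: %PM-4-ERR_DISABLE: storm-control error detected on Gi2/0/2, putting Gi2/0/2 in err-disable state
"""

# "*Mar 1 01:07:50.085: %PM-4-ERR_DISABLE: <message>"
LINE_RE = re.compile(
    r"^\*(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) "
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<ms>\d{3}): "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$"
)
# Accept both the short (Gi2/0/1) and long (GigabitEthernet2/0/1) interface names.
PORT_RE = re.compile(r"(?:Gi|GigabitEthernet)(\d+/\d+/\d+)")


def parse_line(line):
    """Return {'t_ms', 'mnemonic', 'port', 'msg'} or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Milliseconds since midnight; the sample has no date roll-over.
    t_ms = ((int(m["h"]) * 60 + int(m["m"])) * 60 + int(m["s"])) * 1000 + int(m["ms"])
    p = PORT_RE.search(m["msg"])
    return {"t_ms": t_ms, "mnemonic": m["mnemonic"],
            "port": f"Gi{p.group(1)}" if p else None, "msg": m["msg"]}


def parse_log(text):
    """Parse every recognisable line of a syslog dump, keeping log order."""
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def count_by_port(events, mnemonic):
    """How many times each port raised the given mnemonic (e.g. PM-4-ERR_DISABLE)."""
    return Counter(ev["port"] for ev in events if ev["mnemonic"] == mnemonic)


def find_recovery_loops(events, window_ms=60_000):
    """Ports that re-enter err-disable within window_ms of an ERR_RECOVER attempt.

    This is the signature of errdisable recovery firing while the storm is still
    present: each recovery only gives the storm another few seconds on the wire.
    Returns [(port, ms_between_recover_and_disable), ...] in log order.
    """
    last_recover = {}
    loops = []
    for ev in events:
        if ev["mnemonic"] == "PM-4-ERR_RECOVER":
            last_recover[ev["port"]] = ev["t_ms"]
        elif ev["mnemonic"] == "PM-4-ERR_DISABLE" and ev["port"] in last_recover:
            gap = ev["t_ms"] - last_recover.pop(ev["port"])
            if 0 <= gap <= window_ms:
                loops.append((ev["port"], gap))
    return loops


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("err-disable count per port:", dict(count_by_port(evs, "PM-4-ERR_DISABLE")))
    for port, gap in find_recovery_loops(evs):
        print(f"{port}: err-disabled again {gap / 1000:.3f} s after recovery attempt")
```

With the lab's lines the script reports Gi2/0/1 and Gi2/0/2 being disabled again about 2.2 seconds after their recovery attempt. That pattern tells an operator the storm source has not been removed and that errdisable recovery alone will not fix it; a longer errdisable recovery interval only changes how often the cycle repeats.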

(5) Summary

By configuring switch interfaces, broadcast and multicast traffic can be controlled to protect overall network bandwidth. When a broadcast storm occurs it can be suppressed promptly and its impact confined locally, which preserves network performance and also reduces the switch's load, so the hardware does not have its service life shortened by unnecessary high-load operation.

Configuration example, in interface configuration mode:

storm-control broadcast level 8.00 4.00
storm-control multicast level 8.00 4.00
storm-control action shutdown

Where:

- level 8.00 4.00: both values are percentages in the range 0.00 to 100.00. For example, on a port whose speed is 1000 Mb/s, when the corresponding broadcast or multicast traffic exceeds 1000*8/100 = 80 Mb/s the switch starts Blocking that traffic, and when it falls below 1000*4/100 = 40 Mb/s the traffic is allowed through again.

- action shutdown: the default storm-control action is to Block the offending traffic; the port state does not change. Whether to shut the port down can be configured according to the actual situation.

- Difference between Blocking and shutdown: while Blocking, the switch CPU utilization remains high, traffic on the affected interface remains heavy, and the switch stays under high load; after shutdown, CPU utilization returns to normal and the switch returns to its normal operating state.

- When action shutdown is configured, the following command in global configuration mode makes the switch attempt to recover a port after it has gone err-disabled:

  errdisable recovery cause storm-control

  After the port recovers, if the abnormal traffic still exists, the port is placed in err-disable again, until the traffic returns to normal.
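To make the rising/falling behaviour of level 8.00 4.00 concrete, the following Python model is an added example, not part of the lab record or of Cisco IOS. It converts the two levels to Mb/s for a given port speed, checks the value constraints the CLI imposes, and walks a sequence of Current readings through the Forwarding/Blocking state that the show storm-control output reports. It goes one step beyond the lab output by feeding a constructed reading that sits between the two levels, to show that a port stays Blocking until traffic falls below the falling threshold, not merely below the rising one. The names StormControl, run and level_is_valid are this example's own.

```python
"""Storm-control rising/falling threshold model with hysteresis.

Added example, not from the lab record or Cisco. It assumes one utilization
sample per measurement interval and the rule the summary describes: block when
a sample is above the rising level, forward again only once a sample is below
the falling level.
"""
from dataclasses import dataclass


def validate_level(upper_pct, lower_pct):
    """Mirror the CLI constraint: both values 0.00-100.00, falling <= rising."""
    for value in (upper_pct, lower_pct):
        if not 0.0 <= value <= 100.0:
            raise ValueError(f"level {value} is outside 0.00-100.00")
    if lower_pct > upper_pct:
        raise ValueError("falling threshold must not exceed rising threshold")


def level_is_valid(upper_pct, lower_pct):
    """Boolean form of validate_level for callers that do not want exceptions."""
    try:
        validate_level(upper_pct, lower_pct)
    except ValueError:
        return False
    return True


@dataclass
class StormControl:
    upper_pct: float            # rising threshold, e.g. 8.00
    lower_pct: float            # falling threshold, e.g. 4.00
    speed_mbps: int = 1000      # port speed used to convert % to Mb/s
    state: str = "Forwarding"   # what 'show storm-control' shows as Filter State

    def __post_init__(self):
        validate_level(self.upper_pct, self.lower_pct)

    def thresholds_mbps(self):
        """(rising, falling) in Mb/s: speed * level / 100."""
        return (self.speed_mbps * self.upper_pct / 100,
                self.speed_mbps * self.lower_pct / 100)

    def sample(self, current_pct):
        """Feed one 'Current' reading and return the resulting Filter State."""
        if self.state == "Forwarding" and current_pct > self.upper_pct:
            self.state = "Blocking"            # crossed the rising threshold
        elif self.state == "Blocking" and current_pct < self.lower_pct:
            self.state = "Forwarding"          # dropped below the falling threshold
        # A reading between the two levels leaves the state unchanged (hysteresis).
        return self.state


def run(samples, upper_pct=8.0, lower_pct=4.0, speed_mbps=1000):
    """Return the Filter State after each sample, in order."""
    sc = StormControl(upper_pct, lower_pct, speed_mbps)
    return [sc.sample(s) for s in samples]


if __name__ == "__main__":
    # Gi2/0/1 readings from the lab output, plus a constructed 5.0% reading
    # that lies between the falling (4%) and rising (8%) thresholds.
    readings = [3.01, 7.52, 9.69, 5.0, 0.01]
    rising, falling = StormControl(8.0, 4.0).thresholds_mbps()
    print(f"rising {rising} Mb/s, falling {falling} Mb/s on a 1000 Mb/s port")
    for pct, state in zip(readings, run(readings)):
        print(f"{pct:6.2f}%  {state}")
```

The constructed 5.0% reading is the point of the exercise: it is below the rising level but the port is still Blocking, because only a reading below the falling level clears the condition. Setting the two levels equal removes that hysteresis and makes the port flap around a single value.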

III. Switch port access security design

switchport port-security

switchport port-security maximum 1

switchport port-security violation shutdown

Design points: configure the Port security feature on ES switch access ports to prevent hubs from being connected.

- Design scope: all ES switch access ports.

- Configure the Port security feature on every ES switch port that connects end devices.

- Set the maximum number of MAC addresses allowed on a port to 1, which effectively prevents users from arbitrarily connecting a hub and attaching multiple end devices.

- The Port security mechanism automatically detects the number of MAC addresses on the port; when more than 1 MAC address is detected, it automatically shuts the switch port down. In addition, configure the relevant SNMP traps on the switch so that when a port is shut down the network management system can notify the administrator immediately.

Test: after port-security maximum 1 is enabled on a port, how long before a different laptop can be connected to the same port and access the network normally (adjust the MAC address aging time).

(1) Port security commands on Cisco

In interface configuration mode:

switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode

switchport port-security aging ?
  static  Enable aging for configured secure addresses
  time    Port-security aging time
  type    Port-security aging type

switchport port-security aging time ?
  <1-1440>  Aging time in minutes. Enter a value between 1 and 1440

Note: if not set, the default is 0, meaning no aging.

switchport port-security aging type ?
  absolute    Absolute aging (default)
  inactivity  Aging based on inactivity time period

Note:

Enable or disable static aging for the secure port, or set the aging time or type. Enter static to enable aging for statically configured secure addresses on this port.

For time, specify the aging time for this port. The valid range is from 0 to 1440 minutes. If the time is equal to 0, aging is disabled for this port.

For type, select one of these keywords:

- absolute: Sets the aging type as absolute aging. All the secure addresses on this port age out after the specified time (minutes) lapses and are removed from the secure address list.

  Note: The absolute aging time could vary by 1 minute, depending on the sequence of the system timer.

- inactivity: Sets the aging type as inactivity aging. The secure addresses on this port age out only if there is no data traffic from the secure source addresses for the specified time period.

switchport port-security mac-address ?
  H.H.H   48 bit mac address
  sticky  Configure dynamic secure addresses as sticky

switchport port-security maximum ?
  <1-6144>  Maximum addresses

switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode

switchport port-security violation shutdown vlan ?

Note:

Violation Mode  Traffic is forwarded  Sends SNMP trap  Sends syslog message  Displays error message  Shuts down port
protect         No                    No               No                    No                      No
restrict        No                    Yes              Yes                   No                      No
shutdown        No                    Yes              Yes                   No                      Yes

The default is shutdown.

(2) Configuring port access security

Configuration:

errdisable recovery cause psecure-violation
errdisable recovery interval 30
......
!
interface GigabitEthernet2/0/5
 switchport mode access
 switchport port-security

Notes:

1. Port security must be configured in access mode; otherwise:

   Switch(config-if)#switchport port-security
   Command rejected: GigabitEthernet2/0/5 is a dynamic port.

2. On the 3750G the default switchport port-security maximum is 1; it does not appear in the configuration file even when set, so there is no need to set it.

3. On the 3750G the default switchport port-security violation is shutdown; it does not appear in the configuration file even when set, so there is no need to set it.
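The design section asks how long after a port-security maximum 1 port has learned one laptop a different laptop can be connected, and the command reference above answers it in terms of aging time and aging type. The following Python model is an added example, not part of the lab record or of Cisco IOS: it simulates a single secure port with the maximum, aging time (in minutes), aging type and violation mode from the commands above, and runs the laptop-swap scenario under each aging setting. The class SecurePort, the function laptop_swap and the MAC addresses (the first is the host from the lab's log, the second is made up) are this example's assumptions, and time is a plain minute counter supplied by the caller rather than a real clock.

```python
"""Simplified model of switchport port-security with aging and violation modes.

Added example, not from the lab record or Cisco IOS. It models one secure port
the way the command reference describes it: a maximum number of secure MAC
addresses, an aging time in minutes (0 = never age, the default), absolute or
inactivity aging, and the protect/restrict/shutdown violation modes.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1
    violation: str = "shutdown"       # protect | restrict | shutdown (default)
    aging_time: int = 0               # minutes; 0 disables aging (default)
    aging_type: str = "absolute"      # absolute (default) | inactivity
    secure: dict = field(default_factory=dict)          # mac -> [learned_at, last_seen]
    err_disabled: bool = False
    violations: int = 0
    notifications: list = field(default_factory=list)   # stand-in for syslog + SNMP trap

    def _age_out(self, now):
        """Remove secure addresses whose aging timer has expired at minute `now`."""
        if self.aging_time == 0:
            return
        for mac, (learned, last_seen) in list(self.secure.items()):
            reference = learned if self.aging_type == "absolute" else last_seen
            if now - reference >= self.aging_time:
                del self.secure[mac]

    def receive(self, mac, now):
        """Handle one frame from `mac` at minute `now`.

        Returns 'forward', 'drop' or 'err-disable'.
        """
        if self.err_disabled:
            return "drop"                      # port is down; nothing passes
        self._age_out(now)
        if mac in self.secure:
            self.secure[mac][1] = now          # refresh last_seen for inactivity aging
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[mac] = [now, now]      # learn as a dynamic secure address
            return "forward"
        # Over the maximum: this is a security violation (see the mode table).
        self.violations += 1
        if self.violation == "protect":
            return "drop"                      # silent drop: no trap, no syslog
        self.notifications.append(f"psecure-violation from {mac} at t={now}min")
        if self.violation == "restrict":
            return "drop"                      # drop + trap + syslog, port stays up
        self.err_disabled = True               # shutdown: port goes err-disabled
        return "err-disable"


def laptop_swap(aging_time, aging_type, swap_at, a_keeps_talking):
    """Laptop A is connected at t=0; laptop B replaces it at t=swap_at minutes.

    Returns the outcome of B's first frame, which is what the design section's
    test asks: how long until another laptop can use the port.
    """
    port = SecurePort(maximum=1, aging_time=aging_time, aging_type=aging_type)
    laptop_a, laptop_b = "d4be.d92d.1893", "0011.2233.4455"   # constructed
    port.receive(laptop_a, 0)
    if a_keeps_talking:
        port.receive(laptop_a, swap_at - 1)    # A still active shortly before the swap
    return port.receive(laptop_b, swap_at)


if __name__ == "__main__":
    print("no aging, swap after 10 min:         ", laptop_swap(0, "absolute", 10, False))
    print("absolute 5 min, A gone, swap at 6:   ", laptop_swap(5, "absolute", 6, False))
    print("absolute 5 min, A active, swap at 6: ", laptop_swap(5, "absolute", 6, True))
    print("inactivity 5 min, A active, swap at 6", laptop_swap(5, "inactivity", 6, True))
    print("inactivity 5 min, A silent, swap at 6", laptop_swap(5, "inactivity", 6, False))
```

Two points the run makes: with the default aging time of 0 the second laptop triggers a violation however long you wait, and with absolute aging the old address is removed on schedule but is immediately relearned if the old device is still sending, so a swap only succeeds once the original device has actually left the port (or, with inactivity aging, has been silent for the aging time). In restrict mode the same violation is counted and notified but the port stays up; protect drops silently, which is why the design above pairs shutdown with an SNMP trap so the administrator hears about it.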

