4. 【Cisco】#9 Switch Configuration 1
FORSE
Power on the switch.
Confirm with the LED (lamp) that the power is on.
① Start Tera Term on the PC
② Select "Serial"
③ Under Port, select the USB serial port
Step 1
Switches boot quickly (compared with routers).
If the setup dialog starts, enter no, or press Ctrl+C.
--- System Configuration Dialog ---
Would you like to enter the initial configuration dialog? [yes/no]:no
Press RETURN to get started!
Switch>enable
Switch#
Switch#configure terminal
Switch(config)#
Switch(config)#hostname SW-1
SW-1(config)#
SW-1(config)#no ip domain lookup
SW-1(config)#vtp mode transparent
SW-1(config)#line console 0
SW-1(config-line)#logging synchronous
SW-1(config-line)#exec-timeout 60 0
SW-1(config-line)#end
6. 【Cisco】#9 Switch Configuration 3
Step 7
Verify the port-security configuration on the interface.
Step 15
Confirm with show run interface that the MAC address of the PC currently plugged into the port has been registered.
SW-1#show run interface GigabitEthernet0/1
Building configuration...
Current configuration : 203 bytes
!
interface GigabitEthernet0/1
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky aaaa.bbbb.cccc vlan access ← sticky-learned MAC of the connected PC (placeholder value in this example)
end
SW-1#show port-security interface gigabitEthernet0/1
Port Security : Enabled ← port security is enabled
Port Status : Secure-up ← port is up and secured
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : bcc3.42ca.ba01:10 ← registered address confirmed
Security Violation Count : 0
Step 8
Verify the configuration.
Port with port security enabled → Gi0/1 in this exercise
Check the secure MAC address table.
SW-1#show port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
---------------------------------------------------------------------------
Gi0/1 1 1 0 Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192
SW-1#
SW-1#show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
10 bcc3.42ca.ba01 SecureSticky Gi0/1 -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192
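To run the same check across many ports or switches, the following Python script (an added example, not part of this handout and not a Cisco tool) parses "show port-security interface" output and reports every field that deviates from an expected baseline. The baseline values and the two sample outputs are constructed for illustration; SAMPLE_OK mirrors the Gi0/1 output above.

```python
"""Audit 'show port-security interface' output against an expected baseline.

Added example, not part of the handout. SAMPLE_OK and SAMPLE_VIOLATED are
constructed to match the lab's Gi0/1 before and after a violation; BASELINE is
an assumed policy (sticky learning, one address, shutdown on violation).
"""

# Constructed from the lab output: port up, one sticky address learned.
SAMPLE_OK = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : bcc3.42ca.ba01:10
Security Violation Count   : 0
"""

# Constructed: the same port after a second device was plugged in.
SAMPLE_VIOLATED = (
    SAMPLE_OK.replace("Secure-up", "Secure-shutdown")
    .replace("bcc3.42ca.ba01:10", "a813.7492.caf5:10")
    .replace("Violation Count   : 0", "Violation Count   : 1")
)

BASELINE = {
    "Port Security": "Enabled",
    "Port Status": "Secure-up",
    "Violation Mode": "Shutdown",
    "Maximum MAC Addresses": 1,
    "Security Violation Count": 0,
}


def parse_port_security(text):
    """Turn 'Key : Value' lines into a dict. The key itself may contain a colon
    ('Last Source Address:Vlan'), so split on the first ' : ' with spaces."""
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition(" : ")
        if sep:
            fields[key.strip()] = val.strip()
    return fields


def to_int(value):
    """'0 mins' -> 0, '1' -> 1."""
    return int(value.split()[0])


def last_source(text):
    """(mac, vlan) of the last frame the port saw."""
    mac, _, vlan = parse_port_security(text)["Last Source Address:Vlan"].rpartition(":")
    return mac, int(vlan)


def audit(text, baseline=BASELINE):
    """Return (field, expected, actual) for every deviation from the baseline;
    an empty list means the port is in the expected state."""
    fields = parse_port_security(text)
    findings = []
    for key, want in baseline.items():
        raw = fields.get(key)
        if raw is None:
            findings.append((key, want, None))
            continue
        got = to_int(raw) if isinstance(want, int) else raw
        if got != want:
            findings.append((key, want, got))
    # Port security that has learned or been given no address protects nothing yet.
    learned = to_int(fields.get("Sticky MAC Addresses", "0")) + to_int(
        fields.get("Configured MAC Addresses", "0")
    )
    if fields.get("Port Security") == "Enabled" and learned == 0:
        findings.append(("secure addresses", ">0", 0))
    return findings


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("violated", SAMPLE_VIOLATED)):
        print(name, last_source(sample), audit(sample) or "compliant")
```

Feed it the captured output of "show port-security interface" for each access port; any non-empty result is a port to look at, and last_source tells you which device caused it.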
8. 【Cisco】#9 Switch Configuration 5
Step 8
Connect a different PC to the port configured with port security and confirm that the console log shows the following:
up → violation → down
LED amber → off
Step 9
Enter show int gi0/1 and confirm that the port status is err-disabled.
Behavior when a port-security violation occurs
SW-1#
*Mar 1 06:00:37.292: %LINK-3-UPDOWN: Interface GigabitEthernet0/1,
changed state to up
*Mar 1 06:00:38.293: %LINEPROTO-5-UPDOWN: Line protocol on Interface
GigabitEthernet0/1, changed state to up
*Mar 1 06:00:51.248: %PM-4-ERR_DISABLE: psecure-violation error detected
on Gi0/1, putting Gi0/1 in err-disable state
*Mar 1 06:00:51.248: %PORT_SECURITY-2-PSECURE_VIOLATION: Security
violation occurred, caused by MAC address bcc3.42ca.ba01 on port
GigabitEthernet0/1.
*Mar 1 06:00:52.250: %LINEPROTO-5-UPDOWN: Line protocol on Interface
GigabitEthernet0/1, changed state to down
*Mar 1 06:00:53.251: %LINK-3-UPDOWN: Interface GigabitEthernet0/1,
changed state to down
SW-1#show interfaces gigabitEthernet 0/1 | include line protocol
GigabitEthernet0/1 is down, line protocol is down (err-disabled)
SW-1#show port-security interface gigabitEthernet 0/1
Port Security : Enabled
Port Status : Secure-shutdown ← the port has been shut down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : a813.7492.caf5:10 ← most recent source MAC
Security Violation Count : 1 ← number of violations
SW-1# show port-security address
Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
10 bcc3.42ca.ba01 SecureSticky Gi0/1 -
-----------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 8192
↑ the registered (sticky) MAC is still in the table
10. 【Cisco】#9 Switch Configuration 7
Step 12 Enable automatic recovery from security violations
Step 13 Verify the configuration
Step 14 Verify automatic recovery
Swap ports with the person next to you and wait for the console output
SW-1(config)#errdisable recovery cause psecure-violation
SW-1(config)#errdisable recovery interval 120
Step 15 Check port security and the port status.
Step 16 Move your own PC back
Step 17 Check port security and the port status
SW-1#show errdisable recovery | include psecure
psecure-violation Enabled ← recovery enabled for port-security violations
SW-1#show errdisable recovery | include Timer interval
Timer interval: 120 seconds ← automatic recovery after 2 minutes
Mar 30 04:40:06.088: %PM-4-ERR_RECOVER: Attempting to recover from psecure-
violation err-disable state on Gi0/1
SW-1#
Mar 30 04:40:16.898: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state
to up
Mar 30 04:40:17.900: %LINEPROTO-5-UPDOWN: Line protocol on Interface
GigabitEthernet0/1, changed state to up
SW-1#
Mar 30 04:40:30.587: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1,
putting Gi0/1 in err-disable state
SW-1#
Mar 30 04:40:30.593: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation
occurred, caused by MAC address a813.7492.caf5 on port GigabitEthernet0/1.
SW-1#
Mar 30 04:40:31.589: %LINEPROTO-5-UPDOWN: Line protocol on Interface
GigabitEthernet0/1, changed state to down
SW-1#
Mar 30 04:40:32.596: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state
to down
SW-1#show port-security interface gigabitEthernet 0/1
Port Security : Enabled
Port Status : Secure-shutdown ← port disabled
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : a813.7492.caf5:10
Security Violation Count : 1
SW-1#show port-security interface gigabitEthernet 0/1
Port Security : Enabled
Port Status : Secure-up ← port enabled again
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : a813.7492.caf5:10
Security Violation Count : 0
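The console messages on this slide and on the violation slide before it are what a syslog collector sees. The following Python script (an added example, not from this handout and not a Cisco tool) parses those lines, counts violations per port and flags a "flap": a violation that arrives within a short window after %PM-4-ERR_RECOVER, which is exactly what happens when the violating device is still attached when the recovery timer fires, as in the log above. The sample log lines are constructed to mirror that sequence, and the 60-second window is an assumption.

```python
"""Parse Cisco IOS port-security syslog and flag devices that keep violating.

Added example, not from the handout. SAMPLE_LOG is constructed to mirror the
lab sequence: violation -> err-disable -> timed recovery -> the same device
violates again as soon as the port comes back. The 60 s "flap" window is an
assumption chosen for illustration.
"""
import re
from datetime import datetime

# IOS syslog timestamp: "Mar 30 04:40:30.593: " or "*Mar  1 06:00:51.248: " (no year).
TS_RE = re.compile(
    r"^\*?(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d\.\d+): "
)
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>\S+)\."
)
RECOVER_RE = re.compile(
    r"%PM-4-ERR_RECOVER: Attempting to recover from psecure-violation "
    r"err-disable state on (?P<port>\S+)"
)

# Constructed log lines in the format the lab console prints.
SAMPLE_LOG = """\
Mar 30 04:35:51.248: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
Mar 30 04:35:51.248: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address a813.7492.caf5 on port GigabitEthernet0/1.
Mar 30 04:35:53.251: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Mar 30 04:40:06.088: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Gi0/1
Mar 30 04:40:16.898: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
Mar 30 04:40:30.587: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/1, putting Gi0/1 in err-disable state
Mar 30 04:40:30.593: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address a813.7492.caf5 on port GigabitEthernet0/1.
"""


def short_ifname(name):
    """'GigabitEthernet0/1' -> 'Gi0/1': the violation and recovery messages name
    the same port differently, so key everything on the short form."""
    m = re.match(r"([A-Za-z]{2})[A-Za-z]*(\S+)", name)
    return m.group(1) + m.group(2) if m else name


def parse_ts(line):
    """Timestamp of a syslog line, or None. IOS omits the year; a fixed year is
    fine because only differences between timestamps are used."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S.%f")


def analyze(log, flap_window=60.0):
    """Per port: number of violations, the offending MACs, and 'flaps', i.e.
    violations within flap_window seconds of an ERR_RECOVER on the same port
    (the rogue device is still attached when the timer re-enables the port)."""
    report = {}
    last_recover = {}
    for line in log.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue
        if (m := RECOVER_RE.search(line)):
            last_recover[short_ifname(m["port"])] = ts
        elif (m := VIOLATION_RE.search(line)):
            port = short_ifname(m["port"])
            entry = report.setdefault(port, {"violations": 0, "offenders": set(), "flaps": []})
            entry["violations"] += 1
            entry["offenders"].add(m["mac"])
            if port in last_recover:
                gap = (ts - last_recover[port]).total_seconds()
                if 0 <= gap <= flap_window:
                    entry["flaps"].append((m["mac"], round(gap, 3)))
    return report


if __name__ == "__main__":
    for port, info in analyze(SAMPLE_LOG).items():
        print(port, info)
```

A port that flaps on every recovery cycle is a device that is not going away on its own; with errdisable recovery enabled the switch will keep re-opening it every 120 seconds, so the flap list is the thing to alert on rather than the individual violations.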
13. 【Cisco】#9 Switch Configuration 8
Enter the RADIUS configuration
Step 18 Create a local user (preparation for enabling dot1x authentication)
Step 19 Enable AAA
Step 20 Console and telnet use local authentication
Step 21 Register the RADIUS server
Step 22 Enable dot1x
Step 24
Ports 3 through 8 perform MAC address authentication
Verify the RADIUS configuration
Step 25 Check the RADIUS server IP address, ports, and key
Verify the interface configuration
SW-1(config)#username cisco password cisco ← lab credentials only; outside the lab use "username ... secret ..." so the password is stored hashed instead of in cleartext or reversible type 7
SW-1(config)#aaa new-model
SW-1(config)#radius server FreeRadius
SW-1(config-radius-server)#address ipv4 192.168.210.201 auth-port 1812 acct-port 1813
SW-1(config-radius-server)#key s-key ← pre-shared key
SW-1(config-radius-server)#exit
SW-1(config)#aaa authentication login console local
SW-1(config)#line console 0
SW-1(config-line)#login authentication console
SW-1(config-line)#line vty 0 4
SW-1(config-line)#login authentication console
SW-1(config-line)#exit
SW-1(config)#dot1x system-auth-control
SW-1(config)#aaa authentication dot1x default group radius
SW-1(config)#interface range GigabitEthernet0/3 - 8
SW-1(config-if-range)#authentication port-control auto
SW-1(config-if-range)#authentication order mab
SW-1(config-if-range)#mab ← enable MAB (MAC Authentication Bypass, i.e. MAC-address authentication)
SW-1(config-if-range)#authentication timer restart 0 ← restart timer: how long an unauthorized port waits before retrying authentication
SW-1#sh run | section radius server
radius server FreeRadius
address ipv4 192.168.210.201 auth-port 1812 acct-port 1813
key s-key
SW-1#sh run | section interface GigabitEthernet0/6
interface GigabitEthernet0/6
switchport access vlan 10
switchport mode access
authentication order mab
authentication port-control auto
mab
SW-1#
14. 【Cisco】#9 Switch Configuration 9
Verifying MAC address authentication (MAB)
Step 26 With the MAC address not yet registered, cable the port and confirm that the PC cannot connect
Step 27 Register the MAC address
1. Find the MAC address to register from step 25; the example in this guide is a8137492d0ee
2. Connect to the RADIUS server in a separate Tera Term session
Step 28
Register the MAC address
Step 29
Connect the cable
Confirm that MAC address authentication succeeds (console output)
Step 30 Confirm that authentication has succeeded
Mar 31 06:33:16.538: %AUTHMGR-5-START: Starting 'mab' for client (a813.7492.d0ee) on Interface
Gi0/5 AuditSessionID C0A8D2FD00000029063E62FA
Mar 31 06:33:17.545: %MAB-5-FAIL: Authentication failed for client (a813.7492.d0ee) on Interface
Gi0/5 AuditSessionID C0A8D2FD00000029063E62FA
Mar 31 06:33:17.545: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for
client (a813.7492.d0ee) on Interface Gi0/5 AuditSessionID C0A8D2FD00000029063E62FA
Mar 31 06:33:17.545: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (a813.7492.d0ee) on Interface
Gi0/5 AuditSessionID C0A8D2FD00000029063E62FA
Mar 31 06:33:17.545: %AUTHMGR-7-NOMOREMETHODS: Exhausted all authentication methods for
client (a813.7492.d0ee) on Interface Gi0/5 AuditSessionID C0A8D2FD00000029063E62FA
Mar 31 06:33:17.545: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client
(a813.7492.d0ee) on Interface Gi0/5 AuditSessionID C0A8D2FD00000029063E62FA
Register the MAC address
[root@Rabo9AthSV raddb]# vi /etc/raddb/users
#4SE-006
a8137492d0ee Cleartext-Password := "a8137492d0ee"
Restart the RADIUS daemon
[root@Rabo9AthSV raddb]# systemctl restart radiusd
%LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to up
Mar 31 06:33:19.474: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/5,
changed state to up
Mar 31 06:34:18.142: %AUTHMGR-5-START: Starting 'mab' for client (a813.7492.d0ee) on Interface
Gi0/5 AuditSessionID C0A8D2FD00000029063E62FA
Mar 31 06:34:18.147: %MAB-5-SUCCESS: Authentication successful for client (a813.7492.d0ee) on
Interface Gi0/5 AuditSessionID C0A8D2FD00000029063E62FA
Mar 31 06:34:18.147: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client
(a813.7492.d0ee) on Interface Gi0/5 AuditSessionID C0A8D2FD00000029063E62FA
Mar 31 06:34:19.170: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (a813.7492.d0ee)
on Interface Gi0/5 AuditSessionID C0A8D2FD00000029063E62FA
SW-1#show authentication sessions
Interface MAC Address Method Domain Status Session ID
Gi0/6 bcc3.42ca.ba01 mab DATA Authz Success C0A8D2FC000000170130F03A
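The users entry registered in step 28 only works if the User-Name and User-Password the switch sends match the file exactly: with IOS defaults MAB sends the MAC as 12 lowercase hex digits without separators in both attributes (the format is configurable with "mab request format attribute 1"). The following Python script (an added example, not part of this handout and not FreeRADIUS code) generates an entry from any common MAC notation and emulates the lookup, so that a mistake such as stray spaces inside the quotes shows up before radiusd is restarted. The users-file parser is limited to the Cleartext-Password lines this lab uses, and the sample entries are constructed.

```python
"""Build and check FreeRADIUS 'users' entries for Cisco MAB.

Added example, not from the handout or FreeRADIUS. Assumes the IOS default
MAB username format (12 lowercase hex digits, no separators) sent as both
User-Name and User-Password, and handles only 'name Cleartext-Password := "pw"'
lines, which is all this lab puts in /etc/raddb/users.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
# name  Cleartext-Password := "value"   (whitespace around ':=' is optional)
_ENTRY_RE = re.compile(r'^(?P<name>\S+)\s+Cleartext-Password\s*:=\s*"(?P<pw>[^"]*)"')


def normalize_mac(mac):
    """'a813.7492.d0ee', 'A8:13:74:92:D0:EE' or 'a8-13-74-92-d0-ee' -> 'a8137492d0ee',
    the string the switch sends as the MAB User-Name (IOS default format)."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def users_entry(mac, comment=None):
    """One users-file entry allowing this MAC through MAB, with an optional '#' comment above."""
    m = normalize_mac(mac)
    entry = f'{m}\tCleartext-Password := "{m}"'
    return f"#{comment}\n{entry}" if comment else entry


def parse_users(text):
    """User-Name -> Cleartext-Password. Comments and blank lines are skipped.
    Whatever sits between the quotes is the password, spaces included."""
    creds = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ENTRY_RE.match(line)
        if m:
            creds[m["name"]] = m["pw"]
    return creds


def mab_authenticate(users_text, switch_mac):
    """Emulate the Access-Request MAB generates: User-Name and User-Password are
    both the normalized MAC, and it is accepted only on an exact match."""
    user = normalize_mac(switch_mac)
    return parse_users(users_text).get(user) == user


if __name__ == "__main__":
    # Constructed: the lab's entry with stray spaces inside the quotes.
    broken = 'a8137492d0ee Cleartext-Password := " a8137492d0ee "'
    good = users_entry("a813.7492.d0ee", comment="4SE-006")
    print(good)
    print("broken entry accepts client:", mab_authenticate(broken, "a813.7492.d0ee"))
    print("fixed entry accepts client: ", mab_authenticate(good, "a813.7492.d0ee"))
```

Because the "password" is the MAC itself, MAB is an allow-list of link-layer addresses, not an authentication of the device: anyone who can read a permitted MAC off the wire can spoof it, which is why the handout keeps dot1x available and uses MAB only for the ports that need it.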