Blocking a MAC address on an Extreme switch
There are two ways to block a specific MAC address on an Extreme switch running EXOS: using an access list (ACL), or adding an entry to the fdb (forwarding database).
First, identify the MAC address to block. Here the address 50:b7:c3:8d:ad:d6 is confirmed with show iparp.
* SWITCH # show iparp
VR            Destination      Mac                Age  Static  VLAN   VID  Port
...
VR-Default    192.168.100.206  98:de:d0:cf:ca:b9    7  NO      V132   132  20
VR-Default    192.168.100.222  50:b7:c3:8d:ad:d6   14  NO      V132   132  23
VR-Default    192.168.100.225  18:67:b0:d3:47:a2    3  NO      V132   132  23
...
Dynamic Entries   : 23        Static Entries   : 0        Pending Entries : 0
In Request        : 890655    In Response      : 74618
Out Request       : 75297     Out Response     : 7515
Failed Requests   : 0         Proxy Answered   : 0
Rx Error          : 0         Dup IP Addr      : 0.0.0.0
Rejected Count    : 23944     Rejected IP      : 169.254.94.229
Rejected Port     : 52        Rejected I/F     : V132
Max ARP entries   : 8192      Max ARP pending entries : 256
ARP address check : Enabled   ARP refresh      : Enabled
Timeout           : 20 minutes
ARP Sender-Mac Learning : Disabled
Locktime          : 1000 milliseconds
Retransmit Time   : 1000 milliseconds
Reachable Time    : 900000 milliseconds (Auto)
Fast Convergence  : Off
1. Using an ACL (access-list)
Check the current ACLs first.
* SWITCH # show access-list
No entry found!
Create the file block_MAC.pol with the vi editor, with the contents shown below.
* SWITCH # vi block_MAC.pol
entry block_MAC {
    if {
        ethernet-source-address 50:b7:c3:8d:ad:d6;
    } then {
        deny;
    }
}
Apply it to the VLAN with the configure command as shown below.
* SWITCH # configure access-list block_MAC vlan V132
done!
Verify that the policy file is valid (syntax check).
* SWITCH # check policy block_MAC
Policy file check successful.
Verify that the ACL has been applied.
* SWITCH # sh access-list
Vlan Name   Port   Policy Name   Dir       Rules   Dyn Rules
===================================================================
V132        *      block_MAC     ingress   1       0
To unblock the MAC address, use the unconfigure command as shown below.
* SWITCH # unconfigure access-list block_MAC
done!
2. Using the fdb (forwarding database)
Check the fdb.
* SWITCH # show fdb
Mac                     Vlan       Age  Flags         Port / Virtual Port List
------------------------------------------------------------------------------
...
50:b7:c3:8d:ad:d6       V132(0132) 0000 spm  Bb        23
...
Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP,
        x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror,
        B - Egress Blackhole, b - Ingress Blackhole, v - MAC-Based VLAN,
        P - Private VLAN, T - VLAN translation, D - drop packet, h - Hardware Aging,
        o - IEEE 802.1ah Backbone MAC, S - Software Controlled Deletion,
        r - MSRP, R - TRILL Rbridge, Z - OpenFlow
Total: 20 Static: 1 Perm: 1 Dyn: 19 Dropped: 0 Locked: 0 Locked with Timeout: 0
FDB Aging time: 300
Block the MAC address in the fdb by creating a blackhole entry as shown below; the entry then carries the B (Egress Blackhole) and b (Ingress Blackhole) flags.
* SWITCH # create fdbentry 50:b7:c3:8d:ad:d6 V132 blackhole
* SWITCH # show fdb
Mac                     Vlan       Age  Flags         Port / Virtual Port List
------------------------------------------------------------------------------
...
50:b7:c3:8d:ad:d6       V132(0132) 0000 spm  Bb
...
Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP,
        x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror,
        B - Egress Blackhole, b - Ingress Blackhole, v - MAC-Based VLAN,
        P - Private VLAN, T - VLAN translation, D - drop packet, h - Hardware Aging,
        o - IEEE 802.1ah Backbone MAC, S - Software Controlled Deletion,
        r - MSRP, R - TRILL Rbridge, Z - OpenFlow
Total: 20 Static: 1 Perm: 1 Dyn: 19 Dropped: 0 Locked: 0 Locked with Timeout: 0
FDB Aging time: 300
* SWITCH # show fdb blackhole
Mac                     Vlan       Age  Flags         Port / Virtual Port List
------------------------------------------------------------------------------
50:b7:c3:8d:ad:d6       V132(0132) 0000 spm  Bb
Flags : d - Dynamic, s - Static, p - Permanent, n - NetLogin, m - MAC, i - IP,
        x - IPX, l - lockdown MAC, L - lockdown-timeout MAC, M- Mirror,
        B - Egress Blackhole, b - Ingress Blackhole, v - MAC-Based VLAN,
        P - Private VLAN, T - VLAN translation, D - drop packet, h - Hardware Aging,
        o - IEEE 802.1ah Backbone MAC, S - Software Controlled Deletion,
        r - MSRP, R - TRILL Rbridge, Z - OpenFlow
Total: 16 Static: 1 Perm: 1 Dyn: 15 Dropped: 0 Locked: 0 Locked with Timeout: 0
FDB Aging time: 300
To unblock the MAC address, delete the fdb entry as shown below.
* SWITCH # delete fdbentry 50:b7:c3:8d:ad:d6 V132
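As an added example that ties both methods together (this is not code from the post, and EXOS itself does not run it): a small Python helper that writes a block_MAC.pol-style policy with one deny entry per MAC address, following the entry/if/then/deny layout shown above (the numbered entry names block_MAC_1, block_MAC_2 are an assumption), and parses show fdb output to report which addresses carry the B/b blackhole flags. The fdb listing embedded in it is constructed to mimic the output above.

```python
import re

# Added example, not the page's code: build an EXOS-style deny policy for a MAC list
# and read "show fdb" output for blackhole entries. Entry names are an assumption.
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")
FDB_LINE_RE = re.compile(r"^([0-9a-f:]{17})\s+(\S+)\s+(\d+)\s+(.*)$")

def normalize_mac(mac: str) -> str:
    """Accept 50-B7-C3-8D-AD-D6 or 50:b7:... and return the lowercase colon form."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac

def build_block_policy(macs, name="block_MAC") -> str:
    """One deny entry per source MAC; entry names must be unique within a .pol file."""
    entries = []
    for i, mac in enumerate(macs, 1):
        entries.append(
            f"entry {name}_{i} {{\n"
            f"    if {{\n        ethernet-source-address {normalize_mac(mac)};\n    }}"
            f" then {{\n        deny;\n    }}\n}}\n"
        )
    return "".join(entries)

def blackholed_macs(fdb_output: str) -> dict:
    """Map MAC -> VLAN for fdb rows whose flags include B (egress) or b (ingress) blackhole."""
    found = {}
    for line in fdb_output.splitlines():
        m = FDB_LINE_RE.match(line.strip())
        if not m:                      # header, separator and legend lines are skipped
            continue
        mac, vlan, _age, rest = m.groups()
        flags = "".join(ch for ch in rest if ch.isalpha())   # drop port numbers/spaces
        if "B" in flags or "b" in flags:
            found[mac] = vlan.split("(")[0]                  # V132(0132) -> V132
    return found

def verify_blocked(macs, fdb_output: str) -> list:
    """Return the requested MACs that still have no blackhole fdb entry."""
    blocked = blackholed_macs(fdb_output)
    return [normalize_mac(m) for m in macs if normalize_mac(m) not in blocked]

# Constructed sample modelled on the "show fdb" listing above (not a real capture)
SAMPLE_FDB = """Mac                     Vlan       Age  Flags         Port / Virtual Port List
------------------------------------------------------------------------------
50:b7:c3:8d:ad:d6       V132(0132) 0000 spm  Bb
98:de:d0:cf:ca:b9       V132(0132) 0007 d m           20
Flags : d - Dynamic, s - Static, p - Permanent, B - Egress Blackhole, b - Ingress Blackhole
"""
```

Feed the output of show fdb (or show fdb blackhole) to verify_blocked to confirm every intended address is actually blackholed before relying on the block.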