Vswitch Port Security

Source: Internet
Author: User

The most common understanding of port security is controlling and managing network traffic by MAC address: binding a MAC address to a specific port, limiting the number of MAC addresses a port may use, or stopping frames from certain MAC addresses from passing through a port. Port security can also mean controlling network access with 802.1X. First, binding MAC addresses to ports and permitting traffic by MAC address.

1. Binding a MAC address to a port. When the MAC address of the host on the port differs from the MAC address configured on the switch, the switch puts the port into the err-disabled state (the port goes down). To configure a MAC address on a port, the port must be in access or trunk mode (not dynamic), and port security itself must be enabled on the interface with switchport port-security before any of its options take effect. IOS writes MAC addresses in dotted hexadecimal (0090.f510.79c1), not 00-90-F5-10-79-C1.

   3550-1# conf t
   3550-1(config)# int f0/1
   3550-1(config-if)# switchport mode access                                 ! set the port mode
   3550-1(config-if)# switchport port-security                               ! enable port security on the interface
   3550-1(config-if)# switchport port-security mac-address 0090.f510.79c1   ! the only MAC address permitted on this port
   3550-1(config-if)# switchport port-security maximum 1                    ! allow at most one MAC address
   3550-1(config-if)# switchport port-security violation shutdown           ! on a violation, err-disable the port

   A port err-disabled by a violation stays down until it is bounced with shutdown followed by no shutdown, or until errdisable recovery cause psecure-violation is configured so that the switch re-enables it after the recovery interval.

2. Limiting port traffic by MAC address count. This configuration lets a trunk port carry up to 100 MAC addresses; once the limit is reached, frames from new hosts are discarded.

   3550-1# conf t
   3550-1(config)# int f0/1
   3550-1(config-if)# switchport trunk encapsulation dot1q
   3550-1(config-if)# switchport mode trunk                                  ! set the port mode to trunk
   3550-1(config-if)# switchport port-security                               ! enable port security on the interface
   3550-1(config-if)# switchport port-security maximum 100                  ! allow at most 100 MAC addresses
   3550-1(config-if)# switchport port-security violation protect            ! above 100, the port stays up but frames from new hosts are dropped

   Note that protect drops those frames silently: no log message, no SNMP trap, and the violation counter does not increase. violation restrict drops the same frames but logs them and increments the counter, which is the better choice when you want to notice that the limit is being hit.
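The two listings above are easy to get wrong by hand: the enabling command is forgotten, the MAC address is pasted in the wrong notation, or more static addresses are configured than the maximum allows. The following Python script is an added example, not code from the original article; it renders the same interface configuration from a small inventory while checking those constraints first. The hostname, interface names and MAC addresses in SAMPLE_POLICIES are constructed, and the PortPolicy class and its methods are this example's own names.

```python
"""Generate Catalyst port-security configuration from a small inventory.

Added example; it is not code from the original article. It encodes the
rules the article gives for Cisco IOS port security: the port must be in
access or trunk mode, 'switchport port-security' must be present before
any of its options take effect, the number of static MAC addresses may not
exceed 'maximum', and IOS writes MAC addresses in dotted form
(0090.f510.79c1). Interface names and MAC addresses in SAMPLE_POLICIES
are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List

VIOLATION_MODES = ("shutdown", "restrict", "protect")
MAC_DIGITS = re.compile(r"[0-9a-f]{12}")


def normalize_mac(mac: str) -> str:
    """Return the IOS dotted form of a MAC written as 00-90-F5-10-79-C1,
    00:90:f5:10:79:c1 or 0090.f510.79c1; raise ValueError otherwise."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not MAC_DIGITS.fullmatch(digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


@dataclass
class PortPolicy:
    interface: str                    # e.g. "FastEthernet0/1"
    mode: str = "access"              # "access" or "trunk"
    maximum: int = 1                  # switchport port-security maximum
    violation: str = "shutdown"       # shutdown | restrict | protect
    static_macs: List[str] = field(default_factory=list)

    def problems(self) -> List[str]:
        """Check the policy against the constraints IOS enforces."""
        errs = []
        if self.mode not in ("access", "trunk"):
            errs.append(f"{self.interface}: port security requires access or trunk mode, not {self.mode!r}")
        if self.violation not in VIOLATION_MODES:
            errs.append(f"{self.interface}: unknown violation mode {self.violation!r}")
        if self.maximum < 1:
            errs.append(f"{self.interface}: maximum must be at least 1")
        normalized = []
        for mac in self.static_macs:
            try:
                normalized.append(normalize_mac(mac))
            except ValueError as exc:
                errs.append(f"{self.interface}: {exc}")
        if len(set(normalized)) != len(normalized):
            errs.append(f"{self.interface}: duplicate static MAC address")
        if len(self.static_macs) > self.maximum:
            errs.append(f"{self.interface}: {len(self.static_macs)} static MACs exceed maximum {self.maximum}")
        return errs

    def render(self) -> List[str]:
        """Return the interface configuration lines, in an order IOS accepts."""
        errs = self.problems()
        if errs:
            raise ValueError("; ".join(errs))
        lines = [f"interface {self.interface}"]
        if self.mode == "trunk":
            lines.append(" switchport trunk encapsulation dot1q")
        lines.append(f" switchport mode {self.mode}")
        lines.append(" switchport port-security")          # enable before setting options
        lines.append(f" switchport port-security maximum {self.maximum}")
        lines.append(f" switchport port-security violation {self.violation}")
        for mac in self.static_macs:
            lines.append(f" switchport port-security mac-address {normalize_mac(mac)}")
        return lines


def render_config(policies: List[PortPolicy]) -> str:
    """Render all policies as one configuration fragment ('!' separates interfaces)."""
    out = []
    for policy in policies:
        out.extend(policy.render())
        out.append("!")
    return "\n".join(out)


# Constructed sample inventory: one locked-down access port, one trunk with a cap.
SAMPLE_POLICIES = [
    PortPolicy("FastEthernet0/1", static_macs=["00-90-F5-10-79-C1"]),
    PortPolicy("FastEthernet0/24", mode="trunk", maximum=100, violation="restrict"),
]

if __name__ == "__main__":
    print(render_config(SAMPLE_POLICIES))
```

Run it and paste the output into configuration mode. The trunk sample uses restrict rather than protect so that a host beyond the limit produces a log entry instead of disappearing silently.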
The preceding configuration permits traffic by MAC address; the following configuration rejects traffic by MAC address.

1. Unicast MAC filtering. On the Catalyst switch this filters unicast traffic only; it cannot be applied to multicast or broadcast addresses. A static entry with the drop keyword discards frames sent from or to that address in the given VLAN:

   3550-1# conf t
   3550-1(config)# mac-address-table static 0090.f510.79c1 vlan 2 drop   ! discard traffic for this MAC address in VLAN 2

   The similar-looking interface form is not a filter. It creates a static forwarding entry that pins the MAC address to one port, so frames for that address are forwarded only to that port and the entry never ages out:

   3550-1# conf t
   3550-1(config)# mac-address-table static 0090.f510.79c1 vlan 2 interface f0/1   ! static entry: this MAC address is reachable via f0/1 only

Finally, the concepts and configuration of 802.1X. 802.1X (IEEE port-based network access control) is best known from wireless networks but was defined for wired LAN ports, and it is supported on ordinary switches and routers. It authenticates the user per port: when traffic from a user's host arrives at a port configured for 802.1X, the user must first authenticate, and only after a valid authentication is the host allowed onto the network. The advantage is that intranet users are authenticated before they get network access, the configuration is centralized, and, when the RADIUS server checks credentials against a directory such as Windows AD, existing accounts can be reused.

To configure 802.1X, first enable AAA authentication globally. This is not much different from AAA on a network border, except that the authentication type is dot1x. Then enable 802.1X globally and on each interface. (We recommend enabling 802.1X on all access ports and managing user names and passwords on a RADIUS server.) The switch does not terminate EAP itself; it relays EAP between the supplicant on the host and the RADIUS server, so the dot1x method list must point at RADIUS (group radius). The switch's local user name and password database cannot serve as an 802.1X authentication method.

   3550-1# conf t
   3550-1(config)# aaa new-model                                                                 ! enable AAA
   3550-1(config)# radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RadiusSecret   ! RADIUS server and shared secret (placeholder values)
   3550-1(config)# aaa authentication dot1x default group radius                                ! authenticate 802.1X against RADIUS
   3550-1(config)# dot1x system-auth-control                                                     ! enable 802.1X globally
   3550-1(config)# int range f0/1 - 24
   3550-1(config-if-range)# switchport mode access                                               ! 802.1X is not supported on trunk, dynamic or EtherChannel ports
   3550-1(config-if-range)# dot1x port-control auto                                              ! require authentication on all 24 ports
Note that MAC addresses can also be controlled through access lists instead of the configuration above: classic IOS uses the numbered 700-799 range for 48-bit MAC address lists, and the Catalyst 3550 offers named extended MAC ACLs (mac access-list extended, applied to a port with mac access-group). Controlling traffic with access lists is more cumbersome, however, and seems to be rarely used, so it is not discussed here. MAC address binding improves intranet security to some extent, but the effect is limited: any host can set its MAC address to whatever it likes, so binding stops accidental or careless connections rather than a deliberate attacker. We recommend the 802.1X authentication protocol instead; it is the better choice for controllability and manageability.

Supplement: reconfiguring a port-security binding. Once the PC on an access port is replaced, the port has to be reconfigured. To clear the old MAC address bound to the port and bind the new one:

1. shutdown the port.
2. Remove the old binding (no switchport port-security mac-address <old MAC>, or clear port-security all interface fa0/*, where * is the port number). With maximum 1 the old entry must go before a new one is accepted.
3. Bind the new MAC address with switchport port-security mac-address <new MAC>.
4. clear arp-cache, so the switch does not keep the old address in its ARP table.
5. no shutdown on the port.
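The recovery procedure above starts from knowing which port tripped and why. The following Python script is an added example, not code from the original article: it parses the summary table of show port-security and reports ports with a non-zero violation counter (with the shutdown action, that port is err-disabled and needs the bounce described above) and ports in protect mode, whose drops never reach the counter or the log. SAMPLE_OUTPUT is a constructed sample in the table layout Catalyst switches print; in practice you would feed in text captured from the switch.

```python
"""Parse 'show port-security' output and flag ports that need attention.

Added example, not code from the original article. SAMPLE_OUTPUT is a
constructed sample in the table format Catalyst switches print; in practice
you would feed in text captured from the switch. A port with a non-zero
violation counter has already tripped its violation action (for the
shutdown action that means the port is err-disabled), and a port in protect
mode drops frames from unknown hosts with no log and no counter, so the
table is the only place those silent drops can be anticipated.
"""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  3         Shutdown
      Fa0/2              1            1                  0         Shutdown
      Fa0/5            100          100                  0          Protect
     Fa0/12              2            1                  1         Restrict
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 99
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# One data row: port, max, current, violations, action. Header, separator
# and total lines do not match because their second field is not numeric.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$")


@dataclass
class PortStatus:
    port: str
    max_addr: int
    current: int
    violations: int
    action: str


def parse_port_security(text: str) -> List[PortStatus]:
    """Extract one PortStatus per data row of the summary table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(PortStatus(m.group(1), int(m.group(2)), int(m.group(3)),
                                   int(m.group(4)), m.group(5)))
    return rows


def findings(rows: List[PortStatus]) -> List[str]:
    """Return one message per condition an operator should look at."""
    out = []
    for r in rows:
        if r.violations > 0:
            msg = f"{r.port}: {r.violations} violation(s), action {r.action}"
            if r.action == "Shutdown":
                msg += " (port went err-disabled; fix the binding, then shutdown / no shutdown)"
            out.append(msg)
        if r.action == "Protect":
            table = "full" if r.current >= r.max_addr else f"{r.current}/{r.max_addr} used"
            out.append(f"{r.port}: protect mode drops frames from unknown hosts silently "
                       f"(secure address table {table}); use restrict to get a log and counter")
    return out


if __name__ == "__main__":
    for line in findings(parse_port_security(SAMPLE_OUTPUT)):
        print(line)
```

A port whose table is full in protect mode is the case the article's second listing creates: the 101st host simply loses connectivity, and nothing on the switch says so until this table is read.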
