About switch settings for IP-MAC Address binding

Source: Internet
Author: User
Tags: cisco 2950

Note: Relationship between the IP address and the MAC address: the IP address is assigned according to the current IPv4 standard; it is easy to remember, is not tied to hardware, and is 4 bytes long. The MAC address is the physical address of the network card; it is stored in the card's EPROM, is tied to the hardware, is hard to remember, and is 6 bytes long.
In TCP/IP networks, computers usually need an IP address in order to communicate. However, computers actually communicate using the MAC addresses of their NICs, not the IP addresses; the IP address is only used to look up the MAC address of the target computer.
ARP is used to tell other computers and network devices which MAC address corresponds to an IP address. A computer's ARP cache contains one or more tables that store IP addresses and the Ethernet MAC addresses resolved for them. After a computer has communicated with another IP address, the corresponding MAC address is kept in the ARP cache, so the next communication with that IP address does not query for the MAC address again but uses the cached entry directly.
In a switched network, the switch also maintains a MAC address table and forwards frames to the target computer based on the MAC address. (Reprinted from net130)
Why bind a MAC address to an IP address: an IP address is very easy to change, whereas the MAC address is stored in the EEPROM of the NIC and is unique to that NIC. Therefore, to prevent internal personnel from using illegal IP addresses (for example, taking the IP address of a person with higher permissions in order to obtain information beyond their own permissions), you can bind the IP addresses of the internal network to MAC addresses: even if the IP address is changed, the attempt fails because the MAC address does not match. In addition, because the MAC address of a NIC is unique and fixed, the NIC that carries a given MAC address can be located from that address, so the person responsible can be identified.
Currently, many internal networks use MAC address and IP address binding. Next we introduce the IP and MAC binding settings on Cisco switches.
There are three solutions available on Cisco switches. Solution 1 and solution 2 provide the same function: binding the MAC address (NIC hardware address) of a specific host to a specific switch port. Solution 3 binds both the MAC address (NIC hardware address) of a specific host and its IP address to a specific switch port.
1. Solution 1 - Port-based MAC address binding
Take the Cisco 2950 switch as an example. Log on to the switch, enter the management password to reach configuration mode, and then run the following commands:
Switch# configure terminal
# Enter global configuration mode
Switch(config)# interface fastethernet 0/1
# Enter the configuration mode of the specific port
Switch(config-if)# switchport mode access
# Port security can only be enabled on a static access port, so set the port mode first
Switch(config-if)# switchport port-security
# Enable port security on the port
Switch(config-if)# switchport port-security mac-address MAC
# Bind the port to the host's MAC address (replace MAC with the MAC address of the host)
Switch(config-if)# no switchport port-security mac-address MAC
# Delete the bound MAC address of the host
Note:
The above commands bind a specific MAC address to one port on the switch, so that only that host can use the network through the port. If the host's NIC is replaced, or another PC is connected to this port, it will have no network access unless the MAC address bound to the port is deleted or changed.
Note:
The preceding functions are applicable to Cisco 2950, 3550, 4500, and 6500 series switches.
2. Solution 2 - Extended access list based on MAC address
Switch(config)# mac access-list extended MAC10
# Define a MAC address access control list named MAC10
Switch(config-ext-macl)# permit host 0009.6bc4.d4bf any
# The host with MAC address 0009.6bc4.d4bf may send to any host
Switch(config-ext-macl)# permit any host 0009.6bc4.d4bf
# Any host may send to the host with MAC address 0009.6bc4.d4bf
Switch(config)# interface Fa0/20
# Enter the configuration mode of the specific port
Switch(config-if)# mac access-group MAC10 in
# Apply the access list named MAC10 inbound on this port (the access policy defined above)
Switch(config)# no mac access-list extended MAC10
# Delete the access list named MAC10
The effect is the same as in solution 1, but here it is a port-based MAC address access control list, which can restrict a specific source MAC address and the range of destination addresses it may reach.
Note:
The above functions can be implemented on Cisco 2950, 3550, 4500 and 6500 series switches, but note that the 2950 and 3550 require the switch to run the Enhanced Image (EI) software.
3. Solution 3 - Binding the IP address and the MAC address
IP-MAC binding can only be achieved by combining solution 1 or solution 2 with an IP-based access control list.
Switch(config)# mac access-list extended MAC10
# Define a MAC address access control list named MAC10
Switch(config-ext-macl)# permit host 0009.6bc4.d4bf any
# The host with MAC address 0009.6bc4.d4bf may send to any host
Switch(config-ext-macl)# permit any host 0009.6bc4.d4bf
# Any host may send to the host with MAC address 0009.6bc4.d4bf
Switch(config)# ip access-list extended IP10
# Define an IP address access control list named IP10
Switch(config-ext-nacl)# permit ip 192.168.0.1 0.0.0.0 any
# The host with IP address 192.168.0.1 may send to any host (an extended ACL entry needs the protocol keyword, here ip)
Switch(config-ext-nacl)# permit ip any 192.168.0.1 0.0.0.0
# Any host may send to the host with IP address 192.168.0.1
Switch(config)# interface Fa0/20
# Enter the configuration mode of the specific port
Switch(config-if)# mac access-group MAC10 in
# Apply the access list named MAC10 inbound on this port (the access policy defined above)
Switch(config-if)# ip access-group IP10 in
# Apply the access list named IP10 inbound on this port (the access policy defined above)
Switch(config)# no mac access-list extended MAC10
# Delete the access list named MAC10
Switch(config)# no ip access-list extended IP10
# Delete the access list named IP10
Solution 1 above binds the host's MAC address to a switch port; solution 2 is an access control list based on the MAC address. The two have roughly the same effect. To bind an IP address to a MAC address as well, combine either solution 1 or solution 2 with an IP address access control list as needed.
Note: The above functions can be implemented on Cisco 2950, 3550, 4500 and 6500 series switches, but note that the 2950 and 3550 require the switch to run the Enhanced Image (EI) software.
Post-note: On the surface, binding MAC addresses to IP addresses prevents internal IP addresses from being stolen. However, because of the way various protocols and NIC drivers are implemented, IP-MAC binding has many weaknesses and cannot by itself prevent an internal IP address from being misused.
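Added example (not part of the original article, and not Cisco's or net130's code): a small Python script that renders the solution 3 commands above for one host from a binding table, and audits a captured `show ip arp` listing against that same table. The audit is the follow-up check the post-note implies you still need, since the binding alone cannot stop every misuse; it goes a little beyond the article by distinguishing three cases (a bound IP answered by a different NIC, a bound NIC using an IP it is not bound to, and a host that is in neither table). The binding table, the host addresses and the ARP output are constructed sample data.

```python
import re

# Constructed binding table for the example (IP -> MAC); hypothetical hosts.
BINDINGS = {
    "192.168.0.1": "0009.6bc4.d4bf",
    "192.168.0.2": "0009.6bc4.d4c0",
}

# Constructed sample of `show ip arp` output in the layout Cisco IOS prints.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.1             5   0009.6bc4.d4bf  ARPA   Vlan1
Internet  192.168.0.2            12   000c.2912.ab01  ARPA   Vlan1
Internet  192.168.0.77            0   0009.6bc4.d4c0  ARPA   Vlan1
Internet  192.168.0.254           -   0011.2233.4455  ARPA   Vlan1
"""

# One data row: protocol, IP, age (a number or "-" for the switch's own address), MAC.
ARP_LINE = re.compile(
    r"^Internet\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+"
    r"([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\b"
)


def normalize_mac(mac):
    """Accept 0009.6bc4.d4bf, 00:09:6b:c4:d4:bf or 00-09-6b-c4-d4-bf; return the Cisco dotted form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def parse_arp_table(text):
    """Return (ip, mac) pairs from `show ip arp` output, skipping the header line."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m.group(1), normalize_mac(m.group(2))))
    return entries


def audit_arp_table(text, bindings):
    """Compare the live ARP table with the binding table and return a list of violations."""
    expected = {ip: normalize_mac(mac) for ip, mac in bindings.items()}
    mac_to_ip = {mac: ip for ip, mac in expected.items()}
    violations = []
    for ip, mac in parse_arp_table(text):
        if ip in expected:
            if mac != expected[ip]:
                # A bound IP is answered by a different NIC: the card was replaced or the address was taken over.
                violations.append({"kind": "ip-mac-mismatch", "ip": ip, "mac": mac, "expected": expected[ip]})
        elif mac in mac_to_ip:
            # A known NIC is using an IP address it is not bound to.
            violations.append({"kind": "mac-on-other-ip", "ip": ip, "mac": mac, "expected": mac_to_ip[mac]})
        else:
            # Neither the IP nor the MAC appears in the binding table.
            violations.append({"kind": "unbound-host", "ip": ip, "mac": mac, "expected": None})
    return violations


def ios_binding_config(ip, mac, interface, list_id):
    """Render the solution 3 commands (MAC ACL plus IP ACL, applied inbound on one port) for one host."""
    mac = normalize_mac(mac)
    return [
        f"mac access-list extended MAC{list_id}",
        f" permit host {mac} any",
        f" permit any host {mac}",
        f"ip access-list extended IP{list_id}",
        f" permit ip host {ip} any",
        f" permit ip any host {ip}",
        f"interface {interface}",
        f" mac access-group MAC{list_id} in",
        f" ip access-group IP{list_id} in",
    ]


if __name__ == "__main__":
    for v in audit_arp_table(SAMPLE_ARP, BINDINGS):
        print(v)
    print("\n".join(ios_binding_config("192.168.0.1", "0009.6bc4.d4bf", "FastEthernet0/20", 10)))
```

Run it as is to see the three violations in the constructed table and the rendered commands for one port; in practice you would feed it the saved output of `show ip arp` from the switch and your own binding table. Because the ARP cache only shows hosts that have recently communicated, a clean audit is evidence of absence of misuse only for that window.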
