IP address and MAC address relationship: IP address is based on the current IPV4 standard specified, not subject to hardware limitations easier to remember the address, length 4 bytes. The MAC address is the physical address of the network card, stored in the EPROM of the network card, and the hardware is related, more difficult to remember, length of 6 bytes.
Although in the TCP/IP network, the computer often needs to set the IP address in order to communicate, however, the actual communication between computers is not through the IP address, but with the help of the MAC address of the network card. The IP address is only the MAC address of the computer that is used to query for communication purposes.
The ARP protocol is used to notify each other's computers and network devices of their IP's corresponding MAC address. Contains one or more tables in the computer's ARJ cache for storing IP addresses and their resolved Ethernet MAC addresses. When a computer communicates with a computer with another IP address, the corresponding MAC address is preserved in the ARP cache. So the next time the computer communicates with the same IP address, the MAC address is not queried, but the MAC address in the cache is referenced directly.
In switched networks, the switch maintains a MAC address table and sends the data to the destination computer based on the MAC address.
Why to bind Mac with IP address: IP address modification is very easy, and MAC address is stored in the network card EEPROM, and the MAC address of the network card is only certain. Therefore, in order to prevent the internal personnel to carry out illegal IP spoofing (such as embezzlement of the higher authority of the IP address to obtain information outside the jurisdiction), you can bind the IP address of the internal network with the MAC address, even if the user modifies the IP address, also because the MAC address does not match the theft of And because of the only certainty of the MAC address of the network card, we can find the network card using the MAC address according to the MAC address, and then find the illegal person.
At present, many units of the internal network, have adopted the MAC address and IP address binding technology. Here we will introduce the IP and Mac binding settings for Cisco switches.
The following three options are available in Cisco, and Scenario 1 and Scenario 2 implement the same functionality, that is, a specific host's MAC address (NIC hardware address) is bound on a specific switch port. Scenario 3 is to bind the MAC address (NIC hardware address) and IP address of a specific host at the same time on a specific switch port.
1. Scheme 1--MAC address binding based on port
Cisco 2950 switch For example, login into the switch, enter the management password into the configuration mode, type command:
Switch#config Terminal
# Enter configuration mode
Switch (config) # Interface fastethernet 0/1
# Enter specific port configuration mode
Switch (config-if) #Switchport port-secruity
# Configure Port security mode
Switch (config-if) switchport port-security Mac-address mac (host's MAC address)
# Configure the MAC address of the host to which this port is bound
Switch (config-if) no switchport port-security Mac-address mac (host's MAC address)
# Remove the MAC address of the binding host
Attention:
The above command sets a port on the switch to bind a specific MAC address. So only this host can use the network, if the host's network card has been replaced or other PCs want to use the network through this port is not available, unless you delete or modify the port binding on the MAC address to normal use.
Attention:
The above functions apply to Cisco 2950, 3550, 4500, 6500 series Switches
2. Scheme 2--extended access list based on MAC address
Switch (config) Mac Access-list extended MAC10
# define a MAC address access control list and name the list named MAC10
Switch (config) permit host 0009.6BC4.D4BF any
# A host that defines a MAC address as 0009.6BC4.D4BF can access any host
Switch (config) permit any host 0009.6BC4.D4BF
# define hosts that can access MAC address 0009.6BC4.D4BF for all hosts
Switch (config-if) interface fa0/20
#进入配置具体端口的模式
Switch (config-if) Mac Access-group MAC10 in
# Apply the access list named MAC10 on the port (that is, the access policy we defined earlier)
Switch (config) no Mac Access-list extended MAC10
# Clears the access list named MAC10
This feature is roughly the same as the application, but it is based on a port-made MAC address access control list limit that can be limited to specific source MAC address and destination address range.
Attention:
The above features can be achieved on Cisco 2950, 3550, 4500, 6500 series switches, but note that 2950, 3550 require the switch to run enhanced software mirroring (enhanced image).
3. MAC address Binding for solution 3--ip address
You can use only 1 or 2 combinations of ip-based access control lists to reach the IP-MAC binding capability.
Switch (config) Mac Access-list extended MAC10
# define a MAC address access control list and name the list named MAC10
Switch (config) permit host 0009.6BC4.D4BF any
# A host that defines a MAC address as 0009.6BC4.D4BF can access any host
Switch (config) permit any host 0009.6BC4.D4BF
# define hosts that can access MAC address 0009.6BC4.D4BF for all hosts
Switch (config) Ip Access-list extended IP10
# define an IP address access control list and name the list named IP10
Switch (config) Permit 192.168.0.1 0.0.0.0 any
# A host that defines an IP address as 192.168.0.1 can access any host
Permit any 192.168.0.1 0.0.0.0
# define hosts that can access IP addresses to 192.168.0.1 for all hosts
Switch (config-if) interface fa0/20
#进入配置具体端口的模式
Switch (config-if) Mac Access-group MAC10 in
# Apply the access list named MAC10 on the port (that is, the access policy we defined earlier)
Switch (config-if) Ip Access-group IP10 in
# Apply the access list named IP10 on the port (that is, the access policy we defined earlier)
Switch (config) no Mac Access-list extended MAC10
# Clears the access list named MAC10
Switch (config) no Ip access-group IP10 in
# Clears the access list named IP10
The above mentioned application 1 is based on the host MAC address and switch port binding, Scenario 2 is based on the MAC address access control list, the first two scenarios can achieve a similar function. If you want to achieve the IP and MAC address binding can only be implemented according to the scenario 3来, you can use scenario 1 or Scenario 2 with the IP Access control list to achieve the desired results.
Note: The above features are available on Cisco 2950, 3550, 4500, 6500 series switches, but note that 2950 and 3550 require the switch to run enhanced software mirroring (enhanced image).
After note: From the surface, the binding MAC address and IP address can prevent the internal IP address stolen, but in fact, because of the various layers of protocol and network card-driven implementation technology, MAC address and IP address binding there is a large defect, and can not really prevent the internal IP address stolen.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
