Binding IP and MAC addresses in Cisco switches

Source: Internet
Author: User
Tags: snmp, syslog, cisco, switch

To prevent IP address theft or employees tampering with their IP addresses on a Cisco switch, you can take the following measures: bind an IP address to a MAC address, and bind an IP address to a switch port.
1. Find the port from the IP address
Look up the MAC address first, then find the port from the MAC address (show arp filtered on the address; show mac-address-table lists the MAC-to-port table for the whole switch):

Bangonglou3# show arp | include 208.41
Internet  10.138.208.41  4  0006.1bde.3de9  ARPA  Vlan10
Bangonglou3# show mac-address-table | include 0006.1bde
  10  0006.1bde.3de9  DYNAMIC  Fa0/17
Bangonglou3# exit

 

2. Binding an IP address to a MAC address. This binding is simple and effective at preventing IP address theft. If someone changes their IP address to one you have bound to another MAC address, their network connection stops working (TCP/UDP traffic fails, although NetBIOS Network Neighborhood entries can still be accessed). The specific command is:

Cisco(config)# arp 10.138.208.81 0000.e268.9980 arpa

This binds 10.138.208.81 to MAC address 0000.e268.9980 as a static ARP entry.
 
3. Binding an IP address to a switch port. A port bound this way can only be used by that IP address; change the host to another IP address and it is cut off from the network immediately. This effectively prevents IP address tampering.

Cisco(config)# interface fastethernet0/17
Cisco(config-if)# ip access-group 6 in
Cisco(config-if)# exit
Cisco(config)# access-list 6 permit 10.138.208.81

This binds switch port fastethernet0/17 to IP address 10.138.208.81: the standard ACL permits only that source address, and its implicit deny drops every other inbound packet on the port.
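The three steps above, as an added example that is not part of the original article: a small Python helper that walks "show arp" to "show mac-address-table" to find a host's port (step 1) and then emits the static ARP entry and port ACL lines for steps 2 and 3. The two command outputs are constructed samples in the layout shown above, and the function names are my own.

```python
import re

# Constructed sample output, laid out like the "show arp" and
# "show mac-address-table" lines quoted in step 1 (not a real capture).
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.138.208.41           4   0006.1bde.3de9  ARPA   Vlan10
Internet  10.138.208.81          12   0000.e268.9980  ARPA   Vlan10
Internet  10.138.208.1            -   0012.3456.789a  ARPA   Vlan10
"""
SHOW_MAC = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0006.1bde.3de9    DYNAMIC     Fa0/17
  10    0000.e268.9980    DYNAMIC     Fa0/23
"""

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+" + MAC + r"\s+ARPA", re.M)
MAC_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+\S+\s+(\S+)", re.M)


def locate(ip, show_arp=SHOW_ARP, show_mac=SHOW_MAC):
    """Walk ARP -> MAC table as in step 1; return (mac, vlan, port) or None."""
    arp = dict(ARP_RE.findall(show_arp))
    if ip not in arp:
        return None
    mac = arp[ip]
    for vlan, m, port in MAC_RE.findall(show_mac):
        if m == mac:
            return mac, int(vlan), port
    # ARP knows the host but no port has learned its MAC yet (e.g. aged out)
    return mac, None, None


def binding_config(ip, mac, port, acl_number):
    """IOS lines for steps 2 and 3: static ARP entry plus a per-port source-IP ACL.
    The ACL's implicit deny is what blocks every other source address on the port."""
    return [
        f"arp {ip} {mac} arpa",
        f"access-list {acl_number} permit {ip}",
        f"interface {port}",
        f" ip access-group {acl_number} in",
    ]
```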

 

From: http://www.net235.com/newsold/onews.asp?Id=217

 

 

The most common understanding of port security is controlling and managing network traffic based on MAC addresses: binding a MAC address to a specific port, restricting the number of MAC addresses a specific port may use, or prohibiting frames from certain MAC addresses from passing through a specific port.

 

1. Binding a MAC address to a port. When the MAC address of the connected host differs from the MAC address specified on the switch, the corresponding switch port is shut down. When you specify a MAC address for a port, the port must be in access or trunk mode.

3550-1# conf t
3550-1(config)# int f0/1
! set the port mode
3550-1(config-if)# switchport mode access
! enable port security on the port (the settings below have no effect until it is enabled)
3550-1(config-if)# switchport port-security
! configure the permitted MAC address (IOS expects the H.H.H format, not 00-90-f5-10-79-c1)
3550-1(config-if)# switchport port-security mac-address 0090.f510.79c1
! restrict the number of MAC addresses allowed on this port to 1
3550-1(config-if)# switchport port-security maximum 1
! shut the port down when a frame does not match the configuration above
3550-1(config-if)# switchport port-security violation shutdown

2. Using the MAC address to limit port traffic. This configuration allows a trunk port to pass at most 100 MAC addresses. Once the port exceeds 100, frames from any new host are dropped.

3550-1# conf t
3550-1(config)# int f0/1
3550-1(config-if)# switchport trunk encapsulation dot1q
! configure the port as a trunk
3550-1(config-if)# switchport mode trunk
! enable port security on the port
3550-1(config-if)# switchport port-security
! allow at most 100 MAC addresses on this port
3550-1(config-if)# switchport port-security maximum 100
! when the number of host MACs exceeds 100 the switch keeps working, but frames from new hosts are dropped
3550-1(config-if)# switchport port-security violation protect

The preceding configurations permit traffic based on MAC address. The following configuration rejects traffic based on MAC address.

1. This configuration only filters unicast traffic on the Catalyst switch; it has no effect on multicast traffic.

3550-1# conf t
! drop traffic from this MAC address on the corresponding VLAN
3550-1(config)# mac-address-table static 0090.f510.79c1 vlan 2 drop

3550-1# conf t
! static entry for this MAC address on the corresponding interface
3550-1(config)# mac-address-table static 0090.f510.79c1 vlan 2 interface f0/1

 

From: http://www.pconline.com.cn/pcjob/nettech/cisco/others/0507/674179.html

 

As network security becomes more and more important, colleges and enterprises are applying increasingly strict LAN access controls. One common practice is to bind IP addresses, NIC MAC addresses and switch ports together; however, few articles describe the specific principles and steps for quickly binding MAC addresses to switch ports.

Generally speaking, binding a MAC address to a switch port is really the switch's port security function. Port security lets you configure a port so that only one or more specified devices may access the switch through it. You decide which devices are allowed by MAC address; the permitted MAC addresses can either be configured manually or "learned" by the switch. When a MAC address that is not approved tries to use the port, the switch suspends or disables the port.

 

I. First, two concepts you must understand:
Secure MAC addresses. There are three types:
Static secure MAC addresses: configured manually in switch interface mode. This configuration is stored in the switch MAC address table and in the running configuration, and it is not lost after the switch restarts (provided, of course, that the configuration was saved). The command is:
Switch(config-if)# switchport port-security mac-address <mac-address>
Dynamic secure MAC addresses: the switch's default type. The switch learns the MAC address dynamically, but the entry is stored only in the MAC address table, not in the running configuration. After the switch restarts, these entries are cleared automatically.
Sticky secure MAC addresses: with this type you can configure the MAC-to-port binding manually or let the switch learn it automatically; the entry is stored both in the MAC address table and in the running configuration. If you save the configuration, the switch does not need to re-learn the MAC address after a restart. Although sticky secure MAC addresses can be configured manually, Cisco does not recommend it. The command is:
Switch(config-if)# switchport port-security mac-address sticky
In fact, once this command is configured and the port learns a MAC address, a configuration line of the following form is generated automatically:
Switch(config-if)# switchport port-security mac-address sticky <mac-address>
This is why Cisco does not recommend configuring MAC addresses manually for this type.

 

II. Actions taken on a MAC security violation:
A MAC address security violation occurs when the maximum number of MAC addresses is exceeded, when the MAC address of the device on the port is not the secure MAC address recorded for that port in the MAC address table, or when the same MAC address within one VLAN is configured on several ports. Three actions are available:
1. Protect mode (protect): drops the packets without any warning.
2. Restrict mode (restrict): drops the packets, sends a warning, sends an SNMP trap, and records the event in syslog.
3. Shutdown mode (shutdown): the switch default. The port immediately enters the err-disabled state, its link light goes off, an SNMP trap is sent, and the event is recorded in syslog; the port stays down until an administrator re-enables it manually.
The command is:
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
The following table compares the three modes.

Violation mode | Traffic forwarded | Sends SNMP trap | Sends syslog message | Displays error message | Shuts down port
protect        | No                | No              | No                   | No                     | No
restrict       | No                | Yes             | Yes                  | No                     | No
shutdown       | No                | Yes             | Yes                  | No                     | Yes
Table 1

Pay attention to the following when configuring port security:
Port security can only be configured on static access ports. It cannot be configured on trunk ports, SPAN ports, Fast EtherChannel or Gigabit EtherChannel port groups, or ports dynamically assigned to a VLAN; and port security cannot be set per VLAN. The switch does not support an aging time for sticky secure MAC addresses. The protect and restrict modes cannot be set on the same port at the same time.

Next we connect the points above and walk through all the commands needed for the configuration steps.

1. Commands for a static secure MAC address:
Switch# configure terminal
! enter the port to be configured
Switch(config)# interface <interface-id>
! set the port to access mode
Switch(config-if)# switchport mode access
! enable port security
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
The command above is optional. The default mode is shutdown, but restrict is recommended in practice.
Switch(config-if)# switchport port-security maximum <value>
This command is also optional. The default maximum is one MAC address, and the maximum value on 2950 and 3550 switches is 132.
The commands so far are common to the static and sticky types; the following command is what makes the address a static secure MAC address:
Switch(config-if)# switchport port-security mac-address <mac-address>
2. Dynamic secure MAC address: no configuration is needed, because it is the switch's default.
3. Steps for configuring a sticky secure MAC address:
Switch# configure terminal
Switch(config)# interface <interface-id>
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
Switch(config-if)# switchport port-security maximum <value>
The commands above have the same meaning as in the static case.
Switch(config-if)# switchport port-security mac-address sticky
This command configures the port for sticky secure MAC addresses.
Finally, how to quickly bind MAC addresses to switch ports in an enterprise. In practice, sticky secure MAC address binding is the form most often used. The example below binds the ports of a Catalyst 2950EMI.

Method 1: Configure in the CLI
2950(config)# interface range fa0/1 - 48
2950(config-if-range)# switchport mode access
2950(config-if-range)# switchport port-security
2950(config-if-range)# switchport port-security violation restrict
2950(config-if-range)# switchport port-security mac-address sticky
This binds all 48 ports of the switch. Note: in actual use, every PC connected to the switch must be powered on so that the switch can learn its MAC address, and you must save the configuration after the addresses have been learned so they do not have to be learned again next time. Then use show port-security address to view the bound ports and confirm the configuration is correct.
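The confirmation step above, as an added example that is not part of the original article: a Python audit of "show port-security address" output that flags the pitfalls the text mentions (a host that was never powered on, an entry that is not sticky and so is lost on reload, more than one MAC on a "maximum 1" port, and one MAC bound on several ports of the same VLAN). The sample output is constructed in the 2950's column layout, and the function names are my own.

```python
import re

# Constructed "show port-security address" output in the 2950 layout
# (not a real capture): Fa0/2 and Fa0/3 share a MAC, Fa0/4 is not sticky.
SHOW_PSEC_ADDR = """\
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0090.f510.79c1    SecureSticky        Fa0/1        -
   1    0011.2233.4455    SecureSticky        Fa0/2        -
   1    0011.2233.4455    SecureSticky        Fa0/3        -
   1    00aa.bbcc.dd01    SecureDynamic       Fa0/4        -
"""

ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(Secure\w+)\s+(\S+)", re.M)


def expected_ports(first, last, prefix="Fa0/"):
    """Port names covered by an 'interface range fa0/first - last' binding."""
    return [f"{prefix}{n}" for n in range(first, last + 1)]


def audit(output, ports):
    """Return a list of findings; an empty list means every port looks correct."""
    rows = ROW_RE.findall(output)
    seen = {p: [] for p in ports}
    findings = []
    for vlan, mac, typ, port in rows:
        seen.setdefault(port, []).append(mac)
        if typ != "SecureSticky":  # dynamic entries are not written to the config
            findings.append(f"{port}: {mac} is {typ}, not saved with the config")
    for port in ports:
        if not seen[port]:
            findings.append(f"{port}: no secure MAC learned (host not powered on?)")
        elif len(seen[port]) > 1:
            findings.append(f"{port}: {len(seen[port])} MACs learned, exceeds maximum 1")
    # the same MAC on several ports of one VLAN is itself a violation condition
    by_vlan_mac = {}
    for vlan, mac, _typ, port in rows:
        by_vlan_mac.setdefault((vlan, mac), []).append(port)
    for (vlan, mac), plist in by_vlan_mac.items():
        if len(plist) > 1:
            findings.append(f"vlan {vlan}: {mac} bound on {', '.join(plist)}")
    return findings
```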

Method 2: Configure in the web interface, that is, CMS (Cluster Management Suite)
Enter the IP address of the switch in the IE browser. Under Port > Port Security, set Status to enable or disable and set Sticky MAC Address; Violation Action can be set to shutdown, restrict or protect, and Maximum Address Count (1-132) can be set to any value in that range.

Binding IP addresses to MAC addresses has its own requirement: a Layer 3 (or higher) switch. Ordinary switches work at Layer 2, the data link layer, where an IP address cannot be bound. If the enterprise network is a star topology whose central switch has Layer 3 features, the IP address can be bound on that switch:
switch(config)# arp <ip-address> <mac-address> arpa
