Cisco Catalyst Switch IP + MAC binding

Source: Internet
Author: User
Tags: snmp, syslog, cisco, switch

1. Binding a host MAC address to a switch port:

Switch# configure terminal

Switch(config)# interface FastEthernet0/1

Switch(config-if)# switchport mode access

Switch(config-if)# switchport port-security

Switch(config-if)# switchport port-security mac-address HHHH.HHHH.HHHH

The MAC address is entered in Cisco's dotted-hex form (hhhh.hhhh.hhhh; the value printed in the source is garbled and is shown here as a placeholder). The plain `switchport port-security` line is required: without it the static address is accepted by the CLI but no violation is ever enforced.

2. Binding a host IP address to a switch port:

Switch(config)# access-list 1 permit 10.0.0.1

Switch(config)# interface FastEthernet0/17

Switch(config-if)# ip access-group 1 in

Define the access list before applying it; an `ip access-group` that names a list which does not exist yet permits everything. With the two configurations above, FastEthernet0/17 accepts frames only from the bound MAC address and IP packets only from 10.0.0.1. A standard IP ACL filters IP packets by source address only: it does not look at the MAC address, and ARP (which is not IP) passes through it, so pairing the ACL with port security is what makes the binding cover both layers. The implicit deny at the end of the list also drops DHCP discover packets (source 0.0.0.0), so the host must use a static address.


The simplest method

On a 2960 switch, how do I bind a port to a MAC address, and an IP address to a MAC address?

Switch(config)# arp 192.168.1.1 HHHH.HHHH.HHHH arpa FastEthernet0/1

(The MAC value in the source is garbled; the address must be dotted-hex hhhh.hhhh.hhhh.) A static ARP entry like this only fixes how the switch itself resolves 192.168.1.1; it does not stop the host on that port from using another address. For port-to-MAC binding use port security (section 1 above). For a real IP-to-MAC-to-port binding on the 2960:

It is said that you can enable DHCP snooping (`ip dhcp snooping`) so that the switch builds the binding table dynamically, and use the `ip source binding` command for static entries; `ip verify source` on the access port then drops IP packets whose source address (and, with the port-security keyword, source MAC) is not in that table.


Commands for binding IP and MAC addresses on a Cisco switch

To prevent IP address theft or employees changing their IP address on a Cisco switch, you can take two measures: bind the IP address to the MAC address, and bind the IP address to the switch port.

1. Finding the port from an IP address

First look up the MAC address, then look up the port from the MAC address:

Bangonglou3# show arp | include 208.41

Internet 10.138.208.41 4 0006.1bde.3de9 ARPA Vlan10

Bangonglou3# show mac-address-table | include 0006.1bde

10 0006.1bde.3de9 DYNAMIC Fa0/17

Bangonglou3# exit

(`show mac-address-table` on its own lists the whole MAC-to-port table; it carries no IP addresses, which is why the ARP lookup comes first.)

2. Binding the IP address to the MAC address. This binding is simple and effective against IP theft. After someone changes their IP address to one you have bound to a MAC address, the switch still resolves that IP to the bound MAC, so traffic routed through the switch never reaches the thief (TCP/UDP connections through the switch fail; hosts on the same VLAN, which resolve the address with their own ARP, can still be reached, for example NetBIOS shares). Specifically:

Cisco(config)# arp 10.138.208.81 0000.e268.9980 ARPA

In this way, 10.138.208.81 and MAC 0000.e268.9980 are bound together in the switch's ARP table. This requires a layer-3 switch (the ARP entry is used when routing); it does not prevent the host from spoofing the address on its own segment.

3. Binding the IP address to the switch port. A port bound with this method can be used only by this IP address; change to another IP address and the network is cut off immediately. This effectively prevents IP address tampering.

Cisco(config)# access-list 6 permit 10.138.208.81

Cisco(config)# interface FastEthernet0/17

Cisco(config-if)# ip access-group 6 in

In this way, FastEthernet0/17 is bound to IP address 10.138.208.81. Define the access list before applying it, and remember that the list filters only IP packets by source address; the host needs a static address, since the implicit deny blocks DHCP.
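The lookup-and-bind procedure above (find the MAC from the ARP table, find the port from the MAC table, then bind IP, MAC and port) as a script. This is an added example, not part of the original article: the `show arp` and `show mac-address-table` outputs are constructed samples in the Catalyst format with illustrative addresses, the ACL number is chosen by the caller, and the generated lines combine all three bindings from sections 2 and 3 with the port-security commands from section 1.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample output (not captured from a real switch) in the layout of
# `show arp` and `show mac-address-table` on a Catalyst 3550.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.138.208.41           4   0006.1bde.3de9  ARPA   Vlan10
Internet  10.138.208.81          12   0000.e268.9980  ARPA   Vlan10
Internet  10.138.208.1            -   0012.7f3a.1c00  ARPA   Vlan10
"""

SHOW_MAC = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0006.1bde.3de9    DYNAMIC     Fa0/17
  10    0000.e268.9980    DYNAMIC     Fa0/5
  10    0012.7f3a.1c00    STATIC      CPU
"""

# Cisco dotted-hex MAC form, the only form the IOS CLI accepts.
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


@dataclass
class Binding:
    ip: str
    mac: str
    port: str


def parse_arp(text: str) -> Dict[str, str]:
    """IP -> MAC from `show arp`; header and non-ARPA lines are skipped."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0] == "Internet" and MAC_RE.match(f[3].lower()):
            table[f[1]] = f[3].lower()
    return table


def parse_mac_table(text: str) -> Dict[str, str]:
    """MAC -> port from `show mac-address-table` (4-column data rows only)."""
    table = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 4 and MAC_RE.match(f[1].lower()):
            table[f[1].lower()] = f[3]
    return table


def locate(ip: str, arp_text: str, mac_text: str) -> Optional[Binding]:
    """Step 1 of the article: IP -> MAC -> port. None if the IP is unknown
    or belongs to the switch itself (its SVI MAC shows up on port CPU)."""
    mac = parse_arp(arp_text).get(ip)
    if mac is None:
        return None
    port = parse_mac_table(mac_text).get(mac)
    if port is None or port == "CPU":
        return None
    return Binding(ip, mac, port)


def binding_config(b: Binding, acl: int) -> List[str]:
    """Steps 2 and 3 plus port security: static ARP (IP->MAC on the L3
    switch), port security (MAC->port) and a port ACL (IP->port).
    The ACL is defined before it is applied so the interface never carries
    an undefined list, which IOS would treat as permit-all."""
    return [
        f"arp {b.ip} {b.mac} arpa",
        f"access-list {acl} permit {b.ip}",
        f"interface {b.port}",
        " switchport mode access",
        " switchport port-security",
        " switchport port-security maximum 1",
        f" switchport port-security mac-address {b.mac}",
        " switchport port-security violation restrict",
        f" ip access-group {acl} in",
    ]


if __name__ == "__main__":
    b = locate("10.138.208.81", SHOW_ARP, SHOW_MAC)
    if b is not None:
        print("\n".join(binding_config(b, 6)))
```

The ACL only permits IP packets from the bound address, so the host must be statically addressed (DHCP discover from 0.0.0.0 is dropped by the implicit deny); the port-security line is what ties the MAC to the port, and the static ARP entry only has meaning on a layer-3 switch.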


The most common understanding of port security is controlling and managing traffic based on MAC addresses: binding a MAC address to a specific port, limiting the number of MAC addresses a port may use, or forbidding frames from certain MAC addresses to pass through a port.

1. Binding a MAC address to a port. When the MAC address of the host is found to differ from the MAC address configured on the switch, the port is shut down. The port must be in access (or, on later IOS releases, trunk) mode before a MAC address is assigned.

3550-1# conf t

3550-1(config)# int f0/1

3550-1(config-if)# switchport mode access                          ! set the port mode

3550-1(config-if)# switchport port-security                        ! enable port security on the port

3550-1(config-if)# switchport port-security mac-address 0090.F510.79C1    ! configure the permitted MAC address

3550-1(config-if)# switchport port-security maximum 1              ! allow only one MAC address on this port

3550-1(config-if)# switchport port-security violation shutdown     ! shut the port down when a different address is seen

IOS takes the MAC address in dotted-hex form (0090.F510.79C1); the hyphenated Windows form 00-90-F5-10-79-C1 used in the source is rejected by the CLI. The `switchport port-security` line enables the feature; the address, maximum and violation commands only take effect once it is present.

2. Limiting port traffic by MAC count. This configuration allows a trunk port to carry at most 100 MAC addresses; once the port exceeds 100, frames from new hosts are dropped.

3550-1# conf t

3550-1(config)# int f0/1

3550-1(config-if)# switchport trunk encapsulation dot1q

3550-1(config-if)# switchport mode trunk                           ! set the port mode to trunk

3550-1(config-if)# switchport port-security                        ! enable port security on the port

3550-1(config-if)# switchport port-security maximum 100            ! allow up to 100 MAC addresses on this port

3550-1(config-if)# switchport port-security violation protect      ! past 100 addresses the port stays up, but frames from new hosts are dropped

The configurations above permit traffic based on MAC address. The following configuration rejects traffic based on MAC address.

1. This configuration filters only unicast traffic on the Catalyst switch; it has no effect on multicast traffic.

3550-1# conf t

3550-1(config)# mac-address-table static 0090.F510.79C1 vlan 2 drop             ! drop unicast frames from or to this address in VLAN 2

3550-1(config)# mac-address-table static 0090.F510.79C1 vlan 2 interface f0/1   ! pin this address to f0/1 in VLAN 2

The `drop` form is the one that discards. The `interface` form is a static MAC entry: frames destined to 0090.F510.79C1 are forwarded only out f0/1 and the entry is not overwritten by dynamic learning, so the address cannot be moved to another port by a host that spoofs it; it does not by itself drop that host's own traffic on f0/1.


As network security becomes more and more important, colleges and enterprises are increasingly strict about LAN access control. One common practice is to bind IP addresses, NIC MAC addresses and switch ports together; however, there are few articles on how to bind MAC addresses to switch ports quickly.

Generally speaking, binding a MAC address to a switch port is the switch's port security feature. Port security lets you configure a port so that only one or more specified devices may use it. Which devices are allowed is determined by MAC address; the allowed MAC addresses can be configured manually or "learned" by the switch. When an unapproved MAC address tries to use the port, the switch can restrict the port or shut it down.

I. First, two concepts:

Secure MAC addresses. There are three kinds:

Static secure MAC addresses: configured manually in interface configuration mode. They are stored in the switch's MAC address table and in the running configuration, so they survive a restart (provided the configuration is saved). The command is:

Switch(config-if)# switchport port-security mac-address mac-address

Dynamic secure MAC addresses: the switch's default. The switch learns the addresses dynamically, but they are kept only in the MAC address table, not in the running configuration; after a restart they are cleared.

Sticky secure MAC addresses: these can be configured manually or learned automatically, and are stored both in the MAC address table and in the running configuration. If you save the configuration, the addresses do not have to be relearned after a restart. Although sticky MAC addresses can be entered by hand, Cisco does not recommend it. The command is:

Switch(config-if)# switchport port-security mac-address sticky

After this command is configured and the port learns a MAC address, a configuration line is generated automatically:

Switch(config-if)# switchport port-security mac-address sticky mac-address

This is why Cisco does not recommend entering sticky addresses manually: the switch writes them itself.

 

II. Actions taken on a MAC security violation:

A security violation occurs when the maximum number of MAC addresses is exceeded, when the device on the port has a MAC address that is not in the port's secure address table, or when the same MAC address is secured on several ports in one VLAN. Three actions are available:

1. protect: drops the offending frames silently, with no notification.

2. restrict: drops the offending frames, sends an SNMP trap and writes a syslog message, and increments the violation counter.

3. shutdown: the default. The port goes to the err-disabled state immediately, its LED turns off, an SNMP trap is sent and a syslog message is written; the port stays down until an administrator re-enables it (or errdisable recovery is configured).

The command is:

Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}

The following table compares the modes.

Violation mode   Traffic forwarded   Sends SNMP trap   Sends syslog message   Displays error message   Shuts down port
protect          No                  No                No                     No                       No
restrict         No                  Yes               Yes                    No                       No
shutdown         No                  Yes               Yes                    No                       Yes

Table 1

Pay attention to the following when configuring port security:

Port security is configured only on static access ports. It cannot be configured on a trunk port, a SPAN port, a Fast EtherChannel or Gigabit EtherChannel port group, or a port dynamically assigned to a VLAN, and it cannot be set per VLAN (these restrictions depend on the IOS release; the 3550 examples earlier on this page use a trunk port). The switch does not support aging of sticky secure MAC addresses. protect and restrict cannot both be set on the same port.
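Table 1 says that restrict and shutdown write syslog messages while protect is silent; in practice that means the violation messages are what a SOC watches. The following script, an added example and not part of the original article, runs over constructed sample syslog lines in the format Catalyst switches emit for port-security events (the `%PORT_SECURITY-2-PSECURE_VIOLATION` and `%PM-4-ERR_DISABLE` messages; the timestamps, MACs and ports are invented) and separates a port that went err-disabled (shutdown mode) from a restrict-mode port that keeps logging violations from more than one MAC. The threshold of two violations is an assumption for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample log (not a real capture) in the layout of Catalyst syslog.
# Fa0/5 is in shutdown mode: one violation, then err-disable.
# Fa0/9 is in restrict mode: it stays up and keeps logging violations.
SAMPLE_LOG = """\
Mar  1 00:12:34.101: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/5.
Mar  1 00:12:34.102: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5, putting Fa0/5 in err-disable state
Mar  1 00:13:01.330: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port FastEthernet0/9.
Mar  1 00:13:31.340: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.ddee on port FastEthernet0/9.
Mar  1 00:14:02.001: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0099.8877.6655 on port FastEthernet0/9.
Mar  1 00:15:00.000: %LINK-3-UPDOWN: Interface FastEthernet0/9, changed state to up
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"on port (?P<port>[A-Za-z]+[0-9/]+)"
)
ERRDISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>[A-Za-z]+[0-9/]+),"
)

# The two messages name the port differently (long and short form); normalise.
SHORT = {"FastEthernet": "Fa", "GigabitEthernet": "Gi"}


def short_name(port: str) -> str:
    for full, abbr in SHORT.items():
        if port.startswith(full):
            return abbr + port[len(full):]
    return port


def analyse(log: str) -> Dict[str, dict]:
    """Per port: offending MACs, violation count, and whether it was err-disabled."""
    summary = defaultdict(lambda: {"macs": set(), "violations": 0, "err_disabled": False})
    for line in log.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            entry = summary[short_name(m["port"])]
            entry["macs"].add(m["mac"])
            entry["violations"] += 1
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            summary[short_name(m["port"])]["err_disabled"] = True
    return dict(summary)


def ports_needing_attention(summary: Dict[str, dict], threshold: int = 2) -> List[str]:
    """Err-disabled ports need an administrator to bring them back. A port
    that stays up (restrict mode) but logs repeated violations from more
    than one MAC looks like a hub or a spoofing attempt, not a swapped PC."""
    flagged = []
    for port, s in sorted(summary.items()):
        if s["err_disabled"] or (s["violations"] >= threshold and len(s["macs"]) > 1):
            flagged.append(port)
    return flagged


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for port in ports_needing_attention(result):
        print(port, result[port])
```

Protect mode produces none of these lines, which is the operational argument for restrict in the sections that follow: the frames are still dropped, but the event is visible.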

 

Next we connect the points above and go through all the commands for each configuration.

1. Commands for static secure MAC addresses:

Switch# configure terminal

Switch(config)# interface interface-id                        ! enter the port to configure

Switch(config-if)# switchport mode access                     ! set the port to access mode

Switch(config-if)# switchport port-security                   ! enable port security on the port

Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}

The command above is optional. The default is shutdown; restrict is recommended in practice, because it keeps the port up while still logging and trapping the event.

Switch(config-if)# switchport port-security maximum value

This command is also optional. The default maximum is 1 MAC address; the largest value on the 2950 and 3550 is 132.

The commands so far are common to static and sticky configuration. What distinguishes the static form is:

Switch(config-if)# switchport port-security mac-address mac-address

which configures a static secure MAC address.

2. Dynamic secure MAC addresses need no configuration, because they are the switch's default.

3. Steps for configuring sticky secure MAC addresses:

Switch# configure terminal

Switch(config)# interface interface-id

Switch(config-if)# switchport mode access

Switch(config-if)# switchport port-security

Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}

Switch(config-if)# switchport port-security maximum value

These commands mean the same as in the static case above.

Switch(config-if)# switchport port-security mac-address sticky

This command turns on sticky learning of secure MAC addresses.

Finally, how to bind MAC addresses to switch ports quickly in an enterprise. In practice sticky secure MAC addresses are what we usually use. Here it is done on a 2950 EMI.

Method 1: Configure from the CLI

2950(config)# interface range fa0/1 - 48

2950(config-if-range)# switchport mode access

2950(config-if-range)# switchport port-security

2950(config-if-range)# switchport port-security violation restrict

2950(config-if-range)# switchport port-security mac-address sticky

This binds all 48 ports of the switch. Note: in actual use, every PC connected to the switch must be powered on so that its MAC address can be learned; a port whose PC was off has no secure address yet and will stick to the first address that appears later, whoever it belongs to. Save the configuration after learning so that the addresses do not have to be relearned after a reload, and then use `show port-security address` to check the bound addresses and confirm the configuration is correct.
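The check described in the note above (every port should have learned exactly one sticky address before the configuration is saved) as a script. This is an added example, not part of the original article: the `show port-security address` output is a constructed sample in the Catalyst 2950 layout for ports Fa0/1 to Fa0/5 rather than all 48, with invented MACs; the `expand_range` helper and the four status labels are this example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not a real capture) in the layout of
# `show port-security address` on a Catalyst 2950 after sticky learning.
# Fa0/3's PC was off during learning; Fa0/4 never had sticky enabled;
# Fa0/5 has two devices behind it.
SHOW_PSEC_ADDR = """\
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0012.3456.789a    SecureSticky        Fa0/1        -
   1    0012.3456.789b    SecureSticky        Fa0/2        -
   1    0012.3456.789c    SecureDynamic       Fa0/4        -
   1    0012.3456.789e    SecureSticky        Fa0/5        -
   1    0012.3456.789f    SecureSticky        Fa0/5        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 1024
"""

MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}")


def parse_secure_addresses(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Port -> [(mac, type)] from the table body; header, separator and
    summary lines have no MAC in the second column and are skipped."""
    entries: Dict[str, List[Tuple[str, str]]] = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and MAC_RE.fullmatch(f[1].lower()):
            entries.setdefault(f[3], []).append((f[1].lower(), f[2]))
    return entries


def expand_range(prefix: str, first: int, last: int) -> List[str]:
    """Port names matching an `interface range <prefix>first - last`."""
    return [f"{prefix}{i}" for i in range(first, last + 1)]


def audit(ports: List[str], text: str) -> Dict[str, str]:
    """Classify each port after sticky learning:
    ok          exactly one SecureSticky entry (survives a reload once saved)
    unlearned   no secure address yet: the PC was off; bind it before saving,
                otherwise the first device plugged in later gets the slot
    not_sticky  a SecureDynamic entry: it lives only in the MAC table and is
                lost on reload, so sticky was not enabled on that port
    multiple    more than one address: a hub, a second device, or maximum > 1"""
    learned = parse_secure_addresses(text)
    result = {}
    for port in ports:
        addrs = learned.get(port, [])
        if not addrs:
            result[port] = "unlearned"
        elif len(addrs) > 1:
            result[port] = "multiple"
        elif addrs[0][1] != "SecureSticky":
            result[port] = "not_sticky"
        else:
            result[port] = "ok"
    return result


if __name__ == "__main__":
    for port, status in audit(expand_range("Fa0/", 1, 5), SHOW_PSEC_ADDR).items():
        if status != "ok":
            print(port, status)
```

Run it against the real `show port-security address` output before saving the configuration; only the ports reported as `ok` are actually bound in the way the article intends.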

 

Method 2: Configure from the web interface, the CMS (Cluster Management Suite)

Enter the switch's IP address in the browser; under Port > Port Security select Enable or Disable for Status and for Sticky MAC Address, set Violation Action to Shutdown, Restrict or Protect, and set Maximum Address Count to a value from 1 to 132.

 

 

We also need to bind IP addresses to MAC addresses. This requires a layer-3 switch: an ordinary layer-2 switch works at the data link layer and keeps no IP-to-MAC relationship to enforce. In a star network where the central switch is layer 3, we can bind there with a static ARP entry:

Switch(config)# arp ip-address mac-address arpa

This fixes how the layer-3 switch resolves that IP address, so a host that steals it gets no routed return traffic; it does not police what hosts on the same VLAN send to each other. For enforcement at the access port on a layer-2 switch, use IP Source Guard with DHCP snooping or static ip source binding entries, as mentioned earlier on this page.
