Port security Configuration for the Cisco PT Simulation Experiment (7) switch

Source: Internet
Author: User
Tags: snmp, cisco, switch, ccna, study guide



Experimental Purpose :

Master the port security function of the switch and use it to control which users may access the network securely.

Experimental Background :

The company's network assigns each user a fixed IP address. To prevent internal users from borrowing or spoofing IP addresses, connecting devices to the switch without authorization and similar violations, and to guard against attacks and sabotage from both the public network and the internal network, the company requires strict control over network access, which calls for the appropriate configuration on the switch.

Technical Principle :

  • Port security: network traffic can be controlled and managed on the basis of MAC addresses, for example by binding a MAC address to a specific port, limiting the number of MAC addresses that may pass through a specific port, or allowing only frames from certain MAC addresses on a specific port. A further extension of port security is controlling network access according to 802.1X.

  • Cisco switch ports are in dynamic desirable mode by default (a port will negotiate a trunk when it detects another switch on the link), so before the port security feature can work correctly the port mode must first be set explicitly to access or trunk (on a Layer 3 switch the trunk encapsulation type must also be specified).

  • Secure address table entries: the mac-address-table records the relationship between ports and MAC addresses; when a device is plugged in, the switch learns the device's MAC address and adds it to the table.

    • Dynamic MAC address: the switch learns the MAC address on its own and re-learns and updates the MAC address table when the port state changes.

    • Static MAC address: the port and the MAC address are bound manually and the entry is added to the table; the port no longer learns addresses dynamically.

    • Sticky MAC address: the first MAC address learned dynamically is bound to the port; when the port state changes again, the port no longer learns new addresses.

  • When a port receives traffic from a MAC address that is not permitted, the switch takes one of the following violation actions:

    • Protect: drops the traffic from the disallowed MAC address but does not create a log message.

    • Restrict: drops the traffic from the disallowed MAC address, creates a log message and sends an SNMP trap.

    • Shutdown: the default option; places the port in the err-disabled state, creates a log message and sends an SNMP trap. To bring the port back up, shut it down and re-enable it manually ("close and open" the port) or use the errdisable recovery command; the latter is not available in the simulator.

Experimental Equipment: two 2960 switches, four PCs, straight-through and crossover cables.

Experimental topology :

[Figure 5.1.PNG: experimental topology diagram (image not reproduced)]

Experimental steps:

  • Enable the port security feature on the switch

  • Configure the maximum number of connections allowed on a switch port

  • View the IP and MAC address information of each host

  • Configure address bindings on the switch

  • View the switch port security configuration

Note: on the emulator, the show port-security command cannot be used on a Layer 3 switch.


PC settings (IP address; subnet mask 255.255.255.0 and gateway 192.168.1.1 on every PC):
  PC0  192.168.1.2
  PC1  192.168.1.3
  PC2  192.168.1.4
  PC3  192.168.1.5

On each PC (Command Prompt):
  ipconfig /all                                   // view the MAC (physical) address of each of the four PCs

Switch0 configuration:
  Switch>enable
  Switch#configure terminal
  Switch(config)#interface range fastEthernet 0/1-22
  Switch(config-if-range)#switchport mode access                         // configure the ports as access ports
  Switch(config-if-range)#switchport port-security                       // enable the port security feature
  Switch(config-if-range)#switchport port-security maximum 1             // allow at most 1 MAC address per port, i.e. one dynamic secure address
  Switch(config-if-range)#switchport port-security violation shutdown    // shut the port down when a violation is found
  Switch(config-if-range)#end
  Switch#show port-security                                              // view the port security configuration

Switch1 configuration:
  Switch>enable
  Switch#configure terminal
  Switch(config)#interface range fastEthernet 0/1-2
  Switch(config-if-range)#switchport mode access                         // port security is only accepted on an access or trunk port
  Switch(config-if-range)#switchport port-security                       // enable port security so that the sticky bindings are enforced
  Switch(config-if-range)#switchport port-security mac-address sticky    // enable sticky MAC addresses: the first MAC learned is bound to the port automatically
  // ping test: all links work
  // then swap PC2 and PC3 between their switch ports and ping again: the links now fail
  Switch(config-if-range)#end
  Switch#show mac-address-table                                          // view the port-to-MAC address bindings
  Switch#clear port-security sticky                                      // clear all bound sticky MAC addresses
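As an added check that is not part of the original lab: a Python script that audits a captured running-config against the policy configured above (access mode, port security enabled, at most one secure MAC, violation shutdown, sticky learning). The sample config, its interface names and the two non-compliant ports are constructed for this example.

```python
import re
# Constructed Catalyst 2960 running-config; interface names are assumed values.
SAMPLE_RUNNING_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation protect
!
interface FastEthernet0/3
 switchport mode access
!
interface FastEthernet0/24
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Map each 'interface X' block to the stripped list of its indented lines."""
    return {name: [l.strip() for l in body.splitlines()] for name, body in
            re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M)}

def audit_port_security(config, max_addr=1):
    """Map access ports that break the lab policy (port security on, at most
    max_addr MACs, violation shutdown, sticky learning) to their findings."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and dynamic ports are out of scope for this policy
        if "switchport port-security" not in lines:
            findings[name] = ["port-security not enabled"]
            continue
        # IOS hides the defaults (maximum 1, violation shutdown) in running-config
        opts = dict(m.groups() for l in lines if (m := re.fullmatch(
            r"switchport port-security (maximum|violation) (\w+)", l)))
        problems = []
        if int(opts.get("maximum", 1)) > max_addr:
            problems.append(f"maximum {opts['maximum']} exceeds {max_addr}")
        if opts.get("violation", "shutdown") != "shutdown":
            problems.append(f"violation mode is {opts['violation']}, expected shutdown")
        if "switchport port-security mac-address sticky" not in lines:
            problems.append("sticky MAC learning not enabled")
        if problems:
            findings[name] = problems
    return findings
```

Paste the output of show running-config in place of the sample to get a dict of non-compliant access ports and the reason for each; a port that is missing from the result passes the policy.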


Lab Environment: Windows 7, Cisco PT 7.0

Reference: CCNA Study Guide (7th edition)

