Cisco PT Simulation Experiment (7): Port Security Configuration on a Switch
Experimental Purpose:
Master the port security function of the switch and use it to control which users may access the network.
Experimental Background:
The company's network assigns each user a fixed IP address. To prevent internal users from borrowing or using someone else's IP address, connecting to the switch without authorization, and similar violations, and to guard against attacks and sabotage from both the public and the internal network, the company requires strict control over network access. This calls for the appropriate configuration on the switch.
Technical Principle:
Port security lets the switch control and manage traffic based on MAC addresses: binding a MAC address to a specific port, limiting the number of MAC addresses a port can learn, or allowing frames only from certain MAC addresses on a specific port. A further extension of port security is to control network access with 802.1X.
Cisco switch ports default to dynamic desirable mode (the port negotiates a trunk when it detects another switch on the link), so for port security to work reliably the port mode must first be set explicitly to access or trunk (on a Layer 3 switch the trunk encapsulation type must also be specified).
Secure address table: the mac-address-table records which MAC address is reachable through which port. When a device is plugged in, the switch learns its MAC address and adds the entry to the table.
Dynamic MAC address: the switch learns the MAC address on its own, and re-learns and updates the table when the port state changes.
Static MAC address: the port and MAC address are bound by configuration and added to the table; the port no longer learns addresses dynamically.
Sticky MAC address: the first MAC address learned dynamically is bound to the port and saved in the configuration; after that, even when the port state changes, the port no longer learns new addresses.
When a port receives traffic from a MAC address that is not allowed, the switch takes one of the following violation actions:
Protect: discards the traffic from the disallowed MAC address but does not create a log message.
Restrict: discards the traffic from the disallowed MAC address, creates a log message and sends an SNMP trap.
Shutdown: the default option; places the port in the err-disabled state, creates a log message and sends an SNMP trap. To bring the port back up you must "shut" and "no shut" the interface, or use the errdisable recovery command (the latter is not available in the simulator).
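To make the three violation modes concrete, here is a small Python model of a single port-security port. It is an added example written for this page, not code from the original post or from Cisco; the port names and MAC addresses in it are constructed. It feeds the same frame sequence (PC0, PC0, a second PC plugged into PC0's port, PC0 again) to a maximum-1 port in each mode and records what happens to each frame, the violation counter, and whether the port ends up err-disabled. It also shows why a sticky address survives a shut/no shut while a dynamically learned one does not.

```python
"""Added example, not code from the original post: a small Python model of one
port-security port, showing how the secure-address table, the per-port maximum
and the three violation modes (protect / restrict / shutdown) interact.
All port names and MAC addresses below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1             # switchport port-security maximum N
    violation: str = "shutdown"  # protect | restrict | shutdown (IOS default)
    sticky: bool = False         # switchport port-security mac-address sticky
    secure_macs: list = field(default_factory=list)    # secure address table
    sticky_config: list = field(default_factory=list)  # lines a sticky port writes to running-config
    err_disabled: bool = False
    violations: int = 0          # the SecurityViolation counter shown by 'show port-security'
    log: list = field(default_factory=list)            # syslog / SNMP-trap events

    def receive(self, src_mac: str) -> str:
        """Handle one ingress frame and return what the switch does with it."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "dropped (port err-disabled)"
        if src_mac in self.secure_macs:
            return "forwarded"
        if len(self.secure_macs) < self.maximum:
            # Room left under the maximum: learn it as a secure address.
            self.secure_macs.append(src_mac)
            if self.sticky:
                self.sticky_config.append(
                    f"switchport port-security mac-address sticky {src_mac}")
            return "forwarded (learned)"
        # Unknown source MAC with a full table: a security violation.
        if self.violation == "protect":
            # Silent drop: no log, no trap, counter not incremented.
            return "dropped"
        self.violations += 1
        if self.violation == "restrict":
            self.log.append(f"PORT_SECURITY violation on {self.name} by {src_mac}")
            return "dropped (logged, SNMP trap)"
        # shutdown: the whole port goes err-disabled.
        self.err_disabled = True
        self.log.append(f"ERR_DISABLE psecure-violation on {self.name}")
        return "dropped (port err-disabled, logged, SNMP trap)"

    def shut_no_shut(self) -> None:
        """Operator recovery ('shutdown' then 'no shutdown' on the interface).
        Dynamically learned secure MACs are forgotten; sticky ones stay bound
        because they live in the running configuration."""
        self.err_disabled = False
        if not self.sticky:
            self.secure_macs.clear()


def compare_modes():
    """Feed the same frame sequence (PC0, PC0, another PC plugged into PC0's
    port, PC0 again) to a maximum-1 port in each violation mode."""
    frames = ["0001.0001.0001", "0001.0001.0001", "0002.0002.0002", "0001.0001.0001"]
    results = {}
    for mode in ("protect", "restrict", "shutdown"):
        port = SecurePort("Fa0/1", maximum=1, violation=mode)
        results[mode] = [port.receive(mac) for mac in frames]
        results[mode + "_violations"] = port.violations
        results[mode + "_err_disabled"] = port.err_disabled
    return results


if __name__ == "__main__":
    for key, value in compare_modes().items():
        print(key, value)
```

Running it shows the practical difference between the modes: in protect and restrict the legitimate PC keeps working after the stray frame, while in shutdown every later frame is dropped until an operator recovers the port, which is why shutdown is the safest default but also the one that needs monitoring.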
Experimental Equipment: 2 × 2960 switches, 4 PCs, straight-through cables, crossover cable.
Experimental topology:
(Topology diagram 5.1.PNG: https://s5.51cto.com/wyfs02/M02/9C/A8/wKioL1l0LsvRete2AABQPJo0mhQ130.png-wh_500x0-wm_3-wmp_4-s_478582444.png)
Experimental steps:
Enable the port security feature on the switch
Configure the maximum number of connections allowed per switch port
View the IP and MAC address information of each host
Configure address bindings on the switch
View the switch port security configuration
Note: in the simulator, the show port-security command cannot be used on a Layer 3 switch.
PC settings
PC0  192.168.1.2
PC1  192.168.1.3
PC2  192.168.1.4
PC3  192.168.1.5
Subnet mask 255.255.255.0 and gateway 192.168.1.1 on all four PCs
On each PC, open Command Prompt (cmd) and run ipconfig /all to view that PC's MAC address
Switch0 configuration
Switch>enable
Switch#configure terminal
Switch(config)#interface range fastEthernet 0/1-22
Switch(config-if-range)#switchport mode access                        // set the ports to access mode
Switch(config-if-range)#switchport port-security                      // enable the port security feature
Switch(config-if-range)#switchport port-security maximum 1            // allow one secure MAC per port, i.e. enable a single dynamic secure address
Switch(config-if-range)#switchport port-security violation shutdown   // on a violation, err-disable the port
Switch(config-if-range)#end
Switch#show port-security                                             // view the port security configuration
Switch1 configuration
Switch>enable
Switch#configure terminal
Switch(config)#interface range fastEthernet 0/1-2
Switch(config-if-range)#switchport mode access                        // set the ports to access mode
Switch(config-if-range)#switchport port-security                      // port security must be enabled before sticky learning takes effect
Switch(config-if-range)#switchport port-security mac-address sticky   // enable sticky MAC addresses: the first MAC seen on each port is bound automatically
Switch(config-if-range)#end
// ping test between the PCs: all links work
// then swap PC2 and PC3 between the two switch ports and ping again: the links fail
Switch#show mac-address-table                                         // view the port/MAC address bindings
Switch#clear port-security sticky                                     // clear all bound sticky MAC addresses
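The last step of the procedure is to read the output of show port-security and decide whether every port matches the intended policy. As an added example (not from the original post or from Cisco), the Python script below parses the summary table that command prints and flags ports that are missing from it (port security not enabled), have a violation count above zero, or deviate from the policy configured on Switch0 (maximum 1, action shutdown). The SAMPLE_OUTPUT text is constructed to resemble IOS output on the lab switches; it is not a real capture, and the port names are assumptions.

```python
"""Added example, not code from the original post: parse the summary table that
'show port-security' prints and audit it against the lab policy (maximum 1,
violation action shutdown, port security enabled on every access port).
SAMPLE_OUTPUT is constructed to resemble Cisco IOS output; it is not a real capture."""
import re

SAMPLE_OUTPUT = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
      Fa0/2              1            1                  1         Shutdown
      Fa0/3              1            0                  0         Restrict
      Fa0/4              3            2                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 1
Max Addresses limit in System (excluding one mac per port) : 8192
"""

# One data row: port, max, current, violation count, action.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Protect|Restrict|Shutdown)\s*$")


def parse_port_security(text: str) -> list:
    """Return one dict per secure port found in the summary table."""
    ports = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports.append({
                "port": m.group(1),
                "max": int(m.group(2)),
                "current": int(m.group(3)),
                "violations": int(m.group(4)),
                "action": m.group(5),
            })
    return ports


def audit(ports: list, expected_ports: list,
          expected_max: int = 1, expected_action: str = "Shutdown") -> list:
    """Flag ports that deviate from policy or have recorded violations.
    Returns (port, message) tuples."""
    findings = []
    seen = {p["port"] for p in ports}
    for name in expected_ports:
        if name not in seen:
            # A port absent from the table has no port security at all.
            findings.append((name, "port security not enabled"))
    for p in ports:
        if p["violations"] > 0:
            findings.append((p["port"], f"{p['violations']} violation(s) recorded: "
                                        "check for an unknown or moved device"))
        if p["max"] != expected_max:
            findings.append((p["port"], f"maximum is {p['max']}, policy requires {expected_max}"))
        if p["action"] != expected_action:
            findings.append((p["port"], f"violation action is {p['action']}, "
                                        f"policy requires {expected_action}"))
    return findings


if __name__ == "__main__":
    expected = [f"Fa0/{i}" for i in range(1, 6)]   # constructed port list for the demo
    for port, msg in audit(parse_port_security(SAMPLE_OUTPUT), expected):
        print(f"{port}: {msg}")
```

On the constructed sample this reports Fa0/2 for its violation, Fa0/3 and Fa0/4 for the wrong action (and Fa0/4 for the wrong maximum), and Fa0/5 for having no port security; Fa0/1 passes. The same pattern applies to real output pasted from the simulator's CLI.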
Lab Environment: Windows 7, Cisco PT 7.0
Reference: CCNA Study Guide (7th edition)