How to configure IP on a Cisco switch

Source: Internet
Author: User

How to configure IP address and MAC address binding on a Cisco switch

Content Summary:

At present, many companies' internal networks have adopted MAC address and IP address binding. This article introduces how to configure IP address and MAC address binding on Cisco switches.





IP address and MAC address: The IP address is assigned according to the current IPv4 standard; it is not tied to the hardware and is 4 bytes long. The MAC address is the physical address of the network card, stored in the EPROM of the network card; it is tied to the hardware and is 6 bytes long.

In switched networks, the switch maintains a MAC address table and forwards data to the destination computer based on the MAC address.

Why bind the MAC address to the IP address: An IP address is very easy to change, whereas the MAC address is stored in the network card's EEPROM and is unique to that card. Therefore, to prevent internal personnel from IP spoofing (such as appropriating the IP address of a host with higher privileges to obtain information beyond their authority), you can bind each internal IP address to a MAC address. Even if a user changes the IP address, the attempt fails because the MAC address does not match. And because the MAC address of a network card is unique, the card using a given MAC address can be traced, and through it the person responsible.

Cisco offers the following three schemes. Scheme 1 and Scheme 2 implement the same functionality: binding a specific host's MAC address (NIC hardware address) to a specific switch port. Scheme 3 binds both the MAC address (NIC hardware address) and the IP address of a specific host on a specific switch port.





1. Scheme 1 -- port-based MAC address binding

Taking the Cisco 2950 switch as an example: log in to the switch, enter the management password to reach configuration mode, and type the commands:

Switch# configure terminal
# Enter configuration mode

Switch(config)# interface fastethernet 0/1
# Enter the configuration mode for the specific port

Switch(config-if)# switchport port-security
# Configure port security mode

Switch(config-if)# switchport port-security mac-address MAC (host's MAC address)
# Configure the MAC address of the host to which this port is bound

Switch(config-if)# no switchport port-security mac-address MAC (host's MAC address)
# Delete the MAC address of the bound host





Note:

The commands above bind one port of the switch to a specific MAC address, so that only this host can use the network through the port. If the host's network card is replaced, or another PC tries to use the network through this port, it will not work until the MAC address bound to the port is deleted or modified.

Note:

The above features apply to Cisco 2950, 3550, 4500 and 6500 series switches.

2. Scheme 2 -- extended access list based on MAC address





Switch(config)# mac access-list extended MAC10
# Define a MAC address access control list named MAC10

Switch(config-ext-macl)# permit host 0009.6BC4.D4BF any
# Allow the host with MAC address 0009.6BC4.D4BF to access any host

Switch(config-ext-macl)# permit any host 0009.6BC4.D4BF
# Allow any host to access the host with MAC address 0009.6BC4.D4BF

Switch(config)# interface fa0/20
# Enter the configuration mode for the specific port

Switch(config-if)# mac access-group MAC10 in
# Apply the access list named MAC10 (that is, the access policy defined earlier) on the port

Switch(config)# no mac access-list extended MAC10
# Delete the access list named MAC10





This scheme is much the same as Scheme 1, but it is a restriction based on a MAC address access control list applied to the port, so it can limit specific source MAC addresses and destination address ranges.

Note:

The above functions can be implemented on Cisco 2950, 3550, 4500 and 6500 series switches, but note that the 2950 and 3550 require the switch to run the enhanced software image (Enhanced Image).





3. Scheme 3 -- binding IP address and MAC address

IP-MAC binding can only be achieved by combining Scheme 1 or Scheme 2 with an IP-based access control list.





Switch(config)# mac access-list extended MAC10
# Define a MAC address access control list named MAC10

Switch(config-ext-macl)# permit host 0009.6BC4.D4BF any
# Allow the host with MAC address 0009.6BC4.D4BF to access any host

Switch(config-ext-macl)# permit any host 0009.6BC4.D4BF
# Allow any host to access the host with MAC address 0009.6BC4.D4BF

Switch(config)# ip access-list extended IP10
# Define an IP address access control list named IP10

Switch(config-ext-nacl)# permit ip 192.168.0.1 0.0.0.0 any
# Allow the host with IP address 192.168.0.1 to access any host

Switch(config-ext-nacl)# permit ip any 192.168.0.1 0.0.0.0
# Allow any host to access the host with IP address 192.168.0.1

Switch(config)# interface fa0/20
# Enter the configuration mode for the specific port

Switch(config-if)# mac access-group MAC10 in
# Apply the access list named MAC10 (that is, the access policy defined earlier) on the port

Switch(config-if)# ip access-group IP10 in
# Apply the access list named IP10 (that is, the access policy defined earlier) on the port

Switch(config)# no mac access-list extended MAC10
# Delete the access list named MAC10

Switch(config)# no ip access-list extended IP10
# Delete the access list named IP10





To summarize: Scheme 1 binds the host MAC address to a switch port, and Scheme 2 is based on a MAC address access control list; the first two schemes achieve similar functionality. IP and MAC address binding can only be achieved with Scheme 3, that is, by using Scheme 1 or Scheme 2 together with an IP access control list.
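A way to check that Scheme 3 is actually in force on each port, as an added Python example that is not part of the original article: it parses a running-config and reports ports that have only one of the two access groups applied, or that still reference a list that is no longer defined (for instance after the delete commands shown above). The sample config, the function name and the MAC11 list are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the page): fa0/20 follows Scheme 3,
# fa0/21 applies only the MAC list, fa0/22 references a list that is not defined.
SAMPLE_CONFIG = """\
mac access-list extended MAC10
 permit host 0009.6bc4.d4bf any
 permit any host 0009.6bc4.d4bf
ip access-list extended IP10
 permit ip host 192.168.0.1 any
 permit ip any host 192.168.0.1
interface FastEthernet0/20
 mac access-group MAC10 in
 ip access-group IP10 in
interface FastEthernet0/21
 mac access-group MAC10 in
interface FastEthernet0/22
 mac access-group MAC11 in
 ip access-group IP10 in
"""

def audit_ip_mac_binding(config):
    """Return {interface: [findings]} for ports whose IP-MAC binding is incomplete."""
    defined = {"mac": set(), "ip": set()}   # access lists defined in the config
    ports = {}                              # interface -> {"mac": name, "ip": name}
    current = None
    for line in config.splitlines():
        m = re.match(r"(mac|ip) access-list extended (\S+)", line)
        if m:
            defined[m.group(1)].add(m.group(2))
            continue
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), {})
            continue
        m = re.match(r"\s+(mac|ip) access-group (\S+) in", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    findings = {}
    for name, bound in ports.items():
        issues = []
        for kind in ("mac", "ip"):
            if kind not in bound:
                issues.append(f"no {kind} access-group applied")
            elif bound[kind] not in defined[kind]:
                issues.append(f"{kind} access-list {bound[kind]} is not defined")
        if issues:
            findings[name] = issues
    return findings
```

Calling `audit_ip_mac_binding(SAMPLE_CONFIG)` reports fa0/21 and fa0/22 and leaves fa0/20 out, since only that port has both lists defined and applied.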





Note: The above features can be implemented on Cisco 2950, 3550, 4500 and 6500 series switches, but note that the 2950 and 3550 require the switch to run the enhanced software image (Enhanced Image).

Note: On the surface, binding the MAC address to the IP address prevents internal IP addresses from being stolen. In fact, because of how the protocol layers and network card drivers are implemented, MAC address and IP address binding has a large defect and cannot really prevent internal IP addresses from being stolen.
