Port security has come up in more and more cases recently. It is mainly used to restrict access to a switch port by binding the client's MAC address to it. ACLs between VLANs are outside the scope of this note.
After several days of hands-on debugging, and drawing on the experience of my predecessors, I summarize my debugging experience as follows:
1. Cisco 29xx series switches can implement Layer 2 port security, that is, binding a MAC address to a port.
2. Cisco 3550 and higher switches can implement port security at both Layer 2 and Layer 3, that is, binding a MAC address to a port, and binding a MAC address to an IP address.
3. Taking the Cisco 3550 as an example, a MAC address can be bound to a port in two ways:
A. Set the port to accept only the MAC address of the first computer connected to it. Once the port has learned that first MAC address, frames sent by any other computer connected to the port are treated as illegal and discarded.
B. Set the port to accept only the MAC address of a specific computer. No other computer can use the port.
4. Ways of getting around it: there are many ways to defeat this, mainly by changing the MAC address of the new computer's NIC, but I think that in practice this method is of little use. The reason is simple: unless they are the network administrator, ordinary users do not normally pay attention to the MAC address of a valid computer, and they generally cannot get into a valid computer to read its MAC address, unless they are the user of that LAN.
5. Implementation method:
The two scenarios in point 3 are implemented differently.
A. Accept the MAC address of the first computer connected to the port:
Switch# configure terminal
Switch(config)# interface <interface-id> // enter the port to be configured
Switch(config-if)# switchport mode access // set the port to access mode
Switch(config-if)# switchport port-security // enable port security
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown} // how the port handles an unauthorized computer: protect = discard its frames silently, with no warning; restrict = discard its frames and issue a warning on the console; shutdown = put the port into the err-disabled state, where it stays down until the administrator manually re-enables it.
B. Accept the MAC address of a specific computer:
Switch# configure terminal
Switch(config)# interface <interface-id>
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security violation {protect | restrict | shutdown} // the steps up to here are the same as in A
Switch(config-if)# switchport port-security mac-address sticky // enable sticky learning of secure addresses
Switch(config-if)# switchport port-security aging static // enable aging for statically configured secure addresses
Switch(config-if)# switchport port-security mac-address sticky xxxx.xxxx.xxxx // enter the specific MAC address allowed on this port
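To check which access ports actually got the configuration from methods A and B, the following added audit script (not part of the original note, and not a Cisco tool) parses a constructed IOS running-config and flags access ports that have no port security, that use the silent protect violation mode, or that rely on learning the first host's MAC instead of a pinned address. The sample config and the interface names are assumptions.

```python
import re

# Constructed sample running-config (not from a real device): Gi0/1 follows method B, Gi0/2 method A with violation protect, Gi0/3 has no port security.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0001.0001.1111
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security violation protect
interface GigabitEthernet0/3
 switchport mode access
interface GigabitEthernet0/24
 switchport mode trunk
"""

# A secure MAC explicitly pinned to the port, either static or sticky with an address
MAC_RE = re.compile(r"^switchport port-security mac-address (?:sticky )?[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces

def audit(config):
    """Return (interface, finding) pairs for access ports with weak port security."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope here
        if "switchport port-security" not in lines:
            findings.append((name, "access port without port-security"))
            continue
        modes = [l.split()[-1] for l in lines if l.startswith("switchport port-security violation ")]
        if (modes[-1] if modes else "shutdown") == "protect":  # IOS default mode is shutdown
            findings.append((name, "violation mode protect drops silently with no log or trap"))
        if not any(MAC_RE.match(l) for l in lines):
            findings.append((name, "secure MAC learned from first host, not pinned to a known address"))
    return findings
```

Run it against the output of `show running-config` to get a list of ports that still need attention.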
How to bind a MAC address to an IP address:
Create a mapping table of MAC addresses to IP addresses on the switch. The IP address and MAC address seen on a port are checked against this table; if they do not match an entry, the packets sent from that port are discarded.
Implementation method:
Switch# configure terminal
Switch(config)# arp 1.1.1.1 0001.0001.1111 arpa
Note: every IP address in the subnet must be mapped to a MAC address. Unused IP addresses can be mapped to 2.16.0000.0000. Otherwise, the binding has no effect for IP addresses in the subnet that have no mapping.