Shenzhou Digital DCS-3950 switch for port binding

Port binding with Shenzhou digital DCS-3950

The importance of port bindings is no longer said to avoid computer access to the switch

First, Mac and port binding only (via Port-security)

Dcs-3950-26c#conf
dcs-3950-26c (config) #int E0/0/1--port bindings need to go inside the interface and take effect only for the current port
DCS-3950-26C (CONFIG-IF-ETHERNET0/0/1) #switchport port-security--Open port Safe Mode
DCS-3950-26C (CONFIG-IF-ETHERNET0/0/1) #switchport port-security mac-address aa-22-33-44-55-66-- Bind aa-22-33-44-55-66 to Port 1
DCS-3950-26C (CONFIG-IF-ETHERNET0/0/1) #

Test the phenomenon, when aa-22-33-44-55-66 this computer connects to Port 1 o'clock, can work normally, connect to other ports, the switch does not forward the data frame for it, the network does not pass; when other MAC addresses are connected to the switch, inserting to any port including 1 can work correctly, Switches are forwarded for them.

Port security default One port can only be configured with one entry, and if multiple entries need to be configured, the following settings are required

DCS-3950-26C (CONFIG-IF-ETHERNET0/0/1) #switchport port-security maximum?
<1-128> Maximum Addrs <1-128>

Enter the number you want.

In addition, port-security can also dynamically learn, then lock, then transform, dynamic binding

DCS-3950-26C (CONFIG-IF-ETHERNET0/0/1) #switchport port-security Lock
DCS-3950-26C (CONFIG-IF-ETHERNET0/0/1) #switchport port-security Convert

After locking, the switch will no longer learn the new access Mac from this port

Conclusion: A bound MAC address can only work on a bound port, and a MAC address without a binding may work on any port.

Two, only Mac and port binding (through Mac-address-table)

Next, use different commands to achieve the same experimental results as just now. This time using the switch MAC Address table, will be bound to the address of the static configuration to a port, do not allow other ports to learn the MAC address, implementation of the binding function.

dcs-3950-26c (config) #mac-address-table static address aa-22-33-44-55-66 VLAN 1 interface E0/0/2

dcs-3950-26c (config) #mac-add sta add aa-22-33-55-66-77 VL 1 int E0/0/2

A binding of two addresses was made on the second port, and the experimental phenomenon was identical to the first one.

Three, MAC, IP port binding (via AM command)

The above two examples, are only the MAC address restrictions, no binding on IP, in practice, many cases will be binding on IP addresses, to avoid the phenomenon of IP conflict.

dcs-3950-26c (config) #am enable--turn on the Switch AM feature

DCS-3950-26C (CONFIG-IF-ETHERNET0/0/14) #am Port--ports AM feature is turned on, and when the port is set to AM, the port is not connected without adding entries.

At this point the test in 14-port computer Ping Other ports of the computer, the other port computers ping, all through

DCS-3950-26C (CONFIG-IF-ETHERNET0/0/14) #am mac-ip-pool 00-e0-42-04-0f-4a 172.16.0.1
DCS-3950-26C (CONFIG-IF-ETHERNET0/0/14) #

At this point 14 port 00-e0-42-04-0f-4a 172.16.0.1 This computer and other computers can ping, the other 14 ports under the still can not

DCS-3950-26C (CONFIG-IF-ETHERNET0/0/14) #am mac-ip-pool 00-e0-81-08-16-ac 172.16.0.2
DCS-3950-26C (CONFIG-IF-ETHERNET0/0/14) #

At this point the 14-port 00-e0-42-04-0f-4a 172.16.0.1 and 00-e0-81-08-16-ac 172.16.0.2 these two computers
Can ping with other computers, the other 14 ports under the still can't

Unplug the 14-port cable plug into 15, test results, the result is through

Unplug the other port cable, insert to 14, test effect, the result is not pass

Turn off AM feature
The no AM port can be closed on the port
You can also turn off the no AM enable globally

Conclusion: AM can be used to bind the port to Mac and IP, but when the network cable is plugged into another port, am is powerless.

Iv. binding of the true meaning

Combine using port-security with AM or mac-address-table with AM
The binding that implements the true meaning.