Switch Settings for IP-MAC Binding

Source: Internet
Author: User
Tags cisco 2950


IP-MAC binding switch settings

Solution 1: bind a MAC address to a port

Using a Cisco 2950 switch as an example: log on to the switch, enter the management password to enter configuration mode, and run the following commands (MAC stands for the MAC address of the host):

    ! enter configuration mode
    Switch# config terminal
    ! enter the configuration mode of the specific port
    Switch(config)# interface fastethernet 0/1
    ! enable port security on the port
    Switch(config-if)# switchport port-security
    ! bind the MAC address of the host to this port
    Switch(config-if)# switchport port-security mac-address MAC
    ! delete the MAC address of the bound host
    Switch(config-if)# no switchport port-security mac-address MAC

Purpose: bind a specific MAC address to a port on the switch so that only that host can use the network through it. If the host's NIC is changed, or another PC tries to use the network via this port, it will not work unless the MAC address bound to the port is deleted or modified.

Note: The above functions are applicable to Cisco 2950, 3550, 4500, and 6500 series switches.

Solution 2: MAC address-based extended access list

    ! define a MAC address access control list named MAC10
    Switch(config)# mac access-list extended MAC10
    ! the host with MAC address 0009.6bc4.d4bf can access any host
    Switch(config-ext-macl)# permit host 0009.6bc4.d4bf any
    ! all hosts can access the host with MAC address 0009.6bc4.d4bf
    Switch(config-ext-macl)# permit any host 0009.6bc4.d4bf
    ! enter the configuration mode of the specific port
    Switch(config-ext-macl)# interface Fa0/20
    ! apply the access list named MAC10 (the policy defined above) on this port
    Switch(config-if)# mac access-group MAC10 in

    ! clear the access list named MAC10
    Switch(config)# no mac access-list extended MAC10

This is largely the same as solution 1, but because it is a port-based MAC address access control list restriction, you can specify the source MAC address and the destination address range.

Note: The above functions can be implemented on Cisco 2950, 3550, 4500, and 6500 series switches, but note that the 2950 and 3550 require an Enhanced software Image (Enhanced Image) on the switch.

Solution 3: bind an IP address to a MAC address

IP-MAC binding can only be achieved by combining solution 1 or 2 with an IP address-based access control list.

    ! define a MAC address access control list named MAC10
    Switch(config)# mac access-list extended MAC10
    ! the host with MAC address 0009.6bc4.d4bf can access any host
    Switch(config-ext-macl)# permit host 0009.6bc4.d4bf any
    ! all hosts can access the host with MAC address 0009.6bc4.d4bf
    Switch(config-ext-macl)# permit any host 0009.6bc4.d4bf
    ! define an IP address access control list named IP10
    Switch(config-ext-macl)# ip access-list extended IP10
    ! the host with IP address 192.168.0.1 can access any host
    Switch(config-ext-nacl)# permit ip 192.168.0.1 0.0.0.0 any
    ! all hosts can access the host with IP address 192.168.0.1
    Switch(config-ext-nacl)# permit ip any 192.168.0.1 0.0.0.0
    ! enter the configuration mode of the specific port
    Switch(config-ext-nacl)# interface Fa0/20
    ! apply the access list named MAC10 (the policy defined above) on this port
    Switch(config-if)# mac access-group MAC10 in
    ! apply the access list named IP10 (the policy defined above) on this port
    Switch(config-if)# ip access-group IP10 in

    ! clear the access list named MAC10
    Switch(config)# no mac access-list extended MAC10
    ! clear the access list named IP10
    Switch(config)# no ip access-list extended IP10

Solution 1 is based on binding the host MAC address to the switch port. Solution 2 is an access control list based on the MAC address. The functions of the first two solutions are roughly the same. If you want to bind an IP address to a MAC address, combine solution 1 or solution 2 with an IP address access control list as needed to achieve the desired effect.

Note: The above functions can be implemented on Cisco 2950, 3550, 4500, and 6500 series switches, but note that the 2950 and 3550 require an Enhanced software Image (Enhanced Image) on the switch.

Postscript: On the surface, binding MAC addresses and IP addresses can prevent internal IP addresses from being stolen. However, because of the way various protocols and NIC drivers are implemented, binding a MAC address to an IP address has many drawbacks and cannot prevent internal IP addresses from being stolen.
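An added example, not part of the original article: a Python check that reads a switch configuration and reports, per interface, whether it carries the MAC binding of solution 1 or 2, the combined IP-MAC binding of solution 3, or neither. The sample configuration is constructed, and the function name `audit_bindings` and the level labels are assumptions of this example.

```python
import re

# Constructed sample running-config excerpt (not taken from the page).
SAMPLE_CONFIG = """\
mac access-list extended MAC10
 permit host 0009.6bc4.d4bf any
interface FastEthernet0/1
 switchport port-security
 switchport port-security mac-address 0009.6bc4.d4bf
interface FastEthernet0/2
 switchport port-security
interface FastEthernet0/20
 mac access-group MAC10 in
 ip access-group IP10 in
interface FastEthernet0/21
 ip access-group IP99 in
ip access-list extended IP10
 permit ip host 192.168.0.1 any
"""
MAC_RE = r"[0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2}"

def audit_bindings(config):
    """Map each interface to (binding level, list of issues)."""
    acls, ports, port = {"mac": set(), "ip": set()}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line opens a new section
            port = None
            if m := re.match(r"(mac|ip) access-list extended (\S+)", line):
                acls[m[1]].add(m[2])
            elif m := re.match(r"interface (\S+)", line):
                port = ports.setdefault(m[1], {"psec": False, "macs": [], "mac": None, "ip": None})
        elif port is not None:
            if line == "switchport port-security":
                port["psec"] = True
            elif m := re.match(rf"switchport port-security mac-address ({MAC_RE})", line):
                port["macs"].append(m[1].lower())
            elif m := re.match(r"(mac|ip) access-group (\S+) in$", line):
                port[m[1]] = m[2]
    report = {}
    for name, p in ports.items():
        issues = [f"{k} access-group {p[k]} is not defined"
                  for k in ("mac", "ip") if p[k] and p[k] not in acls[k]]
        if p["psec"] and not p["macs"]:
            issues.append("port-security enabled without a static MAC")
        mac_bound = (p["psec"] and bool(p["macs"])) or p["mac"] in acls["mac"]
        ip_bound = p["ip"] in acls["ip"]
        level = "ip-mac" if mac_bound and ip_bound else "mac-only" if mac_bound else "none"
        report[name] = (level, issues)
    return report
```

Calling `audit_bindings(SAMPLE_CONFIG)` returns one entry per interface; ACL definitions are collected from the whole configuration before interfaces are classified, so their order in the file does not matter.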
 
