Using Layer-2 port security to protect a long-distance fiber link between two Layer-3 switches

Source: Internet
Author: User

I. Overview:

On the forum I saw someone asking how to prevent a long-distance fiber line from being eavesdropped on or connected to another, unauthorized switch. If that is the case, port security can be used to prevent unauthorized connections; I logged on to the rack to run the test and recorded the results. Forum question link: Workshop.

II. Basic Ideas:

A. Assume that both switches are Layer-3 switches.

B. If the two switches are connected through routed (Layer-3) ports and each end statically binds the MAC address that belongs to the peer's IP address, an unauthorized Layer-3 device cannot attach, but this does nothing against a Layer-2 device inserted in the middle of the line to eavesdrop.

C. Encrypt the traffic with IPsec between the hosts. Unless both ends of the link are routers, this is not practical: with many hosts behind the switch at each end, configuring IPsec on every host is not feasible. (A high-end switch has never been used here; an ordinary Layer-3 switch does not seem to support an IPsec VPN.)

D. Although encrypting the data is the best way to prevent eavesdropping, encryption does not seem easy to deploy in this setup.

E. Use Layer-2 port security to prevent unauthorized access:
- The ports that connect the two switches are access ports, and an SVI for the interconnect VLAN is configured on both ends.
- Each switch makes sure the interconnect VLAN contains only the one interconnect interface.
- Both Layer-3 switches enable IP routing and point a (static or default) route at each other, so the networks behind the two switches can reach each other.
- Port security is configured on the interconnect port with a maximum of two MAC addresses, which are the only two the peer switch sources on the link: its physical port (STP/CDP/LLDP control frames) and its SVI (routed IP traffic). As long as no other Layer-2 device is on the line, only those two MACs are learned; when another Layer-2 device sends frames on the link, the port is shut down (err-disabled), which cuts off the eavesdropper.

Two points to keep in mind with E. The violation only fires on frames the inserted device sources itself (STP, CDP/LLDP, DHCP, management traffic and so on); a passive optical tap, or a bridge that forwards transparently and never transmits with its own address, is never seen as a third MAC, so this guards against a device that talks on the line, not against a silent tap. And with the default violation mode the port goes err-disabled and stays down until someone issues shutdown / no shutdown on it (or errdisable recovery cause psecure-violation is configured); that is fail-closed by design, but it also means a single injected frame takes the link down, so the violation syslog should be alerted on and investigated rather than just cleared. Sticky addresses are written into the running configuration, so save it (write memory) once the two peer MACs have been learned, or they are lost on reload.

This experiment only verifies feasibility. If possible, interconnect with routers and configure IPsec instead.

III. Test topology:

R4 f0/0 --- f0/4 SW1 f0/20 --- (long-distance fiber) --- f0/20 SW2 f0/5 --- f0/1 R5

IV. Basic Configuration:

A. R4:
interface FastEthernet0/0
 ip address 255.1.1.4 255.255.255.0
 no shut
no ip routing
ip default-gateway 255.1.1.1

B. SW1:
ip routing
interface FastEthernet0/4
 switchport access vlan 20
 switchport mode access
interface FastEthernet0/20
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
interface Vlan10
 ip address 10.1.1.1 255.255.255.252
interface Vlan20
 ip address 255.1.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.1.1.2

C. SW2:
ip routing
interface FastEthernet0/5
 switchport access vlan 30
 switchport mode access
interface FastEthernet0/20
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
interface Vlan30
 ip address 30.1.1.1 255.255.255.0
interface Vlan10
 ip address 10.1.1.2 255.255.255.252
ip route 0.0.0.0 0.0.0.0 10.1.1.1

(The interconnect SVI on SW2 must be Vlan10, the VLAN that f0/20 belongs to; the later "show int vlan 10" output on Sw2 confirms that is what was configured.)

D. R5:
interface FastEthernet0/1
 ip address 30.1.1.5 255.255.255.0
 no shut
no ip routing
ip default-gateway 30.1.1.1

V. Verification:

R4# ping 30.1.1.5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R4#

R5# ping 255.1.1.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 255.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5#

Sw1# show running-config interface f0/20
Building configuration...

Current configuration: 336 bytes
!
interface FastEthernet0/20
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0014.a80a.f716 vlan access
 switchport port-security mac-address sticky 0014.a80a.f741 vlan access
end

Sw2# show int f0/20 | in Hardware
  Hardware is Fast Ethernet, address is 0014.a80a.f716 (bia 0014.a80a.f716)
Sw2# show int vlan 10 | in Hardware
  Hardware is EtherSVI, address is 0014.a80a.f741 (bia 0014.a80a.f741)

Sw1# show mac address-table | in 0/20
  10    0014.a80a.f716    STATIC      Fa0/20
  10    0014.a80a.f741    STATIC      Fa0/20
Sw1#

Sw2# show running-config int f0/20
Building configuration...

Current configuration: 312 bytes
!
interface FastEthernet0/20
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001a.a164.b216
 switchport port-security mac-address sticky 001a.a164.b241
end

Sw1# show int f0/20 | in Hardware
  Hardware is Fast Ethernet, address is 001a.a164.b216 (bia 001a.a164.b216)
Sw1# show int vlan 10 | in Hardware
  Hardware is EtherSVI, address is 001a.a164.b241 (bia 001a.a164.b241)

Sw2# show mac address-table | in 0/20
  10    001a.a164.b216    STATIC      Fa0/20
  10    001a.a164.b241    STATIC      Fa0/20

So each switch has pinned exactly the two addresses the peer sources on the link: the peer's physical f0/20 port (the source of its STP/CDP/LLDP control frames) and the peer's Vlan10 SVI (the source of its routed IP traffic). Because no extra Layer-2 device could be inserted into the rack's line for this test, the violation was simulated by adding another interface to the interconnect VLAN (the VLAN that f0/20 belongs to): the interconnect port then received frames from a MAC address other than the two sticky ones, port security counted that as a violation, and the interface was shut down.
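As an added example (not code from the original post), the following Python script audits an interconnect port offline from the kind of "show" output and syslog a practitioner would collect from the two switches. It derives the two MAC addresses the peer is allowed to source (its physical port's BIA and its SVI's, the pair the sticky entries above pin), compares them with what the local switch has learned on the port, and pulls the PSECURE_VIOLATION and err-disable events for that port out of syslog. The four switch MACs are the lab's; the third station 0050.5600.1234, the syslog timestamps and the extra DYNAMIC table entry are constructed for the example, and the syslog message formats are the standard IOS ones.

```python
import re

# Added example, not part of the original post: an offline audit of the
# interconnect port over constructed copies of "show" output and syslog.

# Constructed: the peer's (Sw2's) own addresses as printed by
# "show int ... | in Hardware". The MACs are the ones the post records.
PEER_HARDWARE = """\
Sw2# show int f0/20 | in Hardware
  Hardware is Fast Ethernet, address is 0014.a80a.f716 (bia 0014.a80a.f716)
Sw2# show int vlan 10 | in Hardware
  Hardware is EtherSVI, address is 0014.a80a.f741 (bia 0014.a80a.f741)
"""

# Constructed: Sw1's MAC table for the interconnect port, with a third
# (unexpected, constructed) address 0050.5600.1234 appearing on the link.
LOCAL_MAC_TABLE = """\
Sw1# show mac address-table | in 0/20
  10    0014.a80a.f716    STATIC      Fa0/20
  10    0014.a80a.f741    STATIC      Fa0/20
  10    0050.5600.1234    DYNAMIC     Fa0/20
"""

# Constructed syslog lines in the standard IOS format for a port-security
# violation followed by the err-disable action (timestamps are made up).
SYSLOG = """\
Jan  1 00:01:02.123: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.5600.1234 on port FastEthernet0/20.
Jan  1 00:01:02.125: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/20, putting Fa0/20 in err-disable state
"""

MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.I)
IFNAME_RE = re.compile(r"^([A-Z][a-z])[A-Za-z]*(\d[\d/.]*)$")


def short_ifname(name):
    """Normalise 'FastEthernet0/20' and 'Fa0/20' to the same short form."""
    m = IFNAME_RE.match(name.strip())
    return m.group(1) + m.group(2) if m else name.strip()


def expected_peer_macs(hardware_output):
    """MACs the peer legitimately sources on the link: its physical port
    (STP/CDP/LLDP control frames) and its SVI (routed IP traffic)."""
    return {m.lower() for m in MAC_RE.findall(hardware_output)}


def learned_macs(mac_table_output, port):
    """Map MAC -> (vlan, type) for the entries the local switch holds on `port`."""
    port = short_ifname(port)
    learned = {}
    for line in mac_table_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and short_ifname(fields[-1]) == port:
            learned[fields[1].lower()] = (int(fields[0]), fields[2])
    return learned


def audit_link(expected, learned, maximum=2):
    """Compare what port security should have pinned against what is there."""
    seen = set(learned)
    return {
        "unexpected": seen - expected,      # a third station talking on the line
        "missing": expected - seen,         # peer not learned: link or VLAN problem
        "over_limit": len(seen) > maximum,  # more MACs than "maximum" allows
        "ok": seen == expected and len(seen) <= maximum,
    }


def violations(syslog, port):
    """(offending MAC, port) for each PSECURE_VIOLATION logged on `port`."""
    port = short_ifname(port)
    out = []
    for line in syslog.splitlines():
        m = re.search(r"PSECURE_VIOLATION: .* MAC address (\S+) on port (\S+?)\.?$", line)
        if m and short_ifname(m.group(2)) == port:
            out.append((m.group(1).lower(), short_ifname(m.group(2))))
    return out


def err_disabled(syslog, port):
    """True if syslog shows `port` was err-disabled for psecure-violation."""
    port = short_ifname(port)
    for line in syslog.splitlines():
        if "ERR_DISABLE" in line and "psecure-violation" in line:
            m = re.search(r"putting (\S+) in err-disable", line)
            if m and short_ifname(m.group(1)) == port:
                return True
    return False


if __name__ == "__main__":
    expected = expected_peer_macs(PEER_HARDWARE)
    learned = learned_macs(LOCAL_MAC_TABLE, "Fa0/20")
    print("expected peer MACs:", sorted(expected))
    print("audit:", audit_link(expected, learned))
    print("violations:", violations(SYSLOG, "Fa0/20"))
    print("err-disabled:", err_disabled(SYSLOG, "Fa0/20"))
```

Run it over saved output from both switches: a "missing" peer MAC points at a link or VLAN problem, an "unexpected" one at a station talking on the fiber, and an err-disable event means the port has to be recovered (shutdown / no shutdown, or errdisable recovery cause psecure-violation) once the cause has been found rather than simply cleared.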

Http://333234.blog.51cto.com/323234/1318930
