交换机端口安全配置实验(MAC动态绑定和静态绑定)

原创

老赵网络 2018-05-14 09:16:38 ©著作权

文章标签 端口安全交换机 port security sticky 文章分类 网络安全

©著作权归作者所有：来自51CTO博客作者老赵网络的原创作品，请联系作者获取转载授权，否则将追究法律责任

1、根据拓扑完成上图，可以配置pc的地址为192.168.1.1-192.168.1.4 2、配置安全端口 Switch>enable switch#conf t Switch(config)#interface f0/1 Switch(config-if)#switchport mode access ** 配置access模式** Switch(config-if)#switchport port-security ** 开启安全端口** Switch(config-if)# do show port inter f0/1 ** 查看安全端口信息** Port Security : Enabled ** 已经开启** Port Status : Secure-up Violation Mode : Shutdown Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 0 Configured MAC Addresses : 0 Sticky MAC Addresses : 0 Last Source Address:Vlan : 0000.0000.0000:0 Security Violation Count : 0

Switch(config-if)#switchport port-security maximum 2

设置最大接入MAC地址数为2 Switch(config-if)#switchport port-security mac-address sticky ** 自动获得接入设备的MAC ** Switch(config-if)#switchport port-security violation ?
违规处理方式 protect Security violation protect mode
保护- 丢弃数据，不告警 restrict Security violation restrict mode
抵制 –丢弃数据，发告警 shutdown Security violation shutdown mode
关闭- 丢弃数据，发告警并关闭链路 Switch(config-if)#switchport port-security violation protect ** 选择违规处理方式为保护** Switch(config-if)#end Switch# Switch#show port-security address ** 查看地址表** Secure Mac Address Table

Vlan Mac Address Type Ports Remaining Age (mins)

1 0002.4AA6.D46D SecureSticky FastEthernet0/1 - 1 0010.1108.D197 SecureSticky FastEthernet0/1 -

Total Addresses in System (excluding one mac per port) : 1 Max Addresses limit in System (excluding one mac per port) : 1024

验证试验，两台先接入的主机可以访问PC3 ，第三台不能访问PC3 说明试验成功。

验证安全端口的另外一种模式-静态绑定

Switch#conf t Switch(config)# Switch(config)#interface f0/1 Switch(config-if)#no switchport port-security mac-address sticky 删除动态绑定 Switch(config-if)#do show port add Secure Mac Address Table

Vlan Mac Address Type Ports Remaining Age

1 0002.4AA6.D46D SecureSticky FastEthernet0/1 -
动态绑定的地址还在 1 0010.1108.D197 SecureSticky FastEthernet0/1 -

Total Addresses in System (excluding one mac per port) : 1 Max Addresses limit in System (excluding one mac per port) : 1024 Switch(config-if)#end Switch#clear port-security sticky
清除动态绑定地址 Switch#show port-security address Secure Mac Address Table

Vlan Mac Address Type Ports Remaining Age (mins)

Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 1024

Switch#conf t Switch(config)#interface f0/1 Switch(config-if)#switchport port-security mac-address 00D0.FF76.14ED ** 手动绑定PC的MAC** Switch(config-if)#switchport port-security mac-address 0010.1108.D197

PC的MAC地址需要你自己在pC 的命令提示符下获取，获取方法：ipconfig /all

验证试验，静态绑定的PC可以访问PC3 ，其他不可以访问PC3 ，证明试验成功。