Huawei eNSP simulator experiment: port security with MAC address and IP address binding

With port security, the switch records in its MAC address table the Ethernet MAC addresses connected to each switch port and allows only specific MAC addresses to communicate through that port. The port security feature prevents unauthorized devices from accessing the network and enhances security. It can also be used to prevent MAC address flooding from filling up the MAC address table.

A brief understanding of port security is enough here, so I will not go into more detail.

The experimental environment is as follows:

PC1-1 is prepared as a replacement for PC1 during the experiment, to verify the binding result.

After IP addresses are configured on PC1 and PC2, the two PCs can already communicate normally.

PC1 ping 192.168.1.20

This is because the switch has not been configured in any way yet, so any PCs on the same network segment can communicate.

The next step is to bind the MAC address and IP address of PC1 to port GE0/0/1 of the switch, and the MAC address and IP address of PC2 to port GE0/0/2.

Experiment purpose: configure port binding so that a device whose MAC and IP addresses do not belong to the port cannot communicate with other PCs.

Switch configuration:

1. First enter the interface and enable port security, which is disabled by default.

[Huawei]interface GigabitEthernet0/0/1
[Huawei-GigabitEthernet0/0/1]port-security enable
[Huawei-GigabitEthernet0/0/1]port-security mac-address sticky
[Huawei-GigabitEthernet0/0/1]quit

[Huawei]interface GigabitEthernet0/0/2
[Huawei-GigabitEthernet0/0/2]port-security enable
[Huawei-GigabitEthernet0/0/2]port-security mac-address sticky
[Huawei-GigabitEthernet0/0/2]quit

2. Configure the port bindings in global mode.

[Huawei]user-bind static ip-address 192.168.1.10 mac-address 5489-98E3-765E interface GigabitEthernet 0/0/1
[Huawei]user-bind static ip-address 192.168.1.20 mac-address 5489-9861-65ED interface GigabitEthernet 0/0/2

(The first command binds the device with static IP 192.168.1.10 and MAC address 5489-98E3-765E to GigabitEthernet 0/0/1.)

The configuration is complete.

MAC address

Each device is assigned a MAC address at the factory, and this MAC address is unique. It is equivalent to our ID card.

Test:

Use PC1 to ping PC2 (192.168.1.20).

Communication works.

Now PC1-1 is used. Disconnect PC1 from GE0/0/1 and connect PC1-1 to GE0/0/1.

Use PC1-1 to ping PC2 (192.168.1.20).

Communication fails.

Although the IP addresses of PC1-1 and PC2 are in the same network segment, port GE0/0/1 of the switch has been bound to the MAC address and IP address of PC1. When the switch detects that the MAC address and IP address of PC1-1 differ from the original binding, it does not add the MAC address of PC1-1 to its MAC table. When PC1-1 sends a data packet to the switch, the switch does not forward it, so PC1-1 cannot ping PC2 even though they are in the same network segment. You can reconnect PC1 to port GE0/0/1 of the switch and ping PC2 (192.168.1.20) again to confirm that communication is possible.
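
The drop decision described above, as an added Python model (not code from the original post and not Huawei's implementation). It assumes the switch checks the static binding on ingress and keeps one secure MAC per port; the PC1-1 address values and the names Port, ingress and run_lab are constructed for illustration.

```python
# Simplified model of the two ingress checks configured in this lab.
# Static bindings taken from the page: port -> (source IP, source MAC)
USER_BIND = {
    "GE0/0/1": ("192.168.1.10", "5489-98E3-765E"),
    "GE0/0/2": ("192.168.1.20", "5489-9861-65ED"),
}

class Port:
    def __init__(self, name, max_mac=1):  # assumption: one secure MAC per port
        self.name, self.max_mac, self.sticky = name, max_mac, set()

def norm(mac):
    """Normalise a MAC so case and separator style do not affect comparison."""
    return "".join(c for c in mac.lower() if c in "0123456789abcdef")

def ingress(port, src_ip, src_mac):
    """Return 'forward' or the reason the frame is dropped."""
    mac = norm(src_mac)
    # Check 1, port security: learn sticky MACs up to the limit, reject others.
    if mac not in port.sticky:
        if len(port.sticky) >= port.max_mac:
            return "drop: port-security (unknown MAC)"
        port.sticky.add(mac)
    # Check 2, static binding: IP, MAC and port must all match the entry.
    bound = USER_BIND.get(port.name)
    if bound is None or (src_ip, mac) != (bound[0], norm(bound[1])):
        return "drop: user-bind mismatch"
    return "forward"

def run_lab():
    """Replay the lab on GE0/0/1: PC1 first, then the replacement host."""
    ge1 = Port("GE0/0/1")
    frames = [  # (label, source IP, source MAC); PC1-1 values are constructed
        ("PC1", "192.168.1.10", "5489-98E3-765E"),
        ("PC1-1", "192.168.1.30", "5489-98AA-BB01"),
        ("bound MAC, other IP", "192.168.1.30", "5489-98e3-765e"),
    ]
    return [(label, ingress(ge1, ip, mac)) for label, ip, mac in frames]

if __name__ == "__main__":
    for label, verdict in run_lab():
        print(f"{label:22} {verdict}")
```

The third frame shows why the lab binds the IP address as well as the MAC address: it passes the sticky-MAC check and is rejected only by the binding entry.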

Origin blog.csdn.net/weixin_57704002/article/details/126395720