Ruijie RSR Series Routers_Access Router Switch Module Configuration_Port Security Configuration


Port security configuration

Features

The port security feature uses the source MAC address of a frame to decide whether that frame may enter a switch port. Entry can be controlled either by statically configuring specific MAC addresses or by dynamically learning a limited number of MAC addresses. A port with port security enabled is called a secure port.

Once port security is enabled on a port, only frames whose source MAC address is present in the port security address table (configured statically or learned dynamically) may enter the switch; all other frames are dropped. A port security address can also be bound as IP+MAC, or as IP only, in which case a frame must match the bound address in addition to the source MAC address before it is allowed into the switch.

Note: Only the RSR10-02E, RSR20-04E and RSR20-14E/F running 10.4(3b12) or later support port security. The RSR10-02/01G and RSR20-04/14/18/24 series do not support this function.

Application Scenario

Enterprises often have strict network security requirements, for example only computers with specific MAC addresses (with arbitrary IP addresses) may access the Internet. Port security on the router meets this requirement.

1. Networking requirements:

PC1 (IP 192.168.1.1, MAC 0021.CCCF.6F70) may only connect through switch port F1/0, with IP+MAC binding; any other computer connected to this port cannot communicate.

Port F1/1 may only connect the PC whose MAC address is aaaa.aaaa.aaaa, with no restriction on its IP address; PCs with other MAC addresses cannot communicate through this port.

2. Network topology:


3. Configuration points:

1. Create the address of the user gateway on the router

2. Configure the port security parameters on the F1/0 port

3. Configure the port security parameters on the F1/1 port

Note: In versions 10.4(3b12) and 10.4(3b12)p1, "switchport port-security maximum" does not count the MAC addresses of IP+MAC binding entries towards the maximum. For example, with one static IP+MAC binding and maximum 1 configured, the port can still learn one additional dynamic MAC. To allow only a single fixed IP+MAC user on the port, combine a global IP+MAC binding with a MAC binding plus maximum under the port:

address-bind x.x.x.x H.H.H

interface fastethernet 0/0

   switchport port-security mac-address H.H.H

   switchport port-security maximum 1

   switchport port-security

Versions later than 10.4(3b12)p1 do not have this restriction.

4. Configuration steps

1. Create the address of the user gateway on the router

Ruijie(config)#interface vlan 1

Ruijie(config-if-VLAN 1)#ip address 192.168.1.254 255.255.255.0

2. Configure the port security parameters on the F1/0 port

Ruijie(config)#interface fastEthernet 1/0

Ruijie(config-if-FastEthernet 1/0)#switchport port-security binding 0021.CCCF.6F70 vlan 1 192.168.1.1   //Bind the PC in VLAN 1 with MAC address 0021.CCCF.6F70 and IP address 192.168.1.1 to interface F1/0

Ruijie(config-if-FastEthernet 1/0)#switchport port-security maximum 1   //Allow this port to learn only 1 MAC entry

Ruijie(config-if-FastEthernet 1/0)#switchport port-security   //Enable port security on this port

3. Configure the port security parameters on the F1/1 port

Ruijie(config)#interface fastEthernet 1/1

Ruijie(config-if-FastEthernet 1/1)#switchport port-security mac-address aaaa.aaaa.aaaa   //Allow only the terminal with MAC address aaaa.aaaa.aaaa on interface F1/1

Ruijie(config-if-FastEthernet 1/1)#switchport port-security maximum 1   //Allow this port to learn only 1 MAC entry

Ruijie(config-if-FastEthernet 1/1)#switchport port-security   //Enable port security on this port

5. Configuration Verification

Run the show port-security address command on the router to see the address entries that are bound and in effect.


6. Appendix

1. Router port security supports two modes: IP+MAC binding and MAC-only binding

This is done with the following command:

Ruijie(config-if-FastEthernet 0/1)#switchport port-security binding ?

  A.B.C.D     IP address

  H.H.H       48-bit hardware address

For example, to bind IP+MAC, you can use the following command:

Ruijie(config-if-FastEthernet 0/1)#switchport port-security binding 0021.CCCF.6F70 vlan 1 192.168.1.1  

For MAC-only binding, use the following command instead:

Ruijie(config-if-FastEthernet 0/1)#switchport port-security mac-address 0021.CCCF.6F70

2. If an IP+MAC binding or an IP-only binding is configured, the switch still learns the downstream user's MAC address dynamically

For example, the following commands are configured on the switch port:

Ruijie(config-if-FastEthernet 0/1)#switchport port-security binding 1414.4b19.ecc1 vlan 1 192.168.1.1

Ruijie(config-if-FastEthernet 0/1)#switchport port-security

At this point the address table looks as follows:

Ruijie#show port-security address

Vlan Mac Address     IP Address        Type        Port    Remaining Age (mins)
---- --------------- ----------------- ----------- ------- --------------------
1    1414.4b19.ecc1  192.168.1.1       Configured  Fa0/1   -

After the user connects, the switch still learns the user's MAC address dynamically:

Ruijie#show port-security address

Vlan Mac Address     IP Address        Type        Port    Remaining Age (mins)
---- --------------- ----------------- ----------- ------- --------------------
1    1414.4b19.ecc1                    Dynamic     Fa0/1   -
1    1414.4b19.ecc1  192.168.1.1       Configured  Fa0/1   -

For an IP+MAC (or IP-only) binding to take effect, the port must first learn the user's MAC address as a secure MAC address. For example, with the following settings the user at 192.168.1.2 cannot access the Internet:

interface GigabitEthernet 0/1

    switchport port-security mac-address 1414.4b19.0000 vlan 1

    switchport port-security binding 1414.4b19.ecc1 vlan 1 192.168.1.2

    switchport port-security maximum 1

    switchport port-security

The reason is that the maximum number of MAC addresses is 1 and 1414.4b19.0000 is already bound as a static secure MAC, so port security cannot learn any further MAC address. An IP+MAC (or IP) binding only takes effect once its MAC has been learned as a secure MAC address on the port, so the user at 192.168.1.2 is not allowed through. To let this user access the Internet, also bind the user's MAC address and raise the maximum accordingly:

interface GigabitEthernet 0/1

    switchport port-security mac-address 1414.4b19.ecc1 vlan 1

    switchport port-security mac-address 1414.4b19.0000 vlan 1

    switchport port-security binding 1414.4b19.ecc1 vlan 1 192.168.1.2

    switchport port-security maximum 2

    switchport port-security

Summary: when an IP+MAC (or IP) binding is configured, the port security secure MAC condition must also be met: the bound MAC must be learned dynamically or configured statically as a secure MAC address on that port, within the port's configured maximum.
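The pitfall above is easy to miss on a device with many ports, because the binding row shows as "Configured" whether or not it is actually usable. The following script is an added example (not code from the original page or from Ruijie): it parses the table printed by show port-security address in the column layout shown on this page, and for each port reports which IP+MAC bindings are effective (the bound MAC is also a secure MAC on that port) and which are blocked. It assumes, as the page's appendix describes, that Dynamic rows and Configured rows with an empty IP column are secure MAC entries (learned, or set with switchport port-security mac-address), and that rows with an IP are IP+MAC bindings. The sample output and the per-port maximum values are constructed for illustration; the remediation() helper and the Fa/Gi name expansion are assumptions, not Ruijie commands.

```python
"""Audit Ruijie 'show port-security address' output for ineffective IP+MAC bindings.

Added example; not code from the original page or from Ruijie. It parses the
table format shown on this page and flags bindings that cannot pass traffic
because the bound MAC is not (yet) a secure MAC address on that port.
"""
import re
from collections import defaultdict

# Constructed sample output (not captured from a real device). Column layout
# follows the 'show port-security address' tables on this page. Fa0/1 has a
# binding whose MAC was learned dynamically; Gi0/1 has a binding whose MAC is
# not a secure MAC while the only secure slot is taken by 1414.4b19.0000.
SAMPLE_OUTPUT = """\
Vlan Mac Address     IP Address                               Type       Port     Remaining Age (mins)
---- --------------- ---------------------------------------- ---------- -------- -------------
1    1414.4b19.ecc1                                           Dynamic    Fa0/1    -
1    1414.4b19.ecc1  192.168.1.1                              Configured Fa0/1    -
1    1414.4b19.0000                                           Configured Gi0/1    -
1    1414.4b19.ecc1  192.168.1.2                              Configured Gi0/1    -
"""

# Assumed per-port 'switchport port-security maximum' values, as they would be
# read from the running config (constructed to match the page's examples).
SAMPLE_MAXIMUM = {"Fa0/1": 1, "Gi0/1": 1}

MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumed expansion of the short port names in the table to interface-mode names.
PORT_LONG = {"Fa": "FastEthernet", "Gi": "GigabitEthernet"}


def parse_port_security(text):
    """Parse table rows into dicts with vlan, mac, ip (None if blank), type, port."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # Data rows start with a VLAN id and a MAC; header/separator/blank lines do not.
        if len(f) < 4 or not f[0].isdigit() or not MAC_RE.match(f[1]):
            continue
        ip = f[2] if IP_RE.match(f[2]) else None  # IP column is blank for MAC-only rows
        rest = f[3:] if ip else f[2:]
        rows.append({"vlan": int(f[0]), "mac": f[1].lower(), "ip": ip,
                     "type": rest[0], "port": rest[1]})
    return rows


def audit(rows, maximum=None):
    """Per port: secure MACs (rows without IP), and IP+MAC bindings split into
    'effective' (same vlan+mac is a secure MAC on that port) and 'blocked'.
    'full' is True when the secure MAC count already reaches the port's maximum,
    meaning a blocked binding's MAC can never be learned dynamically."""
    maximum = maximum or {}
    ports = defaultdict(lambda: {"secure": set(), "effective": [], "blocked": [], "full": False})
    for r in rows:
        if r["ip"] is None:
            ports[r["port"]]["secure"].add((r["vlan"], r["mac"]))
    for r in rows:
        if r["ip"] is not None:
            p = ports[r["port"]]
            bucket = "effective" if (r["vlan"], r["mac"]) in p["secure"] else "blocked"
            p[bucket].append((r["mac"], r["ip"], r["vlan"]))
    for port, p in ports.items():
        p["full"] = port in maximum and len(p["secure"]) >= maximum[port]
    return dict(ports)


def remediation(port, info):
    """Assumed helper: CLI lines that make blocked bindings on `port` usable by
    adding each bound MAC as a static secure MAC and raising 'maximum' to cover
    all secure MACs (the same fix the page applies to GigabitEthernet 0/1)."""
    if not info["blocked"]:
        return []
    m = re.match(r"([A-Za-z]+)(.*)", port)
    name = "%s %s" % (PORT_LONG.get(m.group(1), m.group(1)), m.group(2))
    lines = ["interface %s" % name]
    for mac, _ip, vlan in info["blocked"]:
        lines.append(" switchport port-security mac-address %s vlan %d" % (mac, vlan))
    lines.append(" switchport port-security maximum %d"
                 % (len(info["secure"]) + len(info["blocked"])))
    return lines


if __name__ == "__main__":
    report = audit(parse_port_security(SAMPLE_OUTPUT), SAMPLE_MAXIMUM)
    for port, info in sorted(report.items()):
        print(port, "effective:", info["effective"], "blocked:", info["blocked"], "full:", info["full"])
        for line in remediation(port, info):
            print("   ", line)
```

Paste the real show port-security address output into SAMPLE_OUTPUT (or read it from a file) and fill SAMPLE_MAXIMUM from the running config; a port that is both "blocked" and "full" is exactly the 192.168.1.2 situation described above, and the printed lines are the interface-mode commands that resolve it.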

3. If port security (MAC binding) is configured on some ports but not on others, for example PC1 is bound on port 1 and the remaining ports have no port security, then PC1 can access the Internet when plugged into port 1 but cannot access the Internet when plugged into any other port.

4. If some ports of the switch are configured with port security (IP+MAC or IP binding) and others are not, then PC1 can access the Internet when plugged into port 1 and can also access the Internet when plugged into any other port. In other words, the port security MAC address binding is the key factor that determines whether a user is allowed access.


Origin blog.csdn.net/weixin_57099902/article/details/132455041