2025-01-25 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains how to configure switch port security. The content is simple and clear, and easy to learn and understand.
Port security is most commonly understood as controlling and managing network traffic by MAC address: binding a MAC address to a specific port, limiting the number of MAC addresses that may pass through a specific port, or preventing frames from certain MAC addresses from passing through a specific port. In a slightly broader sense, port security also covers controlling network access with 802.1X.
First, binding MAC addresses to ports and the configuration that allows traffic based on MAC addresses.
1. Binding a MAC address to a port. When the host's MAC address differs from the MAC address specified on the switch, the corresponding switch port is shut down. When a MAC address is assigned to a port, the port must be in access or trunk mode.
3550-1#conf t
3550-1(config)#int f0/1
! Set the port mode.
3550-1(config-if)#switchport mode access
! Enable port security on the interface; the sub-options below have no effect without it.
3550-1(config-if)#switchport port-security
! Configure the MAC address (IOS expects dotted-hexadecimal notation).
3550-1(config-if)#switchport port-security mac-address 0090.f510.79c1
! Limit the number of MAC addresses allowed through this port to 1.
3550-1(config-if)#switchport port-security maximum 1
! Shut the port down when traffic does not match the configuration above.
3550-1(config-if)#switchport port-security violation shutdown
2. Limiting port traffic by the number of MAC addresses. This configuration allows a trunk port to pass up to 100 MAC addresses; data frames from any new host beyond that limit are dropped.
3550-1#conf t
3550-1(config)#int f0/1
3550-1(config-if)#switchport trunk encapsulation dot1q
! Set the port mode to trunk.
3550-1(config-if)#switchport mode trunk
! Enable port security on the interface.
3550-1(config-if)#switchport port-security
! Allow at most 100 MAC addresses on this port.
3550-1(config-if)#switchport port-security maximum 100
! When the number of host MAC addresses exceeds 100, the switch keeps working, but data frames from new hosts are dropped.
3550-1(config-if)#switchport port-security violation protect
The configurations above allow traffic based on MAC address; the configurations below deny traffic based on MAC address.
1. On Catalyst switches, this configuration can filter only unicast traffic; it has no effect on multicast traffic.
3550-1#conf t
! Drop traffic for this address in the corresponding VLAN.
3550-1(config)#mac-address-table static 0090.f510.79c1 vlan 2 drop
3550-1#conf t
! Static entry for the address on the corresponding interface.
3550-1(config)#mac-address-table static 0090.f510.79c1 vlan 2 interface f0/1
Finally, I will talk about the related concepts and configuration of 802.1X.
The 802.1X authentication protocol was originally used in wireless networks and was later adopted on network devices such as ordinary switches and routers. It authenticates users per port: when a user's traffic attempts to pass through a port configured for 802.1X, the user must authenticate first, and only authenticated users are allowed onto the network. The advantage is that intranet users can be authenticated with a simple configuration, which can to a certain extent replace Windows AD.
To configure 802.1X authentication, first enable AAA authentication globally. This is much the same as using AAA authentication at the network boundary, except that the authentication protocol is 802.1X. Then enable 802.1X authentication on the corresponding interfaces. (It is recommended to enable 802.1X authentication on all ports and to use a RADIUS server to manage usernames and passwords.)
The following configuration uses AAA authentication with a local username and password.
3550-1#conf t
! Enable AAA authentication.
3550-1(config)#aaa new-model
! Authenticate 802.1X users against the local username and password database.
3550-1(config)#aaa authentication dot1x default local
! Enable 802.1X globally (needed on IOS releases that provide this command).
3550-1(config)#dot1x system-auth-control
3550-1(config)#int range f0/1 - 24
! Enable 802.1X authentication on all interfaces.
3550-1(config-if-range)#dot1x port-control auto
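An added example, not part of the original article: a short Python check that reads running-config text and flags ports where the port-security and 802.1X settings configured above are missing or weak. The sample configuration, the function names and the finding texts are constructed for illustration.

```python
# Constructed sample running-config (not taken from the article or a real switch).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0090.f510.79c1
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security violation protect
!
interface FastEthernet0/3
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 100
 switchport port-security violation protect
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]} from running-config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces

def audit(config):
    """Return {interface: [findings]} for the settings the article configures."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        findings = []
        if "switchport port-security" not in cmds:
            findings.append("port security not enabled; sub-options alone do nothing")
        if "switchport port-security violation protect" in cmds:
            findings.append("violation mode protect drops frames without logging")
        if "switchport mode access" in cmds and "dot1x port-control auto" not in cmds:
            findings.append("access port without 802.1X")
        if findings:
            report[name] = findings
    return report

if __name__ == "__main__":
    for port, issues in audit(SAMPLE_CONFIG).items():
        print(port, "->", "; ".join(issues))
```

Default values such as `maximum 1` and `violation shutdown` do not appear in a running configuration, so the check looks only for the enabling command and for non-default modes.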