交换机端口安全

拓扑图

为路由器的接口 完成配置后进入特权模式，查看路由器的端口f0/0的mac地址

Router#show interfaces f0/0

FastEthernet0/0 is up, line protocol is up (connected)

Hardware is Lance, address is 00d0.9739.3601 (bia 00d0.9739.3601)（mac地址）

  Internet address is 192.168.1.254/24

......

 

接下来为交换机配置端口安全

进入端口模式

sw03(config)#interface f0/1

把端口改为访问模式

sw03(config-if)#switch mode access

打开交换机的端口安全功能

sw03(config-if)#switch port-security

设置端口上的最大同时连接数为 1

sw03(config-if)#switch port-security maximum  1

设置当端口连接数超过 1 时，关闭接口

sw03(config-if)#switch port-security violation shutdown

然后将路由器f0/0 的mac地址绑定

sw03(config-if)#switchport port-security mac-address 00d0.9739.3601

保存配置

sw03#copy running-config  startup-config
Destination filename [startup-config]?
Building configuration...
[OK]

用show mac-address-table命令检查交换机的mac地址表

sw03#show mac-address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----

   1    00d0.9739.3601    STATIC      Fa0/1

 

 做端口安全测试

用ping命令检查连通性

修改路由器端口 f0/0的mac地址，使用命令mac-address（修改mac地址需要关闭端口）

Router(config)#int f0/1

Router(config-if)#shutdown 

Router(config-if)#mac-address 1.1.1

Router(config-if)#no shu

 

Router(config-if)#

%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up

查看修改后的mac地址

Router#show int f0/0

FastEthernet0/0 is up, line protocol is down (disabled)

  Hardware is Lance, address is 0001.0001.0001 (bia 00d0.9739.3601)

  Internet address is 192.168.1.254/24

再使用ping命令进行测试

Router#ping 192.168.1.1

 

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

 

Router#

无法连接

检查交换机上的f0/1端口

sw03#show interfaces f0/1

FastEthernet0/1 is down, line protocol is down (err-disabled)

  Hardware is Lance, address is 00d0.ba1d.e101 (bia 00d0.ba1d.e101)

 BW 100000 Kbit, DLY 1000 usec,

......

发现端口已经down