Tuesday, December 14, 2010

【Weak Current College】 Switch port security summary



Port security is most commonly understood as controlling and managing network traffic by MAC address: binding a MAC address to a specific port, limiting the number of MAC addresses allowed through a port, or refusing frames from certain MAC addresses on a port. Extended slightly, port security also covers 802.1X access control. First, the MAC-address-to-port binding and the configurations that permit traffic by MAC address.

1. Binding a MAC address to a port. When the switch finds that the host's MAC address differs from the MAC address specified for the port, the port is shut down. Before a MAC address is specified for a port, the port mode must be set explicitly to access or trunk.

    3550-1# conf t
    3550-1(config)# int f0/1
    3550-1(config-if)# switchport mode access
    ! specify the port mode
    3550-1(config-if)# switchport port-security
    ! enable port security on the interface; the commands below have no effect without it
    3550-1(config-if)# switchport port-security mac-address 90f5.0010.79c1
    ! bind the MAC address (IOS expects the dotted H.H.H format)
    3550-1(config-if)# switchport port-security maximum 1
    ! limit the number of MAC addresses allowed on this port to 1
    3550-1(config-if)# switchport port-security violation shutdown
    ! when a frame violates the above, the port is shut down (err-disabled)

2. Limiting port traffic by the number of MAC addresses. This configuration allows at most 100 MAC addresses through a trunk port; beyond 100, frames from new hosts are dropped.

    3550-1# conf t
    3550-1(config)# int f0/1
    3550-1(config-if)# switchport trunk encapsulation dot1q
    3550-1(config-if)# switchport mode trunk
    ! configure the port mode as trunk
    3550-1(config-if)# switchport port-security
    ! enable port security on the interface
    3550-1(config-if)# switchport port-security maximum 100
    ! allow at most 100 MAC addresses through this port
    3550-1(config-if)# switchport port-security violation protect
    ! when the count exceeds 100 the switch keeps working, but frames from new hosts are dropped silently
The configurations above permit traffic by MAC address; the following configurations deny traffic by MAC address.

1. On Catalyst switches this configuration filters unicast traffic only; it has no effect on multicast traffic.

    3550-1# conf t
    3550-1(config)# mac-address-table static 0090.f510.79c1 vlan 2 drop
    ! drop frames for this MAC address in VLAN 2

    3550-1# conf t
    3550-1(config)# mac-address-table static 0090.f510.79c1 vlan 2 interface f0/1
    ! static entry pinning this MAC address in VLAN 2 to interface f0/1

Finally, a few 802.1X-related concepts and their configuration. The 802.1X authentication protocol was originally used in wireless networks and was later adopted on ordinary switches, routers and other network devices. It authenticates the user's identity per port: when a user attempts to send traffic through a port configured for 802.1X, the identity must be verified as legitimate before network access is allowed. The benefit is user authentication on the network itself with a simplified configuration, which to some extent can replace Windows AD. To configure 802.1X you must first enable AAA authentication; whether it is applied globally or at the network edge makes little difference, except that the authentication protocol is 802.1X. Second, you must enable 802.1X authentication on the appropriate interfaces. (It is recommended to enable 802.1X on all ports and to use a RADIUS server to manage the user names and passwords.) The configuration below uses AAA authentication with a local user name and password.

    3550-1# conf t
    3550-1(config)# aaa new-model
    ! enable AAA
    3550-1(config)# aaa authentication dot1x default local
    ! enable 802.1X authentication globally, using the local user name and password database
    ! (local users are defined with the username command)
    3550-1(config)# dot1x system-auth-control
    ! enable 802.1X on the switch globally; required on the 3550 before port-control takes effect
    3550-1(config)# int range f0/1 - 24
    3550-1(config-if-range)# dot1x port-control auto
    ! enable 802.1X authentication on all interfaces
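As an added illustration that is not part of the original post, the following Python model replays constructed frames against the two violation modes configured above (shutdown with one bound MAC, protect with a maximum of 100) and normalizes Windows-style MAC notation to the IOS H.H.H form the commands expect. The SecurePort class and the frame lists are assumptions for the demonstration, not switch code.

```python
"""Model of Catalyst port-security violation handling (added example, not switch code)."""
import re


def to_ios_mac(mac: str) -> str:
    """Normalize 00-90-F5-10-79-C1 or 00:90:f5:10:79:c1 to the IOS H.H.H form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


class SecurePort:
    """One switch port with 'switchport port-security maximum N violation MODE'."""

    def __init__(self, maximum: int, violation: str, static_macs=()):
        self.maximum = maximum
        self.violation = violation            # "shutdown", "restrict" or "protect"
        self.secure = {to_ios_mac(m) for m in static_macs}  # configured secure MACs
        self.err_disabled = False
        self.violations = 0

    def receive(self, src_mac: str) -> str:
        """Return 'forward' or 'drop' for a frame with source src_mac."""
        mac = to_ios_mac(src_mac)
        if self.err_disabled:                 # a shut-down port passes nothing
            return "drop"
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:   # room left: learn it as a secure MAC
            self.secure.add(mac)
            return "forward"
        self.violations += 1                  # an unknown MAC beyond the maximum
        if self.violation == "shutdown":      # err-disable the port, as in config 1
            self.err_disabled = True
        return "drop"                         # protect/restrict only drop the frame


def demo():
    """Replay constructed frames against the two configurations in the post."""
    # Config 1: access port bound to one MAC, violation shutdown (constructed frames).
    p1 = SecurePort(1, "shutdown", static_macs=["00-90-F5-10-79-C1"])
    r1 = [p1.receive(m) for m in ["00-90-f5-10-79-c1", "00-11-22-33-44-55",
                                   "00-90-f5-10-79-c1"]]
    # Config 2: trunk port, maximum 100, violation protect; 101 constructed hosts.
    p2 = SecurePort(100, "protect")
    r2 = [p2.receive(f"00-00-5e-00-53-{i:02x}") for i in range(101)]
    return r1, r2, p1.err_disabled, p2.err_disabled
```

In config 1 the second frame err-disables the port, so even the bound MAC is dropped afterwards; in config 2 only the 101st host is dropped and the port stays up.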
Postscript: traffic can be controlled by MAC address with the configurations above, or with access control lists; for example, the Catalyst 3550 supports MAC address filtering with access lists numbered 700-799. Controlling traffic with access control lists is too much trouble, however, and seems to be used less often, so it is not covered here. MAC address binding ensures intranet security to a certain extent, but its effect is not very good; we recommend the 802.1X authentication protocol instead. In terms of controllability and manageability, 802.1X is a good choice.
