The most common understanding of port security is that MAC addresses are used to control and manage network traffic: binding a MAC address to a specific port, limiting the number of MAC addresses a specific port will accept, or refusing frames from specific MAC addresses on a port. Later we will also cover 802.1X, which is related to port security and controls network access traffic by authenticating the user at the port.
First, MAC-address-to-port binding, and configuration that permits traffic based on the MAC address.
Binding a MAC address to a port: when the MAC address of the host connected to the port differs from the MAC address specified on the switch, the switch shuts the corresponding port down. When you specify a MAC address for a port, the port must be in access or trunk mode.
3550-1# conf t
3550-1(config)# int f0/1
3550-1(config-if)# switchport mode access / Specify the port mode.
3550-1(config-if)# switchport port-security / Enable port security on the interface; the following port-security commands take effect only after this.
3550-1(config-if)# switchport port-security mac-address 0090.f510.79c1 / Configure the permitted MAC address (IOS expects the dotted xxxx.xxxx.xxxx form).
3550-1(config-if)# switchport port-security maximum 1 / Limit the number of MAC addresses allowed on this port to 1.
3550-1(config-if)# switchport port-security violation shutdown / If a frame from a different MAC address arrives, shut the port down.
Limiting port traffic by the number of MAC addresses: this configuration allows a trunk port to learn up to 100 MAC addresses; once 100 are learned, frames from any new host are dropped.
3550-1# conf t
3550-1(config)# int f0/1
3550-1(config-if)# switchport trunk encapsulation dot1q
3550-1(config-if)# switchport mode trunk / Configure the port mode as trunk.
3550-1(config-if)# switchport port-security / Enable port security on the interface.
3550-1(config-if)# switchport port-security maximum 100 / Allow at most 100 MAC addresses on this port.
3550-1(config-if)# switchport port-security violation protect / When the number of host MAC addresses exceeds 100, the switch keeps working but silently drops frames from new hosts.
The configuration above permits traffic based on the MAC address; the following configuration rejects traffic based on the MAC address.
On Catalyst switches this filter applies only to unicast traffic and has no effect on multicast traffic.
3550-1# conf t
3550-1(config)# mac-address-table static 0090.f510.79c1 vlan 2 drop / Drop traffic from or to this MAC address in the corresponding VLAN.
3550-1(config)# mac-address-table static 0090.f510.79c1 vlan 2 interface f0/1 / Per-interface variant: a static entry pinning this MAC address in VLAN 2 to f0/1.
Finally, 802.1X concepts and configuration.
The 802.1X authentication protocol was originally used on wireless networks and was later adopted by wired devices such as ordinary switches and routers. It authenticates the user's identity per port: when a user's traffic attempts to pass through a port configured with 802.1X, the user's identity must be verified as legitimate before access to the network is allowed. The advantage is that users are authenticated at the network level and the configuration is simplified; to a certain extent it can replace Windows AD.
To configure 802.1X authentication you must first enable AAA authentication globally. This is not much different from AAA authentication at the network boundary, except that the authentication method is 802.1X. Then enable 802.1X authentication on the corresponding interfaces. (It is recommended that you enable 802.1X authentication on all ports and use a RADIUS server to manage usernames and passwords.)
The following configuration uses the local username and password database for AAA authentication.
3550-1# conf t
3550-1(config)# aaa new-model / Enable AAA.
3550-1(config)# aaa authentication dot1x default local / Use the local username and password database for 802.1X authentication.
3550-1(config)# username USERNAME password PASSWORD / Placeholder: at least one local account is needed for local authentication to succeed.
3550-1(config)# dot1x system-auth-control / Globally enable 802.1X on the switch; without this, per-port dot1x settings do not take effect.
3550-1(config)# int range f0/1 - 24
3550-1(config-if-range)# dot1x port-control auto / Enable 802.1X authentication on all 24 interfaces.
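The settings above are easy to get subtly wrong: port-security parameters without the `switchport port-security` line that activates them, `protect` mode that drops frames without any log entry, or `dot1x port-control auto` on ports while the global enablement is missing. The following audit script is an added example (not from the original article, and not Cisco tooling): it parses a constructed Catalyst-style running-config excerpt and reports, per interface, the effective port-security settings from the first section, the static MAC drop entries from the second, and the 802.1X state from the third. The interface names, MAC addresses and the finding wording are assumptions for the sake of the example; the IOS defaults it relies on (maximum 1 and violation mode shutdown once port security is enabled) are documented Catalyst behaviour.

```python
"""Audit a Catalyst-style running-config for port-security and 802.1X gaps.

The config text below is constructed for this example; it is not output
from a real device.  Run the file directly to print the report.
"""
import re
from dataclasses import dataclass

SAMPLE_CONFIG = """\
!
aaa new-model
aaa authentication dot1x default local
dot1x system-auth-control
mac-address-table static 0090.f510.79c1 vlan 2 drop
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0090.f510.79c1
 switchport port-security violation shutdown
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 dot1x port-control auto
!
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 100
 switchport port-security violation protect
!
"""


@dataclass
class PortReport:
    name: str
    mode: str          # "access", "trunk" or "unknown"
    port_security: bool
    maximum: int       # effective value (IOS default 1)
    violation: str     # effective value (IOS default "shutdown")
    dot1x: bool
    findings: list


def parse_interfaces(config):
    """Return {interface name: [indented config lines]} for each interface block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # a '!' or a global command ends the block
    return blocks


def global_lines(config):
    """Return the set of global (non-indented, non-comment) config lines."""
    return {l.strip() for l in config.splitlines()
            if l and not l.startswith((" ", "!", "interface "))}


def static_drop_entries(config):
    """Return [(mac, vlan)] for 'mac-address-table static ... drop' entries."""
    pat = re.compile(r"mac-address-table static (\S+) vlan (\d+) drop")
    return [(m.group(1), int(m.group(2)))
            for m in (pat.match(l) for l in global_lines(config)) if m]


def dot1x_enabled_globally(config):
    """AAA must be on, a dot1x method list defined, and dot1x enabled system-wide."""
    g = global_lines(config)
    return ("aaa new-model" in g
            and any(l.startswith("aaa authentication dot1x") for l in g)
            and "dot1x system-auth-control" in g)


def audit_interface(name, lines, dot1x_global):
    mode, ps_enabled, has_ps_param = "unknown", False, False
    maximum, violation = 1, "shutdown"  # IOS defaults once port security is on
    dot1x = "dot1x port-control auto" in lines
    for l in lines:
        if l == "switchport mode access":
            mode = "access"
        elif l == "switchport mode trunk":
            mode = "trunk"
        elif l == "switchport port-security":
            ps_enabled = True
        elif l.startswith("switchport port-security "):
            has_ps_param = True
            m = re.match(r"switchport port-security maximum (\d+)", l)
            if m:
                maximum = int(m.group(1))
            m = re.match(r"switchport port-security violation (\w+)", l)
            if m:
                violation = m.group(1)
    findings = []
    if has_ps_param and not ps_enabled:
        findings.append("port-security parameters set but 'switchport port-security' is missing")
    if mode == "access" and not ps_enabled:
        findings.append("access port without port-security")
    if ps_enabled and violation == "protect":
        findings.append("violation mode 'protect' drops silently; 'restrict' also logs and counts")
    if mode == "access" and not dot1x:
        findings.append("access port without 802.1X (dot1x port-control auto)")
    if dot1x and not dot1x_global:
        findings.append("dot1x on port but AAA/dot1x not enabled globally")
    return PortReport(name, mode, ps_enabled, maximum, violation, dot1x, findings)


def audit(config):
    """Return {interface name: PortReport} for every interface in the config."""
    dot1x_global = dot1x_enabled_globally(config)
    return {name: audit_interface(name, lines, dot1x_global)
            for name, lines in parse_interfaces(config).items()}


if __name__ == "__main__":
    print("static drop entries:", static_drop_entries(SAMPLE_CONFIG))
    for rep in audit(SAMPLE_CONFIG).values():
        print(f"{rep.name}: mode={rep.mode} port-security={rep.port_security} "
              f"max={rep.maximum} violation={rep.violation} dot1x={rep.dot1x}")
        for f in rep.findings:
            print("   -", f)
```

In the sample, FastEthernet0/2 is the interesting case: it carries `maximum` and `violation` lines but never enables port security, so none of them are in force and the port also lacks 802.1X. FastEthernet0/24 shows the trunk from the second configuration; the audit flags `protect` because a silent drop gives the operator no signal that the MAC limit was hit, whereas `restrict` increments the violation counter and generates a syslog message. Feed the script the output of `show running-config` from a switch to apply the same checks to a real device.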