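Switch Port Security
Topology diagram
After the router's interface has been configured, enter privileged mode and view the MAC address of the router's port f0/0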
Router#show interfaces f0/0
FastEthernet0/0 is up, line protocol is up (connected)
Hardware is Lance, address is 00d0.9739.3601 (bia 00d0.9739.3601) (MAC address)
Internet address is 192.168.1.254/24
......
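Next, configure port security on the switch
Enter interface configuration mode
sw03(config)#interface f0/1
Set the port to access mode
sw03(config-if)#switchport mode access
Enable the port security feature on the switch port
sw03(config-if)#switchport port-security
Set the maximum number of simultaneous connections on the port to 1
sw03(config-if)#switchport port-security maximum 1
Shut down the interface when the number of connections on the port exceeds 1
sw03(config-if)#switchport port-security violation shutdown
Then bind the MAC address of the router's f0/0
sw03(config-if)#switchport port-security mac-address 00d0.9739.3601
Save the configuration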
sw03#copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]
Check the switch's MAC address table with the show mac-address-table command
Mac Address Table
-------------------------------------------
---- ----------- -------- -----
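Port security test
Check connectivity with the ping command
Change the MAC address of the router's port f0/0 with the mac-address command (the port must be shut down before its MAC address can be changed)
Router(config)#int f0/0
Router(config-if)#shutdown
Router(config-if)#mac-address 1.1.1
Router(config-if)#no shutdown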
%LINK-5-CHANGED: Interface FastEthernet0/0, changed state to up
View the MAC address after the change
Router#show int f0/0
FastEthernet0/0 is up, line protocol is down (disabled)
Hardware is Lance, address is 0001.0001.0001 (bia 00d0.9739.3601)
Internet address is 192.168.1.254/24
Test again with the ping command
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
sw03#show interfaces f0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
Hardware is Lance, address is 00d0.ba1d.e101 (bia 00d0.ba1d.e101)
BW 100000 Kbit, DLY 1000 usec,
......
The port is now down (err-disabled)
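
The following Python check is an added example, not part of the original tutorial: it audits running-config text for access ports that lack the port-security settings configured above (enabled, maximum 1, violation shutdown, a bound MAC address). The sample configuration and the names parse_interfaces and audit are constructed for illustration, and the check assumes that IOS omits the default values (maximum 1, violation shutdown) from running-config.

```python
# Constructed sample running-config (not captured from the page's switch).
SAMPLE = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 00d0.9739.3601
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation protect
!
interface FastEthernet0/24
 switchport mode trunk
"""

def parse_interfaces(config):  # returns {interface name: [sub-commands]}
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1].strip(), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return interfaces

def audit(config):
    """Return {access port: [findings]}; an empty list means no finding."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunk and routed ports are out of scope
        if "switchport port-security" not in cmds:
            report[name] = ["port-security not enabled"]
            continue
        # IOS leaves defaults out of running-config: maximum 1, violation shutdown.
        opts = {"maximum": "1", "violation": "shutdown"}
        ps = [c.split()[2:] for c in cmds if c.startswith("switchport port-security ")]
        opts.update((p[0], p[1]) for p in ps if len(p) >= 2)
        checks = [(int(opts["maximum"]) > 1, "maximum is " + opts["maximum"]),
                  (opts["violation"] != "shutdown", "violation mode is " + opts["violation"]),
                  ("mac-address" not in opts, "no MAC address bound")]
        report[name] = [msg for bad, msg in checks if bad]
    return report
```

A port that carries port-security options but not the bare "switchport port-security" line is reported as not enabled, because the options alone do not turn the feature on.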