1. Solution 1—Port-based MAC address binding
As an example, log in to the switch, enter the management password to reach privileged mode, and type the following commands:
Switch#configure terminal
#Enter global configuration mode
Switch(config)#interface fastethernet 0/1
#Enter configuration mode for the specific port
Switch(config-if)#switchport mode access
#Port security is only accepted on a static access port, not on a dynamic (trunk-negotiating) port
Switch(config-if)#switchport port-security
#Enable port security on this port
Switch(config-if)#switchport port-security mac-address MAC (host's MAC address)
#Configure the MAC address of the host to which this port is to be bound
Switch(config-if)#no switchport port-security mac-address MAC (host's MAC address)
#Delete the MAC address of the bound host
Notice:
The commands above bind a specific MAC address to a port on the switch, so that only that host can use the network through the port. If the host's network card is replaced, or another PC is connected to the port, the port will not pass traffic until the bound MAC address on the port is deleted or changed.
Notice:
The above functions are available on Cisco 2950, 3550, 4500 and 6500 series switches.
2. Solution 2—Extended access list based on MAC address
Switch(config)#mac access-list extended MAC10
#Define a MAC address access control list named MAC10
Switch(config-ext-macl)#permit host 0009.6bc4.d4bf any
#The host with MAC address 0009.6bc4.d4bf may send to any host
Switch(config-ext-macl)#permit any host 0009.6bc4.d4bf
#Any host may send to the host with MAC address 0009.6bc4.d4bf
Switch(config-ext-macl)#exit
Switch(config)#interface Fa0/20
#Enter configuration mode for the specific port
Switch(config-if)#mac access-group MAC10 in
#Apply the access list named MAC10 inbound on this port (the access policy defined above)
Switch(config-if)#exit
Switch(config)#no mac access-list extended MAC10
#Delete the access list named MAC10
This scheme achieves roughly the same effect as Solution 1, but because it is a port-based MAC address access control list, it can restrict a range of source and destination MAC addresses rather than binding a single host.
Notice:
The above functions can be implemented on Cisco 2950, 3550, 4500, and 6500 series switches, but it should be noted that the switches need to run enhanced software images (Enhanced Image).
3. Solution 3—MAC address binding of IP address
IP-MAC binding can only be achieved by combining Solution 1 or 2 with an IP-based access control list.
Switch(config)#mac access-list extended MAC10
#Define a MAC address access control list named MAC10
Switch(config-ext-macl)#permit host 0009.6bc4.d4bf any
#The host with MAC address 0009.6bc4.d4bf may send to any host
Switch(config-ext-macl)#permit any host 0009.6bc4.d4bf
#Any host may send to the host with MAC address 0009.6bc4.d4bf
Switch(config-ext-macl)#exit
Switch(config)#ip access-list extended IP10
#Define an IP address access control list named IP10
Switch(config-ext-nacl)#permit ip 192.168.0.1 0.0.0.0 any
#The host with IP address 192.168.0.1 may send to any host (wildcard 0.0.0.0 matches exactly one address)
Switch(config-ext-nacl)#permit ip any 192.168.0.1 0.0.0.0
#Any host may send to the host with IP address 192.168.0.1
Switch(config-ext-nacl)#exit
Switch(config)#interface Fa0/20
#Enter configuration mode for the specific port
Switch(config-if)#mac access-group MAC10 in
#Apply the access list named MAC10 inbound on this port (the access policy defined above)
Switch(config-if)#ip access-group IP10 in
#Apply the access list named IP10 inbound on this port (the access policy defined above)
Switch(config-if)#exit
Switch(config)#no mac access-list extended MAC10
#Delete the access list named MAC10
Switch(config)#no ip access-list extended IP10
#Delete the access list named IP10
Solution 1 above binds the host MAC address to the switch port, and Solution 2 uses a MAC address access control list; the two achieve roughly the same effect. Binding an IP address to a MAC address requires Solution 3, that is, Solution 1 or Solution 2 combined with an IP access control list as your needs dictate.
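Added example (not from the original article): a small Python script that builds the IOS commands for the three solutions above from a host inventory, and checks an observed address table against that inventory. The ports, MAC addresses and IP addresses are constructed sample values, and the ACL names MAC-<tag>/IP-<tag> are this script's own convention rather than anything from the article. The audit function shows the check a practitioner would run after deploying the bindings: pull the port, MAC and IP actually seen on each interface and report anything that deviates from the intended policy.

```python
"""
Added example (not from the original article): build the IOS commands for the
three binding schemes above from a host inventory, and check an observed
address table against that inventory. All ports, MACs and IPs are constructed
sample values; the ACL names MAC-<tag>/IP-<tag> are this script's convention.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

MAC_HEX = re.compile(r"^[0-9a-f]{12}$")


def cisco_mac(mac: str) -> str:
    """Normalize 00:09:6B:C4:D4:BF / 0009-6bc4-d4bf / 0009.6bc4.d4bf to Cisco's xxxx.xxxx.xxxx."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_HEX.match(digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


@dataclass(frozen=True)
class Binding:
    port: str           # interface name, e.g. "FastEthernet0/1"
    mac: str            # any common notation; normalized on output
    ip: Optional[str]   # None for a MAC-only binding (Solutions 1 and 2)


def port_security_config(b: Binding) -> List[str]:
    """Solution 1: static MAC bound to the port with switchport port-security."""
    return [
        f"interface {b.port}",
        " switchport mode access",  # port-security is rejected on a dynamic port
        " switchport port-security",
        f" switchport port-security mac-address {cisco_mac(b.mac)}",
    ]


def acl_config(b: Binding, tag: str) -> List[str]:
    """Solution 2 (MAC ACL) or Solution 3 (MAC ACL plus IP ACL), applied inbound."""
    mac = cisco_mac(b.mac)
    lines = [
        f"mac access-list extended MAC-{tag}",
        f" permit host {mac} any",
        f" permit any host {mac}",
    ]
    if b.ip is not None:
        ip = str(IPv4Address(b.ip))  # rejects malformed addresses
        lines += [
            f"ip access-list extended IP-{tag}",
            f" permit ip host {ip} any",
            f" permit ip any host {ip}",
        ]
    lines += [f"interface {b.port}", f" mac access-group MAC-{tag} in"]
    if b.ip is not None:
        lines.append(f" ip access-group IP-{tag} in")
    return lines


def audit(bindings: List[Binding], observed: List[Tuple[str, str, str]]) -> List[str]:
    """Compare observed (port, mac, ip) triples, as you would collect from the
    switch's MAC and ARP tables, against the intended bindings. Returns one
    finding per deviation; an empty list means the tables match the policy."""
    intended = {b.port: (cisco_mac(b.mac), b.ip) for b in bindings}
    ip_owner = {b.ip: cisco_mac(b.mac) for b in bindings if b.ip is not None}
    findings = []
    for port, mac, ip in observed:
        mac = cisco_mac(mac)
        want = intended.get(port)
        if want is None:
            findings.append(f"{port}: no binding defined, saw {mac}/{ip}")
            continue
        if mac != want[0]:
            findings.append(f"{port}: unexpected MAC {mac}, bound {want[0]}")
        if want[1] is not None and ip != want[1]:
            findings.append(f"{port}: unexpected IP {ip}, bound {want[1]}")
        if ip in ip_owner and ip_owner[ip] != mac:
            findings.append(f"{port}: IP {ip} belongs to {ip_owner[ip]} but seen from {mac}")
    return findings


# Constructed sample inventory: one IP+MAC binding, one MAC-only binding.
BINDINGS = [
    Binding("FastEthernet0/1", "00:09:6B:C4:D4:BF", "192.168.0.1"),
    Binding("FastEthernet0/20", "0009-6bc4-d4c0", None),
]

# Constructed sample of observed state: the second port's host is using
# the first host's IP, which the binding policy is meant to prevent.
OBSERVED = [
    ("FastEthernet0/1", "0009.6bc4.d4bf", "192.168.0.1"),
    ("FastEthernet0/20", "0009.6bc4.d4c0", "192.168.0.1"),
]

if __name__ == "__main__":
    for b in BINDINGS:
        tag = b.port.replace("/", "-")
        print("\n".join(port_security_config(b)))
        print("\n".join(acl_config(b, tag)))
    for finding in audit(BINDINGS, OBSERVED):
        print("VIOLATION:", finding)
```

Run it as-is to see the generated configuration for both sample bindings followed by one VIOLATION line for the reused IP address. The MAC normalizer matters in practice because inventories usually store colon- or dash-separated addresses while IOS only accepts the dotted form, and a silently mis-formatted MAC in an ACL or port-security line would bind the wrong (or no) host.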
Note: The above functions can be implemented on Cisco 2950, 3550, 4500, and 6500 series switches, but it should be noted that the switches need to run enhanced software images (Enhanced Image).
Note: On the surface, binding MAC addresses to IP addresses can prevent internal IP addresses from being stolen. In fact, because of the way the various protocol layers, network card drivers and other implementation details behave, MAC-to-IP binding has serious flaws and cannot truly prevent internal IP addresses from being stolen.
Article entry: csh Editor in charge: csh