Various switch port configuration examples

2017-09-30
The most common understanding of port security is that MAC addresses are used to control and manage network traffic: binding a MAC address to a specific port, limiting the number of MAC addresses a specific port may learn, or refusing to forward frames from certain MAC addresses on a specific port. A broader form of port security is controlling network access according to 802.1X.

First, MAC address and port binding, and allowing traffic based on the MAC address.

Binding a MAC address to a port: when the MAC address of the connected host differs from the MAC address specified on the switch, the switch shuts the corresponding port down. To specify a MAC address for a port, the port must be in access or trunk mode.

3550-1# conf t
3550-1(config)# int f0/1
3550-1(config-if)# switchport mode access / Specify the port mode (port security needs access or trunk mode).
3550-1(config-if)# switchport port-security / Enable port security on the interface; the settings below only take effect once this is on.
3550-1(config-if)# switchport port-security mac-address 0090.f510.79c1 / Configure the permitted MAC address (00-90-F5-10-79-C1 in IOS H.H.H notation).
3550-1(config-if)# switchport port-security maximum 1 / Limit the number of MAC addresses allowed on this port to 1.
3550-1(config-if)# switchport port-security violation shutdown / When a frame with a different MAC address arrives, the port is shut down (err-disabled).

Limiting port traffic by the number of MAC addresses: this configuration allows a trunk port to learn up to 100 MAC addresses. Once 100 have been learned, the port stays up, but frames from any new host are dropped.

3550-1# conf t
3550-1(config)# int f0/1
3550-1(config-if)# switchport trunk encapsulation dot1q
3550-1(config-if)# switchport mode trunk / Configure the port mode as trunk.
3550-1(config-if)# switchport port-security / Enable port security on the interface.
3550-1(config-if)# switchport port-security maximum 100 / Allow at most 100 MAC addresses on this port.
3550-1(config-if)# switchport port-security violation protect / When more than 100 host MAC addresses appear, the port keeps working, but frames from new hosts are silently dropped.
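The two configurations above describe how a secure port reacts once the allowed MAC addresses (one bound address, or a count of 100) are exhausted. The following is an added example, not Cisco code or part of the original post: a small Python model of that behaviour, built on the assumption that a port keeps a set of "secure" source MACs bounded by `maximum`, and that an unknown source MAC arriving when the set is full is a violation handled by the configured mode (`shutdown` err-disables the port, `protect` drops silently, `restrict` drops and counts). The `SecurePort` class, `normalize_mac` helper and the sample MACs other than the page's own 00-90-F5-10-79-C1 are constructed for the example.

```python
# Added example (not Cisco's code): a minimal model of Catalyst port-security
# behaviour. Assumption: a port keeps a set of secure source MACs bounded by
# `maximum`; an unknown MAC that cannot be added is a violation handled per mode.
from dataclasses import dataclass, field


def normalize_mac(mac: str) -> str:
    """Accept 00-90-F5-10-79-C1, 00:90:f5:10:79:c1 or 0090.f510.79c1; return IOS H.H.H."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # shutdown | restrict | protect
    static_macs: set = field(default_factory=set)  # port-security mac-address H.H.H
    learned: set = field(default_factory=set)      # dynamically learned secure MACs
    err_disabled: bool = False
    violations: int = 0              # violation counter (not incremented in protect mode)

    def __post_init__(self):
        self.static_macs = {normalize_mac(m) for m in self.static_macs}

    def secure_macs(self) -> set:
        return self.static_macs | self.learned

    def receive(self, src_mac: str) -> str:
        """Decide 'forward' or 'drop' for a frame with the given source MAC."""
        src = normalize_mac(src_mac)
        if self.err_disabled:
            return "drop"                      # a shut-down port passes nothing
        if src in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(src)              # room left: learn it as a secure MAC
            return "forward"
        # Security violation: an unknown source MAC beyond the allowed count.
        if self.violation != "protect":
            self.violations += 1               # restrict/shutdown count and log it
        if self.violation == "shutdown":
            self.err_disabled = True           # port goes err-disabled (down)
        return "drop"                          # every mode drops the offending frame


if __name__ == "__main__":
    # Bound port, as in the first configuration: one permitted MAC, shutdown on mismatch.
    f01 = SecurePort("f0/1", maximum=1, violation="shutdown",
                     static_macs={"00-90-F5-10-79-C1"})
    print(f01.receive("00-90-F5-10-79-C1"), f01.receive("00-11-22-33-44-55"), f01.err_disabled)
    # Trunk port, as in the second configuration: 100 MACs, protect mode.
    trunk = SecurePort("f0/1", maximum=100, violation="protect")
    for i in range(100):
        trunk.receive(f"0000.0000.{i:04x}")
    print(trunk.receive("0000.0000.ffff"), trunk.err_disabled)
```

The difference a defender cares about is visible in the model: with `shutdown`, one stray MAC (a rogue hub or a hot-swapped device) takes the legitimate host offline too until the port is recovered, while `protect` keeps the port up but gives no counter or log entry to detect the event, which is why `restrict` is usually preferred where visibility matters.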

The configurations above allow traffic based on the MAC address. The following configuration rejects traffic based on the MAC address.

This configuration can only filter unicast traffic on Catalyst switches; it has no effect on multicast traffic.

3550-1# conf t
3550-1(config)# mac-address-table static 0090.f510.79c1 vlan 2 drop / Drop unicast frames to or from this MAC address in the corresponding VLAN.
3550-1# conf t
3550-1(config)# mac-address-table static 0090.f510.79c1 vlan 2 interface f0/1 / Static entry pinning this MAC address to f0/1 in VLAN 2 (frames to it are forwarded only via that interface, and the entry does not move).

Finally, 802.1X concepts and configuration.

The 802.1X authentication protocol was originally used on wireless networks and was later adopted on wired devices such as ordinary switches and routers. It authenticates users per port: when a user's traffic tries to pass through a port configured for 802.1X, the user's identity must be verified as legitimate before access to the network is allowed. The advantage is that the network itself authenticates users and the configuration is simplified; to a certain extent it can replace Windows AD.

To configure 802.1X authentication, you must first enable AAA authentication globally. This is not much different from AAA authentication at the network boundary, except that the authentication protocol is 802.1X. Then enable 802.1X authentication on the corresponding interfaces. (It is recommended that you enable 802.1X authentication on all ports and use a RADIUS server to manage usernames and passwords.)

The following configuration uses the local username and password database for AAA authentication.

3550-1# conf t
3550-1(config)# aaa new-model / Enable AAA.
3550-1(config)# aaa authentication dot1x default local / Define the 802.1X authentication method list, using local usernames and passwords.
3550-1(config)# dot1x system-auth-control / Globally enable 802.1X (required in addition to the AAA method list).
3550-1(config)# int range f0/1 - 24
3550-1(config-if-range)# dot1x port-control auto / Enable 802.1X authentication on all 24 interfaces.
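Since the port-security and 802.1X commands on this page only protect a port when every piece is present (the feature enabled on the interface, a violation mode chosen, AAA and `dot1x system-auth-control` set globally, `dot1x port-control auto` on each access port), a practical follow-up is to audit a saved running-config for those pieces. The following is an added example, not part of the original post or any Cisco tool: a Python script that parses a constructed IOS config excerpt and reports interfaces where port-security parameters are set without `switchport port-security`, where the violation mode is left at its default, and access ports without 802.1X, plus missing global 802.1X prerequisites. The config text, interface names and the rule set are assumptions made for the example; the requirement for `dot1x system-auth-control` is the one assumed above.

```python
# Added example (not Cisco's code): audit an IOS running-config for the
# port-security and 802.1X settings discussed on this page.
# SAMPLE_CONFIG is a constructed excerpt, not taken from a real device.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default local
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0090.f510.79c1
 switchport port-security violation shutdown
 dot1x port-control auto
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security maximum 1
 switchport port-security violation protect
 dot1x port-control auto
!
interface FastEthernet0/3
 switchport mode access
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport port-security
 switchport port-security maximum 100
 switchport port-security violation protect
!
"""


def parse_config(text: str):
    """Split an IOS config into global commands and per-interface command lists."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]          # e.g. "FastEthernet0/1"
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())  # indented: belongs to the interface
        else:
            current = None                            # any other line ends the interface block
            if line and line != "!":
                global_cmds.append(line.strip())
    return global_cmds, interfaces


def audit(text: str):
    """Return a list of (scope, finding) tuples; an empty list means no gaps found."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    # Global 802.1X prerequisites (aaa new-model, a dot1x method list, global enable).
    if "aaa new-model" not in global_cmds:
        findings.append(("global", "aaa new-model missing"))
    if not any(c.startswith("aaa authentication dot1x ") for c in global_cmds):
        findings.append(("global", "no aaa authentication dot1x method list"))
    if "dot1x system-auth-control" not in global_cmds:
        findings.append(("global", "dot1x system-auth-control missing"))
    for name, cmds in interfaces.items():
        present = set(cmds)
        # Parameters such as maximum/mac-address/violation do nothing until the
        # bare "switchport port-security" command enables the feature.
        has_params = any(c.startswith("switchport port-security ") for c in cmds)
        if has_params and "switchport port-security" not in present:
            findings.append((name, "port-security parameters set but feature not enabled"))
        if "switchport port-security" in present and not any(
                c.startswith("switchport port-security violation") for c in cmds):
            findings.append((name, "violation mode left at default"))
        # The page recommends 802.1X on every port; flag access ports without it.
        if "switchport mode access" in present and "dot1x port-control auto" not in present:
            findings.append((name, "access port without 802.1X"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```

On the constructed excerpt the audit reports FastEthernet0/2 (parameters without `switchport port-security`) and FastEthernet0/3 (no `dot1x port-control auto`); running it against the output of `show running-config` from a real switch needs no change other than replacing `SAMPLE_CONFIG`.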