组网需求
如图所示,用户PC1、PC2、PC3通过接入设备连接公司网络。为了提高用户接入的安全性,将接入设备Router的接口使能端口安全功能,并且设置接口学习MAC地址数的上限为接入用户数,这样其他外来人员使用自己带来的PC无法访问公司的网络。
配置思路
采用如下的思路配置端口安全:
1.配置VLAN,实现二层转发功能。
2.配置端口安全功能,实现学习到的MAC地址表项不老化。
操作步骤
创建VLAN,配置接口的链路类型,并配置IP
LSW2
plain
<Huawei>sys
[Huawei]sys LSW2
[LSW2]vlan batch 10
[LSW2]interface GigabitEthernet0/0/1
[LSW2-GigabitEthernet0/0/1]port link-type access
[LSW2-GigabitEthernet0/0/1]port default vlan 10
[LSW2-GigabitEthernet0/0/1]quit
[LSW2]interface GigabitEthernet0/0/2
[LSW2-GigabitEthernet0/0/2]port link-type access
[LSW2-GigabitEthernet0/0/2]port default vlan 10
[LSW2-GigabitEthernet0/0/2]quit
[LSW2]interface GigabitEthernet0/0/3
[LSW2-GigabitEthernet0/0/3]port link-type access
[LSW2-GigabitEthernet0/0/3]port default vlan 10
[LSW2-GigabitEthernet0/0/3]quit
[LSW2]interface GigabitEthernet0/0/4
[LSW2-GigabitEthernet0/0/4]port link-type trunk
[LSW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 10
[LSW2-GigabitEthernet0/0/4]quitLSW1
plain
<Huawei>sys
[Huawei]sys LSW1
[LSW1]vlan batch 10
[LSW1]interface GigabitEthernet0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type trunk
[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10
[LSW1-GigabitEthernet0/0/1]quit
[LSW1]interface Vlanif 10
[LSW1-Vlanif10]ip add 192.168.10.1 24
[LSW1-Vlanif10]quitPC1
PC2
PC3
配置端口安全功能
LSW1
plain
[LSW1]interface GigabitEthernet0/0/1
[LSW1-GigabitEthernet0/0/1]port-security enable
[LSW1-GigabitEthernet0/0/1]port-security max-mac-num 3
[LSW1-GigabitEthernet0/0/1]port-security mac-address sticky
[LSW1-GigabitEthernet0/0/1]quit
[LSW1]display mac-address sticky vlan 10
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address VLAN/ PEVLAN CEVLAN Port Type LSP/LSR-ID
VSI/SI MAC-Tunnel
-------------------------------------------------------------------------------
5489-98f6-76f9 10 - - GE0/0/1 sticky -
5489-984d-0e9d 10 - - GE0/0/1 sticky -
5489-9889-2c6c 10 - - GE0/0/1 sticky -
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 3 测试把PC1替换后的PC是否可以连接到网络
新拓扑图
替换PC配置IP,配置的IP和PC1一致
验证
新增PC ping Vlanif接口,无法ping通
plain
PC>ping 192.168.10.1
Ping 192.168.10.1: 32 data bytes, Press Ctrl_C to break
From 192.168.10.10: Destination host unreachable
From 192.168.10.10: Destination host unreachable
From 192.168.10.10: Destination host unreachable
From 192.168.10.10: Destination host unreachable
From 192.168.10.10: Destination host unreachable
--- 192.168.10.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet lossPC2、PC3 ping Vlanif接口,可以ping通
plain
PC2 ping结果
PC>ping 192.168.10.1
Ping 192.168.10.1: 32 data bytes, Press Ctrl_C to break
From 192.168.10.1: bytes=32 seq=1 ttl=255 time=32 ms
From 192.168.10.1: bytes=32 seq=2 ttl=255 time=63 ms
From 192.168.10.1: bytes=32 seq=3 ttl=255 time=47 ms
From 192.168.10.1: bytes=32 seq=4 ttl=255 time=47 ms
From 192.168.10.1: bytes=32 seq=5 ttl=255 time=62 ms
--- 192.168.10.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 32/50/63 ms
PC3 ping结果
PC>ping 192.168.10.1
Ping 192.168.10.1: 32 data bytes, Press Ctrl_C to break
From 192.168.10.1: bytes=32 seq=1 ttl=255 time=47 ms
From 192.168.10.1: bytes=32 seq=2 ttl=255 time=62 ms
From 192.168.10.1: bytes=32 seq=3 ttl=255 time=47 ms
From 192.168.10.1: bytes=32 seq=4 ttl=255 time=31 ms
From 192.168.10.1: bytes=32 seq=5 ttl=255 time=62 ms
--- 192.168.10.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/49/62 ms