1. Lab topology
(1) Configure port security on interface G0/0/1 of S1.
Configuration of S1:
<Huawei>sys
[Huawei]undo info-center enable
[Huawei]sysname S1
[S1]interface g0/0/1
[S1-GigabitEthernet0/0/1]port-security enable
[S1-GigabitEthernet0/0/1]port-security max-mac-num 2
[S1-GigabitEthernet0/0/1]port-security protect-action shutdown
Use PC1 and PC2 to access PC4, then check the MAC address table of S1.
PC1 accesses PC4:
PC>ping 10.1.1.4
Ping 10.1.1.4: 32 data bytes, Press Ctrl_C to break
From 10.1.1.4: bytes=32 seq=1 ttl=128 time=47 ms
From 10.1.1.4: bytes=32 seq=2 ttl=128 time=63 ms
From 10.1.1.4: bytes=32 seq=3 ttl=128 time=94 ms
From 10.1.1.4: bytes=32 seq=4 ttl=128 time=47 ms
From 10.1.1.4: bytes=32 seq=5 ttl=128 time=93 ms
--- 10.1.1.4 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 47/68/94 ms
PC2 accesses PC4:
PC>ping 10.1.1.4
Ping 10.1.1.4: 32 data bytes, Press Ctrl_C to break
From 10.1.1.4: bytes=32 seq=1 ttl=128 time=78 ms
From 10.1.1.4: bytes=32 seq=2 ttl=128 time=94 ms
From 10.1.1.4: bytes=32 seq=3 ttl=128 time=62 ms
From 10.1.1.4: bytes=32 seq=4 ttl=128 time=62 ms
From 10.1.1.4: bytes=32 seq=5 ttl=128 time=62 ms
--- 10.1.1.4 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/71/94 ms
View the MAC address table of S1:
[S1]display mac-address
MAC address table of slot 0:
MAC Address    VLAN/  PEVLAN CEVLAN Port     Type     LSP/LSR-ID
               VSI/SI                                 MAC-Tunnel
5489-9803-6228 1      -      -      GE0/0/1  security -
5489-982b-2f53 1      -      -      GE0/0/1  security -
Total matching items on slot 0 displayed = 2
MAC address table of slot 0:
MAC Address    VLAN/  PEVLAN CEVLAN Port     Type     LSP/LSR-ID
               VSI/SI                                 MAC-Tunnel
5489-98fd-042c 1      -      -      GE0/0/3  dynamic  0/-
Total matching items on slot 0 displayed = 1
Access PC4 from an unauthorized user:
PC>ping 10.1.1.4
Ping 10.1.1.4: 32 data bytes, Press Ctrl_C to break
From 10.1.1.6: Destination host unreachable
From 10.1.1.6: Destination host unreachable
From 10.1.1.6: Destination host unreachable
From 10.1.1.6: Destination host unreachable
From 10.1.1.6: Destination host unreachable
--- 10.1.1.4 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
(2) Configure interface G0/0/2 of S1 with a secure static MAC address.
[S1]interface g0/0/2
[S1-GigabitEthernet0/0/2]port-security enable
[S1-GigabitEthernet0/0/2]port-security mac-address sticky
[S1-GigabitEthernet0/0/2]port-security mac-address sticky 5489-9827-7795 vlan 1
[S1-GigabitEthernet0/0/2]port-security max-mac-num 1
View the MAC address table of S1:
[S1]display mac-address
MAC address table of slot 0:
MAC Address    VLAN/  PEVLAN CEVLAN Port     Type     LSP/LSR-ID
               VSI/SI                                 MAC-Tunnel
5489-9827-7795 1      -      -      GE0/0/2  sticky   -
Total matching items on slot 0 displayed = 1
[S1]
(3) Configure interface G0/0/3 of S1 for sticky MAC.
[S1]interface g0/0/3
[S1-GigabitEthernet0/0/3]port-security enable
[S1-GigabitEthernet0/0/3]port-security mac-address sticky
[S1-GigabitEthernet0/0/3]port-security max-mac-num 1
Before PC4 has communicated, the switch's MAC address table has no entry for PC4's MAC address. View the MAC address table:
[S1]display mac-address
MAC address table of slot 0:
MAC Address    VLAN/  PEVLAN CEVLAN Port     Type     LSP/LSR-ID
               VSI/SI                                 MAC-Tunnel
5489-9827-7795 1      -      -      GE0/0/2  sticky   -
Total matching items on slot 0 displayed = 1
From PC4, access PC3:
PC>ping 10.1.1.4
Ping 10.1.1.4: 32 data bytes, Press Ctrl_C to break
From 10.1.1.4: bytes=32 seq=1 ttl=128 time=47 ms
From 10.1.1.4: bytes=32 seq=2 ttl=128 time=31 ms
From 10.1.1.4: bytes=32 seq=3 ttl=128 time=31 ms
From 10.1.1.4: bytes=32 seq=4 ttl=128 time=47 ms
From 10.1.1.4: bytes=32 seq=5 ttl=128 time=47 ms
--- 10.1.1.4 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/40/47 ms
View the MAC address table again:
[S1]display mac-address
MAC address table of slot 0:
MAC Address    VLAN/  PEVLAN CEVLAN Port     Type     LSP/LSR-ID
               VSI/SI                                 MAC-Tunnel
5489-9827-7795 1      -      -      GE0/0/2  sticky   -
5489-98fd-042c 1      -      -      GE0/0/3  sticky   -
Total matching items on slot 0 displayed = 2
The MAC address learned on interface G0/0/3 is PC4's MAC address, and its type is sticky.
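An added example (not part of the original lab write-up): a Python check that parses `display mac-address` output like the tables above and flags ports whose entries are not of the expected security type or that exceed max-mac-num. The POLICY mapping and the function names are assumptions made for this illustration; the sample input is constructed from the first table shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: the first `display mac-address` output on this page,
# taken before port security was enabled on GE0/0/3.
SAMPLE = """\
MAC address table of slot 0:
MAC Address    VLAN/  PEVLAN CEVLAN Port     Type     LSP/LSR-ID
               VSI/SI                                 MAC-Tunnel
5489-9803-6228 1      -      -      GE0/0/1  security -
5489-982b-2f53 1      -      -      GE0/0/1  security -
Total matching items on slot 0 displayed = 2
MAC address table of slot 0:
5489-98fd-042c 1      -      -      GE0/0/3  dynamic  0/-
Total matching items on slot 0 displayed = 1
"""

# Hypothetical policy mirroring the lab: port -> (max-mac-num, allowed entry types).
POLICY = {
    "GE0/0/1": (2, {"security"}),
    "GE0/0/2": (1, {"sticky"}),
    "GE0/0/3": (1, {"sticky"}),
}

# MAC, VLAN, PEVLAN, CEVLAN, Port, Type (trailing columns are ignored).
ROW = re.compile(
    r"^([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(\d+)\s+\S+\s+\S+\s+(\S+)\s+(\S+)", re.I)

def parse_mac_table(text):
    """Return {port: [(mac, vlan, type), ...]} from display mac-address output."""
    table = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            mac, vlan, port, kind = m.groups()
            table[port].append((mac.lower(), int(vlan), kind.lower()))
    return dict(table)

def audit(table, policy):
    """List findings: entries of an unexpected type and ports over their MAC limit."""
    findings = []
    for port, (limit, allowed) in sorted(policy.items()):
        entries = table.get(port, [])
        for mac, _vlan, kind in entries:
            if kind not in allowed:
                findings.append(f"{port}: {mac} is '{kind}', expected {sorted(allowed)}")
        if len(entries) > limit:
            findings.append(f"{port}: {len(entries)} MACs exceed max-mac-num {limit}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_mac_table(SAMPLE), POLICY):
        print(finding)
```

Run against the sample, the audit reports GE0/0/3 because its entry is still `dynamic`; once sticky MAC is configured on that interface the finding disappears.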
Copyright belongs to the original author, 吁111111. In case of infringement, please contact us for removal.