配置端口安全

1.实验拓扑

（1）配置S1的G0/0/1接口的端口安全。

S1的配置

<Huawei>sys

[Huawei]undo info-center enable

[Huawei]sysname S1

[S1]interface g0/0/1

[S1-GigabitEthernet0/0/1]port-security enable

[S1-GigabitEthernet0/0/1]port-security max-mac-num 2

[S1-GigabitEthernet0/0/1]port-security protect-action shutdown

使用PC1，PC2访问PC4,查看S1的MAC地址表。

PC1访问PC4：

PC>ping 10.1.1.4

Ping 10.1.1.4: 32 data bytes, Press Ctrl_C to break

From 10.1.1.4: bytes=32 seq=1 ttl=128 time=47 ms

From 10.1.1.4: bytes=32 seq=2 ttl=128 time=63 ms

From 10.1.1.4: bytes=32 seq=3 ttl=128 time=94 ms

From 10.1.1.4: bytes=32 seq=4 ttl=128 time=47 ms

From 10.1.1.4: bytes=32 seq=5 ttl=128 time=93 ms

--- 10.1.1.4 ping statistics ---

  5 packet(s) transmitted

  5 packet(s) received

  0.00% packet loss

  round-trip min/avg/max = 47/68/94 ms

PC2访问PC4：

PC>ping 10.1.1.4

Ping 10.1.1.4: 32 data bytes, Press Ctrl_C to break

From 10.1.1.4: bytes=32 seq=1 ttl=128 time=78 ms

From 10.1.1.4: bytes=32 seq=2 ttl=128 time=94 ms

From 10.1.1.4: bytes=32 seq=3 ttl=128 time=62 ms

From 10.1.1.4: bytes=32 seq=4 ttl=128 time=62 ms

From 10.1.1.4: bytes=32 seq=5 ttl=128 time=62 ms

--- 10.1.1.4 ping statistics ---

  5 packet(s) transmitted

  5 packet(s) received

  0.00% packet loss

  round-trip min/avg/max = 62/71/94 ms

查看S1的MAC地址表：

[S1]display mac-address

MAC address table of slot 0:

-------------------------------------------------------------------------------

MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID  

               VSI/SI                                              MAC-Tunnel  

-------------------------------------------------------------------------------

5489-9803-6228 1           -      -      GE0/0/1         security  -           

5489-982b-2f53 1           -      -      GE0/0/1         security  -           

-------------------------------------------------------------------------------

Total matching items on slot 0 displayed = 2

MAC address table of slot 0:

-------------------------------------------------------------------------------

MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID  

               VSI/SI                                              MAC-Tunnel  

-------------------------------------------------------------------------------

5489-98fd-042c 1           -      -      GE0/0/3         dynamic   0/-         

-------------------------------------------------------------------------------

Total matching items on slot 0 displayed = 1

使用非法用户访问PC4：

PC>ping 10.1.1.4

Ping 10.1.1.4: 32 data bytes, Press Ctrl_C to break

From 10.1.1.6: Destination host unreachable

From 10.1.1.6: Destination host unreachable

From 10.1.1.6: Destination host unreachable

From 10.1.1.6: Destination host unreachable

From 10.1.1.6: Destination host unreachable

--- 10.1.1.4 ping statistics ---

  5 packet(s) transmitted

  0 packet(s) received

  100.00% packet loss

（2）配置S1的G0/0/2接口为安全静态MAC地址。

[S1]i g00/0/2

[S1-GigabitEthernet0/0/2]port-security enable

[S1-GigabitEthernet0/0/2]port-security mac-address sticky

[S1-GigabitEthernet0/0/2]port-security mac-address sticky 5489-9827-7795 vlan 1

[S1-GigabitEthernet0/0/2]port-security max-mac-num 1

查看S1的MAC地址表：

[S1]display mac-address

MAC address table of slot 0:

-------------------------------------------------------------------------------

MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID  

               VSI/SI                                              MAC-Tunnel  

-------------------------------------------------------------------------------

5489-9827-7795 1           -      -      GE0/0/2         sticky    -           

-------------------------------------------------------------------------------

Total matching items on slot 0 displayed = 1

[S1]

1. 配置S1的G0/0/3接口为Sticky MAC。

[S1]i g0/0/3

[S1-GigabitEthernet0/0/3]port-security enable

[S1-GigabitEthernet0/0/3]port-security mac-address sticky

[S1-GigabitEthernet0/0/3]port-security max-mac-num 1

在PC4没通信之前，交换机的MAC地址表并没有其MAC地址的对应关系。查看MAC地址表。

[S1]display mac-address

MAC address table of slot 0:

-------------------------------------------------------------------------------

MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID  

               VSI/SI                                              MAC-Tunnel  

-------------------------------------------------------------------------------

5489-9827-7795 1           -      -      GE0/0/2         sticky    -           

-------------------------------------------------------------------------------

Total matching items on slot 0 displayed = 1

在PC4上访问PC3：

PC>ping 10.1.1.4

Ping 10.1.1.4: 32 data bytes, Press Ctrl_C to break

From 10.1.1.4: bytes=32 seq=1 ttl=128 time=47 ms

From 10.1.1.4: bytes=32 seq=2 ttl=128 time=31 ms

From 10.1.1.4: bytes=32 seq=3 ttl=128 time=31 ms

From 10.1.1.4: bytes=32 seq=4 ttl=128 time=47 ms

From 10.1.1.4: bytes=32 seq=5 ttl=128 time=47 ms

--- 10.1.1.4 ping statistics ---

  5 packet(s) transmitted

  5 packet(s) received

  0.00% packet loss

  round-trip min/avg/max = 31/40/47 ms

再次查看MAC地址表：

[S1]display mac-address

MAC address table of slot 0:

-------------------------------------------------------------------------------

MAC Address    VLAN/       PEVLAN CEVLAN Port

               VSI/SI                                              MAC-Tunnel  

-------------------------------------------------------------------------------

5489-9827-7795 1           -      -      GE0/0/2         sticky    -           

5489-98fd-042c 1           -      -      GE0/0/3         sticky    -           

-------------------------------------------------------------------------------

Total matching items on slot 0 displayed = 2

可以看到G0/0/3接口学习到的MAC地址为PC4的MAC地址，并且类型为sticky。