当前位置：首页 > news >正文

端口安全配置示例

news 2025/6/20 11:05:02

组网需求

如图所示，用户PC1、PC2、PC3通过接入设备连接公司网络。为了提高用户接入的安全性，将接入设备Router的接口使能端口安全功能，并且设置接口学习MAC地址数的上限为接入用户数，这样其他外来人员使用自己带来的PC无法访问公司的网络。

配置思路

采用如下的思路配置端口安全：

1.配置VLAN，实现二层转发功能。

2.配置端口安全功能，实现学习到的MAC地址表项不老化。

操作步骤

创建VLAN，配置接口的链路类型，并配置IP

LSW2

<Huawei>sys
[Huawei]sys LSW2
[LSW2]vlan batch 10
[LSW2]interface GigabitEthernet0/0/1
[LSW2-GigabitEthernet0/0/1]port link-type access
[LSW2-GigabitEthernet0/0/1]port default vlan 10
[LSW2-GigabitEthernet0/0/1]quit
[LSW2]interface GigabitEthernet0/0/2
[LSW2-GigabitEthernet0/0/2]port link-type access
[LSW2-GigabitEthernet0/0/2]port default vlan 10
[LSW2-GigabitEthernet0/0/2]quit
[LSW2]interface GigabitEthernet0/0/3
[LSW2-GigabitEthernet0/0/3]port link-type access
[LSW2-GigabitEthernet0/0/3]port default vlan 10
[LSW2-GigabitEthernet0/0/3]quit
[LSW2]interface GigabitEthernet0/0/4
[LSW2-GigabitEthernet0/0/4]port link-type trunk 
[LSW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 10
[LSW2-GigabitEthernet0/0/4]quit

LSW1

<Huawei>sys
[Huawei]sys LSW1
[LSW1]vlan batch 10
[LSW1]interface GigabitEthernet0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type trunk 
[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10
[LSW1-GigabitEthernet0/0/1]quit
[LSW1]interface Vlanif 10
[LSW1-Vlanif10]ip add 192.168.10.1 24
[LSW1-Vlanif10]quit

PC1

PC2

PC3

配置端口安全功能

LSW1

[LSW1]interface GigabitEthernet0/0/1
[LSW1-GigabitEthernet0/0/1]port-security enable
[LSW1-GigabitEthernet0/0/1]port-security max-mac-num 3
[LSW1-GigabitEthernet0/0/1]port-security mac-address sticky
[LSW1-GigabitEthernet0/0/1]quit
[LSW1]display mac-address sticky vlan 10
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID  VSI/SI                                              MAC-Tunnel  
-------------------------------------------------------------------------------
5489-98f6-76f9 10          -      -      GE0/0/1         sticky    -           
5489-984d-0e9d 10          -      -      GE0/0/1         sticky    -           
5489-9889-2c6c 10          -      -      GE0/0/1         sticky    -           
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 3

测试把PC1替换后的PC是否可以连接到网络

新拓扑图

替换PC配置IP，配置的IP和PC1一致

验证

新增PC ping Vlanif接口，无法ping通

PC>ping 192.168.10.1Ping 192.168.10.1: 32 data bytes, Press Ctrl_C to break
From 192.168.10.10: Destination host unreachable
From 192.168.10.10: Destination host unreachable
From 192.168.10.10: Destination host unreachable
From 192.168.10.10: Destination host unreachable
From 192.168.10.10: Destination host unreachable--- 192.168.10.1 ping statistics ---5 packet(s) transmitted0 packet(s) received100.00% packet loss

PC2、PC3 ping Vlanif接口，可以ping通

PC2 ping结果
PC>ping 192.168.10.1Ping 192.168.10.1: 32 data bytes, Press Ctrl_C to break
From 192.168.10.1: bytes=32 seq=1 ttl=255 time=32 ms
From 192.168.10.1: bytes=32 seq=2 ttl=255 time=63 ms
From 192.168.10.1: bytes=32 seq=3 ttl=255 time=47 ms
From 192.168.10.1: bytes=32 seq=4 ttl=255 time=47 ms
From 192.168.10.1: bytes=32 seq=5 ttl=255 time=62 ms--- 192.168.10.1 ping statistics ---5 packet(s) transmitted5 packet(s) received0.00% packet lossround-trip min/avg/max = 32/50/63 msPC3 ping结果
PC>ping 192.168.10.1Ping 192.168.10.1: 32 data bytes, Press Ctrl_C to break
From 192.168.10.1: bytes=32 seq=1 ttl=255 time=47 ms
From 192.168.10.1: bytes=32 seq=2 ttl=255 time=62 ms
From 192.168.10.1: bytes=32 seq=3 ttl=255 time=47 ms
From 192.168.10.1: bytes=32 seq=4 ttl=255 time=31 ms
From 192.168.10.1: bytes=32 seq=5 ttl=255 time=62 ms--- 192.168.10.1 ping statistics ---5 packet(s) transmitted5 packet(s) received0.00% packet lossround-trip min/avg/max = 31/49/62 ms