难点交换机端口安全的关闭端口 交换机一个端口一个MAC(MAC绑定port) 实验环境packet tracer 5.3 Cisco2960 Switch(config-if)#interface fa0/2 //进入接口 Switch(config-if)#switchport mode access //将接口设置为access模式,在packet tracer中好像是必须的,虽然交换机的默认模式是access,但是还是必须要键入这个命令Switch(config-if)#switchport port-security //启动端口安全功能 Switch(config-if)#switchport port-security maximum 1 //设置端口的最大MAC数量Switch(config-if)#switchport port-security mac-address 00D0.97DC.31A7//写入MAC Switch(config-if)#do show port-security address//验证配置,我现在配置的是fa0/2 Secure Mac Address Table ------------------------------------------------------------------------------- Vlan Mac Address Type Ports Remaining Age (mins) ---- ----------- ---- ----- ------------- 1 0030.A36E.C1CC SecureConfigured FastEthernet0/1 - 1 00D0.97DC.31A7 SecureConfigured FastEthernet0/ 2 - ------------------------------------------------------------------------------ Total Addresses in System (excluding one mac per port) : 0 Max Addresses limit in System (excluding one mac per port) : 1024 下面我将插在MAC为00D0.97DC.31A7的PC网线拔了插到其他不同MAC的PC上 Switch(config-if)#shutdown //我先down了这个接口 Switch(config-if)# %LINK-5-CHANGED: Interface FastEthernet0/2, changed state to administratively down %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down Switch(config-if)#no shutdown //插到另外的一个PC上然后打开端口 %LINK-5-CHANGED: Interface FastEthernet0/2, changed state to up %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up Switch(config-if)# %LINK-5-CHANGED: Interface FastEthernet0/2, changed state to administratively down %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down //我在这个期间,用ping命令ping了一个不是本机的IP,主要是要让交换机知道我的MAC,由于先前配置了安全端口,所以现在端口状态变成了administratively down,这也是本实验的要的效果 下面我在将网线插到原来的PC上(MAC为00D0.97DC.31A7的PC) Switch(config-if)#no shutdown //书上讲只要用no shutdown就可以开启,现在实验显示是无效的 %LINK-5-CHANGED: Interface FastEthernet0/2, changed state to down Switch(config-if)#shutdown //必须先用shutdown关闭端口,这也是论坛里的一个兄弟提醒我的,先谢谢这位兄弟了 %LINK-5-CHANGED: Interface FastEthernet0/2, changed state to administratively down Switch(config-if)#no shutdown //再次执行no shutdown好的现在端口可以使用了 %LINK-5-CHANGED: Interface FastEthernet0/2, changed state to up %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up Switch(config-if)# 。