組網需求

如圖所示，用戶PC1、PC2、PC3通過接入設備連接公司網絡。為了提高用戶接入的安全性，將接入設備Router的接口使能端口安全功能，并且設置接口學習MAC地址數的上限為接入用戶數，這樣其他外來人員使用自己帶來的PC無法訪問公司的網絡。

配置思路

采用如下的思路配置端口安全：

1.配置VLAN，實現二層轉發功能。

2.配置端口安全功能，實現學習到的MAC地址表項不老化。

操作步驟

創建VLAN，配置接口的鏈路類型，并配置IP

LSW2

<Huawei>sys
[Huawei]sys LSW2
[LSW2]vlan batch 10
[LSW2]interface GigabitEthernet0/0/1
[LSW2-GigabitEthernet0/0/1]port link-type access
[LSW2-GigabitEthernet0/0/1]port default vlan 10
[LSW2-GigabitEthernet0/0/1]quit
[LSW2]interface GigabitEthernet0/0/2
[LSW2-GigabitEthernet0/0/2]port link-type access
[LSW2-GigabitEthernet0/0/2]port default vlan 10
[LSW2-GigabitEthernet0/0/2]quit
[LSW2]interface GigabitEthernet0/0/3
[LSW2-GigabitEthernet0/0/3]port link-type access
[LSW2-GigabitEthernet0/0/3]port default vlan 10
[LSW2-GigabitEthernet0/0/3]quit
[LSW2]interface GigabitEthernet0/0/4
[LSW2-GigabitEthernet0/0/4]port link-type trunk 
[LSW2-GigabitEthernet0/0/4]port trunk allow-pass vlan 10
[LSW2-GigabitEthernet0/0/4]quit

LSW1

<Huawei>sys
[Huawei]sys LSW1
[LSW1]vlan batch 10
[LSW1]interface GigabitEthernet0/0/1
[LSW1-GigabitEthernet0/0/1]port link-type trunk 
[LSW1-GigabitEthernet0/0/1]port trunk allow-pass vlan 10
[LSW1-GigabitEthernet0/0/1]quit
[LSW1]interface Vlanif 10
[LSW1-Vlanif10]ip add 192.168.10.1 24
[LSW1-Vlanif10]quit

PC1

PC2

PC3

配置端口安全功能

LSW1

[LSW1]interface GigabitEthernet0/0/1
[LSW1-GigabitEthernet0/0/1]port-security enable
[LSW1-GigabitEthernet0/0/1]port-security max-mac-num 3
[LSW1-GigabitEthernet0/0/1]port-security mac-address sticky
[LSW1-GigabitEthernet0/0/1]quit
[LSW1]display mac-address sticky vlan 10
MAC address table of slot 0:
-------------------------------------------------------------------------------
MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID  VSI/SI                                              MAC-Tunnel  
-------------------------------------------------------------------------------
5489-98f6-76f9 10          -      -      GE0/0/1         sticky    -           
5489-984d-0e9d 10          -      -      GE0/0/1         sticky    -           
5489-9889-2c6c 10          -      -      GE0/0/1         sticky    -           
-------------------------------------------------------------------------------
Total matching items on slot 0 displayed = 3 

測試把PC1替換后的PC是否可以連接到網絡

新拓撲圖

替換PC配置IP，配置的IP和PC1一致

驗證

新增PC ping Vlanif接口，無法ping通

PC>ping 192.168.10.1Ping 192.168.10.1: 32 data bytes, Press Ctrl_C to break
From 192.168.10.10: Destination host unreachable
From 192.168.10.10: Destination host unreachable
From 192.168.10.10: Destination host unreachable
From 192.168.10.10: Destination host unreachable
From 192.168.10.10: Destination host unreachable--- 192.168.10.1 ping statistics ---5 packet(s) transmitted0 packet(s) received100.00% packet loss

PC2、PC3 ping Vlanif接口，可以ping通

PC2 ping結果
PC>ping 192.168.10.1Ping 192.168.10.1: 32 data bytes, Press Ctrl_C to break
From 192.168.10.1: bytes=32 seq=1 ttl=255 time=32 ms
From 192.168.10.1: bytes=32 seq=2 ttl=255 time=63 ms
From 192.168.10.1: bytes=32 seq=3 ttl=255 time=47 ms
From 192.168.10.1: bytes=32 seq=4 ttl=255 time=47 ms
From 192.168.10.1: bytes=32 seq=5 ttl=255 time=62 ms--- 192.168.10.1 ping statistics ---5 packet(s) transmitted5 packet(s) received0.00% packet lossround-trip min/avg/max = 32/50/63 msPC3 ping結果
PC>ping 192.168.10.1Ping 192.168.10.1: 32 data bytes, Press Ctrl_C to break
From 192.168.10.1: bytes=32 seq=1 ttl=255 time=47 ms
From 192.168.10.1: bytes=32 seq=2 ttl=255 time=62 ms
From 192.168.10.1: bytes=32 seq=3 ttl=255 time=47 ms
From 192.168.10.1: bytes=32 seq=4 ttl=255 time=31 ms
From 192.168.10.1: bytes=32 seq=5 ttl=255 time=62 ms--- 192.168.10.1 ping statistics ---5 packet(s) transmitted5 packet(s) received0.00% packet lossround-trip min/avg/max = 31/49/62 ms

驗證結果：PC1換成其他PC，無法訪問公司網絡。