Although computers on a TCP/IP network usually need an IP address in order to communicate, the actual exchange of data between computers is not done by IP address but by the MAC address of the network card. The IP address is only used to look up the MAC address of the target computer that we want to talk to.
The ARP protocol is used to tell other computers and network devices which MAC address corresponds to our own IP address. Every computer keeps one or more tables in its ARP cache that map IP addresses to the Ethernet MAC addresses that have been resolved. After a computer has communicated with another IP address, the corresponding MAC address is retained in the ARP cache, so the next time it communicates with the same IP address it uses the cached MAC address directly instead of querying for it again.
In a switched network the switch also maintains a MAC address table, and forwards data to the target computer according to its MAC address.
Why do we need to bind MAC and IP addresses? An IP address is very easy to change, while the MAC address is stored in the EEPROM of the network card and is fixed for that card. Therefore, to prevent an insider from illegally taking over an IP address (for example, taking over an IP address with higher authority in order to obtain information outside their permissions), we can bind each internal network IP address to its MAC address; the attempt then fails because the MAC address does not match, even if the offender changes the IP address. What is more, because the MAC address is unique we can find the user to whom the network card belongs from its MAC address, and so identify the offender.
At present, MAC and IP address binding has been adopted on the internal networks of many companies. Here we introduce the IP and MAC binding options available on Cisco switches.
There are three options to choose from on Cisco switches. Options 1 and 2 do the same thing: they bind a specific host's MAC address (the network card's hardware address) to a specific switch port. Option 3 binds both the specific host's MAC address (the network card's hardware address) and its IP address to the specific host port on the switch.
Option 1 - MAC address binding on a port
Take a Cisco 2950 switch as an example: log in to the switch, enter the administrative password to reach configuration mode, and then enter the following commands:
Switch#configure terminal
#Enter global configuration mode
Switch(config)#interface fastethernet 0/1
#Enter the configuration mode of the specific port
Switch(config-if)#switchport port-security
#Enable port security on the port
Switch(config-if)#switchport port-security mac-address MAC (the host's MAC address)
#Bind the host's MAC address to the port
Switch(config-if)#no switchport port-security mac-address MAC (the host's MAC address)
#Remove the binding of the host's MAC address
Note:
These functions apply to Cisco 2950, 3550, 4500 and 6500 Series switches. Port security can only be enabled on a port that is configured as a static access port (or a trunk port), not on a port whose mode is negotiated dynamically.
Option 2 - Extended access lists of MAC addresses
Switch(config)#mac access-list extended MAC10
#Define a MAC address access control list named MAC10
Switch(config-ext-macl)#permit host 0009.6bc4.d4bf any
#Allow the host with MAC address 0009.6bc4.d4bf to reach any host
Switch(config-ext-macl)#permit any host 0009.6bc4.d4bf
#Allow any host to reach the host with MAC address 0009.6bc4.d4bf
Switch(config)#interface Fa0/20
#Enter the configuration mode of the specific interface
Switch(config-if)#mac access-group MAC10 in
#Apply the access list named MAC10 inbound on the port (the access policy defined above)
Switch(config)#no mac access-list extended MAC10
#Delete the access list named MAC10
Note:
The above functions are available on Cisco 2960, 3560, 4500 and 6500 Series switches; however, the 2960 and 3560 switches need the Enhanced Image.
Option 3 - Combining option 1 or 2 with an IP access list
IP-MAC binding is only achieved by combining option 1 or option 2 with an IP-based ACL (access control list):
Switch(config)#mac access-list extended MAC10
#Define a MAC address access control list named MAC10
Switch(config-ext-macl)#permit host 0009.6bc4.d4bf any
#Allow the host with MAC address 0009.6bc4.d4bf to reach any host
Switch(config-ext-macl)#permit any host 0009.6bc4.d4bf
#Allow any host to reach the host with MAC address 0009.6bc4.d4bf
Switch(config)#ip access-list extended IP10
#Define an IP address access control list named IP10
Switch(config-ext-nacl)#permit ip 192.168.0.1 0.0.0.0 any
#Allow the host with IP address 192.168.0.1 to reach any host
Switch(config-ext-nacl)#permit ip any 192.168.0.1 0.0.0.0
#Allow any host to reach the host with IP address 192.168.0.1
Switch(config)#interface Fa0/20
#Enter the configuration mode of the specific interface
Switch(config-if)#mac access-group MAC10 in
#Apply the access list named MAC10 inbound on the port (the access policy defined above)
Switch(config-if)#ip access-group IP10 in
#Apply the access list named IP10 inbound on the port (the access policy defined above)
Switch(config)#no mac access-list extended MAC10
#Delete the access list named MAC10
Switch(config)#no ip access-list extended IP10
#Delete the access list named IP10
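As an added example that is not part of the original article, the script below generates the option 3 configuration above for a whole table of port/MAC/IP bindings (the binding table and the `show ip arp` sample are constructed for this example), and then checks the ARP listing against that table to find a bound IP address that is answering from a different network card, which is how the offender described earlier would be spotted.

```python
import re
# Constructed binding table for this example (not from the page): switch port, host MAC, host IP.
BINDINGS = [
    ("FastEthernet0/20", "00:09:6b:c4:d4:bf", "192.168.0.1"),
    ("FastEthernet0/21", "0050.56ab.1234", "192.168.0.2"),
]

def cisco_mac(mac):
    """Normalise colon, dash or dotted MAC notation to Cisco form, e.g. 0009.6bc4.d4bf."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def option3_config(bindings):
    """Emit the option 3 commands per binding: MAC ACL + IP ACL applied inbound on the host's port."""
    lines = []
    for n, (port, mac, ip) in enumerate(bindings, start=10):   # names MAC10/IP10, MAC11/IP11, ...
        mac = cisco_mac(mac)
        lines += [f"mac access-list extended MAC{n}",
                  f" permit host {mac} any",
                  f" permit any host {mac}",
                  f"ip access-list extended IP{n}",
                  f" permit ip {ip} 0.0.0.0 any",
                  f" permit ip any {ip} 0.0.0.0",
                  f"interface {port}",
                  f" mac access-group MAC{n} in",
                  f" ip access-group IP{n} in"]
    return lines

# One ARP entry as printed by `show ip arp` on Cisco IOS.
ARP_ROW = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})\s+ARPA")

def arp_violations(bindings, show_ip_arp):
    """Return (ip, observed_mac, bound_mac) for each bound IP whose ARP entry shows another MAC."""
    bound = {ip: cisco_mac(mac) for _, mac, ip in bindings}
    hits = []
    for line in show_ip_arp.splitlines():
        m = ARP_ROW.match(line.strip())
        if m and m.group(1) in bound and m.group(2) != bound[m.group(1)]:
            hits.append((m.group(1), m.group(2), bound[m.group(1)]))
    return hits

# Constructed `show ip arp` sample: 192.168.0.2 answers from a MAC other than its bound one.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.0.1             5   0009.6bc4.d4bf  ARPA   Vlan1
Internet  192.168.0.2             2   000c.29aa.bbcc  ARPA   Vlan1
"""
```

Paste the output of option3_config into the switch in global configuration mode; run arp_violations over a fresh `show ip arp` capture from the switch or router that serves the VLAN.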
Option 1 above is based on binding the host's MAC address to a switch port, and option 2 is based on a MAC address access control list; the first two schemes achieve the same result. Binding of IP address to MAC address is achieved by following option 3, that is, by combining option 1 or 2 with ACLs (access control lists).
Note:
The above functions are available on Cisco 2960, 3560, 4500 and 6500 Series switches; however, the 2960 and 3560 switches need the Enhanced Image.
Note:
On the face of it, binding MAC addresses to IP addresses prevents the misuse of internal IP addresses. In practice, however, the binding has many weaknesses and cannot truly prevent the misuse of internal IP addresses, because of the layering of the protocols, the network card drivers and other techniques.