14.4 MAC地址表安全

1.R1配置

[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0]ip address 192.168.1.254 24

2.SW1配置

[SW1]vlan 100
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]port link-type access
[SW1-GigabitEthernet0/0/1]port default vlan 100
[SW1]interface GigabitEthernet 0/0/2
[SW1-GigabitEthernet0/0/2]port link-type access
[SW1-GigabitEthernet0/0/2]port default vlan 100
[SW1]interface GigabitEthernet 0/0/3
[SW1-GigabitEthernet0/0/3]port link-type access
[SW1-GigabitEthernet0/0/3]port default vlan 100
[SW1]interface GigabitEthernet 0/0/24
[SW1-GigabitEthernet0/0/24]port link-type access
[SW1-GigabitEthernet0/0/24]port default vlan 100

3.PC1连通性测试网关

PC>ping 192.168.1.254
Ping 192.168.1.254: 32 data bytes, Press Ctrl_C to break
From 192.168.1.254: bytes=32 seq=1 ttl=255 time=31 ms

4.PC3修改MAC地址为网关MAC地址

<R1>display interface GigabitEthernet 0/0/0
GigabitEthernet0/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2023-02-14 09:37:34 UTC-08:00
Description:HUAWEI, AR Series, GigabitEthernet0/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 192.168.1.254/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc92-34b2

5.PC1连通性测试网关

PC>ping 192.168.1.254
Ping 192.168.1.254: 32 data bytes, Press Ctrl_C to break
From 192.168.1.254: bytes=32 seq=1 ttl=255 time=47 ms

6.查看SW1的MAC地址表

[SW1]display mac-address 
MAC address table of slot 0:
MAC Address    VLAN/       PEVLAN CEVLAN Port            Type      LSP/LSR-ID  
               VSI/SI                                              MAC-Tunnel  
00e0-fc92-34b2 100         -      -      GE0/0/24        dynamic   0/-         
5489-9849-1fd0 100         -      -      GE0/0/1         dynamic   0/-

 7.SW1配置R1的MAC地址和端口及VLAN静态绑定

  [SW1]mac-address static 00e0-fc92-34b2 GigabitEthernet 0/0/24 vlan 100

[SW1]display mac-address 
00e0-fc92-34b2 100         -      -      GE0/0/24        static    -           
PC3>ping 192.168.1.2
Ping 192.168.1.2: 32 data bytes, Press Ctrl_C to break
From 192.168.1.3: Destination host unreachable

8.SW1配置黑洞MAC（PC1的MAC）

[SW1]mac-address blackhole 5489-9849-1FD0 VLAN 100
PC1>ping 192.168.1.254
Ping 192.168.1.254: 32 data bytes, Press Ctrl_C to break
From 192.168.1.1: Destination host unreachable

9.PC2连通性测试PC1

PC>arp -s 192.168.1.1 54-89-98-49-1F-D0
PC>arp -a
Internet Address    Physical Address    Type
192.168.1.1         54-89-98-49-1F-D0   static

PC2>ping 192.168.1.1
Ping 192.168.1.1: 32 data bytes, Press Ctrl_C to break
Request timeout!