思科網(wǎng)絡(luò)安全-第七章講述_第1頁(yè)
思科網(wǎng)絡(luò)安全-第七章講述_第2頁(yè)
思科網(wǎng)絡(luò)安全-第七章講述_第3頁(yè)
思科網(wǎng)絡(luò)安全-第七章講述_第4頁(yè)
思科網(wǎng)絡(luò)安全-第七章講述_第5頁(yè)
已閱讀5頁(yè),還剩164頁(yè)未讀, 繼續(xù)免費(fèi)閱讀

下載本文檔

版權(quán)說(shuō)明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請(qǐng)進(jìn)行舉報(bào)或認(rèn)領(lǐng)

文檔簡(jiǎn)介

CCNASecurityChapter6:SecuringtheLocalAreaNetworkLessonPlanningThislessonshouldtake3-4hourstopresentThelessonshouldincludelecture,demonstrations,discussionsandassessmentsThelessoncanbetaughtinpersonorusingremoteinstructionMajorConceptsDescribeendpointvulnerabilitiesandprotectionmethodsDescribebasicCatalystswitchvulnerabilitiesConfigureandverifyswitchsecurityfeatures,includingportsecurityandstormcontrolDescribethefundamentalsecurityconsiderationsofWireless,VoIP,andSANs.Contents6.1EndpointSecurity6.2Layer2SecurityConsiderations6.3ConfiguringLayer2Security6.4Wireless,VoIP,andSANSecurity6.1EndpointSecurityEndpointSecurityConsiderationsIntroducingEndpointSecurityEndpointSecuritywithIronPortEndpointSecuritywithNetworkAdmissionControlEndpointSecuritywithCiscoSecurityAgent6.1.1IntroducingEndpointSecuritySecuringtheLANAddressingEndpointSecurityOperatingSystemsBasicSecurityServicesTypesofApplicationAttacksCiscoSystemsEndpointSecuritySolutionsSecuringtheedgedevicebecauseofitsWANconnection?SecuringtheinternalLAN?Both!SecuringtheinternalLANisjustasimportantassecuringtheperimeterofanetwork.InternalLANsconsistsof:EndpointsNon-endpointLANdevicesLANinfrastructureWhichshouldbeprotected?SecuringtheLANIPSMARSVPNACSIronPortFirewallWeb

ServerEmailServerDNSLANHostsPerimeterInternetAreasofconcentration:SecuringendpointsSecuringnetwork

infrastructureALANconnectsmanynetworkendpointdevicesthatactasanetworkclients.Endpointdevicesinclude:LaptopsDesktopsIPphonesPersonaldigitalassistants(PDAs)ServersPrintersSecuringEndpointDevicesALANalsorequiresmanyintermediarydevicestointerconnectendpointdevices.Non-endpointLANdevices:SwitchesWirelessdevicesIPtelephonydevicesStorageareanetworking(SAN)devicesSecuringNon-EndpointDevicesAnetworkmustalsobeabletomitigatespecificLANattacksincluding:MACaddressspoofingattacksSTPmanipulationattacksMACaddresstableoverflowattacksLANstormattacksVLANattacksSecuringtheLANInfrastructureOperatingSystemsBasicSecurityServicesTrustedcodeandtrustedpath–ensuresthattheintegrityoftheoperatingsystemisnotviolatedPrivilegedcontextofexecution–providesidentity

authenticationandcertainprivilegesbasedontheidentityProcessmemoryprotectionandisolation–providesseparationfromotherusersandtheirdataAccesscontroltoresources–ensuresconfidentialityandintegrityofdataTypesofApplicationAttacksIhavegaineddirectaccesstothisapplication’sprivilegesIhavegainedaccesstothissystemwhichistrustedbytheothersystem,allowingmetoaccessit.IndirectDirectCiscoSystemsEndpointSecuritySolutionsCiscoNACIronPortCiscoSecurityAgentIronPortisaleadingproviderofanti-spam,anti-virus,andanti-spywareappliances.CiscoacquiredIronPortSystemsin2007.ItusesSenderBase,theworld'slargestthreatdetectiondatabase,tohelpprovidepreventiveandreactivesecuritymeasures.IronPort6.1.2EndpointSecuritywithIronPortCiscoIronPortProductsIronPortC-Series:Iron-PortS-SeriesCiscoIronPortProductsIronPortproductsinclude:E-mailsecurityappliancesforvirusandspamcontrolWebsecurityapplianceforspywarefiltering,URLfiltering,andanti-malwareSecuritymanagementapplianceIronPortC-SeriesInternetInternetAntispamAntivirusPolicyEnforcementMailRoutingBeforeIronPortIronPortE-mailSecurityApplianceFirewallGroupwareUsersAfterIronPortUsersGroupwareFirewallEncryptionPlatformMTADLPScannerDLPPolicyManagerIronPortS-SeriesWebProxyAntispywareAntivirusAntiphishingURLFilteringPolicyManagementFirewallUsersUsersFirewallIronPortS-SeriesBeforeIronPortAfterIronPortInternetInternet6.1.3EndpointSecuritywithNetworkAdmissionControlCiscoNACTheNACFrameworkNACComponentsCiscoNACApplianceProcessAccessWindowsCiscoNACNACFrameworkSoftwaremoduleembeddedwithinNAC-enabledproductsIntegratedframeworkleveragingmultipleCiscoandNAC-awarevendorproductsIn-bandCiscoNACAppliancesolutioncanbeusedonanyswitchorrouterplatformSelf-contained,turnkeysolution

ThepurposeofNAC:AllowonlyauthorizedandcompliantsystemstoaccessthenetworkToenforcenetworksecuritypolicyCiscoNACApplianceReferto

fourimportantfeaturesofNACTheNACFrameworkAAA

ServerCredentialsCredentialsEAP/UDP,EAP/802.1xRADIUSCredentialsHTTPSAccessRightsNotificationCiscoTrustAgentComply?VendorServersHostsAttemptingNetworkAccessNetworkAccessDevicesPolicyServerDecisionPointsandRemediationEnforcementNAC的示意圖當(dāng)運(yùn)行NAC時(shí),首先由網(wǎng)絡(luò)接入設(shè)備發(fā)出消息,從主機(jī)請(qǐng)求委托書。然后,AAA服務(wù)器CiscoTrustAgent(CTA)與主機(jī)上的CiscoTrustAgent(CTA)建立安全的EAP對(duì)話。此時(shí),CTA對(duì)AAA服務(wù)器執(zhí)行檢查。委托書可以通過(guò)主機(jī)應(yīng)用、CTA或網(wǎng)絡(luò)設(shè)備傳遞,由思科ACS接收后進(jìn)行認(rèn)證和授權(quán)。某些情況下,ACS可以作為防病毒策略服務(wù)器的代理,直接將防病毒軟件應(yīng)用委托書傳送到廠商的AV服務(wù)器接收檢查。委托書通過(guò)審查后,ACS將為網(wǎng)絡(luò)設(shè)備選擇相應(yīng)的實(shí)施策略。例如,ACS可以向路由器發(fā)送準(zhǔn)入控制表,對(duì)此主機(jī)實(shí)施特殊策略。對(duì)于非響應(yīng)性設(shè)備,可以對(duì)主動(dòng)運(yùn)行CTA(網(wǎng)絡(luò)或ACS)的設(shè)備實(shí)施默認(rèn)策略。在以后的各階段,還將通過(guò)掃描或其它機(jī)制對(duì)主機(jī)系統(tǒng)執(zhí)行進(jìn)一步檢查,以便收集其他端點(diǎn)安全信息。NACComponentsCiscoNAS(CiscoNACApplianceServer)Servesasanin-bandorout-of-banddevicefornetworkaccesscontrolCiscoNAM(CiscoNACApplianceManager)Centralizesmanagementforadministrators,supportpersonnel,andoperatorsCiscoNAA(CiscoNACApplianceAgent)Optionallightweightclientfordevice-basedregistryscansinunmanagedenvironmentsRule-setupdatesScheduledautomaticupdatesforantivirus,criticalhotfixes,andotherapplicationsMGRCiscoNACApplianceProcessTHEGOALIntranet/

Network2.Hostis

redirectedtoaloginpage.CiscoNACAppliancevalidatesusernameandpassword,alsoperformsdeviceandnetworkscanstoassessvulnerabilitiesondevice.Deviceisnoncompliant

orloginisincorrect.Hostisdeniedaccessandassigned

toaquarantinerolewithaccesstoonlineremediationresources.3a.3b.Deviceis“clean”.Machinegetson“certifieddeviceslist”andisgrantedaccesstonetwork.CiscoNASCiscoNAM1.Hostattemptstoaccessawebpageorusesanoptionalclient.Networkaccessisblockeduntilwiredorwirelesshostprovideslogininformation.AuthenticationServerMGRQuarantineRole3.Thehostisauthenticatedandoptionally

scannedforposturecomplianceAccessWindows4.LoginScreenScanisperformed(typesofchecksdependonuserrole)ScanfailsRemediate6.1.4EndpointSecuritywithCiscoSecurityAgentCSAArchitectureModelCSAOverviewCSAFunctionalityAttackPhasesCSALogMessagesCSAArchitectureManagementCenterforCiscoSecurityAgent

withInternalorExternalDatabaseSecurity

PolicyServerProtectedbyCiscoSecurityAgentAdministration

WorkstationSSLEventsAlertsCSAOverviewStateRulesandPoliciesRules

EngineCorrelation

EngineFileSystemInterceptorNetwork

InterceptorConfiguration

InterceptorExecutionSpaceInterceptorApplicationAllowedRequestBlockedRequestCSAFunctionalitySecurityApplicationNetwork

InterceptorFileSystemInterceptorConfiguration

InterceptorExecution

Space

InterceptorDistributedFirewallX―――HostIntrusionPreventionX――XApplication

Sandbox―XXXNetworkWormPreventionX――XFileIntegrityMonitor―XX―AttackPhasesFilesysteminterceptorNetworkinterceptorConfigurationinterceptorExecutionspaceinterceptorServerProtectedbyCiscoSecurityAgentProbephasePingscansPortscansPenetratephaseTransferexploitcodetotargetPersistphaseInstallnewcodeModifyconfigurationPropagatephaseAttackothertargetsParalyzephaseErasefilesCrashsystemStealdataCSAstoppedtheseattacksbyidentifyingtheirmaliciousbehaviorwithoutanyupdatesCSALogMessages6.2Layer2SecurityConsiderationsLayer2SecurityConsiderationsIntroductiontoLayer2SecurityMACAddressSpoofingAttacksMACAddressTableOverflowAttacksSTPManipulationAttacksLANStormAttacksVLANAttacks6.2.1IntroductiontoLayer2SecurityLayer2SecurityOverviewofOSIModelIPSMARSVPNACSIronPortFirewallWeb

ServerEmailServerDNSHostsPerimeterInternetLayer2SecurityOSIModelMACAddressesWhenitcomestonetworking,Layer2isoftenaveryweaklink.PhysicalLinksIPAddressesProtocolsandPortsApplicationStreamApplicationPresentationSessionTransportNetworkDataLinkPhysicalCompromisedApplicationPresentationSessionTransportNetworkDataLinkPhysicalInitialCompromiseLayer2VulnerabilitiesMACAddressSpoofingAttacksMACAddressTableOverflowAttacksSTPManipulationAttacksStormAttacksVLANAttacksMACAddressSpoofingAttackMACAddress:AABBccAABBcc12AbDdSwitchPort12MACAddress:AABBccAttackerPort1Port2MACAddress:12AbDdIhaveassociatedPorts1and2withtheMACaddressesofthedevicesattached.Trafficdestinedforeachdevicewillbeforwardeddirectly.Theswitchkeepstrackofthe

endpointsbymaintainingaMACaddresstable.InMAC

spoofing,theattackerposes

asanotherhost—inthiscase,

AABBcc6.2.2MACAddressSpoofingAttackMACAddress:AABBccAABBccSwitchPort12MACAddress:AABBccAttackerPort1Port2AABBcc12IhavechangedtheMAC

addressonmycomputer

tomatchtheserver.ThedevicewithMACaddressAABBcchaschangedlocationstoPort2.ImustadjustmyMACaddresstableaccordingly.MACAddressTableOverflowAttackABCDVLAN10VLAN10IntruderrunsmacoftobeginsendingunknownbogusMACaddresses.3/253/25MACX3/25MACY3/25MACZXYZfloodMACPortX3/25Y3/25C3/25BogusaddressesareaddedtotheCAMtable.CAMtableisfull.HostCTheswitchfloodstheframes.AttackerseestraffictoserversBandD.VLAN101234BothMACspoofingandMACaddresstableoverflowattackscanbemitigatedbyconfiguringportsecurityontheswitch.Portsecuritycaneither:StaticallyspecifytheMACaddressesonaparticularswitchport.AllowtheswitchtodynamicallylearnafixednumberofMACaddressesforaswitchport.StaticallyspecifyingtheMACaddressesisnotamanageablesolutionforaproductionenvironment.AllowingtheswitchtodynamicallylearnafixednumberofMACaddressesisanadministrativelyscalablesolution.MACAddressMitigationTechniquesAnSTPattacktypicallyinvolvesthecreationofabogusRootbridge.ThiscanbeaccomplishedusingavailablesoftwarefromtheInternetsuchasbrconfigorstp-packet.TheseprogramscanbeusedtosimulateabogusswitchwhichcanforwardSTPBPDUs.STPAttackMitigationtechniquesincludeenablingPortFast,rootguardandBPDUguard.6.2.4STPManipulationAttackSpanningtreeprotocoloperatesbyelectingarootbridgeSTPbuildsatreetopologySTPmanipulationchangesthetopologyofanetwork—theattackinghostappearstobetherootbridgeFFFFFBRootBridge

Priority=8192

MACAddress=0000.00C0.1234STPManipulationAttackRootBridge

Priority=8192RootBridgeFFFFFBSTPBPDU

Priority=0STPBPDU

Priority=0FBFFFFAttackerTheattackinghostbroadcastsoutSTP

configurationandtopologychangeBPDUs.Thisisanattempttoforcespanningtree

recalculations.6.2.5LANStormAttackBroadcast,multicast,orunicastpacketsarefloodedonallportsinthesameVLAN.ThesestormscanincreasetheCPUutilizationonaswitchto100%,reducingtheperformanceofthenetwork.BroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastALANstormoccurswhenpacketsfloodtheLAN,creatingexcessivetrafficanddegradingnetworkperformance.Possiblecauses:ErrorsintheprotocolstackimplementationMis-configurationsUsersissuingaDoSattackBroadcaststormscanalsooccuronnetworks.Rememberthatswitchesalwaysforwardbroadcastsoutallports.Somenecessaryprotocols,suchasARPandDHCPusebroadcasts;therefore,switchesmustbeabletoforwardbroadcasttraffic.LANStormAttacksMitigationtechniquesincludeconfiguringstormcontrol.StormControlTotal

numberof

broadcastpacketsorbytes6.2.6VLANAttacksVLAN=BroadcastDomain=LogicalNetwork(Subnet)SegmentationFlexibilitySecurityTrunkportspasstrafficforallVLANsusingeitherIEEE802.1Qorinter-switchlink(ISL)VLANencapsulation.AVLANhoppingattackcanbelaunchedinoneoftwoways:IntroducingarogueswitchonanetworkwithDTPenabled.DTPenablestrunkingtoaccessalltheVLANsonthetargetswitch.Double-taggingVLANattackbyspoofingDTPmessagesfromtheattackinghosttocausetheswitchtoentertrunkingmode.TheattackercanthensendtraffictaggedwiththetargetVLAN,andtheswitchthendeliversthepacketstothedestination.VLANAttacksBydefaultmostswitchessupportDynamicTrunkProtocol(DTP)whichautomaticallytrytonegotiatetrunklinks.AnattackercouldconfigureahosttospoofaswitchandadvertiseitselfasbeingcapableofusingeitherISLor802.1q.Ifsuccessful,theattackingsystemthenbecomesamemberofallVLANs.VLANHoppingAttack-RogueSwitchThesecondswitchreceivesthepacket,onthenativeVLANDouble-TaggingVLANAttackAttackeron

VLAN10,butputsa20taginthepacketVictim

(VLAN20)Note:ThisattackworksonlyifthetrunkhasthesamenativeVLANastheattacker.Thefirstswitchstripsoffthefirsttaganddoesnotretagit(nativetrafficisnotretagged).Itthenforwardsthepackettoswitch2.20,1020Trunk

(NativeVLAN=10)802.1Q,802.1Qtrunk802.1Q,FrameFrame1234Thesecondswitchexaminesthepacket,seestheVLAN20tagandforwardsitaccordingly.Involvestaggingtransmittedframeswithtwo802.1qheadersinordertoforwardtheframestothewrongVLAN.Thefirstswitchstripsthefirsttagofftheframeandforwardstheframe.ThesecondswitchthenforwardsthepackettothedestinationbasedontheVLANidentifierinthesecond802.1qheader.UseadedicatednativeVLANforalltrunkports.SetthenativeVLANonthetrunkportstoanunusedVLAN.Disabletrunknegotiationonallportsconnectingtoworkstations.VLANHoppingAttack-Double-TaggingMitigationtechniquesincludeensuringthatthenativeVLANofthetrunkportsisdifferentfromthenativeVLANoftheuserports.6.3ConfiguringLayer2SecurityConfiguringSwitchSecurityConfiguringPortSecurityVerifyingPortSecurityBPDUGuardandRootGuardStormControlVLANConfigurationCiscoSwitchedPortAnalyzerCiscoRemoteSwitchedPortAnalyzerBestPracticesforLayer26.3.1ConfiguringPortSecurityPortSecurityOverviewPortSecurityConfigurationSwitchportPort-SecurityParametersPort-SecurityViolationConfigurationSwitchportPort-SecurityViolationParametersPortSecurityAgingConfigurationSwitchportPort-SecurityAgingParametersTypicalConfigurationPortSecurityOverviewMACAMACAPort0/1allowsMACA

Port0/2allowsMACB

Port0/3allowsMACCAttacker1Attacker20/10/20/3MACFAllowsanadministratortostaticallyspecifyMACAddressesforaportortopermittheswitchtodynamicallylearnalimitednumberofMACaddressesConfiguringPortSecurityTopreventMACspoofingandMACtableoverflows,enableportsecurity.PortSecuritycanbeusedtostaticallyspecifyMACaddressesforaportortopermittheswitchtodynamicallylearnalimitednumberofMACaddresses.BylimitingthenumberofpermittedMACaddressesonaporttoone,portsecuritycanbeusedtocontrolunauthorizedexpansionofthenetwork.OnceMACaddressesareassignedtoasecureport,theportdoesnotforwardframeswithsourceMACaddressesoutsidethegroupofdefinedaddresses.Securesourceaddressescanbe:ManuallyconfiguredAutoconfigured(learned)PortSecurityWhenaMACaddressdiffersfromthelistofsecureaddresses,theporteither:Shutsdownuntilitisadministrativelyenabled(defaultmode).Dropsincomingframesfromtheinsecurehost(restrictoption).Theportbehaviordependsonhowitisconfiguredtorespondtoasecurityviolation.Shutdownistherecommendedsecurityviolation.PortSecurityCLICommandsswitchportmodeaccess

Switch(config-if)#Setstheinterfacemodeasaccessswitchportport-security

Switch(config-if)#Enablesportsecurityontheinterfaceswitchportport-securitymaximumvalue

Switch(config-if)#SetsthemaximumnumberofsecureMACaddressesfortheinterface(optional)SwitchportPort-SecurityParametersParameterDescriptionmac-address

mac-address(Optional)SpecifyasecureMACaddressfortheportbyenteringa48-bitMACaaddress.YoucanaddadditionalsecureMACaddressesuptothemaximumvalueconfigured.vlanvlan-id(Optional)Onatrunkportonly,specifytheVLANIDandtheMACaddress.IfnoVLANIDisspecified,thenativeVLANisused.vlanaccess(Optional)Onanaccessportonly,specifytheVLANasanaccessVLAN.vlanvoice(Optional)Onanaccessportonly,specifytheVLANasavoiceVLANmac-addresssticky

[mac-address](Optional)Enabletheinterfaceforstickylearningbyenteringonlythemac-addressstickykeywords.Whenstickylearningisenabled,theinterfaceaddsallsecureMACaddressesthataredynamicallylearnedtotherunningconfigurationandconvertstheseaddressestostickysecureMACaddresses.SpecifyastickysecureMACaddressbyenteringthemac-addressstickymac-addresskeywords..maximum

value(Optional)SetthemaximumnumberofsecureMACaddressesfortheinterface.ThemaximumnumberofsecureMACaddressesthatyoucanconfigureonaswitchissetbythemaximumnumberofavailableMACaddressesallowedinthesystem.TheactiveSwitchDatabaseManagement(SDM)templatedeterminesthisnumber.ThisnumberrepresentsthetotalofavailableMACaddresses,includingthoseusedforotherLayer2functionsandanyothersecureMACaddressesconfiguredoninterfaces.Thedefaultsettingis1.vlan[vlan-list](Optional)Fortrunkports,youcansetthemaximumnumberofsecureMACaddressesonaVLAN.Ifthevlankeywordisnotentered,thedefaultvalueisused.vlan:setaper-VLANmaximumvalue.vlanvlan-list:setaper-VLANmaximumvalueonarangeofVLANsseparatedbyahyphenoraseriesofVLANsseparatedbycommas.FornonspecifiedVLANs,theper-VLANmaximumvalueisused.PortSecurityViolationConfigurationswitchportport-securitymac-addresssticky

Switch(config-if)#Enablesstickylearningontheinterface(optional)switchportport-securityviolation{protect|restrict|shutdown}

Switch(config-if)#Setstheviolationmode(optional)switchportport-securitymac-addressmac-address

Switch(config-if)#EntersastaticsecureMACaddressfortheinterface(optional)SwitchportPort-SecurityViolationParametersParameterDescriptionprotect(Optional)Setthesecurityviolationprotectmode.WhenthenumberofsecureMACaddressesreachesthelimitallowedontheport,packetswithunknownsourceaddressesaredroppeduntilyouremoveasufficientnumberofsecureMACaddressesorincreasethenumberofmaximumallowableaddresses.Youarenotnotifiedthatasecurityviolationhasoccurred.restrict(Optional)Setthesecurityviolationrestrictmode.WhenthenumberofsecureMACaddressesreachesthelimitallowedontheport,packetswithunknownsourceaddressesaredroppeduntilyouremoveasufficientnumberofsecureMACaddressesorincreasethenumberofmaximumallowableaddresses.Inthismode,youarenotifiedthatasecurityviolationhasoccurred.shutdown(Optional)Setthesecurityviolationshutdownmode.Inthismode,aportsecurityviolationcausestheinterfacetoimmediatelybecomeerror-disabledandturnsofftheportLED.ItalsosendsanSNMPtrap,logsasyslogmessage,andincrementstheviolationcounter.Whenasecureportisintheerror-disabledstate,youcanbringitoutofthisstatebyenteringtheerrdisablerecoverycause

psecure-violation

globalconfigurationcommand,oryoucanmanuallyre-enableitbyenteringtheshutdownandnoshutdowninterfaceconfigurationcommands.shutdown

vlanSetthesecurityviolationmodetoper-VLANshutdown.Inthismode,onlytheVLANonwhichtheviolationoccurrediserror-disabled.PortSecurityAgingConfigurationswitchportport-securityaging{static|timetime|type{absolute|inactivity}}

Switch(config-if)#EnablesordisablesstaticagingforthesecureportorsetstheagingtimeortypePortsecurityagingcanbeusedtosettheagingtimeforstaticanddynamicsecureaddressesonaport.Twotypesofagingaresupportedperport:absolute-Thesecureaddressesontheportaredeletedafterthespecifiedagingtime.inactivity-Thesecureaddressesontheportaredeletedonlyiftheyareinactiveforthespecifiedagingtime.SwitchportPort-SecurityAgingParametersParameterDescriptionstaticEnableagingforstaticallyconfiguredsecureaddressesonthisport.timetimeSpecifytheagingtimeforthisport.Therangeis0to1440minutes.Ifthetimeis0,agingisdisabledforthisport.typeabsoluteSetabsoluteagingtype.Allthesecureaddressesonthisportageoutexactlyafterthetime(minutes)specifiedandareremovedfromthesecureaddresslist.typeinactivitySettheinactivityagingtype.Thesecureaddressesonthisportageoutonlyifthereisnodatatrafficfromthesecuresourceaddressforthespecifiedtimeperiod.TypicalConfigurationswitchportmodeaccessswitchportport-securityswitchportport-securitymaximum2

switchportport-securityviolationshutdown switchportport-securitymac-addressstickyswitchportport-securityagingtime120Switch(config-if)#S2PCB(config)#errdisablerecoverycausepsecure-violation(config)#Errdiablerecoveryintervla1006.3.2VerifyingPortSecurityCLICommandsViewSecureMACAddressesMACAddressNotificationsw-class#showport-securitySecurePortMaxSecureAddrCurrentAddrSecurityViolationSecurityAction(Count)(Count)(Count)Fa0/12200ShutdownTotalAddressesinSystem(excludingonemacperport):0MaxAddresseslimitinSystem(excludingonemacperport):1024CLICommandssw-class#showport-securityinterfacef0/12PortSecurity:EnabledPortstatus:Secure-downViolationmode:ShutdownMaximumMACAddresses:2TotalMACAddresses:1ConfiguredMACAddresses:0Agingtime:120minsAgingtype:AbsoluteSecureStaticaddressaging:DisabledSecurityViolationCount:0ViewSecureMACAddressessw-class#showport-securityaddressSecureMacAddressTableVlanMacAddressTypePortsRemainingAge(mins)

10000.ffff.aaaaSecureConfiguredFa0/12-TotalAddressesinSystem(excludingonemacperport):0MaxAddresseslimitinSystem(excludingonemacperport):1024MACAddressNotification

MACaddressnotificationallowsmonitoringoftheMACaddresses,atthemoduleandportlevel,addedbytheswitchorremovedfromtheCAMtableforsecureports.NMSMACAMACBF1/1=MACAF1/2=MACBF2/1=MACD

(addressagesout)SwitchCAMTableSNMPtrapssenttoNMSwhennewMACaddressesappearorwhenoldonestimeout.MACDisaway

fromthenetwork.F1/2F1/1F2/1TheMACAddressNotificationfeaturesendsSNMPtrapstothenetworkmanagementstation(NMS)wheneveranewMACaddressisaddedtooranoldaddressisdeletedfromtheforwardingtables.MACAddressNotificationSwitch(config)#macaddress-tablenotificationSwitch(config-if)#snmptrapmac-notificationSwitch(config)#snmp-serverenabletrapsmac-notification6.3.3ConfiguringBPDUGuardandRootGuardConfigurePortfastBPDUGuardDisplaytheStateofSpanningTreeRootGuardVerifyRootGuardCausesaLayer2interfacetotransitionfromtheblockingtotheforwardingstateimmediately,bypassingthelisteningandlearningstates.UsedonLayer2accessportsthatconnecttoasingleworkstationorserver.Itallowsthosedevicestoconnecttothenetworkimmediately,insteadofwaitingforSTPtoconverge.Configuredusingthespanning-treeportfastcommand.PortFastConfigurePortfastCommand

DescriptionSwitch(config-if)#spanning-treeportfast

EnablesPortFastonaLayer2accessportandforcesittoentertheforwardingstateimmediately.Switch(config-if)#nospanning-treeportfast

DisablesPortFastonaLayer2accessport.PortFastisdisabledbydefault.Switch(config)#spanning-treeportfastdefaultGloballyenablesthePortFastfeatureonallnontrunkingports.Switch#showrunning-configinterfacetype

slot/portIndicateswhetherPortFasthasbeenconfiguredonaport.ServerWorkstationThefeaturekeepstheactivenetworktopologypredictable.ItprotectsaswitchednetworkfromreceivingBPDUsonportsthatshouldnotbereceivingthem.ReceivedBPDUsmightbeaccidentalorpartofanattack.IfaportconfiguredwithPortFastandBPDUGuardreceivesaBPDU,theswitchwillputtheportintothedisabledstate.BPDUguardisbestdeployedtowarduser-facingportstopreventrogueswitchnetworkextensionsbyanattackinghost.BPDUGuardBPDUGuardSwitch(config)#spanning-treeportfastbpduguarddefaultGloballyenablesBPDUguardonallportswithPortFastenabledFFFFFBRootBridgeBPDUGuardEnabledAttackerSTPBPDUDisplaytheStateofSpanningTreeSwitch#showspanning-treesummarytotals

Rootbridgefor:none.PortFastBPDUGuardisenabledUplinkFastisdisabledBackboneFastisdisabledSpanningtreedefaultpathcostmethodusedisshortNameBlockingListeningLearningForwardingSTPActive

1VLAN00011<outputomitted>ThefeaturepreventsinterfacesthatareinaPortFast-operationalstatefromsendingorreceivingBPDUs.TheinterfacesstillsendafewBPDUsatlink-upbeforetheswitchbeginstofilteroutboundBPDUs.Thefeaturecanbeconfiguredgloballyorattheinterfacelevel.GloballyenableBPDUfilteringonaswitchsothathostsconnectedtotheseinterfacesdonotreceiveBPDUs.IfaBPDUisreceivedonaPortFast-enabledinterfacebecauseitisconnectedtoaswitch,theinterfacelosesitsPortFast-operationalstatus,andBPDUfilteringisdisabled.Attheinterfacelevel,thefeaturepreventstheinterface

溫馨提示

  • 1. 本站所有資源如無(wú)特殊說(shuō)明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請(qǐng)下載最新的WinRAR軟件解壓。
  • 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請(qǐng)聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
  • 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁(yè)內(nèi)容里面會(huì)有圖紙預(yù)覽,若沒(méi)有圖紙預(yù)覽就沒(méi)有圖紙。
  • 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
  • 5. 人人文庫(kù)網(wǎng)僅提供信息存儲(chǔ)空間,僅對(duì)用戶上傳內(nèi)容的表現(xiàn)方式做保護(hù)處理,對(duì)用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對(duì)任何下載內(nèi)容負(fù)責(zé)。
  • 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請(qǐng)與我們聯(lián)系,我們立即糾正。
  • 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時(shí)也不承擔(dān)用戶因使用這些下載資源對(duì)自己和他人造成任何形式的傷害或損失。

最新文檔

評(píng)論

0/150

提交評(píng)論