Switch Security: Classroom Notes
2012-06-14 13:05
387 views
I. DHCP snooping
1. Topology diagram:
--- Note: this lab cannot be done in GNS; L2IOU accepts the commands, but they have no actual effect.
2. Procedure:
A. Enable DHCP snooping on the switch
Switch(config)#ip dhcp snooping
B. Specify the VLANs the switch inspects
Switch(config)#ip dhcp snooping vlan 10
C. Mark the port facing the authorized DHCP server as a trusted port
Switch(config)#interface f0/1
Switch(config-if)#ip dhcp snooping trust
Switch(config-if)#exit
D. If the DHCP server does not support option 82, either trust the relay information or turn option 82 off
R1(config)#interface g0/0
R1(config-if)#ip dhcp relay information trusted
R1(config-if)#exit
---- The switch's option 82 state is shown below:
Switch#sh ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/1              yes         unlimited
Switch#show ip dhcp snooping binding
MacAddress          IpAddress        Lease(sec)  Type           VLAN  Interface
------------------  ---------------  ----------  -------------  ----  --------------------
00:24:C4:94:81:20   10.0.0.3         86227       dhcp-snooping  10    FastEthernet0/2
00:0B:FD:3F:10:A0   10.0.0.4         86322       dhcp-snooping  10    FastEthernet0/3
Total number of bindings: 2
E. Rate-limit DHCP requests on the user ports
Switch(config)#interface range f0/2 - 3
Switch(config-if-range)#switchport port-security
Switch(config-if-range)#switchport port-security maximum 2
Switch(config-if-range)#ip dhcp snooping limit rate 2
Switch(config-if-range)#exit
--- Final result:
Switch#show ip dhcp snooping
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
10
Insertion of option 82 is enabled
circuit-id format: vlan-mod-port
remote-id format: MAC
Option 82 on untrusted port is not allowed
Verification of hwaddr field is enabled
Interface                    Trusted     Rate limit (pps)
------------------------     -------     ----------------
FastEthernet0/1              yes         unlimited
FastEthernet0/2              no          2
FastEthernet0/3              no          2
II. ARP inspection:
1. Basic configuration
Switch(config)#ip arp inspection vlan 10
Switch#show ip arp inspection interfaces
Interface        Trust State     Rate (pps)    Burst Interval
---------------  -----------     ----------    --------------
Fa0/1            Untrusted               15                 1
Fa0/2            Untrusted               15                 1
Fa0/3            Untrusted               15                 1
Fa0/4            Untrusted               15                 1
Fa0/5            Untrusted               15                 1
Switch#show ip arp inspection
Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled
 Vlan     Configuration    Operation   ACL Match          Static ACL
 ----     -------------    ---------   ---------          ----------
   10     Enabled          Active
 Vlan     ACL Logging      DHCP Logging
 ----     -----------      ------------
   10     Deny             Deny
 Vlan      Forwarded        Dropped     DHCP Drops      ACL Drops
 ----      ---------        -------     ----------      ---------
   10              0              0              0              0
 Vlan   DHCP Permits   ACL Permits  Source MAC Failures
 ----   ------------   -----------  -------------------
   10              0             0                    0
 Vlan   Dest MAC Failures   IP Validation Failures   Invalid Protocol Data
 ----   -----------------   ----------------------   ---------------------
   10                   0                        0                       0
2. Designate trusted ports that are exempt from ARP inspection
Switch(config)#interface f0/1
Switch(config-if)#ip arp inspection trust
Switch(config-if)#exit
3. Limit the number of ARP packets a port may forward per unit of time
Switch(config)#interface range f0/1 - 4
Switch(config-if-range)#ip arp inspection limit rate 5
Switch(config-if-range)#exit
Switch#sh ip arp inspection interfaces
Interface        Trust State     Rate (pps)    Burst Interval
---------------  -----------     ----------    --------------
Fa0/1            Trusted                  5                 1
Fa0/2            Untrusted                5                 1
Fa0/3            Untrusted                5                 1
Fa0/4            Untrusted                5                 1
Fa0/5            Untrusted               15                 1
Fa0/6            Untrusted               15                 1
III. IP Source Guard
1. Port-based policy, configured under the interface
Switch(config)#interface range f0/1 - 4
Switch(config-if-range)#ip verify source
Switch(config-if-range)#exit
Switch#sh ip verify source
Interface  Filter-type  Filter-mode          IP-address       Mac-address        Vlan
---------  -----------  -------------------  ---------------  -----------------  ----------
Fa0/1      ip           inactive-trust-port
Fa0/2      ip           active               10.0.0.3                            10
Fa0/3      ip           active               10.0.0.5                            10
Fa0/4      ip           active               deny-all                            10
2. Configure IP+MAC source guard
Switch(config)#interface range f0/1 - 4
Switch(config-if-range)#switchport port-security
Switch(config-if-range)#ip verify source port-security
Switch(config-if-range)#^Z
Switch#sh ip verify source
Interface  Filter-type  Filter-mode          IP-address       Mac-address        Vlan
---------  -----------  -------------------  ---------------  -----------------  ----------
Fa0/1      ip-mac       inactive-trust-port
Fa0/2      ip-mac       active               10.0.0.3         00:24:C4:94:81:20  10
Fa0/3      ip-mac       active               10.0.0.5         00:0B:FD:3F:10:A0  10
Fa0/4      ip-mac       active               deny-all         permit-all         10
3. Static IP source guard
Switch(config)#ip source binding 0017.5AED.DDF8 vlan 10 10.0.0.40 interface Fa0/4
Switch#show ip verify source
Interface  Filter-type  Filter-mode          IP-address       Mac-address        Vlan
---------  -----------  -------------------  ---------------  -----------------  ----------
Fa0/1      ip-mac       inactive-trust-port
Fa0/2      ip-mac       active               10.0.0.3         00:24:C4:94:81:20  10
Fa0/3      ip-mac       active               10.0.0.5         00:0B:FD:3F:10:A0  10
Fa0/4      ip-mac       active               10.0.0.40        permit-all         10
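The three features above (DHCP snooping, ARP inspection and IP Source Guard) all consult the same binding table, so the following added example, which is not part of the original notes, models them together in Python: bindings are learned only from DHCP ACKs that arrive on the trusted port, ARP inspection checks the ARP sender IP/MAC of untrusted ports against those bindings, IP Source Guard checks the IP source (and, with port-security, the MAC) per port, and both DHCP and ARP rate limits err-disable a port once exceeded. The Switch class, its method names, the server MAC and the sample exchange are constructed for this example (client MACs and addresses follow the notes' output), and it deliberately simplifies real IOS behaviour, for instance ignoring option 82 and lease expiry.

```python
# Added example (not from the notes): a model of how DHCP snooping, Dynamic ARP Inspection
# and IP Source Guard forward or drop, using the layout of the notes (VLAN 10, Fa0/1 trusted
# towards the DHCP server, clients on Fa0/2-Fa0/4). Names and sample values are constructed.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Switch:
    snoop_vlans: set = field(default_factory=set)      # ip dhcp snooping vlan N
    dhcp_trusted: set = field(default_factory=set)     # ip dhcp snooping trust
    dhcp_limit: dict = field(default_factory=dict)     # ip dhcp snooping limit rate N
    dai_vlans: set = field(default_factory=set)        # ip arp inspection vlan N
    arp_trusted: set = field(default_factory=set)      # ip arp inspection trust
    arp_limit: dict = field(default_factory=dict)      # ip arp inspection limit rate N
    ipsg_ip: set = field(default_factory=set)          # ip verify source
    ipsg_mac: set = field(default_factory=set)         # ip verify source port-security
    # binding table, (vlan, port) -> {(mac, ip)}: filled by DHCP ACKs or static entries
    bindings: dict = field(default_factory=lambda: defaultdict(set))
    pending: dict = field(default_factory=dict)        # (vlan, client mac) -> client port
    counters: dict = field(default_factory=lambda: defaultdict(int))
    errdisabled: set = field(default_factory=set)

    def _over_limit(self, kind, port, limits, t):
        """Per-port, per-second packet counter; True once the configured pps is exceeded."""
        if port not in limits:
            return False
        self.counters[(kind, port, t)] += 1
        if self.counters[(kind, port, t)] > limits[port]:
            self.errdisabled.add(port)      # IOS err-disables the port on a rate violation
            return True
        return False

    def on_dhcp(self, port, vlan, kind, client_mac, src_mac, yiaddr=None, t=0):
        """kind is DISCOVER/REQUEST (client -> server) or OFFER/ACK (server -> client)."""
        if vlan not in self.snoop_vlans:
            return "forward"
        if kind in ("OFFER", "ACK"):
            if port not in self.dhcp_trusted:
                return "drop: server reply on untrusted port"   # rogue server blocked
            if kind == "ACK":
                cport = self.pending.pop((vlan, client_mac), None)
                if cport is not None:       # lease confirmed: record it on the client's port
                    self.bindings[(vlan, cport)].add((client_mac, yiaddr))
            return "forward"
        if port in self.dhcp_trusted:
            return "forward"                # trusted ports are not inspected
        if port in self.errdisabled:
            return "drop: port err-disabled"
        if self._over_limit("dhcp", port, self.dhcp_limit, t):
            return "drop: dhcp rate limit exceeded, port err-disabled"
        if src_mac != client_mac:           # "Verification of hwaddr field is enabled"
            return "drop: chaddr does not match source MAC"
        self.pending[(vlan, client_mac)] = port
        return "forward"

    def on_arp(self, port, vlan, sender_mac, sender_ip, t=0):
        """DAI: ARP sender IP/MAC on an untrusted port must exist in the binding table."""
        if vlan not in self.dai_vlans or port in self.arp_trusted:
            return "forward"
        if port in self.errdisabled:
            return "drop: port err-disabled"
        if self._over_limit("arp", port, self.arp_limit, t):
            return "drop: arp rate limit exceeded, port err-disabled"
        for (v, _port), entries in self.bindings.items():
            if v == vlan and (sender_mac, sender_ip) in entries:
                return "forward"
        return "drop: sender ip/mac not in binding table"

    def on_ip(self, port, vlan, src_mac, src_ip):
        """IPSG: source IP (and MAC with port-security) must match a binding on this port."""
        if port not in self.ipsg_ip or port in self.dhcp_trusted:
            return "forward"                # Fa0/1 shows Filter-mode inactive-trust-port
        entries = self.bindings.get((vlan, port), set())
        if not entries:
            return "drop: no binding on port (deny-all)"
        for mac, ip in entries:
            if ip == src_ip and (port not in self.ipsg_mac or mac == src_mac):
                return "forward"
        return "drop: source does not match binding"

    def static_binding(self, mac, vlan, ip, port):
        """ip source binding MAC vlan N IP interface PORT"""
        self.bindings[(vlan, port)].add((mac, ip))


def build_lab():
    """Configure the switch as in the notes and let two clients obtain leases."""
    sw = Switch(snoop_vlans={10}, dhcp_trusted={"Fa0/1"}, dhcp_limit={"Fa0/2": 2, "Fa0/3": 2},
                dai_vlans={10}, arp_trusted={"Fa0/1"},
                arp_limit={"Fa0/2": 5, "Fa0/3": 5, "Fa0/4": 5},
                ipsg_ip={"Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"},
                ipsg_mac={"Fa0/1", "Fa0/2", "Fa0/3", "Fa0/4"})
    server_mac = "00:00:5E:00:53:01"        # constructed MAC of the DHCP server behind Fa0/1
    clients = {"Fa0/2": ("00:24:C4:94:81:20", "10.0.0.3"),
               "Fa0/3": ("00:0B:FD:3F:10:A0", "10.0.0.4")}
    for cport, (mac, ip) in clients.items():
        sw.on_dhcp(cport, 10, "DISCOVER", mac, mac)
        sw.on_dhcp("Fa0/1", 10, "OFFER", mac, server_mac, ip)
        sw.on_dhcp(cport, 10, "REQUEST", mac, mac)   # second DHCP packet this second: at limit
        sw.on_dhcp("Fa0/1", 10, "ACK", mac, server_mac, ip)
    return sw
```

Note the consequence of `ip dhcp snooping limit rate 2` in the notes: one DISCOVER/REQUEST pair already reaches the limit, so a third DHCP packet in the same second err-disables the port in the model, just as the real switch would, and every later frame on that port is dropped. Before the static `ip source binding` for Fa0/4, that port is in the `deny-all` state shown in the output above, so even a correct source address is dropped until the binding exists.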
IV. PVLAN:
1. Two-level VLAN hierarchy:
A. The primary VLAN is visible externally; it is the VLAN number used to communicate with outside devices
B. Secondary VLANs are visible only internally; they further subdivide users within the VLAN according to their traffic characteristics
Community secondary VLAN:
Members of the same community VLAN can communicate with each other, but not with members of any isolated VLAN or of other community VLANs.
Isolated secondary VLAN:
Members of the same isolated VLAN are not allowed to communicate with each other, nor with members of other isolated VLANs or of community VLANs.
Promiscuous port:
The promiscuous port belongs to the primary VLAN and is the gateway through which all users inside the primary VLAN reach the outside.
Under administrator control, the promiscuous port can communicate with all members of the primary VLAN or only with members of specific secondary VLANs.
2. Configuration steps:
Step 1: put the switch into VTP transparent mode
vtp mode transparent
Step 2: define the secondary VLAN
Switch(config)#vlan 120
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#quit
Step 3: define the primary VLAN and associate the secondary VLAN with it
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan primary
Switch(config-vlan)#private-vlan association 120
Switch(config-vlan)#exit
Step 4: add user ports to the secondary VLAN
Switch(config)#interface range f0/3 - 4
Switch(config-if-range)#switchport mode private-vlan host
Switch(config-if-range)#switchport private-vlan host-association 10 120
Step 5: define the promiscuous port and declare which secondary VLANs it serves
Switch(config)#interface f0/5
Switch(config-if)#switchport mode private-vlan promiscuous
Switch(config-if)#switchport private-vlan mapping 10 add 120
Switch#show vlan private-vlan
Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------
10      120       isolated          Fa0/3, Fa0/4, Fa0/5
Isolated VLAN count test: the result is that any primary VLAN can have only one isolated VLAN
Switch(config)#vlan 500
Switch(config-vlan)#private-vlan isolated
Switch(config-vlan)#exit
Switch(config)#
Switch(config)#vlan 10
Switch(config-vlan)#private-vlan association add 500
%Command rejected: invalid private vlan association between vlan10 and vlan500. Isolated VLAN 120 is already associated with VLAN 10.
3. Blocking PVLAN hopping attacks:
Add an ACL on the gateway device to prevent users from reaching each other through 32-bit host routes via the gateway
access-list 101 permit ip any host 10.0.0.5
access-list 101 deny ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 101 permit ip any any
R5(config)#interface g0/0
R5(config-if)#ip access-group 101 in
Use the routing function of a multilayer switch to implement the promiscuous port on the multilayer switch itself:
Switch(config)#ip routing
Switch(config)#interface vlan 10
Switch(config-if)#ip address 10.0.0.5 255.255.255.0
Switch(config-if)#private-vlan mapping 110,120
Switch(config-if)#exit
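The following added example, which is not part of the original notes, puts the PVLAN rules of this section into Python: the forwarding decisions between host ports of isolated and community VLANs and the promiscuous port, the "only one isolated VLAN per primary" restriction observed in the `%Command rejected` test above, and a first-match evaluator for `access-list 101` that shows why intra-subnet traffic arriving at the gateway is dropped while traffic to the gateway itself and to other networks is still permitted. The PrivateVlan and Ace classes, the function names, the extra community VLAN 110 host ports Fa0/6 and Fa0/7 used in the usage note, and the wildcard-to-prefix conversion (which assumes a contiguous wildcard mask) are constructed for this example.

```python
# Added example (not from the notes): a model of private-VLAN forwarding, the
# one-isolated-VLAN-per-primary restriction, and the gateway ACL 101 from the notes.
# Class and function names, and any ports beyond those in the notes, are constructed.
import ipaddress
from dataclasses import dataclass, field


class PVLANError(Exception):
    """Raised where IOS prints %Command rejected."""


@dataclass
class PrivateVlan:
    primary: int
    secondaries: dict = field(default_factory=dict)   # secondary id -> "isolated"|"community"
    ports: dict = field(default_factory=dict)         # port -> ("host", sec) | ("promiscuous", {secs})

    def associate(self, sec, kind):
        """private-vlan association: a primary may carry only one isolated VLAN."""
        for existing, k in self.secondaries.items():
            if kind == "isolated" and k == "isolated":
                raise PVLANError(f"Isolated VLAN {existing} is already associated "
                                 f"with VLAN {self.primary}")
        self.secondaries[sec] = kind

    def host_port(self, port, sec):           # switchport private-vlan host-association
        self.ports[port] = ("host", sec)

    def promiscuous_port(self, port, secs):   # switchport private-vlan mapping
        self.ports[port] = ("promiscuous", set(secs))

    def can_forward(self, src_port, dst_port):
        """Layer-2 forwarding decision between two ports of this private VLAN."""
        s_role, s = self.ports[src_port]
        d_role, d = self.ports[dst_port]
        if s_role == "promiscuous":
            return d_role == "promiscuous" or d in s
        if d_role == "promiscuous":
            return s in d
        if s != d:                            # different secondary VLANs never talk directly
            return False
        return self.secondaries[s] == "community"   # isolated hosts cannot reach each other


def try_associate(pv, sec, kind):
    """Return 'ok' or the rejection text, like the '%Command rejected' line in the notes."""
    try:
        pv.associate(sec, kind)
        return "ok"
    except PVLANError as e:
        return str(e)


def build_pvlan():
    """Primary 10 with isolated 120 (Fa0/3, Fa0/4) and promiscuous Fa0/5, as in the notes."""
    pv = PrivateVlan(primary=10)
    pv.associate(120, "isolated")
    pv.host_port("Fa0/3", 120)
    pv.host_port("Fa0/4", 120)
    pv.promiscuous_port("Fa0/5", [120])
    return pv


# --- Gateway ACL: the Layer-3 side of the isolation ---------------------------------
# Isolation above is Layer 2 only; a packet that reaches the gateway with source and
# destination in the same subnet would otherwise be routed back in, which ACL 101 stops.
@dataclass
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard(addr, wc):
    """IOS 'address wildcard' -> network, e.g. 10.0.0.0 0.0.0.255 -> 10.0.0.0/24."""
    mask = ~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")             # assumes a contiguous wildcard mask
    return ipaddress.IPv4Network((int(ipaddress.IPv4Address(addr)) & mask, prefix))


def acl_101():
    """access-list 101 from the notes, in the order it was entered."""
    anywhere = ipaddress.IPv4Network("0.0.0.0/0")
    return [Ace("permit", anywhere, ipaddress.IPv4Network("10.0.0.5/32")),
            Ace("deny", wildcard("10.0.0.0", "0.0.0.255"), wildcard("10.0.0.0", "0.0.0.255")),
            Ace("permit", anywhere, anywhere)]


def acl_decision(acl, src, dst):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"
```

With `build_pvlan()`, `can_forward("Fa0/3", "Fa0/4")` is False while both hosts can reach Fa0/5, and `try_associate(pv, 500, "isolated")` returns the same rejection the switch printed. Associating a community VLAN 110 succeeds, and its hosts reach the promiscuous port only after `promiscuous_port("Fa0/5", [110, 120])`, which mirrors the `switchport private-vlan mapping` step. For the ACL, `acl_decision(acl_101(), "10.0.0.3", "10.0.0.4")` is "deny" while traffic to 10.0.0.5 or to an outside network is "permit".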