CCIE Lab Preparation: Switching Security (1)

2007-03-23 13:02
Part 1: Port Security
Port security is a Layer 2 feature that provides the following five kinds of protection:
- permitting traffic based on host MAC address
- restricting traffic based on host MAC address
- blocking unicast flooding on selected ports
- preventing MAC flooding attacks
- preventing MAC spoofing attacks
1. Permitting traffic based on host MAC address
Port security can permit traffic based on host MAC addresses. A single port can allow anywhere from one up to some platform-specific maximum number of MAC addresses; the maximum differs by switch model. This lets you dictate how many hosts each port may serve. For example, limiting a user port to a single learned MAC address while allowing ten on a conference-room port helps prevent unauthorised access to the network.
Enabling port security so that traffic is permitted by host MAC address takes the following steps:
Step 1: enable port security on the ports in question
Step 2: configure how host MAC addresses are learned
Step 3: specify the security-violation action (the default is to shut the port down permanently)
Step 4: if the violation action is to shut the port down, configure the errdisable recovery timer; this timer is a global value
Configuration procedure
1. Configure the maximum number of MAC addresses allowed per port
1) Enter global configuration mode: configure terminal
2) Enter interface mode: interface <interface>
3) Set the interface mode:
switchport mode access|trunk
Note: port security cannot be enabled on an interface that is still in the default mode (dynamic negotiation); it must be set to access or trunk first.
4) Set the maximum number of MAC addresses:
switchport port-security maximum <max>
switchport port-security maximum <max> vlan {<vlan-list> | access | voice}
The maximum can also be set per VLAN: access means the port's access VLAN, voice means its voice VLAN.
2. Configure the MAC addresses the port allows
1) Enter interface mode: interface <interface>
2) Configure the permitted MAC addresses
Static (manually specified):
switchport port-security mac-address <mac> [vlan {<vlan-id> | access | voice}]
Dynamic learning: the switch learns MAC addresses dynamically and adds them to the MAC address table; they are lost when the switch reloads.
Sticky addresses: learned dynamically or configured manually, then written into the running configuration as secure addresses; if the configuration is saved, the switch no longer has to relearn those addresses after a reload.
switchport port-security mac-address sticky
3. Configure the security-violation action
1) Enter interface mode: interface <interface>
2) Configure the action taken on a violation
switchport port-security violation protect|restrict|shutdown
protect: once the number of secure MAC addresses reaches the port's maximum, the switch keeps working but drops frames from new hosts until enough secure addresses are removed to get back below the maximum.
restrict: the switch keeps working (frames from new hosts are still dropped) but also sends an SNMP trap to the network management station.
shutdown: the switch puts the port into the err-disabled state, either permanently or for a set period, and sends an SNMP trap.
For shutdown mode you need to configure the errdisable recovery timer:
errdisable recovery cause psecure-violation   (enable automatic recovery from port-security violations)
errdisable recovery interval <seconds>         (set the recovery timer)
Example:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 50
Switch(config-if)# switchport port-security mac-address sticky
--------------------------------------------------------------------
Switch(config)# interface f0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 0000.0000.0008
Switch(config-if)# switchport port-security violation restrict
Switch(config)# interface f0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 0000.0000.0011
Switch(config-if)# switchport port-security violation shutdown
-----------------------------------------------------------------------
Example:
Switch(config)#int f0/1
Switch(config-if)#switchport port-security
Command rejected: Fa0/1 is not an access port. //enabling port security before setting the mode produces this error
Switch(config-if)#switchport mode access
Switch(config-if)#switchport port-security //enable port security
Switch(config-if)#switchport port-security maximum ?
<1-132> Maximum addresses
Switch(config-if)#do show mac-address-table
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    000d.6564.0280    STATIC      CPU
 All    0100.0ccc.cccc    STATIC      CPU
 All    0100.0ccc.cccd    STATIC      CPU
 All    0100.0cdd.dddd    STATIC      CPU
   1    000b.5f2c.2097    DYNAMIC     Fa0/23
   1    0010.7b35.e9b6    DYNAMIC     Fa0/1     //this is the address of the router attached to Fa0/1
   1    00a1.b003.3cd7    DYNAMIC     Fa0/18
  10    000b.5f2c.2097    DYNAMIC     Fa0/23
  20    000b.5f2c.2097    DYNAMIC     Fa0/23
  30    000b.5f2c.2097    DYNAMIC     Fa0/23
  40    000b.5f2c.2097    DYNAMIC     Fa0/23
 100    000b.5f2c.2097    DYNAMIC     Fa0/23
 200    000b.5f2c.2097    DYNAMIC     Fa0/23
 201    000b.5f2c.2097    DYNAMIC     Fa0/23
 202    000b.5f2c.2097    DYNAMIC     Fa0/23
Total Mac Addresses for this criterion: 15
------------------------------------------------------------------
Switch(config-if)#switchport port-security mac-address 0010.7b35.e9b6
Switch(config-if)#switchport port-security violation shutdown
Switch#show port-security interface f0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address : 0010.7b35.e9b6
Security Violation Count : 1
-----------------------------------------------------
Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
---------------------------------------------------------------------------
Switch#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   1    0010.7b35.e9b6    SecureConfigured    Fa0/1        -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
Now we plug a host with MAC address 00a1.b003.3cd7 into f0/1, and the following messages appear:
00:24:08: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
00:24:08: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00a1.b003.3cd7 on port FastEthernet0/1.
00:24:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
00:24:10: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
-----------------------------------------
Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  1         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
Max Addresses limit in System (excluding one mac per port) : 1024
-------------------------------------------------------------------
Switch#show port-security interface f0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address : 00a1.b003.3cd7
Security Violation Count : 1
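The syslog lines and the show port-security table above are exactly what an operator has to watch to notice a violation. The following Python script is an added example for this page (not from the original post and not Cisco code): it parses the %PORT_SECURITY-2-PSECURE_VIOLATION and %PM-4-ERR_DISABLE messages and the per-port rows of show port-security, normalises the interface names (syslog says FastEthernet0/1, the table says Fa0/1) and correlates both into one per-port report. The sample input is constructed from the messages quoted above plus invented Fa0/2 and Fa0/3 rows.

```python
import re

# Constructed sample input modelled on the syslog lines and the 'show port-security'
# table quoted in the post; the Fa0/2 and Fa0/3 rows are invented for the demo.
SAMPLE_SYSLOG = """\
00:24:08: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/1, putting Fa0/1 in err-disable state
00:24:08: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00a1.b003.3cd7 on port FastEthernet0/1.
00:24:09: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
00:31:15: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.2222 on port FastEthernet0/2.
"""

SAMPLE_SHOW = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              1            1                  1         Shutdown
      Fa0/2              1            1                  3         Restrict
      Fa0/3              5            2                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
VIOLATION_RE = re.compile(
    r"^(?P<ts>\S+): %PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address "
    r"(?P<mac>" + MAC + r") on port (?P<port>\S+)\.")
ERRDISABLE_RE = re.compile(
    r"^(?P<ts>\S+): %PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>\S+),")
# One data row of 'show port-security': port, three integer counters, action.
SHOW_ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")


def short_port(name):
    """Syslog uses long names (FastEthernet0/1), show output uses Fa0/1; normalise to the short form."""
    return name.replace("FastEthernet", "Fa").replace("GigabitEthernet", "Gi")


def parse_syslog(text):
    """Return (violations, errdisabled_ports) found in raw IOS syslog text."""
    violations, errdisabled = [], []
    for line in text.splitlines():
        m = VIOLATION_RE.match(line)
        if m:
            violations.append({"ts": m["ts"], "mac": m["mac"], "port": short_port(m["port"])})
            continue
        m = ERRDISABLE_RE.match(line)
        if m:
            errdisabled.append(short_port(m["port"]))
    return violations, errdisabled


def parse_show_port_security(text):
    """Parse the per-port rows of 'show port-security' into a dict keyed by port name."""
    rows = {}
    for line in text.splitlines():
        m = SHOW_ROW_RE.match(line)
        if m:
            port, mx, cur, viol, action = m.groups()
            rows[port] = {"max": int(mx), "current": int(cur),
                          "violations": int(viol), "action": action}
    return rows


def correlate(syslog_text, show_text):
    """Join both sources: per port, the counters from the show output plus the last offending MAC."""
    report = {p: dict(r, last_mac=None, errdisabled=False)
              for p, r in parse_show_port_security(show_text).items()}
    empty = {"max": None, "current": None, "violations": 0, "action": None,
             "last_mac": None, "errdisabled": False}
    violations, errdisabled = parse_syslog(syslog_text)
    for v in violations:                        # later messages overwrite earlier ones
        report.setdefault(v["port"], dict(empty))["last_mac"] = v["mac"]
    for p in errdisabled:
        report.setdefault(p, dict(empty))["errdisabled"] = True
    return report


def ports_needing_attention(report):
    """Ports with a non-zero violation counter or currently err-disabled."""
    return sorted(p for p, r in report.items() if r["violations"] or r["errdisabled"])


if __name__ == "__main__":
    for port, r in correlate(SAMPLE_SYSLOG, SAMPLE_SHOW).items():
        print(port, r)
```

The correlation matters in practice because the counter in show port-security tells you how often a port tripped but not who tripped it; only the syslog message carries the offending MAC, and only the %PM-4-ERR_DISABLE message tells you the port is actually down rather than merely dropping frames in restrict mode.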
4. Configure secure-address aging
1) Enter interface mode: interface <interface>
2) Configure the aging time and aging type
switchport port-security aging time <minutes>
switchport port-security aging type absolute|inactivity
absolute: secure addresses on the port are deleted once the aging time has elapsed, whether or not they are still in use.
inactivity: a secure address is deleted only if no traffic from it is seen during the aging time.
Example:
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport port-security aging time 120
-------------------------------------------------------------------------
Switch(config-if)# switchport port-security aging time 2
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# switchport port-security aging static
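To make the interaction between the maximum, sticky learning, the three violation modes, errdisable recovery and the two aging types concrete, here is an added Python model written for this page; it is not IOS code and not from the original post. Time is counted in minutes like the aging timer. The model treats configured and sticky addresses as non-aging (the default, since static aging is disabled unless switchport port-security aging static is set) and, as a modelling choice, makes protect mode completely silent. replay_post_transcript() replays the Fa0/1 transcript from the example above.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    """Toy model of one port-security enabled access port (illustration for this page, not IOS)."""
    name: str
    maximum: int = 1                 # switchport port-security maximum <n>
    violation: str = "shutdown"      # switchport port-security violation protect|restrict|shutdown
    sticky: bool = False             # switchport port-security mac-address sticky
    aging_time: int = 0              # switchport port-security aging time <minutes>; 0 = never age
    aging_type: str = "absolute"     # switchport port-security aging type absolute|inactivity
    secure: dict = field(default_factory=dict)   # mac -> {"learned": t, "last_seen": t, "static": bool}
    violation_count: int = 0
    errdisabled: bool = False
    traps: list = field(default_factory=list)    # (minute, port, offending mac) SNMP traps sent

    def add_static(self, mac, now=0):
        """switchport port-security mac-address <mac>"""
        self.secure[mac] = {"learned": now, "last_seen": now, "static": True}

    def _age(self, now):
        """Remove dynamically learned addresses whose timer expired. Configured and sticky
        addresses are left alone, matching the default 'SecureStatic Address Aging : Disabled'."""
        if self.aging_time == 0:
            return
        for mac, e in list(self.secure.items()):
            if e["static"]:
                continue
            start = e["learned"] if self.aging_type == "absolute" else e["last_seen"]
            if now - start >= self.aging_time:
                del self.secure[mac]

    def receive(self, src_mac, now=0):
        """Handle one frame from src_mac arriving at minute `now`; return 'forward' or 'drop'."""
        if self.errdisabled:
            return "drop"            # an err-disabled port passes nothing, not even the allowed host
        self._age(now)
        if src_mac in self.secure:
            self.secure[src_mac]["last_seen"] = now
            return "forward"
        if len(self.secure) < self.maximum:
            # Room left: learn the address; with sticky it becomes part of the configuration.
            self.secure[src_mac] = {"learned": now, "last_seen": now, "static": self.sticky}
            return "forward"
        # Table full and the source is unknown: security violation.
        if self.violation == "protect":
            return "drop"            # silent: no counter, no trap (modelling choice for this demo)
        self.violation_count += 1
        self.traps.append((now, self.name, src_mac))
        if self.violation == "shutdown":
            self.errdisabled = True  # stays down until errdisable recovery fires or an admin intervenes
        return "drop"

    def recover(self):
        """What 'errdisable recovery cause psecure-violation' does when its interval expires."""
        self.errdisabled = False


def replay_post_transcript():
    """Replay the post's Fa0/1 transcript: configured MAC 0010.7b35.e9b6, maximum 1, shutdown
    mode, then a host with 00a1.b003.3cd7 plugged in. Returns (port status, violation count)."""
    port = SecurePort("Fa0/1", maximum=1, violation="shutdown")
    port.add_static("0010.7b35.e9b6")
    port.receive("0010.7b35.e9b6")
    port.receive("00a1.b003.3cd7")
    return ("Secure-shutdown" if port.errdisabled else "Secure-up", port.violation_count)


if __name__ == "__main__":
    print(replay_post_transcript())   # ('Secure-shutdown', 1)
```

The two aging types are worth running side by side: with absolute aging a host that keeps talking is still evicted when the timer expires and has to be relearned, while with inactivity aging only an idle host loses its slot, which is usually what you want on a port that is meant to free up space for the next legitimate device.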
5. Verify the result
show port-security [interface <interface>] address
Example:
CCIE-LAB (V135)
Task:
At SW1 port 15 there is a host that needs to be protected. You must configure this port to protect it and must use the arp command to bind the host's IP address and MAC address. MAC address 0080.2222.3333, IP 172.1.1.1/24.
Configuration:
SW1
interface f0/15
switchport mode access
switchport port-security //the feature must be enabled explicitly; the maximum and mac-address lines do nothing without it
switchport port-security maximum 1
switchport port-security mac-address 0080.2222.3333
switchport port-security violation protect
arp 172.1.1.1 0080.2222.3333 arpa f0/15
CCIE-LAB (V142)
Task (security section):
SW1's Fa0/12 connects to a machine on the external public network drop, with IP address X.X.X.X and MAC 0000.8333.3333. Make sure no other machine can use this port. (The exam does not give the IP address, so the arp command is not needed.)
Configuration:
SW1
configure terminal
interface f0/12
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address 0000.8333.3333
switchport port-security violation protect
no shutdown
CCIE-LAB (V148)
Task:
Configure Sw2-Fa0/2 so that it only accepts traffic from R2. If another host is attached to the port then the traffic should be dropped, but the port should remain enabled.
Configuration:
SW2
interface f0/2
switchport mode access
switchport port-security
switchport port-security mac-address <R2's MAC address>
switchport port-security maximum 1
switchport port-security violation protect
CCIE-LAB (yy)
Task:
VLAN_B needs tight (high) security. Configure the ports in this VLAN to the physical addresses of the routers that are currently attached to them.
This configuration should survive a reboot of the switch.
Log violations of this policy while allowing correct traffic to proceed.
Diagram: VLAN B is VLAN 12
Configuration:
SW2
conf t
interface range f0/2,f0/5
shutdown
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address sticky
switchport port-security violation restrict
no shutdown
Alternative solution:
sw2
configure terminal
do show mac-address-table //look up the MAC addresses of R2 and R5
interface f0/2
shutdown
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address <R2's MAC address>
switchport port-security violation restrict
no shutdown
interface f0/5
shutdown
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address <R5's MAC address>
switchport port-security violation restrict
no shutdown
Example:
CCIE-LAB (V180)
Task:
The customer wants to connect guest IP phones to SW4 f0/11-15.
- He wants to protect the interfaces from a user connecting a PC or a hub.
- He wants the interface to learn the first MAC address connected and make it part of the configuration.
- He does not want to have to manually bring the interface back up if it encounters a security violation, but he does want to ensure that the phone's address is the only one allowed, and to be able to check the violations.
Configuration:
sw4
configure terminal
mls qos
interface range f0/11 - 15
switchport mode access
switchport voice vlan dot1p
switchport port-security
switchport port-security mac-address sticky
switchport port-security violation restrict
mls qos trust cos
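The lab answers above are easy to get subtly wrong: leave out switchport port-security and the maximum, mac-address and violation lines silently do nothing; leave the port in dynamic mode and the feature is rejected outright. The following added Python script (written for this page, not from the post) parses an IOS-style running-config into per-interface blocks and audits the named ports against the requirement the labs share: access mode, feature enabled, maximum 1, an explicit violation mode, and either a configured MAC or sticky learning. The sample configuration is constructed for the demo.

```python
# Constructed running-config fragment for the demo (not from the post). Fa0/12 is done
# correctly; Fa0/15 sets a maximum and a MAC but never enables the feature; Fa0/2 was left
# in the default dynamic mode; Fa0/23 is a trunk that was never secured at all.
SAMPLE_CONFIG = """\
interface FastEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.8333.3333
 switchport port-security violation protect
!
interface FastEthernet0/15
 switchport mode access
 switchport port-security maximum 1
 switchport port-security mac-address 0080.2222.3333
 switchport port-security violation protect
!
interface FastEthernet0/2
 switchport port-security
 switchport port-security mac-address sticky
!
interface FastEthernet0/23
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Split a running-config into {interface name: [indented config lines, stripped]}."""
    ifaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            ifaces[current] = []
        elif raw.startswith(" ") and current is not None:
            ifaces[current].append(raw.strip())
        else:
            current = None          # '!' or a global command ends the interface block
    return ifaces


def audit_port(lines, require_max=1):
    """Findings for one port that is supposed to be locked to a single known host."""
    findings = []
    mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), "dynamic")
    if mode != "access":
        findings.append(f"port is in {mode} mode; port security requires 'switchport mode access'")
    if "switchport port-security" not in lines:
        # maximum/mac-address/violation lines do nothing until the feature itself is enabled
        findings.append("port security not enabled ('switchport port-security' missing)")
    maximum = next((int(l.split()[-1]) for l in lines
                    if l.startswith("switchport port-security maximum ")), 1)
    if maximum > require_max:
        findings.append(f"maximum {maximum} exceeds the required {require_max}")
    if not any(l.startswith("switchport port-security violation ") for l in lines):
        findings.append("violation mode not set explicitly (default is shutdown)")
    if not any(l.startswith("switchport port-security mac-address ") for l in lines):
        findings.append("no secure MAC configured and sticky not enabled; the first host seen is trusted")
    return findings


def audit_config(config, ports):
    """Audit the named ports; a port absent from the config gets every finding."""
    ifaces = parse_interfaces(config)
    return {p: audit_port(ifaces.get(p, [])) for p in ports}


if __name__ == "__main__":
    for port, findings in audit_config(SAMPLE_CONFIG, ["FastEthernet0/12", "FastEthernet0/15",
                                                       "FastEthernet0/2", "FastEthernet0/23"]).items():
        print(port, findings or ["ok"])
```

Run it against show running-config output saved to a file and the port list from the lab question; an empty findings list for every port is the state you want before you move on to the next task.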
2. Restricting traffic based on host MAC address
The MAC filtering feature restricts traffic based on host MAC address: with it configured, the switch drops traffic sourced from the configured MAC address. A network administrator can use it to stop an unauthorised host from sending traffic into the network.
Note that the switch can only filter on unicast source MAC addresses, not multicast ones; the feature has no effect on frames sent with a multicast source MAC address.
Unicast filtering can be configured for a whole VLAN or a single interface. If a frame's source MAC address is not one of the configured addresses, the switch forwards it normally. Cisco IOS based switches support only unicast filters that persist across a reload.
Configuration procedure:
1) Enter global configuration mode: configure terminal
2) Configure the MAC address whose traffic is to be dropped
mac-address-table static <mac> vlan <vlan-id> drop
3) Verify the result
show mac-address-table static vlan 1
Example:
switch(config)#mac-address-table static 0000.0000.0008 vlan 1 drop
switch#show mac-address-table static vlan 1
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    000d.6564.0280    STATIC      CPU
   1    0100.0ccc.cccc    STATIC      CPU
   1    0100.0ccc.cccd    STATIC      CPU
   1    0100.0cdd.dddd    STATIC      CPU
   1    0000.0000.0008    STATIC      Drop
Total Mac Addresses for this criterion: 5
3. Blocking unicast or multicast flooding on a port
By default, when a frame has an unknown destination MAC address the switch floods it to every port in the same VLAN as the receiving port. Some ports do not need this flooding. For example, a port with only manually assigned MAC addresses and no network device other than the configured ones attached does not need to receive flooded frames. Likewise, a port on which port security is enabled and which has learned its maximum number of MAC addresses (or has them configured as secure addresses) has no need to receive unknown-unicast flooding.
The unicast/multicast flood blocking feature prevents flooded unicast (or multicast) traffic from being forwarded out of ports where it is not needed. Limiting traffic on a per-port basis both tightens network security and spares the attached devices from needlessly processing frames not addressed to them.
Configuration procedure:
1) Enter global configuration mode: configure terminal
2) Enter interface mode: interface <interface>
3) Block unknown-unicast flooding out of the port
switchport block unicast
4) Block unknown-multicast flooding out of the port
switchport block multicast
5) Verify the result
show interface <interface> switchport
Example:
Switch# configure terminal
Switch(config)# interface fa0/1
Switch(config-if)# switchport block multicast
Switch(config-if)# switchport block unicast
Switch(config-if)# end
Switch#show interface f0/1 switchport
Example:
CCIE-LAB (V160)
Task:
Block all unknown multicast traffic on SW2 Fa0/10.
Configuration:
SW2
configure terminal
interface f0/10
switchport block multicast
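An added forwarding model, written for this page (not IOS code and not from the post), that covers both features in this part: static drop entries from mac-address-table static ... drop and per-port switchport block unicast / switchport block multicast. It assumes a VLAN-to-port map supplied by the caller and treats broadcast as always flooded, which is an assumption rather than something the post states. It also goes one step beyond the post's description: Cisco documents the drop entry as matching the address as source or destination, so a frame sent to the filtered MAC is dropped as well.

```python
BROADCAST = "ffff.ffff.ffff"


def is_multicast(mac):
    """Group bit: the low-order bit of the first octet is set for multicast (and broadcast) MACs."""
    return int(mac[:2], 16) & 1 == 1


class Switch:
    """Toy Layer 2 forwarding model written for this page. It covers static 'drop' entries in
    the MAC table and per-port flood blocking; everything else about a real switch is omitted."""

    def __init__(self, ports_by_vlan):
        self.ports_by_vlan = {v: set(p) for v, p in ports_by_vlan.items()}   # assumed VLAN map
        self.table = {}    # (vlan, mac) -> egress port, or "drop" for a static drop entry
        self.blocked = {}  # port -> {"unicast": bool, "multicast": bool}

    def static_drop(self, mac, vlan):
        """mac-address-table static <mac> vlan <vlan> drop"""
        self.table[(vlan, mac)] = "drop"

    def block(self, port, kind):
        """switchport block unicast | switchport block multicast"""
        self.blocked.setdefault(port, {"unicast": False, "multicast": False})[kind] = True

    def forward(self, vlan, in_port, src, dst):
        """Return the set of egress ports for one frame; an empty set means it was dropped."""
        # Unicast MAC filtering. Only unicast sources are filterable (the post notes the feature
        # does nothing for multicast sources). A drop entry matches as source or destination.
        if not is_multicast(src):
            if self.table.get((vlan, src)) == "drop":
                return set()
            self.table.setdefault((vlan, src), in_port)   # normal source learning
        if dst == BROADCAST:
            kind, known = "broadcast", None   # assumption: broadcast is always flooded
        elif is_multicast(dst):
            kind, known = "multicast", None
        else:
            kind, known = "unicast", self.table.get((vlan, dst))
        if known == "drop":
            return set()
        if known is not None:
            return {known} - {in_port}
        # Unknown destination: flood within the VLAN, skipping ports that block this kind of
        # flood and never sending the frame back out of the port it arrived on.
        return {p for p in self.ports_by_vlan.get(vlan, set())
                if p != in_port and not self.blocked.get(p, {}).get(kind, False)}


if __name__ == "__main__":
    sw = Switch({1: {"Fa0/1", "Fa0/2", "Fa0/10"}})
    sw.static_drop("0000.0000.0008", 1)          # the post's filter example
    sw.block("Fa0/10", "unicast")
    sw.block("Fa0/10", "multicast")
    print(sw.forward(1, "Fa0/1", "0010.7b35.e9b6", "00a1.b003.3cd7"))   # {'Fa0/2'}: Fa0/10 is spared the flood
    print(sw.forward(1, "Fa0/2", "0000.0000.0008", BROADCAST))          # set(): filtered source
```

The model makes the security argument of this part visible: once Fa0/10 blocks unknown unicast, a host on that port can no longer observe other stations' traffic just because the switch has not yet learned where the destination lives, while the known, learned path from Fa0/2 back to Fa0/1 is unaffected.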