switch security
mac layer attacks
MAC address flooding
The attacker keeps changing the source MAC so the switch never stops learning and fills its MAC address table; frames from other PCs are then flooded out of every port.
port security
1. unauthorized MAC addresses
2. limit on the number of MAC addresses (default 1)
3. action taken on a violation
switch(config-if)#switchport port-security maximum <value>
switch(config-if)#switchport port-security violation {shutdown | restrict | protect}
shutdown: the default; puts the interface into err-disabled and sends a trap to the management server
restrict: restricts the traffic, drops the offending frames, and sends a log message
protect: drops the offending frames without sending a log message
Shut down the interface before configuring port security
switchport port-security (enables port security)
show port-security
sticky mac address (dynamically learned addresses that are retained in the configuration)
switch(config-if)#switchport port-security mac-address sticky
Permit traffic based on source MAC: port-security
Restrict traffic based on source MAC:
switch(config)#mac-address-table static 0010.7b80.7b9b vlan 1 drop
Block unknown unicast or multicast frames
switch(config)#switchport block [unicast | multicast]
show interface f0/1 switchport
vlan attacks
VLAN hopping: set access ports with switchport mode access
VACL: match on IP/MAC -> forward/drop
pvlan:
private vlans
sub domains
1. deploy the primary VLAN
2. secondary VLANs come in two kinds: isolated (PCs cannot reach each other) and community (PCs can reach each other)
port roles
1. promiscuous port
2. host ports, which include isolated ports and community ports
Configuration:
1. vtp mode transparent
2. create the primary and secondary VLANs
3. assign the ports to the corresponding VLANs
r1:
int e1/0
ip add 1.1.1.1 255.255.255.0
no sh
r2:
int e1
ip add 1.1.1.2 255.255.255.0
no sh
r3:
int e1/0
ip add 1.1.1.3 255.255.255.0
no sh
r4:
int e1
ip add 1.1.1.4 255.255.255.0
no sh
r5:
int e0/1
ip add 1.1.1.5 255.255.255.0
no sh
sw:
int range f0/1 - 6
spanning-tree portfast
vtp mode transparent
vlan 20
private-vlan primary
vlan 501
private-vlan community
vlan 502
private-vlan isolated
vlan 20 (associate the secondary VLANs with the primary)
private-vlan association 501,502
int f0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 20 501,502 (maps the secondary VLANs to the primary on the promiscuous port)
int range f0/2,f0/3
switchport mode private-vlan host
switchport private-vlan host-association 20 501
int range f0/4,f0/5
switchport mode private-vlan host
switchport private-vlan host-association 20 502
show vlan private-vlan (shows the PVLAN association table)
By default only the promiscuous port can reach the SVI; for community and isolated hosts to reach it, the following is required:
int vlan 20
private-vlan mapping 501,502
switch(config-if)#int 0/4
switch(config-if)#switchport protected (simplified PVLAN for the 3550 and lower platforms; it must be configured on every switch whose ports need to be isolated)
spoofing attacks
DHCP spoofing
With DHCP snooping enabled, every port is untrusted by default: an untrusted port may receive DISCOVER, but any OFFER arriving on it is dropped, and the switch sends no DHCP messages through it; a trusted port may receive and send any DHCP message at any time.
Lab:
r4:
int e0/0
ip add 4.4.4.4 255.255.255.0
r6:
int f0/0
ip add 6.6.6.6 255.255.255.0
r3:
debug ip packet detail
r4:
debug ip packet detail
r6:
debug ip packet detail
r3:
int e0/0
ip add dhcp
no sh
r4:
ip dhcp pool wolf
network 4.4.4.0/24
r6:
ip dhcp pool wolf
network 6.6.6.0/24
r3:
show ip int br
sw1:
ip dhcp snooping
ip dhcp snooping vlan 1
int f0/6
ip dhcp snooping trust
r6:
ip dhcp relay information trust-all (configured on the legitimate router)
1. enable snooping globally
2. define the trusted interface
3. enable trust-all on the legitimate router
sw1:
show ip dhcp snooping binding
show ip dhcp snooping
conf t
int f0/4
ip dhcp snooping limit rate 1 (limits the port to 1 DHCP packet per second)
show ip dhcp snooping
Configuration commands
switch(config)#ip dhcp snooping
switch(config)#ip dhcp snooping vlan number[number]
switch(config-if)#ip dhcp snooping trust
router(config)#ip dhcp relay information trust-all
switch#show ip dhcp snooping
ip source guard (IP Source Guard, applied on the ports where clients obtain addresses via DHCP)
switch(config-if)#ip verify source vlan dhcp-snooping port-security (enables IP Source Guard)
sw1:
int f0/3
switch(config-if)#ip verify source port-security
DHCP spoofing: mitigated with DHCP snooping
ARP spoofing
gratuitous ARP
The attacker announces that every host's IP maps to his own MAC, impersonating all the devices so that all traffic is drawn to him.
Temporary workaround (static MAC binding)
r3:
arp 10.1.1.2 aaaa.aaaa.aaaa arpa (static binding)
DAI (dynamic ARP inspection)
Must be combined with DHCP snooping
trusted: sends and receives ARP packets freely
untrusted: ARP requests are not accepted
sw1:
ip arp inspection vlan 1 (enables dynamic ARP inspection)
int f0/6
ip arp inspection trust
r4:
int e0/0
mac-address aaaa.bbbb.cccc
sw1:
int f0/4
ip arp inspection limit rate 10
ARP spoofing: mitigated with DAI used together with DHCP snooping
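The three features above (DHCP snooping, IP Source Guard and DAI) all work from the same snooping binding table. The following model, added here as an illustration and not part of the original notes, shows how a rogue OFFER on an untrusted port is dropped, how the ACK from the trusted server port creates the client's binding, and how that binding then filters spoofed IP frames and ARP replies. Port names, MACs and addresses are constructed values loosely following the lab above.

```python
# Added example: model of DHCP snooping, IP Source Guard and DAI sharing one binding table
class Switch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # "ip dhcp snooping trust" / "ip arp inspection trust"
        self.client_port = {}              # client MAC -> access port, learned from DISCOVER/REQUEST
        self.bindings = {}                 # port -> (mac, ip): the DHCP snooping binding table
        self.log = []
    def dhcp(self, port, msg, client_mac, ip=None):
        # DHCP snooping: server replies (OFFER/ACK) are only accepted on trusted ports
        if msg in ("OFFER", "ACK") and port not in self.trusted:
            self.log.append(f"{port}: dropped rogue DHCP {msg}")
            return False
        if msg in ("DISCOVER", "REQUEST"):
            self.client_port[client_mac] = port
        elif msg == "ACK" and client_mac in self.client_port:
            # an ACK relayed to a client creates that client port's binding entry
            self.bindings[self.client_port[client_mac]] = (client_mac, ip)
        return True
    def _check(self, port, mac, ip, feature):
        # shared lookup used by IP Source Guard and DAI on untrusted ports
        if port in self.trusted:
            return True
        if self.bindings.get(port) == (mac, ip):
            return True
        self.log.append(f"{port}: {feature} dropped {mac}/{ip}")
        return False
    def ip_frame(self, port, src_mac, src_ip):
        # IP Source Guard (ip verify source ... port-security): source MAC/IP must match the binding
        return self._check(port, src_mac, src_ip, "IPSG")
    def arp(self, port, sender_mac, sender_ip):
        # DAI (ip arp inspection): sender MAC/IP of each ARP packet must match the binding
        return self._check(port, sender_mac, sender_ip, "DAI")

def demo():
    sw = Switch(trusted_ports={"f0/6"})  # f0/6 faces the legitimate DHCP server (r6 in the lab)
    client = "0000.0000.0003"            # constructed MAC of the client on f0/3
    sw.dhcp("f0/3", "DISCOVER", client)
    rogue_offer = sw.dhcp("f0/4", "OFFER", client, "6.6.6.10")   # rogue server on f0/4
    sw.dhcp("f0/6", "OFFER", client, "4.4.4.10")
    sw.dhcp("f0/3", "REQUEST", client)
    sw.dhcp("f0/6", "ACK", client, "4.4.4.10")
    return {
        "rogue_offer": rogue_offer,                                  # False: dropped by snooping
        "binding": sw.bindings.get("f0/3"),                          # (client, "4.4.4.10")
        "ipsg_ok": sw.ip_frame("f0/3", client, "4.4.4.10"),          # True: matches the binding
        "ipsg_spoof": sw.ip_frame("f0/3", client, "4.4.4.1"),        # False: spoofed source IP
        "dai_spoof": sw.arp("f0/4", "aaaa.bbbb.cccc", "4.4.4.1"),    # False: gratuitous ARP claiming the gateway
        "log": sw.log,
    }
```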
attacks on switch devices
Disable CDP
no cdp run
no cdp enable
Enable SSH; the IOS image must be a crypto (k) security version.
r2:
ip domain name smoke.com
crypto key generate rsa usage-keys
username smoke password smoke
line vty 0 4
login local
transport input ssh
r1:
ssh -l smoke 12.1.1.2