版權(quán)說(shuō)明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請(qǐng)進(jìn)行舉報(bào)或認(rèn)領(lǐng)
文檔簡(jiǎn)介
CCNASecurityChapter6:SecuringtheLocalAreaNetworkLessonPlanningThislessonshouldtake3-4hourstopresentThelessonshouldincludelecture,demonstrations,discussionsandassessmentsThelessoncanbetaughtinpersonorusingremoteinstructionMajorConceptsDescribeendpointvulnerabilitiesandprotectionmethodsDescribebasicCatalystswitchvulnerabilitiesConfigureandverifyswitchsecurityfeatures,includingportsecurityandstormcontrolDescribethefundamentalsecurityconsiderationsofWireless,VoIP,andSANs.Contents6.1EndpointSecurity6.2Layer2SecurityConsiderations6.3ConfiguringLayer2Security6.4Wireless,VoIP,andSANSecurity6.1EndpointSecurityEndpointSecurityConsiderationsIntroducingEndpointSecurityEndpointSecuritywithIronPortEndpointSecuritywithNetworkAdmissionControlEndpointSecuritywithCiscoSecurityAgent6.1.1IntroducingEndpointSecuritySecuringtheLANAddressingEndpointSecurityOperatingSystemsBasicSecurityServicesTypesofApplicationAttacksCiscoSystemsEndpointSecuritySolutionsSecuringtheedgedevicebecauseofitsWANconnection?SecuringtheinternalLAN?Both!SecuringtheinternalLANisjustasimportantassecuringtheperimeterofanetwork.InternalLANsconsistsof:EndpointsNon-endpointLANdevicesLANinfrastructureWhichshouldbeprotected?SecuringtheLANIPSMARSVPNACSIronPortFirewallWeb
ServerEmailServerDNSLANHostsPerimeterInternetAreasofconcentration:SecuringendpointsSecuringnetwork
infrastructureALANconnectsmanynetworkendpointdevicesthatactasanetworkclients.Endpointdevicesinclude:LaptopsDesktopsIPphonesPersonaldigitalassistants(PDAs)ServersPrintersSecuringEndpointDevicesALANalsorequiresmanyintermediarydevicestointerconnectendpointdevices.Non-endpointLANdevices:SwitchesWirelessdevicesIPtelephonydevicesStorageareanetworking(SAN)devicesSecuringNon-EndpointDevicesAnetworkmustalsobeabletomitigatespecificLANattacksincluding:MACaddressspoofingattacksSTPmanipulationattacksMACaddresstableoverflowattacksLANstormattacksVLANattacksSecuringtheLANInfrastructureOperatingSystemsBasicSecurityServicesTrustedcodeandtrustedpath–ensuresthattheintegrityoftheoperatingsystemisnotviolatedPrivilegedcontextofexecution–providesidentity
authenticationandcertainprivilegesbasedontheidentityProcessmemoryprotectionandisolation–providesseparationfromotherusersandtheirdataAccesscontroltoresources–ensuresconfidentialityandintegrityofdataTypesofApplicationAttacksIhavegaineddirectaccesstothisapplication’sprivilegesIhavegainedaccesstothissystemwhichistrustedbytheothersystem,allowingmetoaccessit.IndirectDirectCiscoSystemsEndpointSecuritySolutionsCiscoNACIronPortCiscoSecurityAgentIronPortisaleadingproviderofanti-spam,anti-virus,andanti-spywareappliances.CiscoacquiredIronPortSystemsin2007.ItusesSenderBase,theworld'slargestthreatdetectiondatabase,tohelpprovidepreventiveandreactivesecuritymeasures.IronPort6.1.2EndpointSecuritywithIronPortCiscoIronPortProductsIronPortC-Series:Iron-PortS-SeriesCiscoIronPortProductsIronPortproductsinclude:E-mailsecurityappliancesforvirusandspamcontrolWebsecurityapplianceforspywarefiltering,URLfiltering,andanti-malwareSecuritymanagementapplianceIronPortC-SeriesInternetInternetAntispamAntivirusPolicyEnforcementMailRoutingBeforeIronPortIronPortE-mailSecurityApplianceFirewallGroupwareUsersAfterIronPortUsersGroupwareFirewallEncryptionPlatformMTADLPScannerDLPPolicyManagerIronPortS-SeriesWebProxyAntispywareAntivirusAntiphishingURLFilteringPolicyManagementFirewallUsersUsersFirewallIronPortS-SeriesBeforeIronPortAfterIronPortInternetInternet6.1.3EndpointSecuritywithNetworkAdmissionControlCiscoNACTheNACFrameworkNACComponentsCiscoNACApplianceProcessAccessWindowsCiscoNACNACFrameworkSoftwaremoduleembeddedwithinNAC-enabledproductsIntegratedframeworkleveragingmultipleCiscoandNAC-awarevendorproductsIn-bandCiscoNACAppliancesolutioncanbeusedonanyswitchorrouterplatformSelf-contained,turnkeysolution
ThepurposeofNAC:AllowonlyauthorizedandcompliantsystemstoaccessthenetworkToenforcenetworksecuritypolicyCiscoNACApplianceReferto
fourimportantfeaturesofNACTheNACFrameworkAAA
ServerCredentialsCredentialsEAP/UDP,EAP/802.1xRADIUSCredentialsHTTPSAccessRightsNotificationCiscoTrustAgentComply?VendorServersHostsAttemptingNetworkAccessNetworkAccessDevicesPolicyServerDecisionPointsandRemediationEnforcementNAC的示意圖當(dāng)運(yùn)行NAC時(shí),首先由網(wǎng)絡(luò)接入設(shè)備發(fā)出消息,從主機(jī)請(qǐng)求委托書。然后,AAA服務(wù)器CiscoTrustAgent(CTA)與主機(jī)上的CiscoTrustAgent(CTA)建立安全的EAP對(duì)話。此時(shí),CTA對(duì)AAA服務(wù)器執(zhí)行檢查。委托書可以通過(guò)主機(jī)應(yīng)用、CTA或網(wǎng)絡(luò)設(shè)備傳遞,由思科ACS接收后進(jìn)行認(rèn)證和授權(quán)。某些情況下,ACS可以作為防病毒策略服務(wù)器的代理,直接將防病毒軟件應(yīng)用委托書傳送到廠商的AV服務(wù)器接收檢查。委托書通過(guò)審查后,ACS將為網(wǎng)絡(luò)設(shè)備選擇相應(yīng)的實(shí)施策略。例如,ACS可以向路由器發(fā)送準(zhǔn)入控制表,對(duì)此主機(jī)實(shí)施特殊策略。對(duì)于非響應(yīng)性設(shè)備,可以對(duì)主動(dòng)運(yùn)行CTA(網(wǎng)絡(luò)或ACS)的設(shè)備實(shí)施默認(rèn)策略。在以后的各階段,還將通過(guò)掃描或其它機(jī)制對(duì)主機(jī)系統(tǒng)執(zhí)行進(jìn)一步檢查,以便收集其他端點(diǎn)安全信息。NACComponentsCiscoNAS(CiscoNACApplianceServer)Servesasanin-bandorout-of-banddevicefornetworkaccesscontrolCiscoNAM(CiscoNACApplianceManager)Centralizesmanagementforadministrators,supportpersonnel,andoperatorsCiscoNAA(CiscoNACApplianceAgent)Optionallightweightclientfordevice-basedregistryscansinunmanagedenvironmentsRule-setupdatesScheduledautomaticupdatesforantivirus,criticalhotfixes,andotherapplicationsMGRCiscoNACApplianceProcessTHEGOALIntranet/
Network2.Hostis
redirectedtoaloginpage.CiscoNACAppliancevalidatesusernameandpassword,alsoperformsdeviceandnetworkscanstoassessvulnerabilitiesondevice.Deviceisnoncompliant
orloginisincorrect.Hostisdeniedaccessandassigned
toaquarantinerolewithaccesstoonlineremediationresources.3a.3b.Deviceis“clean”.Machinegetson“certifieddeviceslist”andisgrantedaccesstonetwork.CiscoNASCiscoNAM1.Hostattemptstoaccessawebpageorusesanoptionalclient.Networkaccessisblockeduntilwiredorwirelesshostprovideslogininformation.AuthenticationServerMGRQuarantineRole3.Thehostisauthenticatedandoptionally
scannedforposturecomplianceAccessWindows4.LoginScreenScanisperformed(typesofchecksdependonuserrole)ScanfailsRemediate6.1.4EndpointSecuritywithCiscoSecurityAgentCSAArchitectureModelCSAOverviewCSAFunctionalityAttackPhasesCSALogMessagesCSAArchitectureManagementCenterforCiscoSecurityAgent
withInternalorExternalDatabaseSecurity
PolicyServerProtectedbyCiscoSecurityAgentAdministration
WorkstationSSLEventsAlertsCSAOverviewStateRulesandPoliciesRules
EngineCorrelation
EngineFileSystemInterceptorNetwork
InterceptorConfiguration
InterceptorExecutionSpaceInterceptorApplicationAllowedRequestBlockedRequestCSAFunctionalitySecurityApplicationNetwork
InterceptorFileSystemInterceptorConfiguration
InterceptorExecution
Space
InterceptorDistributedFirewallX―――HostIntrusionPreventionX――XApplication
Sandbox―XXXNetworkWormPreventionX――XFileIntegrityMonitor―XX―AttackPhasesFilesysteminterceptorNetworkinterceptorConfigurationinterceptorExecutionspaceinterceptorServerProtectedbyCiscoSecurityAgentProbephasePingscansPortscansPenetratephaseTransferexploitcodetotargetPersistphaseInstallnewcodeModifyconfigurationPropagatephaseAttackothertargetsParalyzephaseErasefilesCrashsystemStealdataCSAstoppedtheseattacksbyidentifyingtheirmaliciousbehaviorwithoutanyupdatesCSALogMessages6.2Layer2SecurityConsiderationsLayer2SecurityConsiderationsIntroductiontoLayer2SecurityMACAddressSpoofingAttacksMACAddressTableOverflowAttacksSTPManipulationAttacksLANStormAttacksVLANAttacks6.2.1IntroductiontoLayer2SecurityLayer2SecurityOverviewofOSIModelIPSMARSVPNACSIronPortFirewallWeb
ServerEmailServerDNSHostsPerimeterInternetLayer2SecurityOSIModelMACAddressesWhenitcomestonetworking,Layer2isoftenaveryweaklink.PhysicalLinksIPAddressesProtocolsandPortsApplicationStreamApplicationPresentationSessionTransportNetworkDataLinkPhysicalCompromisedApplicationPresentationSessionTransportNetworkDataLinkPhysicalInitialCompromiseLayer2VulnerabilitiesMACAddressSpoofingAttacksMACAddressTableOverflowAttacksSTPManipulationAttacksStormAttacksVLANAttacksMACAddressSpoofingAttackMACAddress:AABBccAABBcc12AbDdSwitchPort12MACAddress:AABBccAttackerPort1Port2MACAddress:12AbDdIhaveassociatedPorts1and2withtheMACaddressesofthedevicesattached.Trafficdestinedforeachdevicewillbeforwardeddirectly.Theswitchkeepstrackofthe
endpointsbymaintainingaMACaddresstable.InMAC
spoofing,theattackerposes
asanotherhost—inthiscase,
AABBcc6.2.2MACAddressSpoofingAttackMACAddress:AABBccAABBccSwitchPort12MACAddress:AABBccAttackerPort1Port2AABBcc12IhavechangedtheMAC
addressonmycomputer
tomatchtheserver.ThedevicewithMACaddressAABBcchaschangedlocationstoPort2.ImustadjustmyMACaddresstableaccordingly.MACAddressTableOverflowAttackABCDVLAN10VLAN10IntruderrunsmacoftobeginsendingunknownbogusMACaddresses.3/253/25MACX3/25MACY3/25MACZXYZfloodMACPortX3/25Y3/25C3/25BogusaddressesareaddedtotheCAMtable.CAMtableisfull.HostCTheswitchfloodstheframes.AttackerseestraffictoserversBandD.VLAN101234BothMACspoofingandMACaddresstableoverflowattackscanbemitigatedbyconfiguringportsecurityontheswitch.Portsecuritycaneither:StaticallyspecifytheMACaddressesonaparticularswitchport.AllowtheswitchtodynamicallylearnafixednumberofMACaddressesforaswitchport.StaticallyspecifyingtheMACaddressesisnotamanageablesolutionforaproductionenvironment.AllowingtheswitchtodynamicallylearnafixednumberofMACaddressesisanadministrativelyscalablesolution.MACAddressMitigationTechniquesAnSTPattacktypicallyinvolvesthecreationofabogusRootbridge.ThiscanbeaccomplishedusingavailablesoftwarefromtheInternetsuchasbrconfigorstp-packet.TheseprogramscanbeusedtosimulateabogusswitchwhichcanforwardSTPBPDUs.STPAttackMitigationtechniquesincludeenablingPortFast,rootguardandBPDUguard.6.2.4STPManipulationAttackSpanningtreeprotocoloperatesbyelectingarootbridgeSTPbuildsatreetopologySTPmanipulationchangesthetopologyofanetwork—theattackinghostappearstobetherootbridgeFFFFFBRootBridge
Priority=8192
MACAddress=0000.00C0.1234STPManipulationAttackRootBridge
Priority=8192RootBridgeFFFFFBSTPBPDU
Priority=0STPBPDU
Priority=0FBFFFFAttackerTheattackinghostbroadcastsoutSTP
configurationandtopologychangeBPDUs.Thisisanattempttoforcespanningtree
recalculations.6.2.5LANStormAttackBroadcast,multicast,orunicastpacketsarefloodedonallportsinthesameVLAN.ThesestormscanincreasetheCPUutilizationonaswitchto100%,reducingtheperformanceofthenetwork.BroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastALANstormoccurswhenpacketsfloodtheLAN,creatingexcessivetrafficanddegradingnetworkperformance.Possiblecauses:ErrorsintheprotocolstackimplementationMis-configurationsUsersissuingaDoSattackBroadcaststormscanalsooccuronnetworks.Rememberthatswitchesalwaysforwardbroadcastsoutallports.Somenecessaryprotocols,suchasARPandDHCPusebroadcasts;therefore,switchesmustbeabletoforwardbroadcasttraffic.LANStormAttacksMitigationtechniquesincludeconfiguringstormcontrol.StormControlTotal
numberof
broadcastpacketsorbytes6.2.6VLANAttacksVLAN=BroadcastDomain=LogicalNetwork(Subnet)SegmentationFlexibilitySecurityTrunkportspasstrafficforallVLANsusingeitherIEEE802.1Qorinter-switchlink(ISL)VLANencapsulation.AVLANhoppingattackcanbelaunchedinoneoftwoways:IntroducingarogueswitchonanetworkwithDTPenabled.DTPenablestrunkingtoaccessalltheVLANsonthetargetswitch.Double-taggingVLANattackbyspoofingDTPmessagesfromtheattackinghosttocausetheswitchtoentertrunkingmode.TheattackercanthensendtraffictaggedwiththetargetVLAN,andtheswitchthendeliversthepacketstothedestination.VLANAttacksBydefaultmostswitchessupportDynamicTrunkProtocol(DTP)whichautomaticallytrytonegotiatetrunklinks.AnattackercouldconfigureahosttospoofaswitchandadvertiseitselfasbeingcapableofusingeitherISLor802.1q.Ifsuccessful,theattackingsystemthenbecomesamemberofallVLANs.VLANHoppingAttack-RogueSwitchThesecondswitchreceivesthepacket,onthenativeVLANDouble-TaggingVLANAttackAttackeron
VLAN10,butputsa20taginthepacketVictim
(VLAN20)Note:ThisattackworksonlyifthetrunkhasthesamenativeVLANastheattacker.Thefirstswitchstripsoffthefirsttaganddoesnotretagit(nativetrafficisnotretagged).Itthenforwardsthepackettoswitch2.20,1020Trunk
(NativeVLAN=10)802.1Q,802.1Qtrunk802.1Q,FrameFrame1234Thesecondswitchexaminesthepacket,seestheVLAN20tagandforwardsitaccordingly.Involvestaggingtransmittedframeswithtwo802.1qheadersinordertoforwardtheframestothewrongVLAN.Thefirstswitchstripsthefirsttagofftheframeandforwardstheframe.ThesecondswitchthenforwardsthepackettothedestinationbasedontheVLANidentifierinthesecond802.1qheader.UseadedicatednativeVLANforalltrunkports.SetthenativeVLANonthetrunkportstoanunusedVLAN.Disabletrunknegotiationonallportsconnectingtoworkstations.VLANHoppingAttack-Double-TaggingMitigationtechniquesincludeensuringthatthenativeVLANofthetrunkportsisdifferentfromthenativeVLANoftheuserports.6.3ConfiguringLayer2SecurityConfiguringSwitchSecurityConfiguringPortSecurityVerifyingPortSecurityBPDUGuardandRootGuardStormControlVLANConfigurationCiscoSwitchedPortAnalyzerCiscoRemoteSwitchedPortAnalyzerBestPracticesforLayer26.3.1ConfiguringPortSecurityPortSecurityOverviewPortSecurityConfigurationSwitchportPort-SecurityParametersPort-SecurityViolationConfigurationSwitchportPort-SecurityViolationParametersPortSecurityAgingConfigurationSwitchportPort-SecurityAgingParametersTypicalConfigurationPortSecurityOverviewMACAMACAPort0/1allowsMACA
Port0/2allowsMACB
Port0/3allowsMACCAttacker1Attacker20/10/20/3MACFAllowsanadministratortostaticallyspecifyMACAddressesforaportortopermittheswitchtodynamicallylearnalimitednumberofMACaddressesConfiguringPortSecurityTopreventMACspoofingandMACtableoverflows,enableportsecurity.PortSecuritycanbeusedtostaticallyspecifyMACaddressesforaportortopermittheswitchtodynamicallylearnalimitednumberofMACaddresses.BylimitingthenumberofpermittedMACaddressesonaporttoone,portsecuritycanbeusedtocontrolunauthorizedexpansionofthenetwork.OnceMACaddressesareassignedtoasecureport,theportdoesnotforwardframeswithsourceMACaddressesoutsidethegroupofdefinedaddresses.Securesourceaddressescanbe:ManuallyconfiguredAutoconfigured(learned)PortSecurityWhenaMACaddressdiffersfromthelistofsecureaddresses,theporteither:Shutsdownuntilitisadministrativelyenabled(defaultmode).Dropsincomingframesfromtheinsecurehost(restrictoption).Theportbehaviordependsonhowitisconfiguredtorespondtoasecurityviolation.Shutdownistherecommendedsecurityviolation.PortSecurityCLICommandsswitchportmodeaccess
Switch(config-if)#Setstheinterfacemodeasaccessswitchportport-security
Switch(config-if)#Enablesportsecurityontheinterfaceswitchportport-securitymaximumvalue
Switch(config-if)#SetsthemaximumnumberofsecureMACaddressesfortheinterface(optional)SwitchportPort-SecurityParametersParameterDescriptionmac-address
mac-address(Optional)SpecifyasecureMACaddressfortheportbyenteringa48-bitMACaaddress.YoucanaddadditionalsecureMACaddressesuptothemaximumvalueconfigured.vlanvlan-id(Optional)Onatrunkportonly,specifytheVLANIDandtheMACaddress.IfnoVLANIDisspecified,thenativeVLANisused.vlanaccess(Optional)Onanaccessportonly,specifytheVLANasanaccessVLAN.vlanvoice(Optional)Onanaccessportonly,specifytheVLANasavoiceVLANmac-addresssticky
[mac-address](Optional)Enabletheinterfaceforstickylearningbyenteringonlythemac-addressstickykeywords.Whenstickylearningisenabled,theinterfaceaddsallsecureMACaddressesthataredynamicallylearnedtotherunningconfigurationandconvertstheseaddressestostickysecureMACaddresses.SpecifyastickysecureMACaddressbyenteringthemac-addressstickymac-addresskeywords..maximum
value(Optional)SetthemaximumnumberofsecureMACaddressesfortheinterface.ThemaximumnumberofsecureMACaddressesthatyoucanconfigureonaswitchissetbythemaximumnumberofavailableMACaddressesallowedinthesystem.TheactiveSwitchDatabaseManagement(SDM)templatedeterminesthisnumber.ThisnumberrepresentsthetotalofavailableMACaddresses,includingthoseusedforotherLayer2functionsandanyothersecureMACaddressesconfiguredoninterfaces.Thedefaultsettingis1.vlan[vlan-list](Optional)Fortrunkports,youcansetthemaximumnumberofsecureMACaddressesonaVLAN.Ifthevlankeywordisnotentered,thedefaultvalueisused.vlan:setaper-VLANmaximumvalue.vlanvlan-list:setaper-VLANmaximumvalueonarangeofVLANsseparatedbyahyphenoraseriesofVLANsseparatedbycommas.FornonspecifiedVLANs,theper-VLANmaximumvalueisused.PortSecurityViolationConfigurationswitchportport-securitymac-addresssticky
Switch(config-if)#Enablesstickylearningontheinterface(optional)switchportport-securityviolation{protect|restrict|shutdown}
Switch(config-if)#Setstheviolationmode(optional)switchportport-securitymac-addressmac-address
Switch(config-if)#EntersastaticsecureMACaddressfortheinterface(optional)SwitchportPort-SecurityViolationParametersParameterDescriptionprotect(Optional)Setthesecurityviolationprotectmode.WhenthenumberofsecureMACaddressesreachesthelimitallowedontheport,packetswithunknownsourceaddressesaredroppeduntilyouremoveasufficientnumberofsecureMACaddressesorincreasethenumberofmaximumallowableaddresses.Youarenotnotifiedthatasecurityviolationhasoccurred.restrict(Optional)Setthesecurityviolationrestrictmode.WhenthenumberofsecureMACaddressesreachesthelimitallowedontheport,packetswithunknownsourceaddressesaredroppeduntilyouremoveasufficientnumberofsecureMACaddressesorincreasethenumberofmaximumallowableaddresses.Inthismode,youarenotifiedthatasecurityviolationhasoccurred.shutdown(Optional)Setthesecurityviolationshutdownmode.Inthismode,aportsecurityviolationcausestheinterfacetoimmediatelybecomeerror-disabledandturnsofftheportLED.ItalsosendsanSNMPtrap,logsasyslogmessage,andincrementstheviolationcounter.Whenasecureportisintheerror-disabledstate,youcanbringitoutofthisstatebyenteringtheerrdisablerecoverycause
psecure-violation
globalconfigurationcommand,oryoucanmanuallyre-enableitbyenteringtheshutdownandnoshutdowninterfaceconfigurationcommands.shutdown
vlanSetthesecurityviolationmodetoper-VLANshutdown.Inthismode,onlytheVLANonwhichtheviolationoccurrediserror-disabled.PortSecurityAgingConfigurationswitchportport-securityaging{static|timetime|type{absolute|inactivity}}
Switch(config-if)#EnablesordisablesstaticagingforthesecureportorsetstheagingtimeortypePortsecurityagingcanbeusedtosettheagingtimeforstaticanddynamicsecureaddressesonaport.Twotypesofagingaresupportedperport:absolute-Thesecureaddressesontheportaredeletedafterthespecifiedagingtime.inactivity-Thesecureaddressesontheportaredeletedonlyiftheyareinactiveforthespecifiedagingtime.SwitchportPort-SecurityAgingParametersParameterDescriptionstaticEnableagingforstaticallyconfiguredsecureaddressesonthisport.timetimeSpecifytheagingtimeforthisport.Therangeis0to1440minutes.Ifthetimeis0,agingisdisabledforthisport.typeabsoluteSetabsoluteagingtype.Allthesecureaddressesonthisportageoutexactlyafterthetime(minutes)specifiedandareremovedfromthesecureaddresslist.typeinactivitySettheinactivityagingtype.Thesecureaddressesonthisportageoutonlyifthereisnodatatrafficfromthesecuresourceaddressforthespecifiedtimeperiod.TypicalConfigurationswitchportmodeaccessswitchportport-securityswitchportport-securitymaximum2
switchportport-securityviolationshutdown switchportport-securitymac-addressstickyswitchportport-securityagingtime120Switch(config-if)#S2PCB(config)#errdisablerecoverycausepsecure-violation(config)#Errdiablerecoveryintervla1006.3.2VerifyingPortSecurityCLICommandsViewSecureMACAddressesMACAddressNotificationsw-class#showport-securitySecurePortMaxSecureAddrCurrentAddrSecurityViolationSecurityAction(Count)(Count)(Count)Fa0/12200ShutdownTotalAddressesinSystem(excludingonemacperport):0MaxAddresseslimitinSystem(excludingonemacperport):1024CLICommandssw-class#showport-securityinterfacef0/12PortSecurity:EnabledPortstatus:Secure-downViolationmode:ShutdownMaximumMACAddresses:2TotalMACAddresses:1ConfiguredMACAddresses:0Agingtime:120minsAgingtype:AbsoluteSecureStaticaddressaging:DisabledSecurityViolationCount:0ViewSecureMACAddressessw-class#showport-securityaddressSecureMacAddressTableVlanMacAddressTypePortsRemainingAge(mins)
10000.ffff.aaaaSecureConfiguredFa0/12-TotalAddressesinSystem(excludingonemacperport):0MaxAddresseslimitinSystem(excludingonemacperport):1024MACAddressNotification
MACaddressnotificationallowsmonitoringoftheMACaddresses,atthemoduleandportlevel,addedbytheswitchorremovedfromtheCAMtableforsecureports.NMSMACAMACBF1/1=MACAF1/2=MACBF2/1=MACD
(addressagesout)SwitchCAMTableSNMPtrapssenttoNMSwhennewMACaddressesappearorwhenoldonestimeout.MACDisaway
fromthenetwork.F1/2F1/1F2/1TheMACAddressNotificationfeaturesendsSNMPtrapstothenetworkmanagementstation(NMS)wheneveranewMACaddressisaddedtooranoldaddressisdeletedfromtheforwardingtables.MACAddressNotificationSwitch(config)#macaddress-tablenotificationSwitch(config-if)#snmptrapmac-notificationSwitch(config)#snmp-serverenabletrapsmac-notification6.3.3ConfiguringBPDUGuardandRootGuardConfigurePortfastBPDUGuardDisplaytheStateofSpanningTreeRootGuardVerifyRootGuardCausesaLayer2interfacetotransitionfromtheblockingtotheforwardingstateimmediately,bypassingthelisteningandlearningstates.UsedonLayer2accessportsthatconnecttoasingleworkstationorserver.Itallowsthosedevicestoconnecttothenetworkimmediately,insteadofwaitingforSTPtoconverge.Configuredusingthespanning-treeportfastcommand.PortFastConfigurePortfastCommand
DescriptionSwitch(config-if)#spanning-treeportfast
EnablesPortFastonaLayer2accessportandforcesittoentertheforwardingstateimmediately.Switch(config-if)#nospanning-treeportfast
DisablesPortFastonaLayer2accessport.PortFastisdisabledbydefault.Switch(config)#spanning-treeportfastdefaultGloballyenablesthePortFastfeatureonallnontrunkingports.Switch#showrunning-configinterfacetype
slot/portIndicateswhetherPortFasthasbeenconfiguredonaport.ServerWorkstationThefeaturekeepstheactivenetworktopologypredictable.ItprotectsaswitchednetworkfromreceivingBPDUsonportsthatshouldnotbereceivingthem.ReceivedBPDUsmightbeaccidentalorpartofanattack.IfaportconfiguredwithPortFastandBPDUGuardreceivesaBPDU,theswitchwillputtheportintothedisabledstate.BPDUguardisbestdeployedtowarduser-facingportstopreventrogueswitchnetworkextensionsbyanattackinghost.BPDUGuardBPDUGuardSwitch(config)#spanning-treeportfastbpduguarddefaultGloballyenablesBPDUguardonallportswithPortFastenabledFFFFFBRootBridgeBPDUGuardEnabledAttackerSTPBPDUDisplaytheStateofSpanningTreeSwitch#showspanning-treesummarytotals
Rootbridgefor:none.PortFastBPDUGuardisenabledUplinkFastisdisabledBackboneFastisdisabledSpanningtreedefaultpathcostmethodusedisshortNameBlockingListeningLearningForwardingSTPActive
1VLAN00011<outputomitted>ThefeaturepreventsinterfacesthatareinaPortFast-operationalstatefromsendingorreceivingBPDUs.TheinterfacesstillsendafewBPDUsatlink-upbeforetheswitchbeginstofilteroutboundBPDUs.Thefeaturecanbeconfiguredgloballyorattheinterfacelevel.GloballyenableBPDUfilteringonaswitchsothathostsconnectedtotheseinterfacesdonotreceiveBPDUs.IfaBPDUisreceivedonaPortFast-enabledinterfacebecauseitisconnectedtoaswitch,theinterfacelosesitsPortFast-operationalstatus,andBPDUfilteringisdisabled.Attheinterfacelevel,thefeaturepreventstheinterface
溫馨提示
- 1. 本站所有資源如無(wú)特殊說(shuō)明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請(qǐng)下載最新的WinRAR軟件解壓。
- 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請(qǐng)聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
- 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁(yè)內(nèi)容里面會(huì)有圖紙預(yù)覽,若沒(méi)有圖紙預(yù)覽就沒(méi)有圖紙。
- 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
- 5. 人人文庫(kù)網(wǎng)僅提供信息存儲(chǔ)空間,僅對(duì)用戶上傳內(nèi)容的表現(xiàn)方式做保護(hù)處理,對(duì)用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對(duì)任何下載內(nèi)容負(fù)責(zé)。
- 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請(qǐng)與我們聯(lián)系,我們立即糾正。
- 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時(shí)也不承擔(dān)用戶因使用這些下載資源對(duì)自己和他人造成任何形式的傷害或損失。
最新文檔
- 關(guān)于土地流轉(zhuǎn)協(xié)議
- 顱縫早閉病因介紹
- 醫(yī)患爭(zhēng)議調(diào)解協(xié)議書
- 2025就業(yè)協(xié)議樣本
- 河南省許昌市(2024年-2025年小學(xué)六年級(jí)語(yǔ)文)統(tǒng)編版質(zhì)量測(cè)試(下學(xué)期)試卷及答案
- 《電機(jī)技術(shù)應(yīng)用》課件 3.1.2 直流電機(jī)電樞繞組
- (可研報(bào)告)天津東疆保稅區(qū)設(shè)立spv公司可行性報(bào)告
- (2024)紙塑復(fù)合袋生產(chǎn)建設(shè)項(xiàng)目可行性研究報(bào)告(一)
- (2024)觀光餐廳建設(shè)項(xiàng)目可行性研究報(bào)告(一)
- 2023年天津市濱海新區(qū)八所重點(diǎn)學(xué)校高考語(yǔ)文聯(lián)考試卷
- 2025年1月“八省聯(lián)考”考前猜想卷化學(xué)試題(15 4) 含解析
- 沖壓團(tuán)隊(duì)協(xié)作力培訓(xùn)
- 高性能SVG渲染算法
- 2024年公務(wù)員考試時(shí)事政治考試題(綜合題)
- 2024-2030年中國(guó)呼叫中心行業(yè)發(fā)展展望及投資管理模式分析報(bào)告權(quán)威版
- 2025屆浙江省高二物理第一學(xué)期期末學(xué)業(yè)水平測(cè)試試題含解析
- 《視覺神經(jīng)生理學(xué)》期末考試復(fù)習(xí)題庫(kù)(含答案)
- 《廠內(nèi)專用機(jī)動(dòng)車輛安全技術(shù)規(guī)程》TSG81-2022知識(shí)培訓(xùn)
- 2024年安全員A證證考試題庫(kù)及答案(1000題)
- 軸線翻身課件講稿
- 2024年2個(gè)居間人內(nèi)部合作協(xié)議書模板
評(píng)論
0/150
提交評(píng)論