




版權(quán)說明:本文檔由用戶提供并上傳,收益歸屬內(nèi)容提供方,若內(nèi)容存在侵權(quán),請(qǐng)進(jìn)行舉報(bào)或認(rèn)領(lǐng)
文檔簡(jiǎn)介
CCNASecurityChapter6:SecuringtheLocalAreaNetworkLessonPlanningThislessonshouldtake3-4hourstopresentThelessonshouldincludelecture,demonstrations,discussionsandassessmentsThelessoncanbetaughtinpersonorusingremoteinstructionMajorConceptsDescribeendpointvulnerabilitiesandprotectionmethodsDescribebasicCatalystswitchvulnerabilitiesConfigureandverifyswitchsecurityfeatures,includingportsecurityandstormcontrolDescribethefundamentalsecurityconsiderationsofWireless,VoIP,andSANs.Contents6.1EndpointSecurity6.2Layer2SecurityConsiderations6.3ConfiguringLayer2Security6.4Wireless,VoIP,andSANSecurity6.1EndpointSecurityEndpointSecurityConsiderationsIntroducingEndpointSecurityEndpointSecuritywithIronPortEndpointSecuritywithNetworkAdmissionControlEndpointSecuritywithCiscoSecurityAgent6.1.1IntroducingEndpointSecuritySecuringtheLANAddressingEndpointSecurityOperatingSystemsBasicSecurityServicesTypesofApplicationAttacksCiscoSystemsEndpointSecuritySolutionsSecuringtheedgedevicebecauseofitsWANconnection?SecuringtheinternalLAN?Both!SecuringtheinternalLANisjustasimportantassecuringtheperimeterofanetwork.InternalLANsconsistsof:EndpointsNon-endpointLANdevicesLANinfrastructureWhichshouldbeprotected?SecuringtheLANIPSMARSVPNACSIronPortFirewallWeb
ServerEmailServerDNSLANHostsPerimeterInternetAreasofconcentration:SecuringendpointsSecuringnetwork
infrastructureALANconnectsmanynetworkendpointdevicesthatactasanetworkclients.Endpointdevicesinclude:LaptopsDesktopsIPphonesPersonaldigitalassistants(PDAs)ServersPrintersSecuringEndpointDevicesALANalsorequiresmanyintermediarydevicestointerconnectendpointdevices.Non-endpointLANdevices:SwitchesWirelessdevicesIPtelephonydevicesStorageareanetworking(SAN)devicesSecuringNon-EndpointDevicesAnetworkmustalsobeabletomitigatespecificLANattacksincluding:MACaddressspoofingattacksSTPmanipulationattacksMACaddresstableoverflowattacksLANstormattacksVLANattacksSecuringtheLANInfrastructureOperatingSystemsBasicSecurityServicesTrustedcodeandtrustedpath–ensuresthattheintegrityoftheoperatingsystemisnotviolatedPrivilegedcontextofexecution–providesidentity
authenticationandcertainprivilegesbasedontheidentityProcessmemoryprotectionandisolation–providesseparationfromotherusersandtheirdataAccesscontroltoresources–ensuresconfidentialityandintegrityofdataTypesofApplicationAttacksIhavegaineddirectaccesstothisapplication’sprivilegesIhavegainedaccesstothissystemwhichistrustedbytheothersystem,allowingmetoaccessit.IndirectDirectCiscoSystemsEndpointSecuritySolutionsCiscoNACIronPortCiscoSecurityAgentIronPortisaleadingproviderofanti-spam,anti-virus,andanti-spywareappliances.CiscoacquiredIronPortSystemsin2007.ItusesSenderBase,theworld'slargestthreatdetectiondatabase,tohelpprovidepreventiveandreactivesecuritymeasures.IronPort6.1.2EndpointSecuritywithIronPortCiscoIronPortProductsIronPortC-Series:Iron-PortS-SeriesCiscoIronPortProductsIronPortproductsinclude:E-mailsecurityappliancesforvirusandspamcontrolWebsecurityapplianceforspywarefiltering,URLfiltering,andanti-malwareSecuritymanagementapplianceIronPortC-SeriesInternetInternetAntispamAntivirusPolicyEnforcementMailRoutingBeforeIronPortIronPortE-mailSecurityApplianceFirewallGroupwareUsersAfterIronPortUsersGroupwareFirewallEncryptionPlatformMTADLPScannerDLPPolicyManagerIronPortS-SeriesWebProxyAntispywareAntivirusAntiphishingURLFilteringPolicyManagementFirewallUsersUsersFirewallIronPortS-SeriesBeforeIronPortAfterIronPortInternetInternet6.1.3EndpointSecuritywithNetworkAdmissionControlCiscoNACTheNACFrameworkNACComponentsCiscoNACApplianceProcessAccessWindowsCiscoNACNACFrameworkSoftwaremoduleembeddedwithinNAC-enabledproductsIntegratedframeworkleveragingmultipleCiscoandNAC-awarevendorproductsIn-bandCiscoNACAppliancesolutioncanbeusedonanyswitchorrouterplatformSelf-contained,turnkeysolution
ThepurposeofNAC:AllowonlyauthorizedandcompliantsystemstoaccessthenetworkToenforcenetworksecuritypolicyCiscoNACApplianceReferto
fourimportantfeaturesofNACTheNACFrameworkAAA
ServerCredentialsCredentialsEAP/UDP,EAP/802.1xRADIUSCredentialsHTTPSAccessRightsNotificationCiscoTrustAgentComply?VendorServersHostsAttemptingNetworkAccessNetworkAccessDevicesPolicyServerDecisionPointsandRemediationEnforcementNAC的示意圖當(dāng)運(yùn)行NAC時(shí),首先由網(wǎng)絡(luò)接入設(shè)備發(fā)出消息,從主機(jī)請(qǐng)求委托書。然后,AAA服務(wù)器CiscoTrustAgent(CTA)與主機(jī)上的CiscoTrustAgent(CTA)建立安全的EAP對(duì)話。此時(shí),CTA對(duì)AAA服務(wù)器執(zhí)行檢查。委托書可以通過主機(jī)應(yīng)用、CTA或網(wǎng)絡(luò)設(shè)備傳遞,由思科ACS接收后進(jìn)行認(rèn)證和授權(quán)。某些情況下,ACS可以作為防病毒策略服務(wù)器的代理,直接將防病毒軟件應(yīng)用委托書傳送到廠商的AV服務(wù)器接收檢查。委托書通過審查后,ACS將為網(wǎng)絡(luò)設(shè)備選擇相應(yīng)的實(shí)施策略。例如,ACS可以向路由器發(fā)送準(zhǔn)入控制表,對(duì)此主機(jī)實(shí)施特殊策略。對(duì)于非響應(yīng)性設(shè)備,可以對(duì)主動(dòng)運(yùn)行CTA(網(wǎng)絡(luò)或ACS)的設(shè)備實(shí)施默認(rèn)策略。在以后的各階段,還將通過掃描或其它機(jī)制對(duì)主機(jī)系統(tǒng)執(zhí)行進(jìn)一步檢查,以便收集其他端點(diǎn)安全信息。NACComponentsCiscoNAS(CiscoNACApplianceServer)Servesasanin-bandorout-of-banddevicefornetworkaccesscontrolCiscoNAM(CiscoNACApplianceManager)Centralizesmanagementforadministrators,supportpersonnel,andoperatorsCiscoNAA(CiscoNACApplianceAgent)Optionallightweightclientfordevice-basedregistryscansinunmanagedenvironmentsRule-setupdatesScheduledautomaticupdatesforantivirus,criticalhotfixes,andotherapplicationsMGRCiscoNACApplianceProcessTHEGOALIntranet/
Network2.Hostis
redirectedtoaloginpage.CiscoNACAppliancevalidatesusernameandpassword,alsoperformsdeviceandnetworkscanstoassessvulnerabilitiesondevice.Deviceisnoncompliant
orloginisincorrect.Hostisdeniedaccessandassigned
toaquarantinerolewithaccesstoonlineremediationresources.3a.3b.Deviceis“clean”.Machinegetson“certifieddeviceslist”andisgrantedaccesstonetwork.CiscoNASCiscoNAM1.Hostattemptstoaccessawebpageorusesanoptionalclient.Networkaccessisblockeduntilwiredorwirelesshostprovideslogininformation.AuthenticationServerMGRQuarantineRole3.Thehostisauthenticatedandoptionally
scannedforposturecomplianceAccessWindows4.LoginScreenScanisperformed(typesofchecksdependonuserrole)ScanfailsRemediate6.1.4EndpointSecuritywithCiscoSecurityAgentCSAArchitectureModelCSAOverviewCSAFunctionalityAttackPhasesCSALogMessagesCSAArchitectureManagementCenterforCiscoSecurityAgent
withInternalorExternalDatabaseSecurity
PolicyServerProtectedbyCiscoSecurityAgentAdministration
WorkstationSSLEventsAlertsCSAOverviewStateRulesandPoliciesRules
EngineCorrelation
EngineFileSystemInterceptorNetwork
InterceptorConfiguration
InterceptorExecutionSpaceInterceptorApplicationAllowedRequestBlockedRequestCSAFunctionalitySecurityApplicationNetwork
InterceptorFileSystemInterceptorConfiguration
InterceptorExecution
Space
InterceptorDistributedFirewallX―――HostIntrusionPreventionX――XApplication
Sandbox―XXXNetworkWormPreventionX――XFileIntegrityMonitor―XX―AttackPhasesFilesysteminterceptorNetworkinterceptorConfigurationinterceptorExecutionspaceinterceptorServerProtectedbyCiscoSecurityAgentProbephasePingscansPortscansPenetratephaseTransferexploitcodetotargetPersistphaseInstallnewcodeModifyconfigurationPropagatephaseAttackothertargetsParalyzephaseErasefilesCrashsystemStealdataCSAstoppedtheseattacksbyidentifyingtheirmaliciousbehaviorwithoutanyupdatesCSALogMessages6.2Layer2SecurityConsiderationsLayer2SecurityConsiderationsIntroductiontoLayer2SecurityMACAddressSpoofingAttacksMACAddressTableOverflowAttacksSTPManipulationAttacksLANStormAttacksVLANAttacks6.2.1IntroductiontoLayer2SecurityLayer2SecurityOverviewofOSIModelIPSMARSVPNACSIronPortFirewallWeb
ServerEmailServerDNSHostsPerimeterInternetLayer2SecurityOSIModelMACAddressesWhenitcomestonetworking,Layer2isoftenaveryweaklink.PhysicalLinksIPAddressesProtocolsandPortsApplicationStreamApplicationPresentationSessionTransportNetworkDataLinkPhysicalCompromisedApplicationPresentationSessionTransportNetworkDataLinkPhysicalInitialCompromiseLayer2VulnerabilitiesMACAddressSpoofingAttacksMACAddressTableOverflowAttacksSTPManipulationAttacksStormAttacksVLANAttacksMACAddressSpoofingAttackMACAddress:AABBccAABBcc12AbDdSwitchPort12MACAddress:AABBccAttackerPort1Port2MACAddress:12AbDdIhaveassociatedPorts1and2withtheMACaddressesofthedevicesattached.Trafficdestinedforeachdevicewillbeforwardeddirectly.Theswitchkeepstrackofthe
endpointsbymaintainingaMACaddresstable.InMAC
spoofing,theattackerposes
asanotherhost—inthiscase,
AABBcc6.2.2MACAddressSpoofingAttackMACAddress:AABBccAABBccSwitchPort12MACAddress:AABBccAttackerPort1Port2AABBcc12IhavechangedtheMAC
addressonmycomputer
tomatchtheserver.ThedevicewithMACaddressAABBcchaschangedlocationstoPort2.ImustadjustmyMACaddresstableaccordingly.MACAddressTableOverflowAttackABCDVLAN10VLAN10IntruderrunsmacoftobeginsendingunknownbogusMACaddresses.3/253/25MACX3/25MACY3/25MACZXYZfloodMACPortX3/25Y3/25C3/25BogusaddressesareaddedtotheCAMtable.CAMtableisfull.HostCTheswitchfloodstheframes.AttackerseestraffictoserversBandD.VLAN101234BothMACspoofingandMACaddresstableoverflowattackscanbemitigatedbyconfiguringportsecurityontheswitch.Portsecuritycaneither:StaticallyspecifytheMACaddressesonaparticularswitchport.AllowtheswitchtodynamicallylearnafixednumberofMACaddressesforaswitchport.StaticallyspecifyingtheMACaddressesisnotamanageablesolutionforaproductionenvironment.AllowingtheswitchtodynamicallylearnafixednumberofMACaddressesisanadministrativelyscalablesolution.MACAddressMitigationTechniquesAnSTPattacktypicallyinvolvesthecreationofabogusRootbridge.ThiscanbeaccomplishedusingavailablesoftwarefromtheInternetsuchasbrconfigorstp-packet.TheseprogramscanbeusedtosimulateabogusswitchwhichcanforwardSTPBPDUs.STPAttackMitigationtechniquesincludeenablingPortFast,rootguardandBPDUguard.6.2.4STPManipulationAttackSpanningtreeprotocoloperatesbyelectingarootbridgeSTPbuildsatreetopologySTPmanipulationchangesthetopologyofanetwork—theattackinghostappearstobetherootbridgeFFFFFBRootBridge
Priority=8192
MACAddress=0000.00C0.1234STPManipulationAttackRootBridge
Priority=8192RootBridgeFFFFFBSTPBPDU
Priority=0STPBPDU
Priority=0FBFFFFAttackerTheattackinghostbroadcastsoutSTP
configurationandtopologychangeBPDUs.Thisisanattempttoforcespanningtree
recalculations.6.2.5LANStormAttackBroadcast,multicast,orunicastpacketsarefloodedonallportsinthesameVLAN.ThesestormscanincreasetheCPUutilizationonaswitchto100%,reducingtheperformanceofthenetwork.BroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastBroadcastALANstormoccurswhenpacketsfloodtheLAN,creatingexcessivetrafficanddegradingnetworkperformance.Possiblecauses:ErrorsintheprotocolstackimplementationMis-configurationsUsersissuingaDoSattackBroadcaststormscanalsooccuronnetworks.Rememberthatswitchesalwaysforwardbroadcastsoutallports.Somenecessaryprotocols,suchasARPandDHCPusebroadcasts;therefore,switchesmustbeabletoforwardbroadcasttraffic.LANStormAttacksMitigationtechniquesincludeconfiguringstormcontrol.StormControlTotal
numberof
broadcastpacketsorbytes6.2.6VLANAttacksVLAN=BroadcastDomain=LogicalNetwork(Subnet)SegmentationFlexibilitySecurityTrunkportspasstrafficforallVLANsusingeitherIEEE802.1Qorinter-switchlink(ISL)VLANencapsulation.AVLANhoppingattackcanbelaunchedinoneoftwoways:IntroducingarogueswitchonanetworkwithDTPenabled.DTPenablestrunkingtoaccessalltheVLANsonthetargetswitch.Double-taggingVLANattackbyspoofingDTPmessagesfromtheattackinghosttocausetheswitchtoentertrunkingmode.TheattackercanthensendtraffictaggedwiththetargetVLAN,andtheswitchthendeliversthepacketstothedestination.VLANAttacksBydefaultmostswitchessupportDynamicTrunkProtocol(DTP)whichautomaticallytrytonegotiatetrunklinks.AnattackercouldconfigureahosttospoofaswitchandadvertiseitselfasbeingcapableofusingeitherISLor802.1q.Ifsuccessful,theattackingsystemthenbecomesamemberofallVLANs.VLANHoppingAttack-RogueSwitchThesecondswitchreceivesthepacket,onthenativeVLANDouble-TaggingVLANAttackAttackeron
VLAN10,butputsa20taginthepacketVictim
(VLAN20)Note:ThisattackworksonlyifthetrunkhasthesamenativeVLANastheattacker.Thefirstswitchstripsoffthefirsttaganddoesnotretagit(nativetrafficisnotretagged).Itthenforwardsthepackettoswitch2.20,1020Trunk
(NativeVLAN=10)802.1Q,802.1Qtrunk802.1Q,FrameFrame1234Thesecondswitchexaminesthepacket,seestheVLAN20tagandforwardsitaccordingly.Involvestaggingtransmittedframeswithtwo802.1qheadersinordertoforwardtheframestothewrongVLAN.Thefirstswitchstripsthefirsttagofftheframeandforwardstheframe.ThesecondswitchthenforwardsthepackettothedestinationbasedontheVLANidentifierinthesecond802.1qheader.UseadedicatednativeVLANforalltrunkports.SetthenativeVLANonthetrunkportstoanunusedVLAN.Disabletrunknegotiationonallportsconnectingtoworkstations.VLANHoppingAttack-Double-TaggingMitigationtechniquesincludeensuringthatthenativeVLANofthetrunkportsisdifferentfromthenativeVLANoftheuserports.6.3ConfiguringLayer2SecurityConfiguringSwitchSecurityConfiguringPortSecurityVerifyingPortSecurityBPDUGuardandRootGuardStormControlVLANConfigurationCiscoSwitchedPortAnalyzerCiscoRemoteSwitchedPortAnalyzerBestPracticesforLayer26.3.1ConfiguringPortSecurityPortSecurityOverviewPortSecurityConfigurationSwitchportPort-SecurityParametersPort-SecurityViolationConfigurationSwitchportPort-SecurityViolationParametersPortSecurityAgingConfigurationSwitchportPort-SecurityAgingParametersTypicalConfigurationPortSecurityOverviewMACAMACAPort0/1allowsMACA
Port0/2allowsMACB
Port0/3allowsMACCAttacker1Attacker20/10/20/3MACFAllowsanadministratortostaticallyspecifyMACAddressesforaportortopermittheswitchtodynamicallylearnalimitednumberofMACaddressesConfiguringPortSecurityTopreventMACspoofingandMACtableoverflows,enableportsecurity.PortSecuritycanbeusedtostaticallyspecifyMACaddressesforaportortopermittheswitchtodynamicallylearnalimitednumberofMACaddresses.BylimitingthenumberofpermittedMACaddressesonaporttoone,portsecuritycanbeusedtocontrolunauthorizedexpansionofthenetwork.OnceMACaddressesareassignedtoasecureport,theportdoesnotforwardframeswithsourceMACaddressesoutsidethegroupofdefinedaddresses.Securesourceaddressescanbe:ManuallyconfiguredAutoconfigured(learned)PortSecurityWhenaMACaddressdiffersfromthelistofsecureaddresses,theporteither:Shutsdownuntilitisadministrativelyenabled(defaultmode).Dropsincomingframesfromtheinsecurehost(restrictoption).Theportbehaviordependsonhowitisconfiguredtorespondtoasecurityviolation.Shutdownistherecommendedsecurityviolation.PortSecurityCLICommandsswitchportmodeaccess
Switch(config-if)#Setstheinterfacemodeasaccessswitchportport-security
Switch(config-if)#Enablesportsecurityontheinterfaceswitchportport-securitymaximumvalue
Switch(config-if)#SetsthemaximumnumberofsecureMACaddressesfortheinterface(optional)SwitchportPort-SecurityParametersParameterDescriptionmac-address
mac-address(Optional)SpecifyasecureMACaddressfortheportbyenteringa48-bitMACaaddress.YoucanaddadditionalsecureMACaddressesuptothemaximumvalueconfigured.vlanvlan-id(Optional)Onatrunkportonly,specifytheVLANIDandtheMACaddress.IfnoVLANIDisspecified,thenativeVLANisused.vlanaccess(Optional)Onanaccessportonly,specifytheVLANasanaccessVLAN.vlanvoice(Optional)Onanaccessportonly,specifytheVLANasavoiceVLANmac-addresssticky
[mac-address](Optional)Enabletheinterfaceforstickylearningbyenteringonlythemac-addressstickykeywords.Whenstickylearningisenabled,theinterfaceaddsallsecureMACaddressesthataredynamicallylearnedtotherunningconfigurationandconvertstheseaddressestostickysecureMACaddresses.SpecifyastickysecureMACaddressbyenteringthemac-addressstickymac-addresskeywords..maximum
value(Optional)SetthemaximumnumberofsecureMACaddressesfortheinterface.ThemaximumnumberofsecureMACaddressesthatyoucanconfigureonaswitchissetbythemaximumnumberofavailableMACaddressesallowedinthesystem.TheactiveSwitchDatabaseManagement(SDM)templatedeterminesthisnumber.ThisnumberrepresentsthetotalofavailableMACaddresses,includingthoseusedforotherLayer2functionsandanyothersecureMACaddressesconfiguredoninterfaces.Thedefaultsettingis1.vlan[vlan-list](Optional)Fortrunkports,youcansetthemaximumnumberofsecureMACaddressesonaVLAN.Ifthevlankeywordisnotentered,thedefaultvalueisused.vlan:setaper-VLANmaximumvalue.vlanvlan-list:setaper-VLANmaximumvalueonarangeofVLANsseparatedbyahyphenoraseriesofVLANsseparatedbycommas.FornonspecifiedVLANs,theper-VLANmaximumvalueisused.PortSecurityViolationConfigurationswitchportport-securitymac-addresssticky
Switch(config-if)#Enablesstickylearningontheinterface(optional)switchportport-securityviolation{protect|restrict|shutdown}
Switch(config-if)#Setstheviolationmode(optional)switchportport-securitymac-addressmac-address
Switch(config-if)#EntersastaticsecureMACaddressfortheinterface(optional)SwitchportPort-SecurityViolationParametersParameterDescriptionprotect(Optional)Setthesecurityviolationprotectmode.WhenthenumberofsecureMACaddressesreachesthelimitallowedontheport,packetswithunknownsourceaddressesaredroppeduntilyouremoveasufficientnumberofsecureMACaddressesorincreasethenumberofmaximumallowableaddresses.Youarenotnotifiedthatasecurityviolationhasoccurred.restrict(Optional)Setthesecurityviolationrestrictmode.WhenthenumberofsecureMACaddressesreachesthelimitallowedontheport,packetswithunknownsourceaddressesaredroppeduntilyouremoveasufficientnumberofsecureMACaddressesorincreasethenumberofmaximumallowableaddresses.Inthismode,youarenotifiedthatasecurityviolationhasoccurred.shutdown(Optional)Setthesecurityviolationshutdownmode.Inthismode,aportsecurityviolationcausestheinterfacetoimmediatelybecomeerror-disabledandturnsofftheportLED.ItalsosendsanSNMPtrap,logsasyslogmessage,andincrementstheviolationcounter.Whenasecureportisintheerror-disabledstate,youcanbringitoutofthisstatebyenteringtheerrdisablerecoverycause
psecure-violation
globalconfigurationcommand,oryoucanmanuallyre-enableitbyenteringtheshutdownandnoshutdowninterfaceconfigurationcommands.shutdown
vlanSetthesecurityviolationmodetoper-VLANshutdown.Inthismode,onlytheVLANonwhichtheviolationoccurrediserror-disabled.PortSecurityAgingConfigurationswitchportport-securityaging{static|timetime|type{absolute|inactivity}}
Switch(config-if)#EnablesordisablesstaticagingforthesecureportorsetstheagingtimeortypePortsecurityagingcanbeusedtosettheagingtimeforstaticanddynamicsecureaddressesonaport.Twotypesofagingaresupportedperport:absolute-Thesecureaddressesontheportaredeletedafterthespecifiedagingtime.inactivity-Thesecureaddressesontheportaredeletedonlyiftheyareinactiveforthespecifiedagingtime.SwitchportPort-SecurityAgingParametersParameterDescriptionstaticEnableagingforstaticallyconfiguredsecureaddressesonthisport.timetimeSpecifytheagingtimeforthisport.Therangeis0to1440minutes.Ifthetimeis0,agingisdisabledforthisport.typeabsoluteSetabsoluteagingtype.Allthesecureaddressesonthisportageoutexactlyafterthetime(minutes)specifiedandareremovedfromthesecureaddresslist.typeinactivitySettheinactivityagingtype.Thesecureaddressesonthisportageoutonlyifthereisnodatatrafficfromthesecuresourceaddressforthespecifiedtimeperiod.TypicalConfigurationswitchportmodeaccessswitchportport-securityswitchportport-securitymaximum2
switchportport-securityviolationshutdown switchportport-securitymac-addressstickyswitchportport-securityagingtime120Switch(config-if)#S2PCB(config)#errdisablerecoverycausepsecure-violation(config)#Errdiablerecoveryintervla1006.3.2VerifyingPortSecurityCLICommandsViewSecureMACAddressesMACAddressNotificationsw-class#showport-securitySecurePortMaxSecureAddrCurrentAddrSecurityViolationSecurityAction(Count)(Count)(Count)Fa0/12200ShutdownTotalAddressesinSystem(excludingonemacperport):0MaxAddresseslimitinSystem(excludingonemacperport):1024CLICommandssw-class#showport-securityinterfacef0/12PortSecurity:EnabledPortstatus:Secure-downViolationmode:ShutdownMaximumMACAddresses:2TotalMACAddresses:1ConfiguredMACAddresses:0Agingtime:120minsAgingtype:AbsoluteSecureStaticaddressaging:DisabledSecurityViolationCount:0ViewSecureMACAddressessw-class#showport-securityaddressSecureMacAddressTableVlanMacAddressTypePortsRemainingAge(mins)
10000.ffff.aaaaSecureConfiguredFa0/12-TotalAddressesinSystem(excludingonemacperport):0MaxAddresseslimitinSystem(excludingonemacperport):1024MACAddressNotification
MACaddressnotificationallowsmonitoringoftheMACaddresses,atthemoduleandportlevel,addedbytheswitchorremovedfromtheCAMtableforsecureports.NMSMACAMACBF1/1=MACAF1/2=MACBF2/1=MACD
(addressagesout)SwitchCAMTableSNMPtrapssenttoNMSwhennewMACaddressesappearorwhenoldonestimeout.MACDisaway
fromthenetwork.F1/2F1/1F2/1TheMACAddressNotificationfeaturesendsSNMPtrapstothenetworkmanagementstation(NMS)wheneveranewMACaddressisaddedtooranoldaddressisdeletedfromtheforwardingtables.MACAddressNotificationSwitch(config)#macaddress-tablenotificationSwitch(config-if)#snmptrapmac-notificationSwitch(config)#snmp-serverenabletrapsmac-notification6.3.3ConfiguringBPDUGuardandRootGuardConfigurePortfastBPDUGuardDisplaytheStateofSpanningTreeRootGuardVerifyRootGuardCausesaLayer2interfacetotransitionfromtheblockingtotheforwardingstateimmediately,bypassingthelisteningandlearningstates.UsedonLayer2accessportsthatconnecttoasingleworkstationorserver.Itallowsthosedevicestoconnecttothenetworkimmediately,insteadofwaitingforSTPtoconverge.Configuredusingthespanning-treeportfastcommand.PortFastConfigurePortfastCommand
DescriptionSwitch(config-if)#spanning-treeportfast
EnablesPortFastonaLayer2accessportandforcesittoentertheforwardingstateimmediately.Switch(config-if)#nospanning-treeportfast
DisablesPortFastonaLayer2accessport.PortFastisdisabledbydefault.Switch(config)#spanning-treeportfastdefaultGloballyenablesthePortFastfeatureonallnontrunkingports.Switch#showrunning-configinterfacetype
slot/portIndicateswhetherPortFasthasbeenconfiguredonaport.ServerWorkstationThefeaturekeepstheactivenetworktopologypredictable.ItprotectsaswitchednetworkfromreceivingBPDUsonportsthatshouldnotbereceivingthem.ReceivedBPDUsmightbeaccidentalorpartofanattack.IfaportconfiguredwithPortFastandBPDUGuardreceivesaBPDU,theswitchwillputtheportintothedisabledstate.BPDUguardisbestdeployedtowarduser-facingportstopreventrogueswitchnetworkextensionsbyanattackinghost.BPDUGuardBPDUGuardSwitch(config)#spanning-treeportfastbpduguarddefaultGloballyenablesBPDUguardonallportswithPortFastenabledFFFFFBRootBridgeBPDUGuardEnabledAttackerSTPBPDUDisplaytheStateofSpanningTreeSwitch#showspanning-treesummarytotals
Rootbridgefor:none.PortFastBPDUGuardisenabledUplinkFastisdisabledBackboneFastisdisabledSpanningtreedefaultpathcostmethodusedisshortNameBlockingListeningLearningForwardingSTPActive
1VLAN00011<outputomitted>ThefeaturepreventsinterfacesthatareinaPortFast-operationalstatefromsendingorreceivingBPDUs.TheinterfacesstillsendafewBPDUsatlink-upbeforetheswitchbeginstofilteroutboundBPDUs.Thefeaturecanbeconfiguredgloballyorattheinterfacelevel.GloballyenableBPDUfilteringonaswitchsothathostsconnectedtotheseinterfacesdonotreceiveBPDUs.IfaBPDUisreceivedonaPortFast-enabledinterfacebecauseitisconnectedtoaswitch,theinterfacelosesitsPortFast-operationalstatus,andBPDUfilteringisdisabled.Attheinterfacelevel,thefeaturepreventstheinterface
溫馨提示
- 1. 本站所有資源如無特殊說明,都需要本地電腦安裝OFFICE2007和PDF閱讀器。圖紙軟件為CAD,CAXA,PROE,UG,SolidWorks等.壓縮文件請(qǐng)下載最新的WinRAR軟件解壓。
- 2. 本站的文檔不包含任何第三方提供的附件圖紙等,如果需要附件,請(qǐng)聯(lián)系上傳者。文件的所有權(quán)益歸上傳用戶所有。
- 3. 本站RAR壓縮包中若帶圖紙,網(wǎng)頁內(nèi)容里面會(huì)有圖紙預(yù)覽,若沒有圖紙預(yù)覽就沒有圖紙。
- 4. 未經(jīng)權(quán)益所有人同意不得將文件中的內(nèi)容挪作商業(yè)或盈利用途。
- 5. 人人文庫網(wǎng)僅提供信息存儲(chǔ)空間,僅對(duì)用戶上傳內(nèi)容的表現(xiàn)方式做保護(hù)處理,對(duì)用戶上傳分享的文檔內(nèi)容本身不做任何修改或編輯,并不能對(duì)任何下載內(nèi)容負(fù)責(zé)。
- 6. 下載文件中如有侵權(quán)或不適當(dāng)內(nèi)容,請(qǐng)與我們聯(lián)系,我們立即糾正。
- 7. 本站不保證下載資源的準(zhǔn)確性、安全性和完整性, 同時(shí)也不承擔(dān)用戶因使用這些下載資源對(duì)自己和他人造成任何形式的傷害或損失。
最新文檔
- 2025內(nèi)蒙古自治區(qū)農(nóng)牧業(yè)科學(xué)院招聘控制數(shù)人員93人模擬試卷及答案詳解(新)
- 2025昆明市盤龍區(qū)東華街道社區(qū)服務(wù)中心見習(xí)崗位招錄(若干)模擬試卷帶答案詳解
- 2025遼寧沈陽市東北大學(xué)非教師崗位招聘25人模擬試卷及答案詳解(奪冠)
- 2025年河北雄安新區(qū)新建片區(qū)學(xué)校公開選聘教職人員102名模擬試卷及一套完整答案詳解
- 2025安徽蕪湖鳩江區(qū)招聘區(qū)屬國(guó)有企業(yè)領(lǐng)導(dǎo)人員擬聘用人員(二)模擬試卷及答案詳解(典優(yōu))
- 2025年執(zhí)法專業(yè)考試試題及答案
- 2025年杭州市臨安區(qū)部分醫(yī)療衛(wèi)生事業(yè)單位招聘工作人員35人考前自測(cè)高頻考點(diǎn)模擬試題含答案詳解
- 2025安徽阜陽市潁州區(qū)教育局面向本區(qū)教育系統(tǒng)選調(diào)專職教研員6人模擬試卷及答案詳解(奪冠系列)
- 2025江蘇宿遷市宿城區(qū)招聘公辦學(xué)校教師12人模擬試卷及答案詳解(考點(diǎn)梳理)
- 2025年黃山市徽州國(guó)有投資集團(tuán)有限公司招聘13人模擬試卷及1套完整答案詳解
- 安全強(qiáng)安考試題及答案
- 2026秋季國(guó)家管網(wǎng)集團(tuán)東北公司高校畢業(yè)生招聘筆試備考試題及答案解析
- 2025年10.13日少先隊(duì)建隊(duì)日主題班會(huì)課件薪火相傳強(qiáng)國(guó)有我
- 2025小學(xué)關(guān)于教育領(lǐng)域不正之風(fēng)和腐敗問題專項(xiàng)整治工作方案
- 2025年工會(huì)社會(huì)工作者招聘筆試模擬試題庫及答案
- 家鄉(xiāng)的變化課件
- 2025年甘肅省武威市涼州區(qū)發(fā)放鎮(zhèn)招聘專業(yè)化管理大學(xué)生村文書備考考試題庫附答案解析
- 2024年成人高等考試《政治》(專升本)試題真題及答案
- 暖通施工工程方案(3篇)
- 消化內(nèi)科常見疾病診療標(biāo)準(zhǔn)與流程
- 農(nóng)作物土地租賃合同5篇
評(píng)論
0/150
提交評(píng)論