Catalyst 3560 Training
Presenter: 叶明

Agenda
• Catalyst 3560 overview
• Basic configuration
• Layer 2 configuration
• Layer 3 configuration
• Security features
• QoS features

Part 1: Catalyst 3560 Overview

Cisco Catalyst Switches: Industry's Most Comprehensive Portfolio
(Slide diagram: the four families are placed along an axis of density, functions, services and performance.)

Catalyst 6500 (industry-leading modular chassis)
  Deployment focus: core; distribution; data center access/core plus services; high-performance wiring closets
  • Multiple deployment and performance options
  • Highest availability and 10/100/1000 + GbE densities
  • Integrated WAN and advanced IP services modules
  • Wire-speed 10 GbE aggregation

Catalyst 4500 (mid-range modular chassis)
  Deployment focus: medium wiring closets; small/medium distribution/core; medium data center access/core; large/medium branch offices
  • Resilient Layer 3 switching with intelligent Layer 3 and 4 services
  • High-density 10/100/1000 Power over Ethernet modules
  • Media configuration flexibility with WAN connectivity options

Catalyst 3550/3560/3750 (advanced fixed configuration)
  Deployment focus: small wiring closets; medium branch office; small data center access; small network aggregation
  • Layer 3 switching with intelligent Layer 3 and 4 services
  • Resilient stacking options
  • Medium-density 10/100/1000 Power over Ethernet versions

Catalyst 2950/2970 (entry-level fixed configuration)
  Deployment focus: small wiring closets; small branch offices; industrial environments; classroom deployments
  • Layer 2 switching with intelligent Layer 3 and 4 services
  • Advanced cluster management
  • Fixed-configuration 10/100/1000
  • Redundant power option

Cisco Catalyst 3560 Model Overview
• Catalyst 3560-24PS: 24 10/100 PoE ports and 2 SFP ports (24 Fast Ethernet ports plus 2 Gigabit ports)
• Catalyst 3560-48PS: 48 10/100 PoE ports and 4 SFP ports (48 Fast Ethernet ports plus 4 Gigabit ports)

Supervisor Subsystem
• Hardware forwarding: IP routing and Ethernet switching
• The CPU handles protocol processing: IP routing protocols and STP
• Key point: a switch with Layer 3 capability maintains three tables: the IP routing table (on the router side), the CAM table (on the switch side; it determines how frames are switched between ports) and the ARP table (on the router side)
(Slide diagram: ports 1-12 labelled Access Port 1-9, Trunk Port 1, Routed Port 1 and Routed Port 2; VLAN 1, 2 and 3; SVI 1 and SVI 2; RP 1 and RP 2; Routing Function.)

Rich Feature Set
Intelligent Switching is a common foundation of capabilities across Cisco Catalyst switches:
• Performance and availability: wire-speed forwarding; no performance effect with all services enabled
• QoS: Layer 2, 3, 4 classification; policing and shaping; multiple queues; granular control
• Security: Layer 2, 3, 4 access control; identity-based authentication; management security
• Manageability: end-to-end manageability for centralized administration; web-based or command-line interface (CLI); analysis and planning tools

Part 2: Basic Configuration

Preparation
• Console cable, 9600 bps

Passwords
    (config)# enable secret xxxxx            privileged-mode password, stored encrypted
    (config)# enable password xxxxxx         privileged-mode password, stored in clear text
    (config-line)# password xxxx             line password (console/vty)
    (config-line)# login                     require the line password
    (config-line)# login local               authenticate against local usernames
    (config)# username xxx password xxx
    (config)# aaa authentication ...         centralized authentication (AAA)

Logging
    (config)# logging buffered               enable the log buffer
    (config)# logging x.x.x.x                send logs to host x.x.x.x
    (config)# service timestamps log datetime   record when each log entry occurred
    # show logging

Software Upgrade and Saving the Configuration
• Set up a TFTP server
    # copy tftp flash:                       download a file from the host to flash
    # show flash
    (config)# boot system flash:xxxxxxx      boot from the new image xxxxxxx
    # copy startup-config flash:             save the configuration to flash
    # copy startup-config tftp:              save the configuration to the TFTP server

Configuration Tips
• Copy and paste
• Up/down arrow keys recall command history
• Ctrl-A moves to the start of the line

Management Interface
    (config)# interface vlan 1
    (config-if)# ip address xxx.xxx.xxx.xxx  management address (followed by its subnet mask)
    (config)# ip default-gateway ...         default gateway

Physical Port Configuration
• Speed
• Duplex

Part 3: Layer 2 Configuration

Creating VLANs
• By default every port belongs to VLAN 1 (used for management)
    (config)# vlan x
    (config-vlan)# name xxx
    # show vlan

VLAN Assignment
• User ports:
    (config)# interface f0/x
    (config-if)# switchport mode access      the port belongs to a single VLAN
    (config-if)# switchport access vlan x
    # show vlan
• Uplink ports:
    (config)# interface f0/x
    (config-if)# switchport trunk encapsulation dot1q   on the 3560 the encapsulation must be set before the mode
    (config-if)# switchport mode trunk       the port carries multiple VLANs
    # show interfaces f0/x switchport
    # show interfaces f0/x trunk

Part 4: Layer 3 Configuration

Creating Layer 3 Interfaces
    (config-if)# no switchport               turn a physical port into a routed port
    (config)# interface vlan x               SVI
    # show ip interface brief                check whether the Layer 3 interface is up

Running Layer 3 Routing Protocols
    (config)# ip routing
• OSPF, RIP, IGRP, EIGRP, static routes

Routing Protocol Configuration
    (config)# router ospf xxx                create the routing process
    (config-router)# network x.x.x.x <wildcard> area 0
    # show ip route

Static Route Configuration
    (config)# ip route x.x.x.x 255.255.x.x <gateway>
• Static routes must be configured in both directions: the originating router and the router at the far end each need a route, otherwise return traffic has no path

Part 5: Security Features

Security Agenda
• MAC security: a user maliciously floods the CAM table; mitigation: limit how many MAC addresses a user port may learn
• VLAN security: VLAN 1 is a risk in itself; hosts in VLAN 1 can reach the hosts of all other VLANs, so VLAN 1 is generally not used for production traffic
• DHCP security: an attacker in the same VLAN impersonates the DHCP server; mitigation: allow DHCP server responses on one designated port only
• ARP security and IP/MAC spoofing: address-mapping risks; mitigation: bind IP addresses to MAC addresses
• STP security (spanning tree)
• Other Layer 2 security

MAC Attacks: CAM Overflow (3/3)
(Slide diagram: hosts with MAC A, B and C on ports 1, 2 and 3. After the flood the CAM table reads MAC X port 3, MAC Y port 3, MAC C port 3. A sends to B; B is unknown, so the switch floods the frame, and the host on port 3 says "I see traffic to B!".)

MAC Flooding Attack Mitigation
• Port security: capabilities are dependent on the platform
• Allows you to specify MAC addresses for each port, or to learn a certain number of MAC addresses per port
• Upon detection of an invalid MAC the switch can be configured to block only the offending MAC or just shut down the port
• Port security prevents macof from flooding the CAM table
Reference: /univercd/cc/td/doc/product/lan/cat5000/rel_5_4/config/sec_port.htm

Countermeasures for MAC Attacks: Port Security Limits the Amount of MACs on an Interface
(Slide diagram: 132,000 bogus MACs such as 00:0e:00:aa:aa:aa and 00:0e:00:bb:bb:bb arrive on a port where only 3 MAC addresses are allowed: shutdown.)
• Solution: port security limits the MAC flooding attack, locks down the port and sends an SNMP trap

Port Security: Example Config
• 3 MAC addresses encompass the phone, the switch in the phone, and the PC
• "Restrict" rather than "error disable" to allow only 3, and log more than 3
    CatOS
    set port security 5/1 enable
    set port security 5/1 port max 3
    set port security 5/1 violation restrict
    set port security 5/1 age 2
    set port security 5/1 timer-type inactivity
    IOS
    switchport port-security
    switchport port-security maximum 3
    switchport port-security violation restrict
    switchport port-security aging time 2
    switchport port-security aging type inactivity

VLAN "Hopping" Attacks: Trunk Port Refresher
• Trunk ports have access to all VLANs by default
• Used to route traffic for multiple VLANs across the same physical link (generally used between switches)
• Encapsulation can be 802.1Q or ISL

Disabling Auto-Trunking
• Defaults change depending on switch; always check. From the Cisco docs: "The default mode is dependent on the platform"
    CatOS> (enable) set trunk <mod/port> off     or     set port host <mod/port>
    IOS(config-if)# switchport mode access
• To check from the CLI:
    CatOS> (enable) show trunk [mod|mod/port]
    IOS# show interface <type number> switchport

Attacks and Countermeasures: DHCP Attacks

DHCP Function: High Level
• Server dynamically assigns IP addresses on demand
• Administrator creates pools of addresses available for assignment
• Address is assigned with a lease time
• DHCP delivers other configuration information in options

DHCP Attack Types: DHCP Starvation Attack
• Gobbler looks at the entire DHCP scope and tries to lease all of the DHCP addresses available in the DHCP scope
• This is a Denial of Service (DoS) attack using DHCP leases

Countermeasures for DHCP Attacks: DHCP Starvation Attack = Port Security
• Gobbler uses a new MAC address to request a new DHCP lease
• Restrict the number of MAC addresses on a port
• It will not be able to lease more IP addresses than MAC addresses allowed on the port
• In the example the attacker would get 1 IP address from the DHCP server
    CatOS
    set port security 5/1 enable
    set port security 5/1 port max 1
    set port security 5/1 violation restrict
    set port security 5/1 age 2
    set port security 5/1 timer-type inactivity
    IOS
    switchport port-security
    switchport port-security maximum 1
    switchport port-security violation restrict
    switchport port-security aging time 2
    switchport port-security aging type inactivity

Countermeasures for DHCP Attacks: Rogue DHCP Server = DHCP Snooping
• By default all ports in the VLAN are untrusted
(Slide diagram: DHCP snooping enabled; the port toward the DHCP server is trusted, the ports toward the client and the rogue server are untrusted. DHCP responses (offer, ack, nak) from an untrusted port are bad and dropped; the same responses from the trusted port are OK.)
• DHCP snooping untrusted client, interface commands:
    no ip dhcp snooping trust                (default)
    ip dhcp snooping limit rate 10           (pps)
• IOS global commands:
    ip dhcp snooping vlan 4,104
    no ip dhcp snooping information option
    ip dhcp snooping
• DHCP snooping trusted server or uplink, interface commands:
    ip dhcp snooping trust

ARP Attacks: Gratuitous ARP
• Gratuitous ARP is used by HA network devices to inform clients when a failover has occurred; some network devices cache gARP info even if the device doesn't have an immediate need to communicate with the system
• Gratuitous ARP is a broadcast packet (like an ARP request)
• Host W: "Hey everyone, I'm host W, my IP address is ... and my MAC address is 12:34:56:78:9A:BC" (received by hosts V, X, Y and Z)

Misuse of Gratuitous ARP
• ARP has no security or ownership of IP or MAC addresses
• What if we did the following? Host W broadcasts "I'm ... with MAC 12:34:56:78:9A:BC"; (wait 5 seconds); Host W broadcasts "I'm ... with MAC 12:34:56:78:9A:BC"
(Slide diagram: a /24 subnet with the gateway at .1, Host Y at .2, Host X at .3 and Host W at .4.)

Countermeasures to ARP Attacks: Dynamic ARP Inspection
• Uses the DHCP snooping binding table information
• All ARP packets must match the IP/MAC binding table entries; if the entries do not match, throw them in the bit bucket
(Slide diagram: DHCP snooping enabled and Dynamic ARP Inspection enabled; hosts MAC A, MAC B and MAC C; ARP packets saying that an address is MAC C are checked against the table, and non-matching ARPs go in the bit bucket.)
• Uses the information from the DHCP snooping binding table; looks at the MacAddress and IpAddress fields to see if the ARP from the interface is in the binding; if not, traffic is blocked
    sh ip dhcp snooping binding
    MacAddress IpAddress Lease(sec) Type VLAN Interface
    - - - - - -
    00:03:47:B5:9F:AD 0 193185 dhcp-snooping 4 FastEthernet3/18
    00:03:47:c4:6f:83 1 213454 dhcp-snooping 4 FastEthermet3/21

Dynamic ARP Inspection Commands
• IOS global commands:
    ip dhcp snooping vlan 4,104
    no ip dhcp snooping information option
    ip dhcp snooping
    ip arp inspection vlan 4,104
    ip arp inspection log-buffer entries 1024
    ip arp inspection log-buffer logs 1024 interval 10
• Interface commands (trusted):
    ip dhcp snooping trust
    ip arp inspection trust
• IOS interface commands (untrusted):
    no ip arp inspection trust               (default)
    ip arp inspection limit rate 15          (pps)

ARP Spoof Mitigation (Cont.): Private VLANs
(Slide diagram: one primary VLAN containing a promiscuous port, community VLANs A and B, and isolated ports in an isolated VLAN; only one subnet.)
• PVLANs isolate traffic in specific communities to create distinct "networks" within a normal VLAN
• Note: most inter-host communication is disabled with PVLANs turned on
Reference: /univercd/cc/td/doc/product/lan/cat6000/sw_7_1/conf_gd/vlans.htm#xtocid854519

Attacks and Countermeasures: Spoofing Attacks

Countermeasures to Spoofing Attacks: IP Source Guard
• Uses the DHCP snooping binding table information
• IP Source Guard operates just like Dynamic ARP Inspection, but looks at every packet, not just ARP packets
(Slide diagram: DHCP snooping, Dynamic ARP Inspection and IP Source Guard enabled; hosts MAC A, MAC B and MAC C; traffic sent with the IP and MAC of B or C is compared with the bindings, and non-matching traffic is dropped.)

Spanning Tree Attacks: Spanning Tree Basics
• STP is very simple. Messages are sent using Bridge Protocol Data Units (BPDUs); basic messages include configuration and topology change notification/acknowledgment (TCN/TCA); most have no "payload"
• Avoiding loops ensures broadcast traffic does not become storms
• A switch is elected as root; root selection is based on the lowest configured priority of any switch (0-65535)
• A tree-like loop-free topology is established from the perspective of the root bridge
• STP purpose: to maintain loop-free topologies in a redundant Layer 2 infrastructure
(Slide diagram: root bridge at the top, ports marked F (forwarding) and B (blocking), one redundant link marked X.)

Spanning Tree Attack Example (2/2)
• The attacker sends BPDU messages to become root bridge (slide diagram: the attacker is dual-homed to two access switches, and the root moves from the real root to the attacker)
• The attacker then sees frames he shouldn't; MITM, DoS, etc. are all possible
• Any attack is very sensitive to the original topology, trunking, PVST, etc.
• Although STP takes link speed into consideration, it is always done from the perspective of the root bridge; taking a Gb backbone to half-duplex 10 Mb was verified
• Requires that the attacker is dual-homed to two different switches (with a hub, it can be done with just one interface on the attacking host)

STP Attack Mitigation
• Don't disable STP; introducing a loop would become another attack
• BPDU Guard: disables ports using portfast upon detection of a BPDU message on the port; globally enabled on all ports running portfast
  Available in CatOS 5.4.1 for Cat 2K, 4K, 5K and 6K; 12.0XE for native IOS 6K; 12.1(8a)EW for 4K IOS; 12.1(4)EA1 for 3550; 12.1(6)EA2 for 2950
• Root Guard: disables ports that would become the root bridge due to their BPDU advertisement
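The CAM-overflow and DHCP-starvation slides above describe port security in words. The Python model below is an added example written for this page; it is not Cisco's code and not part of the original deck. It assumes a bounded CAM table (CAM_CAPACITY is a constructed value far below a real switch's), an attacker on a port named Fa0/3, and a plain list standing in for the SNMP trap / syslog the slides mention; the violation-mode names protect, restrict and shutdown follow the IOS keywords used in the slides' example config. The scenario runs twice, without and with port security, so that the difference in what the attacker's port receives is visible in the return value.

```python
from dataclasses import dataclass, field
from typing import Optional

CAM_CAPACITY = 1000          # constructed; a real CAM table holds tens of thousands of entries
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class PortSecurity:
    maximum: int = 3             # switchport port-security maximum 3
    violation: str = "restrict"  # protect | restrict | shutdown (IOS keywords)


@dataclass
class Port:
    name: str
    security: Optional[PortSecurity] = None
    secure_macs: set = field(default_factory=set)
    err_disabled: bool = False


class Switch:
    """Minimal switch: a bounded CAM table plus per-port port-security (model, not Cisco code)."""

    def __init__(self, ports, cam_capacity=CAM_CAPACITY):
        self.ports = {p.name: p for p in ports}
        self.cam = {}                # MAC -> port name (the CAM table)
        self.cam_capacity = cam_capacity
        self.traps = []              # stand-in for the syslog message / SNMP trap

    def age_out(self):
        """Simplified MAC aging: forget every dynamically learned entry at once."""
        self.cam.clear()

    def _port_security_allows(self, port, src):
        sec = port.security
        if sec is None or src in port.secure_macs:
            return True
        if len(port.secure_macs) < sec.maximum:
            port.secure_macs.add(src)        # learn up to 'maximum' secure MACs
            return True
        if sec.violation == "shutdown":      # err-disable the port on the first offender
            port.err_disabled = True
            self.traps.append(f"{port.name}: violation by {src}, port err-disabled")
        elif sec.violation == "restrict":    # drop the offending frame and log it
            self.traps.append(f"{port.name}: violation by {src}, frame dropped")
        return False                         # protect: drop silently

    def receive(self, port_name, src, dst):
        """Switch one frame; returns ('dropped', None), ('unicast', port) or ('flood', ports)."""
        port = self.ports[port_name]
        if port.err_disabled or not self._port_security_allows(port, src):
            return ("dropped", None)
        if src not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src] = port_name        # a full table cannot learn new sources
        out = self.cam.get(dst)
        if out is not None and dst != BROADCAST:
            return ("unicast", out)
        others = sorted(p for p in self.ports if p != port_name)
        return ("flood", others)             # unknown unicast is flooded like a broadcast


def cam_overflow_scenario(port_security_on):
    """Attacker on Fa0/3 sprays bogus source MACs; then A (Fa0/1) sends to B (Fa0/2)."""
    attacker_port = Port("Fa0/3", PortSecurity(3, "shutdown") if port_security_on else None)
    sw = Switch([Port("Fa0/1"), Port("Fa0/2"), attacker_port])
    sw.receive("Fa0/2", "MAC-B", "MAC-A")            # B is learned on Fa0/2
    for i in range(2 * CAM_CAPACITY):                # macof-style flood of bogus sources
        sw.receive("Fa0/3", f"bogus-{i:06x}", BROADCAST)
    sw.age_out()                                     # B's entry expires ...
    for i in range(2 * CAM_CAPACITY):                # ... while the flood keeps the table full
        sw.receive("Fa0/3", f"bogus-{i:06x}", BROADCAST)
    sw.receive("Fa0/2", "MAC-B", "MAC-A")            # B tries to be re-learned
    a_to_b = sw.receive("Fa0/1", "MAC-A", "MAC-B")   # does the attacker's port get this frame?
    return {
        "attacker_disabled": attacker_port.err_disabled,
        "cam_entries": len(sw.cam),
        "a_to_b": a_to_b,
        "attacker_sees_a_to_b": a_to_b[0] == "flood" and "Fa0/3" in a_to_b[1],
        "traps": len(sw.traps),
    }


if __name__ == "__main__":
    for on in (False, True):
        print("port security", "on " if on else "off", cam_overflow_scenario(on))
```

With port security off the table is full of bogus entries, B cannot be re-learned and the A-to-B frame is flooded to Fa0/3; with maximum 3 and violation shutdown the attacker's fourth source MAC err-disables Fa0/3, the CAM holds only the real hosts, and A-to-B stays unicast on Fa0/2. The same mechanism with maximum 1 is what the DHCP-starvation slide relies on: Gobbler's second source MAC is a violation, so it can lease at most one address.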
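The DHCP snooping, Dynamic ARP Inspection and IP Source Guard slides all rest on one data structure, the DHCP snooping binding table, so one added example serves all three. It is Python written for this page, not Cisco's implementation and not from the deck. The binding output is constructed in the layout of `show ip dhcp snooping binding` with made-up addresses, because the IP column of the slide's own output did not survive extraction; the trusted uplink name GigabitEthernet0/1 and the protected VLANs 4 and 104 are assumptions standing in for the `ip dhcp snooping trust`, `ip arp inspection trust` and `... vlan 4,104` commands shown above. The check is simplified to the fields the slides name (MacAddress, IpAddress, VLAN, interface); rate limiting and option-82 handling are left out.

```python
import re

# Constructed sample in the layout of 'show ip dhcp snooping binding'; the addresses are made up.
BINDING_OUTPUT = """\
MacAddress          IpAddress      Lease(sec)  Type           VLAN  Interface
------------------  -------------  ----------  -------------  ----  ----------------
00:03:47:B5:9F:AD   10.120.4.10    193185      dhcp-snooping  4     FastEthernet3/18
00:03:47:C4:6F:83   10.120.4.11    213454      dhcp-snooping  4     FastEthernet3/21
"""

# Assumed switch configuration, made concrete for the model:
TRUSTED_PORTS = {"GigabitEthernet0/1"}   # ip dhcp snooping trust + ip arp inspection trust
PROTECTED_VLANS = {4, 104}               # ip dhcp snooping vlan 4,104 / ip arp inspection vlan 4,104
DHCP_SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}

BINDING_RE = re.compile(
    r"^([0-9A-Fa-f:]{17})\s+(\d+(?:\.\d+){3})\s+\d+\s+dhcp-snooping\s+(\d+)\s+(\S+)",
    re.MULTILINE)


def parse_bindings(output):
    """Parse binding-table output into {(vlan, mac): (ip, interface)}."""
    return {(int(vlan), mac.lower()): (ip, iface)
            for mac, ip, vlan, iface in BINDING_RE.findall(output)}


def inspect(bindings, pkt):
    """Apply DHCP snooping, DAI and IP Source Guard to one ingress packet.

    pkt has 'kind' in {'dhcp', 'arp', 'ip'}, 'interface', 'vlan', and either
    'message' (DHCP) or 'mac'/'ip' (the claimed ARP sender or IP source).
    Returns (verdict, reason).
    """
    iface, vlan = pkt["interface"], pkt["vlan"]
    if vlan not in PROTECTED_VLANS:
        return ("permit", "vlan not inspected")
    if pkt["kind"] == "dhcp":
        # DHCP snooping: server messages may only arrive on a trusted port
        if pkt["message"].upper() in DHCP_SERVER_MESSAGES and iface not in TRUSTED_PORTS:
            return ("drop", "DHCP server message on untrusted port")
        return ("permit", "dhcp ok")
    if iface in TRUSTED_PORTS:
        return ("permit", "trusted port")
    entry = bindings.get((vlan, pkt["mac"].lower()))
    if entry is None or entry[0] != pkt["ip"]:
        # DAI for ARP, IP Source Guard for everything else: no binding, no forwarding
        feature = "DAI" if pkt["kind"] == "arp" else "IP Source Guard"
        return ("drop", f"{feature}: {pkt['ip']}/{pkt['mac']} not in binding table")
    if pkt["kind"] == "ip" and entry[1] != iface:
        return ("drop", f"IP Source Guard: {pkt['ip']} is bound to {entry[1]}, seen on {iface}")
    return ("permit", "matches binding")


# Constructed traffic: a legitimate client, a rogue DHCP server and an ARP/IP spoofer.
SAMPLE_PACKETS = [
    {"kind": "dhcp", "interface": "FastEthernet3/18", "vlan": 4, "message": "DISCOVER"},
    {"kind": "dhcp", "interface": "GigabitEthernet0/1", "vlan": 4, "message": "OFFER"},
    {"kind": "dhcp", "interface": "FastEthernet3/21", "vlan": 4, "message": "OFFER"},
    {"kind": "arp", "interface": "FastEthernet3/18", "vlan": 4,
     "mac": "00:03:47:b5:9f:ad", "ip": "10.120.4.10"},
    {"kind": "arp", "interface": "FastEthernet3/21", "vlan": 4,
     "mac": "00:03:47:c4:6f:83", "ip": "10.120.4.1"},       # claims the gateway's address
    {"kind": "ip", "interface": "FastEthernet3/21", "vlan": 4,
     "mac": "00:03:47:c4:6f:83", "ip": "10.120.4.10"},      # borrows the neighbour's address
    {"kind": "ip", "interface": "FastEthernet3/18", "vlan": 4,
     "mac": "00:03:47:b5:9f:ad", "ip": "10.120.4.10"},
]


def run(output=BINDING_OUTPUT, packets=SAMPLE_PACKETS):
    """Return the verdict for each sample packet, in order."""
    bindings = parse_bindings(output)
    return [inspect(bindings, p)[0] for p in packets]


if __name__ == "__main__":
    table = parse_bindings(BINDING_OUTPUT)
    for p in SAMPLE_PACKETS:
        print(p["kind"], p["interface"], inspect(table, p))
```

Read the verdict list top to bottom: the client's DISCOVER and the real server's OFFER pass, the OFFER from the untrusted port is dropped by snooping, the correct ARP passes, the ARP claiming the gateway is dropped by DAI, the IP packet with a borrowed source is dropped by IP Source Guard, and the legitimate IP packet passes. Trusted ports skip DAI and IPSG entirely, which is why the uplink to the real server must be the only trusted port.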
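The STP attack and mitigation slides describe how BPDU Guard and Root Guard react to an unexpected BPDU. The model below is an added Python example for this page, not Cisco's STP implementation and not from the deck. It keeps only the root-election comparison (lower priority wins, then lower MAC) and the two guard reactions; the port flags stand in for the IOS commands `spanning-tree portfast bpduguard default` (global) and `spanning-tree guard root` (interface), and the bridge MACs, port names and priorities are constructed.

```python
from dataclasses import dataclass


@dataclass(order=True, frozen=True)
class BridgeId:
    """STP bridge ID: the lower priority wins, ties broken by the lower MAC."""
    priority: int
    mac: str


@dataclass
class StpPort:
    name: str
    portfast: bool = False      # spanning-tree portfast: edge port toward a host
    root_guard: bool = False    # spanning-tree guard root on this interface
    state: str = "forwarding"   # forwarding | err-disabled | root-inconsistent


class StpSwitch:
    """Root election only, plus the BPDU Guard and Root Guard reactions (model, not Cisco code)."""

    def __init__(self, priority, mac, bpduguard_default=True):
        self.bridge_id = BridgeId(priority, mac)
        self.root_id = self.bridge_id               # we are root until a better BPDU arrives
        self.bpduguard_default = bpduguard_default  # spanning-tree portfast bpduguard default
        self.ports = {}
        self.log = []                               # constructed stand-in for syslog

    def add_port(self, port):
        self.ports[port.name] = port

    def receive_bpdu(self, port_name, root_priority, root_mac):
        """Process one configuration BPDU; returns the port's resulting state."""
        port = self.ports[port_name]
        advertised = BridgeId(root_priority, root_mac)
        if port.portfast and self.bpduguard_default:
            # BPDU Guard: a portfast port must never see a BPDU, whatever it claims
            port.state = "err-disabled"
            self.log.append(f"{port.name}: BPDU on portfast port, err-disabled")
        elif port.root_guard and advertised < self.root_id:
            # Root Guard: a superior BPDU here would move the root; block the port instead
            port.state = "root-inconsistent"
            self.log.append(f"{port.name}: superior BPDU from {root_mac}, root-inconsistent")
        elif advertised < self.root_id:
            # Unprotected port: the root really moves, as in the attack slide
            self.root_id = advertised
            self.log.append(f"{port.name}: new root {root_mac} (priority {root_priority})")
        return port.state

    def bpdus_stopped(self, port_name):
        """Root Guard recovers by itself once superior BPDUs stop; BPDU Guard does not."""
        port = self.ports[port_name]
        if port.state == "root-inconsistent":
            port.state = "forwarding"
        return port.state


def root_takeover_scenario(guard):
    """guard is 'none', 'bpduguard' or 'rootguard'; returns the root and the access port state."""
    sw = StpSwitch(32768, "00:00:00:00:00:aa")                # default priority 32768
    sw.add_port(StpPort("Gi0/1"))                              # uplink toward the real root
    sw.add_port(StpPort("Fa0/5", portfast=(guard == "bpduguard"),
                        root_guard=(guard == "rootguard")))   # access port with a host
    sw.receive_bpdu("Gi0/1", 4096, "00:00:00:00:00:01")       # legitimate root, priority 4096
    state = sw.receive_bpdu("Fa0/5", 0, "00:00:00:00:00:ee")  # rogue BPDU claiming priority 0
    return {"root": (sw.root_id.priority, sw.root_id.mac), "fa0/5": state, "log": sw.log}


if __name__ == "__main__":
    for guard in ("none", "bpduguard", "rootguard"):
        print(guard, root_takeover_scenario(guard))
```

With no guard the rogue BPDU wins the election and the root moves to the access port; with BPDU Guard the port is err-disabled before the claim is even evaluated; with Root Guard the port goes root-inconsistent and the real root is kept. The slides' advice not to disable STP is reflected in the model too: the switch still processes the legitimate BPDU on Gi0/1 in every case.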
