第7个模块：最小化园区网的服务丢失数据窃听-1-理解交换机的安全问题 ccnp交换部分中文版 教学课件

最小化园区网的服务丢失和数据窃听,理解交换机的安全问题,交换机安全概览,Rogue Access Points,流氓化网络可能是:无线接入点无线网路由器访问层交换机Hubs这些是接入到访问层交换机的典型设备,交换机攻击种类,MAC层攻击VLAN 攻击欺骗攻击攻击交换机设备,MAC 泛洪攻击,端口安全,Port security restricts port access by MAC address.,在交换机上配置 Port Security,启用端口安全设置MAC地址限制定义允许的 MAC 地址定义违反以上MAC地址的动作,Switch(config-if)#switchport port-security maximum value violation protect | restrict | shutdown,Enables port security and specifies the maximum number of MAC addresses that can be supported by this port.,验证 Port Security,Switch#show port-security,Displays security information for all interfaces,Switch#show port-securitySecure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count)- Fa5/1 11 11 0 ShutdownFa5/5 15 5 0 RestrictFa5/11 5 4 0 Protect-Total Addresses in System: 21Max Addresses limit in System: 128,验证 Port Security (Cont.),Switch#show port-security interface type mod/port,Displays security information for a specific interface,Switch#show port-security interface fastethernet 5/1Port Security: EnabledPort status: SecureUpViolation mode: ShutdownMaximum MAC Addresses: 11Total MAC Addresses: 11Configured MAC Addresses: 3Aging time: 20 minsAging type: InactivitySecureStatic address aging: EnabledSecurity Violation count: 0,验证 Port Security (Cont.),Switch#show port-security address,Displays MAC address table security information,Switch#show port-security address Secure Mac Address Table-Vlan Mac Address Type Ports Remaining Age (mins)- - - - -1 0001.0001.0001 SecureDynamic Fa5/1 15 (I)1 0001.0001.0002 SecureDynamic Fa5/1 15 (I)1 0001.0001.1111 SecureConfigured Fa5/1 16 (I)1 0001.0001.1112 SecureConfigured Fa5/1 -1 0001.0001.1113 SecureConfigured Fa5/1 -1 0005.0005.0001 SecureConfigured Fa5/5 231 0005.0005.0002 SecureConfigured Fa5/5 231 0005.0005.0003 SecureConfigured Fa5/5 231 0011.0011.0001 SecureConfigured Fa5/11 25 (I)1 0011.0011.0002 SecureConfigured Fa5/11 25 (I)-Total Addresses in System: 10Max Addresses limit in System: 128,Port Security with Sticky MAC Addresses,Sticky MAC存储动态学习到的MAC.,AAA 网络配置,认证验证用户身份授权为用户定义允许的任务记帐(计费）提供帐单, 审计, 监测,认证方法,Enable passwordKerberos 5Kerberos 5-Telnet authenticationLine passwordLocal database,Local database with case sensitivity No authenticationRADIUSTACACS+,Switch(config)#aaa authentication login default | list-name method1 method2.,Creates a local authentication list,Cisco IOS AAA 支持以下认证方法:,802.1x 基于端口的认证,通过交换机访问网络要求认证,配置 802.1x,Switch(config)#aaa authentication dot1x default method1method2,Creates an 802.1x port-based authentication method list,Switch(config)#dot1x system-auth-control,Globally enables 802.1x port-based authentication,Switch(config)#interface type slot/port,Enters interface configuration mode,Switch(config-if)#dot1x port-control auto,Enables 802.1x port-based authentication on the interface,Switch(config)#aaa new-model,Enables AAA,总结,必需评估2层的安全，作为整个网络安全计划的1个子集 接入层的安全流氓化访问破坏网络安全交换机攻击有4类MAC泛洪攻