Optimizing and Securing Multilayer Switched Networks
Module 9

Optimizing Multilayer Switched Networks
2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 9-2

Objectives
Upon completing this lesson, you will be able to:
- Describe techniques to enhance the performance of a multilayer switched network
- Monitor switch ports using SPAN and VSPAN
- Monitor switch ports using RSPAN
- Describe the features and operation of network analysis modules on Catalyst switches to improve network traffic management
- Verify and troubleshoot the operation of network analysis modules

Enhancing Network Performance
- Gather a baseline.
- Perform a what-if analysis.
- Perform exception reporting for capacity issues.
- Determine the network management overhead.
- Analyze the capacity information.
- Periodically review capacity information.
- Have upgrade or tuning procedures set up.

Switched Port Analyzer

Configuring SPAN

    Switch(config)# monitor session session_num source {interface type/num | vlan num} [, | - | rx | tx | both]

Configures a SPAN session to monitor traffic

    Switch(config)# monitor session session_number destination {interface type/num [, | -] | vlan num}

Configures the destination for a SPAN session

Remote SPAN

Configuring RSPAN

    Switch(config)# vlan vlan-number

Enters configuration mode for a specific VLAN

    Switch(config-vlan)# remote-span

Enables RSPAN for the VLAN

Verifying SPAN and RSPAN

    Switch# show monitor session session_number [detail]

Displays SPAN session information

    Switch# show monitor session 2
    Session 2
    ---------
    Type : Remote Source Session
    Source Ports:
        RX Only:       Fa3/1
    Dest RSPAN VLAN:   901

    Switch# show monitor session 2 detail
    Session 2
    ---------
    Type : Remote Source Session
    Source Ports:
        RX Only:       Fa1/1-3
        TX Only:       None
        Both:          None
    Source VLANs:
        RX Only:       None
        TX Only:       None
        Both:          None
    Source RSPAN VLAN: None
    Destination Ports: None
    Filter VLANs:      None
    Dest RSPAN VLAN:   901

Network Analysis Module

NAM Initial Configuration
- Assign parameters:
  - IP address
  - Subnet mask
  - IP broadcast address
  - IP host name
  - Default gateway
  - Domain name
  - DNS name server
  - SNMP (MIB variables, access control, system group settings)
- Start the web server

Configuring NAM

    Switch(config)# interface gi 8/0
    Switch(config-if)# switchport access vlan 93
    Switch(config-if)# end
    Switch(config)# monitor session 1 destination interface gi 8/1
    root@localhost# autostart addressmap enable

    root@localhost# autostart collection enable

Enables a collection type

Verifying NAM

    Switch# show module

Displays information about installed modules

    Switch# show module
    Mod Ports Card Type                             Model            Serial No.
    --- ----- ------------------------------------- ---------------- -----------
      2     2 Catalyst 6000 supervisor 2 (Active)   WS-X6K-SUP2-2GE  SAD0410050B
      3    48 48 port 10/100 mb RJ-45 ethernet      WS-X6248-RJ-45   SAD03080485
      5     2 Network Analysis Module               WS-X6380-NAM     SAD05130AXB
      7     2 Intrusion Detection System            WS-X6381-IDS     SAD05100HPT

    Switch# show interface GigabitEthernet slot/{1 | 2}

Displays NAM interface information

Summary
- Performance management maintains internetwork performance at acceptable levels by measuring and managing various network performance variables.
- SPAN selects and copies network traffic to send to a network analyzer.
- Remote SPAN is a variation of SPAN that sends monitored traffic through an intermediate switch rather than directly to the traffic analyzer.
- A NAM uses SNMP RMON information to monitor and analyze network traffic.
- Use the show commands to verify NAM configuration.

Securing Multilayer Switched Networks

Objectives
Upon completing this lesson, you will be able to:
- Explain basic security concepts for the multilayer switched network
- Configure authentication, authorization, and accounting on Catalyst switches
- Configure port security and port-based authentication with 802.1X
- Verify the network access security configuration
- Configure VLAN access lists
- Verify the VLAN access list security configuration

Recommended Switch Security
- Set system passwords
- Configure basic ACLs
- Secure physical access to the console
- Secure access to VTYs
- Configure system warning banners
- Disable unneeded services
- SSH
- Trim CDP
- Disable the integrated HTTP daemon
- Configure basic logging
- Secure SNMP
- Limit trunking connections
- Secure the spanning-tree topology

AAA Network Configuration
- Authentication: Verifies a user's identity
- Authorization: Specifies the permitted tasks for the user
- Accounting: Provides billing, auditing, and monitoring

Configuring Authentication

    Switch(config)# aaa new-model

Enables AAA globally

    Switch(config)# aaa authentication login {default | list-name} method1 [method2...]

Creates a local authentication list

    Switch(config)# line [aux | console | tty | vty] line-number [ending-line-number]

Enters line configuration mode

    Switch(config-line)# login authentication {default | list-name}

Applies the authentication list to a line

Configuring Authorization

    Switch(config)# aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration | ipmobile} {default | list-name} method1 [method2...]

Creates an authorization method list and enables authorization

    Switch(config)# interface interface-type interface-number

Enters interface configuration mode

    Switch(config-if)# ppp authorization {default | list-name}

Applies the named authorization method list to the interface

Configuring Accounting

    Switch(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} method1 [method2...]

Creates an accounting method list and enables accounting

    Switch(config)# interface interface-type interface-number

Enters interface configuration mode

    Switch(config-if)# ppp accounting {default | list-name}

Applies the named accounting method list to the interface

Network Access Port Security
Port security is a MAC address lockdown that disables the port if the MAC address is not valid.

Enabling Port Security

    Switch(config-if)# switchport port-security [maximum value] violation {protect | restrict | shutdown}

Enables port security and specifies the maximum number of MAC addresses that can be supported by this port

802.1X Port-Based Authentication
Restricts unauthorized clients from connecting to a LAN through publicly accessible ports

Configuring 802.1X Port-Based Authentication

    Switch(config)# aaa authentication dot1x {default} method1 [method2...]

Creates an 802.1X port-based authentication method list

    Switch(config)# dot1x system-auth-control

Globally enables 802.1X port-based authentication

    Switch(config)# interface type slot/port

Enters interface configuration mode

    Switch(config-if)# dot1x port-control auto

Enables 802.1X port-based authentication on the interface

Verifying Port Security

    Switch# show port-security

Displays security information for all interfaces

    Switch# show port-security
    Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)       (Count)          (Count)
    ---------------------------------------------------------------------------
          Fa5/1        11            11            0             Shutdown
          Fa5/5        15             5            0             Restrict
         Fa5/11         5             4            0             Protect
    ---------------------------------------------------------------------------
    Total Addresses in System: 21
    Max Addresses limit in System: 128

Verifying Port Security (Cont.)

    Switch# show port-security interface interface x/y

Displays security information for a specific interface

    Switch# show port-security interface fastethernet 5/1
    Port Security: Enabled
    Port status: SecureUp
    Violation mode: Shutdown
    Maximum MAC Addresses: 11
    Total MAC Addresses: 11
    Configured MAC Addresses: 3
    Aging time: 20 mins
    Aging type: Inactivity
    SecureStatic address aging: Enabled
    Security Violation count: 0

Verifying Port Security (Cont.)

    Switch# show port-security address

Displays MAC address table security information

    Switch# show port-security address
              Secure Mac Address Table
    -------------------------------------------------------------------
    Vlan    Mac Address       Type                Ports   Remaining Age
                                                            (mins)
    -------------------------------------------------------------------
       1    0001.0001.0001    SecureDynamic       Fa5/1      15 (I)
       1    0001.0001.0002    SecureDynamic       Fa5/1      15 (I)
       1    0001.0001.1111    SecureConfigured    Fa5/1      16 (I)
       1    0001.0001.1112    SecureConfigured    Fa5/1      -
       1    0001.0001.1113    SecureConfigured    Fa5/1      -
       1    0005.0005.0001    SecureConfigured    Fa5/5      23
       1    0005.0005.0002    SecureConfigured    Fa5/5      23
       1    0005.0005.0003    SecureConfigured    Fa5/5      23
       1    0011.0011.0001    SecureConfigured    Fa5/11     25 (I)
       1    0011.0011.0002    SecureConfigured    Fa5/11     25 (I)
    -------------------------------------------------------------------
    Total Addresses in System: 10
    Max Addresses limit in System: 128

Types of ACLs

Configuring VACLs

    Switch(config)# vlan access-map map_name [seq#]

Defines a VLAN access map

    Switch(config-access-map)# match {ip address {1-199 | 1300-2699 | acl_name} | ipx address {800-999 | acl_name} | mac address acl_name}

Configures the match clause in a VLAN access map sequence

    Switch(config-access-map)# action {drop [log] | forward [capture] | redirect {type slot/port | port-channel channel_id}}

Configures the action clause in a VLAN access map sequence

    Switch(config)# vlan filter map_name vlan_list list

Applies the VLAN access map to the specified VLANs

Customer VLAN Requirements
- ISP customers require:
  - Internet access for multiple servers
  - Isolation from other customers
  - Communication between servers
- Traditional solution: one VLAN and IP subnet per customer
  - High resource requirements
  - Limited scalability
  - High management complexity

Private VLANs

PVLAN Ports and Types
- Private VLAN ports:
  - Promiscuous: Can communicate with all other ports
  - Isolated: Can only communicate with promiscuous ports
  - Community: Can communicate with other members of community and all promiscuous ports
- Private VLAN types:
  - Primary: Used by promiscuous ports to communicate with all other ports in the private VLAN
  - Isolated: Used by isolated ports to communicate with promiscuous ports
  - Community: Used by community ports to communicate with each other and promiscuous ports

Configuring Private VLANs

    Switch(config-vlan)# private-vlan {primary | isolated | community}

Configures a VLAN as a private VLAN

    Switch(config-vlan)# private-vlan association {secondary_vlan_list | add svl | remove svl}

Associates secondary VLANs with the primary VLAN

    Switch# show vlan private-vlan type

Ver
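
The `show port-security` summary in the Verifying Port Security slides can be checked mechanically during an audit. The following is an added example, not part of the Cisco course material: a parser for that summary table which flags ports with recorded violations, ports whose secure address table is full, and ports in protect mode (where IOS drops offending frames without incrementing the violation counter). The function names and the Fa5/12 row are assumptions made for illustration.

```python
import re

# Rows for Fa5/1, Fa5/5 and Fa5/11 are re-typed from the page's sample output;
# the Fa5/12 row is constructed so the violation branch is exercised.
SAMPLE = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa5/1        11            11            0             Shutdown
      Fa5/5        15             5            0             Restrict
     Fa5/11         5             4            0             Protect
     Fa5/12         1             1            3             Restrict
---------------------------------------------------------------------------
"""

# port, max, current, violation count, configured violation action
ROW = re.compile(
    r"^\s*(\S+/\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Shutdown|Restrict|Protect)\s*$")

def parse_port_security(text):
    """Return one dict per secure port found in the summary table."""
    ports = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, unit and separator lines do not match
            name, max_addr, cur, viol, action = m.groups()
            ports.append({"port": name, "max": int(max_addr),
                          "current": int(cur), "violations": int(viol),
                          "action": action})
    return ports

def audit(ports):
    """Map port name -> list of findings that deserve an operator's attention."""
    findings = {}
    for p in ports:
        notes = []
        if p["violations"] > 0:
            notes.append("violations recorded")
        if p["current"] >= p["max"]:
            notes.append("address table full")
        if p["action"] == "Protect":
            notes.append("protect mode: drops are not counted or logged")
        if notes:
            findings[p["port"]] = notes
    return findings

if __name__ == "__main__":
    for port, notes in audit(parse_port_security(SAMPLE)).items():
        print(port, "->", "; ".join(notes))
```

A port that is full and set to Shutdown, such as Fa5/1 in the page's output, will err-disable on the next unknown source MAC, so it is worth reviewing before a device is added or replaced.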