Optimizing and Securing Multilayer Switched Networks, Module 9 (BCMSN v2.0)
2003, Cisco Systems, Inc. All rights reserved.

Objectives
Upon completing this module, you will be able to:
- Enhance multilayer switched networks to provide optimal performance, and monitor performance
- Secure the multilayer switched network with authentication, and Layer 2 and Layer 3 security

Session 1: Optimizing Multilayer Switched Networks

Objectives
Upon completing this lesson, you will be able to:
- Describe techniques to enhance the performance of a multilayer switched network
- Monitor switch ports using SPAN and VSPAN
- Monitor switch ports using RSPAN
- Describe the features and operation of network analysis modules on Catalyst switches to improve network traffic management
- Verify and troubleshoot the operation of network analysis modules

Enhancing Network Performance
- Gather a baseline.
- Perform a what-if analysis.
- Perform exception reporting for capacity issues.
- Determine the network management overhead.
- Analyze the capacity information.
- Periodically review capacity information.
- Have upgrade or tuning procedures set up.

Switched Port Analyzer (SPAN)

Configuring SPAN
Switch(config)# monitor session session_num source {interface type/num | vlan num} [, | -] [rx | tx | both]
    Configures a SPAN session to monitor traffic
Switch(config)# monitor session session_number destination {interface type/num [, | -] | vlan num}
    Configures the destination for a SPAN session

Remote SPAN (RSPAN)

Configuring RSPAN
Switch(config)# vlan vlan-number
    Enters configuration mode for a specific VLAN
Switch(config-vlan)# remote-span
    Enables RSPAN for the VLAN

Verifying SPAN and RSPAN
Switch# show monitor session session_number [detail]
    Displays SPAN session information

Switch# show monitor session 2
Session 2
---------
Type                   : Remote Source Session
Source Ports           :
    RX Only            : Fa3/1
Dest RSPAN VLAN        : 901

Switch# show monitor session 2 detail
Session 2
---------
Type                   : Remote Source Session
Source Ports           :
    RX Only            : Fa1/1-3
    TX Only            : None
    Both               : None
Source VLANs           :
    RX Only            : None
    TX Only            : None
    Both               : None
Source RSPAN VLAN      : None
Destination Ports      : None
Filter VLANs           : None
Dest RSPAN VLAN        : 901

Network Analysis Module
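Added worked example (not from the course slides) that puts the SPAN and RSPAN commands together: a local session on one switch, and a remote session whose analyzer sits on a second switch. The switch names, interface numbers and RSPAN VLAN 901 are assumed lab values.

```cisco
! Local SPAN on Switch-A: copy both directions of Fa3/1 to the analyzer attached to Fa3/24
Switch-A(config)# monitor session 1 source interface FastEthernet3/1 both
Switch-A(config)# monitor session 1 destination interface FastEthernet3/24

! RSPAN: the analyzer hangs off Switch-B, so copies travel in a dedicated RSPAN VLAN (901 here).
! The VLAN must exist, flagged remote-span, on both switches and be carried on the trunk between them.
! Keep user access ports out of it: every mirrored frame is visible to anything in that VLAN.
Switch-A(config)# vlan 901
Switch-A(config-vlan)# remote-span
Switch-A(config-vlan)# exit
! Source side: receive-only copy of Fa1/1 through Fa1/3 into the RSPAN VLAN (session 2, as in the verify output)
Switch-A(config)# monitor session 2 source interface FastEthernet1/1 - 3 rx
Switch-A(config)# monitor session 2 destination remote vlan 901

Switch-B(config)# vlan 901
Switch-B(config-vlan)# remote-span
Switch-B(config-vlan)# exit
! Destination side: take the RSPAN VLAN back out to the analyzer port
! (a SPAN destination port stops forwarding normal traffic, so dedicate it to the analyzer)
Switch-B(config)# monitor session 2 source remote vlan 901
Switch-B(config)# monitor session 2 destination interface FastEthernet0/24

! Switch-A should report "Remote Source Session" with "Dest RSPAN VLAN: 901";
! Switch-B should report a Remote Destination Session with "Source RSPAN VLAN: 901"
Switch-A# show monitor session 2 detail
Switch-B# show monitor session 2 detail
```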
NAM Initial Configuration
Assign parameters:
- IP address
- Subnet mask
- IP broadcast address
- IP host name
- Default gateway
- Domain name
- DNS name server
- SNMP (MIB variables, access control, system group settings)
Start the web server.

Verifying NAM
Switch# show module
    Displays information about installed modules

Switch# show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2     2 Catalyst 6000 supervisor 2 (Active)    WS-X6K-SUP2-2GE    SAD0410050B
  3    48 48 port 10/100 mb RJ-45 ethernet       WS-X6248-RJ-45     SAD03080485
  5     2 Network Analysis Module                WS-X6380-NAM       SAD05130AXB
  7     2 Intrusion Detection System             WS-X6381-IDS       SAD05100HPT

Switch# show interface GigabitEthernet slot/{1 | 2}
    Displays NAM interface information

Configuring NAM
Switch(config)# interface gi 8/0
Switch(config-if)# switchport access vlan 93
Switch(config-if)# end
Switch(config)# monitor session 1 destination interface gi 8/1
root@localhost# autostart addressmap enable
    Enables a collection type
root@localhost# autostart collection enable

Summary
- Performance management maintains internetwork performance at acceptable levels by measuring and managing various network performance variables.
- SPAN selects and copies network traffic to send to a network analyzer.
- Remote SPAN is a variation of SPAN that sends monitored traffic through an intermediate switch rather than directly to the traffic analyzer.
- A NAM uses SNMP RMON information to monitor and analyze network traffic.
- Use the show commands to verify NAM configuration.
Session 2: Securing Multilayer Switched Networks

Objectives
Upon completing this lesson, you will be able to:
- Explain basic security concepts for the multilayer switched network
- Configure authentication, authorization, and accounting on Catalyst switches
- Configure port security and port-based authentication with 802.1X
- Verify the network access security configuration
- Configure VLAN access lists
- Verify the VLAN access list security configuration

Recommended Switch Security
- Set system passwords
- Configure basic ACLs
- Secure physical access to the console
- Secure access to VTYs
- Configure system warning banners
- Disable unneeded services
- Use SSH
- Trim CDP
- Disable the integrated HTTP daemon
- Configure basic logging
- Secure SNMP
- Limit trunking connections
- Secure the spanning-tree topology

AAA Network Configuration
- Authentication: verifies a user's identity
- Authorization: specifies the permitted tasks for the user
- Accounting: provides billing, auditing, and monitoring

Configuring Authentication
Switch(config)# aaa new-model
    Enables AAA globally
Switch(config)# aaa authentication login {default | list-name} method1 [method2...]
    Creates a local authentication list
Switch(config)# line {aux | console | tty | vty} line-number [ending-line-number]
    Enters line configuration mode
Switch(config-line)# login authentication {default | list-name}
    Applies the authentication list to a line

Configuring Authorization
Switch(config)# aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration | ipmobile} {default | list-name} method1 [method2...]
    Creates an authorization method list and enables authorization
Switch(config)# interface interface-type interface-number
    Enters interface configuration mode
Switch(config-if)# ppp authorization {default | list-name}
    Applies the named authorization method list to the interface
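Added example, not part of the original slides: a complete AAA setup for management access that builds the authentication, authorization and accounting method lists and binds them to the switch lines. The TACACS+ server address, shared key and local account are assumed placeholder values.

```cisco
! Assumed lab values: TACACS+ server 192.0.2.10, shared key "tacacs-key-placeholder" and a local
! fallback account "admin". TACACS+ rather than RADIUS because per-command authorization and
! per-command accounting need it.
Switch(config)# aaa new-model
Switch(config)# tacacs-server host 192.0.2.10 key tacacs-key-placeholder
Switch(config)# username admin privilege 15 secret admin-pass-placeholder

! Authentication: ask TACACS+ first; "local" is consulted only when no server answers,
! which is what keeps a dead AAA server from locking everyone out.
Switch(config)# aaa authentication login VTY-AUTH group tacacs+ local
! The console gets its own local-only list so an AAA outage never costs you console access
Switch(config)# aaa authentication login CONSOLE-AUTH local

! Authorization: the EXEC shell and level-15 commands must be approved by the server
Switch(config)# aaa authorization exec default group tacacs+ local
Switch(config)# aaa authorization commands 15 default group tacacs+ local

! Accounting: session start/stop for every EXEC login, one record per privileged command
Switch(config)# aaa accounting exec default start-stop group tacacs+
Switch(config)# aaa accounting commands 15 default stop-only group tacacs+

! Bind the named lists to the lines (the "default" lists above apply to every line automatically)
Switch(config)# line vty 0 4
Switch(config-line)# login authentication VTY-AUTH
Switch(config-line)# line console 0
Switch(config-line)# login authentication CONSOLE-AUTH
Switch(config-line)# end

! Check server reachability and test a login from a second session before closing this one
Switch# show tacacs
Switch# test aaa group tacacs+ admin admin-pass-placeholder legacy
```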
Configuring Accounting
Switch(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} method1 [method2...]
    Creates an accounting method list and enables accounting
Switch(config)# interface interface-type interface-number
    Enters interface configuration mode
Switch(config-if)# ppp accounting {default | list-name}
    Applies the named accounting method list to the interface

Network Access Port Security
Port security is a MAC address lockdown that disables the port if the MAC address is not valid.

Enabling Port Security
Switch(config-if)# switchport port-security [maximum value] [violation {protect | restrict | shutdown}]
    Enables port security and specifies the maximum number of MAC addresses that can be supported by this port

802.1X Port-Based Authentication
Restricts unauthorized clients from connecting to a LAN through publicly accessible ports.

Configuring 802.1X Port-Based Authentication
Switch(config)# aaa authentication dot1x default method1 [method2...]
    Creates an 802.1X port-based authentication method list
Switch(config)# dot1x system-auth-control
    Globally enables 802.1X port-based authentication
Switch(config)# interface type slot/port
    Enters interface configuration mode
Switch(config-if)# dot1x port-control auto
    Enables 802.1X port-based authentication on the interface

Verifying Port Security
Switch# show port-security
    Displays security information for all interfaces

Switch# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
               (Count)       (Count)        (Count)
-------------------------------------------------------------------------
      Fa5/1           11           11              0          Shutdown
      Fa5/5           15            5              0          Restrict
     Fa5/11            5            4              0          Protect
-------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128

Verifying Port Security (Cont.)
Switch# show port-security interface interface x/y
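Added example (not from the slides): the port-security and 802.1X commands above applied to two access ports, one locked to known MAC addresses and one that must authenticate before it forwards. Interface numbers, VLAN, RADIUS server address and key are assumed values.

```cisco
! Fa5/1: a printer port. Lock it to its two known MACs with sticky learning.
! violation restrict drops offending frames and raises a syslog/SNMP trap but keeps the port up,
! so a duplicated MAC becomes visible to the NOC without an outage for the legitimate device.
! (violation shutdown err-disables the port and needs a manual no shutdown or errdisable recovery.)
Switch(config)# interface FastEthernet5/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
! Age learned entries after 20 minutes of inactivity (matches the aging shown in the verify output)
Switch(config-if)# switchport port-security aging time 20
Switch(config-if)# switchport port-security aging type inactivity
Switch(config-if)# exit

! Fa5/5: a user-facing port. Authenticate the host with 802.1X against RADIUS before forwarding.
! Assumed RADIUS server 192.0.2.10; "radius-key-placeholder" is a placeholder shared secret.
Switch(config)# aaa new-model
Switch(config)# radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key radius-key-placeholder
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface FastEthernet5/5
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# dot1x port-control auto
Switch(config-if)# exit

! Check the result: a SecurityViolation count that climbs on Fa5/1 means an unexpected MAC appeared;
! Fa5/5 should show an authorized port state only after a successful EAP exchange
Switch# show port-security interface FastEthernet5/1
Switch# show dot1x interface FastEthernet5/5
```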
    Displays security information for a specific interface

Switch# show port-security interface fastethernet 5/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 11
Total MAC Addresses: 11
Configured MAC Addresses: 3
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0

Verifying Port Security (Cont.)
Switch# show port-security address
    Displays MAC address table security information

Switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type              Ports     Remaining Age
                                                        (mins)
----    -----------       ----              -----     -------------
   1    0001.0001.0001    SecureDynamic     Fa5/1     15 (I)
   1    0001.0001.0002    SecureDynamic     Fa5/1     15 (I)
   1    0001.0001.1111    SecureConfigured  Fa5/1     16 (I)
   1    0001.0001.1112    SecureConfigured  Fa5/1     -
   1    0001.0001.1113    SecureConfigured  Fa5/1     -
   1    0005.0005.0001    SecureConfigured  Fa5/5     23
   1    0005.0005.0002    SecureConfigured  Fa5/5     23
   1    0005.0005.0003    SecureConfigured  Fa5/5     23
   1    0011.0011.0001    SecureConfigured  Fa5/11    25 (I)
   1    0011.0011.0002    SecureConfigured  Fa5/11    25 (I)
-------------------------------------------------------------------
Total Addresses in System: 10
Max Addresses limit in System: 128
Types of ACLs

Configuring VACLs
Switch(config)# vlan access-map map_name [seq#]
    Defines a VLAN access map
Switch(config-access-map)# match {ip address {1-199 | 1300-2699 | acl_name} | ipx address {800-999 | acl_name} | mac address acl_name}
    Configures the match clause in a VLAN access map sequence
Switch(config-access-map)# action {drop [log] | forward [capture] | redirect {type slot/port | port-channel channel_id}}
    Configures the action clause in a VLAN access map sequence
Switch(config)# vlan filter map_name vlan-list list
    Applies the VLAN access map to the specified VLANs

Customer VLAN Requirements
ISP customers require:
- Internet access for multiple servers
- Isolation from other customers
- Communication between servers
Traditional solution: one VLAN and IP subnet per customer
- High resource requirements
- Limited scalability
- High management complexity

Private VLANs

PVLAN Ports and Types
Private VLAN ports:
- Promiscuous: can communicate with all other ports
- Isolated: can only communicate with promiscuous ports
- Community: can communicate with other members of the community and all promiscuous ports
Private VLAN types:
- Primary: used by promiscuous ports to communicate with all other ports in the private VLAN
- Isolated: used by isolated ports to communicate with promiscuous ports
- Community: used by community ports to communicate with each other and promiscuous ports
Configuring Private VLANs
Switch(config-vlan)# private-vlan {primary | isolated | community}
    Configures a VLAN as a private VLAN
Switch(config-vlan)# private-vlan association {secondary_vlan_list | add svl | remove svl}
    Associates secondary VLANs with the primary VLAN
Switch# show vlan private-vlan [type]
    Verifies private VLAN configuration

Configuring Pri
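Added example (not the course's own configuration) serving both the VACL and the private VLAN slides: the "Customer VLAN Requirements" scenario built with one primary VLAN, an isolated and a community secondary VLAN, and a VACL filtering the result. All VLAN numbers, port numbers, the server subnet and the map and ACL names are assumed.

```cisco
! Assumed values: primary VLAN 200, isolated VLAN 201 (customer A, one server), community VLAN 202
! (customer B, two servers that must reach each other), gateway uplink Gi0/1, server subnet 192.0.2.0/24.
! The switch must be in VTP transparent mode: VTP versions 1 and 2 do not carry private VLANs.
Switch(config)# vtp mode transparent
Switch(config)# vlan 201
Switch(config-vlan)# private-vlan isolated
Switch(config-vlan)# vlan 202
Switch(config-vlan)# private-vlan community
Switch(config-vlan)# vlan 200
Switch(config-vlan)# private-vlan primary
Switch(config-vlan)# private-vlan association 201,202
Switch(config-vlan)# exit

! Customer A server: isolated port, so it reaches only the promiscuous uplink
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode private-vlan host
Switch(config-if)# switchport private-vlan host-association 200 201
! Customer B servers: community ports reach each other and the uplink, never customer A
Switch(config-if)# interface range FastEthernet0/2 - 3
Switch(config-if-range)# switchport mode private-vlan host
Switch(config-if-range)# switchport private-vlan host-association 200 202
! Uplink to the Internet gateway: promiscuous, mapped to both secondary VLANs
Switch(config-if-range)# interface GigabitEthernet0/1
Switch(config-if)# switchport mode private-vlan promiscuous
Switch(config-if)# switchport private-vlan mapping 200 201,202
Switch(config-if)# exit

! VACL: drop and log Telnet aimed at the server subnet, forward everything else.
! Applied to the primary and both secondary VLANs so it is evaluated whichever VLAN a frame enters on.
! Sequence 20 is required: a VACL ends in an implicit drop, so unmatched traffic must be forwarded explicitly.
Switch(config)# ip access-list extended SERVER-TELNET
Switch(config-ext-nacl)# permit tcp any 192.0.2.0 0.0.0.255 eq 23
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map CUSTOMER-FILTER 10
Switch(config-access-map)# match ip address SERVER-TELNET
Switch(config-access-map)# action drop log
Switch(config-access-map)# vlan access-map CUSTOMER-FILTER 20
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan filter CUSTOMER-FILTER vlan-list 200-202

! Verify the VLAN roles, the port mappings and where the map is applied
Switch# show vlan private-vlan type
Switch# show vlan private-vlan
Switch# show vlan filter
```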