BCMSN 09: Switched Network Performance Optimization and Security
Optimizing and Securing Multilayer Switched Networks, Module 9
© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0, 9-2

Lesson: Optimizing Multilayer Switched Networks

Objectives
Upon completing this lesson, you will be able to:
- Describe techniques to enhance the performance of a multilayer switched network
- Monitor switch ports using SPAN and VSPAN (VLAN-based SPAN)
- Monitor switch ports using RSPAN
- Describe the features and operation of Network Analysis Modules (NAMs) on Catalyst switches to improve network traffic management
- Verify and troubleshoot the operation of network analysis modules

Enhancing Network Performance
- Gather a baseline.
- Perform a what-if analysis.
- Perform exception reporting for capacity issues.
- Determine the network management overhead.
- Analyze the capacity information.
- Periodically review capacity information.
- Have upgrade or tuning procedures set up.

Switched Port Analyzer (SPAN)

Configuring SPAN
Switch(config)# monitor session session_number source {interface type/num | vlan num} [, | -] [rx | tx | both]
  Configures a SPAN session to monitor traffic; the source is one or more ports, or one or more VLANs (VSPAN), in the receive, transmit or both directions
Switch(config)# monitor session session_number destination {interface type/num [, | -] | vlan num}
  Configures the destination for a SPAN session

Remote SPAN (RSPAN)

Configuring RSPAN
Switch(config)# vlan vlan-number
  Enters configuration mode for a specific VLAN
Switch(config-vlan)# remote-span
  Enables RSPAN for the VLAN (the VLAN becomes an RSPAN VLAN: MAC learning is disabled on it, and it must be created this way on every switch between the source and the analyzer)
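The following is an added, end-to-end configuration of local SPAN and of RSPAN across three switches; it is not part of the course material. The switch names (SW-ACCESS, SW-DIST, SW-PROBE), the port numbers and RSPAN VLAN 901 are assumed for illustration, and the `destination remote vlan` / `source remote vlan` forms are the Catalyst IOS syntax for binding a session to an RSPAN VLAN.

```cisco
! Added example (not from the BCMSN course). Hypothetical topology:
!   SW-ACCESS : access switch whose ports Fa0/1-3 are the monitored sources
!   SW-DIST   : intermediate switch that only transports RSPAN VLAN 901
!   SW-PROBE  : switch where the analyzer is attached on Gi0/24
! All names, port numbers and VLAN 901 are assumptions.

! ----- Local SPAN on one switch: copy Fa0/1 in both directions to a probe on Fa0/24
SW-ACCESS(config)# monitor session 1 source interface FastEthernet0/1 both
SW-ACCESS(config)# monitor session 1 destination interface FastEthernet0/24
! The destination port stops forwarding normal traffic and drops frames it receives,
! so a host on it can sniff but cannot talk to the network unless the optional
! "ingress" keyword is added. Leave it off for a passive probe.

! ----- RSPAN: create the RSPAN VLAN on EVERY switch in the path (source,
! intermediate, destination). "remote-span" disables MAC learning on it.
SW-ACCESS(config)# vlan 901
SW-ACCESS(config-vlan)# name RSPAN-TO-PROBE
SW-ACCESS(config-vlan)# remote-span
SW-ACCESS(config-vlan)# exit
SW-ACCESS(config)# monitor session 2 source interface FastEthernet0/1 - 3 rx
SW-ACCESS(config)# monitor session 2 destination remote vlan 901

SW-DIST(config)# vlan 901
SW-DIST(config-vlan)# remote-span
SW-DIST(config-vlan)# exit
! The trunks between the switches must carry VLAN 901. If VTP pruning or an
! "allowed vlan" list excludes it, the mirrored traffic silently never arrives.
SW-DIST(config)# interface range GigabitEthernet0/1 - 2
SW-DIST(config-if-range)# switchport trunk allowed vlan add 901

SW-PROBE(config)# vlan 901
SW-PROBE(config-vlan)# remote-span
SW-PROBE(config-vlan)# exit
SW-PROBE(config)# monitor session 2 source remote vlan 901
SW-PROBE(config)# monitor session 2 destination interface GigabitEthernet0/24

! ----- Verification
SW-ACCESS# show monitor session 2
! Expect "Type : Remote Source Session" and "Dest RSPAN VLAN : 901".
SW-PROBE# show monitor session 2
! Expect "Type : Remote Destination Session" and "Source RSPAN VLAN : 901".
```

Two points a security engineer should keep in mind. First, the RSPAN VLAN carries a copy of every mirrored frame across the trunks, so any access port that is mistakenly assigned to VLAN 901, on any switch in the path, can read the monitored traffic; never use the RSPAN VLAN for ordinary ports. Second, a SPAN session is itself an interception tool: restrict who may configure `monitor session` (AAA command authorization, covered later in this module) and periodically review `show monitor` on every switch so that a session an attacker added to mirror traffic to a port they control is noticed.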

Verifying SPAN and RSPAN
Switch# show monitor session session_number [detail]
  Displays SPAN session information

Switch# show monitor session 2
Session 2
---------
Type              : Remote Source Session
Source Ports      :
    RX Only       : Fa3/1
Dest RSPAN VLAN   : 901

Switch# show monitor session 2 detail
Session 2
---------
Type              : Remote Source Session
Source Ports      :
    RX Only       : Fa1/1-3
    TX Only       : None
    Both          : None
Source VLANs      :
    RX Only       : None
    TX Only       : None
    Both          : None
Source RSPAN VLAN : None
Destination Ports : None
Filter VLANs      : None
Dest RSPAN VLAN   : 901

Network Analysis Module (NAM)

NAM Initial Configuration
Assign parameters:
- IP address
- Subnet mask
- IP broadcast address
- IP host name
- Default gateway
- Domain name
- DNS name server
- SNMP (MIB variables, access control, system group settings)
Start the web server.

Configuring NAM
Switch(config)# interface gi 8/0
Switch(config-if)# switchport access vlan 93
Switch(config-if)# end
Switch(config)# monitor session 1 destination interface gi 8/1
root@localhost# autostart addressmap enable
  Enables a collection type
root@localhost# autostart collection enable

Verifying NAM
Switch# show module
  Displays information about installed modules

Switch# show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  2     2 Catalyst 6000 supervisor 2 (Active)    WS-X6K-SUP2-2GE    SAD0410050B
  3    48 48 port 10/100 mb RJ-45 ethernet       WS-X6248-RJ-45     SAD03080485
  5     2 Network Analysis Module                WS-X6380-NAM       SAD05130AXB
  7     2 Intrusion Detection System             WS-X6381-IDS       SAD05100HPT

Switch# show interface GigabitEthernet slot/{1 | 2}
  Displays NAM interface information

Summary
- Performance management maintains internetwork performance at acceptable levels by measuring and managing various network performance variables.
- SPAN selects and copies network traffic to send to a network analyzer.
- Remote SPAN is a variation of SPAN that sends monitored traffic through an intermediate switch rather than directly to the traffic analyzer.
- A NAM uses SNMP RMON information to monitor and analyze network traffic.
- Use the show commands to verify NAM configuration.

Lesson: Securing Multilayer Switched Networks (BCMSN v2.0, 9-15)

Objectives
Upon completing this lesson, you will be able to:
- Explain basic security concepts for the multilayer switched network
- Configure authentication, authorization, and accounting on Catalyst switches
- Configure port security and port-based authentication with 802.1X
- Verify the network access security configuration
- Configure VLAN access lists
- Verify the VLAN access list security configuration

Recommended Switch Security
- Set system passwords
- Configure basic ACLs
- Secure physical access to the console
- Secure access to VTYs
- Configure system warning banners
- Disable unneeded services
- Use SSH for remote management
- Trim CDP
- Disable the integrated HTTP daemon
- Configure basic logging
- Secure SNMP
- Limit trunking connections
- Secure the spanning-tree topology
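As an added example that is not part of the course, the following baseline configuration applies the recommendations in the list above to a Catalyst IOS switch. The hostname, the management subnet 10.0.0.0/24, the syslog host 10.0.0.50, the VLAN numbers and the port numbers are assumptions, and the `<...>` placeholders stand for secrets you would supply.

```cisco
! Added example (not from the course): baseline hardening for a Catalyst IOS switch.
! Hostname, addresses, VLAN and port numbers are assumptions; <...> are placeholders.

! --- Set system passwords. "enable secret" stores a hash; "enable password" and
! --- anything covered only by service password-encryption (type 7) are reversible.
hostname SW-CORE
enable secret <strong-passphrase>
no enable password
service password-encryption
username netops privilege 15 secret <strong-passphrase>

! --- Console: require a login, time out idle sessions
line console 0
 login local
 exec-timeout 5 0

! --- VTYs: SSH only, and only from the management subnet (a basic ACL)
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
 deny   any log
line vty 0 15
 login local
 transport input ssh
 access-class MGMT-HOSTS in
 exec-timeout 5 0

! --- Warning banner shown before authentication
banner login ^C
Unauthorized access is prohibited. All activity is monitored and logged.
^C

! --- Disable unneeded services, including the integrated HTTP daemon
no ip http server
no ip http secure-server
no service finger
no ip source-route
no service tcp-small-servers
no service udp-small-servers

! --- Basic logging with timestamps, kept locally and sent to a syslog host
service timestamps log datetime msec localtime show-timezone
logging buffered 16384 informational
logging host 10.0.0.50
logging trap informational

! --- Secure SNMP: remove well-known communities, use SNMPv3 authPriv, read-only,
! --- restricted to the management subnet
no snmp-server community public
no snmp-server community private
snmp-server view SNMP-RO iso included
snmp-server group NMS-GROUP v3 priv read SNMP-RO access MGMT-HOSTS
snmp-server user nms NMS-GROUP v3 auth sha <auth-pass> priv aes 128 <priv-pass>

! --- User-facing ports: no trunk negotiation, no CDP, STP edge protection.
! --- BPDU guard err-disables the port if a switch (or a spoofed BPDU) appears on it.
interface range FastEthernet0/1 - 24
 switchport
 switchport mode access
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable

! --- Trunks: explicit mode and an explicit VLAN list, never "dynamic"
interface GigabitEthernet0/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20,30

! --- Trunk toward a downstream access switch: it must never become root
interface GigabitEthernet0/2
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 switchport trunk allowed vlan 10,20,30
 spanning-tree guard root
```

Trimming CDP on every user port while leaving it on infrastructure links (where the management tools may depend on it) is usually the right balance; `no cdp run` disables it globally if nothing needs it. Root guard belongs on ports that face downstream switches, not on the uplink toward the real root, where it would err-disable the port the moment a superior BPDU arrives.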

AAA Network Configuration
- Authentication: verifies a user's identity
- Authorization: specifies the permitted tasks for the user
- Accounting: provides billing, auditing, and monitoring

Configuring Authentication
Switch(config)# aaa new-model
  Enables AAA globally
Switch(config)# aaa authentication login {default | list-name} method1 [method2...]
  Creates a login authentication method list; the methods are tried in order, and "local" (the switch's own username database) is commonly placed last as a fallback
Switch(config)# line {aux | console | tty | vty} line-number [ending-line-number]
  Enters line configuration mode
Switch(config-line)# login authentication {default | list-name}
  Applies the authentication list to a line

Configuring Authorization
Switch(config)# aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration | ipmobile} {default | list-name} method1 [method2...]
  Creates an authorization method list and enables authorization
Switch(config)# interface interface-type interface-number
  Enters interface configuration mode
Switch(config-if)# ppp authorization {default | list-name}
  Applies the named authorization method list to the interface (PPP interfaces only; exec and command authorization for VTY sessions is applied in line configuration mode with the authorization command)

Configuring Accounting
Switch(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} method1 [method2...]
  Creates an accounting method list and enables accounting
Switch(config)# interface interface-type interface-number
  Enters interface configuration mode
Switch(config-if)# ppp accounting {default | list-name}
  Applies the named accounting method list to the interface (PPP interfaces only; exec and command accounting for VTY sessions is applied in line configuration mode with the accounting command)

Network Access Port Security
Port security is a MAC address lockdown: the port accepts frames only from a limited set of learned or configured MAC addresses, and a frame from any other source address is a violation that, depending on the configured mode, is silently dropped (protect), dropped and counted (restrict), or err-disables the port (shutdown).

Enabling Port Security
Switch(config-if)# switchport port-security [maximum value] [violation {protect | restrict | shutdown}]
  Enables port security and specifies the maximum number of MAC addresses that can be supported by this port

802.1X Port-Based Authentication
Restricts unauthorized clients from connecting to a LAN through publicly accessible ports

Configuring 802.1X Port-Based Authentication
Switch(config)# aaa authentication dot1x default method1 [method2...]
  Creates an 802.1X port-based authentication method list
Switch(config)# dot1x system-auth-control
  Globally enables 802.1X port-based authentication
Switch(config)# interface type slot/port
  Enters interface configuration mode
Switch(config-if)# dot1x port-control auto
  Enables 802.1X port-based authentication on the interface

Verifying Port Security
Switch# show port-security
  Displays security information for all interfaces

Switch# show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
             (Count)        (Count)      (Count)
-------------------------------------------------------------------------
   Fa5/1         11             11              0              Shutdown
   Fa5/5         15              5              0              Restrict
  Fa5/11          5              4              0              Protect
-------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128

Verifying Port Security (Cont.)
Switch# show port-security interface interface x/y
  Displays security information for a specific interface

Switch# show port-security interface fastethernet 5/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 11
Total MAC Addresses: 11
Configured MAC Addresses: 3
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0

Verifying Port Security (Cont.)
Switch# show port-security address
  Displays MAC address table security information

Switch# show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan  Mac Address     Type              Ports   Remaining Age (mins)
----  -----------     ----              -----   --------------------
   1  0001.0001.0001  SecureDynamic     Fa5/1   15 (I)
   1  0001.0001.0002  SecureDynamic     Fa5/1   15 (I)
   1  0001.0001.1111  SecureConfigured  Fa5/1   16 (I)
   1  0001.0001.1112  SecureConfigured  Fa5/1   -
   1  0001.0001.1113  SecureConfigured  Fa5/1   -
   1  0005.0005.0001  SecureConfigured  Fa5/5   23
   1  0005.0005.0002  SecureConfigured  Fa5/5   23
   1  0005.0005.0003  SecureConfigured  Fa5/5   23
   1  0011.0011.0001  SecureConfigured  Fa5/11  25 (I)
   1  0011.0011.0002  SecureConfigured  Fa5/11  25 (I)
-------------------------------------------------------------------
Total Addresses in System: 10
Max Addresses limit in System: 128

Types of ACLs

Configuring VACLs
Switch(config)# vlan access-map map_name [seq#]
  Defines a VLAN access map
Switch(config-access-map)# match {ip address {1-199 | 1300-2699 | acl_name} | ipx address {800-999 | acl_name} | mac address acl_name}
  Configures the match clause in a VLAN access map sequence
Switch(config-access-map)# action {drop [log] | forward [capture] | redirect {type slot/port | port-channel channel_id}}
  Configures the action clause in a VLAN access map sequence
Switch(config)# vlan filter map_name vlan-list list
  Applies the VLAN access map to the specified VLANs

Customer VLAN Requirements
ISP customers require:
- Internet access for multiple servers
- Isolation from other customers
- Communication between servers
Traditional solution: one VLAN and IP subnet per customer
- High resource requirements
- Limited scalability
- High management complexity

Private VLANs

PVLAN Ports and Types
Private VLAN ports:
- Promiscuous: can communicate with all other ports
- Isolated: can only communicate with promiscuous ports
- Community: can communicate with other members of the community and all promiscuous ports
Private VLAN types:
- Primary: used by promiscuous ports to communicate with all other ports in the private VLAN
- Isolated: used by isolated ports to communicate with promiscuous ports
- Community: used by community ports to communicate with each other and promiscuous ports

Configuring Private VLANs
Switch(config-vlan)# private-vlan {primary | isolated | community}
  Configures a VLAN as a private VLAN
Switch(config-vlan)# private-vlan association {secondary_vlan_list | add svl | remove svl}
  Associates secondary VLANs with the primary VLAN
Switch# show vlan private-vla
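The AAA, port security and 802.1X slides above each show one command at a time. As an added example that is not part of the course, the following puts them together on one access switch: management-plane AAA against a TACACS+ server with a local fallback, 802.1X against a RADIUS server, and port security on two kinds of access port. The server addresses 10.0.0.10 and 10.0.0.20, the shared keys, the VLAN numbers, the port numbers and the printer's MAC address are assumptions.

```cisco
! Added example (not from the course). Server addresses, keys (<...>), VLANs, ports
! and the MAC address 0011.2233.4455 are assumptions.

aaa new-model

! ----- Management plane: TACACS+ for login, exec and command authorization/accounting
tacacs-server host 10.0.0.10 key <tacacs-key>
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! "local" at the end of a list is used only when no TACACS+ server answers;
! without it an unreachable server locks you out of your own switch. A reject
! from a server that does answer is final: the next method is not tried.
line console 0
 login authentication CONSOLE
line vty 0 15
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default

! ----- Data plane: 802.1X authenticates hosts against RADIUS (EAP rides in RADIUS)
radius-server host 10.0.0.20 auth-port 1812 acct-port 1813 key <radius-key>
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control

! ----- User port: 802.1X required, port security caps the number of MACs behind
! ----- it (one PC plus one IP phone). "restrict" drops and counts violations so
! ----- they show up in "show port-security"; "protect" would drop them silently.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 120
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 20
 switchport port-security aging type inactivity
 dot1x port-control auto
 spanning-tree portfast

! ----- Printer port with no 802.1X supplicant: pin the single allowed MAC and
! ----- err-disable the port on any other sender.
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 30
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
 spanning-tree portfast

! ----- A port err-disabled by a "shutdown" violation stays down until someone
! ----- does "shutdown" / "no shutdown" on it, or recovery is enabled:
errdisable recovery cause psecure-violation
errdisable recovery interval 300

! ----- Verify
show port-security
show port-security interface FastEthernet0/1
show dot1x interface FastEthernet0/1
```

Two practitioner notes. The console deliberately gets its own list (`CONSOLE`, local only) so that a broken AAA server or a bad ACL never locks the console, while every remote session goes through TACACS+. And port security counts source MAC addresses, not hosts: a hub, an unmanaged switch or a VM host with several virtual NICs behind a port will trip the maximum, so size the limit to the real topology before choosing the `shutdown` mode.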
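The VACL commands above are listed individually. As an added example that is not from the course, here is a complete VLAN access map on a web-server VLAN that forwards only the traffic the servers need and drops and logs the rest; unlike a router ACL, it also filters frames bridged between two hosts in the same VLAN. The VLAN number 10, the subnet 10.10.10.0/24, the server and DNS addresses and the map name are assumptions.

```cisco
! Added example (not from the course). VLAN 10, 10.10.10.0/24, the server hosts
! .11 and .12, the DNS server 10.0.0.53 and the map name are assumptions.

! ----- Named ACLs used as match clauses
ip access-list extended WEB-IN
 permit tcp any host 10.10.10.11 eq 80
 permit tcp any host 10.10.10.11 eq 443
 permit tcp any host 10.10.10.12 eq 80
 permit tcp any host 10.10.10.12 eq 443
ip access-list extended WEB-OUT
 permit tcp host 10.10.10.11 eq 80 any established
 permit tcp host 10.10.10.11 eq 443 any established
 permit tcp host 10.10.10.12 eq 80 any established
 permit tcp host 10.10.10.12 eq 443 any established
ip access-list extended INFRA
 permit udp any eq bootpc any eq bootps
 permit udp any eq bootps any eq bootpc
 permit udp 10.10.10.0 0.0.0.255 host 10.0.0.53 eq domain
 permit udp host 10.0.0.53 eq domain 10.10.10.0 0.0.0.255
 permit icmp any any
ip access-list extended ANY-IP
 permit ip any any

! ----- The access map: sequences are evaluated in order, first match wins.
vlan access-map WEB-VLAN 10
 match ip address WEB-IN
 action forward
vlan access-map WEB-VLAN 20
 match ip address WEB-OUT
 action forward
vlan access-map WEB-VLAN 30
 match ip address INFRA
 action forward
! An IP packet that matches no clause is dropped by the implicit deny, silently.
! This explicit last clause keeps that behaviour but logs what is being dropped,
! which is how you find the NTP, backup or management flow you forgot to permit.
vlan access-map WEB-VLAN 40
 match ip address ANY-IP
 action drop log

! ----- Apply the map to VLAN 10
vlan filter WEB-VLAN vlan-list 10

! ----- Verify
show vlan access-map WEB-VLAN
show vlan filter
```

Note what this map does not cover: it contains only `match ip address` clauses, so non-IP frames such as ARP are forwarded unfiltered, because a VLAN map with no match clause for a packet type forwards that type by default. If you add a `match mac address` clause for any non-IP protocol, every other non-IP protocol then falls under an implicit deny, so permit ARP explicitly in that case or the hosts lose connectivity.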
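The customer-isolation requirements and the PVLAN port types above lead to the following added example, which is not part of the course: one primary VLAN and one subnet shared by three hosting customers, with a community VLAN for a customer whose two servers must talk to each other, an isolated VLAN for the customers that must see only the gateway, and a promiscuous port for the gateway. The VLAN numbers 200, 201 and 202, the subnet 10.50.0.0/24, the port numbers and the SVI address are assumptions.

```cisco
! Added example (not from the course). VLAN numbers, ports, 10.50.0.0/24 and
! the gateway address 10.50.0.1 are assumptions.
! private-vlan is accepted only with VTP in transparent mode (or VTP version 3).
vtp mode transparent

! ----- Primary VLAN and its two secondary VLANs
vlan 200
 name CUST-PRIMARY
 private-vlan primary
 private-vlan association 201,202
vlan 201
 name CUST-A-COMMUNITY
 private-vlan community
vlan 202
 name ISOLATED
 private-vlan isolated

! ----- Promiscuous port toward the gateway: maps the primary to both secondaries
interface GigabitEthernet0/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201,202

! ----- Customer A servers: community ports (reach each other and Gi0/1 only)
interface range FastEthernet0/1 - 2
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201

! ----- Customers B and C: isolated ports (reach Gi0/1 only, never each other)
interface range FastEthernet0/3 - 4
 switchport mode private-vlan host
 switchport private-vlan host-association 200 202

! ----- If this switch is also the gateway, the SVI on the primary VLAN must be
! ----- mapped to the secondaries, and it needs an ACL: PVLAN isolation is Layer 2
! ----- only. An isolated host can address an IP packet to its neighbour but send
! ----- it to the router's MAC address, and the router would route it straight
! ----- back into the VLAN. Deny intra-subnet traffic that arrives at the router.
ip access-list extended PVLAN-NO-HAIRPIN
 permit ip 10.50.0.0 0.0.0.255 host 10.50.0.1
 deny   ip 10.50.0.0 0.0.0.255 10.50.0.0 0.0.0.255
 permit ip any any
interface Vlan200
 ip address 10.50.0.1 255.255.255.0
 private-vlan mapping 201,202
 ip access-group PVLAN-NO-HAIRPIN in

! ----- Verify associations and per-port assignments
show vlan private-vlan
show interfaces FastEthernet0/3 switchport
```

The same hairpin bypass exists when the gateway is an external router on the promiscuous port; in that case the equivalent ACL goes on the router's interface, and local proxy ARP should be off on it, otherwise the router will answer ARP on behalf of isolated hosts and hand their neighbours its own MAC address.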
