第7个模块：最小化园区网的服务丢失数据窃听-1-理解交换机的安全问题CCNP交换部分中文版教学课件

1、最小化园区网的服务丢失和数据窃听,理解交换机的安全问题,交换机安全概览,Rogue Access Points,流氓化网络可能是: 无线接入点 无线网路由器 访问层交换机 Hubs 这些是接入到访问层交换机的典型设备,交换机攻击种类,MAC层攻击 VLAN 攻击 欺骗攻击 攻击交换机设备,MAC 泛洪攻击,端口安全,Port security restricts port access by MAC address.,在交换机上配置 Port Security,启用端口安全 设置MAC地址限制 定义允许的 MAC 地址 定义违反以上MAC地址的动作,Switch(config-if)#swit

2、chport port-security maximum value violation protect | restrict | shutdown,Enables port security and specifies the maximum number of MAC addresses that can be supported by this port.,验证 Port Security,Switch#show port-security,Displays security information for all interfaces,Switch#show port-security

3、Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action (Count) (Count) (Count)- Fa5/1 11 11 0 ShutdownFa5/5 15 5 0 RestrictFa5/11 5 4 0 Protect-Total Addresses in System: 21Max Addresses limit in System: 128,验证 Port Security (Cont.),Switch#show port-security interface type mod/port,

4、Displays security information for a specific interface,Switch#show port-security interface fastethernet 5/1Port Security: EnabledPort status: SecureUpViolation mode: ShutdownMaximum MAC Addresses: 11Total MAC Addresses: 11Configured MAC Addresses: 3Aging time: 20 minsAging type: InactivitySecureStat

5、ic address aging: EnabledSecurity Violation count: 0,验证 Port Security (Cont.),Switch#show port-security address,Displays MAC address table security information,Switch#show port-security address Secure Mac Address Table-Vlan Mac Address Type Ports Remaining Age (mins)- - - - -1 0001.0001.0001 SecureD

6、ynamic Fa5/1 15 (I)1 0001.0001.0002 SecureDynamic Fa5/1 15 (I)1 0001.0001.1111 SecureConfigured Fa5/1 16 (I)1 0001.0001.1112 SecureConfigured Fa5/1 -1 0001.0001.1113 SecureConfigured Fa5/1 -1 0005.0005.0001 SecureConfigured Fa5/5 231 0005.0005.0002 SecureConfigured Fa5/5 231 0005.0005.0003 SecureCon

7、figured Fa5/5 231 0011.0011.0001 SecureConfigured Fa5/11 25 (I)1 0011.0011.0002 SecureConfigured Fa5/11 25 (I)-Total Addresses in System: 10Max Addresses limit in System: 128,Port Security with Sticky MAC Addresses,Sticky MAC存储动态学习到的MAC.,AAA 网络配置,认证 验证用户身份 授权 为用户定义允许的任务 记帐(计费） 提供帐单, 审计, 监测,认证方法,Enab

8、le password Kerberos 5 Kerberos 5-Telnet authentication Line password Local database,Local database with case sensitivity No authentication RADIUS TACACS+,Switch(config)#aaa authentication login default | list-name method1 method2.,Creates a local authentication list,Cisco IOS AAA 支持以下认证方法:,802.1x 基

9、于端口的认证,通过交换机访问网络要求认证,配置 802.1x,Switch(config)#aaa authentication dot1x default method1 method2,Creates an 802.1x port-based authentication method list,Switch(config)#dot1x system-auth-control,Globally enables 802.1x port-based authentication,Switch(config)#interface type slot/port,Enters interface configuration mode,Switch(config-if)#dot1x port-control auto,Enables 802.1x port-based authentication on the interface,Switch(config)#aaa new-model,Enables AAA,总结,必需评估2层的安全，作为整个网络安全计划的1个子集 接入层的安全 流氓化访问破坏网络安全 交换机攻击有4类 MAC泛洪攻击是针对