Overview of switch security
Deploy defensive techniques in multiple layers
Physical security must be guaranteed
Some internal servers must provide services to the outside and need extra protection
Protection techniques should be independent of one another: defense in depth
Devices a user may maliciously connect include:
1. switches
2. APs
3. hubs
These can be defended against with Layer-2 techniques such as STP protection (root guard, BPDU guard) and port security.
MAC-address-based attacks
VLAN hopping attacks
Spoofing attacks: DHCP, ARP, MAC
Device attacks
CDP
Management protocols
MAC flooding attack
Configuration
r1:
interface f0/0
ip address 10.1.1.1 255.255.255.0
r2:
interface f0/0
ip address 10.1.1.2 255.255.255.0
sw:
vlan 2
name lestvlan2
interface range f0/1 , f0/2
switchport mode access
switchport access vlan 2
interface f0/1
switchport port-security
show port-security address (view the secure MAC address table)
r1:
interface f0/0
mac-address 1.1.1
sw:
show port-security interface f0/1
switchport port-security maximum 3 (set the interface's secure MAC address capacity to 3)
switchport port-security mac-address 1.1.1 (manually assign a secure MAC address to the interface)
switchport port-security violation restrict (change the violation action)
switchport port-security aging time 60 (aging time for learned MAC addresses, in minutes)
switchport port-security aging type inactivity (an address that is inactive for 60 minutes ages out)
switchport port-security aging static (manually configured addresses can also be aged out)
switchport port-security mac-address sticky (learned MACs are written into the configuration as secure entries, so they survive in startup-config once saved)
AAA network configuration
Authentication
Authorization
Accounting
Configuration:
username admin password cisco
aaa new-model
radius-server host 10.1.1.50 auth-port 1812 key xyz123
aaa authentication login default group radius local line
aaa authentication login no_auth none
line vty 0 15
login authentication default
password sanfran
line console 0
login authentication no_auth
Lab:
sw:
username admin password cisco
aaa new-model
radius-server host 150.1.45.241 key cisco
test aaa group radius acsuser cisco new-code
aaa authentication login noacs none
line con 0
login authentication noacs
password cisco
aaa authentication login acs.authen group radius local
line vty 0 15
login authentication acs.authen
802.1X port-based authentication
Physical access control
Routers can also act as an 802.1X client (supplicant).
802.1X must use a RADIUS server, and named method lists are not supported: only the default list can be used.
Configuration:
aaa new-model
radius-server host 10.1.1.50 auth-port 1812 key xyz123
aaa authentication dot1x default group radius
dot1x system-auth-control
int f0/1
description access port
switchport mode access
dot1x port-control auto
Lab:
sw:
aaa authentication dot1x default group radius
dot1x system-auth-control
interface f0/2 (enable 802.1X on the interface)
dot1x port-control auto
show dot1x interface f0/2 details
r2: (the router acts as the client/supplicant)
dot1x credentials test (the name is arbitrary)
username acsuser
password cisco
interface f0/0
dot1x pae supplicant (802.1X supplicant role)
dot1x credentials test
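Tying the port-security and 802.1X sections together, here is an added example (not from the page): a small Python audit that parses an IOS running-config, reports which access ports have neither port security nor 802.1X, and shows the effective maximum/violation settings where port security is on. The running-config text is constructed for the example.

```python
# Added example, not from the page; the running-config below is constructed.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation restrict
 switchport port-security mac-address sticky
interface FastEthernet0/2
 switchport mode access
 dot1x port-control auto
interface FastEthernet0/3
 switchport mode access
!
"""

def parse_interfaces(config):
    """Map each 'interface X' block to the list of its indented commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or another top-level line ends the block
    return blocks

def audit(config):
    """Per access port: protection flags and effective port-security settings."""
    report = {}
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue  # trunks and routed ports are out of scope here
        psec = "switchport port-security" in lines
        opts = dict(cmd.rsplit(" ", 1) for cmd in lines if cmd.startswith(
            ("switchport port-security maximum", "switchport port-security violation")))
        report[name] = {
            "port_security": psec,
            "dot1x": "dot1x port-control auto" in lines,
            # IOS defaults once port-security is on: maximum 1, violation shutdown
            "max_macs": int(opts.get("switchport port-security maximum", "1")) if psec else None,
            "violation": opts.get("switchport port-security violation", "shutdown") if psec else None,
        }
    return report

def unprotected(config):
    """Access ports with neither port-security nor 802.1X enabled."""
    return sorted(n for n, r in audit(config).items() if not (r["port_security"] or r["dot1x"]))
```

Run it against `show running-config` output saved to a file to get the list of ports where a rogue switch, AP or hub could still be plugged in without any Layer-2 check.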