SECURITY

edge & DMZ      core & distribution      access
firewall        routers                  switch

1. MAC flooding attacks
CAM table overflow / ARP / MAC flooding: once the CAM table is full the switch floods unknown unicast out every port, so the attacker's port receives traffic that was never addressed to it
control which MACs may send on a port: port-security
port-security (shut the port down first, finish the security config, then no shutdown)
conf ter
interface fastethernet 0/0
switchport port-security  (the port must be a static access or trunk port, not dynamic/DTP)
switchport port-security {maximum value | mac-address mac}
switchport port-security violation {shutdown | restrict | protect}  (shutdown --> err-disabled)
switchport port-security mac-address sticky
switchport port-security aging static
spanning-tree portfast
conf ter
errdisable recovery cause psecure-violation
errdisable recovery interval 30
show errdisable recovery
show port-security
show port-security interface fastethernet 0/0
show port-security address

restrict traffic by MAC (drop frames to or from one MAC in a VLAN)
mac-address-table static 0010.7b80.7b9b vlan 1 drop

block flooding of unknown unicast & multicast out of a port
switchport block {unicast | multicast}
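
The flooding mechanism above, as an added example that is not part of the original notes: a toy learning switch with a deliberately tiny CAM table. Without port-security the attacker's bogus source MACs evict the real entries and a later A-to-B unicast is flooded to the attacker's port; with a one-MAC limit in shutdown mode the attacker's second address err-disables the port. The CAM size, port numbers and MAC addresses are all constructed for illustration.

```python
# Added example, not from the original notes: a toy learning switch that shows
# why MAC flooding works (a full CAM table makes the switch flood unknown
# unicast like a hub) and how port-security with a per-port MAC limit stops it.
# The CAM size, ports and MAC addresses are all constructed for illustration.
from collections import OrderedDict

CAM_SIZE = 8  # assumed tiny CAM so the overflow is visible


class Switch:
    def __init__(self, ports, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam = OrderedDict()            # mac -> port; oldest entry evicted when full
        self.max_macs = max_macs_per_port   # None = no port-security on any port
        self.err_disabled = set()
        self.violations = 0

    def _learn(self, mac, in_port):
        """Learn src MAC on in_port; False if port-security (violation mode shutdown) rejects it."""
        if self.max_macs is not None:
            on_port = {m for m, p in self.cam.items() if p == in_port}
            if mac not in on_port and len(on_port) >= self.max_macs:
                self.violations += 1
                self.err_disabled.add(in_port)   # shutdown mode: port goes err-disabled
                return False
        if mac not in self.cam and len(self.cam) >= CAM_SIZE:
            self.cam.popitem(last=False)          # table full: evict the oldest entry
        self.cam[mac] = in_port
        return True

    def forward(self, src, dst, in_port):
        """Return the set of ports the frame leaves on."""
        if in_port in self.err_disabled or not self._learn(src, in_port):
            return set()
        if dst in self.cam:
            return {self.cam[dst]}
        return set(self.ports) - {in_port}        # unknown unicast: flood


def run(port_security):
    """Attacker on port 3 floods fake MACs; returns where a later A->B frame goes."""
    sw = Switch(ports=[1, 2, 3], max_macs_per_port=1 if port_security else None)
    host_a, host_b = "0000.0000.000a", "0000.0000.000b"
    sw.forward(host_a, host_b, in_port=1)    # A and B learn each other normally
    sw.forward(host_b, host_a, in_port=2)
    for i in range(10):                       # flood: 10 distinct bogus source MACs
        sw.forward(f"0200.0000.{i:04x}", "ffff.ffff.ffff", in_port=3)
    reached = sw.forward(host_a, host_b, in_port=1)
    return reached, sw


if __name__ == "__main__":
    print("no port-security:", run(False)[0])   # A->B is flooded to port 3 as well
    print("port-security   :", run(True)[0])    # A->B reaches port 2 only
```

`run(False)` returns `{2, 3}` because both real entries were aged out of the table by the flood; `run(True)` returns `{2}` and leaves port 3 err-disabled after a single violation, which is exactly the state `show port-security interface` reports on a real switch.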

2. VLAN attacks
VLAN hopping (switch spoofing: the attacker's port negotiates a trunk over DTP)
VLAN hopping with double tagging (works only when the attacker's access VLAN is the trunk's native VLAN; also move the native VLAN to an unused VLAN with switchport trunk native vlan, or tag it with vlan dot1q tag native)
conf ter
interface fastethernet 0/1  (every user-facing port; port number assumed)
switchport mode access  (static access port, no DTP negotiation)
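
The double-tagging case described above, as an added example that is not part of the original notes: it builds an 802.1Q double-tagged frame byte for byte and models the two switches in the path. The edge switch accepts a frame tagged with the attacker's own access VLAN, strips that tag, and sends native-VLAN traffic up the trunk untagged; the inner tag is then the only tag the upstream switch sees. The VLAN numbers, MAC addresses and topology are constructed for illustration.

```python
# Added example, not from the original notes: build an 802.1Q double-tagged
# frame and model how the trunk's native VLAN decides whether the inner tag
# "hops". MACs, VLAN numbers and the two-switch topology are all assumed.
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def build_frame(dst, src, vids, ethertype=0x0800, payload=b"\x00" * 46):
    """Ethernet frame with zero or more stacked 802.1Q tags (outermost first)."""
    tags = b"".join(struct.pack("!HH", TPID, vid & 0x0FFF) for vid in vids)
    return mac_bytes(dst) + mac_bytes(src) + tags + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VIDs outermost first, offset of the EtherType field)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, off


def strip_outer_tag(frame):
    return frame[:12] + frame[16:]


def add_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Edge switch, access port: untagged frames join access_vlan; a frame tagged
    with the access VLAN's own VID is accepted and its tag removed; any other tag
    is dropped. Returns (vlan, frame) or (None, None) when dropped."""
    vids, _ = parse_tags(frame)
    if not vids:
        return access_vlan, frame
    if vids[0] == access_vlan:
        return access_vlan, strip_outer_tag(frame)
    return None, None


def trunk_egress(frame, vlan, native_vlan, tag_native=False):
    """Edge switch sends the frame up the trunk: the native VLAN goes untagged
    unless 'vlan dot1q tag native' is configured."""
    if vlan == native_vlan and not tag_native:
        return frame
    return add_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    """Upstream switch classifies by the outer tag, or the native VLAN if untagged."""
    vids, _ = parse_tags(frame)
    return vids[0] if vids else native_vlan


def hop_result(native_vlan, tag_native=False, attacker_vlan=1, target_vlan=20):
    """VLAN the upstream switch delivers the attacker's double-tagged frame into."""
    frame = build_frame("ffff.ffff.ffff", "aaaa.bbbb.cccc", [attacker_vlan, target_vlan])
    vlan, frame = access_ingress(frame, attacker_vlan)
    if vlan is None:
        return None
    wire = trunk_egress(frame, vlan, native_vlan, tag_native)
    return trunk_ingress(wire, native_vlan)


if __name__ == "__main__":
    print("native VLAN 1, untagged :", hop_result(native_vlan=1))              # 20: hop succeeds
    print("native VLAN 999         :", hop_result(native_vlan=999))            # 1: stays put
    print("native VLAN 1, tagged   :", hop_result(native_vlan=1, tag_native=True))  # 1
```

The attack is unidirectional: the victim in VLAN 20 cannot answer the attacker through the same trick, which is why it is mostly useful for injection and DoS rather than for a full session. Either fix shown in the last two lines, an unused native VLAN or tagging the native VLAN, keeps the outer tag on the wire so the upstream switch never sees the inner one.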

VACL
match on IP/MAC --> forward/drop
conf ter
vlan access-map map_name [seq#]
match {ip address {1-199 | 1300-2699 | acl_name} | ipx address {800-999 | acl_name} | mac address acl_name}
action {drop [log] | forward [capture] | redirect {type slot/port | port-channel channel_id}}
vlan filter map_name vlan-list list

private VLAN (one primary VLAN plus secondary VLANs: isolated VLAN and community VLAN)
promiscuous: communicates with all other ports
isolated: communicates only with promiscuous ports
community: communicates with other members of the same community and with all promiscuous ports
VTP mode must be transparent (VTP v1/v2 do not carry private VLANs)
steps: create the primary and secondary VLANs and associate them
then assign ports to the VLANs

switches whose IOS supports private VLANs
conf ter
vtp mode transparent
vlan 20
private-vlan primary
exit
vlan 501
private-vlan community
exit
vlan 502
private-vlan isolated
exit
vlan 20
private-vlan association 501,502
exit

conf ter
interface f 0/1
switchport mode private-vlan promiscuous
switchport private-vlan mapping 20 501,502
spanning-tree portfast
no shutdown

conf ter
interface range f 0/2 f 0/3
switchport mode private-vlan host
switchport private-vlan host-association 20 501
spanning-tree portfast
no shutdown

conf ter
interface range f 0/4 f 0/5
switchport mode private-vlan host
switchport private-vlan host-association 20 502
spanning-tree portfast
no shutdown

management SVI on the switch (routes for the secondary VLANs)
conf ter
interface vlan 20
ip add 1.1.1.100 255.255.255.0
private-vlan mapping 501,502
no shutdown
exit
ip routing


older / lower-end switches without private VLAN support: protected ports (PVLAN edge; protected ports cannot talk to each other but can reach unprotected ports, and the isolation holds only within one switch)
interface f0/0
switchport protected
interface f0/1
switchport protected

3. spoofing attacks
DHCP spoofing attacks
R1 is the rogue DHCP server
R2 is the legitimate DHCP server
R3 is the DHCP client
setup
all ports in the same VLAN
all access ports
spanning-tree portfast on all of them
R1 hands out 1.1.1.0/24 (rogue)
ip dhcp pool DAVY
network 1.1.1.0 /24

R2 hands out 2.2.2.0/24 (legitimate)
ip dhcp pool DAVY
network 2.2.2.0 /24

on the switch
ip dhcp snooping
ip dhcp snooping vlan 1  (enabled per VLAN; every port starts untrusted, so server messages arriving on untrusted ports are dropped)
interface fastethernet 0/2  (port toward R2)
ip dhcp snooping trust

also needed on R2
ip dhcp relay information trust-all  (snooping inserts option 82 with giaddr 0.0.0.0; an IOS DHCP server drops such packets unless told to trust them; alternative: no ip dhcp snooping information option on the switch)

on the switch port toward R1: limit the rate of DHCP packets (DISCOVER flooding)
ip dhcp snooping limit rate 1  (packets per second on that interface; exceeding it err-disables the port)

on the switch, client-facing port (IP Source Guard: blocks spoofed source addresses / DoS)
interface fastethernet 0/3
ip verify source [vlan dhcp-snooping] port-security  (filters on the IP and MAC from the snooping binding; needs port-security on the port; the vlan dhcp-snooping keyword exists only on some platforms)

ARP spoofing (DAI & DHCP snooping)
temporary workaround: static ARP bindings
configured between the legitimate gateway router and the PC
router:
arp 10.1.1.2 aaaa.bbbb.cccc arpa
show arp
PC (the IOS "arpa" keyword does not apply here; Windows: arp -s 10.1.1.2 aa-aa-bb-bb-cc-cc, Linux: arp -s 10.1.1.2 aa:aa:bb:bb:cc:cc)


dynamic ARP inspection

client (switch port 0/1 toward it is untrusted)
interface fastethernet 0/1
ip address dhcp
suppose it is compromised and spoofs its MAC
interface fastethernet 0/1
mac-address aaaa.bbbb.cccc  (its ARP packets no longer match the snooping binding and are denied)


switch (port 0/2 toward the DHCP server is trusted)
ip arp inspection vlan 1
interface f 0/2  (legitimate server)
ip arp inspection trust

int f 0/1
ip arp inspection limit rate 10  (ARP packets per second on the untrusted port, default 15; exceeding it err-disables the port)

show ip arp  (ARP table; DAI counters: show ip arp inspection)
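
The three features of this section share one data structure, the DHCP snooping binding table, so the following added example (not part of the original notes) models them together: snooping accepts server messages only from trusted ports and records the client's binding on an ACK, DAI checks the ARP sender fields of untrusted ports against that table and err-disables a port that exceeds the ARP rate, and IP Source Guard with port-security checks both the source IP and the source MAC of data packets. Port numbers, MAC addresses, IP addresses, the rate limit and every message in the scenario are constructed; the model counts ARP packets within a single simulated second.

```python
# Added example, not from the original notes: a model of the DHCP snooping
# binding table and of the two features that consume it, Dynamic ARP Inspection
# (DAI) and IP Source Guard. Ports, MACs, addresses and messages are constructed.
from collections import defaultdict


class SnoopingSwitch:
    def __init__(self, trusted_ports, arp_rate_limit=10):
        self.trusted = set(trusted_ports)
        self.bindings = {}                   # (client mac, client port) -> ip
        self.pending = {}                    # client mac -> port its DISCOVER/REQUEST came in on
        self.arp_rate_limit = arp_rate_limit  # assumed ARP packets per second per untrusted port
        self.arp_seen = defaultdict(int)     # port -> ARP packets in the current (simulated) second
        self.err_disabled = set()
        self.log = []

    def dhcp(self, port, kind, client_mac, ip=None):
        """Client messages (DISCOVER/REQUEST) are noted; server messages (OFFER/ACK)
        are accepted from trusted ports only, and an ACK creates the binding."""
        if kind in ("DISCOVER", "REQUEST"):
            self.pending[client_mac] = port
            return True
        if port not in self.trusted:
            self.log.append(f"drop {kind} from rogue server on untrusted port {port}")
            return False
        if kind == "ACK":
            self.bindings[(client_mac, self.pending[client_mac])] = ip
        return True

    def arp(self, port, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender MAC/IP must match a binding on that port."""
        if port in self.err_disabled:
            return False
        if port in self.trusted:
            return True
        self.arp_seen[port] += 1
        if self.arp_seen[port] > self.arp_rate_limit:
            self.err_disabled.add(port)
            self.log.append(f"err-disable port {port}: ARP rate limit exceeded")
            return False
        if self.bindings.get((sender_mac, port)) != sender_ip:
            self.log.append(f"DAI drop on port {port}: {sender_ip} is not bound to {sender_mac}")
            return False
        return True

    def ip_packet(self, port, src_mac, src_ip):
        """IP Source Guard with port-security: source IP and MAC must match a binding on the port."""
        if port in self.trusted:
            return True
        return self.bindings.get((src_mac, port)) == src_ip


def scenario():
    """Constructed run: rogue R1 on port 1, legitimate R2 on trusted port 2,
    client on port 3, attacker on port 4. Returns (results, switch)."""
    sw = SnoopingSwitch(trusted_ports={2})
    gw_ip = "2.2.2.1"
    client, client_ip = "0000.0000.3333", "2.2.2.10"
    attacker = "aaaa.bbbb.cccc"
    r = {}
    sw.dhcp(3, "DISCOVER", client)
    r["rogue_offer"] = sw.dhcp(1, "OFFER", client, "1.1.1.10")   # R1's offer never reaches the client
    sw.dhcp(3, "REQUEST", client)
    r["legit_ack"] = sw.dhcp(2, "ACK", client, client_ip)         # binding (client, port 3) -> 2.2.2.10
    r["client_arp"] = sw.arp(3, client, client_ip)
    r["spoofed_gw_arp"] = sw.arp(4, attacker, gw_ip)              # attacker claims the gateway IP
    r["spoofed_ip_pkt"] = sw.ip_packet(4, attacker, client_ip)    # attacker borrows the client's IP
    r["client_ip_pkt"] = sw.ip_packet(3, client, client_ip)
    for _ in range(12):                                           # ARP flood from the attacker
        sw.arp(4, attacker, gw_ip)
    r["port4_err_disabled"] = 4 in sw.err_disabled
    return r, sw


if __name__ == "__main__":
    results, sw = scenario()
    for k, v in results.items():
        print(f"{k:18} {v}")
    print("\n".join(sw.log))
```

Only the legitimate server's ACK populates the table, which is why the rogue offer, the spoofed gateway ARP and the borrowed-IP packet all fail while the client's own traffic passes; the same dependency is the reason `ip verify source` and `ip arp inspection` do nothing useful on a VLAN where DHCP snooping has not been enabled first, or where hosts use static addresses without `ip source binding` entries.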

4. attacks on the switch device
CDP announces platform, IOS version and addresses to anyone on the segment; disable it where it is not needed
show cdp neighbors
show cdp neighbors detail
no cdp run  (global)
interface e 0/0
no cdp enable  (per interface)
lab
on R1
conf ter
int e 0/0
ip address 192.168.1.100 255.255.255.0
no shutdown
exit

username DAVY password amanda  (stored reversibly; prefer username DAVY secret amanda)
line vty 0 4
login local
exit


SSH (Secure Shell protocol)
show version  (an IOS image name containing "k9" is the crypto feature set, required for SSH)
conf ter
ip domain name davy.com
crypto key generate rsa [usage-keys | general-keys] modulus 512  (512 bits is far too weak and SSH version 2 requires at least 768; use modulus 2048)

username DAVY password amanda
line vty 0 4
login local
transport input ssh  (telnet is no longer accepted on the vty lines)
exit

client (Windows: use an SSH program; a router can ssh directly)
ssh -l DAVY 192.168.1.100

Reposted from davidlee1986.iteye.com/blog/1919389