【Ethernet Security Experiment】--- Port Security / Preventing MAC Address Flapping / Preventing DHCP Server Spoofing / MAC Address Table Security

Foreword:

These are some very common Ethernet security technologies, and they are not difficult. I have been in a bad mood recently, so the explanations are not very detailed. Sorry! The mind map has been converted to PDF and uploaded, and can be downloaded for free.
[Image: mind map of the Ethernet security topics covered below]

1. Port security

Configuration requirements:

1. Each access layer device may be connected to only one PC.
2. Penalize a port that is connected to multiple PCs by shutting the port down.
[Figure: topology for the port security experiment]
Note: LSW3 in the picture is not used, so it is not configured.

Configuration ideas:
1. Enable port security
2. Specify the port security type
3. Specify the penalty action

Experimental steps:
The usual rule is to configure the Layer 2 interfaces first and then complete the requirements.

LSW2

sysname lsw2
vlan batch 10
interface Ethernet0/0/1
 port link-type access
 port default vlan 10
interface Ethernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10

LSW1

sysname lsw1
vlan batch 10
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10

After the Layer 2 configuration is complete, we configure the PC gateway (so that the PCs can reach the network).

LSW1

interface Vlanif10
 ip address 192.168.1.254 255.255.255.0
#

The PCs can now communicate normally; next we complete the requirements.

LSW2

#
interface Ethernet0/0/1
 port link-type access
 port default vlan 10
 port-security enable
 # Maximum number of MAC addresses allowed on this interface (the default is also 1); note that binding is first come, first served
 port-security max-mac-num 1
 # Penalty action: shut the port down
 port-security protect-action shutdown
 # Port security mode: sticky (the learned source MAC address is automatically bound as a static entry)
 port-security mac-address sticky

Test results:
We first used a normal host to access the network, and found that the switch works normally and automatically binds the learned source MAC address statically.
[Screenshot: sticky MAC entry learned on Ethernet0/0/1]
Then we used the rogue host for the test, and found that it could not access the network and the port was forcibly shut down.
[Screenshot: port shut down after the second MAC address appeared]
The configuration is complete and the test is successful.
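To make the first-come-first-served behaviour of `port-security max-mac-num 1` with sticky learning and the `shutdown` penalty concrete, here is an added example (not code from the original post) that models those decision rules in Python and runs a constructed sequence of frames through one port. The MAC addresses and port names are made up for the demonstration; the model is a simplification of the real switch and covers only what the section describes.

```python
"""Simplified model of port security: sticky MAC learning, max-mac-num
and the protect-action penalty. Added example, not the original post's
configuration; MACs and port names below are constructed."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class SecurePort:
    name: str
    max_mac_num: int = 1               # port-security max-mac-num 1 (default is 1)
    protect_action: str = "shutdown"   # shutdown | restrict | protect
    sticky: Set[str] = field(default_factory=set)  # sticky-bound source MACs
    is_shutdown: bool = False

    def receive(self, src_mac: str) -> str:
        """Decide what happens to a frame arriving with source MAC src_mac."""
        if self.is_shutdown:
            return "dropped: port is shut down"
        mac = src_mac.lower()
        if mac in self.sticky:
            return "forwarded: sticky MAC"
        if len(self.sticky) < self.max_mac_num:
            # First come, first served: the first MAC seen is bound statically.
            self.sticky.add(mac)
            return "forwarded: learned and bound sticky"
        # Limit exceeded: apply the configured penalty to this violation.
        if self.protect_action == "shutdown":
            self.is_shutdown = True
            return "violation: port shut down"
        if self.protect_action == "restrict":
            return "violation: dropped and alarmed"
        return "violation: dropped"  # protect: silently discard


def run_scenario(frames: List[str], action: str = "shutdown") -> Tuple[List[Tuple[str, str]], SecurePort]:
    """Feed a list of source MACs into one secured port and return the verdicts."""
    port = SecurePort("Ethernet0/0/1", protect_action=action)
    return [(mac, port.receive(mac)) for mac in frames], port


if __name__ == "__main__":
    # Constructed traffic: legitimate PC, then a second host on the same port.
    verdicts, p = run_scenario(["5489-98AA-0001", "5489-98AA-0001",
                                "5489-98BB-0002", "5489-98AA-0001"])
    for mac, verdict in verdicts:
        print(f"{mac}: {verdict}")
    print("port shut down:", p.is_shutdown, "sticky:", p.sticky)
```

The last frame in the scenario comes from the legitimate PC, yet it is dropped too: with `protect-action shutdown` the whole port is penalized, which is exactly why the real PC in the test above lost connectivity once the rogue host was plugged in. Running the same frames with `action="restrict"` shows the alternative, where only the offending MAC is dropped and the legitimate sticky MAC keeps working.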


2. Preventing MAC address flapping (simple)

Configuration requirements:
Protect the server by preventing MAC address table flapping.
Configuration steps:
Enable the MAC address flapping detection function.

int vlan 10
// Already present by default, so this does not need to be configured
mac-address flapping detection
// Check for flapping
display mac-address flapping record

Raise the MAC learning priority on the server-facing link (the larger the value, the higher the priority):

interface GigabitEthernet0/0/1
 mac-learning priority 3
#

Configuration is complete!


3. Preventing DHCP server spoofing attacks (interface mode)

Experiment requirements:
1. Configure it on the interfaces.
2. Use the DHCP Snooping function to secure the network.
Configuration ideas in interface view:
1. Enable the DHCP Snooping function globally.
2. Enable it specifically on the ports that need it.
3. Configure the port facing the legitimate DHCP server as trusted.
Configuration ideas in VLAN view:
1. Enable the DHCP Snooping function globally.
2. Enter the VLAN and enable the DHCP Snooping function there.
3. Configure the trusted port in the VLAN (note: this takes effect for all hosts in the VLAN).

Experimental steps:

The commands are relatively simple and direct:

dhcp enable
dhcp snooping enable ipv4
interface GigabitEthernet0/0/1
 dhcp snooping enable
interface GigabitEthernet0/0/2
 dhcp snooping enable
interface GigabitEthernet0/0/3
 dhcp snooping enable
 // Configure the trusted interface (the one facing the legitimate DHCP server)
 dhcp snooping trusted
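The rule DHCP snooping enforces is simple: DHCP server messages (OFFER, ACK, NAK) are only accepted on trusted ports, while client messages are accepted anywhere. The following is an added example (not code from the original post) that models that filter and the binding table it builds, driven by a constructed DHCP exchange; the port names follow the configuration above, and the MAC and IP values are made up.

```python
"""Model of the DHCP snooping filter: server replies are dropped on
untrusted ports, client requests pass, and ACKs on trusted ports fill the
snooping binding table. Added example; packet values are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List

SERVER_MSGS = {"OFFER", "ACK", "NAK"}
CLIENT_MSGS = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}


@dataclass
class DhcpPacket:
    in_port: str       # interface the packet arrived on
    msg_type: str      # DHCP message type option (53)
    client_mac: str    # chaddr
    yiaddr: str = ""   # address offered/acknowledged, empty in client messages


class DhcpSnooping:
    def __init__(self, snooping_ports: Iterable[str], trusted_ports: Iterable[str]):
        self.snooping_ports = set(snooping_ports)  # ports with "dhcp snooping enable"
        self.trusted = set(trusted_ports)          # ports with "dhcp snooping trusted"
        self.bindings: Dict[str, str] = {}         # client MAC -> leased IP

    def handle(self, pkt: DhcpPacket) -> str:
        """Return the switch's verdict for one DHCP packet."""
        if pkt.in_port not in self.snooping_ports:
            return "forwarded: snooping not enabled on this port"
        if pkt.msg_type in SERVER_MSGS:
            if pkt.in_port not in self.trusted:
                # This is the spoofed-server case: a reply from an untrusted port.
                return "dropped: server reply on untrusted port"
            if pkt.msg_type == "ACK":
                self.bindings[pkt.client_mac.lower()] = pkt.yiaddr
            return "forwarded: server reply on trusted port"
        if pkt.msg_type in CLIENT_MSGS:
            return "forwarded: client request"
        return "dropped: unknown DHCP message type"


def run_exchange(snoop: DhcpSnooping, packets: List[DhcpPacket]) -> List[str]:
    return [snoop.handle(p) for p in packets]


if __name__ == "__main__":
    # GigabitEthernet0/0/3 is trusted, as in the configuration above.
    snoop = DhcpSnooping(["GigabitEthernet0/0/1", "GigabitEthernet0/0/2", "GigabitEthernet0/0/3"],
                         ["GigabitEthernet0/0/3"])
    exchange = [
        DhcpPacket("GigabitEthernet0/0/1", "DISCOVER", "5489-0000-0001"),
        DhcpPacket("GigabitEthernet0/0/2", "OFFER", "5489-0000-0001", "192.168.1.200"),  # rogue server
        DhcpPacket("GigabitEthernet0/0/3", "OFFER", "5489-0000-0001", "192.168.1.100"),  # real server
        DhcpPacket("GigabitEthernet0/0/1", "REQUEST", "5489-0000-0001"),
        DhcpPacket("GigabitEthernet0/0/3", "ACK", "5489-0000-0001", "192.168.1.100"),
    ]
    for pkt, verdict in zip(exchange, run_exchange(snoop, exchange)):
        print(f"{pkt.in_port} {pkt.msg_type:8s} -> {verdict}")
    print("bindings:", snoop.bindings)
```

The first OFFER in the exchange is discarded because it arrives on an untrusted port, so the client only ever sees the lease from the legitimate server, and the resulting binding table is what later features such as DAI or IP source guard would check against.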

4. MAC address table security

Configuration requirements:

Party A needs a secure network access environment: create static MAC address entries here, and statically bind the important servers and the gateway.
[Figure: topology for the MAC address table security experiment]

Experimental steps:
The basic Layer 2 configuration is omitted, as it is too simple.

Configuration commands
For the server:
In system view (global):
mac-address static 5489-9851-03C1 g 0/0/2 vlan 10
Check with: display mac-address

Experimental result:
Test screenshot after configuration:
After masquerading as the server, the host cannot communicate with other devices; its frames are blocked at port g0/0/1.
[Screenshot: ping failure after the MAC address was changed]

Thinking question:
You can try forging a MAC address yourself. Can you fool the switch? For example, if you change the MAC address of a device connected to the same switch as the server, can you ping other devices before the change, and can you still ping them after the change? Where did the packets go?

Answer: before the change you can ping other devices; after changing PC3's MAC address to the server's address you cannot, because the server MAC is bound to g0/0/2, and the switch SWD directly discards any frame whose source MAC is the server's MAC that is received on a port other than g0/0/2.
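Sections 2 and 4 both protect the server's MAC address table entry, one with `mac-learning priority` and one with a static entry, and the answer above describes the resulting behaviour. The following added example (not code from the original post) models a MAC address table with both mechanisms and replays the thinking question: the server's MAC from the configuration above (5489-9851-03C1) is bound statically to g0/0/2, then a frame with that source MAC arrives on g0/0/1. A second scenario uses constructed MACs to show the learning-priority case and the flapping record. The model is a simplification of the real switch.

```python
"""Model of MAC address table security: static entries pin a MAC to a port,
mac-learning priority decides which port wins a dynamic move, and every
move attempt is written to the flapping record. Added example; the MACs
in the priority scenario are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Entry:
    port: str
    static: bool = False


@dataclass
class MacTable:
    vlan: int
    learning_priority: Dict[str, int] = field(default_factory=dict)  # port -> mac-learning priority (default 0)
    entries: Dict[str, Entry] = field(default_factory=dict)
    flapping_record: List[str] = field(default_factory=list)         # display mac-address flapping record

    def add_static(self, mac: str, port: str) -> None:
        """mac-address static <mac> <port> vlan <vlan>"""
        self.entries[mac.lower()] = Entry(port, static=True)

    def _prio(self, port: str) -> int:
        return self.learning_priority.get(port, 0)

    def learn(self, src_mac: str, in_port: str) -> str:
        """Source-MAC learning for one frame; returns the switch's verdict."""
        mac = src_mac.lower()
        cur = self.entries.get(mac)
        if cur is None:
            self.entries[mac] = Entry(in_port)
            return "forwarded: learned"
        if cur.port == in_port:
            return "forwarded: known"
        if cur.static:
            # A static entry never moves; the frame from the wrong port is discarded.
            return f"dropped: {mac} is statically bound to {cur.port}"
        # Dynamic entry seen on a different port: this is a MAC flap.
        self.flapping_record.append(f"vlan {self.vlan} mac {mac} {cur.port} -> {in_port}")
        if self._prio(in_port) < self._prio(cur.port):
            # The existing port has higher learning priority, so the entry stays.
            return f"dropped: {cur.port} has higher mac-learning priority"
        cur.port = in_port
        return "forwarded: entry moved"


def demo_static_binding() -> Tuple[str, str]:
    """Section 4: PC3 on g0/0/1 forges the server MAC bound to g0/0/2."""
    table = MacTable(vlan=10)
    table.add_static("5489-9851-03C1", "GigabitEthernet0/0/2")
    from_server = table.learn("5489-9851-03C1", "GigabitEthernet0/0/2")
    from_pc3 = table.learn("5489-9851-03C1", "GigabitEthernet0/0/1")
    return from_server, from_pc3


def demo_learning_priority() -> Tuple[List[str], List[str]]:
    """Section 2: server link g0/0/1 has mac-learning priority 3 (constructed MAC)."""
    table = MacTable(vlan=10, learning_priority={"GigabitEthernet0/0/1": 3})
    verdicts = [
        table.learn("5489-0000-00aa", "GigabitEthernet0/0/1"),  # real server
        table.learn("5489-0000-00aa", "GigabitEthernet0/0/2"),  # forged on a lower-priority port
        table.learn("5489-0000-00aa", "GigabitEthernet0/0/1"),  # server keeps working
    ]
    return verdicts, table.flapping_record


if __name__ == "__main__":
    print(demo_static_binding())
    print(demo_learning_priority())
```

Without the static entry or the raised priority, the second scenario would end with "forwarded: entry moved" and the server's traffic would be delivered to the forging host's port until the server sent its next frame; the flapping record still captures the move, which is what `display mac-address flapping record` lets you spot after the fact.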


Origin blog.csdn.net/xiaobai729/article/details/124368999