2025-02-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
1. MAC flooding
Attack principle: because of the switch's automatic learning ability, the source MAC of each incoming data frame is mapped to the port it arrived on, forming a MAC address table that is stored in memory. If an attacker sends the switch a large number of data frames with forged source MACs, the switch will create a large number of MAC address entries for that interface, resulting in memory overflow.
Defense method: limit the number of hosts that can enter through a port, i.e. the number of MAC addresses the port is allowed to learn.
Enable this feature on access-layer ports:
Switch(config)# interface <interface>
// bind the MAC corresponding to this port statically
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address ?
  H.H.H  48 bit mac address
// learn the MAC address from incoming data frames dynamically, then convert it automatically to a static binding
Switch(config-if)# switchport port-security mac-address sticky
// limit the maximum number of MAC addresses allowed on this port
Switch(config-if)# switchport port-security maximum 2
// if the defined rule is violated, the default action is to shut down the interface automatically
Switch(config-if)# switchport port-security violation ?
  Protect   Security violation protect mode
  Restrict  Security violation restrict mode
  Shutdown  Security violation shutdown mode
Protect: when the rule is violated, the violating frames are discarded and the port stays up.
Restrict: when the rule is violated, an SNMP trap message is sent to the SNMP server, the violating frames are discarded, and the port stays up.
Verification:
Switch# show port-security address
          Secure Mac Address Table
-----------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
-----------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
Switch#show port-security interface f0/1
Port Security: Enabled
Port Status: Secure-down
Violation Mode: Shutdown
Aging Time: 0 mins
Aging Type: Absolute
SecureStatic Address Aging: Disabled
Maximum MAC Addresses: 2
Total MAC Addresses: 0
Configured MAC Addresses: 0
Sticky MAC Addresses: 0
Last Source Address:Vlan: 0000.0000.0000:0
Security Violation Count: 0
2. VLAN hopping attacks
1. VLAN hopping attack
Attack principle: by default the port mode of a switch is dynamic negotiation (dynamic auto or dynamic desirable), which may allow a trunk to form between a host and the switch.
This requires that the switch port was not explicitly configured in access mode, or was left at its default configuration; once the trunk forms, the switch sends flooded traffic from the other VLANs to the attacker's host.
Solution: shut down all unused interfaces; change the interface mode to access.
2. Double-tagged 802.1Q frame hopping attack
Attack principle: the attacker adds a tag for the target VLAN to the frames it sends, while the attacker's own VLAN is the native VLAN of the trunk between the switches. When the tagged frame reaches the first switch, that switch does not add another tag when forwarding it onto the trunk, because the frame belongs to the native VLAN. When the frame arrives at the next switch, that switch inspects the tag it sees, which is the inner tag carrying the target VLAN, and forwards the frame into the target VLAN.
Solution: first, set the native VLAN to a VLAN with no users on it;
second, tag the native VLAN as well.
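The following is an added configuration example (it is not from the original article) that applies both solutions on a Cisco IOS switch: unused ports are shut down, user ports are forced into access mode with DTP negotiation disabled, trunks use an unused native VLAN and the native VLAN is tagged. Interface names, the user VLAN 10, the unused VLAN 999 and the port ranges are assumptions chosen for illustration.

```cisco
! Added example, not from the original article. Interface names, VLAN 10
! (users), VLAN 999 (unused native VLAN) and the port ranges are assumed.

! 1) Unused ports: park them in an unused VLAN and shut them down
Switch(config)# interface range GigabitEthernet1/0/20 - 24
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 999
Switch(config-if-range)# shutdown

! 2) User-facing ports: force access mode and disable DTP, so a host
!    cannot negotiate a trunk (the first hopping variant)
Switch(config)# interface range GigabitEthernet1/0/1 - 19
Switch(config-if-range)# switchport mode access
Switch(config-if-range)# switchport access vlan 10
Switch(config-if-range)# switchport nonegotiate

! 3) Trunk toward the next switch: static trunk, native VLAN with no users,
!    and an explicit allowed-VLAN list (the double-tagging variant)
Switch(config)# interface GigabitEthernet1/1/1
Switch(config-if)# switchport trunk encapsulation dot1q   ! omit on platforms that only support dot1q
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport nonegotiate
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# switchport trunk allowed vlan 10,20,30

! 4) Tag the native VLAN on all trunks, so an untagged frame is no longer
!    accepted as native-VLAN traffic and the inner tag is never exposed
Switch(config)# vlan dot1q tag native

! Verify the result
Switch# show interfaces trunk
Switch# show interfaces GigabitEthernet1/0/1 switchport
```

In the `show interfaces trunk` output the native VLAN column should read 999 for every trunk, and `show interfaces ... switchport` on a user port should report "Administrative Mode: static access" and "Negotiation of Trunking: Off".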
3. DHCP snooping, DAI (dynamic ARP inspection), IP source guard
1. The methods above are used inside the enterprise network.
2. DHCP spoofing
Attack principle: obtaining an address through DHCP takes four steps:
Client sends a DHCP Discover message (broadcast) to find a DHCP server;
DHCP server sends an Offer response (broadcast) telling the client who the DHCP server is and which address it can assign;
Client sends a Request (broadcast) asking to obtain that address;
Server sends an ACK (broadcast).
If an attacker acts as a DHCP server and responds faster than the legitimate server, the client will accept the IP address, gateway and other information assigned by the attacker.
Defense principle: set the uplink interface toward the DHCP server as the trusted interface; all DHCP messages entering from the trusted interface are allowed, while the remaining interfaces are untrusted and DHCP offer messages are not allowed in from them. The access-layer hosts below are thus prevented from acting as a server, because the switch snoops DHCP on those interfaces and drops any offer that enters from them.
Deployment:
Step 1: turn on DHCP snooping
Step 2: set the VLANs on which to snoop
Step 3: set the DHCP snooping trust interface
Verification is done on the switch on which DHCP snooping is turned on;
the DHCP address binding information can also be viewed on the DHCP server.
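The three deployment steps and the verification, as an added Cisco IOS example that is not part of the original article. It assumes VLAN 10 is the user VLAN, GigabitEthernet1/1/1 is the uplink toward the legitimate DHCP server and GigabitEthernet1/0/1-19 are access ports; the DHCP rate limit and the option-82 setting go slightly beyond the article's steps and are included as common companion settings.

```cisco
! Added example, not from the original article. VLAN 10, the uplink
! Gi1/1/1 and the access-port range are assumptions.

! Step 1: turn on DHCP snooping globally
Switch(config)# ip dhcp snooping

! Step 2: select the VLAN(s) to snoop on
Switch(config)# ip dhcp snooping vlan 10

! Optional: stop inserting option 82; a DHCP server or relay that does not
! expect it may discard the client's requests
Switch(config)# no ip dhcp snooping information option

! Step 3: trust only the uplink toward the legitimate DHCP server.
! Every other port stays untrusted (the default), so an Offer or ACK
! arriving from an access port is dropped.
Switch(config)# interface GigabitEthernet1/1/1
Switch(config-if)# ip dhcp snooping trust

! Untrusted access ports: limit DHCP packets per second so a flood of
! Discover messages from one host cannot exhaust the address pool
Switch(config)# interface range GigabitEthernet1/0/1 - 19
Switch(config-if-range)# ip dhcp snooping limit rate 10

! Verification on the snooping switch: global state, trusted ports,
! and the binding table (MAC, IP, lease, VLAN, port) learned from real leases
Switch# show ip dhcp snooping
Switch# show ip dhcp snooping binding
```

A port that exceeds its rate limit is err-disabled; if that is not wanted, check the limit against the number of clients behind the port (for example a port feeding an unmanaged switch) before enabling it.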
3. DAI: dynamic ARP inspection
Principle of ARP spoofing: the attacker's MAC address replaces the gateway's MAC address in the victim's ARP table (as the destination MAC). ARP entries are dynamic, so later ARP information overwrites the original entry.
DAI defense principle: to use DAI, DHCP snooping must be turned on first. DHCP snooping leaves a binding table on the switch, a table of IP-to-MAC mappings.
With the uplink interface set as the trusted interface for DAI and the other interfaces untrusted, ARP messages entering from untrusted interfaces are inspected by DAI against the binding table; if the IP and MAC do not match, the message is discarded.
Deployment:
Step 1: turn on DHCP snooping
Step 2: turn on the DAI function for ARP
Step 3: set the DAI trust port, the upstream (uplink) interface
4. IP source guard feature
IP spoofing attack principle: the attacker forges the source IP address (the source MAC may be correct or also forged) and sends such data to other hosts; the forged source IP address belongs to a host that actually exists, which creates opportunities for DoS or DDoS attacks.
Defense principle: using the existing DHCP snooping binding information, the switch checks whether the source IP address and MAC address of data entering a port match the binding and whether the data should enter from that port; if not, the data is discarded. IP source guard is enabled on untrusted ports.
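One added Cisco IOS example, not from the original article, that covers both the DAI deployment steps above and IP source guard, since both rely on the same DHCP snooping binding table. It assumes VLAN 10, uplink GigabitEthernet1/1/1, access ports GigabitEthernet1/0/1-19, and one host on GigabitEthernet1/0/5 with a fixed address 192.0.2.50 and MAC 0011.2233.4455 (constructed values) that never uses DHCP.

```cisco
! Added example, not from the original article. VLAN, interface names,
! the static host's MAC and IP are assumptions.

! Step 1 (prerequisite): DHCP snooping builds the IP/MAC/VLAN/port bindings
Switch(config)# ip dhcp snooping
Switch(config)# ip dhcp snooping vlan 10

! Step 2: enable dynamic ARP inspection on the VLAN. The validate option
! additionally checks that the sender MAC inside the ARP body matches the
! Ethernet source MAC and that the IP addresses are not bogus (0.0.0.0, multicast)
Switch(config)# ip arp inspection vlan 10
Switch(config)# ip arp inspection validate src-mac dst-mac ip

! Step 3: the uplink is trusted for both DHCP snooping and DAI; ARP
! arriving from it is forwarded without inspection
Switch(config)# interface GigabitEthernet1/1/1
Switch(config-if)# ip dhcp snooping trust
Switch(config-if)# ip arp inspection trust

! Untrusted access ports: rate-limit ARP (15 pps is the DAI default) and
! enable IP source guard. With the port-security keyword the switch
! checks the source MAC as well as the source IP against the binding table.
Switch(config)# interface range GigabitEthernet1/0/1 - 19
Switch(config-if-range)# ip arp inspection limit rate 15
Switch(config-if-range)# switchport port-security
Switch(config-if-range)# ip verify source port-security

! A host with a fixed address never appears in the snooping table, so DAI
! and IP source guard would drop its traffic; add a static binding for it
Switch(config)# ip source binding 0011.2233.4455 vlan 10 192.0.2.50 interface GigabitEthernet1/0/5

! Verify: inspection state, drop counters, and the per-port filters
Switch# show ip arp inspection vlan 10
Switch# show ip arp inspection statistics vlan 10
Switch# show ip verify source
Switch# show ip source binding
```

A rising "DHCP Drops" or "ACL Drops" counter in `show ip arp inspection statistics` on a specific port is the detection signal for ARP spoofing attempts behind that port, and `show ip verify source` lists, per port, the IP and MAC the port is currently permitted to send with.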