2025-01-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
I. MAC binding
Port security lets a switch port be configured so that when a device with a MAC address that is not permitted connects, the switch either shuts the interface down or drops that device's traffic. It can also limit the number of MAC addresses allowed on a port.
Scenario simulation (Cisco Catalyst 3550)
The switch is configured so that only the host with MAC address 00e0.fc01.0000 may access the network through interface FastEthernet0/11.
S1(config)# interface f0/11
S1(config-if)# shutdown                                  // keep the port down while it is being configured
S1(config-if)# switchport mode access                    // port security requires a static access (or trunk) port, not a dynamic one
S1(config-if)# switchport port-security                  // enable port security on this interface
S1(config-if)# switchport port-security maximum 1        // allow at most one secure MAC address on the port, i.e. one device
S1(config-if)# switchport port-security violation shutdown
The command "switchport port-security violation {protect | shutdown | restrict}" chooses what happens when a frame arrives from a MAC address that is not one of the secure addresses after the maximum has already been reached:
- protect: frames from the unknown MAC address are dropped silently; the hosts already secured on the port keep working, and nothing is logged or counted.
- restrict: frames from the unknown MAC address are dropped just as with protect, but the switch also increments the violation counter and generates a syslog message and SNMP trap, so the administrator is notified. The new computer does not get access in this mode either.
- shutdown (the default): the interface goes into the err-disabled state, so neither the new computer nor the original one can communicate, until an administrator runs "shutdown" followed by "no shutdown" on the interface, or err-disable recovery has been enabled with "errdisable recovery cause psecure-violation".
S1(config-if)# switchport port-security mac-address 00e0.fc01.0000   // the only MAC address allowed on the port
S1(config-if)# no shutdown                               // bring the port back up now that the policy is in place
The result can be checked with "show port-security interface f0/11", which shows the violation mode, the secure address count and the current port status.
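To make the difference between the three violation modes concrete, here is an added Python model of the port-security behaviour configured above. It is example code written for this page, not Cisco code or anything from the original article; it assumes the IOS semantics summarised in the list (silent drop, drop with notification, err-disable) and replays a constructed sequence of frames on a port bound to 00e0.fc01.0000 with a maximum of one address.

```python
"""Model of Cisco IOS port-security violation handling.

Added example, not configuration or code from the article. Assumed
semantics: a port accepts at most `maximum` secure MAC addresses
(statically configured plus dynamically learned); a frame from any other
source MAC is a violation, handled according to the configured mode:
  protect  - drop the frame silently, port stays up
  restrict - drop the frame, count it and notify (syslog/SNMP trap on
             real hardware), port stays up
  shutdown - put the port into err-disabled; everything is dropped until
             an administrator clears the port
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    maximum: int = 1
    violation: str = "shutdown"                   # protect | restrict | shutdown
    static: set = field(default_factory=set)     # switchport port-security mac-address ...
    learned: set = field(default_factory=set)    # dynamically learned secure MACs
    err_disabled: bool = False
    violations: int = 0
    notifications: list = field(default_factory=list)

    def secure_macs(self) -> set:
        return self.static | self.learned

    def receive(self, src_mac: str) -> bool:
        """Process one ingress frame; True if forwarded, False if dropped."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return False                          # err-disabled port drops everything
        if src_mac in self.secure_macs():
            return True
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(src_mac)             # learn until the maximum is reached
            return True
        self.violations += 1                      # over the limit: a violation
        if self.violation == "protect":
            return False                          # silent drop, no record
        if self.violation == "restrict":
            self.notifications.append(f"psecure-violation src={src_mac}")
            return False                          # drop, but make it visible
        if self.violation == "shutdown":
            self.err_disabled = True
            self.notifications.append(f"err-disabled by src={src_mac}")
            return False
        raise ValueError(f"unknown violation mode {self.violation!r}")

    def clear(self) -> None:
        """Administrator runs 'shutdown' then 'no shutdown' on the interface."""
        self.err_disabled = False


def run_scenario(mode: str) -> dict:
    """Replay a constructed frame sequence on a port configured like f0/11:
    the bound host speaks, an intruder with another MAC speaks, then the
    bound host speaks again. Returns the outcome so the modes can be compared."""
    port = SecurePort(maximum=1, violation=mode, static={"00e0.fc01.0000"})
    frames = ["00e0.fc01.0000", "00e0.fc01.1234", "00e0.fc01.0000"]  # constructed
    return {
        "forwarded": [port.receive(mac) for mac in frames],
        "violations": port.violations,
        "err_disabled": port.err_disabled,
        "notifications": port.notifications,
    }


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, run_scenario(mode))
```

Running it shows the point the mode list makes: under protect and restrict the bound host keeps working after the intruder's frame, the difference being only that restrict leaves a record; under shutdown the bound host is cut off too until the port is cleared.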
II. ARP binding
ARP (Address Resolution Protocol) is the TCP/IP protocol that obtains a physical (MAC) address for a known IP address. A host broadcasts an ARP request for the target IP address; the node that owns that address replies with its MAC address, and the packet can then be framed and sent. RARP (Reverse ARP) does the opposite and was used by diskless workstations to learn their own IP address from their MAC address.
A static ARP binding fixes the mapping between an IP address and a MAC address in the device's ARP cache. The device no longer has to broadcast ARP requests for that host, and the entry cannot be overwritten by ARP replies from other hosts on the segment, so another host on this network segment cannot take over the IP address (ARP spoofing) to impersonate the bound host as far as this device is concerned.
Example:
[Quidway] arp static 129.102.0.1 00e0-fc01-0000 1 Ethernet 0/1
This binds IP address 129.102.0.1 to MAC address 00e0-fc01-0000 (Huawei writes MAC addresses as xxxx-xxxx-xxxx), reachable in VLAN 1 through port Ethernet0/1.
Scenario simulation (Huawei switch)
Only the host with IP address 192.168.1.200 and MAC address 00e0-fc01-0000 is allowed to perform routine remote maintenance on the switch.
[Quidway] acl number 2000
[Quidway-acl-basic-2000] rule 10 permit source 192.168.1.200 0.0.0.0
[Quidway-acl-basic-2000] rule 20 deny source any
[Quidway-acl-basic-2000] quit
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] acl 2000 inbound
[Quidway-ui-vty0-4] quit
Now only the host with IP address 192.168.1.200 can log in remotely. The remaining gap is a host that takes over the management host's IP address to pass the ACL, so that address is pinned to the real host's MAC address:
[Quidway] arp static 192.168.1.200 00e0-fc01-0000
After the binding, the switch sends every reply for 192.168.1.200 to MAC address 00e0-fc01-0000, so a host that only spoofs the IP address never receives the return traffic and cannot complete a login. Two limits are worth noting: an attacker who clones both the IP address and the MAC address looks identical to the ARP table, which is why this should be combined with the MAC binding on the access port from section I; and a static entry only protects the switch's own ARP cache, not the other hosts on the segment.
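The following added Python example (written for this page, not code from the article or from Huawei) audits a constructed list of observed ARP replies against a constructed binding table that combines the two controls just described: IP-to-MAC (arp static) and MAC-to-port (port security). The bindings, the replies and the port name Ethernet1/0/5 are assumptions. It shows which impersonation attempts each binding catches: an IP-only spoof is caught by the IP-to-MAC entry, and a host that clones both the IP and the MAC is only caught because the MAC is also tied to a port.

```python
"""Offline audit of observed ARP replies against static bindings.

Added example, not code from the article or from Huawei. The binding
table, the replies and the port names are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    port: str            # access port the host is bound to (port security)


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str
    sender_mac: str
    ingress_port: str    # port the reply arrived on


def normalize_mac(mac: str) -> str:
    """Accept Cisco (00e0.fc01.0000), Huawei (00e0-fc01-0000) or colon
    notation and return the Huawei xxxx-xxxx-xxxx form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


def audit(bindings, replies):
    """Return one (verdict, sender_ip, sender_mac, ingress_port) per reply."""
    by_ip = {b.ip: b for b in bindings}
    by_mac = {normalize_mac(b.mac): b for b in bindings}
    results = []
    for r in replies:
        mac = normalize_mac(r.sender_mac)
        bound = by_ip.get(r.sender_ip)
        if bound is not None and normalize_mac(bound.mac) != mac:
            verdict = "ip-spoof"          # bound IP claimed by a different MAC
        elif mac in by_mac and by_mac[mac].port != r.ingress_port:
            verdict = "mac-clone"         # bound MAC seen on a port it is not bound to
        elif mac in by_mac and by_mac[mac].ip != r.sender_ip:
            verdict = "ip-mismatch"       # bound MAC announcing some other IP
        else:
            verdict = "ok"
        results.append((verdict, r.sender_ip, mac, r.ingress_port))
    return results


def run_sample():
    """Constructed data for the scenario above: the management host is bound
    to 192.168.1.200 / 00e0-fc01-0000 on Ethernet1/0/5 (port assumed)."""
    bindings = [Binding("192.168.1.200", "00e0.fc01.0000", "Ethernet1/0/5")]
    replies = [
        ArpReply("192.168.1.200", "00e0-fc01-0000", "Ethernet1/0/5"),     # legitimate
        ArpReply("192.168.1.200", "00:e0:fc:01:99:99", "Ethernet1/0/7"),  # IP spoof only
        ArpReply("192.168.1.200", "00e0.fc01.0000", "Ethernet1/0/7"),     # IP + MAC clone
        ArpReply("192.168.1.50", "00e0-fc01-abcd", "Ethernet1/0/9"),      # unbound host
    ]
    return audit(bindings, replies)


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

The third reply is the case the ARP table alone cannot see: without the port column it would be indistinguishable from the legitimate first reply, which is the reason for pairing arp static with port security.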
III. VLAN
Placing each switch port in its own VLAN stops the ports from communicating with each other at Layer 2. In a broadband access scenario this means the households cannot reach each other directly, while each of them can still reach the uplink (which has to carry all of those VLANs, typically as a trunk or through a Layer 3 gateway).
IV. Port isolation
With the port isolation feature, the ports that need to be controlled are added to an isolation group. Ports in the same isolation group are isolated from each other at Layer 2 and Layer 3, which not only improves network security but also gives a flexible networking scheme: the hosts can share one VLAN and one gateway without being able to talk to each other.
When a port that belongs to a link-aggregation group is added to an isolation group, the other ports in the same aggregation group join the isolation group automatically.
Port isolation is available on both Layer 2 and Layer 3 switches.
On a Layer 2 switch only one isolation group can be created, and the ports in that group cannot communicate with each other.
Example (Huawei Layer 2 switch)
1. Networking requirements
Community users PC2, PC3 and PC4 are connected to switch ports Ethernet1/0/2, Ethernet1/0/3 and Ethernet1/0/4 respectively.
The switch is connected to the external network through port Ethernet1/0/1.
PC2, PC3 and PC4 must not be able to communicate with each other.
2. Network diagram (not reproduced on this page)
3. Configuration steps
# Add ports Ethernet1/0/2, Ethernet1/0/3 and Ethernet1/0/4 to the isolation group.
<Quidway> system-view
System View: return to User View with Ctrl+Z.
[Quidway] interface ethernet1/0/2
[Quidway-Ethernet1/0/2] port isolate
[Quidway-Ethernet1/0/2] quit
[Quidway] interface ethernet1/0/3
[Quidway-Ethernet1/0/3] port isolate
[Quidway-Ethernet1/0/3] quit
[Quidway] interface ethernet1/0/4
[Quidway-Ethernet1/0/4] port isolate
[Quidway-Ethernet1/0/4] quit
[Quidway]
# Display the ports in the isolation group.
[Quidway] display isolate port
Isolated port (s) on UNIT 1:
Ethernet1/0/2, Ethernet1/0/3, Ethernet1/0/4
Multiple isolation groups can be created on a Layer 3 switch. Ports in the same isolation group cannot communicate with each other, but they can communicate with ports in other isolation groups and with ports that are in no group.
Example (Huawei S3526)
1. Networking requirements
Community users PC2, PC3 and PC4 are connected to switch ports Ethernet1/0/2, Ethernet1/0/3 and Ethernet1/0/4 respectively.
The switch is connected to the external network through port Ethernet1/0/1.
PC2 and PC3 must not communicate with each other, but both must be able to communicate with PC4.
2. Network diagram (not reproduced on this page)
3. Configuration steps
# Isolate ports Ethernet1/0/2 and Ethernet1/0/3 from each other.
<Quidway> system-view
System View: return to User View with Ctrl+Z.
[Quidway] am enable
[Quidway] interface ethernet1/0/2
[Quidway-Ethernet1/0/2] am isolate ethernet1/0/3
[Quidway-Ethernet1/0/2] quit
# Because Ethernet1/0/3 has been specified as the isolated port under Ethernet1/0/2, there is no need to repeat the setting under Ethernet1/0/3: the relationship is symmetric, and Ethernet1/0/2 is automatically treated as the isolated port of Ethernet1/0/3. Ethernet1/0/4 appears in no isolation relationship, so PC4 can still reach both PC2 and PC3.
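The two examples above describe two different isolation models: a single isolation group on the Layer 2 switch, and pairwise, symmetric isolation declared with "am isolate" on the S3526. The added Python model below (written for this page, not vendor code) encodes both, plus the rule that members of a link-aggregation group enter the isolation group together, and computes the reachability matrix for the port names used in the examples. The aggregation of Ethernet1/0/3 and Ethernet1/0/4 in the last function is an assumed topology, not one from the article.

```python
"""Reachability under the two port-isolation models described above.

Added example, not vendor code. Assumed semantics, taken from the text:
 - Layer 2 switch: one isolation group; two ports cannot talk iff both are in it.
 - S3526 'am isolate': isolation is declared per port pair and is symmetric.
 - A port in a link-aggregation group brings the whole group into the isolation group.
"""
from itertools import permutations


class L2Isolation:
    """Single isolation group, as on the Layer 2 switch example."""

    def __init__(self, aggregations=()):
        self.group = set()
        self.aggregations = [set(a) for a in aggregations]   # link-aggregation groups

    def port_isolate(self, port):
        """'port isolate' under an interface: the port and, if it belongs to an
        aggregation group, all members of that group join the isolation group."""
        members = {port}
        for agg in self.aggregations:
            if port in agg:
                members |= agg
        self.group |= members

    def reachable(self, a, b):
        return a == b or not (a in self.group and b in self.group)


class L3Isolation:
    """Per-pair isolation ('am isolate'), as on the S3526 example."""

    def __init__(self):
        self.pairs = set()

    def am_isolate(self, port, isolated_port):
        self.pairs.add(frozenset((port, isolated_port)))    # symmetric by construction

    def reachable(self, a, b):
        return a == b or frozenset((a, b)) not in self.pairs


def matrix(model, ports):
    """{(src, dst): reachable} for every ordered pair of distinct ports."""
    return {(a, b): model.reachable(a, b) for a, b in permutations(ports, 2)}


PORTS = ["Ethernet1/0/1", "Ethernet1/0/2", "Ethernet1/0/3", "Ethernet1/0/4"]


def l2_example():
    """Layer 2 example: PC2, PC3 and PC4 all in the one isolation group."""
    m = L2Isolation()
    for p in PORTS[1:]:
        m.port_isolate(p)
    return matrix(m, PORTS)


def l3_example():
    """S3526 example: only Ethernet1/0/2 and Ethernet1/0/3 isolated, configured once."""
    m = L3Isolation()
    m.am_isolate("Ethernet1/0/2", "Ethernet1/0/3")
    return matrix(m, PORTS)


def aggregation_example():
    """Assumed topology: Ethernet1/0/3 and Ethernet1/0/4 form one aggregation group."""
    m = L2Isolation(aggregations=[{"Ethernet1/0/3", "Ethernet1/0/4"}])
    m.port_isolate("Ethernet1/0/2")
    m.port_isolate("Ethernet1/0/3")        # pulls Ethernet1/0/4 in as well
    return sorted(m.group)


if __name__ == "__main__":
    for name, result in (("L2", l2_example()), ("L3", l3_example())):
        print(name, {pair: ok for pair, ok in result.items() if not ok})
    print("aggregation:", aggregation_example())
```

In both models the uplink Ethernet1/0/1 is never isolated, so every PC keeps its path to the external network; only the PC-to-PC pairs differ between the two examples.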
On a Layer 3 switch, in addition to port isolation equivalent to that on a Layer 2 switch, a port can be bound to IP addresses. Port-to-IP binding only sees traffic that passes through the switch's Layer 3 function, for example traffic between VLANs, so that is where the technique applies; traffic that stays inside a VLAN is switched at Layer 2, never reaches the binding, and is not restricted by it.
Example (Huawei S3526)
1. Networking requirements
The gateway of VLAN 20 is port Ethernet1/0/2 of the switch.
The gateway of VLAN 30 is port Ethernet1/0/3 of the switch.
The switch is connected to the external network through port Ethernet1/0/1.
In VLAN 20, only the host with IP address 192.168.20.10 is allowed to communicate with the outside through port Ethernet1/0/2.
2. Network diagram (not reproduced on this page)
3. Configuration steps
# Set the port type
<Quidway> system-view
System View: return to User View with Ctrl+Z.
[Quidway] interface Ethernet 1/0/2
[Quidway-Ethernet1/0/2] port link-type access
[Quidway-Ethernet1/0/2] interface Ethernet 1/0/3
[Quidway-Ethernet1/0/3] port link-type access
[Quidway-Ethernet1/0/3] quit
# Create the VLANs, assign the ports and create the Layer 3 (SVI) interfaces
[Quidway] vlan 20
[Quidway-vlan20] port Ethernet 1/0/2
[Quidway-vlan20] vlan 30
[Quidway-vlan30] port Ethernet 1/0/3
[Quidway-vlan30] quit
[Quidway] interface Vlanif 20
[Quidway-Vlanif20] ip address 192.168.20.1 255.255.255.0
[Quidway-Vlanif20] interface Vlanif 30
[Quidway-Vlanif30] ip address 192.168.30.1 255.255.255.0
[Quidway-Vlanif30] quit
# Set the host allowed to pass through
[Quidway] am enable
[Quidway] interface ethernet1/0/2
[Quidway-Ethernet1/0/2] am ip-pool 192.168.20.10
[Quidway-Ethernet1/0/2] quit
# Now 192.168.20.10 is the only host in VLAN 20 whose traffic is forwarded through its gateway. Other hosts in VLAN 20 can still talk to each other inside the VLAN, as explained above, because that traffic never reaches the Layer 3 binding.
V. ACL (Layer 2 and Layer 3)
An ACL (Access Control List) is mainly used to identify traffic. Before a network device can filter packets it needs a series of matching rules that identify the packets to be filtered; once those packets have been identified, they can be permitted or denied according to the configured policy. An ACL classifies packets through a series of matching conditions, such as the packet's source address, destination address and port number.
The packet matching rules defined by an ACL can also be referenced by other functions that need to distinguish traffic, for example the traffic classification rules in QoS.
According to their purpose, ACLs fall into the following categories:
Basic ACL: rules are based only on the Layer 3 source IP address.
Advanced ACL: rules are based on Layer 3 and Layer 4 information such as the source IP address, the destination IP address, the protocol type carried by IP and protocol characteristics such as port numbers.
Layer 2 ACL: rules are based on Layer 2 information such as the source MAC address, destination MAC address, VLAN priority and Layer 2 protocol type.
Application of ACLs on the switch
1. ACLs delivered directly to hardware
An ACL on the switch can be delivered directly to the switch hardware, which then performs packet filtering and traffic classification during forwarding. In this case the order in which the rules of the ACL are matched is decided by the switch hardware; a matching order configured by the user when defining the ACL has no effect.
ACLs are delivered directly to hardware when, for example, the switch references an ACL for QoS or filters forwarded traffic through an ACL.
2. ACLs referenced by an upper-layer module
The switch also uses ACLs to filter and classify packets that are processed in software. Here the rules can be matched in one of two orders: config (rules are matched in the order the user configured them) or auto (the system sorts the rules automatically, "depth first", so that the more specific rule is tried first). In this case the user specifies the matching order when defining the ACL. Once the matching order of an ACL has been specified it cannot be changed; only after all rules in the list have been deleted can a different order be specified.
ACLs referenced in software include those used to control logged-in users, for example on the VTY lines.
Example (Huawei S3526)
ACL delivered directly to hardware
1. Networking requirements
The gateway of VLAN 20 is port Ethernet1/0/2 of the switch.
The gateway of VLAN 30 is port Ethernet1/0/3 of the switch.
The switch is connected to the external network through port Ethernet1/0/1.
The host with IP address 192.168.20.10 has MAC address 1e65-9d2d-21e2.
The host with IP address 192.168.30.10 has MAC address 1c65-9d2d-21e2.
Host 192.168.20.10 must be prevented from communicating with host 192.168.30.10.
2. Network diagram (not reproduced on this page)
3. Configuration steps
# Set the port type
<Quidway> system-view
System View: return to User View with Ctrl+Z.
[Quidway] interface Ethernet 1/0/2
[Quidway-Ethernet1/0/2] port link-type access
[Quidway-Ethernet1/0/2] interface Ethernet 1/0/3
[Quidway-Ethernet1/0/3] port link-type access
[Quidway-Ethernet1/0/3] quit
# Create the VLANs, assign the ports and create the Layer 3 (SVI) interfaces
[Quidway] vlan 20
[Quidway-vlan20] port Ethernet 1/0/2
[Quidway-vlan20] vlan 30
[Quidway-vlan30] port Ethernet 1/0/3
[Quidway-vlan30] quit
[Quidway] interface Vlanif 20
[Quidway-Vlanif20] ip address 192.168.20.1 255.255.255.0
[Quidway-Vlanif20] interface Vlanif 30
[Quidway-Vlanif30] ip address 192.168.30.1 255.255.255.0
[Quidway-Vlanif30] quit
# Define the pair of hosts that must not communicate (4000-4999 is the Layer 2 ACL number range)
[Quidway] acl number 4000 match-order auto
[Quidway-acl-link-4000] rule 10 deny ingress 1e65-9d2d-21e2 egress 1c65-9d2d-21e2
[Quidway-acl-link-4000] quit
[Quidway] packet-filter link-group 4000
# Two things to check before relying on this. The rule matches only frames whose source MAC is 1e65-9d2d-21e2 and whose destination MAC is 1c65-9d2d-21e2, which is what a frame between two hosts in the same VLAN looks like. Between VLAN 20 and VLAN 30, however, the frame that 192.168.20.10 sends carries the gateway's MAC address as its destination, and the switch rewrites both addresses when it routes, so a Layer 2 rule written on the two host MACs never matches routed traffic; for hosts in different VLANs an advanced (IP) ACL on the two IP addresses is the right tool. Also, the rule blocks one direction only; if the replies from 192.168.30.10 must be dropped as well, add a second rule with ingress and egress swapped. Because this ACL is applied in hardware, the match-order keyword is ignored here, as explained above.
Example (Huawei S3526)
ACL referenced by an upper-layer module
1. Requirement
The device may only be accessed remotely from the administrator's host; assume the administrator host has IP address 192.168.2.100.
2. Configuration
# Create the access control list
<Quidway> system-view
[Quidway] acl number 2000 match-order auto
[Quidway-acl-basic-2000] rule 10 permit source 192.168.2.100 0.0.0.0
[Quidway-acl-basic-2000] rule 20 deny source any
[Quidway-acl-basic-2000] quit
# Reference it from the VTY lines
[Quidway] user-interface vty 0 4
[Quidway-ui-vty0-4] authentication-mode none
[Quidway-ui-vty0-4] acl 2000 inbound
[Quidway-ui-vty0-4] quit
# Caution: "authentication-mode none" switches login authentication off, so in this configuration the ACL is the only control between the network and the command line, and a forged source address of 192.168.2.100 is enough to get in. In production keep the ACL but use "authentication-mode password" or "authentication-mode scheme" (AAA) so that the source address is a second check rather than the only one, and pin 192.168.2.100 to the administrator's MAC address with "arp static" as in section II.
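The description of the config and auto matching orders above, and the VTY example that uses match-order auto, both turn on the same question: which rule wins when more than one matches. The added Python model below (written for this page, not Huawei code) implements a basic ACL with wildcard masks and both orders as the text describes them: config applies rules in the order entered, auto tries the rule with the fewest don't-care bits first, the first match decides, and the order cannot be changed while rules exist. It also assumes that a packet matching no rule is permitted, which is a parameter so it can be changed. The demonstration deliberately enters the VTY rules in the wrong order (deny any first) to show why the keyword matters.

```python
"""Basic-ACL matcher with the two software matching orders (config vs auto).

Added example, not Huawei code. Assumed semantics, taken from the text:
a basic ACL matches on source IP with a wildcard mask; 'config' applies
rules in the order entered; 'auto' ("depth first") tries the most
specific rule first; the first matching rule decides; the match order
cannot be changed while rules exist. The default action for a packet
that matches no rule is assumed to be permit and is a parameter.
"""
import ipaddress
from dataclasses import dataclass


def _int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                   # "permit" | "deny"
    source: str = "any"           # IP address or "any"
    wildcard: str = "0.0.0.0"     # wildcard mask: 0 bits must match, 1 bits are ignored

    def matches(self, ip: str) -> bool:
        if self.source == "any":
            return True
        care = ~_int(self.wildcard) & 0xFFFFFFFF
        return (_int(ip) & care) == (_int(self.source) & care)

    def depth(self) -> int:
        """Number of don't-care bits; smaller means more specific."""
        return 32 if self.source == "any" else bin(_int(self.wildcard)).count("1")


class BasicAcl:
    def __init__(self, number: int, match_order: str = "config"):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACLs use numbers 2000-2999")
        self.number = number
        self.match_order = match_order
        self.rules = []

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)            # config order = insertion order

    def set_match_order(self, order: str) -> None:
        """The constraint stated above: the order is fixed once rules exist."""
        if self.rules:
            raise RuntimeError("delete all rules before changing match-order")
        self.match_order = order

    def ordered(self) -> list:
        if self.match_order == "config":
            return list(self.rules)
        if self.match_order == "auto":
            # depth first: most specific rule first, rule id as tie-breaker
            return sorted(self.rules, key=lambda r: (r.depth(), r.rule_id))
        raise ValueError(f"unknown match-order {self.match_order!r}")

    def evaluate(self, src_ip: str, default: str = "permit") -> str:
        for rule in self.ordered():
            if rule.matches(src_ip):
                return rule.action         # first match decides
        return default


def vty_decision(match_order: str) -> dict:
    """The VTY ACL above with the rules entered in the wrong order (deny any
    first). Returns the decision for the administrator and for another host."""
    acl = BasicAcl(2000, match_order)
    acl.add_rule(Rule(5, "deny", "any"))
    acl.add_rule(Rule(10, "permit", "192.168.2.100", "0.0.0.0"))
    return {ip: acl.evaluate(ip) for ip in ("192.168.2.100", "192.168.2.7")}


if __name__ == "__main__":
    for order in ("config", "auto"):
        print(order, vty_decision(order))
```

With config order the leading deny-any shadows the permit and locks the administrator out as well; with auto order the host rule is tried first and the ACL behaves as intended regardless of the order in which the rules were typed.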
© 2024 shulou.com SLNews company. All rights reserved.