2025-02-28 Update From: SLTechnology News&Howtos (shulou), Network Security
Shulou(Shulou.com)06/01 Report--
1. Summary: On the forum someone asked how to prevent a long-distance optical fibre line from being eavesdropped on, or from having an unauthorized switch inserted into it, for example by using port security to block arbitrary connections. I logged on to the rack to test this and recorded the results here. Forum question link: http://bbs.51cto.com/thread-1080361-1.html

If no other device is maliciously inserted in the middle of a fibre line, eavesdropping on it should be very difficult, so anti-eavesdropping can start from preventing unauthorized connections.
2. Basic idea:

A. Assume both switches are layer 3 switches.

B. If the two switches are connected through layer 3 ports and each binds the MAC address of the peer IP, access by another layer 3 device can be prevented, but a layer 2 device inserted in the middle can still eavesdrop.

C. Encrypt the traffic with IPsec between the hosts. Unless only a few hosts hang off the switches at both ends of the line, configuring IPsec on every host is not feasible. I have not worked with high-end switches; ordinary layer 3 switches do not appear to support IPsec.

D. Although encrypting the data is the best defence against eavesdropping, encryption is not easy to achieve here.

E. Prevent unauthorized connections through layer 2 security:
- Use access ports for the interconnecting ports of the switches, and configure an SVI for that VLAN at both ends. Each switch makes sure the interconnection VLAN contains only the one interconnection interface.
- Enable IP routing on both layer 3 switches and point a (static or default) route at each other, so that the PCs on both sides of the switches can reach each other.
- Configure port security on the interconnection ports so that only 2 MAC addresses can be learned (the peer's port MAC and its SVI MAC). This guarantees that there is no other layer 2 device in the middle of the line: if another layer 2 device is connected, the port goes down, so the link cannot be monitored through it.
- This lab only verifies feasibility. In practice, if possible, interconnect with routers and configure IPsec instead.

3. Test topology: R4 (20.1.1.4) -- Fa0/4 SW1 Fa0/20 -- Fa0/20 SW2 Fa0/5 -- R5 (30.1.1.5), reconstructed from the configuration below; the original topology diagram is not reproduced here.
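The port-security behaviour that item E relies on, as an added example written for this page (it is not code from the original post and not Cisco software): a small model of a sticky port that learns at most two source MACs and shuts itself down on the third. The class and function names (SecurePort, run) are hypothetical; the two legitimate MACs are the ones sw1 learned from sw2 in the lab below, and the third MAC and all frame sequences are constructed. It also shows the limit of the approach: a device that only relays frames unchanged never adds a source MAC, so port security cannot see it, which is why the post still recommends IPsec where it is available.

```python
"""Behavioural model of sticky port-security on an interconnect port.

Added example, not from the original post or any Cisco software. It models
the rule the lab relies on: the port keeps at most `maximum` source MACs as
sticky entries and shuts itself down when a frame arrives from any other MAC.
"""

from dataclasses import dataclass, field

SW2_FA0_20 = "0014.a80a.f716"   # sw2 Fa0/20 hardware address (from the lab output)
SW2_VLAN10 = "0014.a80a.f741"   # sw2 VLAN 10 SVI address (from the lab output)
ROGUE_MAC = "dead.beef.0001"    # constructed: an inserted layer 2 device sourcing its own frames


@dataclass
class SecurePort:
    """One access port with `switchport port-security mac-address sticky`."""
    name: str
    maximum: int = 2
    sticky: list = field(default_factory=list)  # secure MACs in learning order
    state: str = "up"                           # "up" or "err-disabled"
    violations: int = 0

    def receive(self, src_mac: str) -> str:
        """Apply port-security to one ingress frame identified by its source MAC.

        Returns "forward" (known secure MAC), "learned" (new sticky entry),
        "violation" (limit exceeded, port shut down) or "dropped" (port already down).
        """
        src_mac = src_mac.lower()
        if self.state != "up":
            return "dropped"
        if src_mac in self.sticky:
            return "forward"
        if len(self.sticky) < self.maximum:
            self.sticky.append(src_mac)   # sticky entries persist into running-config
            return "learned"
        # Any further source MAC is a violation. The default action (shutdown)
        # err-disables the port, which is what takes the link down in the lab.
        self.violations += 1
        self.state = "err-disabled"
        return "violation"

    def running_config(self) -> list:
        """Render the port the way `show running-config interface` lists it."""
        lines = [
            f"interface {self.name}",
            f" switchport port-security maximum {self.maximum}",
            " switchport port-security",
            " switchport port-security mac-address sticky",
        ]
        lines += [f" switchport port-security mac-address sticky {m}" for m in self.sticky]
        return lines


def run(frames, maximum=2):
    """Feed a sequence of source MACs through a fresh port; return (results, port)."""
    port = SecurePort("FastEthernet0/20", maximum=maximum)
    return [port.receive(m) for m in frames], port


if __name__ == "__main__":
    # Normal operation: only sw2's port MAC and SVI MAC ever appear on the link.
    results, port = run([SW2_FA0_20, SW2_VLAN10, SW2_FA0_20, SW2_VLAN10])
    print(results, port.state)           # learned, learned, forward, forward; up

    # A device inserted in the line that sources frames with its own MAC
    # (e.g. an unauthorized switch): the third MAC trips the violation.
    results, port = run([SW2_FA0_20, SW2_VLAN10, ROGUE_MAC, SW2_FA0_20])
    print(results, port.state)           # ..., violation, dropped; err-disabled
    print("\n".join(port.running_config()))

    # Caveat: a device that only relays frames unchanged adds no source MAC,
    # so port-security never fires, however long the link runs.
    results, port = run([SW2_FA0_20, SW2_VLAN10] * 50)
    print(port.state, port.violations)   # up 0
```

The model deliberately uses the default violation action (shutdown); with `protect` or `restrict` the port would stay up and only drop or count the offending frames, so the "link goes down" signal the post relies on would not appear.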
4. Basic configuration:

A. R4:
    interface FastEthernet0/0
     ip address 20.1.1.4 255.255.255.0
     no shut
    !
    no ip routing
    ip default-gateway 20.1.1.1

B. SW1:
    ip routing
    !
    interface FastEthernet0/4
     switchport access vlan 20
     switchport mode access
    !
    interface FastEthernet0/20
     switchport access vlan 10
     switchport mode access
     switchport port-security maximum 2
     switchport port-security
     switchport port-security mac-address sticky
    !
    interface Vlan10
     ip address 10.1.1.1 255.255.255.252
    !
    interface Vlan20
     ip address 20.1.1.1 255.255.255.0
    !
    ip route 0.0.0.0 0.0.0.0 10.1.1.2

C. SW2:
    ip routing
    !
    interface FastEthernet0/5
     switchport access vlan 30
     switchport mode access
    !
    interface FastEthernet0/20
     switchport access vlan 10
     switchport mode access
     switchport port-security maximum 2
     switchport port-security
     switchport port-security mac-address sticky
    !
    interface Vlan30
     ip address 30.1.1.1 255.255.255.0
    !
    interface Vlan10
     ! interconnect SVI: must be in VLAN 10, the same VLAN as Fa0/20
     ip address 10.1.1.2 255.255.255.252
    !
    ip route 0.0.0.0 0.0.0.0 10.1.1.1

D. R5:
    interface FastEthernet0/1
     ip address 30.1.1.5 255.255.255.0
     no shut
    !
    no ip routing
    ip default-gateway 30.1.1.1

5. Verification:

    R4#ping 30.1.1.5
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 30.1.1.5, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
    R4#

    R5#ping 20.1.1.4
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 20.1.1.4, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
    R5#

    sw1#show running-config interface f0/20
    Building configuration...

    Current configuration : 336 bytes
    !
    interface FastEthernet0/20
     switchport access vlan 10
     switchport mode access
     switchport port-security maximum 2
     switchport port-security
     switchport port-security mac-address sticky
     switchport port-security mac-address sticky 0014.a80a.f716 vlan access
     switchport port-security mac-address sticky 0014.a80a.f741 vlan access
    end

    sw2#show int f0/20 | in Hardware
      Hardware is Fast Ethernet, address is 0014.a80a.f716 (bia 0014.a80a.f716)
    sw2#show int vlan 10 | in Hardware
      Hardware is EtherSVI, address is 0014.a80a.f741 (bia 0014.a80a.f741)

    sw1#show mac address-table | in 0/20
      10    0014.a80a.f716    STATIC      Fa0/20
      10    0014.a80a.f741    STATIC      Fa0/20
    sw1#

    sw2#show running-config int f0/20
    Building configuration...

    Current configuration : 312 bytes
    !
    interface FastEthernet0/20
     switchport access vlan 10
     switchport mode access
     switchport port-security maximum 2
     switchport port-security
     switchport port-security mac-address sticky
     switchport port-security mac-address sticky 001a.a164.b216
     switchport port-security mac-address sticky 001a.a164.b241
    end

    sw1#show int f0/20 | in Hardware
      Hardware is Fast Ethernet, address is 001a.a164.b216 (bia 001a.a164.b216)
    sw1#show int vlan 10 | in Hardware
      Hardware is EtherSVI, address is 001a.a164.b241 (bia 001a.a164.b241)

    sw2#show mac address-table | in 0/20
      10    001a.a164.b216    STATIC      Fa0/20
      10    001a.a164.b241    STATIC      Fa0/20

The sticky MAC addresses learned on each switch's Fa0/20 are exactly the peer switch's Fa0/20 hardware address and its VLAN 10 SVI address. Because no other layer 2 device could be added to the rack, the violation case was tested by adding another interface to the VLAN that the interconnect interface belongs to (VLAN 10): the interconnect port then receives frames from a third source MAC and goes down.
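The comparison done by hand in section 5 (sticky MACs on the local Fa0/20 versus the peer's port and SVI addresses, and the MAC table for that port) can be automated. The following is an added example written for this page, not the post's own tooling: it parses the three IOS outputs shown above, using the lab's own sw1/sw2 text and MAC addresses as sample input, and flags any MAC on the interconnect port that is not one of the two expected peer addresses. The function names and the regular expression for Cisco dotted MAC notation are assumptions; the "third MAC" table at the bottom is constructed.

```python
"""Audit an interconnect port's port-security state against the peer's addresses.

Added example, not part of the original post. Sample outputs are the lab's
own (sw1 Fa0/20 learned sw2's addresses); the third-MAC case is constructed.
"""

import re

MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"   # Cisco dotted notation, e.g. 0014.a80a.f716

# --- sample outputs taken from the lab (section 5) ---------------------------
SW1_RUN = """interface FastEthernet0/20
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0014.a80a.f716 vlan access
 switchport port-security mac-address sticky 0014.a80a.f741 vlan access
end"""
SW2_FA0_20 = "  Hardware is Fast Ethernet, address is 0014.a80a.f716 (bia 0014.a80a.f716)"
SW2_VLAN10 = "  Hardware is EtherSVI, address is 0014.a80a.f741 (bia 0014.a80a.f741)"
SW1_TABLE = """  10    0014.a80a.f716    STATIC      Fa0/20
  10    0014.a80a.f741    STATIC      Fa0/20"""
# constructed: what the table would show if a third station spoke on the port
SW1_TABLE_THIRD = SW1_TABLE + "\n  10    dead.beef.0001    DYNAMIC     Fa0/20"


def parse_sticky_macs(show_run_interface: str) -> set:
    """MACs from 'switchport port-security mac-address sticky <mac>' lines."""
    return set(re.findall(r"mac-address sticky (" + MAC_RE + ")", show_run_interface.lower()))


def parse_hardware_mac(show_interface: str) -> str:
    """Hardware address from a 'show interfaces ... | in Hardware' line."""
    m = re.search(r"address is (" + MAC_RE + ")", show_interface.lower())
    if not m:
        raise ValueError("no hardware address in output")
    return m.group(1)


def parse_mac_table(show_mac_table: str, port: str) -> set:
    """MACs that 'show mac address-table' lists on `port` (e.g. 'Fa0/20')."""
    macs = set()
    for line in show_mac_table.lower().splitlines():
        fields = line.split()   # vlan, mac, type, port
        if len(fields) >= 4 and fields[-1] == port.lower() and re.fullmatch(MAC_RE, fields[1]):
            macs.add(fields[1])
    return macs


def audit(sticky: set, peer_port_mac: str, peer_svi_mac: str, table_macs: set) -> dict:
    """Compare what the port secured and learned with what the peer should present."""
    expected = {peer_port_mac.lower(), peer_svi_mac.lower()}
    unexpected = (sticky | table_macs) - expected   # any entry here: a third device spoke on the link
    missing = expected - sticky                     # peer address never learned (link never came up?)
    return {"ok": not unexpected and not missing,
            "unexpected": sorted(unexpected),
            "missing": sorted(missing)}


def audit_switch(show_run, peer_port_out, peer_svi_out, mac_table, port="Fa0/20") -> dict:
    """Run the whole check from raw CLI text."""
    return audit(parse_sticky_macs(show_run),
                 parse_hardware_mac(peer_port_out),
                 parse_hardware_mac(peer_svi_out),
                 parse_mac_table(mac_table, port))


if __name__ == "__main__":
    print(audit_switch(SW1_RUN, SW2_FA0_20, SW2_VLAN10, SW1_TABLE))        # ok: True
    print(audit_switch(SW1_RUN, SW2_FA0_20, SW2_VLAN10, SW1_TABLE_THIRD))  # unexpected: dead.beef.0001
```

Running the same check from sw2's side (its running-config and MAC table against sw1's Fa0/20 and VLAN 10 addresses) covers the other direction of the link; the page's second set of outputs is the input for that.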