Ch6

Published in: Education, Technology, Business

Transcript

  32. Introduction to Layer 2 Security
     • Layer 2 Security
     • Overview of OSI Model
  33. Layer 2 Security
     (diagram: the perimeter between the Internet and the internal hosts, with the IPS, MARS, VPN, ACS, IronPort, firewall, web server, email server and DNS labelled)
  34. OSI Model
     • When it comes to networking, Layer 2 is often a very weak link.
     (diagram: two OSI stacks, Physical through Application; MAC addresses and physical links belong to the Data Link and Physical layers, IP addresses to Network, protocols and ports to Transport, and the application stream to the layers above; an initial compromise at the bottom of one stack is shown leading to a compromised application at the top)
  35. Layer 2 Vulnerabilities
     • MAC Address Spoofing Attacks
     • MAC Address Table Overflow Attacks
     • STP Manipulation Attacks
     • Storm Attacks
     • VLAN Attacks
  36. MAC Address Spoofing Attack
     (diagram: a switch whose port 1 connects to a host with MAC address AABBcc and whose port 2 connects to the attacker with MAC address 12AbDd; the MAC address table maps AABBcc to port 1 and 12AbDd to port 2)
     Switch: "I have associated ports 1 and 2 with the MAC addresses of the devices attached to them. Traffic destined for each device will be forwarded directly."
     The switch keeps track of the endpoints by maintaining a MAC address table. In MAC spoofing, the attacker poses as another host, in this case AABBcc.
  37. MAC Address Spoofing Attack
     (diagram: the attacker on port 2 now also presents MAC address AABBcc; the MAC address table entry for AABBcc moves from port 1 to port 2)
     Attacker: "I have changed the MAC address on my computer to match the server."
     Switch: "The device with MAC address AABBcc has changed location to port 2. I must adjust my MAC address table accordingly."
  38. MAC Address Table Overflow Attack
     The switch can forward frames between PC1 and PC2 without flooding because the MAC address table contains port-to-MAC-address mappings for these PCs.
  39. MAC Address Table Overflow Attack
     (diagram: hosts A, B, C and D on VLAN 10 on ports 1 to 4; the intruder is on port 3/25)
     The intruder runs macof to begin sending frames with unknown, bogus source MAC addresses (X, Y, Z, ...). The bogus addresses are added to the CAM table, all against port 3/25, until the CAM table is full. The switch floods the frames. The attacker sees traffic to servers B and D.
  40. STP Manipulation Attack
     • Spanning tree protocol operates by electing a root bridge.
     • STP builds a tree topology.
     • STP manipulation changes the topology of a network: the attacking host appears to be the root bridge.
     (diagram: the root bridge with priority 8192 and MAC address 0000.00C0.1234; switch ports marked F (forwarding) or B (blocking))
  41. STP Manipulation Attack
     (diagram: the legitimate root bridge has priority 8192; the attacker, connected to two switches, sends STP BPDUs with priority 0 on both links, and the forwarding (F) and blocking (B) port states change)
     The attacking host broadcasts out STP configuration and topology change BPDUs. This is an attempt to force spanning tree recalculations.
  42. LAN Storm Attack
     • Broadcast, multicast, or unicast packets are flooded on all ports in the same VLAN.
     • These storms can increase the CPU utilization on a switch to 100%, reducing the performance of the network.
     (diagram: a broadcast frame replicated out of every port of the switch)
  43. Storm Control
     (graph: total number of broadcast packets or bytes over time)
  44. VLAN Attacks
     VLAN = Broadcast Domain = Logical Network (Subnet)
     • Segmentation
     • Flexibility
     • Security
  45. VLAN Attacks
     (diagram: the attacker is connected over an 802.1Q trunk to a switch that carries VLAN 10 and VLAN 20 over a second trunk to the servers; the attacker sees traffic destined for the servers)
     • A VLAN hopping attack can be launched in two ways:
     • Spoofing DTP messages from the attacking host to cause the switch to enter trunking mode
     • Introducing a rogue switch and turning trunking on
  46. Double-Tagging VLAN Attack
     (diagram: attacker, switch 1, an 802.1Q trunk with native VLAN 10, switch 2 and the victim on VLAN 20; the frame leaves the attacker with two 802.1Q tags, 10 and 20, and crosses the trunk with a single 802.1Q tag, 20)
     Step 1: The attacker is on VLAN 10, but puts a 20 tag in the packet.
     Step 2: The first switch strips off the first tag and does not retag it (native traffic is not retagged). It then forwards the packet to switch 2.
     Step 3: The second switch receives the packet on the native VLAN.
     Step 4: The second switch examines the packet, sees the VLAN 20 tag and forwards it accordingly, to the victim on VLAN 20.
     Note: This attack works only if the trunk has the same native VLAN as the attacker.
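The four steps above can be traced with a small model of how each switch handles 802.1Q tags. This is an added example, not code from the slide deck or from Cisco: the access-port handling on switch 1 (a tag equal to the port's own VLAN is stripped, anything after it is left untouched) is modelled to match the slide's description, the MAC addresses and payload are constructed, and the native VLAN value 999 and the `tag_native` option stand in for the two usual mitigations (moving the trunk's native VLAN to an unused VLAN, or tagging the native VLAN on the trunk).

```python
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier (EtherType of a VLAN tag)


def split_frame(frame: bytes):
    """Return (dst, src, [VLAN ids outer..inner], rest) by walking the 802.1Q tag stack."""
    off, vlans = 12, []
    while len(frame) >= off + 4 and struct.unpack("!H", frame[off:off + 2])[0] == TPID:
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vlans.append(tci & 0x0FFF)       # VID is the low 12 bits of the TCI
        off += 4
    return frame[:6], frame[6:12], vlans, frame[off:]


def build_frame(dst: bytes, src: bytes, vlans, rest: bytes) -> bytes:
    tags = b"".join(struct.pack("!HH", TPID, v) for v in vlans)   # PCP/DEI = 0
    return dst + src + tags + rest


def access_ingress(frame: bytes, access_vlan: int):
    """Switch 1, step 1: frame arrives on an access port in access_vlan.
    A leading tag for that same VLAN is stripped (modelled per the slide); a tag for any other
    VLAN is dropped; whatever follows the stripped tag stays inside the frame untouched."""
    dst, src, vlans, rest = split_frame(frame)
    if vlans and vlans[0] != access_vlan:
        return None, None                      # tagged for a foreign VLAN: dropped
    if vlans:
        vlans = vlans[1:]
    return access_vlan, build_frame(dst, src, vlans, rest)


def trunk_egress(vlan: int, frame: bytes, native_vlan: int, tag_native: bool = False) -> bytes:
    """Switch 1, step 2: frames in the native VLAN leave the trunk untagged (unless the native
    VLAN is tagged); everything else gets an outer tag for its VLAN."""
    if vlan == native_vlan and not tag_native:
        return frame
    dst, src, vlans, rest = split_frame(frame)
    return build_frame(dst, src, [vlan] + vlans, rest)


def trunk_ingress(frame: bytes, native_vlan: int):
    """Switch 2, steps 3-4: the outer tag, if present, selects the VLAN and is removed;
    an untagged frame belongs to the native VLAN."""
    dst, src, vlans, rest = split_frame(frame)
    if vlans:
        return vlans[0], build_frame(dst, src, vlans[1:], rest)
    return native_vlan, frame


def deliver(frame: bytes, attacker_vlan: int = 10, native_vlan: int = 10,
            tag_native: bool = False):
    """End to end: which VLAN does switch 2 place the attacker's frame in?"""
    vlan, f = access_ingress(frame, attacker_vlan)
    if vlan is None:
        return None
    wire = trunk_egress(vlan, f, native_vlan, tag_native)
    vlan2, _ = trunk_ingress(wire, native_vlan)
    return vlan2


# Constructed double-tagged frame: broadcast destination, attacker source, outer tag 10,
# inner tag 20, then an IPv4 EtherType and a dummy payload.
ATTACK_FRAME = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x0a", [10, 20],
                           b"\x08\x00" + b"constructed payload")

if __name__ == "__main__":
    print("native VLAN 10, untagged :", deliver(ATTACK_FRAME))                   # 20: hop succeeds
    print("native VLAN 999          :", deliver(ATTACK_FRAME, native_vlan=999))  # 10: contained
    print("native VLAN 10, tagged   :", deliver(ATTACK_FRAME, tag_native=True))  # 10: contained
```

With the trunk's native VLAN equal to the attacker's access VLAN, switch 1 sends the frame untagged, the inner 20 tag becomes the only tag on the wire, and switch 2 delivers it to VLAN 20. When the native VLAN is an unused one, or native traffic is tagged, switch 1 adds an outer 10 tag, so switch 2 keeps the frame in VLAN 10 and the inner tag is just payload.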
  47. Configuring Switch Security
     • Configuring Port Security
     • Verifying Port Security
     • BPDU Guard and Root Guard
     • Storm Control
     • VLAN Configuration
     • Cisco Switched Port Analyzer
     • Cisco Remote Switched Port Analyzer
     • Best Practices for Layer 2
  48. Configuring Port Security
     • Port Security Overview
     • Port Security Configuration
     • Switchport Port-Security Parameters
     • Port-Security Violation Configuration
     • Switchport Port-Security Violation Parameters
     • Port Security Aging Configuration
     • Switchport Port-Security Aging Parameters
     • Typical Configuration
  49. Port Security Overview
     (diagram: ports 0/1, 0/2 and 0/3 allow only MAC A, MAC B and MAC C respectively; attacker 1 presents MAC A and attacker 2 presents MAC F on other ports)
     Port security allows an administrator to statically specify MAC addresses for a port, or to permit the switch to dynamically learn a limited number of MAC addresses.
  50. CLI Commands
     Switch(config-if)# switchport mode access
        • Sets the interface mode to access
     Switch(config-if)# switchport port-security
        • Enables port security on the interface
     Switch(config-if)# switchport port-security maximum value
        • Sets the maximum number of secure MAC addresses for the interface (optional)
  51. Switchport Port-Security Parameters
     mac-address mac-address: (Optional) Specify a secure MAC address for the port by entering a 48-bit MAC address. You can add additional secure MAC addresses up to the maximum value configured.
     vlan vlan-id: (Optional) On a trunk port only, specify the VLAN ID and the MAC address. If no VLAN ID is specified, the native VLAN is used.
     vlan access: (Optional) On an access port only, specify the VLAN as an access VLAN.
     vlan voice: (Optional) On an access port only, specify the VLAN as a voice VLAN.
     mac-address sticky [mac-address]: (Optional) Enable the interface for sticky learning by entering only the mac-address sticky keywords. When sticky learning is enabled, the interface adds all secure MAC addresses that are dynamically learned to the running configuration and converts these addresses to sticky secure MAC addresses. Specify a sticky secure MAC address by entering the mac-address sticky mac-address keywords.
     maximum value: (Optional) Set the maximum number of secure MAC addresses for the interface. The maximum number of secure MAC addresses that you can configure on a switch is set by the maximum number of available MAC addresses allowed in the system. The active Switch Database Management (SDM) template determines this number. This number represents the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces. The default setting is 1.
     vlan [vlan-list]: (Optional) For trunk ports, you can set the maximum number of secure MAC addresses on a VLAN. If the vlan keyword is not entered, the default value is used.
        • vlan: set a per-VLAN maximum value.
        • vlan vlan-list: set a per-VLAN maximum value on a range of VLANs separated by a hyphen or a series of VLANs separated by commas. For nonspecified VLANs, the per-VLAN maximum value is used.
  52. Port Security Violation Configuration
     Switch(config-if)# switchport port-security mac-address sticky
        • Enables sticky learning on the interface (optional)
     Switch(config-if)# switchport port-security violation {protect | restrict | shutdown}
        • Sets the violation mode (optional)
     Switch(config-if)# switchport port-security mac-address mac-address
        • Enters a static secure MAC address for the interface (optional)
  53. Switchport Port-Security Violation Parameters
     protect: (Optional) Set the security violation protect mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
     restrict: (Optional) Set the security violation restrict mode. When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred.
     shutdown: (Optional) Set the security violation shutdown mode. In this mode, a port security violation causes the interface to immediately become error-disabled and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands.
     shutdown vlan: Set the security violation mode to per-VLAN shutdown. In this mode, only the VLAN on which the violation occurred is error-disabled.
  54. Port Security Aging Configuration
     Switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}
        • Enables or disables static aging for the secure port, or sets the aging time or type
  55. Switchport Port-Security Aging Parameters
     static: Enable aging for statically configured secure addresses on this port.
     time time: Specify the aging time for this port. The range is 0 to 1440 minutes. If the time is 0, aging is disabled for this port.
     type absolute: Set absolute aging type. All the secure addresses on this port age out exactly after the time (minutes) specified and are removed from the secure address list.
     type inactivity: Set the inactivity aging type. The secure addresses on this port age out only if there is no data traffic from the secure source address for the specified time period.
  56. Typical Configuration
     (diagram: switch S2 with PC B attached to the secured port)
     Switch(config-if)# switchport mode access
     Switch(config-if)# switchport port-security
     Switch(config-if)# switchport port-security maximum 2
     Switch(config-if)# switchport port-security violation shutdown
     Switch(config-if)# switchport port-security mac-address sticky
     Switch(config-if)# switchport port-security aging time 120
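To see what the configuration on slides 50 to 56 actually changes, here is a model of a switch MAC address table with the port-security limit and the three violation modes of slide 53, run against the MAC spoofing move of slides 36-37 and the macof-style table overflow of slide 39. This is an added example and not code from the slide deck or from Cisco; the port names, the tiny CAM size of 8 entries, the "bogus-NN" source addresses and the log strings are constructed for the demonstration.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class PortSecurity:
    """Per-port state for 'switchport port-security' (a model, not IOS code)."""
    maximum: int = 1                            # switchport port-security maximum <value>
    violation: str = "shutdown"                 # protect | restrict | shutdown
    secure: set = field(default_factory=set)    # secure MAC addresses on this port
    violation_count: int = 0
    errdisabled: bool = False


@dataclass
class Switch:
    ports: list
    cam_size: int                                       # CAM capacity (deliberately tiny)
    cam: dict = field(default_factory=dict)             # MAC -> port
    port_security: dict = field(default_factory=dict)   # port -> PortSecurity
    log: list = field(default_factory=list)             # syslog / SNMP-trap notifications

    def _port_up(self, port: str) -> bool:
        ps = self.port_security.get(port)
        return ps is None or not ps.errdisabled

    def _admit(self, port: str, src: str) -> bool:
        """Apply port security to a frame's source MAC. True = switch it, False = drop it."""
        ps = self.port_security.get(port)
        if ps is None:
            return True                          # port security not enabled here
        if ps.errdisabled:
            return False
        if src in ps.secure:
            return True
        if len(ps.secure) < ps.maximum:
            ps.secure.add(src)                   # dynamically learned secure address
            return True
        # Limit reached and the source is unknown: act according to the violation mode.
        if ps.violation == "protect":
            return False                         # dropped silently: no counter, no notification
        ps.violation_count += 1
        if ps.violation == "restrict":
            self.log.append(f"PSECURE_VIOLATION restrict: {src} on {port}")
            return False
        ps.errdisabled = True                    # shutdown: the port goes err-disabled
        self.log.append(f"PSECURE_VIOLATION shutdown: {port} err-disabled")
        return False

    def forward(self, port: str, src: str, dst: str) -> list:
        """Switch one frame arriving on `port`; return the list of egress ports."""
        if not self._admit(port, src):
            return []
        if src in self.cam or len(self.cam) < self.cam_size:
            self.cam[src] = port                 # learn, or move a MAC that reappears elsewhere
        if dst in self.cam:
            return [self.cam[dst]]
        return [p for p in self.ports if p != port and self._port_up(p)]   # unknown: flood


def spoof_scenario(secure_attacker_port: bool) -> str:
    """Slides 36-37: the attacker on port 2 claims the server's MAC AABBcc. Returns the port
    the CAM table maps AABBcc to afterwards."""
    sw = Switch(ports=["1", "2"], cam_size=8)
    if secure_attacker_port:
        sw.port_security["2"] = PortSecurity(maximum=1, violation="restrict")
    sw.forward("1", "AABBcc", BROADCAST)         # server on port 1
    sw.forward("2", "12AbDd", BROADCAST)         # attacker's real MAC on port 2
    sw.forward("2", "AABBcc", BROADCAST)         # attacker now sends as AABBcc
    return sw.cam["AABBcc"]


def overflow_scenario(mode: str = None) -> dict:
    """Slide 39: the intruder on port 3/25 floods bogus source MACs, then host A sends to host B.
    mode None = no port security; otherwise the violation mode configured on port 3/25."""
    sw = Switch(ports=["1", "2", "3", "4", "3/25"], cam_size=8)
    if mode:
        sw.port_security["3/25"] = PortSecurity(maximum=1, violation=mode)
    for i in range(20):
        sw.forward("3/25", f"bogus-{i:02d}", BROADCAST)
    sw.forward("2", "MAC-B", BROADCAST)          # host B announces itself
    egress = sw.forward("1", "MAC-A", "MAC-B")   # host A sends a unicast to B
    ps = sw.port_security.get("3/25")
    return {
        "cam_entries": len(sw.cam),
        "attacker_sees_a_to_b": "3/25" in egress,
        "errdisabled": bool(ps and ps.errdisabled),
        "violations": ps.violation_count if ps else 0,
        "notifications": len(sw.log),
    }


if __name__ == "__main__":
    print("AABBcc maps to port", spoof_scenario(False), "without / ",
          spoof_scenario(True), "with port security")
    for m in (None, "protect", "restrict", "shutdown"):
        print(f"{m or 'no port security':>16}: {overflow_scenario(m)}")
```

Without port security the bogus addresses fill the CAM table, the A-to-B unicast has to be flooded and the attacker port receives it. With `maximum 1` on the attacker port, only the first bogus address is accepted; `protect` drops the rest silently, `restrict` drops them and raises a notification per frame, and `shutdown` err-disables the port after the first violation, which is why the typical configuration on slide 56 chooses it.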
  57. Verifying Port Security
     • CLI Commands
     • View Secure MAC Addresses
     • MAC Address Notification
  58. CLI Commands
     sw-class# show port-security
     Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                     (Count)       (Count)          (Count)
     ---------------------------------------------------------------------------
          Fa0/12              2            0                  0         Shutdown
     ---------------------------------------------------------------------------
     Total Addresses in System (excluding one mac per port)     : 0
     Max Addresses limit in System (excluding one mac per port) : 1024

     sw-class# show port-security interface f0/12
     Port Security              : Enabled
     Port status                : Secure-down
     Violation mode             : Shutdown
     Maximum MAC Addresses      : 2
     Total MAC Addresses        : 1
     Configured MAC Addresses   : 0
     Aging time                 : 120 mins
     Aging type                 : Absolute
     SecureStatic address aging : Disabled
     Security Violation Count   : 0
  59. View Secure MAC Addresses
     sw-class# show port-security address
     Secure Mac Address Table
     -------------------------------------------------------------------
     Vlan    Mac Address       Type                Ports   Remaining Age
                                                             (mins)
     ----    -----------       ----                -----   -------------
        1    0000.ffff.aaaa    SecureConfigured    Fa0/12        -
     -------------------------------------------------------------------
     Total Addresses in System (excluding one mac per port)     : 0
     Max Addresses limit in System (excluding one mac per port) : 1024
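The `show port-security` output on slides 58 and 59 is what an operator polls to notice violations, so here is a parser for both forms of that output with a few checks a SOC would run over it. This is an added example, not from the slide deck or from Cisco. The Fa0/12 lines are taken from the slides; the Fa0/13 and Fa0/14 rows and the second interface block are constructed to exercise the checks, and the field spellings follow the slide output.

```python
import re

# Constructed from the slide-58 summary, with two extra rows (Fa0/13, Fa0/14) added for the demo.
SUMMARY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
     Fa0/12              2            0                  0         Shutdown
     Fa0/13              1            1                  1         Shutdown
     Fa0/14              1            1                  0          Protect
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024
"""

# Fa0/12 is the slide-58 interface output; Fa0/13 is a constructed err-disabled port.
INTERFACES = {
    "Fa0/12": """\
Port Security              : Enabled
Port status                : Secure-down
Violation mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 120 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 0
""",
    "Fa0/13": """\
Port Security              : Enabled
Port status                : Secure-shutdown
Violation mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Aging time                 : 0 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation Count   : 1
""",
}

# One data row: port, three integer counters, action. Header and total lines do not match.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
LIMIT = re.compile(r"^(Total Addresses|Max Addresses limit) in System.*:\s*(\d+)\s*$")


def parse_summary(text: str) -> dict:
    """Parse 'show port-security' into {port: {...}} plus a '_system' entry with the limits."""
    rows = {"_system": {}}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            port, mx, cur, viol, action = m.groups()
            rows[port] = {"max": int(mx), "current": int(cur),
                          "violations": int(viol), "action": action}
            continue
        m = LIMIT.match(line)
        if m:
            rows["_system"][m.group(1)] = int(m.group(2))
    return rows


def parse_interface(text: str) -> dict:
    """Parse 'show port-security interface <if>' key : value lines into a dict."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def findings(summary: dict, interfaces: dict) -> list:
    """Checks worth alerting on: recorded violations, err-disabled ports, and ports whose
    'protect' mode means violations would never be reported at all."""
    out = []
    for port, row in summary.items():
        if port == "_system":
            continue
        if row["violations"] > 0:
            out.append(f"{port}: {row['violations']} violation(s) recorded, action {row['action']}")
        if row["action"].lower() == "protect":
            out.append(f"{port}: protect mode drops silently, violations here are never reported")
    for port, text in interfaces.items():
        f = parse_interface(text)
        if f.get("Port status", "").lower() == "secure-shutdown":
            out.append(f"{port}: err-disabled by port security, investigate before re-enabling")
    return out


if __name__ == "__main__":
    for line in findings(parse_summary(SUMMARY), INTERFACES):
        print(line)
```

A port in `protect` mode is flagged even with a zero counter because, as slide 53 says, that mode never notifies; an operator reading only the violation column would miss it.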
  60. MAC Address Notification
     • MAC address notification allows monitoring of the MAC addresses, at the module and port level, added by the switch to or removed from the CAM table for secure ports.
     (diagram: switch CAM table with F1/1 = MAC A, F1/2 = MAC B and F2/1 = MAC D, where the MAC D entry ages out because MAC D is away from the network; SNMP traps are sent to the NMS when new MAC addresses appear or when old ones time out)
  61. BPDU Guard and Root Guard
     • Configure PortFast
     • BPDU Guard
     • Display the State of Spanning Tree
     • Root Guard
     • Verify Root Guard
  62. Configure PortFast
     (diagram: PortFast is applied to the ports that connect a server or a workstation)
     Switch(config-if)# spanning-tree portfast
        Enables PortFast on a Layer 2 access port and forces it to enter the forwarding state immediately.
     Switch(config-if)# no spanning-tree portfast
        Disables PortFast on a Layer 2 access port. PortFast is disabled by default.
     Switch(config)# spanning-tree portfast default
        Globally enables the PortFast feature on all nontrunking ports.
     Switch# show running-config interface type slot/port
        Indicates whether PortFast has been configured on a port.
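Slide 61 lists BPDU Guard and Root Guard as the defences against the STP manipulation of slides 40-41 without showing what they do, so here is a model of the root election and of the two guards. This is an added example, not code from the slide deck or from Cisco: the root bridge ID (priority 8192, MAC 0000.00C0.1234) is the one on slide 40, the access-switch and attacker bridge IDs and port names are constructed, and the `bpdu_guard` and `root_guard` flags stand in for the interface commands `spanning-tree bpduguard enable` (on a PortFast edge port) and `spanning-tree guard root`.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class BridgeId:
    """STP bridge ID: lower priority wins the root election, MAC breaks ties."""
    priority: int
    mac: str


@dataclass
class Port:
    name: str
    bpdu_guard: bool = False     # err-disable the port if any BPDU arrives (edge ports)
    root_guard: bool = False     # never accept a superior BPDU on this port
    state: str = "forwarding"    # forwarding | err-disabled | root-inconsistent


@dataclass
class Bridge:
    bridge_id: BridgeId
    ports: dict                   # name -> Port
    root_id: BridgeId = None
    log: list = field(default_factory=list)

    def __post_init__(self):
        if self.root_id is None:
            self.root_id = self.bridge_id   # every bridge starts by believing it is the root

    def receive_bpdu(self, port_name: str, advertised_root: BridgeId) -> bool:
        """Process a configuration BPDU; return True if it changed this bridge's root."""
        port = self.ports[port_name]
        if port.state != "forwarding":
            return False                     # guarded-down ports do not process BPDUs
        if port.bpdu_guard:
            port.state = "err-disabled"      # BPDU Guard: no BPDU is expected on an edge port
            self.log.append(f"BPDUGUARD: BPDU received on {port_name}, port err-disabled")
            return False
        if advertised_root < self.root_id:   # superior BPDU: would re-elect the root
            if port.root_guard:
                port.state = "root-inconsistent"
                self.log.append(f"ROOTGUARD: superior BPDU on {port_name}, port blocked")
                return False
            self.root_id = advertised_root   # spanning tree recalculation (slide 41)
            return True
        return False


LEGIT_ROOT = BridgeId(8192, "0000.00C0.1234")    # root bridge from slide 40
ATTACKER = BridgeId(0, "0000.0000.bad1")          # constructed: priority 0 as on slide 41


def attack(guard: str = None):
    """Access switch S1 learns the real root over its uplink, then the host on Fa0/5 sends a
    priority-0 BPDU. guard is None, 'bpduguard' or 'rootguard' on Fa0/5."""
    s1 = Bridge(BridgeId(32768, "0000.0000.0002"), {
        "Gi0/1": Port("Gi0/1"),                                     # uplink toward the real root
        "Fa0/5": Port("Fa0/5", bpdu_guard=(guard == "bpduguard"),
                      root_guard=(guard == "rootguard")),           # host-facing edge port
    })
    s1.receive_bpdu("Gi0/1", LEGIT_ROOT)
    s1.receive_bpdu("Fa0/5", ATTACKER)
    return s1.root_id, s1.ports["Fa0/5"].state, s1.log


if __name__ == "__main__":
    for g in (None, "bpduguard", "rootguard"):
        root, state, log = attack(g)
        print(f"{g or 'no guard':>9}: root={root.priority}/{root.mac} Fa0/5={state} {log}")
```

Without a guard the priority-0 BPDU wins the election and the host becomes root, as on slide 41. BPDU Guard shuts the edge port on the first BPDU regardless of its contents, which is the right fit for PortFast ports that should never see one; Root Guard leaves ordinary BPDUs alone but blocks the port for as long as it would otherwise become the path to a new root.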
