Ethernet Switching Security

1. Lab requirements
As the company's network administrator, you decide to deploy several security features on the access-layer switches to harden the corporate network: DHCP Snooping, IPSG (IP Source Guard), port security and port isolation.



2. Lab topology



3. Key techniques

3.1 DHCP configuration
[S3]dhcp enable
[S3]ip pool vlan 10
[S3-ip-pool-vlan10] gateway-list 172.16.10.254
[S3-ip-pool-vlan10] network 172.16.10.0 mask 255.255.255.0
[S3-ip-pool-vlan10] dns-list 172.16.10.254
# Statically bind the address 172.16.10.1 to one MAC address, so that host always receives this lease
[S3-ip-pool-vlan10] static-bind ip-address 172.16.10.1 mac-address 5479-98bf-6555
[S3-ip-pool-vlan10] quit
# On the VLAN 10 interface, answer DHCP clients from the global address pool (dhcp select global)
[S3]interface Vlanif 10
[S3-Vlanif10] dhcp select global

3.2 DHCP Snooping
# Enable DHCP Snooping globally for IPv4, then mark the port towards the DHCP server (GE0/0/12) as trusted.
# DHCP server messages (OFFER/ACK) arriving on any other, untrusted port are discarded, which blocks rogue DHCP servers.
[S1]dhcp enable
[S1]dhcp snooping enable ipv4
[S1]interface GigabitEthernet 0/0/12
[S1-GigabitEthernet0/0/12] dhcp snooping trusted
[S1-GigabitEthernet0/0/12] quit



# Note: the global dhcp enable must be configured first.
# Enable DHCP Snooping on the S1 interfaces facing R1 and R2 (the untrusted, client-facing ports)
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1] dhcp snooping enable
[S1-GigabitEthernet0/0/1] quit
[S1]interface GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2] dhcp snooping enable
[S1-GigabitEthernet0/0/2] quit



Check the DHCP Snooping binding table (these are the entries that IPSG will enforce):
[S1]display dhcp snooping user-bind all

3.3 IPSG configuration
# Enable IPSG on S1 interfaces GE0/0/1 and GE0/0/2: a packet whose source IP/MAC (and VLAN, interface) does not match a binding-table entry is dropped, and an alarm is raised once the drop count reaches the threshold of 3.
# A host that does not use DHCP (static address) has no dynamic binding and would be dropped; it needs a static binding entry before IPSG is enabled on its port.
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1] ip source check user-bind enable
[S1-GigabitEthernet0/0/1] ip source check user-bind alarm enable
[S1-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 3
[S1-GigabitEthernet0/0/1] quit
[S1]interface GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2] ip source check user-bind enable
[S1-GigabitEthernet0/0/2] ip source check user-bind alarm enable
[S1-GigabitEthernet0/0/2] ip source check user-bind alarm threshold 3
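How DHCP Snooping and IPSG work together, as an added example that is not part of the original lab and not Huawei code: a small Python model of S1 in which DHCP server replies are only accepted on the trusted port GE0/0/12, an ACK through that port creates a binding entry for the client's port, and IPSG on GE0/0/1 and GE0/0/2 drops every packet whose (IP, MAC, VLAN, port) tuple is not in the binding table, raising an alarm at the third drop. The MAC 5479-98bf-6555 and the 172.16.10.0/24 addresses are the lab's; the rogue DHCP server, the spoofed gateway address and the uplink packet are constructed for the demonstration, and the exact matching and alarm behaviour is a simplification of the real switch.

```python
"""Model of DHCP Snooping + IPSG on an access switch.

Added example, not code from the page or from Huawei.  Assumptions: DHCP
server replies (OFFER/ACK) are accepted only on trusted ports; an ACK through
a trusted port creates a binding (IP, MAC, VLAN, port) for the client port
that sent the request; IPSG checks each IPv4 packet on an enabled port
against that table; an alarm is raised when the drop count on a port reaches
the configured threshold (3 on the page).  Sample traffic is constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass
class Packet:
    port: str      # ingress interface
    vlan: int
    src_mac: str
    src_ip: str


@dataclass
class AccessSwitch:
    trusted: set = field(default_factory=set)      # dhcp snooping trusted
    snooping: set = field(default_factory=set)     # dhcp snooping enable (per port)
    ipsg: set = field(default_factory=set)         # ip source check user-bind enable
    alarm_threshold: int = 3
    bindings: set = field(default_factory=set)     # display dhcp snooping user-bind all
    pending: dict = field(default_factory=dict)    # client MAC -> (port, vlan) awaiting ACK
    drops: dict = field(default_factory=dict)      # per-port IPSG drop counter
    alarms: list = field(default_factory=list)

    def client_request(self, port, vlan, mac):
        """DHCP DISCOVER/REQUEST from a client port: remember where the MAC lives."""
        if port in self.snooping:
            self.pending[mac] = (port, vlan)
        return "forward"

    def server_reply(self, port, chaddr, yiaddr):
        """DHCP OFFER/ACK: only a trusted port may originate it (rogue servers dropped)."""
        if port not in self.trusted:
            return "drop"
        if chaddr in self.pending:               # ACK completes the lease -> binding entry
            cport, cvlan = self.pending.pop(chaddr)
            self.bindings.add(Binding(yiaddr, chaddr, cvlan, cport))
        return "forward"

    def ip_packet(self, pkt):
        """IPSG: a packet on an enabled port must match a binding exactly."""
        if pkt.port not in self.ipsg:
            return "forward"
        if Binding(pkt.src_ip, pkt.src_mac, pkt.vlan, pkt.port) in self.bindings:
            return "forward"
        n = self.drops.get(pkt.port, 0) + 1
        self.drops[pkt.port] = n
        if n == self.alarm_threshold:            # 'alarm threshold 3' on the page
            self.alarms.append(f"{pkt.port}: {n} packets failed IPSG check")
        return "drop"


def demo():
    """Replay the lab: S3 is the real DHCP server behind GE0/0/12, R1 sits on GE0/0/1."""
    s1 = AccessSwitch(trusted={"GE0/0/12"},
                      snooping={"GE0/0/1", "GE0/0/2"},
                      ipsg={"GE0/0/1", "GE0/0/2"})
    r1_mac = "5479-98bf-6555"                     # MAC used in the page's static-bind
    s1.client_request("GE0/0/1", 10, r1_mac)
    good_ack = s1.server_reply("GE0/0/12", r1_mac, "172.16.10.1")
    # A rogue DHCP server plugged into R2's (untrusted) port is discarded.
    rogue = s1.server_reply("GE0/0/2", r1_mac, "172.16.10.99")
    legit = s1.ip_packet(Packet("GE0/0/1", 10, r1_mac, "172.16.10.1"))
    # R1 spoofs the gateway address three times -> three drops, one alarm.
    spoofs = [s1.ip_packet(Packet("GE0/0/1", 10, r1_mac, "172.16.10.254"))
              for _ in range(3)]
    # A port without IPSG (here the uplink) is not checked at all.
    uplink = s1.ip_packet(Packet("GE0/0/12", 10, "0000-0000-0001", "10.0.0.1"))
    return {
        "good_ack": good_ack, "rogue": rogue, "legit": legit,
        "spoofs": spoofs, "uplink": uplink,
        "bindings": sorted((b.ip, b.mac, b.vlan, b.port) for b in s1.bindings),
        "alarms": s1.alarms,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model makes the ordering visible: IPSG has nothing to enforce until snooping has recorded a lease, which is why the page enables snooping on the client ports before turning on the source check, and why a statically addressed host on an IPSG port must get a binding by other means.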

3.4 Port security
Restrict each access port to a single end host: enable port security on the S1 interfaces that connect to end hosts and allow only one MAC address per interface.
# Enable port security on the S1 port connecting to R2
[S1] interface GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2] port-security enable
[S1-GigabitEthernet0/0/2] port-security max-mac-num 1
[S1-GigabitEthernet0/0/2] port-security mac-address sticky
# restrict: frames from any further MAC address are dropped and an alarm is generated while the port stays up (shutdown would error-down the port instead)
[S1-GigabitEthernet0/0/2] port-security protect-action restrict
[S1-GigabitEthernet0/0/2] quit
To change port-security max-mac-num later: raising it is straightforward, but lowering it below the number of sticky MAC addresses already learned requires deleting those sticky MAC entries first.
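The sticky-MAC learning, the restrict action and the max-mac-num caveat above, as an added Python model that is not code from the page or from Huawei. It assumes that a port learns source MACs as sticky entries until max-mac-num is reached, that frames from any further MAC are dropped and counted while the port stays up (restrict, as opposed to shutdown), and that lowering max-mac-num below the number of learned sticky entries is refused until they are cleared. The MAC addresses are constructed.

```python
"""Model of port security with sticky MAC learning and the 'restrict' action.

Added example, not code from the page or from Huawei.  Assumptions: a port
learns source MACs as sticky entries until max-mac-num is reached; a frame
from any further MAC is dropped and counted (restrict) while the port stays
up, unlike shutdown, which error-downs the port; and max-mac-num cannot be
lowered below the number of sticky entries already learned, so those entries
have to be removed first.  MAC addresses below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    max_mac: int = 1                  # port-security max-mac-num
    action: str = "restrict"          # port-security protect-action {protect|restrict|shutdown}
    sticky: list = field(default_factory=list)   # learned sticky MAC entries
    up: bool = True
    alarms: list = field(default_factory=list)

    def frame(self, src_mac):
        """Handle one ingress frame; returns 'forward' or 'drop'."""
        if not self.up:
            return "drop"
        if src_mac in self.sticky:
            return "forward"
        if len(self.sticky) < self.max_mac:
            self.sticky.append(src_mac)          # learned and kept as a sticky entry
            return "forward"
        # Limit reached: a violation, handled according to the configured action.
        if self.action != "protect":             # protect drops silently
            self.alarms.append(f"{self.name}: violation by {src_mac}")
        if self.action == "shutdown":
            self.up = False
        return "drop"

    def set_max_mac(self, n):
        """Change max-mac-num; refuse to go below the learned sticky count."""
        if n < len(self.sticky):
            raise ValueError(
                f"{self.name}: {len(self.sticky)} sticky entries learned, "
                f"remove them before lowering max-mac-num to {n}")
        self.max_mac = n
        return n

    def clear_sticky(self):
        """What removing the sticky MAC configuration achieves."""
        self.sticky.clear()


def demo():
    ge2 = SecurePort("GE0/0/2", max_mac=1, action="restrict")
    r2, intruder = "5479-98bf-1122", "5479-98bf-dead"   # constructed MACs
    first = ge2.frame(r2)             # R2 learned as the single sticky MAC
    rogue = ge2.frame(intruder)       # second MAC: dropped, alarm raised, port still up
    again = ge2.frame(r2)             # the legitimate host keeps working
    ge2.set_max_mac(2)                # raising the limit is always allowed
    second = ge2.frame(intruder)      # now fits and is learned as well
    try:
        ge2.set_max_mac(1)
        shrink = "allowed"
    except ValueError:
        shrink = "refused"            # two sticky entries, limit 1: must clear first
    ge2.clear_sticky()                # delete the sticky entries ...
    lowered = ge2.set_max_mac(1)      # ... then the smaller limit is accepted
    return {"first": first, "rogue": rogue, "again": again, "up": ge2.up,
            "alarms": len(ge2.alarms), "second": second, "shrink": shrink,
            "lowered": lowered, "sticky_after_clear": list(ge2.sticky)}


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the dictionary returned by demo(); the point to take away is that restrict keeps the port usable for the legitimate host while the second MAC is rejected and logged, and that shrinking the limit is an ordering problem, not a one-line change.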






3.5 Port isolation
Purpose: stop end hosts on the isolated ports from talking to each other directly. Ports in the same isolation group cannot exchange Layer 2 traffic; with mode l2 they can still reach each other through the Layer 3 gateway, whereas mode all blocks both.
# Enable port isolation on S1 with the isolation mode set to l2
[S1]port-isolate mode l2
[S1]interface GigabitEthernet 0/0/1
[S1-GigabitEthernet0/0/1] port-isolate enable group 1
[S1-GigabitEthernet0/0/1] quit
[S1] interface GigabitEthernet 0/0/2
[S1-GigabitEthernet0/0/2] port-isolate enable group 1
[S1-GigabitEthernet0/0/2] quit