公司因為資安問題限制某部門只能用內部的電腦PC0,PC1上網,MIS 必須要知道是否有違規的情形,所以在 Switch 上建立 Port-Security 規則,有人違規即刻切斷網路。
做法1:Static Learning
SiteA_SW01(config)#interface FastEthernet0/1
SiteA_SW01(config-if)#switchport mode access(只有一個Data VLAN可以流通)
SiteA_SW01(config-if)#switchport port-security (啟用)
SiteA_SW01(config-if)#switchport port-security maximum 2(看該部門該有幾台電腦數量)
SiteA_SW01(config-if)#switchport port-security mac-address 0000.1111.1111
SiteA_SW01(config-if)#switchport port-security mac-address 0000.1111.2222
(把 mac-addr 都設上去,若數量多就用 sticky 沾黏的)
SiteA_SW01(config-if)#switchport port-security violation shutdown
(violation有3種模式:
1.Protect 保護:違反擋住,合法通過
2.Restrict 限制:違反擋住,合法通過,但會送出告警
3.Shutdown:違反發生即全部擋住)
SiteA_SW01#sh port-security address
Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0000.1111.1111 SecureConfigured FastEthernet0/1 -
1 0000.1111.2222 SecureConfigured FastEthernet0/1 -
------------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 1
Max Addresses limit in System (excluding one mac per port) : 1024
無違反時的狀態:
SiteA_SW01#sh ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/1 unassigned YES manual up up
FastEthernet0/2 unassigned YES manual up up
SiteA_SW01(config-if)#do sh port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
--------------------------------------------------------------------
Fa0/1 2 2 0 Shutdown
----------------------------------------------------------------------
Switch(config-if)#do sh port-security int fa0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 2
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.1111.2222:1
Security Violation Count : 0
假設有位即將離職的員工想連入內網偷資料,於是拔掉 PC0 的網路線私接她自己的筆電,switch 隨即啟動 port-security,同時 fa0/1 介面下的所有電腦流量全被中斷,她就會發現慘了,趕快把網路接回去,但是沒有用的。
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
此時該部門就會有人打電話來通知 MIS 網路怎麼全斷了?
我們來查看看是不是有人在搞鬼。
SiteA_SW01#sh ip int b
Interface IP-Address OK? Method Status Protocol
FastEthernet0/1 unassigned YES manual down down
FastEthernet0/2 unassigned YES manual up up
SiteA_SW01#sh int fa0/1
FastEthernet0/1 is down, line protocol is down (err-disabled)
Hardware is Lance, address is 0060.3e68.cb01 (bia 0060.3e68.cb01)
BW 100000 Kbit, DLY 1000 usec,
reliability 255/255, txload 1/255, rxload 1/255
...
...
SiteA_SW01#sh port-security
Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action
(Count) (Count) (Count)
--------------------------------------------------------------------
Fa0/1 2 2 1 Shutdown
----------------------------------------------------------------------
Switch(config-if)#do sh port-security int fa0/1
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2
Configured MAC Addresses : 2
Sticky MAC Addresses : 0
Last Source Address:Vlan : 00D0.BA9D.5550:1
Security Violation Count : 1
ok,確定有人違反,通知該部門主管斷線原因還有證據,mac address 為 00D0.BA9D.5550,
暫時恢復 int fa0/1 的介面:
SiteA_SW01(config)#interface Fa0/1
SiteA_SW01(config-if)#shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
SiteA_SW01(config-if)#no shutdown
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to up
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
危機解除,該部門的網路即可恢復。
做法2:Dynamic Learning,只限制數量。
假設另一個部門有3個跑外面的業務,他們辦公室只有1個座位有公用電腦PC2,若我們這次採用動態學習,不想固定 Mac Address,應該要如何設定?
SiteA_SW01(config)#interface Fa0/2
SiteA_SW01(config-if)#switchport mode access
SiteA_SW01(config-if)#switchport port-security
SiteA_SW01(config-if)#switchport port-security max 1
(這次不設 mac addr 了,讓它動態學習)
SiteA_SW01(config-if)#switchport port-security vio shutdown
SiteA_SW01#sh port-security addr
Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0000.1111.1111 SecureConfigured FastEthernet0/1 -
1 0000.1111.2222 SecureConfigured FastEthernet0/1 -
1 0000.1111.3333 DynamicConfigured FastEthernet0/2
SiteA_SW01#sh port-security int fa0/2
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0000.1111.3333:1
Security Violation Count : 0
這次反向思考,要怎麼做才會違反規定?
可從 Switch 接跳線到一台小 Hub,再接上一台筆電跟原 PC2,ping 一下 Gateway 網路就會掛了。
SiteA_SW01(config-if)#sh port-security int fa0/2
Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0030.A3BD.2087:1
Security Violation Count : 1
要恢復也是連線也是將fa0/2界面sh,no sh一次。
第3種Combination of Dynamic ans Static Learning:
我們先接一下 IP Phone 的電源,它的規則是要限制 PC3 的 Mac Addr,但 IP Phone 不用,數量是:2,所以就是綜合上面兩種模式。
SiteA_SW01(config)#interface Fa0/3
SiteA_SW01(config-if)#switchport mode access
SiteA_SW01(config-if)#switchport port-security (啟用)
SiteA_SW01(config-if)#switchport port-security maximum 2
SiteA_SW01(config-if)#switchport port-security mac-address 0000.1111.4444 (PC3的)
SiteA_SW01(config-if)#switchport port-security vio shutdown
SiteA_SW01(config-if)#do sh port-security int fa0/3
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 2
Total MAC Addresses : 2 (一開始是1,用 pc3 去 ping 一下外面)
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.6451.9C01:1
Security Violation Count : 0
SiteA_SW01#sh port-security addr
Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 0000.1111.4444 SecureConfigured FastEthernet0/3 (靜態打上去的)
1 0001.6451.9C01 DynamicConfigured FastEthernet0/3 (IP Phone 動態學到的)
介紹最後一種:Dynamic Sticky Learning
我們來設定 fa0/4 最多允許學習一個 MAC
SiteA_SW01(config)#interface Fa0/4
SiteA_SW01(config-if)#switchport mode access
SiteA_SW01(config-if)#switchport port-security (啟用)
SiteA_SW01(config-if)#switchport port-security maximum 1
SiteA_SW01(config-if)#switchport port-security sticky
SiteA_SW01(config-if)#switchport port-security vio shutdown
SiteA_SW01#sh port-security int fa0/4
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0000.1111.5555:1
Security Violation Count : 0
SiteA_SW01#sh port-sec address
SiteA_SW01#sh run
SiteA_SW01#sh start
SiteA_SW01#write(sticky 做完一定要存)
沒有留言:
張貼留言