Notes: CCNAS_ PTA_L2-Security

嚯嚯嚯www 34 2022-08-26

I. Lab environment

Lab topology: [topology diagram image not reproduced here]

Lab objectives

· Assign the Central switch as the root bridge.
· Secure spanning-tree parameters to prevent STP manipulation attacks.
· Enable storm control to prevent broadcast storms.
· Enable port security to prevent MAC address table overflow attacks.

II. Configuration steps

1. Using the spanning-tree vlan 1 root primary command, assign the 3560 Central switch as the root bridge.
Assign SW-1 as the secondary root bridge using the spanning-tree vlan 1 root secondary command.

Central(config)#spanning-tree vlan 1 root primary

SW-1(config)#spanning-tree vlan 1 root secondary

2. On the connected access ports of the SW-A and SW-B switches, use the spanning-tree portfast command.

SW-A(config)#interface range fastEthernet 0/1-4
SW-A(config-if-range)#spanning-tree portfast

SW-B(config)#interface range fastEthernet 0/1-4
SW-B(config-if-range)#spanning-tree portfast

3. Enable BPDU guard on the SW-A and SW-B access ports.

SW-A(config-if-range)#spanning-tree bpduguard enable

SW-B(config-if-range)#spanning-tree bpduguard enable

4. On switches SW-1 and SW-2, enable root guard on ports Fa0/23 and Fa0/24.

SW-1(config)#interface range fastEthernet 0/23-24
SW-1(config-if-range)#spanning-tree guard root

SW-2(config)#interface range fastEthernet 0/23-24
SW-2(config-if-range)#spanning-tree guard root

5. Set a 50 percent rising suppression level using the storm-control broadcast command.
Enable storm control on the interfaces connecting Central, SW-1, and SW-2.

SW-1(config)#interface gigabitEthernet 0/1
SW-1(config-if)#storm-control broadcast level 50
SW-1(config-if)#interface fastethernet 0/1
SW-1(config-if)#storm-control broadcast level 50
SW-1(config-if)#interface range fastethernet 0/23-24
SW-1(config-if-range)#storm-control broadcast level 50
SW-1(config-if-range)#exit

SW-2(config)#interface gigabitEthernet 0/1
SW-2(config-if)#storm-control broadcast level 50
SW-2(config-if)#interface fastethernet 0/1
SW-2(config-if)#storm-control broadcast level 50
SW-2(config-if)#interface range fastethernet 0/23-24
SW-2(config-if-range)#storm-control broadcast level 50
SW-2(config-if-range)#exit

6. Configure basic port security on all SW-A and SW-B ports connected to host devices.
Set the maximum number of learned MAC addresses to 2, allow MAC addresses to be learned dynamically, and set the violation mode to shutdown.

SW-A(config)#interface range fastEthernet 0/1-5
SW-A(config-if-range)#switchport mode access
SW-A(config-if-range)#switchport port-security 
SW-A(config-if-range)#switchport port-security maximum 2
SW-A(config-if-range)#switchport port-security violation shutdown
SW-A(config-if-range)#switchport port-security mac-address sticky

SW-B(config)#interface range fastEthernet 0/1-4
SW-B(config-if-range)#switchport mode access
SW-B(config-if-range)#switchport port-security
SW-B(config-if-range)#switchport port-security maximum 2
SW-B(config-if-range)#switchport port-security violation shutdown
SW-B(config-if-range)#switchport port-security mac-address sticky
SW-B(config-if-range)#exit

7. Disable all ports that are currently unused.
For efficiency purposes, the Activity Wizard only grades Fa0/5 and Fa0/6 on SW-A and SW-B.

SW-A(config)#interface range fastEthernet 0/5-6
SW-A(config-if-range)#shutdown

SW-B(config)#interface range fastEthernet 0/5-6
SW-B(config-if-range)#shutdown
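An added compliance check, written for these notes and not part of the Packet Tracer activity: it parses a running-config in the same form as the dumps below and flags any enabled port that carries one command from steps 3, 5 or 6 without its required partner (portfast without BPDU guard, access mode without port security, port security without maximum 2, root-guarded uplink without 50% storm control). The config excerpt and the finding texts are constructed for this example.

```python
# Constructed running-config excerpt (not a live capture), shaped like the SW-A
# dump in this lab; Fa0/2 and Fa0/23 are deliberately left non-compliant.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/23
 spanning-tree guard root
!
"""

# (trigger command, command it must be paired with, finding) for lab steps 3, 5 and 6
RULES = [
    ("spanning-tree portfast", "spanning-tree bpduguard enable", "portfast without bpduguard"),
    ("switchport mode access", "switchport port-security", "access port without port-security"),
    ("switchport port-security", "switchport port-security maximum 2", "port-security maximum is not 2"),
    ("spanning-tree guard root", "storm-control broadcast level 50", "uplink without 50% storm-control"),
]

def parse_interfaces(config):
    """Map each 'interface X' stanza to the set of commands under it (up to the next '!')."""
    stanzas, current = {}, None
    for line in config.splitlines():
        text = line.strip()  # copes with dumps that lost the leading space, like the ones below
        if text.startswith("interface "):
            current = text.split(None, 1)[1]
            stanzas[current] = set()
        elif text == "!":
            current = None
        elif current is not None and text:
            stanzas[current].add(text)
    return stanzas

def audit(config):
    """Return {interface: [findings]} for enabled ports that break a RULES pairing."""
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if "shutdown" in cmds:
            continue  # step 7: an unused port that is already disabled needs nothing else
        issues = [msg for trigger, needed, msg in RULES if trigger in cmds and needed not in cmds]
        if issues:
            findings[name] = issues
    return findings
```

Running audit(SAMPLE_CONFIG) reports Fa0/2 (portfast without bpduguard, access port without port-security) and Fa0/23 (uplink without 50% storm-control); Fa0/1 passes.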

Full running configurations from the lab


Central running-config
Building configuration…

Current configuration : 1320 bytes
!
version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname Central
!
!
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip ssh version 1
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
spanning-tree vlan 1 priority 24576
!
!
!
!
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
ip classless
!
ip flow-export version 9
!
!
!
!
!
!
!
logging trap debugging
line con 0
password ciscoconpa55
!
line aux 0
!
line vty 0 4
password ciscovtypa55
login
!
!
!
End


SW-1 running-config
Building configuration…

Current configuration : 1402 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SW-1
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
spanning-tree vlan 1 priority 28672
!
interface FastEthernet0/1
storm-control broadcast level 50
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
spanning-tree guard root
storm-control broadcast level 50
!
interface FastEthernet0/24
spanning-tree guard root
storm-control broadcast level 50
!
interface GigabitEthernet0/1
storm-control broadcast level 50
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
logging trap debugging
!
!
!
line con 0
password ciscoconpa55
!
line vty 0 4
password ciscovtypa55
login
line vty 5 15
login
!
!
End


SW-2 running-config
Building configuration…

Current configuration : 1366 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SW-2
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
storm-control broadcast level 50
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface FastEthernet0/5
!
interface FastEthernet0/6
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
spanning-tree guard root
storm-control broadcast level 50
!
interface FastEthernet0/24
spanning-tree guard root
storm-control broadcast level 50
!
interface GigabitEthernet0/1
storm-control broadcast level 50
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
logging trap debugging
!
!
!
line con 0
password ciscoconpa55
!
line vty 0 4
password ciscovtypa55
login
line vty 5 15
login
!
!
End


SW-A running-config
Building configuration…

Current configuration : 2082 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SW-A
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/3
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/4
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/5
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
shutdown
!
interface FastEthernet0/6
shutdown
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
logging trap debugging
!
!
!
line con 0
password ciscoconpa55
!
line vty 0 4
password ciscovtypa55
login
line vty 5 15
login
!
!
End


SW-B running-config
Building configuration…

Current configuration : 1950 bytes
!
version 12.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname SW-B
!
enable secret 5 11mERr$TfFTxE.mmb5O5BVC56ndL0
!
ip name-server 0.0.0.0
!
!
spanning-tree mode pvst
!
interface FastEthernet0/1
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/3
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/4
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address sticky
spanning-tree portfast
spanning-tree bpduguard enable
!
interface FastEthernet0/5
shutdown
!
interface FastEthernet0/6
shutdown
!
interface FastEthernet0/7
!
interface FastEthernet0/8
!
interface FastEthernet0/9
!
interface FastEthernet0/10
!
interface FastEthernet0/11
!
interface FastEthernet0/12
!
interface FastEthernet0/13
!
interface FastEthernet0/14
!
interface FastEthernet0/15
!
interface FastEthernet0/16
!
interface FastEthernet0/17
!
interface FastEthernet0/18
!
interface FastEthernet0/19
!
interface FastEthernet0/20
!
interface FastEthernet0/21
!
interface FastEthernet0/22
!
interface FastEthernet0/23
!
interface FastEthernet0/24
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface Vlan1
no ip address
shutdown
!
logging trap debugging
!
!
!
line con 0
password ciscoconpa55
!
line vty 0 4
password ciscovtypa55
login
line vty 5 15
login
!
!
end