Security

Port security
Types of secure MAC addresses:
- dynamic secure
- static secure
- sticky secure - learned dynamically and also written into the configuration

Actions on violating frames:
- shutdown
- restrict - drop + log
- protect - drop

Configuration:
  switchport port-security                      - enables port security
  switchport port-security maximum N            - maximum number of MAC addresses
  switchport port-security mac-address H.H.H    - configures a static secure address
  switchport port-security mac-address sticky   - enables sticky secure
  switchport port-security violation ...        - action on violating frames
  switchport port-security aging ...            - expiry of MAC addresses

***

- DTP should be disabled - otherwise someone could trigger trunk negotiation and thereby get into all VLANs
  switchport nonegotiate                        - disables DTP

***

- double-tagging attack
- hands off VLAN 1 :-) NEVER use it as an access VLAN!!!
- use ISL, or on better switches enable tagging of everything (including the native VLAN)

***

Using ACLs
Types:
- RACL (Router ACL) -> on L3 interfaces (the classic ACLs)
- PACL (Port ACL) -> access list built on MAC addresses
    mac access-list extended NAME
     permit/deny SOURCE DESTINATION ETHERTYPE
  - then applied on the interface with:
    mac access-group NAME in
- VLAN ACL -> only on 35xx
    vlan access-map NAME
     match {ip|mac} address NAME
     action {forward|drop}
    vlan filter VACL_NAME vlan-list VLAN_LIST

***

RADIUS - Remote Authentication Dial In User Service

                    EAP                                RADIUS
  PC (supplicant) <--------> Authenticator (switch) <---------> RADIUS server

RADIUS uses AAA:
- Authentication - username + password
- Authorization - what the user may do
- Accounting - information for billing

EAP - authentication protocol
- on Ethernet, EAPOL (EAP over LAN) is used
- EAPOL + RADIUS = 802.1X (dot1x)

Enabling:
  aaa new-model                                 - turns off the old-style login on the console etc.
  aaa authentication dot1x default group radius
  radius-server host 192.0.2.254 auth-port 1812 acct-port 1813 key Heslo
  dot1x system-auth-control                     - enables authentication globally
- on the interface:
  switchport mode access
  dot1x port-control auto
- enabling assignment into VLANs:
  aaa authorization network default group radius

***

Private VLANs
- consists of one primary VLAN (the enclosing one)
- several community VLANs  --\ secondary VLANs
- one isolated VLAN        --/
- on trunks, traffic of the primary VLAN carries the secondary VLAN tags
- the port between the primary VLAN and the outside world is called the promiscuous port
- three kinds of ports:
  - isolated - communicates only with trunks and the promiscuous port
  - community - communicates with all trunks, the promiscuous port and the ports in the same community
  - promiscuous - communicates with everything

Configuration:
- disable VTP
    vtp mode transparent
- create the VLANs
    vlan XXX
     private-vlan isolated/community
  for example:
    vlan 10
     private-vlan community
    vlan 20
     private-vlan community
    vlan 30
     private-vlan isolated
    vlan 100
     private-vlan primary
     private-vlan association SECONDARY_VLANS
- on a port being placed into a community or isolated VLAN:
    interface INTERFACE
     switchport mode private-vlan host
     switchport private-vlan host-association PRIMARY_VLAN SECONDARY_VLAN
- promiscuous port:
    interface INTERFACE
     switchport mode private-vlan promiscuous
     switchport private-vlan mapping PRIMARY_VLAN SECONDARY_VLAN_LIST
- if we had an L3 switch with a software interface (an SVI, for routing on the switch):
    interface vlan 100
     private-vlan mapping SECONDARY_VLAN_LIST

***

DHCP Snooping
On the switch:
  ip dhcp snooping
  ip dhcp snooping vlan 1
on the interface where the DHCP server is:
  ip dhcp snooping trust
On the router:
  ip dhcp relay information trusted
If I wanted to have, say, 3 access switches all connected to one aggregation switch, it would be handled like this:
- on the aggregation switch:
  ip dhcp snooping information option allow-untrusted
Limiting the rate of DHCP packets on an interface:
  ip dhcp snooping limit rate PACKETS_PER_SECOND
- if the limit is exceeded, the port is shut down

***

IP Source Guard
- checks whether a station uses the IP address that DHCP assigned to it
  ip verify source
  ip verify source port-security
  - the MAC address is checked as well
  - port security must be enabled on the port

***

ARP Spoofing (Dynamic ARP Inspection)
  ip arp inspection vlan VLANS                  - enables inspection of ARP packets
- if inspection needs to be disabled on some port:
  interface ...
   ip arp inspection trust
   exit
  ip arp inspection validate [src-mac] [dst-mac] [ip [allow-zeros]]

***

BPDU Guard
- reacts to receiving a BPDU by shutting the port down
- globally, only for portfast ports:
  spanning-tree portfast bpduguard default
- or on the interface:
  interface INTERFACE
   spanning-tree bpduguard enable

***

BPDU Filter
- prevents sending and receiving BPDUs
- if enabled globally:
  - applies to all portfast ports
  - when the port comes up, 10 BPDUs are sent, then it stops
  - if no reply arrives, nothing happens
  - if a BPDU ever arrives, the port becomes a non-edge port
  spanning-tree portfast bpdufilter default
- if enabled on the port:
  - it neither sends nor receives BPDUs
  spanning-tree bpdufilter enable

***

Root Guard
- makes sure that no switch behind this port can become the root switch
  interface INTERFACE
   spanning-tree guard root

***

Loop Guard
- protects against a root or alternate port becoming a designated port
  interface INTERFACE
   spanning-tree guard loop

***

UDLD
- with a port channel, loop guard would shut down the whole port channel if one link went down
- globally:
  udld enable                                   (enables it only on fiber ports)
- on the interface:
  interface INTERFACE
   udld port
- two modes:
  - normal - does not bring the port down if UDLD messages stop arriving (something for fiber)
  - aggressive - the port goes down
  udld aggressive                               (global)
  udld port aggressive                          (on the port)
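The DHCP snooping, IP Source Guard and Dynamic ARP Inspection sections above all rest on the same binding table, and the notes do not show how the three pieces fit together. The following is an added example written for these notes (not IOS code and not from the original author): a small simulation of a snooping binding table, the "ip verify source" / "ip verify source port-security" decision, and the DAI decision with the "validate" options. The bindings, port names and packets are constructed sample data, and the function names are this example's own.

```python
"""Added example (not part of the original notes): how the DHCP snooping
binding table drives IP Source Guard and Dynamic ARP Inspection.

- DHCP snooping records (MAC, IP, VLAN, port) for each lease it sees; ports
  facing the DHCP server are 'trusted' and are not checked.
- IP Source Guard ('ip verify source') drops IP packets on an untrusted port
  whose source IP is not bound to that port; with the 'port-security' keyword
  the source MAC must match the binding too.
- Dynamic ARP Inspection drops ARP packets on untrusted ports whose sender
  MAC/IP pair has no binding; the 'validate' options additionally compare the
  ARP body with the Ethernet header and reject bogus IP addresses.
All bindings, ports and packets below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


@dataclass
class Arp:
    port: str
    vlan: int
    eth_src: str
    eth_dst: str
    op: str            # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


# Constructed snooping binding table (what DHCP leased on which port).
BINDINGS = {
    Binding("0011.2233.4455", "10.1.1.10", 10, "Gi0/1"),
    Binding("0011.2233.4466", "10.1.1.11", 10, "Gi0/2"),
}
TRUSTED = {"Gi0/24"}   # uplink towards the DHCP server: 'ip dhcp snooping trust'


def bound(port, vlan, ip, mac=None):
    """True if the binding table has a matching entry for this port and VLAN."""
    return any(b.port == port and b.vlan == vlan and b.ip == ip
               and (mac is None or b.mac == mac) for b in BINDINGS)


def ip_source_guard(port, vlan, src_ip, src_mac, port_security=False):
    """'ip verify source' (IP only) or 'ip verify source port-security' (IP + MAC)."""
    if port in TRUSTED:
        return "forward"
    ok = bound(port, vlan, src_ip, src_mac if port_security else None)
    return "forward" if ok else "drop"


def bogus_ip(ip, allow_zeros):
    """The 'ip' validate check: 0.0.0.0 (unless allow-zeros), broadcast, multicast."""
    if ip == "0.0.0.0":
        return not allow_zeros
    return ip_address(ip).is_multicast or ip == "255.255.255.255"


def arp_inspection(pkt, validate=frozenset()):
    """DAI verdict for one ARP packet on an inspected VLAN. 'validate' may hold
    'src-mac', 'dst-mac', 'ip' and 'allow-zeros', mirroring the IOS options
    (in this simulation allow-zeros only relaxes the 'ip' check)."""
    if pkt.port in TRUSTED:
        return "forward"
    if "src-mac" in validate and pkt.sender_mac != pkt.eth_src:
        return "drop: ARP sender MAC differs from Ethernet source MAC"
    if "dst-mac" in validate and pkt.op == "reply" and pkt.target_mac != pkt.eth_dst:
        return "drop: ARP target MAC differs from Ethernet destination MAC"
    if "ip" in validate:
        zeros = "allow-zeros" in validate
        if bogus_ip(pkt.sender_ip, zeros) or (pkt.op == "reply" and bogus_ip(pkt.target_ip, zeros)):
            return "drop: invalid IP address in ARP body"
    if bound(pkt.port, pkt.vlan, pkt.sender_ip, pkt.sender_mac):
        return "forward"
    return "drop: no DHCP snooping binding for sender on this port"


# Constructed packets: a legitimate request from Gi0/1, and a reply from Gi0/2
# that claims Gi0/1's IP address (the case DAI exists to catch).
LEGIT = Arp("Gi0/1", 10, "0011.2233.4455", "ffff.ffff.ffff", "request",
            "0011.2233.4455", "10.1.1.10", "0000.0000.0000", "10.1.1.1")
SPOOFED = Arp("Gi0/2", 10, "0011.2233.4466", "0011.2233.4455", "reply",
              "0011.2233.4466", "10.1.1.10", "0011.2233.4455", "10.1.1.11")

if __name__ == "__main__":
    print("legit ARP:", arp_inspection(LEGIT))
    print("spoofed ARP:", arp_inspection(SPOOFED))
    print("IPSG, neighbour's IP:", ip_source_guard("Gi0/1", 10, "10.1.1.11", "0011.2233.4455"))
```

The order of the checks matters: a trusted port is never inspected, which is why the notes say to trust only the port where the DHCP server sits. The "validate src-mac" case is the one worth trying yourself: a packet whose ARP body is consistent with the binding table but whose Ethernet source differs passes plain DAI and is dropped only with the validate option.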
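Several of the sections above (port security, disabling DTP, keeping access ports out of VLAN 1, BPDU Guard, DHCP snooping, DAI) are per-port or global settings that are easy to forget on one interface. As an added example for these notes (not from the original author, and not an IOS feature), here is a small audit script that parses a running-config and reports which of those settings are missing. The configuration text is constructed sample data, and the parser only understands the commands used on this page.

```python
"""Added example (not part of the original notes): audit a Cisco IOS
running-config for the hardening items listed in these notes.

Per access port: port security enabled, 'switchport nonegotiate' (DTP off),
an access VLAN other than VLAN 1, and BPDU Guard active (either per port or
via 'spanning-tree portfast bpduguard default' on a portfast port).
Trunk ports are checked for 'switchport nonegotiate' only.
Globally: 'ip dhcp snooping' and at least one 'ip arp inspection vlan' line.
The config below is constructed sample data.
"""

SAMPLE_CONFIG = """\
!
ip dhcp snooping
ip dhcp snooping vlan 10,20
spanning-tree portfast bpduguard default
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
!
interface GigabitEthernet0/2
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport nonegotiate
 ip dhcp snooping trust
!
"""


def parse_config(text):
    """Split a config into global lines and {interface name: [sub-commands]}.
    Indented lines belong to the most recent 'interface' stanza; '!' ends it."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return {'global': [...], interface: [...]} listing missing hardening."""
    global_lines, interfaces = parse_config(text)
    global_bpduguard = "spanning-tree portfast bpduguard default" in global_lines
    findings = {"global": []}
    if "ip dhcp snooping" not in global_lines:
        findings["global"].append("DHCP snooping not enabled")
    if not any(g.startswith("ip arp inspection vlan") for g in global_lines):
        findings["global"].append("Dynamic ARP Inspection not enabled")
    for name, cmds in interfaces.items():
        issues = []
        mode = next((c.split()[-1] for c in cmds if c.startswith("switchport mode ")), None)
        if mode in ("access", "trunk") and "switchport nonegotiate" not in cmds:
            issues.append("DTP still negotiating (missing 'switchport nonegotiate')")
        if mode == "access":
            if "switchport port-security" not in cmds:
                issues.append("port security not enabled")
            # No 'switchport access vlan' line means the default, VLAN 1.
            vlan = next((int(c.split()[-1]) for c in cmds
                         if c.startswith("switchport access vlan ")), 1)
            if vlan == 1:
                issues.append("access port is in VLAN 1")
            portfast = "spanning-tree portfast" in cmds
            guarded = ("spanning-tree bpduguard enable" in cmds
                       or (global_bpduguard and portfast))
            if not guarded:
                issues.append("BPDU Guard not active on this port")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for scope, issues in audit(SAMPLE_CONFIG).items():
        print(scope, "->", issues or "ok")
```

In the sample, GigabitEthernet0/2 is the typical forgotten port: access mode with portfast but no port security, no "switchport nonegotiate" and the default VLAN 1. BPDU Guard still counts as active there because the global portfast default covers it, which is exactly the distinction the BPDU Guard section makes between the global and per-interface forms.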