Using Layer 2 port security to prevent unauthorized devices on a long-distance fibre link between two Layer 3 switches (lab test)

Posted by 技術小阿哥 on 2017-11-27
一. Overview:
Someone on a forum asked how to stop a long-distance fibre link from being tapped or connected to some other, unauthorized switch, and whether port security could be used to prevent such an insertion. I logged into the lab rack to test it and recorded the results here.
— A fibre link is hard to tap unless another device is maliciously inserted somewhere along it, so tap prevention can start from preventing unauthorized insertion.
二. Basic approach:
A. Assume both switches are Layer 3 switches.
B. If the two switches are connected through routed (Layer 3) ports and the MAC of the peer IP is statically bound, that prevents a Layer 3 device from being attached, but it cannot prevent a Layer 2 device from being inserted in the middle to eavesdrop.
C. Encrypting traffic with IPsec between the hosts: unless the two ends of the link are routers, configuring IPsec on every host behind the switches is impractical when there are many hosts.
— I have not worked with high-end switches; an ordinary Layer 3 switch apparently cannot be configured for IPsec VPN.
D. Encrypting the data is the best way to prevent eavesdropping, but in this scenario encryption does not look easy to implement.
E. Use Layer 2 security to prevent unauthorized insertion:
— The ports connecting the two switches are access ports, and an SVI for that VLAN is configured on both ends.
— On each switch, the VLAN used for the interconnect contains only the single interconnect port.
— Enable IP routing on both Layer 3 switches and point routes (static or default) at each other so the PCs on both sides can reach each other.
— Configure port security on the interconnect port so that at most 2 MAC addresses are learned. That holds only while no other Layer 2 device sits on the line; when another Layer 2 device is attached, the port goes down, preventing eavesdropping.
— This test only verifies feasibility. In production, if at all possible, interconnect the sites with routers and configure IPsec.
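As an added example (not from the original post), the following Python script audits a Cisco IOS running-config against the rules in E: IP routing enabled, a route towards the peer, an SVI with an address on the interconnect VLAN, exactly one access port in that VLAN, and port security with maximum 2 and sticky learning on that port. The two configs embedded in it are constructed: the first mirrors SW1 from section 四, the second is a deliberately non-compliant variant with a second port in the interconnect VLAN and the sticky/maximum lines missing, to show what a failing audit reports.

```python
"""Audit a Cisco IOS switch config against the Layer 2 interconnect rules.

Added example; parsing is line-based and deliberately simple (IOS indents
interface sub-commands by one space and ends each block with '!').
"""
from __future__ import annotations

# Constructed sample 1: SW1 as configured in the post.
SW1_CONFIG = """\
ip routing
!
interface FastEthernet0/4
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet0/20
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
!
interface Vlan10
 ip address 10.1.1.1 255.255.255.252
!
interface Vlan20
 ip address 20.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
"""

# Constructed sample 2: a second port in VLAN 10, no maximum, no sticky.
BAD_CONFIG = """\
ip routing
!
interface FastEthernet0/20
 switchport access vlan 10
 switchport mode access
 switchport port-security
!
interface FastEthernet0/21
 switchport access vlan 10
 switchport mode access
!
interface Vlan10
 ip address 10.1.1.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2
"""

# Sub-commands every interconnect port must carry (rule E, fourth bullet).
REQUIRED_PORT_CMDS = {
    "switchport mode access",
    "switchport port-security",
    "switchport port-security maximum 2",
    "switchport port-security mac-address sticky",
}


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [sub-commands]} from a running-config."""
    interfaces: dict[str, list[str]] = {}
    current: str | None = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith((" ", "\t")) and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # any other global line ends the interface block
    return interfaces


def audit_interconnect(config: str, vlan: int) -> list[str]:
    """Return a list of findings; an empty list means the config is compliant."""
    findings: list[str] = []
    ifaces = parse_interfaces(config)
    global_lines = {
        l.strip() for l in config.splitlines()
        if l.strip() and not l.startswith((" ", "\t"))
    }
    if "ip routing" not in global_lines:
        findings.append("ip routing is not enabled")
    if not any(l.startswith("ip route ") for l in global_lines):
        findings.append("no static/default route towards the peer switch")
    svi = ifaces.get(f"Vlan{vlan}", [])
    if not any(c.startswith("ip address ") for c in svi):
        findings.append(f"no SVI with an IP address for VLAN {vlan}")
    # Rule: the interconnect VLAN holds exactly one access port.
    uplinks = [n for n, cmds in ifaces.items() if f"switchport access vlan {vlan}" in cmds]
    if len(uplinks) != 1:
        findings.append(f"VLAN {vlan} has {len(uplinks)} access ports, expected exactly 1: {uplinks}")
    for name in uplinks:
        for missing in sorted(REQUIRED_PORT_CMDS - set(ifaces[name])):
            findings.append(f"{name}: missing '{missing}'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("SW1", SW1_CONFIG), ("BAD", BAD_CONFIG)):
        print(label, audit_interconnect(cfg, 10) or "compliant")
```

The audit is intentionally strict about the second rule: a second port in the interconnect VLAN would let frames from a third MAC reach the uplink without tripping port security on the uplink itself, so it is reported even when the uplink's own port-security lines are all present.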
三. Test topology:
(topology diagram: image 105822533.jpg, not reproduced here)
四. Basic configuration:

A. R4:
interface FastEthernet0/0
 ip address 20.1.1.4 255.255.255.0
 no shut
!
! R4 acts as a plain host: routing off, default gateway is SW1's VLAN 20 SVI
no ip routing
ip default-gateway 20.1.1.1

B. SW1:
ip routing
!
interface FastEthernet0/4
 switchport access vlan 20
 switchport mode access
!
! Interconnect port towards SW2: access port in VLAN 10, at most 2 sticky MACs
! (the peer's port MAC and the peer's SVI MAC)
interface FastEthernet0/20
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
!
interface Vlan10
 ip address 10.1.1.1 255.255.255.252
!
interface Vlan20
 ip address 20.1.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2

C. SW2:
ip routing
!
interface FastEthernet0/5
 switchport access vlan 30
 switchport mode access
!
! Interconnect port towards SW1, same port-security settings as on SW1
interface FastEthernet0/20
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
!
interface Vlan30
 ip address 30.1.1.1 255.255.255.0
!
! SVI of the interconnect VLAN (the original listing reads Vlan100, which matches
! neither the port's VLAN 10 nor the 'show int vlan 10' check below; corrected)
interface Vlan10
 ip address 10.1.1.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1

D. R5:
interface FastEthernet0/1
 ip address 30.1.1.5 255.255.255.0
 no shut
!
! R5 acts as a plain host: routing off, default gateway is SW2's VLAN 30 SVI
no ip routing
ip default-gateway 30.1.1.1
五. Verification:
End-to-end reachability between R4 and R5 through the two switches:
R4#ping 30.1.1.5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 30.1.1.5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
R4#

R5#ping 20.1.1.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
R5#

The two sticky MACs sw1 learned on F0/20 are exactly sw2's port MAC and sw2's VLAN 10 SVI MAC, and they show up as STATIC entries in sw1's MAC table:
sw1#show running-config interface f0/20
Building configuration...

Current configuration : 336 bytes
!
interface FastEthernet0/20
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0014.a80a.f716 vlan access
 switchport port-security mac-address sticky 0014.a80a.f741 vlan access
end

sw2#show int f0/20 | in Hardware
Hardware is Fast Ethernet, address is 0014.a80a.f716 (bia 0014.a80a.f716)
sw2#show int vlan 10 | in Hardware
Hardware is EtherSVI, address is 0014.a80a.f741 (bia 0014.a80a.f741)

sw1#show mac address-table | in 0/20
10 0014.a80a.f716 STATIC Fa0/20
10 0014.a80a.f741 STATIC Fa0/20
sw1#

The same holds in the other direction: sw2's sticky entries are sw1's port MAC and SVI MAC:
sw2#show running-config int f0/20
Building configuration...

Current configuration : 312 bytes
!
interface FastEthernet0/20
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 001a.a164.b216
 switchport port-security mac-address sticky 001a.a164.b241
end

sw1#show int f0/20 | in Hardware
Hardware is Fast Ethernet, address is 001a.a164.b216 (bia 001a.a164.b216)
sw1#show int vlan 10 | in Hardware
Hardware is EtherSVI, address is 001a.a164.b241 (bia 001a.a164.b241)

sw2#show mac address-table | in 0/20
10 001a.a164.b216 STATIC Fa0/20
10 001a.a164.b241 STATIC Fa0/20
— The rack cannot be set up with another Layer 2 device inserted in the middle of the link, but the same condition can be tested by adding another port to the VLAN of the interconnect port: as soon as the interconnect port receives frames from a further MAC address, it goes down.
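As an added example, not part of the original post, this Python code automates the manual cross-check above and the "port goes down" observation: the sticky MACs recorded on one switch's interconnect port must be exactly the peer's port MAC and the peer's SVI MAC, and a syslog feed is scanned for the port-security violation that disables the port. The show output embedded is the post's own sw1/sw2 output, trimmed; the syslog lines are constructed in the format Catalyst IOS uses for this event (an assumption, since the post shows no log output).

```python
"""Cross-check sticky MACs against the peer's addresses and flag violations.

Added example; the show output comes from the post, the syslog lines are
constructed in the IOS message format (assumed, not taken from the post).
"""
from __future__ import annotations

import re

MAC_RE = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"

# sw1's interconnect port after sticky learning (from the post, trimmed).
SW1_PORT_CONFIG = """\
interface FastEthernet0/20
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0014.a80a.f716 vlan access
 switchport port-security mac-address sticky 0014.a80a.f741 vlan access
end
"""

# sw2's port MAC and SVI MAC, as printed by 'show int ... | in Hardware'.
SW2_HARDWARE = """\
Hardware is Fast Ethernet, address is 0014.a80a.f716 (bia 0014.a80a.f716)
Hardware is EtherSVI, address is 0014.a80a.f741 (bia 0014.a80a.f741)
"""

# Constructed syslog excerpt: a third MAC appears on the interconnect port and
# port security err-disables it (assumed IOS mnemonics and wording).
SYSLOG = """\
Nov 27 10:15:02: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.2222 on port FastEthernet0/20.
Nov 27 10:15:02: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/20, putting Fa0/20 in err-disable state
Nov 27 10:15:04: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/20, changed state to down
"""

VIOLATION_RE = re.compile(
    r"PSECURE_VIOLATION: .*caused by MAC address " + MAC_RE + r" on port (\S+)\."
)


def sticky_macs(port_config: str) -> set[str]:
    """MACs pinned by 'switchport port-security mac-address sticky <mac>' lines."""
    return set(re.findall(r"mac-address sticky " + MAC_RE, port_config))


def hardware_macs(show_int_output: str) -> set[str]:
    """Burned-in addresses from 'show interface ... | in Hardware' output."""
    return set(re.findall(r"\(bia " + MAC_RE + r"\)", show_int_output))


def interlink_is_clean(local_port_config: str, peer_hardware: str) -> bool:
    """True only if the local sticky set is exactly {peer port MAC, peer SVI MAC}."""
    learned = sticky_macs(local_port_config)
    expected = hardware_macs(peer_hardware)
    return len(expected) == 2 and learned == expected


def violations(syslog: str, interlink_ports: set[str]) -> list[dict[str, str]]:
    """One alert per port-security violation seen on a watched interconnect port."""
    alerts: list[dict[str, str]] = []
    for line in syslog.splitlines():
        m = VIOLATION_RE.search(line)
        if m and m.group(2) in interlink_ports:
            alerts.append({"port": m.group(2), "mac": m.group(1), "raw": line.strip()})
    return alerts


if __name__ == "__main__":
    print("sw1 <-> sw2 link clean:", interlink_is_clean(SW1_PORT_CONFIG, SW2_HARDWARE))
    for alert in violations(SYSLOG, {"FastEthernet0/20"}):
        print("ALERT: foreign MAC", alert["mac"], "on", alert["port"])
```

The check answers two different questions: `interlink_is_clean` confirms, at audit time, that only the peer's two addresses were ever pinned; `violations` catches the moment a third source address shows up. Both rely on the inserted device sending frames of its own, which is why the post still recommends routers with IPsec where that is an option.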
This article is reposted from the 51CTO blog of 碧雲天; original link: http://blog.51cto.com/333234/1318930. Contact the original author if you wish to reproduce it.