SW(config)#ip dhcp snooping
SW(config)#ip dhcp snooping vlan <vlan-id>
3) Mark the port behind which the legitimate DHCP server sits (or the uplink that leads to it) as trusted:
SW(config-if)#ip dhcp snooping trust
All other ports stay untrusted by default: DHCP server messages (OFFER, ACK, NAK) that arrive on an untrusted port are dropped, so a rogue server on an access port cannot answer clients.
DHCP starvation
This attack targets the DHCP address pool. The attacker sends a stream of DHCP requests, each from a different forged MAC address; the server leases an address to every one of them until the pool is empty. In a subnet with a 255.255.255.0 mask that takes only 253 addresses. Starvation on its own is a denial of service; more often it is the first step, followed by a rogue DHCP server that takes over the now idle clients. The attack itself:
1) request an IP address from the DHCP server;
2) change the MAC address, request an IP address again, and so on;
3) as a result the pool is exhausted and legitimate hosts cannot obtain an IP address.
Signs by which the attack can be noticed:
• a sudden growth in the number of hosts: the server keeps leasing addresses to MAC addresses that belong to no real device;
• an exhausted pool: when a legitimate DHCP server reports 100% pool utilisation, DHCP starvation is the first thing to suspect.
Protection: limit the number of MAC addresses allowed on a port. This is done with port-security:
1) put the port into access mode:
SW(config-if)#switchport mode access
2) enable port-security on it:
SW(config-if)#switchport port-security
3) set the maximum number of MAC addresses on the port:
SW(config-if)#switchport port-security maximum <count>
4) specify the allowed MAC address, either statically or with sticky learning: with sticky, the switch takes the addresses it sees on the port, up to the maximum, and writes them into the running configuration as secure addresses; they stay there until the configuration is changed (and survive a reload if you save it).
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) choose what happens on a violation, that is, when a frame arrives from a MAC address beyond the limit:
protect: frames from unknown MAC addresses are silently dropped, with no notification;
restrict: frames are dropped, the violation counter is incremented, and a syslog message and an SNMP trap are generated;
shutdown: the port goes into err-disabled state (this is the default).
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
Since every IP address is requested from the DHCP server from a new MAC address, a limit on MAC addresses per port stops the attack.
If DHCP snooping is enabled, you can additionally rate-limit DHCP packets on the port:
SW(config-if)#ip dhcp snooping limit rate <pps>
When DHCP packets exceed the configured rate (say, 100 pps), the port goes into err-disable and stays there until an administrator re-enables it (or errdisable recovery does). Keep in mind that this only catches a noisy attacker: one who sends requests slowly, changing the MAC address each time, stays under the limit and still drains the pool, so the rate limit complements port-security rather than replacing it.
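To make the last point concrete, here is an added example (not code from the original article) that models the two per-port controls just described, port-security `maximum` and `ip dhcp snooping limit rate`, and runs a constructed DHCP starvation stream through them. The model is deliberately loose about IOS internals (a one-second rate window, violation mode `shutdown` for both controls); the attacker stream, the thresholds and the class names are assumptions for the illustration.

```python
# Added example (not code from the article): a simplified model of the two
# per-port controls discussed above, port-security 'maximum' and
# 'ip dhcp snooping limit rate', run against a constructed DHCP starvation
# stream. It models IOS behaviour only loosely (one-second rate window,
# violation mode 'shutdown' for both controls).
from collections import deque
from dataclasses import dataclass, field


@dataclass
class PortGuard:
    """One access port with both controls enabled."""
    max_macs: int = 1             # switchport port-security maximum <count>
    rate_limit_pps: int = 100     # ip dhcp snooping limit rate <pps>
    secure_macs: set = field(default_factory=set)
    dhcp_times: deque = field(default_factory=deque)   # DHCP arrivals in the last second
    err_disabled: bool = False
    reason: str = ""

    def ingress(self, t: float, src_mac: str, is_dhcp: bool) -> bool:
        """Process one frame; return True if accepted. The first violation of
        either control puts the port into err-disable, after which it drops everything."""
        if self.err_disabled:
            return False
        # port-security with sticky learning: a new source MAC beyond the limit is a violation
        if src_mac not in self.secure_macs:
            if len(self.secure_macs) >= self.max_macs:
                self.err_disabled, self.reason = True, "port-security"
                return False
            self.secure_macs.add(src_mac)
        # DHCP snooping rate limit: DHCP packets per second seen on this port
        if is_dhcp:
            self.dhcp_times.append(t)
            while self.dhcp_times and t - self.dhcp_times[0] >= 1.0:
                self.dhcp_times.popleft()
            if len(self.dhcp_times) > self.rate_limit_pps:
                self.err_disabled, self.reason = True, "dhcp-rate-limit"
                return False
        return True


def starvation_stream(count: int, interval: float):
    """Constructed attacker traffic: 'count' DHCPDISCOVERs, each from a fresh
    locally-administered MAC, 'interval' seconds apart."""
    return [(i * interval, f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}", True)
            for i in range(count)]


def run(port: PortGuard, stream):
    """Feed the stream through the port; return (accepted frames, err-disable reason)."""
    accepted = sum(1 for t, mac, dhcp in stream if port.ingress(t, mac, dhcp))
    return accepted, port.reason


def fast_attack_rate_limit_only():
    """Rate limit alone: a 500 pps burst is cut off after 100 packets."""
    return run(PortGuard(max_macs=10**6, rate_limit_pps=100), starvation_stream(500, 0.002))


def slow_attack_rate_limit_only():
    """Rate limit alone: 300 requests at 10 pps never trip it, yet 300 leases
    (more than the 253 addresses of a /24) go to bogus MACs."""
    return run(PortGuard(max_macs=10**6, rate_limit_pps=100), starvation_stream(300, 0.1))


def slow_attack_with_port_security():
    """port-security maximum 1 stops the same slow attack at its second MAC."""
    return run(PortGuard(max_macs=1, rate_limit_pps=100), starvation_stream(300, 0.1))
```

The three scenario functions show the ordering of the controls: the rate limit stops the burst, the slow attacker walks straight past it, and only the per-port MAC limit stops both.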
CAM-table overflow
To understand this attack, let's first recall how a switch learns MAC addresses and decides where to forward a frame.
Take a switch SW with two hosts, PC1 (MAC 0000.1111.1111) and PC2 (MAC 0000.2222.2222), with IP addresses 10.0.0.1 and 10.0.0.2. The switch has just booted and its MAC address table is empty. PC1 wants to send a packet to PC2:
1) PC1 knows PC2's IP address but not its MAC address, so it sends a broadcast ARP request: «who has IP address 10.0.0.2, tell your MAC address to 10.0.0.1».
2) The switch receives the frame, writes its source MAC address (0000.1111.1111) together with the ingress port into the CAM table and, since the destination is the broadcast address, floods the frame out every other port.
3) PC2 recognises its IP address and sends a unicast ARP reply to PC1's MAC address. The switch adds a second entry to the CAM table (the table that maps MAC addresses to ports): port gig1/2, MAC 0000.2222.2222. It then looks up the destination MAC, finds PC1's entry and forwards the reply out that one port only. From now on traffic between PC1 and PC2 is switched rather than flooded.
So a switch sends a frame to a single port only when it has an entry for the destination MAC in its CAM table. When there is no such entry, the frame goes out all ports of the VLAN, exactly like a broadcast, and this is what the attack exploits.
The CAM table is finite. The attacker floods the switch with frames whose source MAC addresses are random; every address takes up a slot, and once the table is full the switch can no longer learn anything new.
Frames to hosts the switch no longer knows are flooded out all ports of the VLAN, the attacker's port included, so the switch behaves like a hub within that VLAN and the attacker can sniff other hosts' traffic.
Note that entries age out of the table, so the attacker has to keep generating frames with new MAC addresses to hold the table full; on the other hand, the legitimate hosts' entries expire too and cannot be relearned while the attack lasts. Protection again comes down to controlling which MAC addresses a port may learn:
1) Port-security on access ports with a limit on the number of MAC addresses.
2) Monitoring: a sharp jump in the number of addresses learned on one port, or in the size of the table as a whole, is the signature of this attack, and port-security violation counters and syslog messages should be collected and alerted on.
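The learning, flooding and overflow behaviour described above, as an added example that is not code from the original article. It is a toy model of a switch with a small CAM table: the port names, the 64-entry table, the 300 s ageing time and the attacker's traffic are constructed for the illustration (real tables hold thousands of entries, which only changes how long the flood takes).

```python
# Added example (not code from the article): a toy model of the CAM table
# behaviour described above - learning on source MAC, flooding of unknown
# destinations, entry ageing - and of what a flood of random source MACs
# does to it. Port names, the 64-entry table and the 300 s ageing time are
# constructed for the illustration (real tables hold thousands of entries).
import random

BCAST = "ff:ff:ff:ff:ff:ff"
PC1, PC2 = "00:00:11:11:11:11", "00:00:22:22:22:22"


class Switch:
    def __init__(self, ports, cam_size=64, aging=300):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.aging = aging
        self.cam = {}                    # mac -> (port, last_seen)

    def _expire(self, now):
        for mac, (_port, seen) in list(self.cam.items()):
            if now - seen >= self.aging:
                del self.cam[mac]

    def receive(self, now, in_port, src, dst):
        """Handle one frame; return the list of ports it is sent out of."""
        self._expire(now)
        # learning: refresh a known address, or add a new one if there is room;
        # a full table simply cannot learn
        if src in self.cam or len(self.cam) < self.cam_size:
            self.cam[src] = (in_port, now)
        # forwarding: known unicast goes to one port, everything else is flooded
        if dst != BCAST and dst in self.cam:
            out = self.cam[dst][0]
            return [] if out == in_port else [out]
        return [p for p in self.ports if p != in_port]


def random_mac(rnd):
    return "02:" + ":".join(f"{rnd.randrange(256):02x}" for _ in range(5))


def scenario():
    sw = Switch(["gig1/1", "gig1/2", "gig1/3"], cam_size=64, aging=300)
    # 1) ARP request from PC1 is a broadcast: PC1 is learned on gig1/1, frame flooded
    arp_request = sw.receive(0, "gig1/1", PC1, BCAST)
    # 3) ARP reply from PC2 is unicast: PC2 learned on gig1/2, frame goes to gig1/1 only
    arp_reply = sw.receive(1, "gig1/2", PC2, PC1)
    # from now on PC1 -> PC2 is switched, not flooded
    before = sw.receive(2, "gig1/1", PC1, PC2)
    # attacker on gig1/3 fills the table with random source MACs, and repeats the
    # burst later because entries age out
    rnd = random.Random(1)
    for t in (3, 310):
        for _ in range(200):
            sw.receive(t, "gig1/3", random_mac(rnd), BCAST)
    table_size = len(sw.cam)
    # by t=310 the entries of PC1 and PC2 had expired and the attacker's burst took
    # every slot, so PC2's next frame cannot be learned ...
    sw.receive(311, "gig1/2", PC2, PC1)
    # ... and PC1's unicast to PC2 is flooded, reaching the attacker on gig1/3
    after = sw.receive(312, "gig1/1", PC1, PC2)
    return arp_request, arp_reply, before, table_size, after
```

The interesting value is `after`: the same PC1 to PC2 frame that was switched to gig1/2 alone before the attack now also leaves gig1/3, which is all the attacker needs.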
VLAN hopping
The attack exploits the difference in how a switch treats access and trunk ports.
First, what access and trunk ports are and how they differ:
A trunk carries frames of several VLANs, and the frames are told apart by an 802.1Q tag. The tag is a field inserted into the Ethernet header that carries, among other things, the VLAN Identifier (VID). A frame without this field is untagged.
By the VID the receiving switch knows which VLAN a frame belongs to. End hosts normally send untagged frames; the tag is added and removed by the switches.
So the 802.1Q tag lives only on links between switches.
Let's follow a frame and see where the 802.1Q tag appears.
1) PC1 is connected to access port fa2/1 of SW1, which is in VLAN 10. The frame from PC1 arrives untagged; the switch knows the port's VLAN, and before sending the frame onto the trunk it inserts an 802.1Q header with VID 10 (VLAN10).
2) The frame crosses the trunk between SW1 and SW2 with the tag.
3) SW2 reads the VID, looks up the destination MAC in the CAM table of that VLAN and, if the egress port is an access port, strips the 802.1Q header before sending the frame out.
To summarise:
• a VLAN tag exists only on trunks; the 802.1Q header is removed on access ports;
• an access port carries the traffic of exactly one VLAN (access is Cisco's term for it);
• a trunk port carries the traffic of several VLANs;
• native VLAN: frames that arrive on a trunk without a tag are assigned to the native VLAN, and frames of the native VLAN are sent onto the trunk untagged. By default the native VLAN is VLAN1 (on Cisco).
It follows that a frame from an access port in the native VLAN crosses the trunk untagged, and an untagged frame entering a trunk lands in the native VLAN.
There are two variants of the attack:
The first is switch spoofing: the attacker gets the port they are connected to turned into a trunk, after which they can send frames into any VLAN allowed on it. Cisco switches negotiate the port mode with DTP (Dynamic Trunking Protocol). A port can be in one of four modes (trunking is either negotiated or fixed): dynamic auto, dynamic desirable, static access, static trunk. What the link becomes depends on the modes at both ends:
A port in dynamic auto forms a trunk when the other side is dynamic desirable or trunk. So the attacker sends DTP frames announcing desirable (or trunk), gets a trunk and with it access to every VLAN carried on it.
The catch is that dynamic auto is the default on Cisco switches, so an unconfigured port negotiates: access/auto stays an access link, trunk/auto and desirable/auto become a trunk.
Protection: set the port mode explicitly (switchport mode access or switchport mode trunk) and turn DTP off, because an access port on its own still exchanges DTP frames.
SW(config-if)#switchport nonegotiate
After this the port sends no DTP frames (the command is accepted only on ports whose mode is set statically).
The second variant of VLAN hopping is double tagging, and it exploits the native VLAN. The attacker sends frames carrying two 802.1Q tags: the inner one with the VID of the target VLAN, the outer one with the native VLAN of the trunk; for this to work the attacker has to sit in the trunk's native VLAN.
Say the native VLAN is left at the default: the attacker's port fa2/1 is in VLAN1, which is also the native VLAN of the trunk, and the victim is in VLAN2. PC1 (the attacker) sends a frame with an outer tag VID 1 and an inner tag VID 2. The first switch treats the frame as belonging to VLAN1; since that is the native VLAN, the frame goes onto the trunk without a tag, which means the outer tag is gone and the inner one is now the only tag. The second switch reads VID 2 and delivers the frame into VLAN2.
Note that the attack is one-way: the victim's replies are not relayed back to the attacker the same way, so it serves injection and denial of service rather than interception.
Protection:
on trunk ports, set the native VLAN to an unused VLAN.
SW(config-if)# switchport trunk native vlan 999
and make sure that VLAN 999 is assigned to no access port. On platforms that support it, the global command vlan dot1q tag native additionally makes the switch tag native VLAN frames on trunks, so no frame crosses a trunk untagged.
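Double tagging at the byte level, as an added example that is not code from the original article. It builds the attacker's frame with two 802.1Q tags and runs it through a simplified model of SW1 and SW2, first with the default native VLAN 1 and then with the native VLAN moved to 999. The MAC addresses, VIDs and switch logic are constructed for the illustration; in particular the model assumes that SW1's access port accepts a frame tagged with its own access VLAN, which is the precondition of the attack as described above and is platform-dependent on real switches.

```python
# Added example (not code from the article): builds an 802.1Q double-tagged
# frame byte by byte and runs it through a simplified model of the two
# switches in the scenario above, once with the default native VLAN 1 and
# once with the native VLAN moved to 999. The MAC addresses, VIDs and the
# switch logic are constructed for the illustration; in particular the model
# assumes that SW1 accepts a frame tagged with its own access VLAN, which is
# the precondition of the attack and is platform-dependent on real switches.
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800
BCAST = b"\xff" * 6


def mac(dotted: str) -> bytes:
    """'0000.1111.1111' -> 6 bytes."""
    return bytes.fromhex(dotted.replace(".", "").replace(":", ""))


def tagged_frame(dst: bytes, src: bytes, vids, payload: bytes) -> bytes:
    """Ethernet frame with one 802.1Q tag per element of vids (outermost first).
    A tag is TPID 0x8100 followed by the TCI: PCP/DEI zero, VID in the low 12 bits."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETH_P_IP) + payload


def pop_tag(frame: bytes):
    """Return (outer VID, frame without that tag), or (None, frame) if untagged."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_8021Q:
        return None, frame
    (tci,) = struct.unpack("!H", frame[14:16])
    return tci & 0x0FFF, frame[:12] + frame[16:]


def sw1_access_to_trunk(frame: bytes, access_vlan: int, native_vlan: int):
    """SW1: ingress on an access port, egress on the trunk. Whatever follows the
    (outer) tag is opaque payload to the switch; it never looks for a second tag."""
    vid, inner = pop_tag(frame)
    if vid is not None and vid != access_vlan:
        return None                       # tagged with a foreign VLAN: dropped
    if access_vlan == native_vlan:
        return inner                      # native VLAN goes over the trunk untagged
    return inner[:12] + struct.pack("!HH", ETH_P_8021Q, access_vlan) + inner[12:]


def sw2_trunk_ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """SW2: the VLAN a frame received on the trunk is delivered into."""
    vid, _ = pop_tag(frame)
    return native_vlan if vid is None else vid


def double_tag_attack(attacker_vlan: int, native_vlan: int, target_vlan: int):
    """VLAN into which SW2 delivers the attacker's frame, or None if SW1 drops it."""
    crafted = tagged_frame(BCAST, mac("0000.1111.1111"),
                           [attacker_vlan, target_vlan], b"attacker payload")
    on_trunk = sw1_access_to_trunk(crafted, attacker_vlan, native_vlan)
    return None if on_trunk is None else sw2_trunk_ingress_vlan(on_trunk, native_vlan)
```

With `native_vlan=1` the frame comes out of SW2 in VLAN 2; with `native_vlan=999` SW1 tags the frame with VID 1 on the trunk, SW2 reads that outer tag, and the frame never leaves the attacker's own VLAN.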
MAC-Spoofing
MAC spoofing is the attacker changing their own MAC address to someone else's, for instance to get around a filter that permits only certain MAC addresses or to receive traffic meant for another host.
A switch learns which MAC address lives behind which port from the source MAC of the frames it receives. If the attacker sends frames whose source MAC is the victim's, the switch rewrites the CAM entry to point at the attacker's port, and from that moment the victim's traffic arrives at the attacker.
An example. The topology is a switch SW with PC1 on Eth0/0, PC2 on Eth0/1 and a router R.
SW's MAC address table before the attack shows PC1's MAC address on Eth0/0 and PC2's on Eth0/1.
Now PC2, connected to Eth0/1, sets its MAC address to PC1's and sends a frame; traffic between PC1 and R through SW then changes as follows:
the MAC address that was learned on Eth0/0 is now learned on Eth0/1. The move can be watched with:
SW# debug ethernet interface
In the debug output (the lab runs on IOU, which also shows its keepalive frames) we see a frame with PC1's source MAC arriving on Eth0/1 while the address is held on Eth0/0; the switch simply relearns it, and the CAM entry is moved to Eth0/1.
From this point on frames addressed to PC1, including those from R, are delivered to PC2.
Protection: port-security with a statically configured MAC address on the port:
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
The same attempt now:
the MAC address stays on Eth0/0. A secure static entry is not overwritten by frames arriving from Eth0/1, so PC2's frames do not hijack PC1's traffic; if Eth0/1 is a secure port too, the switch treats the appearance of an address secured elsewhere as a violation on that port and, in the default shutdown mode, err-disables it.
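Even with port-security in place, the move of a MAC address between ports is worth alerting on, because it is exactly what the debug output above shows. The following added example (not code from the original article) is detection logic run over constructed syslog lines patterned on the IOS SW_MATM-4-MACFLAP_NOTIF and PORT_SECURITY-2-PSECURE_VIOLATION messages; the log excerpt and the table of expected MAC-to-port bindings are assumptions made up for the example.

```python
# Added example (not code from the article): detection logic for the MAC move
# shown above, run over constructed syslog lines patterned on the IOS
# SW_MATM-4-MACFLAP_NOTIF and PORT_SECURITY-2-PSECURE_VIOLATION messages.
# The log excerpt and the table of expected MAC-to-port bindings are made up
# for the example.
import re
from collections import defaultdict

IFACE = r"[A-Za-z]+\d+(?:/\d+)*"
FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f.]+) in vlan (?P<vlan>\d+) "
    rf"is flapping between port (?P<p1>{IFACE}) and port (?P<p2>{IFACE})")
PSEC_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by "
    rf"MAC address (?P<mac>[0-9a-f.]+) on port (?P<port>{IFACE})")

# Constructed log excerpt, not real device output.
SAMPLE_LOG = """\
*Mar  1 00:10:22.103: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.1111.1111 in vlan 1 is flapping between port Et0/0 and port Et0/1
*Mar  1 00:10:37.411: %SW_MATM-4-MACFLAP_NOTIF: Host 0000.1111.1111 in vlan 1 is flapping between port Et0/1 and port Et0/0
*Mar  1 00:11:02.907: %LINK-3-UPDOWN: Interface Ethernet0/2, changed state to up
*Mar  1 00:12:15.220: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.1111 on port Ethernet0/1.
"""

# Assumed legitimate bindings, e.g. taken from 'show mac address-table' before the incident.
EXPECTED_PORT = {"0000.1111.1111": "Et0/0", "0000.2222.2222": "Et0/1"}


def normalize(port: str) -> str:
    """IOS prints long and short interface names; fold them onto one form."""
    return re.sub(r"^Ethernet", "Et", port)


def analyze(log: str, expected=EXPECTED_PORT):
    """Return ({mac: sorted ports where it should not be}, number of parsed events).
    A flap is suspicious when one of its ports is not the MAC's expected port;
    a port-security violation is always reported."""
    suspects = defaultdict(set)
    events = 0
    for line in log.splitlines():
        m = FLAP_RE.search(line)
        if m:
            events += 1
            home = expected.get(m["mac"])
            for port in (normalize(m["p1"]), normalize(m["p2"])):
                if home is not None and port != home:
                    suspects[m["mac"]].add(port)
            continue
        m = PSEC_RE.search(line)
        if m:
            events += 1
            suspects[m["mac"]].add(normalize(m["port"]))
    return {mac: sorted(ports) for mac, ports in suspects.items()}, events
```

The expected-binding table is the piece that turns a noisy flap message into a useful alert: a MAC flapping between two ports is normal for a host behind a redundant link, but a MAC appearing on a port that is not its known home is the spoofing case from the lab above.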
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 — MAC 0000.2222.2222). , , , . .
, CAM-, . — , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) — , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
• VLAN , 802.1Q access-;
• (access) VLAN ( Cisco);
• (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
β port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust
, .
DHCP starvation
, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :
1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .
, , :
β’ . IP- , . , .
β’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.
β MAC- . port-security:
1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>
5) MAC-:
protect β , MAC- .
restrict β , syslog SNMP.
shutdown β , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>
IP- DHCP-, MAC-.
DHCP snooping,
SW(config-if)ip dhcp snooping limit rate
DHCP ( 100 pps), err-disable, . , , MAC- , .
AM-table overflow
, , , .
SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :
1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 β MAC 0000.2222.2222). , , , . .
, CAM-, . β , , - .
. , MAC- . .
, . , , , VLAN, .
, , MAC- .
1) Port-security access- MAC-.
2) β , , , , .
VLAN hopping
- access trunk.
, access trunk :
, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .
VID, , . , .
802.1Q - .
802.1Q.
1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .
:
β’ VLAN , 802.1Q access-;
β’ (access) VLAN ( Cisco);
β’ (trunk) , VLAN.
β’ native VLAN β trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .
:
, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :
, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .
, Cisco auto. access/auto trunk/auto.
, .
SW(config-if)#switchport nonegotiate
.
VLAN hopping β native VLAN . , VLAN, native VLAN trunk-.
native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .
, , .
:
trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999
, VLAN 999 access-.
MAC-Spoofing
MAC- , , , .
MAC- MAC- , source MAC. , , , CAM-, .
. :
SW:
, .. PC2 MAC Eth0/1, PC1 R SW :
, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface
, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.
, .
— port-security :
SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111
:
, MAC- Eth0/0. PC2, Eth0/1 , .
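The mitigations above (port-security on access ports, `switchport nonegotiate` against DTP, `ip dhcp snooping limit rate`, and a non-default native VLAN on trunks) are easiest to keep honest with a config audit. The script below is an added example, not code from the article: it parses a Cisco-style running-config text and reports every port missing one of those settings; the interface names and sample config are constructed.

```python
import re

# Constructed sample running-config (not from the article): Ethernet0/0 is
# hardened, Ethernet0/1 (access) and Ethernet0/2 (trunk) are not.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 switchport mode access
 switchport port-security
 switchport nonegotiate
 ip dhcp snooping limit rate 100
!
interface Ethernet0/1
 switchport mode access
!
interface Ethernet0/2
 switchport mode trunk
 ip dhcp snooping trust
!
"""

def parse_interfaces(config):
    # Map each "interface X" block to the list of its indented config lines.
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command closes the block
    return interfaces

def audit(config):
    """Return sorted (interface, finding) pairs for ports missing a mitigation."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        def has(prefix):
            return any(l.startswith(prefix) for l in lines)
        access, trunk = has("switchport mode access"), has("switchport mode trunk")
        if not has("switchport nonegotiate"):
            findings.append((name, "DTP active: add switchport nonegotiate"))
        if access and not has("switchport port-security"):
            findings.append((name, "no port-security: CAM overflow / MAC spoofing possible"))
        if access and not has("ip dhcp snooping limit rate"):
            findings.append((name, "no DHCP rate limit: DHCP starvation possible"))
        native = [int(m.group(1)) for l in lines
                  if (m := re.match(r"switchport trunk native vlan (\d+)", l))]
        if trunk and (native or [1])[-1] == 1:  # VLAN 1 is the IOS default
            findings.append((name, "native VLAN is 1: move it to an unused VLAN"))
    return sorted(findings)
```

Feed it the output of `show running-config` to get a per-port list of what is still missing; a clean result is an empty list.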
Source: https://habr.com/ru/post/231491/