
Protecting the L2 network with switches



Good day. This article covers several attacks on network equipment that can be prevented by correctly configuring the switches.

Terminology and configuration commands follow the Cisco documentation, as the de facto industry standard. Each attack begins with a short look at the mechanism of the protocol being attacked. The article is aimed at beginners rather than professional network engineers.
The following attacks are covered:

β€’ Rogue DHCP Server
β€’ DHCP starvation
β€’ CAM-table overflow
β€’ VLAN hopping
β€’ MAC-spoofing

Based on the CBT Nuggets video course for CCNA Security.

Rogue DHCP Server


Description

A simplified picture of how DHCP works:

Discover: a client that has no IP address yet sends a broadcast to 255.255.255.255, asking any DHCP servers on the network to respond.
Offer: each DHCP server replies with proposed configuration parameters (IP address, DNS servers, default gateway). The reply is addressed to the client's MAC address.
Request: the client picks the server it prefers (if several answered) and asks for the offered address. This message is also broadcast, but the IP address of the chosen server is carried in one of the options, so the other servers know their offers were declined.
Acknowledgment: the chosen server confirms the lease. Once this message arrives, the client applies its network settings, and the address can be considered assigned.



The point of the attack is to substitute the DHCP server. While two DHCP servers, one of them hostile, are on the network at the same time, some of the clients will receive wrong addresses and other network settings.

By substituting the default gateway, the owner of the rogue DHCP server sees all of the client's traffic and forwards the packets on to their real destination. This is the simplest form of a MitM (Man in the Middle) attack, and it works in most modern networks; substituting the DNS servers in the same offer gives the attacker name resolution as well.

It is worth noting that most often a rogue DHCP server is not an attack at all. Someone plugs a SOHO router with DHCP enabled into the network, and does so through one of its LAN ports. Clients that obtain addresses from it suffer at best a serious loss of speed, and usually lose access to local and external resources entirely.

Protection methods

The simplest protection against attacks of this kind is DHCP snooping, enabled on every switch. Ports are then divided into two types:

• Trusted – ports leading to the DHCP server or to another switch.
• Untrusted – client ports, behind which no DHCP server can legitimately be, but an attacker's device may well be.

With DHCP snooping the switch inspects the DHCP offer and acknowledgment messages passing through it and drops those that arrive on untrusted ports. Client broadcasts (discover and request) are relayed only towards trusted ports. The resulting topology: the DHCP server and the uplinks to other switches sit on trusted ports, every other port is untrusted.

To configure DHCP snooping:

1) Enable it globally on the switch:
SW(config)#ip dhcp snooping
2) Specify the VLANs in which DHCP messages are to be inspected:
SW(config)#ip dhcp snooping vlan <vlan-id>
3) Mark the trusted ports (in interface configuration mode; every port not marked is untrusted):
SW(config-if)#ip dhcp snooping trust


After this, DHCP offer and acknowledgment messages arriving on any untrusted port are dropped, so a rogue server on a client port can no longer answer anyone. Two things are worth checking afterwards: show ip dhcp snooping lists the monitored VLANs and the trusted ports, and show ip dhcp snooping binding shows the leases the switch has seen on untrusted ports. One caveat: by default a Cisco switch inserts DHCP option 82 into the client messages it relays, and some DHCP servers reject such requests; if clients stop getting addresses after you enable snooping, turn the insertion off with no ip dhcp snooping information option.
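The decision logic described above, as an added example that is not part of the original article or of Cisco's code: a small model of a switch running DHCP snooping. It parses the DHCP message type (option 53) out of a constructed BOOTP/DHCP payload, drops server messages (offer, ack, nak) that arrive on untrusted ports, relays client messages only towards trusted ports, and also applies the chaddr-versus-source-MAC check of ip dhcp snooping verify mac-address, which is what catches a starvation attack that varies only the hardware address inside the DHCP message. Port names, MAC addresses and the packets are made up.

```python
"""Model of a switch running DHCP snooping (added example, not the article's code).
Packet layout follows RFC 2131/2132; the forwarding rules follow the text above."""
import struct
from typing import Dict, List, Optional, Set, Tuple

# DHCP message types, option 53
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_MESSAGES = {OFFER, ACK, NAK}       # only a DHCP server legitimately sends these
MAGIC = b"\x63\x82\x53\x63"               # DHCP magic cookie after the BOOTP header
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s64s128s"  # 236-byte fixed BOOTP header


def build_dhcp(msg_type: int, client_mac: bytes, op: int = 1) -> bytes:
    """Minimal DHCP payload with only option 53 (constructed test input, not a capture)."""
    zero4 = b"\0" * 4
    hdr = struct.pack(BOOTP_HDR, op, 1, 6, 0, 0x3903F326, 0, 0x8000,
                      zero4, zero4, zero4, zero4,
                      client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, msg_type, 255])


def dhcp_message_type(payload: bytes) -> Optional[int]:
    """Walk the option list and return option 53, or None if this is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                 # pad option, one byte
            i += 1
            continue
        if code == 255 or i + 1 >= len(payload):   # end option / truncated
            break
        length = payload[i + 1]
        if code == 53 and length == 1:
            return payload[i + 2]
        i += 2 + length
    return None


def chaddr(payload: bytes) -> bytes:
    """Client hardware address: first 6 bytes of the 16-byte chaddr field at offset 28."""
    return payload[28:34]


class SnoopingSwitch:
    """Ports are plain names; `trusted` holds those configured with 'ip dhcp snooping trust'."""

    def __init__(self, ports: Set[str], trusted: Set[str], verify_mac: bool = True):
        self.ports = set(ports)
        self.trusted = set(trusted)
        self.verify_mac = verify_mac              # 'ip dhcp snooping verify mac-address'
        self.bindings: Dict[bytes, str] = {}      # client MAC -> port (simplified binding table)

    def handle(self, in_port: str, src_mac: bytes, payload: bytes) -> Tuple[str, List[str]]:
        """Return (verdict, list of egress ports) for one frame carrying `payload`."""
        msg_type = dhcp_message_type(payload)
        if msg_type is None:                      # not DHCP: ordinary forwarding, not modelled here
            return "not-dhcp", sorted(self.ports - {in_port})
        untrusted = in_port not in self.trusted
        if msg_type in SERVER_MESSAGES:
            if untrusted:                         # a rogue server answering from a client port
                return "drop-server-message-on-untrusted-port", []
            return "forward", sorted(self.ports - {in_port})
        # Client message (DISCOVER, REQUEST, ...).  On untrusted ports the chaddr inside
        # the DHCP message must match the Ethernet source MAC, otherwise it is dropped.
        if untrusted and self.verify_mac and chaddr(payload) != src_mac:
            return "drop-chaddr-mismatch", []
        if untrusted:
            self.bindings[src_mac] = in_port
        return "forward", sorted(self.trusted - {in_port})   # relayed towards servers only
```

Build an OFFER with op=2 and feed it to handle() from a port that is not in the trusted set to see the rogue-server case; the binding table is filled only from client messages on untrusted ports, which is what the real snooping binding table records.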

DHCP starvation

This attack also targets DHCP. A DHCP server hands out addresses from a limited pool: for a /24 network (mask 255.255.255.0) that is at most 253 hosts once the gateway is excluded. The idea of DHCP starvation is to exhaust that pool. The attack goes as follows:

1) The attacker sends DHCP discover and request messages to the server;
2) each of them carries a different (randomly generated) client MAC address, and the server leases a separate IP address to each;
3) within a short time the pool is empty and legitimate clients cannot obtain an address at all.

Depending on what the attacker is after, the result is one of two things:

• Denial of service. Clients do not receive an IP address and cannot use the network. For the attacker this is the end of the story.
• A rogue DHCP server. Here DHCP starvation is only the first stage: once the legitimate server has nothing left to offer, the attacker's server is the only one that answers, and 100% of new clients take their configuration from it.


Protection consists in limiting the number of MAC addresses the switch may learn on a port. This is done with port-security:

1) Put the port into static access mode (port-security cannot be enabled on a port whose mode is negotiated dynamically):
SW(config-if)#switchport mode access
2) Enable port-security on the port:
SW(config-if)#switchport port-security
3) Set the maximum number of MAC addresses allowed on the port (the default is 1):
SW(config-if)#switchport port-security maximum <max>
4) Specify the allowed MAC addresses, either explicitly or with the sticky option: with sticky the switch learns the addresses of the hosts actually connected and writes them into the running configuration as static entries; without sticky, dynamically learned secure addresses are forgotten when the port goes down or the switch reloads.
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) Choose what happens when a frame from an unknown MAC address arrives after the limit has been reached:
protect – frames from unknown MAC addresses are silently dropped, nothing is logged.
restrict – frames are dropped, the violation counter is incremented, and a syslog message and an SNMP trap are generated.
shutdown – the port is put into the err-disabled state and must be re-enabled manually (or by errdisable recovery). This is the default.
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

An attacker requesting addresses from the DHCP server with ever new source MAC addresses is therefore stopped as soon as the limit is exceeded.

DHCP snooping offers a second measure, a limit on the rate of DHCP messages per port:
SW(config-if)#ip dhcp snooping limit rate <pps>

If a port receives more DHCP messages than allowed (for example 100 pps), it goes into err-disable. This is useful on untrusted ports, but bear in mind that a patient attacker can run the starvation slowly, below any sensible rate limit; the MAC-address limit of port-security is the more reliable protection. One more caveat: the attacker need not change the Ethernet source address at all, varying only the client hardware address (chaddr) inside the DHCP message, which port-security does not see. For that case DHCP snooping compares chaddr with the Ethernet source MAC on untrusted ports (ip dhcp snooping verify mac-address, enabled by default) and drops mismatches.

CAM-table overflow

To understand this attack, recall how a switch learns where hosts are and decides where to send a frame.

Take switch SW with two hosts, PC1 (MAC 0000.1111.1111) and PC2 (MAC 0000.2222.2222). Their IP addresses (10.0.0.1 and 10.0.0.2) are configured statically. The switch has just been powered on, so its MAC table is empty. PC1 wants to talk to PC2:

1) PC1 knows PC2's IP address but not its MAC address, so PC1 sends an ARP request as a broadcast. Roughly: «whoever has IP address 10.0.0.2, send your MAC address to 10.0.0.1, MAC 0000.1111.1111».
2) The switch receives the frame, writes the source MAC address (0000.1111.1111) together with the port it arrived on into its table and, because the destination is the broadcast address, sends the frame out every other port.
3) PC2 replies, addressing the frame to PC1's MAC address. The switch adds a second entry to its CAM table (the table mapping MAC addresses to ports), for example gig1/2 – MAC 0000.2222.2222. The destination MAC is already known, so the reply goes out only the port where PC1 is. From now on, frames between PC1 and PC2 are sent only to the port behind which the destination is.

The CAM table is not unlimited; depending on the model it holds some thousands of entries. When it is full, the switch cannot learn new addresses, and every frame to a destination that is not in the table is flooded out all ports of the VLAN, i.e. the switch starts behaving like a hub.

That is exactly what the attack does: the attacker sends a stream of frames with random source MAC addresses, and the switch obediently learns each of them until the table is full.

From that moment, traffic to any host whose entry has aged out (or was never learned) is flooded to every port in the VLAN, including the attacker's, who simply captures it. The effect is limited to the attacker's own VLAN, and the stream has to be kept up, because entries age out and would otherwise be replaced by legitimate ones.

No special access is needed: any host on an access port can send frames with arbitrary source MAC addresses, and a tool that generates tens of thousands of them per second fills a table within seconds.
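The learning and flooding behaviour just described, as an added example that is not part of the original article: a learning switch with a bounded CAM table. It replays the ARP exchange between PC1 and PC2 from the steps above, then floods random source MACs from a third port and shows that a unicast frame from PC1 to PC2, which before went out one port, is now flooded to the attacker's port as well. The capacity, port names and the attacker's MAC addresses are made up.

```python
"""Learning switch with a bounded CAM table (added example, not the article's code).
Shows the ARP exchange from the text, then a MAC flood from a third port and the
resulting unicast flooding.  Ports, capacity and MAC addresses are made up."""
import random
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports: List[str], cam_capacity: int):
        self.ports = list(ports)
        self.capacity = cam_capacity
        self.cam: Dict[str, str] = {}     # MAC -> port
        self.failed_learns = 0            # frames whose source could not be learned

    def learn(self, mac: str, port: str) -> None:
        """Source learning: a known MAC is moved to the port it now arrives on,
        a new MAC is added only while the table has room."""
        if mac in self.cam or len(self.cam) < self.capacity:
            self.cam[mac] = port
        else:
            self.failed_learns += 1

    def forward(self, in_port: str, src: str, dst: str) -> List[str]:
        """Return the ports the frame is sent out of."""
        self.learn(src, in_port)
        if dst != BROADCAST and dst in self.cam:
            return [self.cam[dst]]                          # known unicast: one port
        return [p for p in self.ports if p != in_port]      # broadcast or unknown: flood


def random_mac(rng: random.Random) -> str:
    """Locally administered unicast MAC with random low bytes."""
    return ":".join(f"{b:02x}" for b in (0x02, *(rng.randrange(256) for _ in range(5))))


def overflow_demo(capacity: int = 100, seed: int = 1) -> dict:
    """PC1 on gig1/1 talks to PC2 on gig1/2; the attacker sits on gig1/3."""
    sw = LearningSwitch(["gig1/1", "gig1/2", "gig1/3"], capacity)
    pc1, pc2 = "00:00:11:11:11:11", "00:00:22:22:22:22"
    sw.forward("gig1/1", pc1, BROADCAST)        # step 1: ARP request, flooded, PC1 learned
    sw.forward("gig1/2", pc2, pc1)              # step 3: ARP reply, PC2 learned
    before = sw.forward("gig1/1", pc1, pc2)     # known unicast: gig1/2 only
    rng = random.Random(seed)
    for _ in range(capacity * 2):               # attacker floods random source MACs
        sw.forward("gig1/3", random_mac(rng), BROADCAST)
    del sw.cam[pc2]                             # PC2's entry ages out while it is quiet...
    sw.forward("gig1/3", random_mac(rng), BROADCAST)   # ...and the attacker grabs the slot
    after = sw.forward("gig1/1", pc1, pc2)      # unknown destination: flooded, gig1/3 sees it
    return {"before": before, "after": after,
            "cam_entries": len(sw.cam), "failed_learns": sw.failed_learns}
```

The model evicts nothing on its own; the single del stands in for ageing. Real switches age dynamic entries after a few minutes, which is why the attacker has to keep the flood running to hold the table full.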


Protection:
1) Port-security on access ports with a limit on the number of MAC addresses (the same commands as in the previous section). A violation on the attacker's port stops the learning long before the table is full.
2) Static MAC entries for critical hosts such as the default gateway: a static entry is never displaced, so traffic to those hosts is not flooded even when the dynamic part of the table is exhausted.

VLAN hopping

The goal of VLAN hopping is to get frames from one VLAN into another without going through a router. The attack exploits the difference between access and trunk ports.

Recall what that difference is:

A trunk carries several VLANs over one link. For the receiving side to tell them apart, 802.1Q tagging is used: an extra 4-byte header is inserted into the Ethernet frame after the source MAC address, and it carries, among other fields, a 12-bit VLAN Identifier (VID). From the VID the receiving switch knows which VLAN the frame belongs to.

An access port belongs to a single VLAN. Frames on it are sent untagged; the switch assigns them to the port's VLAN itself, and when it forwards a frame out an access port it removes the tag.

Nothing stops a host from inserting 802.1Q headers into its own frames, and several of them can be nested one after another. This nesting is what the attack uses.

A normal exchange across a trunk looks like this:

1) PC1 on access port fa2/1 of SW1, in VLAN 10, sends an ordinary untagged frame. SW1 forwards it out the trunk and, because the trunk carries many VLANs, inserts an 802.1Q header with VLAN 10.
2) The frame crosses the trunk from SW1 to SW2.
3) SW2 reads the VID, looks the destination MAC up in its CAM table for VLAN 10, removes the 802.1Q header and sends the frame out the access port of the destination host.

To summarise:

• the VLAN a frame belongs to is taken from the 802.1Q header on a trunk and from the port configuration on an access port;
• an access port carries one VLAN (in Cisco terminology);
• a trunk port carries all VLANs, or those allowed on it;
• the native VLAN is the one VLAN of a trunk whose frames are sent without a tag; by default the native VLAN is VLAN 1.
The consequence: a frame of the native VLAN leaves a trunk untagged, exactly as it would leave an access port.

Attack one: switch spoofing

The simplest form of VLAN hopping is to turn the attacker's own port into a trunk. Cisco switches negotiate trunks with DTP (Dynamic Trunking Protocol). A port can be in one of four modes: dynamic auto, dynamic desirable, static access, static trunk. The modes of the two ends determine the outcome of the negotiation:

                 access      dynamic auto   dynamic desirable   trunk
access           access      access         access              (misconfiguration)
dynamic auto     access      access         trunk               trunk
dynamic desirable access     trunk          trunk               trunk
trunk            (misconfig) trunk          trunk               trunk

The point is that dynamic auto combined with dynamic desirable yields a trunk. An attacker's host that sends DTP frames in desirable mode turns its port into a trunk and receives the traffic of every VLAN allowed on it, which by default is all of them.

The default on Cisco switches is dynamic auto. Access/auto results in an access port, trunk/auto in a trunk.

Protection:

Disable DTP negotiation on the port and set its mode explicitly.
SW(config-if)#switchport nonegotiate

The command is accepted only on a port whose mode is static access or static trunk, so set switchport mode access (or trunk) first. Do this on every user-facing port; trunks to other switches should be static trunks with nonegotiate as well.


Attack two: double tagging

The second variant of VLAN hopping exploits the native VLAN. It works when the attacker's access VLAN is the same as the native VLAN of the trunk.

The attacker builds a frame with two 802.1Q headers: the outer one with the VID of their own VLAN (VLAN 1), the inner one with the VID of the target VLAN (VLAN 2).

Because VLAN 1 is the native VLAN, SW1 sends the frame from fa2/1 onto the trunk untagged, i.e. it strips the outer header that PC1 added. The inner header with VLAN 2 is now the first thing SW2 sees after the MAC addresses, so SW2 treats the frame as belonging to VLAN 2 and delivers it there.

Note that this is a one-way channel: the host in VLAN 2 cannot answer into VLAN 1 the same way, so the attack suits injecting traffic or denial of service rather than a two-way session.

Protection:

Make the native VLAN of every trunk a VLAN that nobody uses:
SW(config-if)# switchport trunk native vlan 999

And make sure VLAN 999 is assigned to no access port. As an extra measure, the global command vlan dot1q tag native makes the switch tag native-VLAN frames on trunks as well, which removes the untagged case altogether.
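The tagging rules from the summary above and the double-tagging attack, as an added example that is not part of the original article: it builds the attacker's frame with two 802.1Q headers, runs it through the access-port ingress and trunk egress of SW1 and the trunk ingress of SW2, and returns the VLAN in which SW2 delivers it, once with the default native VLAN 1 and once after the native VLAN is moved to an unused number. The switch behaviour is the rule set the text states (access ports accept frames tagged with their own VLAN, the native VLAN crosses the trunk untagged); MAC addresses are made up.

```python
"""802.1Q tagging and the double-tagging attack (added example, not the article's code).
The frames are built here; the switch behaviour is the rule set from the text:
access ports accept untagged frames or frames tagged with their own VLAN, trunks send
the native VLAN untagged, and a receiving trunk classifies an untagged frame as native."""
import struct
from typing import List, Optional, Tuple

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, vids: List[int], payload: bytes) -> bytes:
    """Ethernet frame with zero or more 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", ETHERTYPE_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame: bytes) -> Tuple[List[int], bytes]:
    """Return the VIDs of all stacked tags (outermost first) and the untagged frame."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETHERTYPE_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        vids.append(tci & 0x0FFF)
        off += 4
    return vids, frame[:12] + frame[off:]


def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def access_ingress(frame: bytes, access_vlan: int) -> Optional[bytes]:
    """SW1 access port: untagged frames are accepted as-is; a frame tagged with the
    port's own VLAN is accepted with that (outer) tag removed; anything else is dropped."""
    vids, _ = parse_tags(frame)
    if not vids:
        return frame
    if vids[0] == access_vlan:
        return strip_outer_tag(frame)
    return None


def trunk_egress(frame: bytes, vlan: int, native_vlan: int) -> bytes:
    """SW1 sends a frame of `vlan` onto the trunk: tagged, unless it is the native VLAN."""
    if vlan == native_vlan:
        return frame                                            # native: sent untagged
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan) + frame[12:]


def trunk_ingress(frame: bytes, native_vlan: int) -> Tuple[int, bytes]:
    """SW2 classifies a frame from the trunk: the outer tag's VID, or native if untagged."""
    vids, _ = parse_tags(frame)
    if vids:
        return vids[0], strip_outer_tag(frame)
    return native_vlan, frame


def double_tag_attack(attacker_vlan: int, trunk_native: int, target_vlan: int) -> int:
    """VLAN in which SW2 delivers the attacker's double-tagged frame."""
    attacker = bytes.fromhex("000011111111")     # PC1 on fa2/1 (made-up MACs)
    victim = bytes.fromhex("000022222222")
    frame = build_frame(victim, attacker, [attacker_vlan, target_vlan], b"injected")
    on_sw1 = access_ingress(frame, attacker_vlan)      # outer tag removed, inner tag stays
    if on_sw1 is None:
        raise ValueError("frame rejected at the access port")
    on_trunk = trunk_egress(on_sw1, attacker_vlan, trunk_native)
    vlan, _ = trunk_ingress(on_trunk, trunk_native)
    return vlan
```

double_tag_attack(1, 1, 2) returns 2: with the default native VLAN the frame is delivered into VLAN 2. double_tag_attack(1, 999, 2) returns 1: SW1 now tags the frame with VLAN 1 on the trunk, SW2 classifies it by that outer tag, and the inner VLAN 2 tag stays buried in the payload.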

MAC-Spoofing

In MAC spoofing the attacker gives their interface the MAC address of another host, so that the switch delivers that host's traffic to the attacker instead.

It works because the switch learns MAC addresses from the source MAC of incoming frames and never verifies them. As soon as a frame with an already known MAC address arrives on a different port, the switch simply updates the CAM entry to point to the new port.

Let's check this in a lab. The topology: PC1 and PC2 are connected to switch SW on ports Eth0/0 and Eth0/1, with router R behind the switch.

Initially the MAC table of SW shows PC1's address on Eth0/0.

Now we give PC2 the MAC address of PC1 and have both hosts send traffic towards R through SW. The entry for PC1's MAC now appears on Eth0/1: the address was learned on Eth0/0 and has been relearned on Eth0/1. The relearning can be watched with:
SW# debug ethernet interface

In the IOU lab both hosts send keepalive frames, so the entry flaps: a frame from Eth0/1 moves it to Eth0/1, the next frame from Eth0/0 moves it back, and whoever sent last, here Eth0/1, receives the traffic destined for PC1.

In a real attack the attacker either transmits continuously or first takes the victim off the network, so the entry stays on the attacker's port.

Protection is once again port-security, this time with the legitimate host's MAC address bound to the port statically:

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

After that the MAC table shows the address on Eth0/0 as a static entry, and frames from PC2 on Eth0/1 carrying that address can no longer move it. If Eth0/1 is also secured with port-security, such a frame counts as a violation and, in the default shutdown mode, Eth0/1 goes into err-disable.
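Port-security as this article configures it, as an added example that is not the article's or Cisco's code, modelled for the three places the text uses it: the per-port MAC-address limit against DHCP starvation, the same limit against CAM-table overflow, and the statically bound address against MAC spoofing. It implements the maximum, static and sticky secure addresses, the protect/restrict/shutdown violation modes, and the rule that an address secured on one port is a violation when it appears on another port of the same VLAN. Port names, MAC addresses and the log text are made up (the log lines are not the IOS syslog format).

```python
"""Port-security as configured in this article (added example, not Cisco code):
per-port maximum, static and sticky secure addresses, and the protect / restrict /
shutdown violation modes, including the rule that a MAC secured on one port is a
violation when it shows up on another.  Port names, MACs and log text are made up."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                      # switchport port-security maximum <max>
    violation: str = "shutdown"           # protect | restrict | shutdown (shutdown is the default)
    sticky: bool = False                  # switchport port-security mac-address sticky
    secure: Dict[str, str] = field(default_factory=dict)   # MAC -> static | sticky | dynamic
    err_disabled: bool = False
    violations: int = 0
    log: List[str] = field(default_factory=list)           # modelled log lines, not IOS syslog text

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        self.secure[mac] = "static"

    def violate(self, mac: str) -> str:
        self.violations += 1
        if self.violation == "restrict":
            self.log.append(f"{self.name}: violation by {mac} (syslog + SNMP trap)")
        elif self.violation == "shutdown":
            self.err_disabled = True
            self.log.append(f"{self.name}: err-disabled after violation by {mac}")
        return "drop"                     # protect: dropped silently

    def ingress(self, mac: str) -> str:
        """'forward' or 'drop' for a frame with source `mac` arriving on this port."""
        if self.err_disabled:
            return "drop"
        if mac in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure[mac] = "sticky" if self.sticky else "dynamic"
            return "forward"
        return self.violate(mac)

    def link_down(self) -> None:
        """Dynamic secure addresses are lost on link down; static and sticky ones stay."""
        self.secure = {m: kind for m, kind in self.secure.items() if kind != "dynamic"}


class PortSecuritySwitch:
    def __init__(self, ports: List[SecurePort]):
        self.ports = {p.name: p for p in ports}

    def ingress(self, port_name: str, mac: str) -> str:
        port = self.ports[port_name]
        # A MAC that is secure on another port of the same VLAN is a violation here,
        # whether or not this port still has room.
        if any(mac in p.secure for p in self.ports.values() if p is not port):
            return port.violate(mac) if not port.err_disabled else "drop"
        return port.ingress(mac)


def demo() -> dict:
    eth0 = SecurePort("Eth0/0")                              # PC1, MAC bound statically
    eth0.add_static("0000.1111.1111")
    eth1 = SecurePort("Eth0/1", sticky=True, violation="restrict")   # PC2, learned sticky
    eth2 = SecurePort("Eth0/2", maximum=2)                   # spare port, default shutdown mode
    sw = PortSecuritySwitch([eth0, eth1, eth2])
    r = {}
    r["pc1"] = sw.ingress("Eth0/0", "0000.1111.1111")
    r["pc2"] = sw.ingress("Eth0/1", "0000.2222.2222")
    r["spoof"] = sw.ingress("Eth0/1", "0000.1111.1111")     # MAC spoofing from PC2's port
    # DHCP starvation / CAM overflow: random source MACs from PC2's port, limit already reached
    r["flood"] = [sw.ingress("Eth0/1", f"0200.0000.{i:04x}") for i in range(3)]
    r["eth1_violations"] = eth1.violations
    # shutdown mode: third address on Eth0/2 err-disables it, even the first host is cut off
    r["eth2"] = [sw.ingress("Eth0/2", m) for m in ("0000.aaaa.0001", "0000.aaaa.0002",
                                                   "0000.aaaa.0003", "0000.aaaa.0001")]
    r["eth2_err_disabled"] = eth2.err_disabled
    eth1.link_down()
    r["eth1_after_flap"] = dict(eth1.secure)
    return r
```

demo() shows the trade-off between the modes: restrict on Eth0/1 keeps PC2 working while every spoofed or random address is dropped and counted, whereas shutdown on Eth0/2 takes the legitimate host down together with the attacker until the port is re-enabled.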

SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate

.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .

SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate

.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate

.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate

.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate

.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate

.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .

SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate
.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .

SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate
.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate
.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

Switch spoofing:

For this form of VLAN hopping the attacker's port has to become a trunk. On Cisco switches trunks are negotiated by DTP (Dynamic Trunking Protocol). A port can be in one of four modes: dynamic auto, dynamic desirable, static access, static trunk. Whether a trunk forms depends on the modes at both ends:

auto + auto: access; auto + desirable: trunk; auto + trunk: trunk; desirable + desirable: trunk; desirable + trunk: trunk; trunk + trunk: trunk; access + anything: access.

In particular, a port in dynamic auto becomes a trunk as soon as the other side is dynamic desirable or trunk. A host that sends DTP frames claiming desirable mode therefore gets a trunk and, with it, access to every VLAN.

By default Cisco ports are in dynamic auto, so pay attention to the access/auto and trunk/auto combinations.

Protection: set the port mode statically (access or trunk) and disable DTP on it.
SW(config-if)#switchport nonegotiate
After this the port no longer sends DTP frames.


The second VLAN hopping variant – double tagging – relies on the native VLAN. The attacker sends a frame with two 802.1Q tags: the outer one carries the native VLAN of the trunk, the inner one the target VLAN.

Because the native VLAN of the trunk and the VLAN of the attacker's port fa2/1 are both VLAN1, the first switch strips the outer tag (native VLAN frames go over the trunk untagged) and forwards the frame with the inner tag intact; the second switch sees a frame tagged VLAN2 and delivers it into VLAN2, which PC1 should never have reached.

The attack is one-way: replies cannot come back by the same route, so it allows injecting frames but not a full session.

Protection:

Use a dedicated VLAN as the native VLAN of the trunks.
SW(config-if)# switchport trunk native vlan 999

and make sure VLAN 999 is not assigned to any access port.

MAC-Spoofing

MAC spoofing is the forging of a MAC address: the attacker sets the MAC address of another host on its own interface.

When the switch receives a frame whose source MAC is already in its table on a different port, it simply updates the entry: the CAM table now points that MAC address at the attacker's port, and traffic for the victim is delivered to the attacker.

Let's check this in a lab. The topology:

The MAC address table on SW:

Now PC2, attached to Eth0/1, starts sending frames with PC1's MAC address; the table on SW, through which PC1 talks to R, changes as follows:

The MAC address has moved from Eth0/0 to Eth0/1. With debugging enabled this is visible frame by frame:
SW# debug ethernet interface

The captured frames are IOU keepalives, which the emulated interfaces send regularly. Every frame with this source MAC arriving on Eth0/1, and then on Eth0/0 again, moves the entry; the last frame wins, and in the end the CAM table points to Eth0/1.

Traffic for PC1 is now delivered to PC2.

Protection – port-security with a static MAC address on the port:

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

Checking the result:

The MAC address is now statically bound to Eth0/0. When PC2 on Eth0/1 sends frames with this source address, the switch treats them as a port-security violation instead of moving the entry, so PC1's traffic stays on Eth0/0.
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate
.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate
.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .

SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate
.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .

SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate
.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate
.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate
.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate
.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate

.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate

.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate

.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate

.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)# switchport trunk native vlan 999

, VLAN 999 access-.

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .
SW(config)#ip dhcp snooping vlan
3) ( ):
SW(config-if)#ip dhcp snooping trust


, .

DHCP starvation

, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :

1) IP- DHCP- ;
2) MAC- , IP-, ;
3) , IP- .

, , :

β€’ . IP- , . , .
β€’ DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.


– MAC- . port-security:

1) access :
SW(config-if)#switchport mode access
2) port-security :
SW(config-if)#switchport port-security
3) MAC- :
SW(config-if)switchport port-security maximum
4) MAC- (, sticky): sticky , , sticky .
SW(config-if)#switchport port-security mac-address <mac-address | sticky>

5) MAC-:
protect – , MAC- .
restrict – , syslog SNMP.
shutdown – , .
SW(config-if)#switchport port-security violation <protect | restrict | shutdown>

IP- DHCP-, MAC-.

DHCP snooping,
SW(config-if)ip dhcp snooping limit rate

DHCP ( 100 pps), err-disable, . , , MAC- , .

AM-table overflow

, , , .


SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :

1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : Β« IP- 10.0.0.2, MAC- 10.0.0.1, Β».
2) , MAC- (0000.1111.1111) , , , .
3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .

, CAM-, . – , , - .

. , MAC- . .

, . , , , VLAN, .

, , MAC- .


1) Port-security access- MAC-.
2) – , , , , .

VLAN hopping

- access trunk.

, access trunk :

, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .



VID, , . , .

802.1Q - .
802.1Q.



1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.
2) SW1 SW2 trunk-.
3) SW2 , CAM- access-, 802.1Q .

:

β€’ VLAN , 802.1Q access-;
β€’ (access) VLAN ( Cisco);
β€’ (trunk) , VLAN.
β€’ native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().
, native VLAN access-, trunk- .

:

, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :



, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .

, Cisco auto. access/auto trunk/auto.


, .
SW(config-if)#switchport nonegotiate

.


VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.



native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .

, , .


:

trunk- VLAN native.
SW(config-if)#switchport trunk native vlan 999

, VLAN 999 access-.
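The two VLAN hopping countermeasures discussed above (disabling DTP with `switchport nonegotiate` and moving the native VLAN to an unused VLAN) combined into one trunk and access-port configuration, as an added Cisco IOS example that is not taken from the original article. The interface names (GigabitEthernet1/0/24 as the trunk to SW2, GigabitEthernet1/0/1 as a user port), VLANs 10 and 20 as the user VLANs and VLAN 999 as the reserved native VLAN are assumptions for the example.

```cisco
! Assumed topology (illustration, not the article's own configuration):
!   GigabitEthernet1/0/24 - trunk to SW2
!   GigabitEthernet1/0/1  - user port in VLAN 10
!   VLAN 999              - reserved as native VLAN, never used on access ports
!
vlan 999
 name NATIVE-UNUSED
!
! Optional hardening: also tag frames of the native VLAN, so an untagged
! frame arriving on a trunk is dropped instead of being mapped into the
! native VLAN. Supported on many Catalyst platforms; check your model.
vlan dot1q tag native
!
interface GigabitEthernet1/0/24
 description trunk to SW2
 ! Needed only on platforms that also support ISL encapsulation
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Static trunk, DTP disabled: nothing for a station to negotiate with
 switchport nonegotiate
 ! Native VLAN that carries no user traffic anywhere in the network
 switchport trunk native vlan 999
 ! Prune the trunk to the VLANs that actually have to cross this link
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet1/0/1
 description user port
 switchport mode access
 switchport access vlan 10
 ! Access ports must not take part in DTP either (default mode on many
 ! Cisco switches is dynamic auto, which would accept a trunk request)
 switchport nonegotiate
!
! Verification:
!   show interfaces trunk
!   show interfaces GigabitEthernet1/0/24 switchport
!   show dtp interface GigabitEthernet1/0/24
```

`show interfaces GigabitEthernet1/0/24 switchport` should report `Negotiation of Trunking: Off` and `Trunking Native Mode VLAN: 999`; `show interfaces trunk` lists the allowed and active VLANs per trunk and is the quickest way to audit that no trunk still carries VLAN 1 as native or allows every VLAN.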

MAC-Spoofing

MAC- , , , .

MAC- MAC- , source MAC. , , , CAM-, .

. :



SW:



, .. PC2 MAC Eth0/1, PC1 R SW :



, MAC- Eth0/0 MAC Eth0/1. :
SW# debug ethernet interface



, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.

, .


– port-security :

SW(config-if)#switchport mode access
SW(config-if)#switchport port-security
SW(config-if)#switchport port-security mac-address 0000.1111.1111

:



, MAC- Eth0/0. PC2, Eth0/1 , .


Source: https://habr.com/ru/post/231491/

