BCMSN09 Switched Network Performance Optimization and Security (BCMSN09交换网络性能优化与安全.ppt)

Uploaded by: 本田雅阁   Document ID: 2890157   Upload time: 2019-06-02   Format: PPT   Pages: 36   Size: 472.02KB

Optimizing and Securing Multilayer Switched Networks, Module 9

Optimizing Multilayer Switched Networks
© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 9-2

Objectives
Upon completing this lesson, you will be able to:
  Describe techniques to enhance the performance of a multilayer switched network
  Monitor switch ports using SPAN and VSPAN
  Monitor switch ports using RSPAN
  Describe the features and operation of network analysis modules on Catalyst switches to improve network traffic management
  Verify and troubleshoot the operation of network analysis modules

Enhancing Network Performance
  Gather a baseline.
  Perform a what-if analysis.
  Perform exception reporting for capacity issues.
  Determine the network management overhead.
  Analyze the capacity information.
  Periodically review capacity information.
  Have upgrade or tuning procedures set up.

Switched Port Analyzer

Configuring SPAN
  Switch(config)#monitor session session_num source {interface type/num | vlan num} [, | -] [rx | tx | both]
    Configures a SPAN session to monitor traffic
  Switch(config)#monitor session session_number destination {interface type/num [, | -] | vlan num}
    Configures the destination for a SPAN session

Remote SPAN

Configuring RSPAN
  Switch(config)#vlan vlan-number
    Enters configuration mode for a specific VLAN
  Switch(config-vlan)#remote-span
    Enables RSPAN for the VLAN

Verifying SPAN and RSPAN
  Switch#show monitor session session_number [detail]
    Displays SPAN session information

  Switch#show monitor session 2
  Session 2
  ---------
  Type                   : Remote Source Session
  Source Ports           :
      RX Only            : Fa3/1
  Dest RSPAN VLAN        : 901

  Switch#show monitor session 2 detail
  Session 2
  ---------
  Type                   : Remote Source Session
  Source Ports           :
      RX Only            : Fa1/1-3
      TX Only            : None
      Both               : None
  Source VLANs           :
      RX Only            : None
      TX Only            : None
      Both               : None
  Source RSPAN VLAN      : None
  Destination Ports      : None
  Filter VLANs           : None
  Dest RSPAN VLAN        : 901

Network Analysis Module

NAM Initial Configuration
  Assign parameters:
    IP address
    Subnet mask
    IP broadcast address
    IP host name
    Default gateway
    Domain name
    DNS name server
    SNMP (MIB variables, access control, system group settings)
  Start the web server

Configuring NAM
  Switch(config)#interface gi 8/0
  Switch(config-if)#switchport access vlan 93
  Switch(config-if)#end
  Switch(config)#monitor session 1 destination interface gi 8/1
  root@localhost#autostart addressmap enable
    Enables a collection type
  root@localhost#autostart collection enable
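A worked end-to-end RSPAN setup that ties the SPAN, RSPAN and NAM sections above together: an access switch mirrors two user ports into RSPAN VLAN 901, the trunks carry that VLAN, and the core switch holding the NAM delivers it to the NAM data port. This is an added example, not configuration from the Cisco module; the hostnames, interface numbers, VLAN 901 and the NAM slot are assumed.

```cisco
! Added example (not from the course). Hostnames, interface numbers,
! VLAN 901 and the NAM slot (8) are assumed.
!
! ---- ACCESS switch: RSPAN source session ----
hostname ACCESS
!
! remote-span turns 901 into an RSPAN VLAN (no MAC learning, flooded to all trunks)
vlan 901
 name RSPAN-TO-NAM
 remote-span
!
! Copy only received frames from Fa3/1-2; "rx" avoids duplicating the
! frames that the same switch also transmits back out of those ports
monitor session 1 source interface FastEthernet3/1 - 2 rx
monitor session 1 destination remote vlan 901
! (Catalyst 2950/3550 need an extra "reflector-port" on the destination line)
!
! The trunk towards the core must carry VLAN 901, or the copies never leave the switch
interface GigabitEthernet1/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,901
!
! ---- CORE switch: RSPAN destination session, NAM in slot 8 ----
hostname CORE
!
! The RSPAN VLAN must be defined, with remote-span, on every switch in the path
vlan 901
 name RSPAN-TO-NAM
 remote-span
!
interface GigabitEthernet2/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,901
!
! Take the mirrored frames out of VLAN 901 and hand them to the NAM data port
monitor session 1 source remote vlan 901
monitor session 1 destination interface GigabitEthernet8/1
!
! Verify with the lesson's commands: on ACCESS "show monitor session 1" should show
! "Dest RSPAN VLAN: 901"; on CORE "show monitor session 1 detail" should show
! "Source RSPAN VLAN: 901" and "Destination Ports: Gi8/1".
```

A SPAN destination receives a copy of every mirrored frame, so the NAM's management interface belongs on its own VLAN (VLAN 93 in the lesson), never on the RSPAN VLAN.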

Verifying NAM
  Switch#show module
    Displays information about installed modules

  Switch#show module
  Mod Ports Card Type                              Model              Serial No.
  --- ----- -------------------------------------- ------------------ -----------
    2     2 Catalyst 6000 supervisor 2 (Active)    WS-X6K-SUP2-2GE    SAD0410050B
    3    48 48 port 10/100 mb RJ-45 ethernet       WS-X6248-RJ-45     SAD03080485
    5     2 Network Analysis Module                WS-X6380-NAM       SAD05130AXB
    7     2 Intrusion Detection System             WS-X6381-IDS       SAD05100HPT

  Switch#show interface GigabitEthernet slot/{1 | 2}
    Displays NAM interface information

Summary
  Performance management maintains internetwork performance at acceptable levels by measuring and managing various network performance variables.
  SPAN selects and copies network traffic to send to a network analyzer.
  Remote SPAN is a variation of SPAN that sends monitored traffic through an intermediate switch rather than directly to the traffic analyzer.
  A NAM uses SNMP RMON information to monitor and analyze network traffic.
  Use the show commands to verify NAM configuration.

Securing Multilayer Switched Networks
© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 9-15

Objectives
Upon completing this lesson, you will be able to:
  Explain basic security concepts for the multilayer switched network
  Configure authentication, authorization, and accounting on Catalyst switches
  Configure port security and port-based authentication with 802.1X
  Verify the network access security configuration
  Configure VLAN access lists
  Verify the VLAN access list security configuration

Recommended Switch Security
  Set system passwords
  Configure basic ACLs
  Secure physical access to the console
  Secure access to VTYs
  Configure system warning banners
  Disable unneeded services
  SSH
  Trim CDP
  Disable the integrated HTTP daemon
  Configure basic logging
  Secure SNMP
  Limit trunking connections
  Secure the spanning-tree topology

AAA Network Configuration
  Authentication: Verifies a user's identity
  Authorization: Specifies the permitted tasks for the user
  Accounting: Provides billing, auditing, and monitoring

Configuring Authentication
  Switch(config)#aaa new-model
    Enables AAA globally
  Switch(config)#aaa authentication login {default | list-name} method1 [method2...]
    Creates a local authentication list
  Switch(config)#line {aux | console | tty | vty} line-number [ending-line-number]
    Enters line configuration mode
  Switch(config-line)#login authentication {default | list-name}
    Applies the authentication list to a line

Configuring Authorization
  Switch(config)#aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration | ipmobile} {default | list-name} method1 [method2...]
    Creates an authorization method list and enables authorization
  Switch(config)#interface interface-type interface-number
    Enters interface configuration mode
  Switch(config-if)#ppp authorization {default | list-name}
    Applies the named authorization method list to the interface

Configuring Accounting
  Switch(config)#aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} method1 [method2...]
    Creates an accounting method list and enables accounting
  Switch(config)#interface interface-type interface-number
    Enters interface configuration mode
  Switch(config-if)#ppp accounting {default | list-name}
    Applies the named accounting method list to the interface

Network Access Port Security
  Port security is a MAC address lockdown that disables the port if the MAC address is not valid.

Enabling Port Security
  Switch(config-if)#switchport port-security [maximum value] [violation {protect | restrict | shutdown}]
    Enables port security and specifies the maximum number of MAC addresses that can be supported by this port

802.1X Port-Based Authentication
  Restricts unauthorized clients from connecting to a LAN through publicly accessible ports

Configuring 802.1X Port-Based Authentication
  Switch(config)#aaa authentication dot1x default method1 [method2...]
    Creates an 802.1X port-based authentication method list
  Switch(config)#dot1x system-auth-control
    Globally enables 802.1X port-based authentication
  Switch(config)#interface type slot/port
    Enters interface configuration mode
  Switch(config-if)#dot1x port-control auto
    Enables 802.1X port-based authentication on the interface
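The AAA, 802.1X and port-security commands above combined into one access-switch configuration, as an added example that is not part of the course material. The server addresses, shared keys, VLAN and port numbers are assumed, and the placeholder keys must be replaced before use.

```cisco
! Added example; 10.0.0.10, 10.0.0.11, the keys, VLANs and port numbers are assumed.
aaa new-model
!
! Local fallback account so the console still works if every AAA server is unreachable
username admin privilege 15 secret <REPLACE-ME>
tacacs-server host 10.0.0.10 key <REPLACE-ME>
radius-server host 10.0.0.11 auth-port 1812 acct-port 1813 key <REPLACE-ME>
!
! CLI logins: TACACS+ first, local database only when no TACACS+ server answers
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! 802.1X supplicants are checked against RADIUS
aaa authentication dot1x default group radius
dot1x system-auth-control
!
line vty 0 4
 login authentication default
 transport input ssh
!
! User-facing port: the client must pass 802.1X before any frame is forwarded
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
!
! Printer port (no supplicant): port security limits the port to two learned MACs;
! "restrict" drops offending frames and counts the violation instead of shutting the port
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
! Unused ports: shut down and parked in an unused VLAN
interface range FastEthernet0/3 - 24
 switchport mode access
 switchport access vlan 999
 shutdown
```

The violation counter from "show port-security" (next section) is the signal to watch on Fa0/2: a non-zero count under "restrict" means an unexpected MAC appeared without the port going down.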

Verifying Port Security
  Switch#show port-security
    Displays security information for all interfaces

  Switch#show port-security
  Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)      (Count)            (Count)
  ----------------------------------------------------------------------------
        Fa5/1             11           11                  0  Shutdown
        Fa5/5             15            5                  0  Restrict
       Fa5/11              5            4                  0  Protect
  ----------------------------------------------------------------------------
  Total Addresses in System: 21
  Max Addresses limit in System: 128

Verifying Port Security (Cont.)
  Switch#show port-security interface interface x/y
    Displays security information for a specific interface

  Switch#show port-security interface fastethernet 5/1
  Port Security: Enabled
  Port status: SecureUp
  Violation mode: Shutdown
  Maximum MAC Addresses: 11
  Total MAC Addresses: 11
  Configured MAC Addresses: 3
  Aging time: 20 mins
  Aging type: Inactivity
  SecureStatic address aging: Enabled
  Security Violation count: 0

Verifying Port Security (Cont.)
  Switch#show port-security address
    Displays MAC address table security information

  Switch#show port-security address
            Secure Mac Address Table
  -------------------------------------------------------------------
  Vlan    Mac Address       Type              Ports   Remaining Age
                                                       (mins)
  ----    -----------       ----              -----   -------------
     1    0001.0001.0001    SecureDynamic     Fa5/1   15 (I)
     1    0001.0001.0002    SecureDynamic     Fa5/1   15 (I)
     1    0001.0001.1111    SecureConfigured  Fa5/1   16 (I)
     1    0001.0001.1112    SecureConfigured  Fa5/1   -
     1    0001.0001.1113    SecureConfigured  Fa5/1   -
     1    0005.0005.0001    SecureConfigured  Fa5/5   23
     1    0005.0005.0002    SecureConfigured  Fa5/5   23
     1    0005.0005.0003    SecureConfigured  Fa5/5   23
     1    0011.0011.0001    SecureConfigured  Fa5/11  25 (I)
     1    0011.0011.0002    SecureConfigured  Fa5/11  25 (I)
  -------------------------------------------------------------------
  Total Addresses in System: 10
  Max Addresses limit in System: 128

Types of ACLs

Configuring VACLs
  Switch(config)#vlan access-map map_name [seq#]
    Defines a VLAN access map
  Switch(config-access-map)#match {ip address {1-199 | 1300-2699 | acl_name} | ipx address {800-999 | acl_name} | mac address acl_name}
    Configures the match clause in a VLAN access map sequence
  Switch(config-access-map)#action {drop [log] | forward [capture] | redirect {type slot/port | port-channel channel_id}}
    Configures the action clause in a VLAN access map sequence
  Switch(config)#vlan filter map_name vlan-list list
    Applies the VLAN access map to the specified VLANs
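A VACL built from the vlan access-map, match, action and vlan filter commands above, as an added example that is not from the course. It keeps Telnet off a server VLAN except from a management subnet while leaving all other traffic untouched; the VLAN number, ACL names and addresses are assumed.

```cisco
! Added example; VLAN 20, the ACL names, 10.20.0.0/24 and 10.99.0.0/24 are assumed.
!
! Classification ACLs: in a VACL an ACL only selects traffic, so "permit" means "matches"
ip access-list extended SERVER-TELNET
 permit tcp any 10.20.0.0 0.0.0.255 eq 23
!
ip access-list extended MGMT-TO-SERVERS
 permit ip 10.99.0.0 0.0.0.255 10.20.0.0 0.0.0.255
!
! Sequence 10: traffic from the management subnet is forwarded unconditionally
vlan access-map SERVER-VLAN 10
 match ip address MGMT-TO-SERVERS
 action forward
!
! Sequence 20: any other Telnet towards the servers is dropped and logged
vlan access-map SERVER-VLAN 20
 match ip address SERVER-TELNET
 action drop log
!
! Sequence 30: a sequence with no match clause matches every remaining packet;
! without it the implicit deny at the end of the access map would drop all other VLAN traffic
vlan access-map SERVER-VLAN 30
 action forward
!
! Apply to the VLAN; unlike a router ACL this also filters traffic bridged within VLAN 20
vlan filter SERVER-VLAN vlan-list 20
```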

Customer VLAN Requirements
  ISP customers require:
    Internet access for multiple servers
    Isolation from other customers
    Communication between servers
  Traditional solution: one VLAN and IP subnet per customer
    High resource requirements
    Limited scalability
    High management complexity

Private VLANs

PVLAN Ports and Types
  Private VLAN ports:
    Promiscuous: Can communicate with all other ports
    Isolated: Can only communicate with promiscuous ports
    Community: Can communicate with other members of the community and all promiscuous ports
  Private VLAN types:
    Primary: Used by promiscuous ports to communicate with all other ports in the private VLAN
    Isolated: Used by isolated ports to communicate with promiscuous ports
    Community: Used by community ports to communicate with each other and with promiscuous ports

Configuring Private VLANs
  Switch(config-vlan)#private-vlan {primary | isolated | community}
    Configures a VLAN as a private VLAN
  Switch(config-vlan)#private-vlan association {secondary_vlan_list | add svl | remove svl}
    Associates secondary VLANs with the primary VLAN
  Switch#show vlan private-vlan [type]
    Verifies private VLAN configuration

Configuring Private VLAN Ports
  Switch(config-if)#switchport mode private-vlan {host | promiscuous}
    Configures an interface as a private VLAN port
  Switch(config-if)#switchport private-vlan host-association primary_vlan_ID secondary_vlan_ID
    Associates an isolated or community port with a private VLAN
  Switch(config-if)#switchport private-vlan mapping primary_vlan_ID {secondary_vlan_list | add svl | remove svl}
    Maps a promiscuous PVLAN port to a private VLAN
  Switch#show interfaces private-vlan mapping
    Verifies private VLAN port configuration
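The customer-VLAN scenario above (several customers sharing one primary VLAN and subnet, each isolated from the others, one customer with servers that must talk to each other) expressed with the private-VLAN commands just listed. This is an added example, not course material; VLAN numbers and port numbers are assumed.

```cisco
! Added example; VLAN numbers and port numbers are assumed.
! Private VLANs require VTP transparent mode on the Catalyst platforms of this era.
vtp mode transparent
!
! One primary VLAN (and one IP subnet) shared by all customers
vlan 100
 name CUSTOMERS-PRIMARY
 private-vlan primary
 private-vlan association 101,102
!
! Isolated: ports here reach only promiscuous ports, never each other
vlan 101
 name CUSTOMERS-ISOLATED
 private-vlan isolated
!
! Community: customer A's servers may talk among themselves and to promiscuous ports
vlan 102
 name CUSTOMER-A-COMMUNITY
 private-vlan community
!
! Single-server customers go into the isolated VLAN
interface FastEthernet3/1
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
interface FastEthernet3/2
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
!
! Customer A's two servers share the community VLAN
interface FastEthernet3/11
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
interface FastEthernet3/12
 switchport mode private-vlan host
 switchport private-vlan host-association 100 102
!
! Uplink to the Internet gateway: promiscuous, so it reaches every secondary VLAN
interface GigabitEthernet1/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101,102
!
! Verify with: show vlan private-vlan type  /  show interfaces private-vlan mapping
! Note: the isolation is Layer 2 only; the gateway behind Gi1/1 can still route
! between two isolated hosts unless it is configured not to.
```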

Summary
  Cisco recommends tasks you should complete to secure your switched network from attack.
  AAA network security services provide the primary framework through which you set up access control on a switch.
  Network access security is provided by port security and port-based authentication (802.1X).
  Use show commands to verify the configuration of port security.
  ACLs are useful for controlling access in a multilayer switched network.
  Private VLANs provide Layer 2 isolation between ports within the same private VLAN.
