BCMSN09_交换网络性能优化与安全PPT课件.ppt (BCMSN Module 9: Optimizing and Securing Multilayer Switched Networks, PPT courseware)

Uploaded by: rrsccc. Document ID: 9759735. Uploaded: 2021-03-23. Format: PPT. Pages: 37. Size: 897.50 KB.

Optimizing and Securing Multilayer Switched Networks, Module 9

Optimizing Multilayer Switched Networks
© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 9-2

Objectives
Upon completing this lesson, you will be able to:
- Describe techniques to enhance the performance of a multilayer switched network
- Monitor switch ports using SPAN and VSPAN
- Monitor switch ports using RSPAN
- Describe the features and operation of network analysis modules on Catalyst switches to improve network traffic management
- Verify and troubleshoot the operation of network analysis modules

Enhancing Network Performance
- Gather a baseline.
- Perform a what-if analysis.
- Perform exception reporting for capacity issues.
- Determine the network management overhead.
- Analyze the capacity information.
- Periodically review capacity information.
- Have upgrade or tuning procedures set up.

Switched Port Analyzer

Configuring SPAN
Switch(config)#monitor session session_num source {interface type/num | vlan num} [, | -] [rx | tx | both]
    Configures a SPAN session to monitor traffic
Switch(config)#monitor session session_number destination {interface type/num [, | -] | vlan num}
    Configures the destination for a SPAN session

Remote SPAN

Configuring RSPAN
Switch(config)#vlan vlan-number
    Enters configuration mode for a specific VLAN
Switch(config-vlan)#remote-span
    Enables RSPAN for the VLAN

Verifying SPAN and RSPAN
Switch#show monitor session session_number [detail]
    Displays SPAN session information

Switch#show monitor session 2
Session 2
---------
Type              : Remote Source Session
Source Ports      :
    RX Only       : Fa3/1
Dest RSPAN VLAN   : 901

Switch#show monitor session 2 detail
Session 2
---------
Type              : Remote Source Session
Source Ports      :
    RX Only       : Fa1/1-3
    TX Only       : None
    Both          : None
Source VLANs      :
    RX Only       : None
    TX Only       : None
    Both          : None
Source RSPAN VLAN : None
Destination Ports : None
Filter VLANs      : None
Dest RSPAN VLAN   : 901
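Putting the SPAN and RSPAN commands above together for the usual two-switch case (mirror a port on one switch, analyze on another), as an added example that is not part of the Cisco course material: a small Python helper that renders the configuration for the source switch, any transit switches and the destination switch, and checks `show monitor session` output from the source switch against the intended session. It assumes the IOS syntax `monitor session N destination remote vlan V` on the source switch and `monitor session N source remote vlan V` on the destination switch; the switch names `source`, `core1` and `destination`, the session number 2 and the helper names are chosen here, and the sample output is the slide's `show monitor session 2` reproduced as constructed input.

```python
"""Render a two-switch RSPAN configuration and check `show monitor session`
output against it. Added example, not Cisco's code."""
import re

# Constructed sample: the `show monitor session 2` output shown on the slide.
SHOW_MONITOR_SESSION_2 = """\
Session 2
---------
Type              : Remote Source Session
Source Ports      :
    RX Only       : Fa3/1
Dest RSPAN VLAN   : 901
"""


def rspan_config(rspan_vlan, source_ports, dest_port, transit_switches=(),
                 session=2, direction="rx"):
    """Return {switch_name: [IOS config lines]} for one RSPAN session.

    The RSPAN VLAN must carry `remote-span` on every switch the mirrored
    traffic crosses (source, transit, destination); a switch without it
    treats the VLAN as ordinary and learns MAC addresses from mirrored frames.
    """
    if not 1 <= rspan_vlan <= 4094:
        raise ValueError("VLAN id out of range")
    if direction not in ("rx", "tx", "both"):
        raise ValueError("direction must be rx, tx or both")

    vlan_block = [f"vlan {rspan_vlan}", " remote-span", "!"]
    cfg = {}
    # Source switch: declare the RSPAN VLAN and send the session into it.
    src = list(vlan_block)
    for port in source_ports:
        src.append(f"monitor session {session} source interface {port} {direction}")
    src.append(f"monitor session {session} destination remote vlan {rspan_vlan}")
    cfg["source"] = src
    # Transit switches only need the VLAN declared as remote-span.
    for name in transit_switches:
        cfg[name] = list(vlan_block)
    # Destination switch: pull the RSPAN VLAN out onto the analyzer port.
    cfg["destination"] = vlan_block + [
        f"monitor session {session} source remote vlan {rspan_vlan}",
        f"monitor session {session} destination interface {dest_port}",
    ]
    return cfg


def check_source_session(show_output, rspan_vlan, source_ports):
    """Compare `show monitor session` output from the source switch with the
    intended session. Returns a list of findings; empty means it matches.
    Port names are compared as strings; ranges such as Fa1/1-3 are not expanded.
    """
    findings = []
    m = re.search(r"^Type\s*:\s*(.+)$", show_output, re.M)
    if not m or "Remote Source Session" not in m.group(1):
        findings.append("session is not a remote source session")
    m = re.search(r"^Dest RSPAN VLAN\s*:\s*(\d+)", show_output, re.M)
    if not m or int(m.group(1)) != rspan_vlan:
        findings.append(f"Dest RSPAN VLAN is not {rspan_vlan}")
    seen = set()
    for line in show_output.splitlines():
        m = re.match(r"^\s+(RX Only|TX Only|Both)\s*:\s*(.+)$", line)
        if m and m.group(2).strip() != "None":
            seen.update(p.strip() for p in m.group(2).split(","))
    missing = sorted(set(source_ports) - seen)
    if missing:
        findings.append("source ports not in session: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    cfg = rspan_config(901, ["Fa3/1"], "Gi1/1", transit_switches=["core1"])
    for switch, lines in cfg.items():
        print(f"! {switch}")
        print("\n".join(lines))
    print(check_source_session(SHOW_MONITOR_SESSION_2, 901, ["Fa3/1"]))
```

The check is deliberately narrow; the thing that actually breaks RSPAN in practice is a transit switch that carries VLAN 901 on its trunks but was never given `remote-span` for it, which is why the generator emits the VLAN block for every switch in the path.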

Network Analysis Module

NAM Initial Configuration
- Assign parameters:
  - IP address
  - Subnet mask
  - IP broadcast address
  - IP host name
  - Default gateway
  - Domain name
  - DNS name server
  - SNMP (MIB variables, access control, system group settings)
- Start the web server

Configuring NAM
Switch(config)#interface gi 8/0
Switch(config-if)#switchport access vlan 93
Switch(config-if)#end
Switch(config)#monitor session 1 destination interface gi 8/1
root@localhost#autostart addressmap enable
    Enables a collection type
root@localhost#autostart collection enable

Verifying NAM
Switch#show module
    Displays information about installed modules

Switch#show module
Mod Ports Card Type                            Model             Serial No.
--- ----- ------------------------------------ ----------------- -----------
  2     2 Catalyst 6000 supervisor 2 (Active)  WS-X6K-SUP2-2GE   SAD0410050B
  3    48 48 port 10/100 mb RJ-45 ethernet     WS-X6248-RJ-45    SAD03080485
  5     2 Network Analysis Module              WS-X6380-NAM      SAD05130AXB
  7     2 Intrusion Detection System           WS-X6381-IDS      SAD05100HPT

Switch#show interface GigabitEthernet slot/{1 | 2}
    Displays NAM interface information

Summary
- Performance management maintains internetwork performance at acceptable levels by measuring and managing various network performance variables.
- SPAN selects and copies network traffic to send to a network analyzer.
- Remote SPAN is a variation of SPAN that sends monitored traffic through an intermediate switch rather than directly to the traffic analyzer.
- A NAM uses SNMP RMON information to monitor and analyze network traffic.
- Use the show commands to verify NAM configuration.

Securing Multilayer Switched Networks
© 2003, Cisco Systems, Inc. All rights reserved. BCMSN v2.0 9-15

Objectives
Upon completing this lesson, you will be able to:
- Explain basic security concepts for the multilayer switched network
- Configure authentication, authorization, and accounting on Catalyst switches
- Configure port security and port-based authentication with 802.1X
- Verify the network access security configuration
- Configure VLAN access lists
- Verify the VLAN access list security configuration

Recommended Switch Security
- Set system passwords
- Configure basic ACLs
- Secure physical access to the console
- Secure access to VTYs
- Configure system warning banners
- Disable unneeded services
- Use SSH instead of Telnet
- Trim CDP
- Disable the integrated HTTP daemon
- Configure basic logging
- Secure SNMP
- Limit trunking connections
- Secure the spanning-tree topology

AAA Network Configuration
- Authentication: verifies a user's identity
- Authorization: specifies the permitted tasks for the user
- Accounting: provides billing, auditing, and monitoring

Configuring Authentication
Switch(config)#aaa new-model
    Enables AAA globally
Switch(config)#aaa authentication login {default | list-name} method1 [method2...]
    Creates an authentication method list; the methods are tried in the order listed
Switch(config)#line {aux | console | tty | vty} line-number [ending-line-number]
    Enters line configuration mode
Switch(config-line)#login authentication {default | list-name}
    Applies the authentication list to a line

Configuring Authorization
Switch(config)#aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration | ipmobile} {default | list-name} method1 [method2...]
    Creates an authorization method list and enables authorization
Switch(config)#interface interface-type interface-number
    Enters interface configuration mode
Switch(config-if)#ppp authorization {default | list-name}
    Applies the named authorization method list to the interface

Configuring Accounting
Switch(config)#aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} method1 [method2...]
    Creates an accounting method list and enables accounting
Switch(config)#interface interface-type interface-number
    Enters interface configuration mode
Switch(config-if)#ppp accounting {default | list-name}
    Applies the named accounting method list to the interface
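How the method order in `aaa authentication login ... method1 method2` behaves when a server is down, versus when it rejects a password, is the detail that decides whether a `local` or `none` fallback is safe. The Python model below is an added example, not Cisco code: it encodes the IOS rule that the next method is tried only when the previous one returns an error (no server answered), never when it returns a failure (a server answered and rejected the credentials). The server state, the user database and the names `query_method` and `evaluate_method_list` are constructed for illustration; treating an unknown username in the local database as an error rather than a failure is an assumption of the model, to be confirmed against the release in use.

```python
"""Model of how IOS walks an AAA authentication method list.
Added example, not Cisco's code."""
from enum import Enum


class Result(Enum):
    PASS = "pass"     # method accepted the user
    FAIL = "fail"     # method answered and rejected the user: list stops here
    ERROR = "error"   # method could not answer: the next method is tried


def query_method(method, user, password, servers, local_users):
    """Outcome of one method for one login attempt against constructed data."""
    if method.startswith("group "):
        group = servers.get(method.split(" ", 1)[1])
        if not group or not group["reachable"]:
            return Result.ERROR
        return Result.PASS if group["users"].get(user) == password else Result.FAIL
    if method == "local":
        # Assumption of this model: an unknown local username is an ERROR
        # (fall through), a wrong password for a known user is a FAIL.
        if user not in local_users:
            return Result.ERROR
        return Result.PASS if local_users[user] == password else Result.FAIL
    if method == "none":
        return Result.PASS            # no authentication at all
    raise ValueError(f"unknown method {method!r}")


def evaluate_method_list(methods, credentials, servers, local_users):
    """Return (Result, deciding_method). Only an ERROR moves on to the next
    method; if every method errors, IOS denies the login: (Result.FAIL, None)."""
    user, password = credentials
    for method in methods:
        outcome = query_method(method, user, password, servers, local_users)
        if outcome is Result.ERROR:
            continue
        return outcome, method
    return Result.FAIL, None


# Constructed sample environment.
TACACS_UP = {"tacacs+": {"reachable": True, "users": {"admin": "S3cret"}}}
TACACS_DOWN = {"tacacs+": {"reachable": False, "users": {}}}
LOCAL_USERS = {"admin": "Backup1"}   # e.g. from `username admin password Backup1`


def demo():
    """Three method lists side by side; returns their outcomes."""
    return {
        # group tacacs+ local: server answers and rejects -> FAIL, no local fallback
        "rejected_no_fallback": evaluate_method_list(
            ["group tacacs+", "local"], ("admin", "Backup1"), TACACS_UP, LOCAL_USERS),
        # same list with the server down -> the local database decides
        "server_down_local": evaluate_method_list(
            ["group tacacs+", "local"], ("admin", "Backup1"), TACACS_DOWN, LOCAL_USERS),
        # group tacacs+ none: server down -> anyone logs in with no credentials
        "server_down_none": evaluate_method_list(
            ["group tacacs+", "none"], ("anyone", ""), TACACS_DOWN, LOCAL_USERS),
    }


if __name__ == "__main__":
    for case, (result, method) in demo().items():
        print(f"{case}: {result.value} via {method}")
```

The third case is the one to avoid on a production switch: `aaa authentication login default group tacacs+ none` means that whenever the TACACS+ servers are unreachable, anyone who reaches a VTY line logs in without credentials. Put `local` last instead, with a locally defined account reserved for that situation, and give the console its own method list.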

Network Access Port Security
Port security is a MAC address lockdown: the port accepts frames only from the secure MAC addresses it has learned or been configured with, and any other source address is a violation. Only the shutdown violation mode disables the port; protect and restrict drop the offending frames and leave the port up (restrict also counts and logs the violation, protect does neither).

Enabling Port Security
Switch(config-if)#switchport port-security [maximum value] [violation {protect | restrict | shutdown}]
    Enables port security and specifies the maximum number of MAC addresses that can be supported by this port

802.1X Port-Based Authentication
Restricts unauthorized clients from connecting to a LAN through publicly accessible ports

Configuring 802.1X Port-Based Authentication
Switch(config)#aaa authentication dot1x default method1 [method2...]
    Creates an 802.1X port-based authentication method list
Switch(config)#dot1x system-auth-control
    Globally enables 802.1X port-based authentication
Switch(config)#interface type slot/port
    Enters interface configuration mode
Switch(config-if)#dot1x port-control auto
    Enables 802.1X port-based authentication on the interface

Verifying Port Security
Switch#show port-security
    Displays security information for all interfaces

Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)      (Count)            (Count)
---------------------------------------------------------------------------
      Fa5/1             11           11                  0  Shutdown
      Fa5/5             15            5                  0  Restrict
     Fa5/11              5            4                  0  Protect
---------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128

Verifying Port Security (Cont.)
Switch#show port-security interface interface x/y
    Displays security information for a specific interface

Switch#show port-security interface fastethernet 5/1
Port Security: Enabled
Port status: SecureUp
Violation mode: Shutdown
Maximum MAC Addresses: 11
Total MAC Addresses: 11
Configured MAC Addresses: 3
Aging time: 20 mins
Aging type: Inactivity
SecureStatic address aging: Enabled
Security Violation count: 0

Verifying Port Security (Cont.)
Switch#show port-security address
    Displays MAC address table security information

Switch#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                 Ports   Remaining Age
                                                          (mins)
----    -----------       ----                 -----   -------------
   1    0001.0001.0001    SecureDynamic        Fa5/1   15 (I)
   1    0001.0001.0002    SecureDynamic        Fa5/1   15 (I)
   1    0001.0001.1111    SecureConfigured     Fa5/1   16 (I)
   1    0001.0001.1112    SecureConfigured     Fa5/1   -
   1    0001.0001.1113    SecureConfigured     Fa5/1   -
   1    0005.0005.0001    SecureConfigured     Fa5/5   23
   1    0005.0005.0002    SecureConfigured     Fa5/5   23
   1    0005.0005.0003    SecureConfigured     Fa5/5   23
   1    0011.0011.0001    SecureConfigured     Fa5/11  25 (I)
   1    0011.0011.0002    SecureConfigured     Fa5/11  25 (I)
-------------------------------------------------------------------
Total Addresses in System: 10
Max Addresses limit in System: 128
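The `show port-security` outputs above are what an operator reads during a review. The following Python script, an added example rather than anything from the course, parses the summary table and the secure address table and flags the conditions worth acting on: ports that are full or one address short of full (the next unknown MAC triggers the violation action), any recorded violations, ports in protect mode (violations there are neither counted nor logged), and dynamically learned secure addresses (lost on reload unless sticky learning is configured). The sample text is the slide output reproduced as constructed input; `parse_port_security`, `parse_secure_addresses` and `audit` are names chosen here.

```python
"""Audit `show port-security` and `show port-security address` output.
Added example, not Cisco's code; sample input copied from the slides."""
import re

# Constructed sample: the two command outputs shown on the slides.
SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                    (Count)      (Count)            (Count)
---------------------------------------------------------------------------
      Fa5/1             11           11                  0  Shutdown
      Fa5/5             15            5                  0  Restrict
     Fa5/11              5            4                  0  Protect
---------------------------------------------------------------------------
Total Addresses in System: 21
Max Addresses limit in System: 128
"""

SHOW_PORT_SECURITY_ADDRESS = """\
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                 Ports   Remaining Age
                                                          (mins)
----    -----------       ----                 -----   -------------
   1    0001.0001.0001    SecureDynamic        Fa5/1   15 (I)
   1    0001.0001.0002    SecureDynamic        Fa5/1   15 (I)
   1    0001.0001.1111    SecureConfigured     Fa5/1   16 (I)
   1    0005.0005.0001    SecureConfigured     Fa5/5   23
   1    0011.0011.0001    SecureConfigured     Fa5/11  25 (I)
-------------------------------------------------------------------
"""

# A data row of the summary table: port, three counters, violation action.
PORT_ROW = re.compile(
    r"^\s*(?P<port>\S+)\s+(?P<max>\d+)\s+(?P<cur>\d+)\s+(?P<viol>\d+)\s+(?P<action>\w+)\s*$")
# A data row of the address table: vlan, dotted MAC, type, port.
ADDR_ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<type>\S+)\s+(?P<port>\S+)")


def parse_port_security(text):
    """Return {port: {"max", "current", "violations", "action"}}."""
    ports = {}
    for line in text.splitlines():
        m = PORT_ROW.match(line)
        if m:
            ports[m["port"]] = {"max": int(m["max"]), "current": int(m["cur"]),
                                "violations": int(m["viol"]), "action": m["action"]}
    return ports


def parse_secure_addresses(text):
    """Return a list of (vlan, mac, type, port) tuples."""
    return [(int(m["vlan"]), m["mac"], m["type"], m["port"])
            for m in map(ADDR_ROW.match, text.splitlines()) if m]


def audit(ports, addresses, headroom=1):
    """Return finding strings, ports first (sorted by name), then addresses."""
    findings = []
    for port, p in sorted(ports.items()):
        if p["violations"] > 0:
            findings.append(f"{port}: {p['violations']} violation(s), action {p['action']}")
        if p["max"] - p["current"] <= headroom:
            findings.append(f"{port}: {p['current']}/{p['max']} secure addresses, "
                            f"next new MAC triggers {p['action']}")
        if p["action"] == "Protect":
            findings.append(f"{port}: violation mode protect drops silently, "
                            "violations are neither counted nor logged")
    for vlan, mac, kind, port in addresses:
        if kind == "SecureDynamic":
            findings.append(f"{port}: {mac} (VLAN {vlan}) learned dynamically, "
                            "lost on reload unless sticky")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_port_security(SHOW_PORT_SECURITY),
                         parse_secure_addresses(SHOW_PORT_SECURITY_ADDRESS)):
        print(finding)
```

Run against real output, the two parsers are the only parts that need attention: the column layout of `show port-security` differs slightly between IOS releases and platforms, so check the regexes against one sample before trusting an empty audit.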

Types of ACLs

Configuring VACLs
Switch(config)#vlan access-map map_name [seq#]
    Defines a VLAN access map
Switch(config-access-map)#match {ip address {1-199 | 1300-2699 | acl_name} | ipx address {800-999 | acl_name} | mac address acl_name}
    Configures the match clause in a VLAN access map sequence
Switch(config-access-map)#action {drop [log] | forward [capture] | redirect {type slot/port | port-channel channel_id}}
    Configures the action clause in a VLAN access map sequence
Switch(config)#vlan filter map_name vlan-list list
    Applies the VLAN access map to the specified VLANs
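VACL sequencing is easy to get backwards, because the ACL named in a `match` clause only selects traffic: a permit in that ACL means the sequence matches and its action applies, a deny means the sequence does not match and the packet falls through to the next sequence, and a packet that no sequence matches is dropped. The Python evaluator below, an added example and not Cisco code, models exactly that for IPv4 source/destination prefixes. The access-map name VLAN10_MAP, the ACL names BLOCKED and ANY, and the addresses are constructed for illustration.

```python
"""Evaluator for VLAN access-map (VACL) sequencing. Added example, not
Cisco's code. Match ACLs are simplified to IPv4 prefix entries so the
sequencing rules stay visible."""
import ipaddress


def acl_permits(acl, src, dst):
    """First-match evaluation of [(action, src_prefix, dst_prefix)] entries.
    True only on an explicit permit; falling off the end is the implicit deny,
    which in a VACL match clause means 'this sequence does not match'."""
    for action, s, d in acl:
        if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
            return action == "permit"
    return False


def vacl_action(access_map, src, dst):
    """Walk map sequences in ascending order. Return (action, seq) for the
    first sequence whose match ACL permits the packet, else ("drop", None)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, acl, action in sorted(access_map, key=lambda entry: entry[0]):
        if acl_permits(acl, src, dst):
            return action, seq
    return "drop", None   # implicit drop at the end of a VLAN access map


# Constructed sample policy (not from the slides): inside VLAN 10, stop one
# workstation from reaching the management server but forward everything else.
# The same policy in the IOS syntax shown on the slides:
#   vlan access-map VLAN10_MAP 10
#    match ip address BLOCKED
#    action drop log
#   vlan access-map VLAN10_MAP 20
#    match ip address ANY
#    action forward
#   vlan filter VLAN10_MAP vlan-list 10
ACL_BLOCKED = [("permit", "10.1.10.5/32", "10.1.10.20/32")]
ACL_ANY = [("permit", "0.0.0.0/0", "0.0.0.0/0")]
VLAN10_MAP = [(10, ACL_BLOCKED, "drop"), (20, ACL_ANY, "forward")]


def demo():
    """Return the verdict for three packets against the sample map."""
    return {
        "blocked_pair": vacl_action(VLAN10_MAP, "10.1.10.5", "10.1.10.20"),
        "other_host": vacl_action(VLAN10_MAP, "10.1.10.6", "10.1.10.20"),
        # Forgetting the catch-all forward sequence blackholes the whole VLAN:
        "no_catch_all": vacl_action(VLAN10_MAP[:1], "10.1.10.6", "10.1.10.20"),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The `no_catch_all` case is the common mistake: an access map that contains only a drop sequence drops every other packet in the VLAN. Note also that a VACL is stateless and is applied to both directions of a conversation, so a policy meant to stop two hosts talking needs an entry for the reverse direction as well; in the sample, replies from 10.1.10.20 to 10.1.10.5 are still forwarded by sequence 20.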

Customer VLAN Requirements
- ISP customers require:
  - Internet access for multiple servers
  - Isolation from other customers
  - Communication between servers
- Traditional solution: one VLAN and IP subnet per customer
  - High resource requirements
  - Limited scalability
  - High management complexity

Private VLANs

PVLAN Ports and Types
Private VLAN ports:
- Promiscuous: can communicate with all other ports
- Isolated: can only communicate with promiscuous ports
- Community: can communicate with other members of the community and all promiscuous ports
Private VLAN types:
- Primary: used by promiscuous ports to communicate with all other ports in the private VLAN
- Isolated: used by isolated ports to communicate with promiscuous ports
- Community: used by community ports to communicate with each other and with promiscuous ports

Configuring Private VLANs
Switch(config-vlan)#private-vlan {primary | isolated | community}
    Configures a VLAN as a private VLAN
Switch(config-vlan)#private-vlan association {secondary_vlan_list | add svl | remove svl}
    Associates secondary VLANs with the primary VLAN
Switch#show vlan private-vlan [type]
    Verifies private VLAN configuration

Configuring Private VLAN Ports
Switch(config-if)#switchport mode private-vlan {host | promiscuous}
    Configures an interface as a private VLAN port
Switch(config-if)#switchport private-vlan host-association primary_vlan_ID secondary_vlan_ID
    Associates an isolated or community port with a private VLAN
Switch(config-if)#switchport private-vlan mapping primary_vlan_ID {secondary_vlan_list | add svl | remove svl}
    Maps a promiscuous PVLAN port to a private VLAN
Switch#show interfaces private-vlan mapping
    Verifies private VLAN port configuration
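The port and VLAN roles listed above reduce to a small reachability rule, which this Python helper encodes as an added example (not Cisco code): given each port's role, primary VLAN and secondary VLAN, it answers whether a frame from one port can reach another, builds the full matrix for a set of ports, and renders the per-port `switchport` commands from the slides. The port names and VLAN numbers (primary 100, isolated 101, community 102) are constructed; `PVLANPort`, `can_talk`, `reachability_matrix` and `render_port_config` are names chosen here.

```python
"""Layer 2 reachability model for private VLANs, following the three port
roles on the slides. Added example, not Cisco's code; port names and VLAN
ids are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PVLANPort:
    name: str
    role: str                        # "promiscuous", "isolated" or "community"
    primary: int                     # primary VLAN id
    secondary: Optional[int] = None  # isolated/community VLAN id; None for promiscuous


def can_talk(a, b):
    """True if a frame from port a can reach port b at Layer 2."""
    if a.primary != b.primary:
        return False                       # different private VLANs never mix
    if "promiscuous" in (a.role, b.role):
        return True                        # promiscuous ports reach every port
    if a.role == b.role == "community":
        return a.secondary == b.secondary  # only within the same community VLAN
    return False                           # isolated ports reach only promiscuous ones


def reachability_matrix(ports):
    """{(src_name, dst_name): bool} for every ordered pair of distinct ports."""
    return {(a.name, b.name): can_talk(a, b) for a in ports for b in ports if a is not b}


def render_port_config(port, all_secondaries):
    """IOS lines for one port, using the commands shown on the slides.
    A promiscuous port is mapped to every secondary VLAN of its primary."""
    if port.role == "promiscuous":
        svl = ",".join(str(v) for v in sorted(all_secondaries))
        return [f"interface {port.name}",
                " switchport mode private-vlan promiscuous",
                f" switchport private-vlan mapping {port.primary} {svl}"]
    return [f"interface {port.name}",
            " switchport mode private-vlan host",
            f" switchport private-vlan host-association {port.primary} {port.secondary}"]


# Constructed sample: one primary VLAN with an isolated and a community VLAN,
# the ISP scenario from the slides.
PORTS = [
    PVLANPort("Gi1/1", "promiscuous", 100),       # uplink to the router
    PVLANPort("Fa2/1", "isolated", 100, 101),     # customer A, single server
    PVLANPort("Fa2/2", "isolated", 100, 101),     # customer B, single server
    PVLANPort("Fa2/3", "community", 100, 102),    # customer C, server 1
    PVLANPort("Fa2/4", "community", 100, 102),    # customer C, server 2
]

if __name__ == "__main__":
    for (src, dst), ok in sorted(reachability_matrix(PORTS).items()):
        print(f"{src} -> {dst}: {'reachable' if ok else 'blocked'}")
    for p in PORTS:
        print("\n".join(render_port_config(p, {101, 102})))
```

A matrix like this is worth diffing against `show interfaces private-vlan mapping` and `show vlan private-vlan` before and after a change window: a port accidentally configured as promiscuous shows up as a full column of True, and two isolated ports that can reach each other mean the isolated VLAN was not declared as such.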

Summary
- Cisco recommends tasks you should complete to secure your switched network from attack.
- AAA network security services provide the primary framework through which you set up access control on a switch.
- Network access security is provided by port security and port-based authentication (802.1X).
- Use show commands to verify the configuration of port security.
- ACLs are useful for controlling access in a multilayer switched network.
- Private VLANs provide Layer 2 isolation between ports within the same private VLAN.
