We know DHCP as the protocol for managing network IP addresses, and in server administration we usually meet it through address management. From a network-security point of view, DHCP deserves attention too. Today we explain switch security: 802.1X, port-security, DHCP snooping, DAI, VACL, and SPAN/RSPAN.
Switch security: 802.1X, port-security, DHCP snooping, DAI, VACL, SPAN/RSPAN
Binding a port to MAC addresses: port-security
DHCP-based binding of port, IP and MAC: IP Source Guard
DHCP-based prevention of ARP attacks: DAI (Dynamic ARP Inspection)
Prevention of DHCP attacks: DHCP Snooping
All of Cisco's LAN mitigation technologies are here!
Common Methods:
802.1X, port authentication, dot1x, also known as IBNS, identity-based network security (note: IBNS includes port-security). The many names are confusing. When traffic arrives at a port, the client must first authenticate against the ACS server and be authorized before it may access the network. This requires that the client support 802.1X, for example by installing supplicant software.
Extensible Authentication Protocol over LAN (EAPOL) is the protocol used to carry the authentication and authorization information between client and switch.
Sample Configuration:
- Router# configure terminal
- Router(config)# aaa new-model
- Router(config)# aaa authentication dot1x default group radius
- Switch(config)# radius-server host 10.200.200.1 auth-port 1633 key radkey
- Router(config)# dot1x system-auth-control
Enables the 802.1X function globally.
- Router(config)# interface fa0/0
- Router(config-if)# dot1x port-control auto
auto is the normal mode: the port is authorized only after successful authentication.
force-authorized mode: no authentication takes place; the port is always available.
force-unauthorized mode: the interface is effectively closed; it is always unavailable.
Optional Configuration:
- Switch(config)#interface fa0/3
- Switch(config-if)#dot1x reauthentication
- Switch(config-if)#dot1x timeout reauth-period 7200
Re-authenticate every two hours (7200 seconds).
- Switch#dot1x re-authenticate interface fa0/3
Re-authenticate immediately. Note: if a session is already established, it stays up while re-authentication runs.
- Switch#dot1x initialize interface fa0/3
Initialize authentication and tear down the existing session.
- Switch(config)#interface fa0/3
- Switch(config-if)#dot1x timeout quiet-period 45
After a failed authentication, the next authentication request can be initiated only after 45 seconds.
- Switch(config)# interface fa0/3
- Switch(config-if)# dot1x timeout tx-period 90
The default tx-period is 30 seconds.
- Switch(config-if)# dot1x max-req count 4
The client must respond through this port with its authentication information, which the switch relays to the AAA server. If the switch receives no response from the user, it retransmits the request to the client once per tx-period (every 30 seconds by default), four times in total.
- Switch#configure terminal
- Switch(config)#interface fastethernet0/3
- Switch(config-if)#dot1x port-control auto
- Switch(config-if)#dot1x host-mode multi-host
The default host mode is single-host. Multi-host mode requires port-control auto; once one host is successfully authorized, the other hosts on the port can also access the network.
When authorization is lost, for example through a failed re-authentication or a log-off, all hosts on the port lose access.
- Switch#configure terminal
- Switch(config)#dot1x guest-vlan supplicant
- Switch(config)#interface fa0/3
- Switch(config-if)#dot1x guest-vlan 2
Clients that cannot authenticate are placed in VLAN 2, the guest VLAN, which adds flexibility.
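As an added example (not from the original post), here is a small Python audit over an IOS-style running-config that checks the 802.1X settings discussed above: the two global commands, each port's port-control mode, multi-host mode, the guest VLAN and periodic re-authentication. The config fragment is constructed for the demonstration.

```python
# Constructed sample running-config fragment (not from a real device) mixing the settings above.
SAMPLE_CONFIG = """\
aaa new-model
dot1x system-auth-control
interface FastEthernet0/1
 dot1x port-control auto
 dot1x reauthentication
interface FastEthernet0/2
 dot1x port-control force-authorized
interface FastEthernet0/3
 dot1x port-control auto
 dot1x host-mode multi-host
 dot1x guest-vlan 2
interface FastEthernet0/4
 description uplink
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # any other global command ends the stanza
    return interfaces

def audit_dot1x(config):
    """Return (scope, finding) tuples for the 802.1X settings this page describes."""
    global_cmds = {ln.strip() for ln in config.splitlines() if not ln.startswith(" ")}
    findings = [("global", f"missing '{cmd}'")
                for cmd in ("aaa new-model", "dot1x system-auth-control")
                if cmd not in global_cmds]
    for name, cmds in parse_interfaces(config).items():
        modes = [c.split()[-1] for c in cmds if c.startswith("dot1x port-control")]
        if not modes:
            findings.append((name, "no dot1x port-control (port is open)"))
        elif modes[-1] == "force-authorized":
            findings.append((name, "force-authorized bypasses authentication"))
        elif modes[-1] == "auto" and "dot1x reauthentication" not in cmds:
            findings.append((name, "auto without periodic re-authentication"))
        if "dot1x host-mode multi-host" in cmds:
            findings.append((name, "multi-host: one authorized host opens the port for all"))
        if any(c.startswith("dot1x guest-vlan") for c in cmds):
            findings.append((name, "guest VLAN gives unauthenticated clients network access"))
    return findings
```

Running `audit_dot1x(SAMPLE_CONFIG)` reports nothing for Fa0/1 and flags the force-authorized port, the multi-host and guest-VLAN port, and the port with no 802.1X at all.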