Protecting an L2 network with switches





Good day. This article looks at several possible attacks on network equipment and at the switch configuration that protects against them.



All terminology and configuration commands follow Cisco documentation, as the de facto industry standard. Each attack description opens with a short explanation of how the attacked protocol works. The article is aimed at beginners rather than at networking professionals.



The following attacks are covered:



• Rogue DHCP server

• DHCP starvation

• CAM table overflow

• VLAN hopping

• MAC spoofing



Based on the CBT Nuggets video lessons from the CCNA Security series.



Rogue DHCP server



Description


A simplified view of the DHCP protocol is as follows:



Discover: a client that has no IP address yet sends a broadcast request to 255.255.255.255, asking the DHCP servers on the network to respond.

Offer: the DHCP server replies with an offer of configuration parameters (IP address, DNS server, default gateway). The reply is sent to the client's MAC address.

Request: the client chooses which server (if there are several) it prefers to obtain an address from, and sends it an address request. This request is also broadcast, but the IP address of the chosen server is already included as one of the options.

Acknowledgement: at this point the server confirms the request. After receiving this packet the client configures its network parameters, and the process of obtaining an address can be considered complete.







The goal of this attack is to spoof the DHCP server. If two DHCP servers are present on the network at the same time and one of them is "hostile", some clients will end up with a wrong address and wrong network details.



By substituting the default gateway, the rogue DHCP server can listen to all client traffic and then pass the packets on to their real destination. This is the simplest implementation of a MitM (Man in the Middle) attack, and it can be carried out on most modern networks.



Note that in many cases a substituted DHCP server is not an attack as such. It often happens that a SOHO router with a DHCP server enabled is plugged into the network by one of its LAN ports without anyone noticing. Clients that then obtain an IP address from it suffer at least a considerable loss of speed, and most often cannot reach local or external resources at all.



Protection


The simplest way to protect against this kind of attack is to enable DHCP snooping on all switches. Two types of ports then need to be defined:



Trusted: a switch port behind which a DHCP server or another switch is connected.

Untrusted: a port for client connections, behind which no DHCP server can legitimately be found, but an attacking device might be.



DHCP snooping tells the switch to watch the DHCP Offer and Acknowledgement packets passing through it and not to let such packets in from untrusted ports. In addition, broadcast requests from clients (Discover and Request) are now forwarded only to trusted ports. The topology looks like this:



To configure DHCP snooping you need to:



1) Enable it on the switch:

SW(config)#ip dhcp snooping





2) Specify the VLANs whose packets are to be monitored:

SW(config)#ip dhcp snooping vlan

3) ( ):

SW(config-if)#ip dhcp snooping trust








, .



DHCP starvation



, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :



1) IP- DHCP- ;

2) MAC- , IP-, ;

3) , IP- .



, , :



• . IP- , . , .

• DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.





– MAC- . port-security:



1) access :

SW(config-if)#switchport mode access





2) port-security :

SW(config-if)#switchport port-security





3) MAC- :

SW(config-if)#switchport port-security maximum

4) MAC- (, sticky): sticky , , sticky .

SW(config-if)#switchport port-security mac-address <mac-address | sticky>






5) MAC-:

protect – , MAC- .

restrict – , syslog SNMP.

shutdown – , .

SW(config-if)#switchport port-security violation <protect | restrict | shutdown>







IP- DHCP-, MAC-.



DHCP snooping,

SW(config-if)#ip dhcp snooping limit rate



DHCP ( 100 pps), err-disable, . , , MAC- , .
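The following is an added example, not part of the original article and not Cisco code: a small Python model of what the commands ip dhcp snooping, ip dhcp snooping trust and ip dhcp snooping limit rate make the switch do. It builds and parses minimal DHCP payloads, drops server messages (Offer/ACK/NAK) that arrive on untrusted ports, forwards client broadcasts only towards trusted ports, records the lease from the ACK in a binding table, and puts an untrusted port into err-disable when it exceeds the configured packets-per-second limit. The port names, MAC addresses, IP addresses and packets are constructed for the demonstration, and the one-second sliding window is an assumed simplification of the real rate limiter.

```python
"""DHCP snooping model: trust-based filtering of DHCP messages, a binding
table learned from acknowledgements, and a per-port rate limit that places
the port in err-disable. Added example; port names, MACs, addresses and
packets below are constructed for illustration."""
import socket
import struct
from collections import defaultdict

# DHCP message types carried in option 53 (RFC 2132)
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {OFFER, ACK, NAK}      # legitimately sent only by a server
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_HDR = "!BBBBIHH4s4s4s4s16s"        # 44 bytes, up to and including chaddr


def build_dhcp(msg_type, client_mac, yiaddr="0.0.0.0"):
    """Build a minimal BOOTP/DHCP payload (UDP/IP headers omitted)."""
    op = 2 if msg_type in SERVER_MESSAGES else 1
    hdr = struct.pack(BOOTP_HDR, op, 1, 6, 0, 0x1234, 0, 0,
                      b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                      client_mac + b"\0" * 10)
    # sname (64) and file (128) are zero; options: type 53, then end (255)
    return hdr + b"\0" * 192 + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload):
    """Return (message type, client MAC, yiaddr) from a DHCP payload."""
    f = struct.unpack(BOOTP_HDR, payload[:44])
    client_mac, yiaddr = f[11][:f[2]], socket.inet_ntoa(f[8])
    opts = payload[44 + 192:]
    if opts[:4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    i = 4
    while i < len(opts) and opts[i] != 255:
        if opts[i] == 0:                  # pad option
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        if code == 53:
            return opts[i + 2], client_mac, yiaddr
        i += 2 + length
    raise ValueError("option 53 (message type) missing")


class DhcpSnoopingSwitch:
    def __init__(self, ports, trusted, rate_limit_pps=None):
        self.ports, self.trusted = list(ports), set(trusted)
        self.rate_limit = rate_limit_pps
        self.err_disabled = set()
        self.bindings = {}                 # client MAC -> (IP, client port)
        self.client_port = {}              # client MAC -> untrusted port it was seen on
        self._arrivals = defaultdict(list)

    def _over_limit(self, port, now):
        """Assumed one-second sliding window, applied to untrusted ports only."""
        if self.rate_limit is None or port in self.trusted:
            return False
        recent = [t for t in self._arrivals[port] if now - t < 1.0] + [now]
        self._arrivals[port] = recent
        return len(recent) > self.rate_limit

    def receive(self, port, payload, now=0.0):
        """Return ('drop', reason) or ('forward', egress ports)."""
        if port in self.err_disabled:
            return "drop", "port is err-disabled"
        if self._over_limit(port, now):
            self.err_disabled.add(port)
            return "drop", "rate limit exceeded, port err-disabled"
        msg_type, mac, yiaddr = parse_dhcp(payload)
        if msg_type in SERVER_MESSAGES:
            if port not in self.trusted:
                return "drop", "server message on untrusted port"
            if msg_type == ACK:            # record the lease the client will use
                self.bindings[mac] = (yiaddr, self.client_port.get(mac))
            dst = self.client_port.get(mac)
            return "forward", ([dst] if dst else [p for p in self.ports if p != port])
        if port not in self.trusted:
            self.client_port[mac] = port
        # client broadcasts go to trusted ports only (where the real server is)
        return "forward", [p for p in self.trusted if p != port]


def demo():
    """Constructed scenario: client on Gi1/0/1, rogue server on Gi1/0/2,
    real server behind the trusted uplink Gi1/0/24, limit 100 pps."""
    sw = DhcpSnoopingSwitch(["Gi1/0/1", "Gi1/0/2", "Gi1/0/24"],
                            trusted=["Gi1/0/24"], rate_limit_pps=100)
    client = bytes.fromhex("000011111111")
    out = {}
    out["discover"] = sw.receive("Gi1/0/1", build_dhcp(DISCOVER, client))
    out["rogue_offer"] = sw.receive("Gi1/0/2", build_dhcp(OFFER, client, "10.0.0.66"))
    out["real_offer"] = sw.receive("Gi1/0/24", build_dhcp(OFFER, client, "10.0.0.50"))
    out["ack"] = sw.receive("Gi1/0/24", build_dhcp(ACK, client, "10.0.0.50"))
    out["binding"] = sw.bindings[client]
    # starvation attempt: 101 Discovers with distinct MACs inside one second
    last = None
    for i in range(101):
        fake_mac = (0x020000000000 + i).to_bytes(6, "big")
        last = sw.receive("Gi1/0/2", build_dhcp(DISCOVER, fake_mac), now=5.0 + i / 1000)
    out["flood_last"] = last
    out["err_disabled"] = sorted(sw.err_disabled)
    return out
```

Running demo() shows the rogue Offer being dropped on the untrusted port while the Offer and ACK from the trusted uplink reach the client, the binding 10.0.0.50 on Gi1/0/1 being recorded, and the 101st Discover in one second taking Gi1/0/2 into err-disable. A real switch will also need errdisable recovery (or a manual shutdown / no shutdown) to bring the port back, which the model does not attempt.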



CAM-table overflow



, , , .





SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :



1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : « IP- 10.0.0.2, MAC- 10.0.0.1, ».

2) , MAC- (0000.1111.1111) , , , .

3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .



, CAM-, . – , , - .



. , MAC- . .



, . , , , VLAN, .



, , MAC- .





1) Port-security access- MAC-.

2) – , , , , .
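An added example (not from the original article) that models the CAM table behaviour described in this section: learning of source MACs, aging, and flooding of frames whose destination is unknown. Once an attacker on one port has filled the table with random source addresses and the entries of PC1 and PC2 have aged out, the switch can no longer learn the legitimate hosts and floods their traffic to every port, including the attacker's. The same learn log gives a defender a simple check: a port that learns hundreds of new MAC addresses in a few minutes is a sign of this attack. Port names, MAC addresses, the table capacity and the timings are constructed for the demonstration.

```python
"""CAM table model: learning, aging, flooding of unknown destinations, and
what happens once an attacker fills the table with random source MACs.
Added example; port names, MACs, capacity and timings are constructed."""
import random
from collections import defaultdict


class CamTable:
    def __init__(self, ports, capacity, aging=300):
        self.ports = list(ports)
        self.capacity, self.aging = capacity, aging
        self.entries = {}                     # mac -> (port, last seen)
        self.learned_at = defaultdict(list)   # port -> times a new MAC was learned
        self.flooded = 0

    def _age_out(self, now):
        stale = [m for m, (_, seen) in self.entries.items() if now - seen > self.aging]
        for m in stale:
            del self.entries[m]

    def learn(self, port, src_mac, now):
        if src_mac in self.entries:
            self.entries[src_mac] = (port, now)      # refresh (or move) the entry
        elif len(self.entries) < self.capacity:
            self.entries[src_mac] = (port, now)
            self.learned_at[port].append(now)
        # a full table silently ignores new source addresses

    def forward(self, ingress, src_mac, dst_mac, now):
        """Return the egress ports: one known port, or a flood to all others."""
        self._age_out(now)
        self.learn(ingress, src_mac, now)
        entry = self.entries.get(dst_mac)
        if entry is None or dst_mac == "ffff.ffff.ffff":
            self.flooded += 1
            return [p for p in self.ports if p != ingress]
        return [entry[0]]

    def suspicious_ports(self, now, window=300, threshold=100):
        """Ports that learned more than `threshold` new MACs in the last `window` seconds."""
        return sorted(p for p, times in self.learned_at.items()
                      if sum(1 for t in times if now - t <= window) > threshold)


def random_mac(rng):
    return ".".join(f"{rng.getrandbits(16):04x}" for _ in range(3))


def demo(capacity=1000):
    rng = random.Random(7)
    cam = CamTable(["gig1/1", "gig1/2", "gig1/3"], capacity)
    pc1, pc2, attacker_port = "0000.1111.1111", "0000.2222.2222", "gig1/3"
    cam.forward("gig1/1", pc1, pc2, now=0)             # pc2 unknown yet: flooded
    before = cam.forward("gig1/2", pc2, pc1, now=1)    # both known: unicast to gig1/1
    # attacker sends 5 frames/s with random source and destination MACs for 409 s
    for t in range(2, 411):
        for _ in range(5):
            cam.forward(attacker_port, random_mac(rng), random_mac(rng), now=t)
    after = cam.forward("gig1/1", pc1, pc2, now=410)   # pc2 aged out, pc1 cannot be learned
    return {"before": before, "after": after, "table_size": len(cam.entries),
            "pc2_known": pc2 in cam.entries, "suspects": cam.suspicious_ports(now=410)}
```

Before the flood a frame from PC2 to PC1 leaves only on gig1/1; afterwards the table holds 1000 attacker entries, PC2 is no longer in it, and a frame from PC1 to PC2 is flooded to gig1/2 and gig1/3 alike. suspicious_ports() names gig1/3 as the only port with an abnormal learn rate, which is the kind of signal a monitoring system can raise from show mac address-table counts or learn-rate telemetry.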



VLAN hopping



- access trunk.



, access trunk :



, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .







VID, , . , .



802.1Q - .

802.1Q.







1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.

2) SW1 SW2 trunk-.

3) SW2 , CAM- access-, 802.1Q .



:



• VLAN , 802.1Q access-;

• (access) VLAN ( Cisco);

• (trunk) , VLAN.

• native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().

, native VLAN access-, trunk- .



:



, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :







, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .



, Cisco auto. access/auto trunk/auto.





, .

SW(config-if)#switchport nonegotiate






.





VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.







native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .



, , .





:



trunk- VLAN native.

SW(config-if)# switchport trunk native vlan 999







, VLAN 999 access-.
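An added example (not part of the original article) that walks through both VLAN hopping variants described above in code. It parses and builds 802.1Q tags, models an access port, a trunk egress and a trunk ingress with the simplified rule that the native VLAN travels untagged, and then shows why a double-tagged frame from an access port in VLAN 1 ends up in VLAN 2 on the next switch when the trunk's native VLAN is also VLAN 1, but stays in VLAN 1 once the native VLAN is moved to an unused VLAN such as 999. The trunk_forms() function encodes the DTP negotiation outcomes from the table above, including the effect of switchport nonegotiate. The frame bytes, VLAN numbers and the assumption that an access port accepts a frame tagged with its own VLAN (stripping that tag) are constructed for the demonstration.

```python
"""802.1Q tag handling and DTP negotiation outcomes. Added example; the
frame bytes, VLAN numbers and the simplified forwarding rules are
constructed/assumed for illustration."""
import struct

TPID_8021Q = 0x8100


def build_frame(dst, src, vlans, ethertype=0x0800, payload=b"\x45" + b"\0" * 19):
    """Ethernet frame with zero or more 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v & 0x0FFF) for v in vlans)
    return dst + src + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, [VIDs outermost first], ethertype, payload)."""
    i, vids = 12, []
    while struct.unpack("!H", frame[i:i + 2])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[i + 2:i + 4])[0]
        vids.append(tci & 0x0FFF)
        i += 4
    return frame[:6], frame[6:12], vids, struct.unpack("!H", frame[i:i + 2])[0], frame[i + 2:]


def pop_tag(frame):
    return frame[:12] + frame[16:]


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid) + frame[12:]


def access_ingress(frame, access_vlan):
    """Assumed access-port rule: untagged frames join the access VLAN; a frame
    tagged with the access VLAN itself is accepted and that tag removed."""
    vids = parse_frame(frame)[2]
    if not vids:
        return access_vlan, frame
    if vids[0] == access_vlan:
        return access_vlan, pop_tag(frame)
    return None, None                        # frames tagged with other VLANs are dropped


def trunk_egress(vlan, frame, native_vlan):
    """The native VLAN travels untagged on the trunk; everything else gets a tag."""
    return frame if vlan == native_vlan else push_tag(frame, vlan)


def trunk_ingress(frame, native_vlan):
    vids = parse_frame(frame)[2]
    if not vids:
        return native_vlan, frame
    return vids[0], pop_tag(frame)


def double_tag_path(access_vlan, native_vlan, inner_vlan):
    """VLAN in which SW2 delivers a frame that PC1 sent double-tagged
    (outer = its access VLAN, inner = the target VLAN) via SW1's trunk."""
    frame = build_frame(b"\xff" * 6, bytes.fromhex("000011111111"), [access_vlan, inner_vlan])
    vlan, frame = access_ingress(frame, access_vlan)
    if vlan is None:
        return None
    on_trunk = trunk_egress(vlan, frame, native_vlan)
    vlan_at_sw2, _ = trunk_ingress(on_trunk, native_vlan)
    return vlan_at_sw2


def trunk_forms(a, b):
    """Outcome of DTP between two switchport modes (simplified Cisco rules).
    Modes: 'access', 'trunk', 'auto', 'desirable'; append ' nonegotiate'
    to suppress DTP frames on that side."""
    (ma, na), (mb, nb) = [(m.split()[0], "nonegotiate" in m) for m in (a, b)]
    if na or nb:                              # no DTP: only static trunk on both ends works
        return ma == "trunk" and mb == "trunk"
    if "access" in (ma, mb):
        return False
    return "trunk" in (ma, mb) or "desirable" in (ma, mb)   # auto/auto stays access
```

double_tag_path(1, 1, 2) returns 2 (the frame crosses into VLAN 2), while double_tag_path(1, 999, 2) returns 1: with the native VLAN moved to 999, SW1 tags the frame with VLAN 1 on the trunk, so SW2 strips that tag and keeps the frame in VLAN 1. trunk_forms("auto", "auto") is False and trunk_forms("auto", "desirable") is True, which is why a port left in the default dynamic mode must be pinned with switchport mode access and switchport nonegotiate. A span port or IDS seeing a second 802.1Q tag in parse_frame()'s output on an access segment is a direct indicator of the double-tagging attempt.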



MAC-Spoofing



MAC- , , , .



MAC- MAC- , source MAC. , , , CAM-, .



. :







SW:







, .. PC2 MAC Eth0/1, PC1 R SW :







, MAC- Eth0/0 MAC Eth0/1. :

SW# debug ethernet interface











, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.



, .





– port-security :



SW(config-if)#switchport mode access





SW(config-if)#switchport port-security





SW(config-if)#switchport port-security mac-address 0000.1111.1111







:







, MAC- Eth0/0. PC2, Eth0/1 , .
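An added example (not from the original article) that models the port-security commands used in the DHCP starvation section and again here: switchport port-security maximum, mac-address (static and sticky) and the three violation modes protect, restrict and shutdown. The first scenario replays the starvation pattern from earlier, a port that sees a long run of different source MACs, under each violation mode; the second replays this section, where PC1's address is statically secured on Eth0/0 and PC2 on Eth0/1 sends frames with that address. Secure addresses are treated as static CAM entries that do not move to another port, and a secure address showing up on a different secure port counts as a violation; these rules, the port names and the MAC addresses are assumptions made for the demonstration.

```python
"""Port-security model: maximum secure addresses, static and sticky MACs,
and the protect / restrict / shutdown violation modes. Added example; port
names, MACs and the simplified rules are constructed/assumed."""


class SecurePort:
    def __init__(self, name, maximum=1, static=(), sticky=False, violation="shutdown"):
        self.name, self.maximum = name, maximum
        self.secure = set(static)            # secure MACs: configured or learned
        self.sticky, self.violation = sticky, violation
        self.running_config = set(static)    # sticky learning writes here as well
        self.err_disabled, self.violations, self.syslog = False, 0, []


class PortSecuritySwitch:
    def __init__(self):
        self.ports, self.cam = {}, {}        # cam: mac -> port name

    def add_port(self, port):
        self.ports[port.name] = port
        for mac in port.secure:              # assumed: secure MACs are static CAM entries
            self.cam[mac] = port.name

    def _violate(self, port, mac):
        if port.violation == "protect":
            return "drop"                    # silently discard, nothing counted or logged
        port.violations += 1
        port.syslog.append(f"PSECURE_VIOLATION on {port.name} caused by {mac}")
        if port.violation == "shutdown":
            port.err_disabled = True
            return "shutdown"
        return "drop"                        # restrict: drop, count, log

    def receive(self, port_name, src_mac):
        """Apply port-security to one frame. Returns 'forward', 'drop' or 'shutdown'."""
        port = self.ports.get(port_name)
        if port is None:                     # port without port-security: plain learning,
            owner = self.cam.get(src_mac)    # except that a static secure entry never moves
            if owner is None or not (owner in self.ports and src_mac in self.ports[owner].secure):
                self.cam[src_mac] = port_name
            return "forward"
        if port.err_disabled:
            return "drop"
        if src_mac in port.secure:
            return "forward"
        secured_elsewhere = any(src_mac in p.secure for n, p in self.ports.items() if n != port_name)
        if len(port.secure) >= port.maximum or secured_elsewhere:
            return self._violate(port, src_mac)
        port.secure.add(src_mac)             # learned dynamically (sticky: also saved)
        if port.sticky:
            port.running_config.add(src_mac)
        self.cam[src_mac] = port_name
        return "forward"


def starvation_demo(violation, flood=50):
    """Attacker on Gi1/0/2 cycles through `flood` different source MACs."""
    sw = PortSecuritySwitch()
    sw.add_port(SecurePort("Gi1/0/2", maximum=2, sticky=True, violation=violation))
    results = [sw.receive("Gi1/0/2", f"0200.0000.{i:04x}") for i in range(flood)]
    port = sw.ports["Gi1/0/2"]
    return {"forwarded": results.count("forward"), "violations": port.violations,
            "err_disabled": port.err_disabled, "sticky_saved": sorted(port.running_config)}


def spoofing_demo():
    """PC1 (0000.1111.1111) is statically secured on Eth0/0; PC2 on Eth0/1 then
    sends frames with PC1's address; a third host tries the same from an
    unsecured port Eth0/2."""
    sw = PortSecuritySwitch()
    sw.add_port(SecurePort("Eth0/0", maximum=1, static={"0000.1111.1111"}, violation="restrict"))
    sw.add_port(SecurePort("Eth0/1", maximum=1, violation="restrict"))
    r_pc1 = sw.receive("Eth0/0", "0000.1111.1111")
    r_pc2 = sw.receive("Eth0/1", "0000.2222.2222")
    r_spoof = sw.receive("Eth0/1", "0000.1111.1111")
    r_unsecured = sw.receive("Eth0/2", "0000.1111.1111")
    return {"pc1": r_pc1, "pc2": r_pc2, "spoof": r_spoof, "unsecured": r_unsecured,
            "cam_owner": sw.cam["0000.1111.1111"], "log": sw.ports["Eth0/1"].syslog}
```

With maximum 2, starvation_demo("shutdown") forwards the first two addresses and then err-disables the port on the third; "restrict" keeps the port up but drops and logs the remaining 48 frames; "protect" drops them silently with no counter, which is why restrict is the better choice where you want the event to reach syslog or SNMP. In spoofing_demo() the spoofed frame on Eth0/1 is dropped and logged, and the CAM entry for 0000.1111.1111 stays on Eth0/0 even when the same address is sent from the unsecured Eth0/2, so PC1's return traffic is not diverted.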













restrict – , syslog SNMP.

shutdown – , .

SW(config-if)#switchport port-security violation <protect | restrict | shutdown>







IP- DHCP-, MAC-.



DHCP snooping,

SW(config-if)ip dhcp snooping limit rate



DHCP ( 100 pps), err-disable, . , , MAC- , .



AM-table overflow



, , , .





SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :



1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : « IP- 10.0.0.2, MAC- 10.0.0.1, ».

2) , MAC- (0000.1111.1111) , , , .

3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .



, CAM-, . – , , - .



. , MAC- . .



, . , , , VLAN, .



, , MAC- .





1) Port-security access- MAC-.

2) – , , , , .



VLAN hopping



- access trunk.



, access trunk :



, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .







VID, , . , .



802.1Q - .

802.1Q.







1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.

2) SW1 SW2 trunk-.

3) SW2 , CAM- access-, 802.1Q .



:



• VLAN , 802.1Q access-;

• (access) VLAN ( Cisco);

• (trunk) , VLAN.

• native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().

, native VLAN access-, trunk- .



:



, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :







, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .



, Cisco auto. access/auto trunk/auto.





, .

SW(config-if)#switchport nonegotiate

.





VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.







native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .



, , .





:



trunk- VLAN native.

SW(config-if)# switchport trunk native vlan 999







, VLAN 999 access-.



MAC-Spoofing



MAC- , , , .



MAC- MAC- , source MAC. , , , CAM-, .



. :







SW:







, .. PC2 MAC Eth0/1, PC1 R SW :







, MAC- Eth0/0 MAC Eth0/1. :

SW# debug ethernet interface











, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.



, .





– port-security :



SW(config-if)#switchport mode access





SW(config-if)#switchport port-security





SW(config-if)#switchport port-security mac-address 0000.1111.1111







:







, MAC- Eth0/0. PC2, Eth0/1 , .
















SW(config)#ip dhcp snooping vlan

3) ( ):

SW(config-if)#ip dhcp snooping trust








, .



DHCP starvation



, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :



1) IP- DHCP- ;

2) MAC- , IP-, ;

3) , IP- .



, , :



• . IP- , . , .

• DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.





– MAC- . port-security:



1) access :

SW(config-if)#switchport mode access





2) port-security :

SW(config-if)#switchport port-security





3) MAC- :

SW(config-if)switchport port-security maximum

4) MAC- (, sticky): sticky , , sticky .

SW(config-if)#switchport port-security mac-address <mac-address | sticky>






5) MAC-:

protect – , MAC- .

restrict – , syslog SNMP.

shutdown – , .

SW(config-if)#switchport port-security violation <protect | restrict | shutdown>







IP- DHCP-, MAC-.



DHCP snooping,

SW(config-if)ip dhcp snooping limit rate



DHCP ( 100 pps), err-disable, . , , MAC- , .



AM-table overflow



, , , .





SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :



1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : « IP- 10.0.0.2, MAC- 10.0.0.1, ».

2) , MAC- (0000.1111.1111) , , , .

3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .



, CAM-, . – , , - .



. , MAC- . .



, . , , , VLAN, .



, , MAC- .





1) Port-security access- MAC-.

2) – , , , , .



VLAN hopping



- access trunk.



, access trunk :



, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .







VID, , . , .



802.1Q - .

802.1Q.







1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.

2) SW1 SW2 trunk-.

3) SW2 , CAM- access-, 802.1Q .



:



• VLAN , 802.1Q access-;

• (access) VLAN ( Cisco);

• (trunk) , VLAN.

• native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().

, native VLAN access-, trunk- .



:



, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :







, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .



, Cisco auto. access/auto trunk/auto.





, .

SW(config-if)#switchport nonegotiate

.





VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.







native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .



, , .





:



trunk- VLAN native.

SW(config-if)# switchport trunk native vlan 999







, VLAN 999 access-.



MAC-Spoofing



MAC- , , , .



MAC- MAC- , source MAC. , , , CAM-, .



. :







SW:







, .. PC2 MAC Eth0/1, PC1 R SW :







, MAC- Eth0/0 MAC Eth0/1. :

SW# debug ethernet interface











, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.



, .





– port-security :



SW(config-if)#switchport mode access





SW(config-if)#switchport port-security





SW(config-if)#switchport port-security mac-address 0000.1111.1111







:







, MAC- Eth0/0. PC2, Eth0/1 , .
















SW(config)#ip dhcp snooping vlan

3) ( ):

SW(config-if)#ip dhcp snooping trust








, .



DHCP starvation



, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :



1) IP- DHCP- ;

2) MAC- , IP-, ;

3) , IP- .



, , :



• . IP- , . , .

• DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.





– MAC- . port-security:



1) access :

SW(config-if)#switchport mode access





2) port-security :

SW(config-if)#switchport port-security





3) MAC- :

SW(config-if)switchport port-security maximum

4) MAC- (, sticky): sticky , , sticky .

SW(config-if)#switchport port-security mac-address <mac-address | sticky>






5) MAC-:

protect – , MAC- .

restrict – , syslog SNMP.

shutdown – , .

SW(config-if)#switchport port-security violation <protect | restrict | shutdown>







IP- DHCP-, MAC-.



DHCP snooping,

SW(config-if)ip dhcp snooping limit rate



DHCP ( 100 pps), err-disable, . , , MAC- , .



AM-table overflow



, , , .





SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :



1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : « IP- 10.0.0.2, MAC- 10.0.0.1, ».

2) , MAC- (0000.1111.1111) , , , .

3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .



, CAM-, . – , , - .



. , MAC- . .



, . , , , VLAN, .



, , MAC- .





1) Port-security access- MAC-.

2) – , , , , .



VLAN hopping



- access trunk.



, access trunk :



, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .







VID, , . , .



802.1Q - .

802.1Q.







1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.

2) SW1 SW2 trunk-.

3) SW2 , CAM- access-, 802.1Q .



:



• VLAN , 802.1Q access-;

• (access) VLAN ( Cisco);

• (trunk) , VLAN.

• native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().

, native VLAN access-, trunk- .



:



, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :







, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .



, Cisco auto. access/auto trunk/auto.





, .

SW(config-if)#switchport nonegotiate

.





VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.







native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .



, , .





:



trunk- VLAN native.

SW(config-if)# switchport trunk native vlan 999







, VLAN 999 access-.



MAC-Spoofing



MAC- , , , .



MAC- MAC- , source MAC. , , , CAM-, .



. :







SW:







, .. PC2 MAC Eth0/1, PC1 R SW :







, MAC- Eth0/0 MAC Eth0/1. :

SW# debug ethernet interface











, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.



, .





– port-security :



SW(config-if)#switchport mode access





SW(config-if)#switchport port-security





SW(config-if)#switchport port-security mac-address 0000.1111.1111







:







, MAC- Eth0/0. PC2, Eth0/1 , .
















SW(config)#ip dhcp snooping vlan

3) ( ):

SW(config-if)#ip dhcp snooping trust








, .



DHCP starvation



, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :



1) IP- DHCP- ;

2) MAC- , IP-, ;

3) , IP- .



, , :



• . IP- , . , .

• DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.





– MAC- . port-security:



1) access :

SW(config-if)#switchport mode access





2) port-security :

SW(config-if)#switchport port-security





3) MAC- :

SW(config-if)switchport port-security maximum

4) MAC- (, sticky): sticky , , sticky .

SW(config-if)#switchport port-security mac-address <mac-address | sticky>






5) MAC-:

protect – , MAC- .

restrict – , syslog SNMP.

shutdown – , .

SW(config-if)#switchport port-security violation <protect | restrict | shutdown>







IP- DHCP-, MAC-.



DHCP snooping,

SW(config-if)ip dhcp snooping limit rate



DHCP ( 100 pps), err-disable, . , , MAC- , .



AM-table overflow



, , , .





SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :



1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : « IP- 10.0.0.2, MAC- 10.0.0.1, ».

2) , MAC- (0000.1111.1111) , , , .

3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .



, CAM-, . – , , - .



. , MAC- . .



, . , , , VLAN, .



, , MAC- .





1) Port-security access- MAC-.

2) – , , , , .



VLAN hopping



- access trunk.



, access trunk :



, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .







VID, , . , .



802.1Q - .

802.1Q.







1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.

2) SW1 SW2 trunk-.

3) SW2 , CAM- access-, 802.1Q .



:



• VLAN , 802.1Q access-;

• (access) VLAN ( Cisco);

• (trunk) , VLAN.

• native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().

, native VLAN access-, trunk- .



:



, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :







, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .



, Cisco auto. access/auto trunk/auto.





, .

SW(config-if)#switchport nonegotiate

.





VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.







native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .



, , .





:



trunk- VLAN native.

SW(config-if)# switchport trunk native vlan 999







, VLAN 999 access-.



MAC-Spoofing



MAC- , , , .



MAC- MAC- , source MAC. , , , CAM-, .



. :







SW:







, .. PC2 MAC Eth0/1, PC1 R SW :







, MAC- Eth0/0 MAC Eth0/1. :

SW# debug ethernet interface











, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.



, .





– port-security :



SW(config-if)#switchport mode access





SW(config-if)#switchport port-security





SW(config-if)#switchport port-security mac-address 0000.1111.1111







:







, MAC- Eth0/0. PC2, Eth0/1 , .
















SW(config)#ip dhcp snooping vlan

3) ( ):

SW(config-if)#ip dhcp snooping trust








, .



DHCP starvation



, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :



1) IP- DHCP- ;

2) MAC- , IP-, ;

3) , IP- .



, , :



• . IP- , . , .

• DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.





– MAC- . port-security:



1) access :

SW(config-if)#switchport mode access





2) port-security :

SW(config-if)#switchport port-security





3) MAC- :

SW(config-if)switchport port-security maximum

4) MAC- (, sticky): sticky , , sticky .

SW(config-if)#switchport port-security mac-address <mac-address | sticky>






5) MAC-:

protect – , MAC- .

restrict – , syslog SNMP.

shutdown – , .

SW(config-if)#switchport port-security violation <protect | restrict | shutdown>







IP- DHCP-, MAC-.



DHCP snooping,

SW(config-if)ip dhcp snooping limit rate



DHCP ( 100 pps), err-disable, . , , MAC- , .



AM-table overflow



, , , .





SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :



1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : « IP- 10.0.0.2, MAC- 10.0.0.1, ».

2) , MAC- (0000.1111.1111) , , , .

3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .



, CAM-, . – , , - .



. , MAC- . .



, . , , , VLAN, .



, , MAC- .





1) Port-security access- MAC-.

2) – , , , , .



VLAN hopping



- access trunk.



, access trunk :



, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .







VID, , . , .



802.1Q - .

802.1Q.







1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.

2) SW1 SW2 trunk-.

3) SW2 , CAM- access-, 802.1Q .



:



• VLAN , 802.1Q access-;

• (access) VLAN ( Cisco);

• (trunk) , VLAN.

• native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().

, native VLAN access-, trunk- .



:



, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :







, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .



, Cisco auto. access/auto trunk/auto.





, .

SW(config-if)#switchport nonegotiate

.





VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.







native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .



, , .





:



trunk- VLAN native.

SW(config-if)# switchport trunk native vlan 999







, VLAN 999 access-.



MAC-Spoofing



MAC- , , , .



MAC- MAC- , source MAC. , , , CAM-, .



. :







SW:







, .. PC2 MAC Eth0/1, PC1 R SW :







, MAC- Eth0/0 MAC Eth0/1. :

SW# debug ethernet interface











, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.



, .





– port-security :



SW(config-if)#switchport mode access





SW(config-if)#switchport port-security





SW(config-if)#switchport port-security mac-address 0000.1111.1111







:







, MAC- Eth0/0. PC2, Eth0/1 , .
















SW(config)#ip dhcp snooping vlan

3) ( ):

SW(config-if)#ip dhcp snooping trust








, .



DHCP starvation



, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :



1) IP- DHCP- ;

2) MAC- , IP-, ;

3) , IP- .



, , :



• . IP- , . , .

• DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.





– MAC- . port-security:



1) access :

SW(config-if)#switchport mode access





2) port-security :

SW(config-if)#switchport port-security





3) MAC- :

SW(config-if)switchport port-security maximum

4) MAC- (, sticky): sticky , , sticky .

SW(config-if)#switchport port-security mac-address <mac-address | sticky>






5) MAC-:

protect – , MAC- .

restrict – , syslog SNMP.

shutdown – , .

SW(config-if)#switchport port-security violation <protect | restrict | shutdown>







IP- DHCP-, MAC-.



DHCP snooping,

SW(config-if)ip dhcp snooping limit rate



DHCP ( 100 pps), err-disable, . , , MAC- , .



AM-table overflow



, , , .





SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :



1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : « IP- 10.0.0.2, MAC- 10.0.0.1, ».

2) , MAC- (0000.1111.1111) , , , .

3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .



, CAM-, . – , , - .



. , MAC- . .



, . , , , VLAN, .



, , MAC- .





1) Port-security access- MAC-.

2) – , , , , .



VLAN hopping



- access trunk.



, access trunk :



, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .







VID, , . , .



802.1Q - .

802.1Q.







1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.

2) SW1 SW2 trunk-.

3) SW2 , CAM- access-, 802.1Q .



:



• VLAN , 802.1Q access-;

• (access) VLAN ( Cisco);

• (trunk) , VLAN.

• native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().

, native VLAN access-, trunk- .



:



, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :







, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .



, Cisco auto. access/auto trunk/auto.





, .

SW(config-if)#switchport nonegotiate

.





VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.







native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .



, , .





:



trunk- VLAN native.

SW(config-if)# switchport trunk native vlan 999







, VLAN 999 access-.



MAC-Spoofing



MAC- , , , .



MAC- MAC- , source MAC. , , , CAM-, .



. :







SW:







, .. PC2 MAC Eth0/1, PC1 R SW :







, MAC- Eth0/0 MAC Eth0/1. :

SW# debug ethernet interface











, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.



, .





– port-security :



SW(config-if)#switchport mode access





SW(config-if)#switchport port-security





SW(config-if)#switchport port-security mac-address 0000.1111.1111







:







, MAC- Eth0/0. PC2, Eth0/1 , .
















SW(config)#ip dhcp snooping vlan

3) ( ):

SW(config-if)#ip dhcp snooping trust








, .



DHCP starvation



, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :



1) IP- DHCP- ;

2) MAC- , IP-, ;

3) , IP- .



, , :



• . IP- , . , .

• DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.





– MAC- . port-security:



1) access :

SW(config-if)#switchport mode access





2) port-security :

SW(config-if)#switchport port-security





3) MAC- :

SW(config-if)switchport port-security maximum

4) MAC- (, sticky): sticky , , sticky .

SW(config-if)#switchport port-security mac-address <mac-address | sticky>






5) MAC-:

protect – , MAC- .

restrict – , syslog SNMP.

shutdown – , .

SW(config-if)#switchport port-security violation <protect | restrict | shutdown>







IP- DHCP-, MAC-.



DHCP snooping,

SW(config-if)ip dhcp snooping limit rate



DHCP ( 100 pps), err-disable, . , , MAC- , .



AM-table overflow



, , , .





SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :



1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : « IP- 10.0.0.2, MAC- 10.0.0.1, ».

2) , MAC- (0000.1111.1111) , , , .

3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .



, CAM-, . – , , - .



. , MAC- . .



, . , , , VLAN, .



, , MAC- .





1) Port-security access- MAC-.

2) – , , , , .



VLAN hopping



- access trunk.



, access trunk :



, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .







VID, , . , .



802.1Q - .

802.1Q.







1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.

2) SW1 SW2 trunk-.

3) SW2 , CAM- access-, 802.1Q .



:



• VLAN , 802.1Q access-;

• (access) VLAN ( Cisco);

• (trunk) , VLAN.

• native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().

, native VLAN access-, trunk- .



:



, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :







, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .



, Cisco auto. access/auto trunk/auto.





, .

SW(config-if)#switchport nonegotiate

.





VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.







native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .



, , .





:



trunk- VLAN native.

SW(config-if)# switchport trunk native vlan 999







, VLAN 999 access-.



MAC-Spoofing



MAC- , , , .



MAC- MAC- , source MAC. , , , CAM-, .



. :







SW:







, .. PC2 MAC Eth0/1, PC1 R SW :







, MAC- Eth0/0 MAC Eth0/1. :

SW# debug ethernet interface











, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.



, .





– port-security :



SW(config-if)#switchport mode access





SW(config-if)#switchport port-security





SW(config-if)#switchport port-security mac-address 0000.1111.1111







:







, MAC- Eth0/0. PC2, Eth0/1 , .
















SW(config)#ip dhcp snooping vlan

3) ( ):

SW(config-if)#ip dhcp snooping trust








, .



DHCP starvation



, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :



1) IP- DHCP- ;

2) MAC- , IP-, ;

3) , IP- .



, , :



• . IP- , . , .

• DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.





– MAC- . port-security:



1) access :

SW(config-if)#switchport mode access





2) port-security :

SW(config-if)#switchport port-security





3) MAC- :

SW(config-if)switchport port-security maximum

4) MAC- (, sticky): sticky , , sticky .

SW(config-if)#switchport port-security mac-address <mac-address | sticky>






5) MAC-:

protect – , MAC- .

restrict – , syslog SNMP.

shutdown – , .

SW(config-if)#switchport port-security violation <protect | restrict | shutdown>







IP- DHCP-, MAC-.



DHCP snooping,

SW(config-if)ip dhcp snooping limit rate



DHCP ( 100 pps), err-disable, . , , MAC- , .



AM-table overflow



, , , .





SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :



1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : « IP- 10.0.0.2, MAC- 10.0.0.1, ».

2) , MAC- (0000.1111.1111) , , , .

3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .



, CAM-, . – , , - .



. , MAC- . .



, . , , , VLAN, .



, , MAC- .





1) Port-security access- MAC-.

2) – , , , , .



VLAN hopping



- access trunk.



, access trunk :



, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .







VID, , . , .



802.1Q - .

802.1Q.







1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.

2) SW1 SW2 trunk-.

3) SW2 , CAM- access-, 802.1Q .



:



• VLAN , 802.1Q access-;

• (access) VLAN ( Cisco);

• (trunk) , VLAN.

• native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().

, native VLAN access-, trunk- .



:



, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :







, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .



, Cisco auto. access/auto trunk/auto.





, .

SW(config-if)#switchport nonegotiate






.





VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.







native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .



, , .





:



trunk- VLAN native.

SW(config-if)# switchport trunk native vlan 999







, VLAN 999 access-.



MAC-Spoofing



MAC- , , , .



MAC- MAC- , source MAC. , , , CAM-, .



. :







SW:







, .. PC2 MAC Eth0/1, PC1 R SW :







, MAC- Eth0/0 MAC Eth0/1. :

SW# debug ethernet interface











, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.



, .





– port-security :



SW(config-if)#switchport mode access





SW(config-if)#switchport port-security





SW(config-if)#switchport port-security mac-address 0000.1111.1111







:







, MAC- Eth0/0. PC2, Eth0/1 , .












SW(config)#ip dhcp snooping vlan

3) ( ):

SW(config-if)#ip dhcp snooping trust








, .



DHCP starvation



, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :



1) IP- DHCP- ;

2) MAC- , IP-, ;

3) , IP- .



, , :



• . IP- , . , .

• DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.





– MAC- . port-security:



1) access :

SW(config-if)#switchport mode access





2) port-security :

SW(config-if)#switchport port-security





3) MAC- :

SW(config-if)switchport port-security maximum

4) MAC- (, sticky): sticky , , sticky .

SW(config-if)#switchport port-security mac-address <mac-address | sticky>






5) MAC-:

protect – , MAC- .

restrict – , syslog SNMP.

shutdown – , .

SW(config-if)#switchport port-security violation <protect | restrict | shutdown>







IP- DHCP-, MAC-.



DHCP snooping,

SW(config-if)ip dhcp snooping limit rate



DHCP ( 100 pps), err-disable, . , , MAC- , .



AM-table overflow



, , , .





SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :



1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : « IP- 10.0.0.2, MAC- 10.0.0.1, ».

2) , MAC- (0000.1111.1111) , , , .

3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .



, CAM-, . – , , - .



. , MAC- . .



, . , , , VLAN, .



, , MAC- .





1) Port-security access- MAC-.

2) – , , , , .



VLAN hopping



- access trunk.



, access trunk :



, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .







VID, , . , .



802.1Q - .

802.1Q.







1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.

2) SW1 SW2 trunk-.

3) SW2 , CAM- access-, 802.1Q .



:



• VLAN , 802.1Q access-;

• (access) VLAN ( Cisco);

• (trunk) , VLAN.

• native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().

, native VLAN access-, trunk- .



:



, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :







, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .



, Cisco auto. access/auto trunk/auto.





, .

SW(config-if)#switchport nonegotiate






.





VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.







native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .



, , .





:



trunk- VLAN native.

SW(config-if)# switchport trunk native vlan 999







, VLAN 999 access-.



MAC-Spoofing



MAC- , , , .



MAC- MAC- , source MAC. , , , CAM-, .



. :







SW:







, .. PC2 MAC Eth0/1, PC1 R SW :







, MAC- Eth0/0 MAC Eth0/1. :

SW# debug ethernet interface











, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.



, .





– port-security :



SW(config-if)#switchport mode access





SW(config-if)#switchport port-security





SW(config-if)#switchport port-security mac-address 0000.1111.1111







:







, MAC- Eth0/0. PC2, Eth0/1 , .












SW(config)#ip dhcp snooping vlan

3) ( ):

SW(config-if)#ip dhcp snooping trust








, .



DHCP starvation



, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :



1) IP- DHCP- ;

2) MAC- , IP-, ;

3) , IP- .



, , :



• . IP- , . , .

• DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.





– MAC- . port-security:



1) access :

SW(config-if)#switchport mode access





2) port-security :

SW(config-if)#switchport port-security





3) MAC- :

SW(config-if)switchport port-security maximum

4) MAC- (, sticky): sticky , , sticky .

SW(config-if)#switchport port-security mac-address <mac-address | sticky>






5) MAC-:

protect – , MAC- .

restrict – , syslog SNMP.

shutdown – , .

SW(config-if)#switchport port-security violation <protect | restrict | shutdown>







IP- DHCP-, MAC-.



DHCP snooping,

SW(config-if)ip dhcp snooping limit rate



DHCP ( 100 pps), err-disable, . , , MAC- , .



AM-table overflow



, , , .





SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :



1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : « IP- 10.0.0.2, MAC- 10.0.0.1, ».

2) , MAC- (0000.1111.1111) , , , .

3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .



, CAM-, . – , , - .



. , MAC- . .



, . , , , VLAN, .



, , MAC- .





1) Port-security access- MAC-.

2) – , , , , .



VLAN hopping



- access trunk.



, access trunk :



, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .







VID, , . , .



802.1Q - .

802.1Q.







1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.

2) SW1 SW2 trunk-.

3) SW2 , CAM- access-, 802.1Q .



:



• VLAN , 802.1Q access-;

• (access) VLAN ( Cisco);

• (trunk) , VLAN.

• native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().

, native VLAN access-, trunk- .



:



, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :







, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .



, Cisco auto. access/auto trunk/auto.





, .

SW(config-if)#switchport nonegotiate






.





VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.







native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .



, , .





:



trunk- VLAN native.

SW(config-if)# switchport trunk native vlan 999







, VLAN 999 access-.



MAC-Spoofing



MAC- , , , .



MAC- MAC- , source MAC. , , , CAM-, .



. :







SW:







, .. PC2 MAC Eth0/1, PC1 R SW :







, MAC- Eth0/0 MAC Eth0/1. :

SW# debug ethernet interface











, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.



, .





– port-security :



SW(config-if)#switchport mode access





SW(config-if)#switchport port-security





SW(config-if)#switchport port-security mac-address 0000.1111.1111







:







, MAC- Eth0/0. PC2, Eth0/1 , .












SW(config)#ip dhcp snooping vlan

3) ( ):

SW(config-if)#ip dhcp snooping trust








, .



DHCP starvation



, DHCP. DHCP-, IP-, . , 253 ( 255.255.255.0). , DHCP starvation . :



1) IP- DHCP- ;

2) MAC- , IP-, ;

3) , IP- .



, , :



• . IP- , . , .

• DHCP-. DHCP starvation . DHCP- , , 100% DHCP-.





– MAC- . port-security:



1) access :

SW(config-if)#switchport mode access





2) port-security :

SW(config-if)#switchport port-security





3) MAC- :

SW(config-if)switchport port-security maximum

4) MAC- (, sticky): sticky , , sticky .

SW(config-if)#switchport port-security mac-address <mac-address | sticky>






5) MAC-:

protect – , MAC- .

restrict – , syslog SNMP.

shutdown – , .

SW(config-if)#switchport port-security violation <protect | restrict | shutdown>







IP- DHCP-, MAC-.



DHCP snooping,

SW(config-if)ip dhcp snooping limit rate



DHCP ( 100 pps), err-disable, . , , MAC- , .



AM-table overflow



, , , .





SW, PC1 (MAC 0000.1111.1111) PC2 (MAC 0000.2222.2222). IP- (10.0.0.1 10.0.0.2) . , . , :



1) PC1 PC2 IP-. MAC- PC2 , PC1 ARP. : « IP- 10.0.0.2, MAC- 10.0.0.1, ».

2) , MAC- (0000.1111.1111) , , , .

3) PC2 , , MAC- PC1. CAM- ( MAC-) : ( gig1/2 – MAC 0000.2222.2222). , , , . .



, CAM-, . – , , - .



. , MAC- . .



, . , , , VLAN, .



, , MAC- .





1) Port-security access- MAC-.

2) – , , , , .



VLAN hopping



- access trunk.



, access trunk :



, 802.1Q . , ethernet , ( VLAN Identifier, VID). , .







VID, , . , .



802.1Q - .

802.1Q.







1) PC1 access- fa2/1 SW1 10 VLAN'. , , 802.1Q header VLAN10.

2) SW1 SW2 trunk-.

3) SW2 , CAM- access-, 802.1Q .



:



• VLAN , 802.1Q access-;

• (access) VLAN ( Cisco);

• (trunk) , VLAN.

• native VLAN – trunk- , native VLAN. native VLAN' VLAN1 ().

, native VLAN access-, trunk- .



:



, VLAN hopping , . Cisco DTP (Dynamic Trunking Protocol). ( ) : dynamic auto, dynamic desirable, static access, static trunk. , , :







, , dynamic auto dynamic desirable trunk. , desirable trunk- VLAN', .



, Cisco auto. access/auto trunk/auto.





, .

SW(config-if)#switchport nonegotiate






.





VLAN hopping – native VLAN . , VLAN, native VLAN trunk-.







native VLAN, , fa2/1, VLAN1, trunk- , , PC1 , VLAN2 , .



, , .





:



trunk- VLAN native.

SW(config-if)# switchport trunk native vlan 999







, VLAN 999 access-.
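As an added example that is not part of the article, the Python below parses the 802.1Q tag stack of an Ethernet frame and works out in which VLAN a frame that enters an access port is delivered by the switch on the far side of the trunk (the PC1 / fa2/1 / VLAN1 → VLAN2 scenario described above). It models the two rules the double-tagging variant of VLAN hopping depends on: an access port accepts a frame tagged with its own VLAN, and a trunk sends the native VLAN untagged, so the outer tag disappears and the inner one is read by the next switch. Setting the native VLAN to an unused number (the 999 from the configuration above) is shown to stop the hop. The MAC addresses, VLAN numbers and payload are constructed; the ingress/egress rules are assumptions of this model, not quoted from the article.

```python
"""
Added example: parse an 802.1Q tag stack and work out where a frame that
enters an access port will surface after crossing a trunk.
"""
import struct

TPID_8021Q = 0x8100          # EtherType value announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vids, ethertype, payload):
    """Construct an Ethernet frame carrying zero or more 802.1Q tags."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP/DEI left 0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (dst, src, [vid, ...], inner_ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame")
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
        if ethertype != TPID_8021Q:
            return dst, src, vids, ethertype, frame[off + 2:]
        if off + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack("!H", frame[off + 2:off + 4])[0]
        vids.append(tci & 0x0FFF)          # low 12 bits: the VLAN Identifier
        off += 4


def far_end_vlan(frame, access_vlan, native_vlan):
    """
    VLAN in which the far-side switch delivers the frame, or None when the
    first switch drops it at the access port. Modelled rules (assumptions):
      * an access port accepts untagged frames and frames tagged with its own VLAN;
      * a frame in the trunk's native VLAN crosses the trunk untagged;
      * the far switch classifies by the first tag it sees, else by native VLAN.
    """
    vids = parse_tags(frame)[2]
    if vids and vids[0] != access_vlan:
        return None                         # tag for a foreign VLAN: dropped
    inner = vids[1:]
    if access_vlan == native_vlan:
        # The outer tag (if any) is stripped on the trunk; an inner tag is now
        # outermost and the far switch believes it: the hop.
        return inner[0] if inner else native_vlan
    return access_vlan                      # outer tag kept, inner tag is payload


# Constructed sample: PC1 in VLAN 1 (the default native VLAN) sends a frame
# tagged 1 on the outside and 2 on the inside.
PC1_MAC = bytes.fromhex("000011111111")
TARGET_MAC = bytes.fromhex("000022222222")
DOUBLE_TAGGED = build_frame(TARGET_MAC, PC1_MAC, [1, 2], ETHERTYPE_IPV4,
                            b"constructed payload")

if __name__ == "__main__":
    print(parse_tags(DOUBLE_TAGGED)[2])                     # [1, 2]
    print(far_end_vlan(DOUBLE_TAGGED, 1, native_vlan=1))    # 2: hopped into VLAN 2
    print(far_end_vlan(DOUBLE_TAGGED, 1, native_vlan=999))  # 1: stays in VLAN 1
```

With the native VLAN left at 1 the inner tag reaches the second switch and the frame lands in VLAN 2; with the native VLAN moved to 999 the outer tag stays on the trunk and the inner tag is just bytes of payload. The same parser can be pointed at a capture from an access port: any frame arriving there with more than one tag is a finding, not a normal client frame.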



MAC-Spoofing



MAC- , , , .



MAC- MAC- , source MAC. , , , CAM-, .



. :







SW:







, .. PC2 MAC Eth0/1, PC1 R SW :







, MAC- Eth0/0 MAC Eth0/1. :

SW# debug ethernet interface











, , IOU keepalive . , Eth0/1 , Eth0/0, , CAM- Eth0/1.



, .





– port-security :



SW(config-if)#switchport mode access





SW(config-if)#switchport port-security





SW(config-if)#switchport port-security mac-address 0000.1111.1111







:







, MAC- Eth0/0. PC2, Eth0/1 , .
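As an added illustration that is not part of the article, the Python model below ties together three of the sections above: the five port-security steps from the DHCP starvation section (maximum, dynamic/sticky learning, the protect / restrict / shutdown violation modes), the CAM-table overflow section (a full table turns unknown unicast into flooding), and the static MAC binding with `switchport port-security mac-address 0000.1111.1111` configured just above. It is not Cisco code. The port names (Eth0/0, Eth0/1, Eth0/2), the MAC addresses and the 256-entry table size are constructed for the demo, and a statically secured MAC that shows up on another port is modelled as a dropped, logged frame, which is an assumption about the exact platform behaviour.

```python
"""
Added example: a toy switch with a bounded CAM table and port-security.
Port names, MAC addresses and the 256-entry table size are constructed.
"""
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class PortSec:
    """switchport port-security state of one access port."""
    enabled: bool = False
    maximum: int = 1                      # switchport port-security maximum <n>
    violation: str = "shutdown"           # protect | restrict | shutdown
    secure: set = field(default_factory=set)   # static + learned (sticky) MACs
    err_disabled: bool = False
    log: list = field(default_factory=list)    # what restrict/shutdown would syslog


class Switch:
    def __init__(self, ports, cam_capacity):
        self.ports = {p: PortSec() for p in ports}
        self.cam_capacity = cam_capacity
        self.cam = OrderedDict()          # mac -> (port, is_static)

    def secure(self, port, maximum=1, violation="shutdown", static=()):
        """Steps 1-5 of the port-security procedure; static MACs are pinned."""
        ps = self.ports[port]
        ps.enabled, ps.maximum, ps.violation = True, maximum, violation
        for mac in static:
            ps.secure.add(mac)
            self.cam[mac] = (port, True)

    def _port_security(self, ps, port, src):
        """True if port-security admits the frame; applies the violation mode."""
        if not ps.enabled:
            return True
        if ps.err_disabled:
            return False
        if src in ps.secure:
            return True
        if len(ps.secure) < ps.maximum:
            ps.secure.add(src)            # learned dynamically (sticky would save it)
            return True
        if ps.violation != "protect":     # protect drops silently, the others log
            ps.log.append(f"PSECURE_VIOLATION {src} on {port}")
        if ps.violation == "shutdown":
            ps.err_disabled = True        # port goes err-disabled
        return False

    def receive(self, port, src, dst):
        """Process one frame; return the list of egress ports ([] if dropped)."""
        ps = self.ports[port]
        entry = self.cam.get(src)
        if entry and entry[1] and entry[0] != port:
            # src is statically secured on another port: dynamic learning may
            # not move it, so the spoofed frame is dropped (modelling assumption).
            ps.log.append(f"{src} is bound to {entry[0]}, seen on {port}")
            return []
        if not self._port_security(ps, port, src):
            return []
        if entry is None:
            if len(self.cam) < self.cam_capacity:
                self.cam[src] = (port, False)
            # else: table full, nothing is learned - the overflow condition
        elif not entry[1]:
            self.cam[src] = (port, False)     # refresh a dynamic entry
        known = self.cam.get(dst)
        if known:
            return [] if known[0] == port else [known[0]]
        # unknown unicast or broadcast: flood out of every other live port
        return [p for p, s in self.ports.items() if p != port and not s.err_disabled]


BCAST = "ffff.ffff.ffff"


def cam_overflow_demo(protect):
    """Attacker on Eth0/2 sends 300 fake source MACs, then PC1 talks to PC2."""
    sw = Switch(["Eth0/0", "Eth0/1", "Eth0/2"], cam_capacity=256)
    if protect:
        sw.secure("Eth0/2", maximum=1, violation="shutdown")
    for i in range(300):
        sw.receive("Eth0/2", f"dead.beef.{i:04x}", BCAST)
    sw.receive("Eth0/1", "0000.2222.2222", BCAST)           # PC2 announces itself
    out = sw.receive("Eth0/0", "0000.1111.1111", "0000.2222.2222")
    return sorted(out), sw.ports["Eth0/2"].err_disabled


def violation_demo(mode):
    """Second MAC on a maximum-1 port under each violation mode."""
    sw = Switch(["Eth0/0", "Eth0/1"], cam_capacity=256)
    sw.secure("Eth0/0", maximum=1, violation=mode)
    first = bool(sw.receive("Eth0/0", "0000.1111.1111", BCAST))
    second = bool(sw.receive("Eth0/0", "0000.aaaa.aaaa", BCAST))
    again = bool(sw.receive("Eth0/0", "0000.1111.1111", BCAST))
    ps = sw.ports["Eth0/0"]
    return first, second, again, len(ps.log), ps.err_disabled


def mac_spoof_demo():
    """PC1's MAC pinned to Eth0/0; PC2 on Eth0/1 sends with PC1's address."""
    sw = Switch(["Eth0/0", "Eth0/1"], cam_capacity=256)
    sw.secure("Eth0/0", maximum=1, static={"0000.1111.1111"})
    sw.receive("Eth0/0", "0000.1111.1111", BCAST)
    out = sw.receive("Eth0/1", "0000.1111.1111", BCAST)
    return sw.cam["0000.1111.1111"][0], out, len(sw.ports["Eth0/1"].log)
```

`cam_overflow_demo(False)` shows the hub effect: once the table is full, PC2's address is never learned and PC1's unicast to PC2 is flooded to every port, the attacker's included. With `maximum 1` and `violation shutdown` on the attacker's port the second fake address err-disables it, the table stays small and the same unicast leaves only on Eth0/1. `violation_demo` makes the difference between the three modes visible: all three drop the offending frame, restrict and shutdown also produce a log line, and only shutdown stops the legitimate address from talking afterwards. `mac_spoof_demo` is the last section's scenario: the static entry keeps 0000.1111.1111 on Eth0/0 and the copy arriving on Eth0/1 is dropped and logged.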











