数据中心交换机安全部署最佳实践

¾MACSecurityMACSecurityMACport-securitymaxmaccountsecureSecurityMACMACSecurityMAC¾SecurityMACSecurityMACMACMACVLANSecurityMACVLANMACSecurityMACPort-SecurityMIBSecurityMACSecurityMACSecurityMACautolearn#[Quidway]port-securityenable#Ethernet1/0/1[Quidway]interfaceEthernet1/0/1#MAC80[Quidway-Ethernet1/0/1]port-securitymax-mac-count80#autolearn[Quidway-Ethernet1/0/1]port-securityport-modeautolearn#PC1MAC0001-0002-0003SecurityMACVLAN1[Quidway-Ethernet1/0/1]mac-addresssecurity0001-0002-0003vlan1(1)port-securityport-modeautolearnMACVoiceVLAN802.1x(2)port-securitymax-mac-countcount-valueMACmac-addressmax-mac-countcount2.MACMACMACMACMACMACMACMACMACMAC#MACVLAN[Quidway]mac-addressstatic00e0-fc35-dc71interfaceEthernet1/0/2vlan1#MAC500[Quidway]mac-addresstimeraging500#MAC[Quidway]displaymac-addressinterfaceEthernet1/0/2MACADDRVLANIDSTATEPORTINDEXAGINGTIME(s)00-e0-fc-35-dc-711StaticEthernet1/0/2NOAGED00-e0-fc-17-a7-d61LearnedEthernet1/0/2AGING00-e0-fc-5e-b1-fb1LearnedEthernet1/0/2AGING00-e0-fc-55-f1-161LearnedEthernet1/0/2AGING---4macaddress(es)foundonportEthernet1/0/2---[Quidway]mac-addressmax-mac-count1003.802.1X802.1xEAPRADIUS#802.1x[Quidway]dot1x#802.1x[Quidway-Ethernet1/0/1]dot1x#MAC[Quidway]dot1xport-methodmacbasedinterfaceEthernet1/0/1#RADIUSradius1[Quidway]radiusschemeradius1#/RADIUSIP[Quidway-radius-radius1]primaryauthentication10.11.1.1[Quidway-radius-radius1]primaryaccounting10.11.1.2#/RADIUSIP[Quidway-radius-radius1]secondaryauthentication10.11.1.2[Quidway-radius-radius1]secondaryaccounting10.11.1.1#RADIUS[Quidway-radius-radius1]keyauthenticationname#RADIUS[Quidway-radius-radius1]keyaccountingmoney#RADIUS[Quidway-radius-radius1]timer5[Quidway-radius-radius1]retry5#RADIUS[Quidway-radius-radius1]timerrealtime-accounting15#RADIUS[Quidway-radius-radius1]user-name-formatwithout-domain[Quidway-radius-radius1]quit#aabbcc.net[Quidway]domainaabbcc.net#radius1RADIUSRADIUS[Quidway-isp-aabbcc.net]schemeradius-schemeradius1local#30[Quidway-isp-aabbcc.net]access-limitenable30#[Quidway-isp-aabbcc.net]idle-cutenable202000[Quidway-isp-aabbcc.net]quit#aabbcc.net[Quidway]domaindefaultenableaabbcc.net#[Quidway]local-userlocaluser[Quidway-luser-localuser]service-typelan-access[Quidway-luser-localuser]passwordsimplelocalpass802.1xportsecurityMACMACportsecurity802.1xportsecurity1.2.2ARPARPARPARPARPARPARPARPIPIPARPIPARPIPIPARP[Quidway]arpstatic1.1.1.11234-1234-123410Ethernet1/0/1#ARP[Quidway]arpstatic1.1.1.11234-1234-1234[Quidway]arpstatic192.168.0.1#VLAN[Quidway]interfaceVlan-interface1#IP[Quidway-Vlan-interface1]ip-protectenableIPMACARPARPARP3851.2.3L2SpanningTreeProtocol(STP)STPBridgeProtocolDataUnits(BPDUs)BPDUs:STPSTP3STPSTPSTPzBPDUzRootzzTC-BPDUzBPDU1.BPDUPCBPDUBPDUSTP#BPDUQuidwaysystem-vie[Quidway]stpbpdu-protectionS3900BPDUMSTPBPDU2.RootRootRootDiscarding#Ethernet1/0/1RootQuidwaysystem-view[Quidway]stpinterfaceethernet1/0/1root-protectionQuidwaysystem-view[Quidway]interfaceethernet1/0/1[Quidway-Ethernet1/0/1]stproot-protection3.BPDUBPDUDiscardingDiscarding#Ethernet1/0/1Quidwaysystem-vie[Quidway]interfaceethernet1/0/1[Quidway-Ethernet1/0/1]stploop-protection4.TC-BPDUTC-BPDUMACARPTC-BPDUTC-BPDUTC-BPDUTC-BPDU10TC-BPDUTC-BPDUMACARP#TC-BPDUQuidwaysystem-view[Quidway]stptc-protectionenable5.BPDUSTPBPDUBPDUSTPCPUBPDUBPDUBPDUBPDUBPDUSTP#Ethernet1/0/1BPDUQuidwaysystem-view[Quidway]interfaceEthernet1/0/1[Quidway-Ethernet1/0/1]bpdu-dropanyRoot[Quidway]dhcp-snooping#Ethernet1/0/1[Quidway]interfaceEthernet1/0/1#[Quidway-Ethernet1/0/1]dhcp-snoopingtrust1.3IPRIPv2BGPOSPFIS-ISRIPOSPF1.3.1RIP-2RIP-2MD5MD5RFC1723RFC2082MD5MD5usualRFC1723nonstandardRFC2082[Quidway-Vlan-interface1]ripauthentication-modesimple123#RIPv2MD5[Quidway-Vlan-interface1]ripauthentication-modemd5rfc20821231231.3.2OSPFMD5authentication-modesimpleauthentication-modemd5MD5#[Quidway-ospf-1-area-0.0.0.0]authentication-modesimple#OSPF[Quidway-Vlan-interface1]ospfauthentication-modesimple123#MD5[Quidway-ospf-1-area-0.0.0.0]authentication-modemd5#OSPFMD5[Quidway-Vlan-interface1]ospfauthentication-modemd5123%^&1.41.Console/elnet/ModemConsoleTelnetModemConsoleCon