==VRRP==
master (active) / backup (standby); the RFC protocol itself has no interface tracking (Cisco IOS adds it with `vrrp <group> track <object>`)
advertisements are sent to 224.0.0.18 (IP protocol 112)
interface vlan 10
ip address 172.16.10.32 255.255.255.0
vrrp 10 ip 10.1.10.1   (the virtual IP must lie inside the interface subnet; with 172.16.10.32/24 it should be a 172.16.10.x address)
vrrp 10 priority 150
vrrp 10 timers advertise 4 (default 1 sec; the skew time below is added on top of 3 x the advertise interval)
=vrrp skew time=
(256 - priority) / 256 seconds
ex) priority 200 -> (256-200)/256 = 0.22 sec : with the default 1 sec advertise interval the backup declares itself master 3 x 1 + 0.22 = 3.22 sec after the last advertisement
==GLBP==
Gateway Load Balancing Protocol: Cisco-proprietary, not a standard (VRRP is the standard FHRP); builds on HSRP and adds per-host load balancing across all gateways
===========================HSRP====================================
active (1 router forwards)
standby (1 router waits; any others are in listen state)
hellos go to 224.0.0.2, UDP 1985 (HSRPv1; HSRPv2 uses 224.0.0.102)
show ip arp (MAC <-> IP address mapping table)
show standby brief
debug standby events
interface vlan 10
ip address 172.16.10.32 255.255.255.0
standby 1 priority 150 (default 100) (1 ~ 255; highest wins, ties broken by the highest interface IP)
standby 1 ip 172.16.10.110
standby 1 preempt (without preempt a returning higher-priority router stays standby)
standby 1 timers 5 15 (hello 5 sec, hold 15 sec; default hello 3 sec, hold 10 sec)
standby 1 track serial 0 50 (if serial 0 goes down the priority drops by 50; default decrement 10)
standby 1 timers msec 200 msec 750 (sub-second hello/hold for fast failover)
standby 1 preempt delay minimum 180 (wait 180 sec after coming up before preempting, so routing can converge first)
caveat: without authentication any host on the VLAN can send HSRP hellos with priority 255 and become the gateway (man-in-the-middle); use `standby 1 authentication md5 key-string <key>` (VRRP and GLBP have the same option)
======multiple HSRP groups (on the same segment)===========
each switch is active for one group and standby for the other, so both forward traffic; point half of the hosts at .110 and the other half at .120
----sw1----
interface vlan 10
ip address 172.16.10.32 255.255.255.0
standby 1 priority 150
standby 1 ip 172.16.10.110
standby 2 priority 50
standby 2 ip 172.16.10.120
----sw2-----
interface vlan 10
ip address 172.16.10.33 255.255.255.0
standby 1 priority 50
standby 1 ip 172.16.10.110
standby 2 priority 150
standby 2 ip 172.16.10.120
=======multiple HSRP groups (different IP subnets)============
same idea per VLAN: sw1 is active for VLAN 10, sw2 for VLAN 20 (group numbers only need to be unique per interface)
----sw1----
interface vlan 10
ip address 172.16.10.32 255.255.255.0
standby 1 priority 150
standby 1 ip 172.16.10.110
interface vlan 20
ip address 172.16.20.32 255.255.255.0
standby 1 priority 50
standby 1 ip 172.16.20.120
----sw2-----
interface vlan 10
ip address 172.16.10.33 255.255.255.0
standby 1 priority 50
standby 1 ip 172.16.10.110
interface vlan 20
ip address 172.16.20.33 255.255.255.0
standby 1 priority 150
standby 1 ip 172.16.20.120
===========================VRRP====================================
master (only one; priority 255 means the router owns the virtual IP)
backup (one or more)
advertisements to 224.0.0.18 (IP protocol 112); preempt is on by default
interface vlan 10
ip address 172.16.10.32 255.255.255.0
vrrp 10 ip 10.1.10.1   (the virtual IP must lie inside the interface subnet, so 172.16.10.x here)
vrrp 10 priority 150
vrrp 10 timers advertise 4 (default 1 sec; master down interval = 3 x advertise + skew time)
=vrrp skew time=
(256 - priority) / 256
for B: (256-200)/256 = 0.22 sec, total 3 x 1 + 0.22 = 3.22 sec
for C: (256-100)/256 = 0.61 sec, total 3.61 sec
-> the higher-priority backup times out first and takes over, so no explicit election is needed
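The timer arithmetic above, worked in Python as an added example (this code is not from the notes; router names B and C, their priorities and the advertise intervals are the constructed lab values the notes use, and the virtual MAC helpers for HSRP and GLBP are included because these notes compare the three protocols):

```python
"""Added example, not part of the original notes: the VRRP timer arithmetic the
notes quote (skew time and master-down interval, RFC 3768) plus the virtual MAC
layouts of HSRPv1/v2, VRRP and GLBP.  Router names and priorities are
constructed lab values chosen to reproduce the figures in the notes."""


def vrrp_skew_time(priority: int) -> float:
    """Skew_Time = (256 - Priority) / 256 seconds; higher priority -> shorter skew."""
    if not 1 <= priority <= 255:
        raise ValueError("VRRP priority must be 1..255 (255 = owner of the virtual IP)")
    return (256 - priority) / 256


def vrrp_master_down_interval(priority: int, advertise: float = 1.0) -> float:
    """Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time.
    A backup that hears nothing from the master for this long takes over."""
    return 3 * advertise + vrrp_skew_time(priority)


def vrrp_failover_order(priorities: dict, advertise: float = 1.0) -> list:
    """Backups sorted by the moment they would declare themselves master.
    The highest-priority backup has the shortest timer and therefore wins."""
    return sorted((vrrp_master_down_interval(p, advertise), name)
                  for name, p in priorities.items())


def hsrp_v1_vmac(group: int) -> str:
    """HSRPv1 virtual MAC 0000.0c07.acXX, XX = 8-bit group number."""
    return f"0000.0c07.ac{group:02x}"


def hsrp_v2_vmac(group: int) -> str:
    """HSRPv2 virtual MAC 0000.0c9f.fXXX, XXX = 12-bit group number."""
    return f"0000.0c9f.f{group:03x}"


def vrrp_vmac(vrid: int) -> str:
    """VRRP virtual MAC 0000.5e00.01XX, XX = VRID."""
    return f"0000.5e00.01{vrid:02x}"


def glbp_vmac(group: int, forwarder: int) -> str:
    """GLBP virtual MAC 0007.b4XX.XXYY, XXXX = 16-bit group, YY = forwarder (1..4)."""
    return f"0007.b4{group >> 8:02x}.{group & 0xff:02x}{forwarder:02x}"


if __name__ == "__main__":
    # The B/C case from the notes: B (priority 200) beats C (priority 100) by ~0.4 s.
    for when, name in vrrp_failover_order({"B": 200, "C": 100}):
        print(f"{name}: master after {when:.2f} s")
    print("VRRP group 10 VMAC:", vrrp_vmac(10), "| GLBP 7 / AVF 2:", glbp_vmac(7, 2))
```

Note that raising the advertise interval to 4 sec as in the config above stretches the same B case to 3 x 4 + 0.22 = 12.22 sec; the skew term is what separates the backups, the 3 x advertise term is what decides how long the gateway is dark.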
===========================GLBP====================================
difference from HSRP: one virtual IP but several virtual MACs (up to 4 forwarders per group)
load balancing works without extra configuration (round-robin by default; host-dependent and weighted are options)
all routers' resources are used, not just the active one's
when a host ARPs for the virtual IP, the AVG answers successive requests with the different virtual MACs, so hosts are spread across the forwarders
AVG=active virtual gateway => elected by priority, answers ARP, hands out the VMACs
AVF=active virtual forwarder => forwards traffic for one VMAC (every member is normally an AVF)
hellos to 224.0.0.102, UDP 3222
interface vlan 10
ip address 172.16.10.32 255.255.255.0
glbp 7 ip 10.1.7.1   (the virtual IP must lie inside the interface subnet, so 172.16.10.x here)
glbp 7 priority 150 (default 100; only decides the AVG, and AVG preempt is off unless `glbp 7 preempt` is set)
glbp 7 timers msec 250 msec 750 (default hello 3 sec, hold 10 sec)
P3R3#ping
Protocol [ip]:
Target IP address: 200.1.1.1
Repeat count [5]: 1000
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
P3R4#traceroute 200.1.1.1
show standby brief
== Module 8 ==
==MAC flooding attack==
the attacker sends frames with thousands of bogus source MAC addresses; once the switch's MAC (CAM) table is full it can no longer learn real hosts and floods their unicast traffic out every port, so the attacker sees it (the switch behaves like a hub)
==Port security==
only allowed MACs may be learned into the MAC table on the port
Port-security
interface fa0/1
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address 0001.1111.1111
switchport port-security violation (protect, restrict, shutdown)
-> protect : frames from unknown MACs are dropped silently; restrict : dropped + violation counter, syslog message and SNMP trap; shutdown : dropped + the port goes err-disabled (the default)
==port status==
1. admin down (shutdown)
2. up
3. notconnect
4. err-disabled (remove the cause, then shutdown / no shutdown to bring it back up, or let `errdisable recovery cause psecure-violation` reopen it automatically)
== Lab ==
sw1
interface vlan 1
ip add 1.1.1.2 255.255.255.0
R1
interface fa0/
ip add 1.1.1.1 255.255.255.0
ping test
sw1
interface fa0/1
shut
switchport mode access
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address 0001.0000.1111
switchport port-security violation restrict (drops and logs)
or
switchport port-security violation shutdown
(the port is shut while configuring and brought back with no shut afterwards; port-security is only accepted on a static access port, hence `switchport mode access` first)
↓ dynamically learned MACs are written to the running-config as if they were static entries (they survive a reload only if the config is saved)
switchport port-security maximum 3
switchport port-security mac-address sticky
↑ only the first 3 MACs seen on the port are allowed; a 4th triggers the violation action
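The attack and the three violation modes from this module and lab, modelled in Python as an added example (not from the notes or from any Cisco tool; the 8-entry table, the MAC addresses, the log text and the frame order are constructed, and the model ignores aging, VLANs and trunks):

```python
"""Added example, not part of the original notes: a toy model of a switch MAC (CAM)
table showing why MAC flooding turns the switch into a hub, and how port-security's
three violation modes (protect / restrict / shutdown) and sticky learning stop it.
The 8-entry table size, the MAC addresses and the frame sequences are constructed."""

from dataclasses import dataclass, field

CAM_CAPACITY = 8                       # constructed; real switches hold thousands
BROADCAST = "ffff.ffff.ffff"


@dataclass
class Port:
    name: str
    port_security: bool = False        # switchport port-security
    maximum: int = 1                   # switchport port-security maximum N
    violation: str = "shutdown"        # protect | restrict | shutdown (IOS default)
    sticky: bool = False               # switchport port-security mac-address sticky
    secure_macs: set = field(default_factory=set)       # static + learned secure MACs
    sticky_config: list = field(default_factory=list)   # lines sticky would add to the config
    status: str = "up"                 # up | err-disabled
    violations: int = 0
    log: list = field(default_factory=list)


class Switch:
    def __init__(self, capacity: int = CAM_CAPACITY):
        self.cam: dict = {}            # mac -> port name
        self.capacity = capacity
        self.flooded = 0               # frames sent out every port (hub behaviour)

    def ingress(self, port: Port, src: str, dst: str) -> str:
        """Process one frame arriving on `port`; return what the switch did with it."""
        if port.status == "err-disabled":
            return "dropped(err-disabled)"
        if port.port_security and not self._secure(port, src):
            return self._violate(port, src)
        if src not in self.cam and len(self.cam) < self.capacity:
            self.cam[src] = port.name  # a full table simply stops learning
        if dst in self.cam:
            return f"forwarded->{self.cam[dst]}"
        self.flooded += 1              # unknown unicast / broadcast: flood
        return "flooded"

    def _secure(self, port: Port, src: str) -> bool:
        """Allow known secure MACs, or learn a new one while still under `maximum`."""
        if src in port.secure_macs:
            return True
        if len(port.secure_macs) < port.maximum:
            port.secure_macs.add(src)
            if port.sticky:            # sticky: the learned MAC is persisted like a static one
                port.sticky_config.append(f"switchport port-security mac-address sticky {src}")
            return True
        return False

    def _violate(self, port: Port, src: str) -> str:
        if port.violation == "protect":     # silent drop: no counter, no log
            return "dropped(protect)"
        port.violations += 1
        port.log.append(f"%PORT_SECURITY: violation on {port.name} from {src}")  # constructed text
        if port.violation == "restrict":
            return "dropped(restrict)"
        port.status = "err-disabled"        # shutdown mode: the whole port goes err-disabled
        return "err-disabled"


def no_shutdown(port: Port) -> None:
    """Operator recovery after the offending host is removed (shutdown / no shutdown)."""
    port.status = "up"


def mac_flood_demo() -> tuple:
    """Attacker on fa0/3 spews bogus sources; afterwards the victims' unicast is flooded."""
    sw = Switch()
    attacker, host_a, host_b = Port("fa0/3"), Port("fa0/1"), Port("fa0/2")
    for i in range(20):                    # 20 bogus sources against an 8-entry table
        sw.ingress(attacker, f"0200.0000.{i:04x}", BROADCAST)
    sw.flooded = 0                         # from here on count only the victims' frames
    sw.ingress(host_a, "0001.0000.1111", "0001.0000.2222")   # A -> B: B unknown, flooded
    sw.ingress(host_b, "0001.0000.2222", "0001.0000.1111")   # B -> A: A never learned, flooded
    return len(sw.cam), sw.flooded         # (8, 2): table full of attacker MACs, unicast leaks


def port_security_demo(mode: str) -> tuple:
    """Same attacker behind `maximum 1` + a static MAC; returns
    (result for the attacker's frame, port status afterwards, violation count)."""
    sw, host = Switch(), "0001.0000.1111"
    p = Port("fa0/1", port_security=True, maximum=1, violation=mode, secure_macs={host})
    sw.ingress(p, host, BROADCAST)         # the legitimate host is accepted
    result = sw.ingress(p, "0200.dead.beef", BROADCAST)
    return result, p.status, p.violations


def sticky_demo() -> list:
    """`maximum 3` + sticky: the first three MACs become config lines, the fourth violates."""
    sw = Switch()
    p = Port("fa0/1", port_security=True, maximum=3, violation="restrict", sticky=True)
    for mac in ("0001.0000.0001", "0001.0000.0002", "0001.0000.0003", "0001.0000.0004"):
        sw.ingress(p, mac, BROADCAST)
    return p.sticky_config                 # 3 lines; p.violations == 1
```

Without the attack, B -> A in `mac_flood_demo` would be forwarded to fa0/1 only, because A's MAC would have been learned; with the table full of attacker entries both directions leak to every port. In `port_security_demo`, only shutdown mode takes the port out of service, which is why the lab uses restrict on ports where a noisy neighbour should not be able to cause an outage.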
===AAA (authentication, authorization, accounting)===
: authenticates the users who log in to the device
RADIUS - open standard (UDP; encrypts only the password in the request)
TACACS+ - Cisco (TCP 49; encrypts the whole payload and can authorize per command)
aaa new-model (turns AAA on; from this point the vty lines use the default login method list, so configure a local username first or you can lock yourself out of telnet)
aaa authentication login TELNETLOGIN group tacacs+ local none
 - TELNETLOGIN is a named method list; use `default` instead of a name to apply the list to every line
 - methods are tried in order, moving to the next one only when the previous one is unavailable (server unreachable, no local users), not when it rejects the user
 - `none` as the last method means "no authentication" once TACACS+ and the local database are unavailable; acceptable in a lab, never on a production device
tacacs-server host 1.1.1.100 (plus `tacacs-server key <shared-secret>`, which the notes omit)
line vty 0 4
login authentication TELNETLOGIN
username cisco privilege 15 password cisco (the local fallback account; `secret` instead of `password` stores a hash)
line con 0
password itbank
login
sh mac-address-table
sh int status
sh port-security
sh port-security address
sh line // lines currently in use
== Chapter 2 ==
put unused ports in access mode in an unused VLAN (and shut them down) so a device plugged into one cannot reach a live VLAN or negotiate a trunk
==============access-list======================
access-list 11 permit 10.1.1.0 0.0.0.255 (standard ACL: source only)
: permit only the 10.1.1.0/24 network
access-list 111 permit tcp 10.1.1.0 0.0.0.255 any eq telnet
( protocol, source, destination, port)
: permit only TCP telnet (port 23) from the 10.1.1.0/24 network; everything else hits the implicit deny at the end of the list
===============prefix-list== : the most practical way to filter routes
entries can be deleted individually by seq number, and ge/le match on prefix length, which an ACL cannot do
ip prefix-list NET22 seq 3 permit 11.11.11.0/24
ip prefix-list NET22 seq 5 permit 22.22.22.0/24
: several entries under one name, separated by seq (leave gaps so entries can be inserted later)
==============named-access-list==================
ip access-list extended BGP_ROUTE_MAP
permit tcp 10.1.1.0 0.0.0.255 any eq telnet
deny tcp 10.1.2.0 0.0.0.255 any eq telnet
ex) access-list 100 deny ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
Multilayer switch (applied on the SVI, so it only filters routed traffic)
interface vlan10
ip access-group 100 in
(as written, ACL 100 contains only a deny entry, so its implicit deny blocks all other traffic entering VLAN 10 as well; add `permit ip any any` after the deny)
==VACL==
// applies an ACL inside one VLAN, i.e. to traffic between hosts of the same subnet, which a router ACL on the SVI never sees
RACL (1.1.1.1 => 2.2.2.2, routed between subnets)
interface vlan 10
ip access-group 100 in
access-list 100 deny ip host 1.1.1.1 host 2.2.2.2
VACL (1.1.1.1 => 1.1.1.2, switched within VLAN 10)
vlan access-map TEST 10
match ip address 100
action drop
vlan access-map TEST 20
match ip address 101
action drop
vlan filter TEST vlan-list 10
access-list 100 permit ip host 1.1.1.1 host 1.1.1.2
access-list 101 permit tcp any any eq 5000
(the match ACLs use permit to select traffic and the access-map decides drop or forward; `ip ... eq 5000` is not valid IOS syntax, a port needs tcp or udp. A packet that matches no sequence is dropped by the access-map's implicit deny, so to let the rest of the VLAN 10 traffic through add a final sequence, e.g. seq 30 with no match clause and action forward)
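An added Python evaluator for the ACL, RACL and VACL fragments above (not from the notes or from IOS; the packets, the `ANY` helper list and the extra `seq 30` are constructed). It implements wildcard-mask matching, first-match ACL evaluation with the implicit deny, and the access-map's implicit drop, which is the pitfall in the TEST map as written:

```python
"""Added example, not part of the original notes: a small evaluator for IOS-style
wildcard-mask ACLs (standard and extended) and a VLAN access-map, used to check
the ACL and VACL fragments from the notes.  All packets below are constructed."""

import ipaddress

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
PORT_NAMES = {"telnet": 23, "www": 80}          # the named ports the notes use


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 0 bit must match the network, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def _parse_addr(tokens: list) -> tuple:
    """Consume 'any' | 'host A' | 'A WILDCARD' from the front of `tokens`."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_ace(line: str) -> dict:
    """Parse one access-list entry (the text after the list number or name)."""
    action, rest = line.split()[0], line.split()[1:]
    if rest[0] in PROTOCOLS:                    # extended: proto src dst [eq port]
        proto, rest = rest[0], rest[1:]
        src, swc, rest = _parse_addr(rest)
        dst, dwc, rest = _parse_addr(rest)
    else:                                       # standard: source only
        proto, (src, swc, rest) = "ip", _parse_addr(rest)
        dst, dwc = "0.0.0.0", "255.255.255.255"
    port = None
    if rest[:1] == ["eq"]:
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return dict(action=action, proto=proto, src=src, swc=swc, dst=dst, dwc=dwc, port=port)


def parse_acl(lines: list) -> list:
    return [parse_ace(line) for line in lines]


def evaluate_acl(acl: list, pkt: dict) -> str:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if not (wildcard_match(pkt["src"], ace["src"], ace["swc"])
                and wildcard_match(pkt["dst"], ace["dst"], ace["dwc"])):
            continue
        if ace["port"] is not None and pkt.get("dport") != ace["port"]:
            continue
        return ace["action"]
    return "deny"


def evaluate_vacl(access_map: list, acls: dict, pkt: dict) -> str:
    """vlan access-map: sequences in order; the first whose match ACL *permits*
    the packet applies its action.  No sequence matched -> implicit drop."""
    for _seq, acl_name, action in access_map:
        if evaluate_acl(acls[acl_name], pkt) == "permit":
            return action
    return "drop"


def pkt(src: str, dst: str, proto: str = "tcp", dport: int = 80) -> dict:
    return dict(src=src, dst=dst, proto=proto, dport=dport)


# The lists from the notes (the port 5000 entry uses tcp, since 'ip' takes no port).
ACLS = {
    "11":  parse_acl(["permit 10.1.1.0 0.0.0.255"]),
    "111": parse_acl(["permit tcp 10.1.1.0 0.0.0.255 any eq telnet"]),
    "100": parse_acl(["permit ip host 1.1.1.1 host 1.1.1.2"]),
    "101": parse_acl(["permit tcp any any eq 5000"]),
    "ANY": parse_acl(["permit ip any any"]),    # constructed helper list for the fix below
}
TEST_MAP = [(10, "100", "drop"), (20, "101", "drop")]          # as in the notes
TEST_MAP_FIXED = TEST_MAP + [(30, "ANY", "forward")]           # lets other VLAN 10 traffic through


def demo() -> dict:
    return {
        "acl11_inside":   evaluate_acl(ACLS["11"], pkt("10.1.1.7", "8.8.8.8")),
        "acl11_outside":  evaluate_acl(ACLS["11"], pkt("10.1.2.7", "8.8.8.8")),
        "acl111_telnet":  evaluate_acl(ACLS["111"], pkt("10.1.1.7", "8.8.8.8", dport=23)),
        "acl111_http":    evaluate_acl(ACLS["111"], pkt("10.1.1.7", "8.8.8.8", dport=80)),
        "vacl_1_to_2":    evaluate_vacl(TEST_MAP, ACLS, pkt("1.1.1.1", "1.1.1.2")),
        "vacl_port5000":  evaluate_vacl(TEST_MAP, ACLS, pkt("1.1.1.3", "1.1.1.4", dport=5000)),
        "vacl_other":     evaluate_vacl(TEST_MAP, ACLS, pkt("1.1.1.3", "1.1.1.4")),
        "vacl_other_fix": evaluate_vacl(TEST_MAP_FIXED, ACLS, pkt("1.1.1.3", "1.1.1.4")),
    }
```

`demo()["vacl_other"]` is the interesting result: ordinary web traffic between two hosts that neither sequence names is still dropped by the TEST map as written, and only the added forward sequence lets it through. The same evaluator applied to the RACL fragment shows why an ACL with a single deny entry blocks everything unless a permit is appended.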