Laboratory Work 2
LABORATORY WORK No. 2
CONFIGURING PORT SECURITY ON A SWITCH
Purpose of the work: to gain practical skills in configuring the switch's "port-security" feature, which protects the network against attacks aimed at overflowing the switching (MAC address) table.
Brief theoretical background
The port-security feature allows a switch port to be configured so that only the specified devices can reach the network through it. The devices allowed on the port are identified by their MAC addresses, which can be learned dynamically or configured manually by the network administrator. Port-security also makes it possible to limit the number of hosts connected to a port, which is done by specifying how many MAC addresses are allowed on the port. A further function is protecting the switch against attacks aimed at overflowing its MAC address table (Figure 2.1).
Figure 2.1. How the Port Security feature works on a switch
There are two ways to restrict MAC addresses:
1. Static: the administrator specifies which addresses are allowed (Figure 2.3);
2. Dynamic: the administrator specifies how many addresses are allowed, and the switch remembers which addresses are currently communicating through the given port (Figure 2.3).
In Windows, the MAC address of the Ethernet adapter is found with the ipconfig /all command. In Figure 2.2 the computer's MAC address is shown as 00-18-DE-C7-F3-FB.
Figure 2.2. Viewing a computer's MAC address
The switch's MAC address table is displayed with the show mac-address-table command (Figure 2.3).
Figure 2.3. Viewing the switch's MAC addresses
One of the simplest ways to protect a switch is to shut down the ports that are not in use.
Shutting down unused ports
Shutting down unused ports is one of the simple methods many administrators use to protect the network from unauthorized access. For example, if a Catalyst 2960 switch has 24 ports and only 3 FastEthernet ports are in use, the remaining 21 unused ports should be shut down. To do this, enter the unused ports (individually or as a range) and issue the shutdown command of Cisco IOS:
Sw1(config)#interface range fastEthernet 0/5-24
Sw1(config-if-range)#shutdown
If the ports need to be brought back into service later, the no shutdown command is used:
Sw1(config)#interface range fastEthernet 0/5-24
Sw1(config-if-range)#no shutdown
Port-security on Cisco switches
Configuring port-security
Port-security is configured on an interface through the switch port modes. On most Cisco switches the ports are in dynamic auto mode by default, and this mode is not compatible with the port-security feature. The interface must therefore be switched to trunk or access mode:
switch(config-if)# switchport mode <access | trunk>
Enabling port security on the interface:
switch(config-if)# switchport port-security
Configuring secure MAC addresses
Enabling dynamic learning and saving of addresses with the sticky keyword:
switch(config-if)# switchport port-security mac-address sticky
If the addresses are to be entered statically, the address is written in place of the sticky keyword:
switch(config)# interface ethernet 0/1
switch(config-if)# switchport port-security mac-address 0050.3e8d.6400
Maximum number of secure MAC addresses
switchport port-security maximum N means that N MAC addresses may be active on the interface at the same time.
For example:
switch(config)# interface Fastethernet0/3
switch(config-if)# switchport mode access
switch(config-if)# switchport port-security maximum 3
switch(config-if)# switchport port-security
Configuring the security violation response mode
There are three ways of responding to a security violation:
switch(config-if)# switchport port-security violation <protect | restrict | shutdown>
switchport port-security violation restrict sets the violation response mode. In this mode, if an unknown MAC address beyond the allowed ones (for example, a third address) appears on the interface, all packets from it are dropped. In addition, a syslog message is sent, an SNMP trap is generated, and the violation counter is incremented.
switchport port-security violation shutdown puts the interface into the error-disabled state and shuts it down when a violation is detected. A syslog message is also sent, an SNMP trap is generated, and the violation counter is incremented. To recover the port from this state, the shutdown and no shutdown commands are used.
If the switchport port-security violation protect command is configured on the interface, packets from unknown MAC addresses are dropped, but no message is generated and the port does not go into the shutdown state.
Of these modes, switchport port-security violation restrict is recommended in most cases.
Clearing the secure MAC address table
Clearing the secure MAC address table so that other devices can connect:
switch# clear port-security [all|configured|dynamic|sticky] [address <mac>|interface <int-id>]
switch# clear port-security all
switch# clear port-security configured
switch# clear port-security dynamic
switch# clear port-security sticky
Viewing port-security configuration information
switch# show port-security
switch# show port-security interface fa0/3
switch# show port-security address
Assignment
- Build the network topology shown in Figure 2.4 in Cisco Packet Tracer;
- Configure an IP address for each computer and determine the MAC addresses as shown in Figure 2.2;
- Configure the security parameters on each port of the switches;
- Enter the assignments listed above into Table 2.1.
Figure 2.4. Network topology.
Table 2.1

Device   | IP address   | MAC address     | Interface | Port modes
---------|--------------|-----------------|-----------|---------------------------------------
Laptop0  | 192.168.1.1  | 00E0.F902.D683  | Fa0       | n/a
Laptop1  | 192.168.1.2  | 000B.BE9B.EE4A  | Fa0       | n/a
Laptop2  | 192.168.1.3  | 00D0.5819.04E3  | Fa0       | n/a
Laptop3  | 192.168.1.4  | 0004.9AB9.DAC2  | Fa0       | n/a
Laptop4  | 192.168.1.5  | 00D0.BAC2.8C58  | Fa0       | n/a
Laptop5  | 192.168.1.6  | 0000.0C6E.01E0  | Fa0       | n/a
SW1      | N/A          | N/A             | Fa0/1     | sticky
SW1      | N/A          | N/A             | Fa0/2     |
SW1      | N/A          | N/A             | Fa0/3     | violation protect
SW1      | N/A          | N/A             | Fa0/5-24  | shutdown
SW2      | N/A          | N/A             | Fa0/1     | restrict
SW2      | N/A          | N/A             | Fa0/2     | restrict
SW2      | N/A          | N/A             | Fa0/3     | protect
SW2      | N/A          | N/A             | Fa0/4     | maximum 4; mac-address 00D0.5819.04E3
Procedure
Switch>enable
Switch#configure terminal
Switch(config)#hostname Sw1
Sw1(config)#interface fa0/1
1. Switch the port to access mode
Sw1(config-if)#switchport mode access
2. Enable port-security on the port
Sw1(config-if)#switchport port-security
3. Specify dynamic learning of the secure MAC address
Sw1(config-if)#switchport port-security mac-address sticky
Sw1(config-if)#exit
4. Specify a static secure MAC address
Sw1(config)#interface fastEthernet 0/2
Sw1(config-if)#switchport mode access
Sw1(config-if)#switchport port-security
Sw1(config-if)#switchport port-security mac-address 000B.BE9B.EE4A
Sw1(config-if)#end
5. Configure the security violation response mode
Sw1(config)#interface fastEthernet 0/3
Sw1(config-if)#switchport mode access
Sw1(config-if)#switchport port-security
Sw1(config-if)#switchport port-security mac-address sticky
Sw1(config-if)#switchport port-security violation protect
Sw1(config-if)#end
6. Shut down the unused ports
Sw1(config)#interface range fastEthernet 0/5-24
Sw1(config-if-range)#shutdown
7. Specify the maximum number N of secure MAC addresses on a port (this command is intended for switch Sw2; port-security is enabled on the interface so that the limit takes effect)
Switch>enable
Switch#configure terminal
Switch(config)#hostname Sw2
Sw2(config)#interface fa0/4
Sw2(config-if)#switchport mode trunk
Sw2(config-if)#switchport port-security
Sw2(config-if)#switchport port-security maximum 4
Sw2(config-if)#switchport port-security violation restrict
8. Check the result
Sw1#show port-security interface fa 0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.63B4.E4A6:1
Security Violation Count : 0
9. Save the configuration
Sw1#copy running-config startup-config
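As an added example (not part of the lab), a small Python audit that checks a running-config excerpt against the rules this lab applies: every active port must be in access or trunk mode with port-security enabled, unused ports must be shut down, and violation mode protect is flagged because it produces no syslog message or SNMP trap. The config excerpt is constructed to mirror the Sw1/Sw2 steps above and was not captured from a real switch.

```python
# Constructed running-config excerpt modelled on the Sw1/Sw2 steps of this lab;
# it was not captured from a real device.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security violation protect
interface FastEthernet0/4
 switchport mode dynamic auto
 switchport port-security maximum 4
interface FastEthernet0/5
 shutdown
interface FastEthernet0/6
"""

def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Group the indented sub-commands under each 'interface <name>' header."""
    ifaces: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif current is not None and line.startswith(" "):
            ifaces[current].append(line.strip())
    return ifaces

def audit(config: str) -> dict[str, list[str]]:
    """Return findings per interface; an empty list means the port passes."""
    findings: dict[str, list[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        issues: list[str] = []
        if not cmds:
            issues.append("unused port left enabled; shut it down")
        elif "shutdown" not in cmds:  # an administratively down port needs no further check
            mode = next((c.split()[-1] for c in cmds if c.startswith("switchport mode ")), None)
            if mode not in ("access", "trunk"):
                issues.append("port not in access/trunk mode; port-security cannot be enabled")
            if "switchport port-security" not in cmds:
                issues.append("port-security not enabled")
            # IOS defaults the violation mode to shutdown when none is configured
            violation = next((c.split()[-1] for c in cmds if " violation " in c), "shutdown")
            if violation == "protect":
                issues.append("violation mode 'protect' gives no log or trap; prefer 'restrict'")
        findings[name] = issues
    return findings
```

Run audit(SAMPLE_CONFIG) to see that Fa0/4 fails on both mode and enablement, Fa0/3 is flagged for protect, and Fa0/6 is reported as an unused port that is still up.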
Assignment
Each student performs the laboratory work in the Cisco Packet Tracer environment according to the information given above.
Review questions
1. What is a MAC address and how is it determined on devices?
2. Why is the port security feature used on a switch?
3. In which cases is the maximum number N of secure MAC addresses used?
4. List the main attributes of port security.
5. What other measures for ensuring switch security do you know?