Configuring the security violation response mode
Page 8/8 | Date 16.01.2024 | Size 1.49 Mb | #138769
Related: Laboratory works 1-3, Shakarov
There are three ways of responding to a security violation, selected on the interface with:
switch(config-if)# switchport port-security violation
switchport port-security violation restrict – sets the restrict response mode. In this mode, if an unknown MAC address (for example a third one) appears on the interface, all frames from it are dropped. In addition, a notification is generated: a syslog message and an SNMP trap are sent, and the violation counter is incremented.
switchport port-security violation shutdown – when a violation is detected, the interface is placed in the error-disabled state and shut down. As with restrict, a syslog message and an SNMP trap are sent and the violation counter is incremented. To bring the interface out of this state, the shutdown and no shutdown commands are used.
If the switchport port-security violation protect command is configured on the interface, frames from unknown MAC addresses are dropped, but no notification is generated and the port is not placed in the shutdown state.
Of these modes, switchport port-security violation restrict is recommended in most cases.
Clearing the MAC address table
To clear the secure MAC address table so that other devices can connect:
switch# clear port-security [all|configured|dynamic|sticky] [address |interface ]
switch# clear port-security all
switch# clear port-security configured
switch# clear port-security dynamic
switch# clear port-security sticky
Viewing port-security configuration information
switch# show port-security
switch# show port-security interface fa0/3
switch# show port-security address
Task
Build the network topology shown in Figure 2.4 in Cisco Packet Tracer;
Configure an IP address for each computer and determine the MAC addresses as shown in Figure 2.2;
Configure the port-security parameters on each port of the switch;
Enter the tasks listed above into Table 2.1.
Figure 2.4. Network topology.
Table 2.1
Device | IP address | MAC address | Interface | Port modes
Laptop0 | 192.168.1.1 | 00E0.F902.D683 | Fa0 | n/a
Laptop1 | 192.168.1.2 | 000B.BE9B.EE4A | Fa0 | n/a
Laptop2 | 192.168.1.3 | 00D0.5819.04E3 | Fa0 | n/a
Laptop3 | 192.168.1.4 | 0004.9AB9.DAC2 | Fa0 | n/a
Laptop4 | 192.168.1.5 | 00D0.BAC2.8C58 | Fa0 | n/a
Laptop5 | 192.168.1.6 | 0000.0C6E.01E0 | Fa0 | n/a
SW1 | N/A | N/A | Fa0/1 | sticky
SW1 | N/A | N/A | Fa0/2 | mac-address 00D0.5819.04E3
SW1 | N/A | N/A | Fa0/3 | violation protect
SW1 | N/A | N/A | Fa0/5-24 | Shutdown
SW2 | N/A | N/A | Fa0/1 | restrict
SW2 | N/A | N/A | Fa0/2 | restrict
SW2 | N/A | N/A | Fa0/3 | Protect
SW2 | N/A | N/A | Fa0/4 | maximum 4
Procedure
Switch>enable
Switch#configure terminal
Switch(config)#hostname Sw1
Sw1(config)#interface fa0/1
1. Set the port to access mode
Sw1(config-if)#switchport mode access
2. Enable port-security on the port
Sw1(config-if)#switchport port-security
3. Specify dynamic (sticky) learning of the secure MAC address
Sw1(config-if)#switchport port-security mac-address sticky
Sw1(config-if)#exit
4. Specify a static secure MAC address
Sw1(config)#interface fastEthernet 0/2
Sw1(config-if)#switchport mode access
Sw1(config-if)#switchport port-security
Sw1(config-if)#switchport port-security mac-address 000B.BE9B.EE4A
Sw1(config-if)#end
5. Configure the security violation response mode
Sw1(config)#interface fastEthernet 0/3
Sw1(config-if)#switchport mode access
Sw1(config-if)#switchport port-security
Sw1(config-if)#switchport port-security mac-address sticky
Sw1(config-if)#switchport port-security violation protect
Sw1(config-if)#end
6. Shut down unused ports
Sw1(config)#interface range fastEthernet 0/5-24
Sw1(config-if-range)#shutdown
7. Set the maximum number N of secure MAC addresses on the port (this command is recommended for switch Sw2)
Switch>enable
Switch#configure terminal
Switch(config)#hostname Sw2
Sw2(config)#interface fa0/4
Sw2(config-if)#switchport mode trunk
Sw2(config-if)#switchport port-security
Sw2(config-if)#switchport port-security maximum 4
Sw2(config-if)#switchport port-security violation restrict
8. Check the result
Switch#show port-security interface fa 0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.63B4.E4A6:1
Security Violation Count : 0
9. Save the configuration
Switch#copy running-config startup-config
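The show commands listed earlier and the show port-security interface output in step 8 can be checked automatically against the per-port settings planned in Table 2.1. The following Python script is an added example written for this page; it is not part of the lab manual or of Cisco IOS. It parses the text of show port-security interface into fields, compares them with an expected policy, and reports ports whose violation mode or maximum differs from the plan, non-zero violation counters together with the last offending source address, and ports left in the err-disabled (Secure-shutdown) state. The POLICY dictionary is derived from Table 2.1 and step 7; where the table names no violation mode or maximum, the IOS defaults (shutdown, 1) are assumed. The first sample output is the one shown in step 8; the other two are constructed for the example.

```python
import re

# Expected policy per switch and interface, derived from Table 2.1 and step 7.
# Where the table names no violation mode or maximum, the IOS defaults
# ("Shutdown", 1) are assumed.
POLICY = {
    "Sw1": {
        "FastEthernet0/1": {"violation": "Shutdown", "maximum": 1},  # sticky
        "FastEthernet0/2": {"violation": "Shutdown", "maximum": 1},  # static MAC
        "FastEthernet0/3": {"violation": "Protect", "maximum": 1},   # violation protect
    },
    "Sw2": {
        "FastEthernet0/1": {"violation": "Restrict", "maximum": 1},
        "FastEthernet0/2": {"violation": "Restrict", "maximum": 1},
        "FastEthernet0/3": {"violation": "Protect", "maximum": 1},
        "FastEthernet0/4": {"violation": "Restrict", "maximum": 4},  # step 7
    },
}

# "Field : value" lines. The lazy key match followed by ":" plus whitespace keeps
# the key "Last Source Address:Vlan" whole and skips the CLI prompt line.
FIELD_RE = re.compile(r"^\s*(.+?)\s*:\s+(.+?)\s*$")


def parse_show_port_security(text):
    """Parse 'show port-security interface <if>' output into {field: value}."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def audit_interface(switch, interface, text, policy=POLICY):
    """Compare one interface's output with the policy; return a list of findings."""
    expected = policy.get(switch, {}).get(interface)
    if expected is None:
        return [f"{switch} {interface}: no entry in the policy (Table 2.1)"]
    f = parse_show_port_security(text)
    findings = []
    if f.get("Port Security") != "Enabled":
        findings.append(f"{switch} {interface}: port-security is not enabled")
    mode = f.get("Violation Mode")
    if mode != expected["violation"]:
        findings.append(f"{switch} {interface}: violation mode is {mode!r}, "
                        f"expected {expected['violation']!r}")
    maximum = f.get("Maximum MAC Addresses")
    if maximum is None or int(maximum) != expected["maximum"]:
        findings.append(f"{switch} {interface}: maximum MAC addresses is {maximum}, "
                        f"expected {expected['maximum']}")
    # Restrict and shutdown modes increment this counter; protect mode does not.
    count = int(f.get("Security Violation Count", "0"))
    if count > 0:
        findings.append(f"{switch} {interface}: {count} violation(s), "
                        f"last source {f.get('Last Source Address:Vlan')}")
    if f.get("Port Status", "").lower() == "secure-shutdown":
        findings.append(f"{switch} {interface}: err-disabled (Secure-shutdown); "
                        "recover with 'shutdown' then 'no shutdown'")
    return findings


# Sample 1: the output shown in step 8 of the lab (Sw1 Fa0/1, compliant).
SAMPLE_SW1_FA01 = """Switch#show port-security interface fa 0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.63B4.E4A6:1
Security Violation Count : 0
"""

# Sample 2 (constructed): Sw2 Fa0/1 in restrict mode after three violations
# from the MAC of Laptop5 in Table 2.1.
SAMPLE_SW2_FA01 = """Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Maximum MAC Addresses : 1
Last Source Address:Vlan : 0000.0C6E.01E0:1
Security Violation Count : 3
"""

# Sample 3 (constructed): Sw1 Fa0/3 left at the default mode instead of
# "protect", and now err-disabled after one violation.
SAMPLE_SW1_FA03_DRIFT = """Port Security : Enabled
Port Status : Secure-shutdown
Violation Mode : Shutdown
Maximum MAC Addresses : 1
Last Source Address:Vlan : 0004.9AB9.DAC2:1
Security Violation Count : 1
"""

if __name__ == "__main__":
    for sw, intf, text in (("Sw1", "FastEthernet0/1", SAMPLE_SW1_FA01),
                           ("Sw2", "FastEthernet0/1", SAMPLE_SW2_FA01),
                           ("Sw1", "FastEthernet0/3", SAMPLE_SW1_FA03_DRIFT)):
        print(f"{sw} {intf}: " + ("OK" if not audit_interface(sw, intf, text)
                                   else "; ".join(audit_interface(sw, intf, text))))
```

Run the script after collecting show port-security interface output from each switch; a compliant port yields no findings, while a non-zero counter on a restrict port or a Secure-shutdown status points to a device that should be identified before the port is recovered with shutdown and no shutdown.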
Review questions
1. What is a MAC address and how is it determined on devices?
2. Why is the port-security feature used on a switch?
3. In which cases is the maximum number N of secure MAC addresses used?
4. List the main attributes of port security.
5. What other measures for securing a switch do you know?
Answers:
1
2
3
4
Laboratory work 3
Topic: Analysing the security of network devices
Objective: to gain practical skills in resetting passwords on Cisco switches and routers
Brief theoretical information:
Cases in which the password required to access a device's configuration is lost or forgotten occur quite often. This laboratory work examines the password reset procedure on Cisco switches and routers. The methods given below assume a direct connection to the device through a console cable. For this reason, from a security standpoint, care must be taken that only users with access rights can enter the room in which the device is located. The essence of these methods is as follows: gain access to the device's settings in privileged mode (Privileged EXEC) without the configuration file whose password was forgotten or lost, and change all the passwords by replacing the configuration file.
Power-cycle the router and press Ctrl+C while it boots; it enters ROMMON mode:
In ROMMON (ROM monitor) mode the configuration register is changed with the confreg 0x2142 command; as a result, the router does not use the configuration file stored in Flash memory when it starts. After that, the router is restarted by entering the reset command.
The old configuration whose password was forgotten is then loaded back, but since the router is now in privileged mode the old password can be replaced with a new one.
Router#conf t
Router(config)#enable password cisco
Router(config)#enable secret cisco
Router(config)#line vty 0 4
Router(config-line)#password cisco
Router(config-line)#login
Router(config-line)#exit
Router(config)#line console 0
Router(config-line)#password cisco
Router(config-line)#login
The passwords have been changed; now the old value of the configuration register must be restored, for which the config-register 0x2102 command is entered.