3: DES-3526
[Figure: hosts A, B and C; a SYN packet with DA B / IP B and SA C / IP A]
IMP
DHCP Snooping
• IMP (ARP ACL) ARP Spoofing
-
ARP ( Auto Recovery ..).
strict
. ARP
. ARP Spoofing-
.
• DHCP Snooping,
DHCP Snooping + IP Source Guard + dynamic ARP inspection. IP-MAC
.
•- MAC-
IP- c DHCP-.
Broadcast DHCP VLAN-
DHCP Relay.
IP-MAC-Port binding
ACL Mode
•ACL (. 1). « »
ACL, (, , deny)
(, permit)
• IP-MAC-Port binding ACL 2 (
) .
– IP-MAC-Port binding ,
ACL .
– IP-MAC-Port ACL mode ZoneDefense. ..
IP-MAC-Port , ,
ZoneDefense , .
Rule 1 (1st rule of Profile 1)
Rule 2 (2nd rule of Profile 1)
Rule 3 (1st rule of Profile 2)
Rule 4 (2nd rule of Profile 2)
......
Rule N (last rule of last Profile)
Top -> Down: the rules are checked in this order and the first matching rule decides.
Ex. Packet (Src_IP 192.168.0.1/24, Dst_TCP Port 23)

  Order 1:  Deny Dst_TCP Port 23          -> Match -> Dropped
            Permit Src_IP 192.168.0.1/24

  Order 2:  Permit Src_IP 192.168.0.1/24  -> Match -> Forwarded
            Deny Dst_TCP Port 23
•: , , ACL ( 2)?
– “disable address_binding acl_mode” ( 3)
“enable address_binding acl_mode” ( 4)
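The rule-order diagram above is easy to reproduce in code. The following is an added example, not D-Link's code or part of the original slides: a first-match ACL evaluator that flattens profiles into a single rule list (Rule 1 = 1st rule of Profile 1, ..., Rule N = last rule of last Profile), walks it top to bottom, and returns the action of the first match. The `Packet`/`Rule` fields, the `flatten` and `evaluate` helpers, and the `default="permit"` action for unmatched traffic are all assumptions of this example.

```python
# Added example (not D-Link's code): a first-match ACL evaluator that
# reproduces the two rule orders shown in the diagram above.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src_net: Optional[str] = None  # e.g. "192.168.0.1/24" (host bits are ignored)
    dst_port: Optional[int] = None
    proto: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        """Every field that is set must match; unset fields are wildcards."""
        if self.src_net is not None:
            net = ipaddress.ip_network(self.src_net, strict=False)
            if ipaddress.ip_address(pkt.src_ip) not in net:
                return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return True


def flatten(profiles: List[List[Rule]]) -> List[Rule]:
    """Rule 1 = 1st rule of Profile 1 ... Rule N = last rule of last Profile."""
    return [rule for profile in profiles for rule in profile]


def evaluate(rules: List[Rule], pkt: Packet,
             default: str = "permit") -> Tuple[str, Optional[int]]:
    """Walk the flattened list top to bottom; the first matching rule decides.

    Returns (action, 1-based rule number), or (default, None) when no rule
    matches. default="permit" for unmatched traffic is an assumption here.
    """
    for number, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, number
    return default, None


# Constructed rules and packet, taken from the diagram's labels.
DENY_TELNET = Rule(action="deny", dst_port=23, proto="tcp")
PERMIT_LAN = Rule(action="permit", src_net="192.168.0.1/24")
PKT = Packet(src_ip="192.168.0.1", dst_port=23)

if __name__ == "__main__":
    # Deny profile first: the packet is dropped by rule 1.
    print(evaluate(flatten([[DENY_TELNET], [PERMIT_LAN]]), PKT))
    # Permit profile first: the same packet is forwarded by rule 1 and the
    # deny rule below it is never reached.
    print(evaluate(flatten([[PERMIT_LAN], [DENY_TELNET]]), PKT))
```

The point the evaluator makes is the one the diagram makes: the same packet is dropped or forwarded depending only on which profile sits higher in the list, which is why the position of the IP-MAC-Port binding profiles relative to user ACL profiles matters.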
[Figure residue (figs. 2-4): ACL profile lists labelled Profile 1, Profile 2, Profile 3, IP-MAC-Port binding Profile 1 and IP-MAC-Port binding Profile 2, shown with address_binding acl_mode Disable / Enable]
IP-MAC-Port Binding ()
•: IP MAC-
•:
1) create address_binding ip_mac ipaddress 192.168.0.7 mac_address 00-03-25-05-5F-F3 ports 2
2) config address_binding ip_mac ports 2 state enable
IP-MAC-Port Binding ACL Mode
()
•: IP MAC-
•:
1) create address_binding ip_mac ipaddress 192.168.0.7 mac_address 00-03-25-05-5F-F3 ports 2 mode acl
2) config address_binding ip_mac ports 2 state enable
3) enable address_binding acl_mode
IP-MAC-Port Binding
DHCP Snooping Mode
()
•: IP MAC-
IP- DHCP
DHCP-.
•:
1) enable address_binding dhcp_snoop
2) config address_binding dhcp_snoop max_entry ports 1 limit 1
3) config address_binding ip_mac ports 1 state enable strict allow_zeroip enable
IP-MAC-Port Binding
DHCP Snooping Mode
()
•Max_entry … limit 1 – - MAC-,
IP-. 1-10 no_limit.
•Strict – ARP
. IMP.
loose.
•Allow_zero_ip –
IMP source_IP = 0.0.0.0.
DHCP.
• Relay Broadcast DHCP
VLAN-
forward_dhcppkt disable.
forward_dhcppkt enable.
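To show how the parameters of the DHCP Snooping mode commands above interact, here is an added example that is not D-Link's code and not part of the original slides: a simplified software model of an IP-MAC-Port binding table. It mirrors `create address_binding ip_mac ...` (static entry), `config address_binding ip_mac ports N state enable strict allow_zeroip enable` (per-port state) and `max_entry ... limit` (cap on DHCP-learned entries per port). The class and method names are this example's own, and two behaviours are assumptions rather than anything the page states: strict mode is modelled as checking every frame while loose mode checks only ARP frames, and a port with binding disabled forwards everything.

```python
# Added example (not D-Link's code): a simplified model of IP-MAC-Port
# binding in DHCP Snooping mode, using the CLI parameters named above.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Frame:
    port: int
    src_mac: str
    src_ip: str
    kind: str = "ip"   # "ip" or "arp"


@dataclass
class PortState:
    enabled: bool = False
    strict: bool = False          # assumed: strict checks every frame, loose only ARP
    allow_zeroip: bool = False    # accept source IP 0.0.0.0 (DHCP DISCOVER) unbound
    max_entry: Optional[int] = 1  # DHCP-learned entries per port; None = no_limit
    static: Set[Tuple[str, str]] = field(default_factory=set)
    learned: Set[Tuple[str, str]] = field(default_factory=set)


def _norm(mac: str) -> str:
    """Compare MACs case-insensitively and accept ':' or '-' separators."""
    return mac.replace(":", "-").lower()


class BindingTable:
    def __init__(self) -> None:
        self.ports: Dict[int, PortState] = {}

    def _port(self, port: int) -> PortState:
        return self.ports.setdefault(port, PortState())

    def config_port(self, port: int, **settings) -> None:
        """Per-port state, like `config address_binding ip_mac ports N ...`."""
        p = self._port(port)
        for name, value in settings.items():
            setattr(p, name, value)

    def create_static(self, ip: str, mac: str, port: int) -> None:
        """Static entry, like `create address_binding ip_mac ipaddress ... ports N`."""
        self._port(port).static.add((ip, _norm(mac)))

    def learn_dhcp(self, ip: str, mac: str, port: int) -> bool:
        """Entry snooped from a DHCP lease; refused once max_entry is reached."""
        p = self._port(port)
        if p.max_entry is not None and len(p.learned) >= p.max_entry:
            return False
        p.learned.add((ip, _norm(mac)))
        return True

    def check(self, frame: Frame) -> str:
        """Return 'forward' or 'drop' for a frame arriving on a port."""
        p = self._port(frame.port)
        if not p.enabled:
            return "forward"           # binding not enabled on this port (assumed)
        if not p.strict and frame.kind != "arp":
            return "forward"           # loose mode (assumed): only ARP is checked
        if frame.src_ip == "0.0.0.0":
            return "forward" if p.allow_zeroip else "drop"
        key = (frame.src_ip, _norm(frame.src_mac))
        return "forward" if key in p.static or key in p.learned else "drop"


if __name__ == "__main__":
    # Constructed walk-through using the values from the slides.
    tbl = BindingTable()
    tbl.create_static("192.168.0.7", "00-03-25-05-5F-F3", 2)
    tbl.config_port(2, enabled=True, strict=True)
    print(tbl.check(Frame(2, "00-03-25-05-5F-F3", "192.168.0.7")))   # forward
    print(tbl.check(Frame(2, "00-03-25-05-5F-F3", "192.168.0.99")))  # drop
    tbl.config_port(1, enabled=True, strict=True, allow_zeroip=True, max_entry=1)
    print(tbl.check(Frame(1, "00-11-22-33-44-55", "0.0.0.0")))       # forward (DISCOVER)
    print(tbl.learn_dhcp("192.168.0.50", "00-11-22-33-44-55", 1))    # True
    print(tbl.learn_dhcp("192.168.0.51", "00-11-22-33-44-66", 1))    # False (limit 1)
```

The model makes the trade-offs visible: without `allow_zeroip` a strict port drops the client's own DHCP DISCOVER and it can never obtain a lease, while `max_entry limit 1` means a second host behind the same port is never learned and is dropped even after a successful DHCP exchange.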
ACL ()
o
L2/3/4 ACL ( Access Control List )
D-Link ACL,
.
,
.
ACL D-Link ,
[Table residue: ACL filtering criteria with example threats. Recoverable cells: ACL; ICMP / MSBLAST; MAC / IP address; SQL / SQL Slammer; Ethernet; VLAN; 802.1p / DSCP; TCP / UDP port; Online-]