CCIE Cisco education and training (CCIE training)

Security design and implementation for a Layer-2 switch

 

Lab environment:

Three VLANs: VLAN 10 and VLAN 20 are used for testing; VLAN 30 is the server VLAN (one DHCP server and one ACS server acting as the RADIUS server).

The DHCP server runs on CentOS; the ACS server runs on Windows Server 2003.

The lab topology is as follows:

Detailed configuration:

 

<Quidway>sys

<Quidway>system-view

System View: return to User View with Ctrl+Z.

[Quidway]sysname sw1

[sw1]vlan 10

[sw1-vlan10]port e1/0/10

[sw1-vlan10]vlan 20

[sw1-vlan20]port e1/0/20

[sw1-vlan20]vlan 30

[sw1-vlan30]port e1/0/24

[sw1-vlan30]q

[sw1]int Vlan-interface 1

[sw1-Vlan-interface1]

[sw1-Vlan-interface1]ip add 192.168.3.2 24

[sw1-Vlan-interface1]q

[sw1]int e1/0/1

[sw1-Ethernet1/0/1]port link-type trunk

[sw1-Ethernet1/0/1]port trunk permit vlan all

Please wait........................................... Done.

[sw1-Ethernet1/0/1]q

[sw1]ip route-static 0.0.0.0 0.0.0.0 192.168.3.1

[sw1]

[sw1]

 

 

<H3C>sys

<H3C>system-view

System View: return to User View with Ctrl+Z.

[H3C]sysname firewall

[firewall]int eth0/0.1

[firewall-Ethernet0/0.1]ip add 192.168.10.1 24

[firewall-Ethernet0/0.1]vlan-type dot1q vid 10

[firewall-Ethernet0/0.1]int eth0/0.2

[firewall-Ethernet0/0.2]vlan-type dot1q vid 20

[firewall-Ethernet0/0.2]ip add

[firewall-Ethernet0/0.2]ip address 192.168.20.1 24

[firewall-Ethernet0/0.2]int eth0/0.3

[firewall-Ethernet0/0.3]vlan-type dot1q vid 30

[firewall-Ethernet0/0.3]ip address 192.168.1.1 24

[firewall-Ethernet0/0.3]q

[firewall]int eth0/0

[firewall-Ethernet0/0]ip add 192.168.3.1 24

[firewall-Ethernet0/0]q

 

[firewall]firewall zone trust

[firewall-zone-trust]

[firewall-zone-trust]add int eth0/0.1

[firewall-zone-trust]add int eth0/0.2

[firewall-zone-trust]add int eth0/0.3

[firewall-zone-trust]q

[firewall]undo insulate

[firewall]

[firewall]dhcp ?

enable DHCP service enable

relay DHCP relay

select Specify process mode of DHCP packet

server DHCP server

 

[firewall]dhcp enable

DHCP task has already been started!

 

[firewall]dhcp select ?

global Global dhcp ip pool mode

interface Interface dhcp ip pool mode

relay Relay mode

 

[firewall]dhcp select relay interface eth0/0.1 to eth0/0.2

[firewall]int eth0/0.1

[firewall-Ethernet0/0.1]ip relay add 192.168.1.188

[firewall-Ethernet0/0.1]q

[firewall]int eth0/0.2

[firewall-Ethernet0/0.2]ip relay add 192.168.1.188

[firewall-Ethernet0/0.2]q

Pay attention to the order of the DHCP configuration steps, and don't forget the relay target. I got this wrong several times...

 

[firewall]radius ?   (add a RADIUS scheme in this view)

client Radius Client config

nas-ip Specify RADIUS source ip address

scheme Add RADIUS scheme or modify radius-scheme attributes

trap Specify trap configuration

 

[firewall]radius scheme qw   (and specify the contents of the scheme)

[firewall-radius-qw]?

Radius-template view commands:

accounting Specify accounting mode

data-flow-format Specify data flow format

display Display current system information

key Specify the shared encryption key of RADIUS server

nas-ip Specify RADIUS source ip address

nslookup Query Internet name servers

ping Ping function

primary Specify IP address of primary RADIUS server

quit Exit from current command view

retry Specify retransmission times

return Exit to User View

save Save current configuration

secondary Specify IP address of secondary RADIUS server

security-policy-server Specify security policy server's IP address

server-type Specify the type of RADIUS server

state Specify state of primary/secondary

authentication/accounting RADIUS server

stop-accounting-buffer Enable stop-accounting packet buffer

timer Specify timer parameters

tracert Trace route function

undo Cancel current setting

user-name-format Specify user-name format sent to RADIUS server

vrbd Show application version

 

[firewall-radius-qw]primary authentication 192.168.1.2

[firewall-radius-qw]server-type standard

[firewall-radius-qw]user-name-format without-domain

[firewall-radius-qw]accounting optional

[firewall-radius-qw]key authentication 123456

[firewall-radius-qw]q

[firewall]   (a domain must also be created on both the firewall and the switch, and the RADIUS scheme just defined applied in that domain)

[firewall]domain 123.com

New Domain added.

[firewall-isp-123.com]radius-scheme qw

[firewall-isp-123.com]access-limit enable 20

[firewall-isp-123.com]accounting optional

[firewall-isp-123.com]q

[firewall]

 

 

Next, enable 802.1X (dot1x) authentication on the Layer-2 switch globally and on the ports. A RADIUS scheme must likewise be specified and applied to the ports.

 

<sw1>system-view

System View: return to User View with Ctrl+Z.

[sw1]dot1x

802.1X is enabled globally.

[sw1]int e1/0/10

[sw1-Ethernet1/0/10]dot1x

802.1X is enabled on port Ethernet1/0/10.

[sw1-Ethernet1/0/10]int e1/0/20

[sw1-Ethernet1/0/20]dot1x

802.1X is enabled on port Ethernet1/0/20.

[sw1-Ethernet1/0/20]q   (the authentication method must also be selected)

[sw1]dot1x authentication-method pap

PAP authentication is enabled.

 

[sw1]radius scheme qw

New Radius scheme   (the scheme contents are as follows, similar to the firewall's)

[sw1-radius-qw]primary authentication 192.168.1.2

[sw1-radius-qw]server-type standard

[sw1-radius-qw]accounting optional

[sw1-radius-qw]user-name-format without-domain

[sw1-radius-qw]key authentication 123456

[sw1-radius-qw]q

[sw1]domain acs.com

New Domain added.

[sw1-isp-acs.com]radius-scheme qw

[sw1-isp-acs.com]accounting op

[sw1-isp-acs.com]accounting optional

[sw1-isp-acs.com]q
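The switch (the NAS) now forwards each PAP login as a RADIUS Access-Request to 192.168.1.2, protected only by the shared key from `key authentication`. The following Python model of that exchange is an added example and not code from this page, the switch, or the ACS server; it implements the RFC 2865 User-Password hiding and the Response Authenticator check so that the role of the shared key and of the Request Authenticator is visible. The shared secret, the user name and the password are constructed placeholders, and the user database stands in for the ACS server.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

# Constructed for this example: a placeholder shared secret (the lab's '123456' is far
# too short) and an invented user database standing in for the ACS server.
SECRET = b"example-only-replace-with-32-random-bytes"
USER_DB = {b"user2": b"correct horse battery"}

def _pap_transform(data, secret, req_auth, hide):
    """RFC 2865 s.5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block),
    seeding the chain with the Request Authenticator. Hiding and revealing share the loop
    and differ only in which side of the XOR is the ciphertext to chain on."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, mask))
        out += block
        prev = block if hide else chunk
    return out

def hide_password(password, secret, req_auth):
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pad = (-len(password)) % 16 or (16 if not password else 0)   # always at least one block
    return _pap_transform(password + b"\x00" * pad, secret, req_auth, hide=True)

def reveal_password(hidden, secret, req_auth):
    return _pap_transform(hidden, secret, req_auth, hide=False).rstrip(b"\x00")

def encode_attrs(attrs):
    # Each attribute is Type, Length (including this 2-byte header), Value.
    return b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad packet length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])

def response_authenticator(code, ident, req_auth, attrs_bytes, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + req_auth + attrs_bytes + secret).digest()

def nas_access_request(username, password, nas_ip, secret, ident=1):
    """What the switch (NAS) sends after the supplicant answers the PAP prompt."""
    req_auth = os.urandom(16)                        # fresh per request, never reused
    attrs = [(ATTR_USER_NAME, username),
             (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth)),
             (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)

def server_handle(request, secret, user_db=USER_DB):
    """Server side: reveal the password, check it, answer with a bound Response Authenticator."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    name = fields.get(ATTR_USER_NAME, b"")
    given = reveal_password(fields.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = name in user_db and hmac.compare_digest(user_db[name], given)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_auth = response_authenticator(reply_code, ident, req_auth, b"", secret)
    return build_packet(reply_code, ident, resp_auth, [])

def nas_check_reply(request, reply, secret):
    """NAS side: trust the reply only if its ID and Response Authenticator match the request."""
    _, req_id, req_auth, _ = parse_packet(request)
    code, ident, resp_auth, _ = parse_packet(reply)
    expected = response_authenticator(code, ident, req_auth, reply[20:], secret)
    if ident != req_id or not hmac.compare_digest(resp_auth, expected):
        return None                                  # forged, replayed or wrong-secret reply
    return code

def run_exchange(username, password, nas_secret, server_secret, user_db=USER_DB):
    """One Access-Request round trip; returns the code the NAS accepts, or None."""
    request = nas_access_request(username, password, "192.168.3.2", nas_secret)
    reply = server_handle(request, server_secret, user_db)
    return nas_check_reply(request, reply, nas_secret)

if __name__ == "__main__":
    print("good password ->", run_exchange(b"user2", b"correct horse battery", SECRET, SECRET))
    print("bad password  ->", run_exchange(b"user2", b"wrong", SECRET, SECRET))
    print("key mismatch  ->", run_exchange(b"user2", b"correct horse battery", SECRET, b"other"))
```

Two points this makes concrete: the PAP User-Password is hidden, not hashed, so anyone holding the shared key and the packet recovers the plaintext, which is why the key must be long, random and unique per NAS rather than `123456`; and the Response Authenticator is what lets the switch discard a reply produced with a different key or replayed from an earlier request, which is why a key mismatch yields `None` rather than an Accept.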

 

 

 

Now set the telnet-related attributes. If we log in directly at this point, the following screen appears. It means that login is permitted but a password must be verified; since no password has been set, the session is dropped immediately. This is only password authentication, not the identity authentication we want. There are two ways to handle this: one is to configure a super password on the switch, used to switch the terminal's privilege level; the other is to configure private (Huawei vendor-specific) attributes for the account on the AAA server. Since we want authentication to happen on the RADIUS server, we do the following on the switch:

 

 

 

[sw1]user-interface vty 0 4

[sw1-ui-vty0-4]authentication-mode ?

none Login without checking

password Use terminal interface password

scheme Use RADIUS scheme

[sw1-ui-vty0-4]authentication-mode scheme

[sw1]super ?

password Specify password

 

 

[sw1]super password level 3 cipher 123456

 

 

 

 

At this point the server type on both the firewall and the switch has to be changed to extended / Huawei proprietary.

 

 

<firewall>system-view

System View: return to User View with Ctrl+Z.

[firewall]radius scheme qw

[firewall-radius-qw]ser

[firewall-radius-qw]server-type ?

extended Server based on RADIUS extensions

standard Server based on RFC protocol(s)

 

[firewall-radius-qw]server-type extended

[firewall-radius-qw]q

[firewall]

 

[sw1]radius sc

[sw1]radius scheme qw

[sw1-radius-qw]server-type ex

[sw1-radius-qw]server-type ?

huawei Server based on HUAWEI RADIUS extensions

standard Server based on RFC protocol(s)

 

[sw1-radius-qw]server-type hua

[sw1-radius-qw]server-type huawei

Such scheme is used by online user or stop-accounting buffer is not empty, can not be modified

 

Note: if a user is currently online on the device, changing the server type is not permitted, so we make the change after the user logs out.

 

 

[sw1-radius-qw]

%Apr 2 01:51:14:485 2000 sw1 SHELL/5/LOGOUT:- 1 - user2@acs.com(192.168.20.2) in unit1 logout

[sw1-radius-qw]server-type huawei

 

[sw1-radius-qw]dis radius sch

[sw1-radius-qw]dis radius scheme

------------------------------------------------------------------

SchemeName =system Index=0 Type=huawei

Primary Auth IP =127.0.0.1 Port=1645

Primary Acct IP =127.0.0.1 Port=1646

Second Auth IP =0.0.0.0 Port=1812

Second Acct IP =0.0.0.0 Port=1813

Auth Server Encryption Key= Not configured

Acct Server Encryption Key= Not configured

Accounting method = required

Accounting-On packet disable, send times = 15 , interval = 3s

TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12

Permitted send realtime PKT failed counts =5

Retry sending times of noresponse acct-stop-PKT =500

Quiet-interval(min) =5

Username format =without-domain

Data flow unit =Byte

Packet unit =1

unit 1 :

Primary Auth State=active, Second Auth State=block

Primary Acc State=active, Second Acc State=block

 

 

------------------------------------------------------------------

SchemeName =qw Index=1 Type=huawei

Primary Auth IP =192.168.1.2 Port=1812

Primary Acct IP =0.0.0.0 Port=1813

Second Auth IP =0.0.0.0 Port=1812

Second Acct IP =0.0.0.0 Port=1813

Auth Server Encryption Key= 123456

Acct Server Encryption Key= Not configured

Accounting method = optional

Accounting-On packet disable, send times = 15 , interval = 3s

TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12

Permitted send realtime PKT failed counts =5

Retry sending times of noresponse acct-stop-PKT =500

Quiet-interval(min) =5

Username format =without-domain

Data flow unit =Byte

Packet unit =1

unit 1 :

Primary Auth State=active, Second Auth State=block

Primary Acc State=block , Second Acc State=block

 

 

------------------------------------------------------------------

Total 2 RADIUS scheme(s). 2 listed

 

[sw1-radius-qw]

 

After the global configuration:

 

<sw1>dis cu

#

sysname sw1

#

super password level 3 cipher OUM!K%F<+$[Q=^Q`MAF4<1!!

#

dot1x

dot1x authentication-method pap

#

radius scheme system

radius scheme qw

server-type huawei

primary authentication 192.168.1.2

accounting optional

key authentication 123456

user-name-format without-domain

#

domain acs.com

scheme radius-scheme qw

access-limit enable 20

accounting optional

domain system

#

vlan 1

#

vlan 10

#

vlan 20

#

vlan 30

#

interface Vlan-interface1

ip address 192.168.3.2 255.255.255.0

#

interface Aux1/0/0

#

interface Ethernet1/0/1

port link-type trunk

port trunk permit vlan all

#

interface Ethernet1/0/2

#

interface Ethernet1/0/3

#

interface Ethernet1/0/4

#

interface Ethernet1/0/5

#

interface Ethernet1/0/6

#

interface Ethernet1/0/7

#

interface Ethernet1/0/8

#

interface Ethernet1/0/9

#

interface Ethernet1/0/10

port access vlan 10

dot1x

#

interface Ethernet1/0/11

#

interface Ethernet1/0/12

#

interface Ethernet1/0/13

#

interface Ethernet1/0/14

#

interface Ethernet1/0/15

port access vlan 10

#

interface Ethernet1/0/16

#

interface Ethernet1/0/17

#

interface Ethernet1/0/18

#

interface Ethernet1/0/19

#

interface Ethernet1/0/20

port access vlan 20

dot1x

#

interface Ethernet1/0/21

#

interface Ethernet1/0/22

#

interface Ethernet1/0/23

#

interface Ethernet1/0/24

port access vlan 30

#

interface NULL0

#

ip route-static 0.0.0.0 0.0.0.0 192.168.3.1 preference 60

#

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

<sw1>
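The running configuration above is what an auditor would actually review, and reading it line by line is error-prone: Ethernet1/0/15 sits in VLAN 10 alongside the two 802.1X ports but has no `dot1x` of its own, so a device on that port bypasses the authentication the page sets up. The following Python checker is an added example, not a tool from the page or from H3C; it parses a constructed excerpt of the `dis cu` output shown above (Comware blocks delimited by `#` lines, indentation ignored because pasted output often loses it) and reports the settings a Layer-2 hardening review looks for. The choice of which VLANs count as "user" VLANs (10 and 20, per the lab description) is an assumption passed in as a parameter.

```python
import re

# Constructed excerpt of the switch's "display current-configuration" shown above,
# reduced to the blocks the checks look at.
SAMPLE_CONFIG = """\
#
 sysname sw1
#
 dot1x
 dot1x authentication-method pap
#
radius scheme system
radius scheme qw
 server-type huawei
 primary authentication 192.168.1.2
 accounting optional
 key authentication 123456
 user-name-format without-domain
#
domain acs.com
 scheme radius-scheme qw
 access-limit enable 20
 accounting optional
domain system
#
interface Ethernet1/0/1
 port link-type trunk
 port trunk permit vlan all
#
interface Ethernet1/0/10
 port access vlan 10
 dot1x
#
interface Ethernet1/0/15
 port access vlan 10
#
interface Ethernet1/0/20
 port access vlan 20
 dot1x
#
interface Ethernet1/0/24
 port access vlan 30
#
user-interface aux 0
user-interface vty 0 4
 authentication-mode scheme
#
return
"""

# Commands that open a sub-view; following lines belong to it until the next '#'.
CONTEXT_PREFIXES = ("interface ", "radius scheme ", "domain ", "user-interface ")


def parse_comware(text):
    """Split a Comware configuration into global commands and per-view command lists."""
    global_cmds, views, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#" or line == "return":
            current = None                      # '#' closes the current block
            continue
        if line.startswith(CONTEXT_PREFIXES):
            current = line
            views.setdefault(current, [])
        elif current is not None:
            views[current].append(line)
        else:
            global_cmds.append(line)
    return global_cmds, views


def audit_switch(text, user_vlans=(10, 20)):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, views = parse_comware(text)
    findings = []
    if "dot1x" not in global_cmds:
        findings.append("global: 802.1X is not enabled")
    if "dot1x authentication-method pap" in global_cmds:
        findings.append("global: 802.1X uses PAP, whose password hiding is reversible "
                        "with the RADIUS shared key; prefer EAP")
    for view, cmds in views.items():
        if view.startswith("radius scheme ") and view != "radius scheme system":
            for needed in ("primary authentication ", "key authentication "):
                if not any(c.startswith(needed) for c in cmds):
                    findings.append(f"{view}: missing '{needed.strip()}'")
        elif view.startswith("interface Ethernet"):
            vlan = None
            for c in cmds:
                m = re.fullmatch(r"port access vlan (\d+)", c)
                if m:
                    vlan = int(m.group(1))
            if vlan in user_vlans and "dot1x" not in cmds:
                findings.append(f"{view}: access port in user VLAN {vlan} without dot1x")
            if "port trunk permit vlan all" in cmds:
                findings.append(f"{view}: trunk permits all VLANs; prune to the VLANs needed")
        elif view.startswith("user-interface vty"):
            if "authentication-mode scheme" not in cmds:
                findings.append(f"{view}: remote login is not using authentication-mode scheme")
    if not any(v.startswith("user-interface vty") for v in views):
        findings.append("no vty user-interface configured; remote login authentication unverified")
    return findings


if __name__ == "__main__":
    for finding in audit_switch(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the excerpt it reports three items: the PAP authentication method, the trunk on Ethernet1/0/1 that permits every VLAN, and the unauthenticated access port Ethernet1/0/15 in VLAN 10. The same parser can be pointed at a saved `dis cu` capture from the firewall as well, since the block layout is the same.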

<firewall>

%Jan 16 16:49:05:505 2014 firewall SHELL/4/LOGIN: Console login from con0

<firewall>dis cu

#

sysname firewall

#

firewall packet-filter enable

firewall packet-filter default permit

#

undo insulate

#

firewall statistic system enable

#

radius scheme system

server-type extended

radius scheme qw

server-type extended

primary authentication 192.168.1.2

accounting optional

key authentication 123456

user-name-format without-domain

#

domain 123.com

scheme radius-scheme qw

access-limit enable 20

accounting optional

domain system

#

local-user admin

password cipher .]@USE=B,53Q=^Q`MAF4<1!!

service-type telnet terminal

level 3

service-type ftp

#

interface Aux0

async mode flow

#

interface Ethernet0/0

ip address 192.168.3.1 255.255.255.0

#

interface Ethernet0/0.1

ip address 192.168.10.1 255.255.255.0

ip relay address 192.168.1.188

dhcp select relay

vlan-type dot1q vid 10

#

interface Ethernet0/0.2

ip address 192.168.20.1 255.255.255.0

ip relay address 192.168.1.188

dhcp select relay

vlan-type dot1q vid 20

#

interface Ethernet0/0.3

ip address 192.168.1.1 255.255.255.0

vlan-type dot1q vid 30

#

interface Ethernet0/4

#

interface Encrypt1/0

#

interface NULL0

#

firewall zone local

set priority 100

#

firewall zone trust

add interface Ethernet0/0

add interface Ethernet0/0.1

add interface Ethernet0/0.2

add interface Ethernet0/0.3

set priority 85

#

firewall zone untrust

set priority 5

#

firewall zone DMZ

set priority 50

#

firewall interzone local trust

#

firewall interzone local untrust

#

firewall interzone local DMZ

#

firewall interzone trust untrust

#

firewall interzone trust DMZ

#

firewall interzone DMZ untrust

#

FTP server enable

#

ip route-static 0.0.0.0 0.0.0.0 192.168.3.2 preference 60

#

user-interface con 0

user-interface aux 0

user-interface vty 0 4

authentication-mode scheme

#

return

 

 


 


Posted by: admin   Category: CCIE Cisco