Practical Work 2

The document discusses the configuration of port security on switches to protect networks from unauthorized access by controlling which devices can connect through specific ports based on their MAC addresses. It outlines methods for setting static and dynamic MAC addresses, limiting the number of allowed devices, and responding to security violations. Additionally, it provides practical commands for configuring port security and emphasizes the importance of disabling unused ports for enhanced security.

Uploaded by obitopubgmx

Practical Work 2

Topic: Configuring port security on a switch

Purpose of the work: to gain practical skills in configuring the switch's "port-security" feature, which makes it possible to protect the network from attacks aimed at overflowing the switching (MAC address) tables.

Brief theoretical information


The port-security feature makes it possible to configure a given switch port so that only the specified devices can reach the network through it. The devices allowed on the port are identified by their MAC addresses. The MAC addresses can be learned dynamically or configured manually by the network administrator. In addition, the port-security feature makes it possible to limit the number of hosts attached to a port; this is done by specifying the number of MAC addresses allowed on the port. Another function is protecting the switch from attacks aimed at overflowing the MAC address table (Figure 2.1).

Figure 2.1. How the Port Security feature works on a switch

There are two ways to restrict MAC addresses:

1. Static: the administrator specifies which addresses are allowed (Figure 2.3);
2. Dynamic: the administrator specifies how many addresses are allowed, and the switch remembers which addresses are communicating through the specified port at that time (Figure 2.3).
In Windows, the MAC address of the Ethernet adapter is found with the ipconfig /all command. In Figure 2.2 below the computer's MAC address is shown as 00-18-DE-C7-F3-FB.

Figure 2.2. Viewing the MAC address of a computer

The switch's MAC address table is viewed with the show mac-address-table command (Figure 2.3).

Figure 2.3. Viewing the MAC addresses on the switch

One of the simplest ways to protect a switch is to disable the ports that are not in use.

Disabling unused ports


Disabling unused ports is one of the simple methods most administrators use to protect the network from unauthorized access. For example, if a Catalyst 2960 switch has 24 ports and 3 of its FastEthernet ports are in use, it is recommended to disable the remaining 21 unused ports. To do this, enter each unused port and issue the Cisco IOS shutdown command:

Sw1(config)#interface range fastEthernet 0/5-24
Sw1(config-if-range)#shutdown

If the ports need to be brought back into service later, the no shutdown command is used:

Sw1(config)#interface range fastEthernet 0/5-24
Sw1(config-if-range)#no shutdown

Port-security on Cisco switches


Configuring port-security
Port-security is configured on an interface through the switch port modes. On most Cisco switches the ports are in dynamic auto mode by default, and this mode is not compatible with the port-security feature. Therefore the interface must be switched to trunk or access mode:

switch(config-if)# switchport mode <access | trunk>

Enabling port security on the interface:

switch(config-if)# switchport port-security

Configuring secure MAC addresses

Enabling dynamic retention of addresses with the sticky keyword:

 switch(config-if)# switchport port-security mac-address sticky

If the addresses are to be entered statically, the addresses are written in place of the sticky keyword:

 switch(config)# interface ethernet 0/1
 switch(config-if)# switchport port-security mac-address 0050.3e8d.6400

Maximum number of secure MAC addresses

switchport port-security maximum N means that N MAC addresses may be active on the interface at the same time.
For example:

 switch(config)# interface Fastethernet0/3
 switch(config-if)# switchport mode access
 switch(config-if)# switchport port-security maximum 3
 switch(config-if)# switchport port-security

Configuring the security violation response mode

There are three ways of responding to a security violation:

switch(config-if)# switchport port-security violation <protect | restrict | shutdown>

switchport port-security violation restrict specifies the violation response mode. In this mode, if a third unknown MAC address appears on the interface, all packets coming from it are discarded. In addition, a notification is sent to the logging facilities: syslog, an SNMP trap and the violation counter.
switchport port-security violation shutdown puts the interface into the error-disabled state and shuts it down when a violation is detected. In addition, a notification is sent to the logging facilities: syslog, an SNMP trap and the violation counter. To recover from this state, the shutdown and no shutdown commands are used.
If the switchport port-security violation protect command is configured on the interface, packets from unknown MAC addresses are discarded, no notification is generated, and the port does not go into the shutdown state.
Of these methods, switchport port-security violation restrict is recommended in most cases.
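The behaviour described above can be followed in a small model: a port learns addresses up to its maximum, and an address beyond the limit is handled according to the protect, restrict or shutdown mode. The following is an added illustration written for this page, not Cisco code; the class name PortSecurity, the method names, the return strings and the log message format are the author's own, and the sample MAC addresses are taken from Table 2.1.

```python
"""Toy model of how a port-security port treats incoming frames: dynamic
(sticky) learning up to the configured maximum, and the protect / restrict /
shutdown violation modes. Added illustration for this page, not Cisco code;
class, method and message names are the author's own."""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    maximum: int = 1                 # switchport port-security maximum N
    violation: str = "shutdown"      # protect | restrict | shutdown
    secure_macs: set = field(default_factory=set)   # static + learned addresses
    status: str = "secure-up"        # "err-disabled" after a shutdown-mode violation
    violation_count: int = 0         # the Security Violation Count of show port-security
    log: list = field(default_factory=list)          # stands in for syslog / SNMP trap

    def add_static(self, mac: str) -> None:
        """switchport port-security mac-address <mac>"""
        self.secure_macs.add(mac.lower())

    def receive(self, src_mac: str) -> str:
        """Return what the port does with a frame from src_mac:
        'forward', 'drop' or 'err-disable'."""
        mac = src_mac.lower()
        if self.status == "err-disabled":
            return "drop"                      # stays down until shutdown / no shutdown
        if mac in self.secure_macs:
            return "forward"
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.add(mac)          # learned dynamically (sticky keeps it)
            return "forward"
        # an unknown address beyond the limit: a security violation
        if self.violation == "protect":
            return "drop"                      # silent: no counter, no notification
        self.violation_count += 1
        self.log.append(f"port-security violation by {mac}")  # constructed message
        if self.violation == "restrict":
            return "drop"
        self.status = "err-disabled"           # shutdown mode
        return "err-disable"

    def recover(self) -> None:
        """shutdown followed by no shutdown on the interface."""
        self.status = "secure-up"


def run_scenario(violation: str, maximum: int = 2) -> dict:
    """Three hosts from Table 2.1 send through a port that allows `maximum`
    addresses; the first host then sends again after the violation."""
    port = PortSecurity(maximum=maximum, violation=violation)
    hosts = ["00E0.F902.D683", "000B.BE9B.EE4A", "00D0.5819.04E3"]
    actions = [port.receive(h) for h in hosts]
    actions.append(port.receive(hosts[0]))
    return {"actions": actions, "violations": port.violation_count,
            "status": port.status, "learned": sorted(port.secure_macs)}


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        print(mode, run_scenario(mode))
```

Running the scenario for all three modes shows the practical difference: protect and restrict both drop the third host while the two learned hosts keep working, but only restrict increments the violation counter and produces a notification; shutdown takes the whole port down, including for the hosts that were already allowed, until it is recovered.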

Clearing the MAC address table

Clearing the MAC address table so that other devices can connect:

switch# clear port-security [all|configured|dynamic|sticky] [address <mac>| interface <int-id>]
switch# clear port-security all
switch# clear port-security configured
switch# clear port-security dynamic
switch# clear port-security sticky

Viewing information about the port-security configuration

switch# show port-security
switch# show port-security interface fa0/3
switch# show port-security address
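When the same checks have to be repeated across many ports, the output of show port-security interface can be parsed and compared against the intended settings. The following parser and audit are an added example for this page, not Cisco tooling; SAMPLE_OUTPUT is constructed in the format that step 8 of the procedure shows, and the expected values in the test come from Table 2.1 (Fa0/3 on SW1 should use violation mode protect).

```python
"""Parser and policy check for the text of `show port-security interface <if>`.
Added example for this page, not Cisco tooling; SAMPLE_OUTPUT is constructed
in the format shown in step 8 of the procedure."""

SAMPLE_OUTPUT = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.63B4.E4A6:1
Security Violation Count : 0
"""


def parse_port_security(text: str) -> dict:
    """Turn the 'Field : Value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")   # the value itself may contain ':'
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def audit(fields: dict, expected: dict) -> list:
    """Compare one interface's state with the intended policy and return findings.
    expected: {"violation": str, "maximum": int, "sticky": bool (optional)}."""
    findings = []
    if fields.get("port security") != "Enabled":
        findings.append("port-security is not enabled")
    mode = fields.get("violation mode", "").lower()
    if mode != expected["violation"]:
        findings.append(f"violation mode is {mode}, expected {expected['violation']}")
    maximum = int(fields.get("maximum mac addresses", "0"))
    if maximum != expected["maximum"]:
        findings.append(f"maximum is {maximum}, expected {expected['maximum']}")
    if expected.get("sticky") and int(fields.get("sticky mac addresses", "0")) == 0:
        findings.append("sticky learning expected but no sticky address learned yet")
    if int(fields.get("security violation count", "0")) > 0:
        findings.append("violations recorded; last source "
                        + fields.get("last source address:vlan", "?"))
    if fields.get("port status", "").lower() == "secure-shutdown":
        findings.append("interface is err-disabled; recover with shutdown / no shutdown")
    return findings


if __name__ == "__main__":
    state = parse_port_security(SAMPLE_OUTPUT)
    for finding in audit(state, {"violation": "protect", "maximum": 1}):
        print("Fa0/3:", finding)
```

The audit reports only deviations, so a fully compliant port yields an empty list; a non-zero violation count is reported together with the last source address, which is the first thing to look at when a port keeps tripping.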

Assignment
- Build the network topology shown in Figure 2.4 in Cisco Packet Tracer;
- Configure the IP address of each computer and determine the MAC addresses as shown in Figure 2.2;
- Configure the security parameters on each port of the switch;
- Enter the assignments given above into Table 2.1.
Figure 2.4. Network topology.

Table 2.1
Device  | IP address  | MAC address    | Interface | Port modes
Laptop0 | 192.168.1.1 | 00E0.F902.D683 | Fa0       | n/a
Laptop1 | 192.168.1.2 | 000B.BE9B.EE4A | Fa0       | n/a
Laptop2 | 192.168.1.3 | 00D0.5819.04E3 | Fa0       | n/a
Laptop3 | 192.168.1.4 | 0004.9AB9.DAC2 | Fa0       | n/a
Laptop4 | 192.168.1.5 | 00D0.BAC2.8C58 | Fa0       | n/a
Laptop5 | 192.168.1.6 | 0000.0C6E.01E0 | Fa0       | n/a
SW1     | N/A         | N/A            | Fa0/1     | sticky mac-address
SW1     | N/A         | N/A            | Fa0/2     | 00D0.5819.04E3
SW1     | N/A         | N/A            | Fa0/3     | violation protect
SW1     | N/A         | N/A            | Fa0/5-24  | Shutdown
SW2     | N/A         | N/A            | Fa0/1     | restrict
SW2     | N/A         | N/A            | Fa0/2     | restrict
SW2     | N/A         | N/A            | Fa0/3     | Protect
SW2     | N/A         | N/A            | Fa0/4     | maximum 4

Procedure

Switch>enable
Switch#configure terminal
Switch(config)#hostname Sw1
Sw1(config)#interface fa0/1
1. Change the port to access mode
Sw1(config-if)#switchport mode access
2. Enable port-security on the port
Sw1(config-if)#switchport port-security
3. Specify dynamic learning of the secure MAC
Sw1(config-if)#switchport port-security mac-address sticky
Sw1(config-if)#exit

4. Specify the secure MAC statically

Sw1(config)#interface fastEthernet 0/2
Sw1(config-if)#switchport mode access
Sw1(config-if)#switchport port-security
Sw1(config-if)#switchport port-security mac-address 000B.BE9B.EE4A
Sw1(config-if)#end

5. Configure the security violation response mode

Sw1(config)#interface fastEthernet 0/3
Sw1(config-if)#switchport mode access
Sw1(config-if)#switchport port-security
Sw1(config-if)#switchport port-security mac-address sticky
Sw1(config-if)#switchport port-security violation protect
Sw1(config-if)#end

6. Disable the unused ports

Sw1(config)#interface range fastEthernet 0/5-24
Sw1(config-if-range)#shutdown

7. Specify the maximum number N of secure MACs on the port (this command is recommended for switch Sw2)

Switch>enable
Switch#configure terminal
Switch(config)#hostname Sw2
Sw2(config)#interface fa0/4
Sw2(config-if)#switchport mode trunk
Sw2(config-if)#switchport port-security maximum 4
Sw2(config-if)#switchport port-security violation restrict

8. Check the result
Switch#show port-security interface fa 0/1
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 0001.63B4.E4A6:1
Security Violation Count : 0

9. Save the configuration

Switch#copy running-config startup-config
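Steps 1 to 7 apply the SW1 rows of Table 2.1 port by port; the same plan can be turned into the configuration lines programmatically, which also yields the interface range for the unused ports instead of counting them by hand. The following is an added example for this page, not Cisco tooling: SW1_PLAN restates the SW1 rows of Table 2.1, and treating port Fa0/4 as reserved for the uplink to SW2 (so that it is neither secured nor shut down) is an assumption made here.

```python
"""Build the Sw1 port-security configuration from Table 2.1 and compute the
interface range for the unused ports. Added example for this page, not Cisco
tooling; reserving port 4 for the uplink is an assumption."""

SW1_PLAN = {                      # port number -> intended port-security settings
    1: {"sticky": True},
    2: {"static": ["00D0.5819.04E3"]},
    3: {"sticky": True, "violation": "protect"},
}


def compress(ports) -> list:
    """Group port numbers into (first, last) runs: [1,2,3,7] -> [(1,3),(7,7)]."""
    runs = []
    for p in sorted(ports):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    return [tuple(r) for r in runs]


def build_config(hostname: str, port_count: int, plan: dict, reserved=()) -> list:
    """Return IOS lines for the planned ports plus a shutdown for every port that
    is neither planned nor reserved."""
    lines = [f"hostname {hostname}"]
    for port, spec in sorted(plan.items()):
        lines += [f"interface fastEthernet 0/{port}",
                  " switchport mode access",
                  " switchport port-security"]
        if "maximum" in spec:
            lines.append(f" switchport port-security maximum {spec['maximum']}")
        if spec.get("sticky"):
            lines.append(" switchport port-security mac-address sticky")
        for mac in spec.get("static", []):
            lines.append(f" switchport port-security mac-address {mac}")
        if "violation" in spec:
            lines.append(f" switchport port-security violation {spec['violation']}")
    unused = set(range(1, port_count + 1)) - set(plan) - set(reserved)
    for first, last in compress(unused):
        if first == last:
            lines.append(f"interface fastEthernet 0/{first}")
        else:
            lines.append(f"interface range fastEthernet 0/{first}-{last}")
        lines.append(" shutdown")
    return lines


if __name__ == "__main__":
    print("\n".join(build_config("Sw1", 24, SW1_PLAN, reserved={4})))
```

Generating the lines from the table keeps the configuration and the documentation in one place: a port that is added to the plan later automatically drops out of the shutdown range.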

Assignment
Each student performs the laboratory work in the Cisco Packet Tracer environment according to the information given above.
Control questions
1. What is a MAC address and how is it determined on devices?
2. Why is the port security feature used on a switch?
3. In which cases is the maximum number N of secure MACs used?
4. List the main attributes of port security.
5. What other measures for ensuring switch security do you know?
