
HCIP Day 16

2022-06-25 06:14:00 xiaokaikaa

Additional knowledge:
1、 Port mirroring (SPAN)
[r1]observe-port interface GigabitEthernet 0/0/2 -- the observing (monitoring) interface

[r1]interface GigabitEthernet 0/0/0
[r1-GigabitEthernet0/0/0]mirror to observe-port inbound -- the interface whose traffic is captured
[r1-GigabitEthernet0/0/0]int g0/0/1
[r1-GigabitEthernet0/0/1]mirror to observe-port inbound
The inbound traffic of G0/0/0 and G0/0/1 is mirrored (one copy) to G0/0/2; a device running packet-analysis software can be connected to G0/0/2 to analyse the traffic.

For flow-based mirroring: c1 matches the source flow (traffic classifier), b1 specifies the monitoring interface (traffic behavior), p1 combines c1 and b1 into a traffic policy, and finally the policy p1 is applied on the interface.

2、DHCP (Dynamic Host Configuration Protocol) -- centralised allocation and management of IP addresses

Huawei DHCP servers reply by unicast; Cisco and Microsoft servers reply by broadcast.
Huawei's unicast reply uses the IP address prepared for the client as the destination IP of the reply, and the reply is delivered mainly based on the client's MAC address.

【1】 DHCP relay

Note: the DHCP server must be unicast-reachable from the relay device, otherwise DHCP relay cannot work.

【2】 DHCP snooping -- prevents DHCP attacks
Prevent fake (rogue) DHCP servers:
[r1]dhcp enable -- enable the DHCP service
[r1]dhcp snooping enable -- first enable DHCP snooping globally
[r1]interface GigabitEthernet 0/0/1
[r1-GigabitEthernet0/0/1]dhcp snooping enable -- configure on every access-layer interface
After this configuration all interfaces are untrusted; an untrusted interface only accepts DHCP requests, and DHCP replies arriving on it are not forwarded.
The interface connecting the DHCP server must then be configured as trusted, otherwise the DHCP server cannot work:
[r1-GigabitEthernet0/0/10]dhcp snooping trusted
Note: once the above is done, the switch builds a binding table that records the IP addresses obtained through each interface.
Example: SW1's g0/0/1 connects PC1. After DHCP snooping is enabled on SW1, once PC1 successfully obtains an IP address, an entry appears in SW1's binding table: PC1's MAC address, the IP address obtained, the VLAN, and so on.
The greatest value of this binding table is preventing ARP spoofing attacks:
[r1]arp dhcp-snooping-detect enable -- enable ARP spoofing defence
When a PC under an interface sends an ARP reply, the reply is not forwarded if its source IP address and MAC address do not match the DHCP snooping binding table.
Source address protection:
[r1-GigabitEthernet0/0/10]ip source check user-bind enable -- any packet passing through the interface whose source IP address does not match the DHCP snooping binding table is not forwarded
[Huawei]display dhcp snooping user-bind all -- display the DHCP snooping binding table
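To make the trusted/untrusted rule, the binding table and the two checks above concrete, here is an added Python model of the behaviour (written for these notes, not Huawei's code); interface names, MACs and IPs are constructed sample values.

```python
# Added example (not from the original notes); interfaces, MACs and IPs are constructed.
class DhcpSnoopingSwitch:
    def __init__(self, trusted):
        self.trusted = set(trusted)  # interfaces with 'dhcp snooping trusted'
        self.pending = {}            # (client_mac, vlan) -> access interface of its request
        self.bindings = {}           # (interface, vlan) -> {mac: ip}

    def dhcp(self, interface, vlan, kind, client_mac, yiaddr=None):
        """Client messages (DISCOVER/REQUEST) pass on any interface; server
        replies (OFFER/ACK) pass only on trusted interfaces, and an ACK binds
        the client to the access interface where its request was seen."""
        if kind in ("DISCOVER", "REQUEST"):
            self.pending[(client_mac, vlan)] = interface
            return "forward"
        if interface not in self.trusted:
            return "drop"  # a DHCP server answering on an access (untrusted) port
        if kind == "ACK" and (client_mac, vlan) in self.pending:
            access_if = self.pending[(client_mac, vlan)]
            self.bindings.setdefault((access_if, vlan), {})[client_mac] = yiaddr
        return "forward"

    def bound(self, interface, vlan, mac, ip):
        return self.bindings.get((interface, vlan), {}).get(mac) == ip

    def arp_reply(self, interface, vlan, sender_mac, sender_ip):
        """arp dhcp-snooping-detect enable: ARP replies whose sender IP/MAC
        do not match the binding table are dropped."""
        return "forward" if self.bound(interface, vlan, sender_mac, sender_ip) else "drop"

    def ip_packet(self, interface, vlan, src_mac, src_ip):
        """ip source check user-bind enable: the same check on every IP packet."""
        return "forward" if self.bound(interface, vlan, src_mac, src_ip) else "drop"

    def user_bind_table(self):
        """Rough equivalent of 'display dhcp snooping user-bind all'."""
        return sorted((i, v, m, ip) for (i, v), d in self.bindings.items() for m, ip in d.items())


def demo():
    # Constructed exchange: PC on GE0/0/1, DHCP server on trusted GE0/0/10,
    # and a second server answering from access port GE0/0/2.
    sw = DhcpSnoopingSwitch(trusted={"GE0/0/10"})
    sw.dhcp("GE0/0/1", 1, "REQUEST", "aaaa-aaaa-0001")
    rogue = sw.dhcp("GE0/0/2", 1, "OFFER", "aaaa-aaaa-0001", "10.0.0.99")
    sw.dhcp("GE0/0/10", 1, "ACK", "aaaa-aaaa-0001", "10.0.0.10")
    good = sw.arp_reply("GE0/0/1", 1, "aaaa-aaaa-0001", "10.0.0.10")
    spoof = sw.arp_reply("GE0/0/1", 1, "aaaa-aaaa-0001", "10.0.0.1")  # claims the gateway's IP
    return rogue, good, spoof, sw.user_bind_table()
```

Running demo() shows the reply from the access port dropped, the PC's own ARP reply forwarded, and the reply claiming another IP dropped.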
【3】 Port security — solves the problem of a host changing its MAC address and repeatedly requesting IP addresses, which exhausts the DHCP address pool;
it also prevents MAC address attacks.
Switches keep a MAC address table with a limited number of entries and an aging time (default 5 min).
PCs and other terminals keep ARP entries for 180 s to 2 h by default; but if the switch's MAC table overflows or an entry ages out, forwarding unicast traffic to the terminal becomes an unknown-unicast frame problem, which the switch handles by flooding.
Therefore a terminal that keeps changing its MAC address in order to overflow the switch's table is carrying out a MAC address attack.
Port security provides protection:
Port security
[sw-Ethernet0/0/4]port-security enable -- enable port security
[sw-Ethernet0/0/4]port-security max-mac-num 1 -- limit the number of MAC addresses
[sw-Ethernet0/0/4]port-security protect-action ?
protect -- discard packets, no alarm
restrict -- discard packets and raise an alarm (default)
shutdown -- discard packets and shut down the interface; it must be re-enabled manually by the administrator
[sw-Ethernet0/0/4]port-security aging-time 300 -- aging time
After the above, the interface automatically records the source MAC address of the first data frame that passes through it;
other MAC addresses are not allowed through. If the recorded MAC does not pass through the interface again within 300 s, the record is refreshed (aged out);
the record is also refreshed when the device restarts or the interface is shut down and brought back up.
[sw-Ethernet0/0/4]port-security mac-address sticky -- sticky MAC (no aging)
Automatically records the source MAC address of traffic passing through the interface, but the record is never deleted.
It can also be entered manually:
[sw-Ethernet0/0/4]port-security mac-address sticky aaaa-aaaa-aaaa vlan 1
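The following added Python model (written for these notes, not Huawei's implementation) ties the commands above together: a MAC limit, the three protect-actions, the 300 s aging of dynamic entries, and sticky entries that never age; the port, MACs and timestamps are constructed.

```python
# Added example (not from the original notes); port, MACs and timestamps are constructed.
class SecurePort:
    def __init__(self, max_mac=1, action="restrict", aging_time=300):
        self.max_mac = max_mac
        self.action = action          # protect | restrict | shutdown
        self.aging_time = aging_time  # seconds a dynamic secure MAC stays learned
        self.secure = {}              # dynamic secure MAC -> last time seen
        self.sticky = set()           # sticky MACs (learned or manual); never age
        self.alarms = []              # (time, mac) raised by 'restrict'
        self.up = True

    def add_sticky(self, mac):
        """port-security mac-address sticky <mac> vlan <id>: manual sticky entry."""
        self.sticky.add(mac)

    def _age(self, now):
        self.secure = {m: t for m, t in self.secure.items() if now - t < self.aging_time}

    def receive(self, src_mac, now, sticky_learning=False):
        """Handle a frame with source src_mac at time `now` (seconds).
        Returns 'forward', 'discard' or 'shutdown'."""
        if not self.up:
            return "shutdown"         # interface stays down until an admin re-enables it
        self._age(now)
        if src_mac in self.sticky:
            return "forward"
        if src_mac in self.secure:
            self.secure[src_mac] = now  # refresh the aging timer
            return "forward"
        if len(self.secure) + len(self.sticky) < self.max_mac:
            if sticky_learning:
                self.sticky.add(src_mac)  # 'port-security mac-address sticky' learning
            else:
                self.secure[src_mac] = now
            return "forward"
        # MAC limit reached: apply the configured protect-action
        if self.action == "restrict":
            self.alarms.append((now, src_mac))
        elif self.action == "shutdown":
            self.up = False
            return "shutdown"
        return "discard"


def demo():
    p = SecurePort(max_mac=1, action="restrict", aging_time=300)
    r1 = p.receive("aaaa-aaaa-0001", now=0)    # first MAC is learned
    r2 = p.receive("bbbb-bbbb-0002", now=10)   # over the limit: discarded, alarm raised
    r3 = p.receive("bbbb-bbbb-0002", now=400)  # first MAC aged out (>300 s), second is learned
    r4 = p.receive("aaaa-aaaa-0001", now=401)  # now the original MAC is the one rejected
    return r1, r2, r3, r4, len(p.alarms)
```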

【4】 SSH — secure Telnet-like remote login
Telnet remote login works on TCP port 23; data is transmitted in clear text.
SSH is also remote login, working on TCP port 22, with secure (encrypted) packet transmission.
There are two versions, V1 and V2; an actual version number greater than 1 and less than 2 counts as V2.

Encryption algorithms (protect data confidentiality)
– require a secret key; the source data can be recovered by reverse computation (decryption); the data volume grows after encryption
Symmetric encryption – the same key is used for encryption and decryption: DES, 3DES, AES

Asymmetric encryption – two keys: A encrypts, B decrypts — RSA, DH (specific to IPsec VPN)
Currently a key length greater than 1024 bits is considered relatively safe.

The biggest disadvantages of asymmetric algorithms compared with symmetric ones: the data size grows greatly after encryption, and the encryption computation is slow.

Verification algorithms (guarantee data integrity) -- no secret key; cannot be reverse-computed; variable-length input, fixed-length output –
hash functions / digest algorithms
Avalanche effect — a small change in the source data leads to a large change in the computed result
MD: MD5 (128); SHA: SHA-1, -128, -256, -521

[R2]stelnet server enable -- enable the SSH (STelnet) server
[R2]rsa local-key-pair create -- generate the RSA key pair
[R2]ssh user openlab authentication-type password -- define the SSH user and set password authentication

Login credentials
[R2]aaa
[R2-aaa]local-user openlab password cipher huawei
[R2-aaa]local-user openlab service-type ssh

[R2]user-interface vty 0 4
[R2-ui-vty0-4]authentication-mode aaa
[R2-ui-vty0-4]protocol inbound ssh -- only SSH login is allowed

If a Huawei device is used as the terminal and logs in to another system via SSH, the SSH client function must be enabled:
[r1]ssh client first-time enable
[Huawei]stelnet 99.1.1.1

【5】 Port isolation
[sw]interface Eth0/0/5
[sw-Ethernet0/0/5]port-isolate enable group 1 -- interfaces configured in the same isolation group are isolated from each other


Copyright notice
This article was created by [xiaokaikaa]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/02/202202201238421734.html