利用二層端口安全防止兩個三層交換機長距離光纖1^1個三層交換機長距離光纖1^1線路被亂接測試2013-11-0916:15:23我來說兩句收藏:我要投稿在論壇上看到有人想問通過什么方式來防止長距離的光纖線路被竊聽，或連到其它非法交換機上，如是相同通過端口安全來實現(xiàn)防止亂接，于是登錄機架進行測試，將測試結果記錄下來。論壇提問的鏈接：/thread-1080361-1.html 光纖線路，如果中間沒有被惡意接入其他設備，應該很難竊聽，因此覺得防竊聽可以從防亂接方向入手。基本思路：假定交換機為三層交換機如果兩個交換機用三層口相連，并綁定對端IP所對應的mac,雖然可以防止接入三層設備，但是無法防止中間串接二層設備進行竊聽。通過主機之間的ipsec來加密流量,除非接線兩端為路由器,否則兩端連接交換機的主機太多的話,每臺主機去配置IPsec不大可行。 高端的交換機沒有玩過,一般普通的三層交換機貌似無法配置ipsecvpn數(shù)據(jù)加密雖然是防竊聽的最好方式，但是目前這種情況，貌似加密不容易實現(xiàn)通過二層的安全來防止亂接：---交換機相連的口采用access口，并且兩端都配置VLAN的svi---每個交換機保證用于互聯(lián)的vlan只有一個互聯(lián)接口---三層交換機要開啟路由轉發(fā)，兩個三層交換機互指路由（靜態(tài)或默認），來實現(xiàn)交換機兩邊的PC互訪---配置互聯(lián)端口的端口安全，只允許學習到2個mac，這樣只有中間線路沒有其他二層設備，當接入其他二層設備時，端口就會down，防止被監(jiān)聽---本實驗只是驗證可行性，實際工作如果可能的話，還是建議用路由器互聯(lián)，并配叨?置ipsec。測試拓撲：F0/20￥i-Oin基本配置：R4：interfaceFastEthernet0/0ipaddressnoshutnoiproutingipdefault-gatewaySW1:iproutinginterfaceFastEthernet0/4switchportaccessvlan20switchportmodeaccessinterfaceFastEthernet0/20switchportaccessvlan10switchportmodeaccessswitchportport-securitymaximum2switchportport-securityswitchportport-securitymac-addressstickyinterfaceVlan10ipaddress52interfaceVlan20ipaddressiprouteSW2:iproutinginterfaceFastEthernet0/5switchportaccessvlan30switchportmodeaccessinterfaceFastEthernet0/20switchportaccessvlan10switchportmodeaccessswitchportport-securitymaximum2switchportport-securityswitchportport-securitymac-addressstickyinterfaceVlan30ipaddressinterfaceVlan100ipaddress52iprouteR5:interfaceFastEthernet0/1ipaddressnoshutnoiproutingipdefault-gateway驗證：R4#pingTypeescapesequencetoabort.Sending5,100-byteICMPEchosto,timeoutis2seconds:!!!!!Successrateis100percent(5/5)round-tripmin/avg/max=1/1/4msR4#R5#pingTypeescapesequencetoabort.Sending5,100-byteICMPEchosto,timeoutis2seconds:!!!!!Successrateis100percent(5/5)round-tripmin/avg/max=1/2/4msR5#sw1#showrunning-configinterfacef0/20Buildingconfiguration...Currentconfiguration:336bytesinterfaceFastEthernet0/20switchportaccessvlan10switchportmodeaccessswitchportport-securitymaximum2switchportport-securityswitchportport-securitymac-addressstickyswitchportport-securitymac-addresssticky0014.a80a.f716vlanaccessswitchportport-securitymac-addresssticky0014.a80a.f741vlanaccessendsw2#showintf0/20|inHardwareHardwareisFastEthernet,addressis0014.a80a.f716(bia0014.a80a.f716)sw2#showintvlan10|inHardwareHardwareisEtherSVI,addressis0014.a80a.f741(bia0014.a80a.f741)sw1#showmacaddress-table|in0/20100014.a80a.f716STATICFa0/20100014.a80a.f741STATICFa0/20sw1#sw2#showrunning-configintf0/20Buildingconfiguration...Currentconfiguration:312bytes!interfaceFastEthernet0/20switchportaccessvlan10switchportmodeaccessswitchportport-securitymaximum2switchportport-securityswitchportport-securitymac-addressstickyswitchportport-securitymac-addresssticky001a.a164.b216switchportport-securitymac-addresssticky001a.a164.b241endsw1#showintf0/20|inHardwareHardwareisFastEthernet,addressis001a.a164.b216(bia001a.a164.b216)sw1#showintvlan10|inHardwareHardwareisEtherSVI,addressis001a.a164.b241(bia