پیکربندی سویچ برای بالا بردن امنیت در لایه 2

Configure Your Catalyst for a More Secure Layer 2

 IP Source Guard and Port Security

 Using just DHCP snooping, you have stopped untrusted devices from acting as a DHCP server; which is important in an environment where people think it's a good idea to bring in their Linksys access point to better cover the office with wireless. Port Security can also help to stop more than one MAC from being seen on a port, making it impossible to connect hubs and other network-extending devices.

 Now, to stop malicious people from using IP addresses that weren't assigned to them, we use IP source guard. Even better, we can also stop clients from forging their MAC address. MAC address filtering makes flooding the switch impossible. Flooding is a technique by which an attacker sends so many MAC addresses from their port that the switch's MAC table overflows. Then the switch has no choice but to flood all Ethernet frames out of every single port, since it doesn't know what MAC is connected where, allowing an attacker to see all the traffic across the switch. Some viruses have been known to do this as well.

 

تفاوت VLan بین سیسکو و جونیپر

VLAN Difference between Juniper and Cisco Switches

 A VLAN (Virtual Local Area Network) is a logical LAN segment which have unique broadcast domain. Basically, VLAN divides one physical switch to multiple logical switch. You can configure hundreds of VLANs in one EX series switch. No matter if its EX4200, EX3200 or EX2200. Today I will show you VLAN difference between Juniper and Cisco switches.

Transparent Cisco IOS Firewall(ترجمه فارسی بزودی در همین وبلاگ)

Transparent Cisco IOS Firewall

Cisco IOS routers can be configured as a layer 2 bridges, this means that you can configure two or more interfaces to be in the same layer 2 domain and that traffic will be switched instead of routed. Another feature that has been added since IOS 12.3(7)T is the transparent Cisco IOS Firewall. This allows traffic filtering and stateful inspection using CBAC for the layer 2 bridge.

When you configure the router as a transparent firewall it will not do any routing and will only learn the MAC addresses on the interfaces and switch frames between the interfaces. The advantage of a transparent firewall is that you can place it at any location in your network without having to change any IP addresses or networking settings like default gateways.

To demonstrate this feature I will use the following topology:

 

پیکربندی Zone Base Firewall(ترجمه فارسی بزودی در همین وبلاگ)

Zone Based Firewall Configuration Example

Zone Based Firewall is the most advanced method of a stateful firewall that is available on Cisco IOS routers. The idea behind ZBF is that we don’t assign access-lists to interfaces but we will create different zones. Interfaces will be assigned to the different zones and security policies will be assigned to traffic between zones. To show you why ZBF is useful, let me show you a picture:

پیکربندی SNMP v3 روی روترهای سیسکو

SNMP v3 شبیه SNMP v2 و SNMP v1 می باشد اما مدل امنیتی کاملا متفاوتی دارد. SNMP v1 و SNMP v2 از community-string به عنوان پسورد بدون  Authentication و Encryption استفاده می کنند.

SNMP v3 قابلیت استفاده از Authentication و Encryption دارد و مدل امنیتی جدیدی دارد که به Userها ، Groupها و levelهای امنیتی دیگر کار می کند.user ها درون گروه هایی قرار می گیرند که بسته به نوع کاربری آنها می توانید policy هایی را برای آنها تعریف کنید بطور مثال به برخی کاربران دسترسی Read  یا Read-write بدهید واینکه چه MIB (Management Information Base) هایی باید قابل دسترسی باشند را مشخص کنید.