Tags: apr def cli ann mode hacker mit sys hack
1. Lab topology:
ESW1(config)#vtp domain pl
ESW1(config)#vtp mode server
ESW2(config)#int range f1/0 - 1
ESW2(config-if-range)#no shutdown
ESW2(config-if-range)#switchport trunk encapsulation dot1q
ESW2(config-if-range)#switchport mode trunk
ESW2(config)#vtp domain pl
ESW2(config)#vtp mode client
ESW3(config)#int range f1/0 - 1
ESW3(config-if-range)#no shutdown
ESW3(config-if-range)#switchport trunk encapsulation dot1q
ESW3(config-if-range)#switchport mode trunk
ESW3(config)#vtp domain pl
ESW3(config)#vtp mode client
ESW3(config)#int f1/2
ESW3(config-if)#no shutdown
ESW3(config-if)#switchport mode access
2. Deploying BPDU Filter
Deploying BPDU Filter globally:
IOU3(config)#spanning-tree portfast bpdufilter default
IOU3#show spanning-tree summary totals
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is enabled
Hacker#debug spanning-tree bpdu receive
Spanning Tree BPDU Received debugging is on
Hacker#
*Apr 26 03:34:17.966: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from Ethernet1/0 , linktype IEEE_SPANNING , enctype 2, encsize 17
IOU3#debug spanning-tree bpdu transmit
Spanning Tree BPDU Transmitted debugging is on
IOU3#
*Apr 26 03:38:05.537: STP: VLAN0001 Et0/0 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 8001AABBCC000100 00000064 8001AABBCC000300 8001 0100 1400 0200 0F00
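The `Data :` line printed by `debug spanning-tree bpdu transmit` is the raw 35-byte 802.1D configuration BPDU that IOU3 sends out Et0/0 (the same dump appears again in the interface-level run later in this section). The decoder below is an added example and is not part of the original post; it takes that dump as constructed input and splits it into the fields a bridge uses for the root election, which is what BPDU Filter hides from the port and BPDU Guard reacts to. Only the standard library is used; `BPDU_DUMP` and the helper names are this example's own.

```python
import struct

# Constructed input: the hex dump printed by "debug spanning-tree bpdu transmit" in the
# lab output, copied with the spacing the debug output uses between fields.
BPDU_DUMP = "0000 00 00 00 8001AABBCC000100 00000064 8001AABBCC000300 8001 0100 1400 0200 0F00"

# 802.1D configuration BPDU layout (35 bytes, big-endian):
#   protocol id (2) | version (1) | type (1) | flags (1) | root id (8) |
#   root path cost (4) | bridge id (8) | port id (2) | message age (2) |
#   max age (2) | hello time (2) | forward delay (2)
CONFIG_BPDU = struct.Struct(">HBBB8sI8sHHHHH")
BPDU_TYPES = {0x00: "config", 0x80: "tcn", 0x02: "rstp"}


def parse_bridge_id(raw: bytes) -> dict:
    """Split an 8-byte bridge ID into priority, extended system ID (VLAN) and MAC.

    With extended system ID enabled (as 'show spanning-tree summary' reports), the
    2-byte priority field is 4 bits of priority plus 12 bits of VLAN number.
    """
    field = int.from_bytes(raw[:2], "big")
    return {
        "priority": field & 0xF000,
        "system_id_ext": field & 0x0FFF,
        "mac": ":".join(f"{b:02x}" for b in raw[2:]),
    }


def parse_config_bpdu(hexdump: str) -> dict:
    """Decode a configuration BPDU hex dump into a dict of named fields."""
    data = bytes.fromhex(hexdump.replace(" ", ""))
    if len(data) < CONFIG_BPDU.size:
        raise ValueError(f"need {CONFIG_BPDU.size} bytes, got {len(data)}")
    (proto, version, msg_type, flags, root_raw, root_cost,
     bridge_raw, port_id, msg_age, max_age, hello, fwd_delay) = CONFIG_BPDU.unpack(
        data[:CONFIG_BPDU.size])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto:#06x}")
    return {
        "version": version,
        "type": BPDU_TYPES.get(msg_type, f"unknown({msg_type:#04x})"),
        "topology_change": bool(flags & 0x01),
        "topology_change_ack": bool(flags & 0x80),
        "root": parse_bridge_id(root_raw),
        "root_path_cost": root_cost,
        "bridge": parse_bridge_id(bridge_raw),
        # Port ID: 4-bit priority (in steps of 16) + 12-bit port number.
        "port_priority": (port_id >> 12) << 4,
        "port_number": port_id & 0x0FFF,
        # Timers are carried in units of 1/256 second.
        "message_age_s": msg_age / 256,
        "max_age_s": max_age / 256,
        "hello_time_s": hello / 256,
        "forward_delay_s": fwd_delay / 256,
    }


def sender_is_root(bpdu: dict) -> bool:
    """True when the advertising bridge claims to be the root itself (root == bridge, cost 0)."""
    return bpdu["root"] == bpdu["bridge"] and bpdu["root_path_cost"] == 0


if __name__ == "__main__":
    decoded = parse_config_bpdu(BPDU_DUMP)
    for key, value in decoded.items():
        print(f"{key:20} {value}")
    print("sender is root:", sender_is_root(decoded))
```

Decoding the lab's dump shows IOU3 (bridge MAC aa:bb:cc:00:03:00) relaying a root with MAC aa:bb:cc:00:01:00 at path cost 100, priority 32768 for VLAN 1, and the default timers (hello 2 s, max age 20 s, forward delay 15 s). With the interface-level `spanning-tree bpdufilter enable` the port neither sends nor receives BPDUs, which is why nothing reaches Hacker's debug in that run; BPDU Guard does not look at any of these fields at all and simply err-disables the port on the first BPDU received.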
Deploying BPDU Filter on an interface:
IOU3(config)#int e1/2
IOU3(config-if)#spanning-tree bpdufilter enable
IOU3#show spanning-tree summary totals
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is enabled
IOU3#debug spanning-tree bpdu transmit
Spanning Tree BPDU Transmitted debugging is on
IOU3#
*Apr 26 04:28:40.190: STP: VLAN0001 Et0/0 tx BPDU: config protocol=ieee
Data : 0000 00 00 00 8001AABBCC000100 00000064 8001AABBCC000300 8001 0100 1400 0200 0F00
IOU3#debug spanning-tree bpdu receive
Spanning Tree BPDU Received debugging is on
IOU3#
*Apr 26 04:30:14.396: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from Ethernet1/1 , linktype IEEE_SPANNING , enctype 2, encsize 17
Hacker#debug spanning-tree bpdu receive
Spanning Tree BPDU Received debugging is on
After that, no packets show up at all.
IOU3(config-if)#no spanning-tree bpdufilter enable
Hacker#
*Apr 26 04:36:14.565: STP: VLAN0001 rx BPDU: config protocol = ieee, packet from Ethernet1/0 , linktype IEEE_SPANNING , enctype 2, encsize 17
After removing it with no, received packets appear on Hacker again.
3. Deploying BPDU Guard and the recovery mechanism
Global deployment:
IOU3(config)#spanning-tree portfast bpduguard default
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
IOU3#show int e1/2
Ethernet1/2 is down, line protocol is down (err-disabled)
It worked!!
Interface deployment:
IOU3(config-if)#spanning-tree bpduguard enable
IOU3#show spanning-tree summary totals
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
IOU3(config)#int e1/2
IOU3(config-if)#shutdown
IOU3(config-if)#no shutdown
Hacker(config)#int e1/0
Hacker(config-if)#shutdown
Hacker(config-if)#no shutdown
IOU3#show int e1/2
Ethernet1/2 is down, line protocol is down (err-disabled)
The interface deployment worked!!!
IOU3(config)#errdisable recovery cause bpduguard
IOU3(config)#errdisable recovery interval 30
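To turn the outputs collected in sections 2 and 3 into a repeatable check, here is an added Python audit script (not from the original post) that parses `show spanning-tree summary totals`, the first line of `show interface`, and the `errdisable recovery` configuration lines, then reports whether edge ports are protected by BPDU Guard, only silenced by BPDU Filter, or left unprotected, and whether an err-disabled port will come back on its own. The sample texts are constructed from the lab output above; the function names are this example's own.

```python
import re

# Constructed sample inputs, modelled on the lab output in this post.
SUMMARY_GUARD = """\
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is enabled
Portfast BPDU Filter Default is disabled
Loopguard Default is disabled
EtherChannel misconfig guard is enabled
"""

SUMMARY_FILTER = """\
Switch is in pvst mode
Root bridge for: none
Extended system ID is enabled
Portfast Default is disabled
PortFast BPDU Guard Default is disabled
Portfast BPDU Filter Default is enabled
"""

INT_STATUS = "Ethernet1/2 is down, line protocol is down (err-disabled)"

RECOVERY_CFG = """\
errdisable recovery cause bpduguard
errdisable recovery interval 30
"""

# Lines of "show spanning-tree summary totals" that report a global default.
FEATURE_LINES = {
    "Portfast Default": "portfast",
    "PortFast BPDU Guard Default": "bpduguard",
    "Portfast BPDU Filter Default": "bpdufilter",
    "Loopguard Default": "loopguard",
}


def parse_summary(text: str) -> dict:
    """Map the 'X Default is enabled/disabled' lines to booleans."""
    state = {}
    for line in text.splitlines():
        line = line.strip()
        for prefix, key in FEATURE_LINES.items():
            if line.startswith(prefix + " is "):
                state[key] = line.endswith(" is enabled")
    return state


def is_err_disabled(status_line: str) -> bool:
    """True for the '... line protocol is down (err-disabled)' form of 'show interface'."""
    return "(err-disabled)" in status_line


def parse_errdisable_recovery(config: str) -> dict:
    """Collect 'errdisable recovery cause <x>' entries and the recovery interval."""
    causes, interval = set(), None
    for line in config.splitlines():
        m = re.match(r"\s*errdisable recovery cause (\S+)", line)
        if m:
            causes.add(m.group(1))
        m = re.match(r"\s*errdisable recovery interval (\d+)", line)
        if m:
            interval = int(m.group(1))
    return {"causes": causes, "interval": interval}


def assess(summary: dict, recovery: dict) -> list:
    """Return human-readable findings about edge-port BPDU protection."""
    findings = []
    guard = summary.get("bpduguard", False)
    filt = summary.get("bpdufilter", False)
    if guard:
        findings.append("BPDU Guard default is on: an edge port that receives a BPDU is err-disabled.")
        if "bpduguard" not in recovery["causes"]:
            findings.append("No errdisable recovery for bpduguard: ports stay down until shutdown/no shutdown.")
        else:
            # IOS uses 300 s when no interval is configured.
            findings.append(f"Err-disabled ports recover after {recovery['interval'] or 300} s.")
    if filt and not guard:
        findings.append("BPDU Filter without Guard: BPDUs on edge ports are dropped silently and "
                        "the port stays up, so an unexpected switch is not detected.")
    if not guard and not filt:
        findings.append("Neither BPDU Guard nor BPDU Filter default is set: edge ports take part "
                        "in STP with whatever BPDUs they receive.")
    if not summary.get("portfast", False):
        findings.append("PortFast default is off: the global defaults only cover ports that have "
                        "PortFast enabled per interface.")
    return findings


if __name__ == "__main__":
    for name, text in (("guard", SUMMARY_GUARD), ("filter", SUMMARY_FILTER)):
        print(f"--- {name} ---")
        for line in assess(parse_summary(text), parse_errdisable_recovery(RECOVERY_CFG)):
            print(" *", line)
    print("e1/2 err-disabled:", is_err_disabled(INT_STATUS))
```

The point the two sections make is visible in the findings: with only BPDU Filter the debug on Hacker goes quiet but nothing on IOU3 records the event, whereas with BPDU Guard the port state itself (`err-disabled`) is the evidence, and `errdisable recovery cause bpduguard` with a 30 s interval decides whether that evidence clears itself or waits for an operator.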
24 - BPDU Filter and BPDU Guard (BPDU filtering and guarding) // IOU simulation
Original post: http://blog.51cto.com/13856092/2137447