User notes
15.02.2013 08:30

SNR-S2900 switches at the access layer

SNR-S2940, S2950 and S2960 series Ethernet switches at the access layer


The access layer of one ISP in a certain city. The operator has networks in several cities. In the city "City" the main network terminates subscribers using the L3 dynamic CLIPS scheme. The satellite cities have smaller networks; in "City N", for example, the network is built on Q-in-Q termination.


Configuring the access layer for the Q-in-Q tunnel scheme.

Subscribers are connected using the VLAN-per-User scheme. We use SNR-S2940-8G and SNR-S2950-24G switches as the best option in terms of price/quality/reliability.
Subscriber ports are in access mode, each in its own VLAN. The DHCP snooping option 82 feature identifies the user by port.

SNR-S2940-8G(config)#show run
!
no service password-encryption
!
hostname SNR-S2940-8G
sysLocation Ak.Vonsovskogo str. 1-118, Ekaterinburg, Russia
sysContact support@nag.ru
!
!
!
clock timezone Ykt add 6 0
!
logging executed-commands enable
!
ssh-server enable
!
no ip http server
!
service dhcp
!
ip dhcp snooping enable
ip dhcp snooping binding enable
## enable binding of the subscriber to the port
!
ip dhcp snooping information enable
## enable option 82
ip dhcp snooping information option subscriber-id format vs-hp ## vs-hp format; ascii or hex are also possible
!
!
!
!
!
!
!
vlan 1;101-108
!
Interface Ethernet1/1
switchport access vlan 101
ip dhcp snooping binding user-control
## enable the binding on the port
ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/2
switchport access vlan 102
ip dhcp snooping binding user-control
ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/3
switchport access vlan 103
ip dhcp snooping binding user-control
ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/4
switchport access vlan 104
ip dhcp snooping binding user-control
ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/5
switchport access vlan 105
ip dhcp snooping binding user-control
ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/6
switchport access vlan 106
ip dhcp snooping binding user-control
ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/7
switchport access vlan 107
ip dhcp snooping binding user-control
ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/8
switchport access vlan 108
ip dhcp snooping binding user-control
ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/9
switchport mode trunk
switchport trunk allowed vlan 1;101-108
ip dhcp snooping trust
## port towards the DHCP server
!
interface Vlan1
description mgmt
ip address 192.168.0.12 255.255.255.0
!
ip default-gateway 192.168.0.1
!
!
no login
!
!
end
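
An added example, not part of the original note and not vendor software: a small Python script that audits a saved show run for the DHCP snooping settings used above. It checks that every subscriber access port carries binding user-control with a max-user limit and is not trusted, and that the trunk uplink is trusted. The embedded configuration is a shortened copy of the configuration above, with two mistakes introduced on purpose (Ethernet1/2 lacks max-user, Ethernet1/3 is trusted and lacks user-control) so the checks have something to find.

```python
"""Audit an SNR/DCN-style 'show run' dump for DHCP snooping port hygiene.

Added example, not from the note. Parses each 'Interface ...' block and
checks the per-port DHCP snooping commands the note relies on.
"""

# Constructed sample: shortened copy of the note's first config with two
# deliberate mistakes (Ethernet1/2 and Ethernet1/3) for the audit to catch.
SAMPLE_CONFIG = """\
ip dhcp snooping enable
ip dhcp snooping binding enable
ip dhcp snooping information enable
!
Interface Ethernet1/1
switchport access vlan 101
ip dhcp snooping binding user-control
ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/2
switchport access vlan 102
ip dhcp snooping binding user-control
!
Interface Ethernet1/3
switchport access vlan 103
ip dhcp snooping trust
!
Interface Ethernet1/9
switchport mode trunk
switchport trunk allowed vlan 1;101-103
ip dhcp snooping trust
!
interface Vlan1
ip address 192.168.0.12 255.255.255.0
!
end
"""

# Global commands the note enables before any per-port configuration
REQUIRED_GLOBAL = (
    "ip dhcp snooping enable",
    "ip dhcp snooping binding enable",
    "ip dhcp snooping information enable",
)


def parse_interfaces(config: str) -> dict:
    """Return {interface_name: [config lines]} for each 'Interface ...' block."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("!", "end", ""):
            current = None  # block separator ends the current interface
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit_global(config: str) -> list:
    """Return the required global DHCP snooping commands that are missing."""
    lines = {raw.strip() for raw in config.splitlines()}
    return [cmd for cmd in REQUIRED_GLOBAL if cmd not in lines]


def audit_dhcp_snooping(config: str) -> list:
    """Return (interface, finding) tuples; an empty list means the ports look clean."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not name.lower().startswith("ethernet"):
            continue  # skip SVIs such as Vlan1
        is_access = any(ln.startswith("switchport access vlan") for ln in lines)
        is_trunk = "switchport mode trunk" in lines
        trusted = "ip dhcp snooping trust" in lines
        user_control = "ip dhcp snooping binding user-control" in lines
        max_user = any(
            ln.startswith("ip dhcp snooping binding user-control max-user") for ln in lines
        )
        if is_access and trusted:
            findings.append((name, "subscriber port is DHCP-snooping trusted"))
        if is_access and not user_control:
            findings.append((name, "missing 'ip dhcp snooping binding user-control'"))
        if is_access and user_control and not max_user:
            findings.append((name, "no max-user limit on binding user-control"))
        if is_trunk and not trusted:
            findings.append((name, "uplink is not DHCP-snooping trusted"))
    return findings


if __name__ == "__main__":
    for cmd in audit_global(SAMPLE_CONFIG):
        print("GLOBAL: missing", cmd)
    for iface, finding in audit_dhcp_snooping(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

Feed it the output of show run saved to a file instead of SAMPLE_CONFIG to check a whole access switch; a trusted subscriber port is the finding that matters most, since it lets a device on that port answer DHCP requests.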


Configuring the access layer for the Dynamic CLIPS over L3 scheme.

The switch's subscribers are isolated in a single VLAN of their own (vlan-per-switch). DHCP snooping with option 82 is used for identification.
SNR-S2940-8G#sho run
!
no service password-encryption
!
hostname SNR-S2940-8G
sysLocation Ak.Vonsovskogo str. 1-118, Ekaterinburg, Russia
sysContact support@nag.ru
!
!
!
!
clock timezone Ykt add 6 0
!
logging executed-commands enable
!
ssh-server enable
!
no ip http server
!
service dhcp
!
ip dhcp snooping enable
ip dhcp snooping binding enable
!
ip dhcp snooping information enable
ip dhcp snooping information option subscriber-id format vs-hp
!

!
!
!
!
!
vlan 1
!
vlan 201
name Users_vlan
!
Interface Ethernet1/1
switchport access vlan 201
ip dhcp snooping binding user-control
ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/2
switchport access vlan 201
ip dhcp snooping binding user-control
ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/3
switchport access vlan 201
ip dhcp snooping binding user-control
ip dhcp snooping binding user-control max-user 1
!
Interface Ethernet1/4
switchport access vlan 201
ip dhcp snooping binding user-control
!
Interface Ethernet1/5
switchport access vlan 201
ip dhcp snooping binding user-control
!
Interface Ethernet1/6
switchport access vlan 201
ip dhcp snooping binding user-control
!
Interface Ethernet1/7
switchport access vlan 201
ip dhcp snooping binding user-control
!
Interface Ethernet1/8
switchport access vlan 201
ip dhcp snooping binding user-control
!
Interface Ethernet1/9
switchport mode trunk
switchport trunk allowed vlan 1;201
ip dhcp snooping trust
!
interface Vlan1
description mgmt vlan
ip address 192.168.0.10 255.255.255.0
!
ip default-gateway 192.168.0.1
!
!
no login
!
!
end


ip dhcp snooping enable
The switch monitors the process by which a DHCP client obtains an IP address over DHCP. This prevents rogue DHCP servers from appearing. It is achieved by designating trusted ports, from which the legitimate DHCP server replies, and untrusted ports, to which DHCP clients are connected. The command for designating a trusted port is:
ip dhcp snooping trust

ip dhcp snooping binding enable
The data from DHCP requests is stored on the switch (it can also be written to a backup server).

ip dhcp snooping binding user-control
DHCP snooping treats the captured binding entries as trusted users entitled to access all resources.

ip dhcp snooping information enable
Option 82 information is added to DHCP messages at the user authentication stage.
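
An added example, not from the note and not vendor code: Python that builds and parses a DHCP option 82 (Relay Agent Information, RFC 3046) TLV, the option the switch inserts into client DHCP messages once information is enabled. The Circuit-ID and Remote-ID contents are constructed for the demonstration; the actual bytes the switch emits depend on the configured subscriber-id format (vs-hp, ascii or hex), which is not modelled here. The parser is strict about lengths, because a malformed relay option is something a DHCP server or binding logic should reject rather than guess at.

```python
"""DHCP option 82 (Relay Agent Information) TLV encoder/decoder.

Added example, not from the note. Layout per RFC 3046:
  82 | len | [1 | len | Circuit-ID] [2 | len | Remote-ID]
"""

OPTION_RELAY_AGENT = 82
SUB_CIRCUIT_ID = 1
SUB_REMOTE_ID = 2


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Return the full option-82 TLV: code, length, then the two sub-option TLVs."""
    body = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    if len(circuit_id) > 255 or len(remote_id) > 255 or len(body) > 255:
        raise ValueError("option 82 fields must fit one-byte length fields")
    return bytes([OPTION_RELAY_AGENT, len(body)]) + body


def parse_option82(data: bytes) -> dict:
    """Decode an option-82 TLV into {sub_option_code: bytes}.

    Raises ValueError on any length inconsistency instead of silently
    truncating, so callers never act on a partially parsed identifier.
    """
    if len(data) < 2 or data[0] != OPTION_RELAY_AGENT:
        raise ValueError("not an option 82 TLV")
    length = data[1]
    if len(data) != 2 + length:
        raise ValueError("option length does not match payload")
    subs, pos, end = {}, 2, 2 + length
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated sub-option header")
        code, sub_len = data[pos], data[pos + 1]
        pos += 2
        if pos + sub_len > end:
            raise ValueError("sub-option overruns option 82 body")
        subs[code] = data[pos:pos + sub_len]
        pos += sub_len
    return subs


def subscriber_port(circuit_id: bytes) -> tuple:
    """Constructed convention for this demo only: Circuit-ID is ASCII 'vlan:port'."""
    vlan, port = circuit_id.decode("ascii").split(":")
    return int(vlan), int(port)


if __name__ == "__main__":
    # Constructed values: VLAN 101 on port 1, switch MAC as Remote-ID
    opt = build_option82(b"101:1", bytes.fromhex("001122334455"))
    print(opt.hex())
    subs = parse_option82(opt)
    print("circuit-id ->", subscriber_port(subs[SUB_CIRCUIT_ID]))
    print("remote-id  ->", subs[SUB_REMOTE_ID].hex(":"))
```

A DHCP server or an authentication backend that keys bindings on (Remote-ID, Circuit-ID) gets exactly the tuple this parser returns; on the switch side the binding user-control feature is what ties the resulting lease to the port it came from.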

ip dhcp snooping action shutdown/blackhole [recovery <sec>]
shutdown - if a rogue DHCP server is detected, the port is shut down
blackhole - if a rogue DHCP server is detected, traffic from its MAC address is blocked
sec - how long the protective action stays in effect, in seconds

ip dhcp snooping limit-rate <pps>
Number of DHCP requests per minute

Example of an extended Ethernet switch configuration.

Enabling protection against ARP spoofing
!
anti-arpscan enable
anti-arpscan recovery time 60 ## port state recovery interval
!


Colouring traffic at the access layer.
We separate the different traffic types with ACLs.
!
access-list 110 permit ip any-source any-destination
access-list 111 permit tcp any-source s-port 80 any-destination
access-list 111 permit tcp any-source any-destination d-port 80
access-list 111 permit tcp any-source s-port 8080 any-destination
access-list 111 permit tcp any-source any-destination d-port 8080
access-list 111 permit tcp any-source s-port 143 any-destination
access-list 111 permit tcp any-source any-destination d-port 143
access-list 111 permit tcp any-source s-port 220 any-destination
access-list 111 permit tcp any-source any-destination d-port 220
access-list 111 permit tcp any-source s-port 585 any-destination
access-list 111 permit tcp any-source any-destination d-port 585
access-list 111 permit tcp any-source s-port 993 any-destination
access-list 111 permit tcp any-source any-destination d-port 993
access-list 111 permit tcp any-source s-port 25 any-destination
access-list 111 permit tcp any-source any-destination d-port 25
access-list 111 permit tcp any-source s-port 110 any-destination
access-list 111 permit tcp any-source any-destination d-port 110
access-list 111 permit tcp any-source s-port 4590 any-destination
access-list 111 permit tcp any-source any-destination d-port 4590
access-list 111 permit tcp any-source s-port 1723 any-destination
access-list 111 permit tcp any-source any-destination d-port 1723
access-list 111 permit tcp any-source s-port 5190 any-destination
access-list 111 permit tcp any-source any-destination d-port 5190
access-list 111 permit tcp any-source s-port 5222 any-destination
access-list 111 permit tcp any-source any-destination d-port 5222
access-list 111 permit tcp any-source s-port 443 any-destination
access-list 111 permit tcp any-source any-destination d-port 443
access-list 111 permit tcp any-source s-port 5223 any-destination
access-list 111 permit tcp any-source any-destination d-port 5223
access-list 112 permit tcp any-source s-port 5800 any-destination
access-list 112 permit tcp any-source any-destination d-port 5800
access-list 112 permit tcp any-source s-port 5801 any-destination
access-list 112 permit tcp any-source any-destination d-port 5801
access-list 112 permit tcp any-source s-port 5900 any-destination
access-list 112 permit tcp any-source any-destination d-port 5900
access-list 112 permit tcp any-source s-port 5901 any-destination
access-list 112 permit tcp any-source any-destination d-port 5901
access-list 112 permit tcp any-source s-port 5902 any-destination
access-list 112 permit tcp any-source any-destination d-port 5902
access-list 112 permit tcp any-source s-port 3389 any-destination
access-list 112 permit tcp any-source any-destination d-port 3389
access-list 112 permit tcp any-source s-port 516 any-destination
access-list 112 permit tcp any-source any-destination d-port 516
access-list 112 permit tcp any-source s-port 583 any-destination
access-list 112 permit tcp any-source any-destination d-port 583
access-list 112 permit tcp any-source s-port 1398 any-destination
access-list 112 permit tcp any-source any-destination d-port 1398
access-list 112 permit tcp any-source s-port 1518 any-destination
access-list 112 permit tcp any-source any-destination d-port 1518
access-list 112 permit tcp any-source s-port 1519 any-destination
access-list 112 permit tcp any-source any-destination d-port 1519
access-list 112 permit tcp any-source s-port 1566 any-destination
access-list 112 permit tcp any-source any-destination d-port 1566
access-list 112 permit tcp any-source s-port 2232 any-destination
access-list 112 permit tcp any-source any-destination d-port 2232
access-list 112 permit tcp any-source s-port 4444 any-destination
access-list 112 permit tcp any-source any-destination d-port 4444
access-list 112 permit tcp any-source s-port 5714 any-destination
access-list 112 permit tcp any-source any-destination d-port 5714
access-list 112 permit tcp any-source s-port 7648 any-destination
access-list 112 permit tcp any-source any-destination d-port 7648
access-list 112 permit tcp any-source s-port 7649 any-destination
access-list 112 permit tcp any-source any-destination d-port 7649
access-list 112 permit tcp any-source s-port 7650 any-destination
access-list 112 permit tcp any-source any-destination d-port 7650
access-list 112 permit tcp any-source s-port 7651 any-destination
access-list 112 permit tcp any-source any-destination d-port 7651
access-list 112 permit tcp any-source s-port 22 any-destination
access-list 112 permit tcp any-source any-destination d-port 22
access-list 112 permit tcp any-source s-port 23 any-destination
access-list 112 permit tcp any-source any-destination d-port 23
access-list 112 permit tcp any-source s-port 21 any-destination
access-list 112 permit tcp any-source any-destination d-port 21
access-list 112 permit tcp any-source s-port 2000 any-destination
access-list 112 permit tcp any-source any-destination d-port 2000
access-list 112 permit tcp any-source s-port 2003 any-destination
access-list 112 permit tcp any-source any-destination d-port 2003
access-list 112 permit tcp any-source s-port 2106 any-destination
access-list 112 permit tcp any-source any-destination d-port 2106
access-list 112 permit tcp any-source s-port 2009 any-destination
access-list 112 permit tcp any-source any-destination d-port 2009
access-list 112 permit tcp any-source s-port 7777 any-destination
access-list 112 permit tcp any-source any-destination d-port 7777
access-list 112 permit tcp any-source s-port 1119 any-destination
access-list 112 permit tcp any-source any-destination d-port 1119
access-list 112 permit tcp any-source s-port 3724 any-destination
access-list 112 permit tcp any-source any-destination d-port 3724
access-list 112 permit tcp any-source s-port 4000 any-destination
access-list 112 permit tcp any-source any-destination d-port 4000
access-list 112 permit tcp any-source s-port 6112 any-destination
access-list 112 permit tcp any-source any-destination d-port 6112
access-list 112 permit tcp any-source s-port 6113 any-destination
access-list 112 permit tcp any-source any-destination d-port 6113
access-list 112 permit tcp any-source s-port 6114 any-destination
access-list 112 permit tcp any-source any-destination d-port 6114
access-list 112 permit tcp any-source s-port 3074 any-destination
access-list 112 permit tcp any-source any-destination d-port 3074
access-list 112 permit tcp any-source s-port 28960 any-destination
access-list 112 permit tcp any-source any-destination d-port 28960
access-list 114 permit udp any-source 239.255.2.0 0.0.1.255
access-list 115 permit tcp any-source s-port 1025 any-destination
access-list 115 permit tcp any-source s-port 1720 any-destination
access-list 115 permit tcp any-source any-destination d-port 1025
access-list 115 permit tcp any-source any-destination d-port 1720
access-list 115 permit tcp any-source s-port 1045 any-destination
access-list 115 permit tcp any-source s-port 1027 any-destination
access-list 115 permit tcp any-source any-destination d-port 1045
access-list 115 permit tcp any-source any-destination d-port 1027
access-list 115 permit udp any-source s-port 1024 any-destination
access-list 115 permit udp any-source any-destination d-port 1024
access-list 116 permit tcp any-source s-port 37 any-destination
access-list 116 permit tcp any-source any-destination d-port 37
access-list 116 permit udp any-source s-port 68 any-destination
access-list 116 permit udp any-source any-destination d-port 67
access-list 116 permit udp any-source s-port 53 any-destination
access-list 116 permit udp any-source any-destination d-port 53
access-list 116 permit icmp any-source any-destination
access-list 116 permit tcp any-source s-port 161 any-destination
access-list 116 permit tcp any-source s-port 162 any-destination
access-list 116 permit tcp any-source any-destination d-port 161
access-list 116 permit tcp any-source any-destination d-port 162
access-list 116 permit udp any-source s-port 161 any-destination
access-list 116 permit udp any-source s-port 162 any-destination
access-list 116 permit udp any-source any-destination d-port 161
access-list 116 permit udp any-source any-destination d-port 162
access-list 116 permit tcp any-source s-port 179 any-destination
access-list 116 permit udp any-source s-port 179 any-destination
access-list 116 permit tcp any-source any-destination d-port 179
access-list 116 permit udp any-source any-destination d-port 179
access-list 116 permit tcp any-source s-port 1812 any-destination
access-list 116 permit tcp any-source s-port 1813 any-destination
access-list 116 permit tcp any-source any-destination d-port 1812
access-list 116 permit tcp any-source any-destination d-port 1813
access-list 116 permit udp any-source s-port 1812 any-destination
access-list 116 permit udp any-source s-port 1813 any-destination
access-list 116 permit udp any-source any-destination d-port 1812
access-list 116 permit udp any-source any-destination d-port 1813
!

We assign priorities to the classes.
!
mls qos
wrr-queue bandwidth 1 4 32 0
wrr-queue cos-map 1 7
wrr-queue cos-map 2 1
wrr-queue cos-map 4 5
!

We assign a traffic type to each class.
!
class-map cl_0
match access-group 110
!
class-map cl_1
match access-group 111
!
class-map cl_2
match access-group 112
!
class-map cl_4
match access-group 114
!
class-map cl_5
match access-group 115
!
class-map cl_6
match access-group 116
!

We set a DSCP marking for each class.
!
policy-map dscp_map
class cl_6
set ip dscp 48
exit
class cl_5
set ip dscp 40
exit
class cl_4
set ip dscp 32
exit
class cl_2
set ip dscp 16
exit
class cl_1
set ip dscp 8
exit
class cl_0
set ip dscp 0
exit
!

We attach the whole construction to the port.
!
Interface Ethernet1/1
service-policy input dscp_map
switchport access vlan 15
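
An added example, not from the note: a Python model of the ACL, class-map and policy-map chain above that reports which DSCP value a given flow receives. Only a representative subset of the ACL entries above is included, and the flows are constructed. It also makes the ordering point visible: in the policy-map cl_0 (access-list 110, any IP) is listed last, and the model shows that if the same classes were evaluated with cl_0 first, every packet would get DSCP 0.

```python
"""Model of the note's ACL -> class-map -> policy-map DSCP marking.

Added example, not from the note. First matching class in policy-map order
wins, which is how the marking behaves on the switch.
"""
import ipaddress

# (acl, proto, src_port, dst_port, dst_network); None means any-source /
# any-destination. Representative subset of the note's access-lists.
ACL_ENTRIES = [
    (110, "ip",   None, None, None),
    (111, "tcp",  80,   None, None), (111, "tcp", None, 80,   None),
    (111, "tcp",  443,  None, None), (111, "tcp", None, 443,  None),
    (112, "tcp",  22,   None, None), (112, "tcp", None, 22,   None),
    (112, "tcp",  3389, None, None), (112, "tcp", None, 3389, None),
    (114, "udp",  None, None, "239.255.2.0/23"),   # 239.255.2.0 0.0.1.255
    (115, "tcp",  1720, None, None), (115, "tcp", None, 1720, None),
    (116, "udp",  68,   None, None), (116, "udp", None, 67,   None),
    (116, "udp",  53,   None, None), (116, "udp", None, 53,   None),
    (116, "icmp", None, None, None),
    (116, "udp",  1812, None, None), (116, "udp", None, 1812, None),
]

# class-map name -> access-group, as in the note
CLASS_MAPS = {"cl_0": 110, "cl_1": 111, "cl_2": 112,
              "cl_4": 114, "cl_5": 115, "cl_6": 116}

# policy-map dscp_map: classes in the order the note lists them
POLICY_ORDER = [("cl_6", 48), ("cl_5", 40), ("cl_4", 32),
                ("cl_2", 16), ("cl_1", 8), ("cl_0", 0)]


def acl_matches(acl: int, proto: str, sport, dport, dst_ip: str) -> bool:
    """True if any permit entry of access-list `acl` matches the flow."""
    dst = ipaddress.ip_address(dst_ip)
    for num, e_proto, e_sport, e_dport, e_net in ACL_ENTRIES:
        if num != acl:
            continue
        if e_proto != "ip" and e_proto != proto:
            continue
        if e_sport is not None and e_sport != sport:
            continue
        if e_dport is not None and e_dport != dport:
            continue
        if e_net is not None and dst not in ipaddress.ip_network(e_net):
            continue
        return True
    return False


def classify(proto: str, sport, dport, dst_ip: str, policy=POLICY_ORDER) -> tuple:
    """Return (class_name, dscp) the policy-map assigns, or (None, None)."""
    for cls, dscp in policy:
        if acl_matches(CLASS_MAPS[cls], proto, sport, dport, dst_ip):
            return cls, dscp
    return None, None


if __name__ == "__main__":
    # Constructed flows: DNS query, HTTPS, SSH, IPTV multicast, unknown TCP
    flows = [("udp", 54321, 53, "8.8.8.8"), ("tcp", 43000, 443, "1.2.3.4"),
             ("tcp", 44000, 22, "10.0.0.5"), ("udp", 5000, 1234, "239.255.3.7"),
             ("tcp", 50000, 12345, "10.0.0.1")]
    for flow in flows:
        print(flow, "->", classify(*flow))
    print("cl_0 first:", classify(*flows[0], policy=list(reversed(POLICY_ORDER))))
```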


Restricting access on a port by MAC address.
firewall enable
!
access-list 150 permit host-source-mac mm-mm-mm-mm-mm-mm
access-list 150 deny any-source-mac
!
Interface Ethernet1/1
switchport access vlan 15
mac access-group 150 in
!

One can also add, for example, a time-of-day restriction and the like.
!
time-range daily_acl
periodic daily 08:00:00 to 22:00:00
!
access-list 150 permit host-source-mac mm-mm-mm-mm-mm-mm time-range daily_acl
access-list 150 deny any-source-mac

The MAC address we specified has network access from 8:00 to 22:00; this could be, for example, a child's computer.
Restricting access by MAC address can also be done with the port-security feature, including on a trunk port.
Interface Ethernet1/1
switchport access vlan 12
switchport port-security
switchport port-security mac-address nn-nn-nn-nn-nn-nn
!
Interface Ethernet1/9
switchport mode trunk
switchport trunk allowed vlan 10,12
switchport port-security
switchport port-security mac-address nn-nn-nn-nn-nn-nn vlan 12


Another way to restrict access by IP-MAC pair is the Access Management feature, an analogue of D-Link's IP-Port-MAC binding.
!
am enable
!
Interface Ethernet1/1
switchport access vlan 12
am port
am mac-ip-pool nn-nn-nn-nn-nn-nn 10.10.10.20

3 comments

Robot_NagNews

Material:

We continue sharing practical experience - a note from the "how to" series. Examples of typical configurations of SNR access-layer switches.

mcdemon

the switches are not very convenient

Navu

Could you be more specific?