cisco Security总笔记

CISCO网络设备的几个安全问题作者：SQL SQL@网站：我对CISCO的交换机和ROUTER并不是很熟悉，CISCO的功能实在是太强大了。

据说全球95%的网络设备都是采用CISCO的东西，我去了这么多客户的机房对这点是完全同意的。

今天就几个CISCO的安全问题来简单的谈谈，当然并不是说CISCO的东西不安全，只是我发现好多人对于网络设备的升级和打补丁好象并不像对NT/2000这种系统一样那么热衷很多CISCO的设备从买来以后IOS就再没有升过级很多都是长年累月的放在那里。

其实默认和配置不当的情况下CISCO还是有些不大不小的问题，今天我就主要讨论其中3个比较大的安全隐患。

先来说说最常见的SNMP的关键字强度不够这个问题好了，snmp-server community private RWsnmp-server community public ROsnmp-server community private@es0 RWsnmp-server community public@es0 RO很多CISCO的设备默认的配置就像上面这样，给public只读的权限给private的是可读可写的权限。

我不知道怎么去说SNMP这个网络管理协议，有兴趣的人可以参考相关的书籍毕竟不是一两句话说的清楚。

我这里简单的说就是SNMP是一个设备的管理接口，现在绝大多数的操作系统都是支持的，但像NT/2000这样的系统默认是没有可读可写这样的权限community出现的，community可以认为就是通过SNMP管理时系统跟我们要的口令，在这里public private就是两个不同级别的口令了。

这是包括CISCO设备在内的很多采用SNMP 设备的默认community。

但是CISCO默认情况下是否打开对SNMP的支持呢，我用的CISCO 并不是很多，在公司的SWITCH2900是默认就打开的，可有的人他们那里的设备是默认没有开的，这点我不能确认有经验的朋友可以来信告诉我下。

CCNA SECURITY笔记A）命令级别：a) . Privilege exec level 1 clear line *privilege configure all level 5 router”all”就是把全局配置模式下的router这个命令下面的所有命令给于5级别。

如果不加all，则只有router 后面的命令在5级别可以使用。

意思是把原来exec下面的【包括#和>下面的，不论是原来是什么级别的命令clear line *】移动到1级别去。

将高级别的命令放到级别的时候也要有先后顺序的：比如：你要把router 这个命令放到level 1下面去，但是你没有把configure terminal放过去，你是看不到router 命令的。

因为路由器觉得router是在全名模式下的命令，你必须要进入全局模式下才可以敲入router.如下图：R1(config)>routerR1(config)>router os 1R1(config-router)>network 192.168.1.1 0.0.0.0 a 0虽然进入到全名模式也是>这个符号，但是也要进入这种全局模式。

才有router命令。

b) .View 命令集:将命令做成一集合，然后授权给某个用户使用。

控制力度更强。

则此用户只能使用此命令集中的命令。

Root view 比15级别更强Aaa new-modeEablesecretwang/enble pass wang配置进入到root view下面的密码Root view 可以创建删除VIEW,但是15级别不可以。

Enable view (进入root view)Parser view y uan(创建一个view)Secret yeslabccies配置y uan这个子view下面的密码Commands exec include show version使用本地数据库绑定VIEW先去掉aaa new-model 只是为了演示，其实一般都是用AAA做VIEW的授权User yuan password yuanUser yuan view yuanB ) CISCO路由器的加密级别0,5,6,70 是不加密5 是MD56是在做VPN的时候加密的6: key config-key password-encrypt wang1245passwor encryption aescryptiskmap key 0 yuan add 192.168.1.1最后变成：cryptoisakmp key 6 ZFSN\VVKfdcf\cBKKBLZWDgVXGD address 192.168.1.17是开启了service password-encrytionC) chatper认证不能够使用enable secret 加密1.security passwords min-length2.no service password-recovery 【让你无法找回running-config】就是让用户在重启的时候无法进入ROMMON下面中破解密码。

关于console线（RS232转RJ45）的接线方法网上搜到一些关于交换机和路由器的console线的接线方法（RS232接口转RJ45接口）就是下图中这种线，按教程方法接线后，发现无法对设备进行配置，经过进一步测量发现，很多教程都是错的，现将自己测量结果发布供需要的朋友使用。

接线图如下：RJ45接口从左到右分别为1~8RS232接口编号如上图RJ45----RS2321---------------82---------------63---------------24---------------15---------------56---------------37---------------48---------------7空--------------9注：只要上面红色三组连接就可以正常使用了。

本人手头有两根不同的console线，其中一根测量结果与上面相符合。

但是另外一根中， RJ45的第四根与RS232的第一根并没有接通，（上面黄色标记的一组）其它的都一样。

但是在实际使用中，两根线都是可以对交换机进行配置的。

第二讲、网络体系结构与TCPIP协议1、几个特殊的IP地址主机号全0：表示网络号，不能分配给主机。

如192.168.4.0为网络地址，代表这个网络，而不代表某台计算，不能配转置到计算机上。

主机号全1：主机号为8个二进制1，表示向指定子网发广播。

如192.168.1.255表示向网络192.168.1.0这个网段发广播，即向这个网段的所有计算机发广播。

255.255.255.255：本子网内广播地址，即向本子网内的所有计算机发广播。

127.X.Y.Z：测试地址，不能配置给计算机。

2、公有IP是要申请的还要交纳一定的使用费。

私有IP是在一个封闭的局域网中，可以任意配置A、B、C三类IP。

INTERNIC保留的IP范围为：A类：10.0.0.1~10.255.255.254B类：172.16.0.1~172.31.255.254C类：192.168.0.1~192.168.255.2543、子网掩码：默认的子网是将IP地址网络位对应的子网掩码设为“1”，主机位对应的子网掩码设为“0”。

1 Alice 和Bob 使用数字签名来签署文档。

Alice 应使用以下哪种密钥签署文档，从而使Bob 确认该文档来自Alice？选择一项：Alice 的私钥2 一个团队正在对数据库服务执行风险分析。

收集的信息包括这些资产的初始值、资产面临的威胁以及这些威胁的影响。

该团队通过计算年化损失预期执行的是哪种类型的风险分析？选择一项：定量分析3 以下哪个实用程序使用Internet 控制消息协议(ICMP)？选择一项：ping4 以下哪种技术为同一密码创建不同的散列值？选择一项：加盐5 IT 部门需要实施一个系统，以控制用户在企业网络上可以执行的操作和不能执行的操作。

实施以下哪一过程可以满足这一要求？选择一项：一组描述用户访问权限的属性6 有许多环境需要五个九的可用性，但这种环境可能成本过高。

以下哪一项是五个九环境可能由于成本过高的示例？选择一项：纽约证券交易所7 以下哪两项是事件响应的两个阶段？（选择两项。

）选择一项或多项：遏制和恢复检测和分析8 在发送数据进行分析之前，可使用以下哪种技术替换非生产环境中的敏感数据以保护基础信息？选择一项：数据掩码替换9 以下哪个无线标准强制使用AES 和CCM？选择一项：WPA210密码、口令及PIN 是以下哪个安全术语的示例？选择一项：身份验证11 在生物识别系统的对比中，什么是交叉错误率？选择一项：漏报率和误报率12 以下哪项陈述描述的是分布式拒绝服务攻击？选择一项：攻击者构建由僵尸计算机组成的僵尸网络。

13 在哪种情况下需要进行检测控制？选择一项：当组织需要查找禁止的活动时14在允许某台计算设备连接到园区网络之前，应使用哪种技术来实施安全策略，强制检查该设备是否安装了最新防病毒更新程序？选择一项：NAC15一家公司实施了防病毒软件。

该公司实施的是哪种类型的安全控制？选择一项：恢复控制16 用户报告网络访问缓慢。

在询问员工后，网络管理员得知一名员工下载了用于打印机的第三方扫描程序。

HardwareCisco 3800 Series Integrated Services Routers (ISR)Cisco 1800 Series Integrated Services Routers (ISR)Cisco Catalyst 3560 Series SwitchesCisco ASA 5500 Series Adaptive Security AppliancesCisco IPS Series 4200 Intrusion Prevention System sensorsCisco Secure Access Control Server for WindowsSoftwareCisco ISR Series running IOS Software Version 12.4T Advanced Enterprise Services feature set is used on all routersCisco Catalyst 3560 Series Switches running Cisco IOS Software Release 12.2(44)SE or aboveCisco ASA 5500 Series Adaptive Security Appliances OS Software Version 8.xCisco IPS Software Release 6.1.xCisco VPN Client Software for Windows, Release 5.xCisco Secure ACS for Windows Version 4.1V3 BlueprintI Implement secure networks using Cisco ASA FirewallsPerform basic firewall InitializationConfigure device managementConfigure address translation (nat, global, static)Configure ACLsConfigure IP routingConfigure object groupsConfigure VLANsConfigure filteringConfigure failoverConfigure Layer 2 Transparent FirewallConfigure security contexts (virtual firewall)Configure Modular Policy FrameworkConfigure Application-Aware InspectionConfigure high availability solutionsConfigure QoS policiesⅡImplement secure networks using Cisco IOS Firewalls Configure CBACConfigure Zone-Based FirewallConfigure AuditConfigure Auth ProxyConfigure PAMConfigure access controlConfigure performance tuningConfigure advanced IOS Firewall featuresⅢImplement secure networks using Cisco VPN solutions Configure IPsec LAN-to-LAN (IOS/ASA)Configure SSL VPN (IOS/ASA)Configure Dynamic Multipoint VPN (DMVPN) Configure Group Encrypted Transport (GET) VPNConfigure Easy VPN(IOS/ASA)Configure CA(PKI)Configure Remote Access VPNConfigure Cisco Unity ClientConfigure Clientless WebVPNConfigure AnyConnect VPNConfigure XAuth, Split-Tunnel, RRI, NAT-TConfigure High AvailabilityConfigure QoS for VPNConfigure GRE, mGREConfigure L2TPConfigure advanced Cisco VPN featuresIV Configure Cisco IPS to mitigate network threatsConfigure IPS 4200 Series Sensor ApplianceInitialize the Sensor ApplianceConfigure Sensor Appliance managementConfigure virtual Sensors on the Sensor ApplianceConfigure security policiesConfigure promiscuous and inline monitoring on the Sensor Appliance Configure and tune signatures on the Sensor ApplianceConfigure custom signatures on the Sensor ApplianceConfigure blocking on the Sensor ApplianceConfigure TCP resets on the Sensor ApplianceConfigure rate limiting on the Sensor ApplianceConfigure signature engines on the Sensor ApplianceUse IDM to configure the Sensor ApplianceConfigure event action on the Sensor ApplianceConfigure event monitoring on the Sensor ApplianceConfigure advanced features on the Sensor ApplianceConfigure and tune Cisco IOS IPSConfigure SPAN & RSPAN on Cisco switchesjfdk 来源：考试大思科认证考试V Implement Identity ManagementConfigure RADIUS and TACACS+ security protocolsConfigure LDAPConfigure Cisco Secure ACSConfigure certificate-based authenticationConfigure proxy authenticationConfigure 802. 1xConfigure advanced identity management featuresConfigure Cisco NAC FrameworkVI Implement Control Plane and Management Plane SecurityImplement routing plane security features (protocol authentication, route filtering)Configure Control Plane PolicingConfigure CP protection and management protectionConfigure broadcast control and switchport securityConfigure additional CPU protection mechanisms (options drop,logging interval)Disable unnecessary servicesControl device access (Telnet, HTTP, SSH, Privilege levels)Configure SNMP, Syslog, AAA, NTPConfigure service authentication (FTP, Telnet, HTTP, other)Configure RADIUS and TACACS+ security protocolsConfigure device management and securityVII Configure Advanced SecurityConfigure mitigation techniques to respond to network attacks Configure packet marking techniquesImplement security RFCs (RFC1918/3330,RFC2827/3704)Configure Black Hole and Sink Hole solutionsConfigure RTBH filtering (Remote Triggered Black Hole)Configure Traffic Filtering using Access-ListsConfigure IOS NATConfigure TCP InterceptConfigure uRPFConfigure CARConfigure NBARConfigure NetFlowConfigure Anti-Spoofing solutionsConfigure PolicingCapture and utilize packet capturesConfigure Transit Traffic Control and Congestion ManagementConfigure Cisco Catalyst ad vanced security featuresVⅢI Identify and Mitigate Network AttacksIdentify and protect against fragmentation attacksIdentify and protect against malicious IP option usageIdentify and protect against network reconnaissance attacksIdentify and protect against IP spoofing attacksIdentify and protect against MAC spoofing attacksIdentify and protect against ARP spoofing attacksIdentify and protect against Denial of Service (DoS) attacksIdentify and protect against Distributed Denial of Service(DDoS) attacksIdentify and protect against Man-in-the-Middle (MiM) attacksIdentify and protect against port redirection attacksIdentify and protect against DHCP attacksIdentify and protect against DNS attacksIdentify and protect against Smurf attacksIdentify and protect against SYN attacksIdentify and protect against MAC Flooding attacksIdentify and protect against VLAN hoping attacksIdentify and protect against various Layer2 and Layer3 attacks。

泰克网络实验室学员笔记关于CISCO的SECRET密码之研究笔记总结R1:enable secret ciscoenable secret 5 $1$cp.P$XcHi1lzUlcte5m76dd/m X/enable secret 5 $1$GTcF$OA0kUroXwO8LxiaYoDW Hm.R2:enable secret ciscoenable secret 5 $1$u.ua$tW PABmRfVqehDBwUBL.YM1enable secret 5 $1$nO3V$dZyfp/fZv3rOYXpNRX K99.上面保存的，用的是md5的hash方法，hash是个单向函数，只能有几个输入得出一个定长的输出，相同的输入将会得到相同的输出，不能由输出来推导出某个输入参数，这就是单向函数的意思；1，在同一台路由器上，用相同的密要得出了不相同的输出，可以参见r1的上面的输出，那二个值都是m d5关于cisco的输出；由上面的m d5的输出，可以揄理，肯定会有多个输入，否则相同的输入（一个密要cisco)将会得出相同的输出；2，把r1上的enable secret 5 $1$cp.P$XcHi1lzUlcte5m76dd/mX/复制到r2上面，在r2上进入enable模式时，也是相同的密要cisco；由1知道，输入有多个，由2知道，多个输入参数不会是本地有效的，否则，r2如何知道r1的某个输入。

所以，只有一种情况，输入参数隐含在上面的m d5的那串值当中，这个输入参数，一般叫做初始化向量，IV .初始化向量是不需要被m d5 hash的，只是为了更加安全，可参见下面的m d5的图；由此，我们可以知道，为什么同一个密码，md5值是不一样的，而且，r1的m d5值放到r2上也是可以正常使用的原因了；。

91ri渗透笔记整理【渗透笔记】（壹）1.避免0day攻击的最好办法是实现启发式（Heuristic）或基于轮廓（Profile-based）的入侵检测系统。

2.常见的安全证书包括CCIE: Security、CEH、CISSP、CCSP、GIAC、OPSTA和Security+。

3.Nmap扫描主机开放端口，能够在运行IPSec的OpenBSD 2.7 系统上引发DOS攻击。

当使用-sO选项运行Nmap时，就会引起OpenBSD系统奔溃。

4.现在已知端口扫描能够在下述环境中引发DOS攻击：Efficient Networks Routers、pcAnywhere9.0、安装了Novell intraNetWare Client的Windows 95/98。

5.湿件（Wetware），湿件就是计算机中人类的因素。

6.被动侦查：用户组会议、Web网站上的信息、Edgars数据库、社工库、UUNet新闻组、商业伙伴、垃圾搜索、社会工程学;主动侦查：端口扫描、DNS查询、区域传输、ping 扫描、路由跟踪、OS特征检测.7.端口扫描的几种类型：TCP Connect（）扫描、SYN扫描、NULL扫描、FIN扫描、ACK扫描、Xmas-Tree扫描、Dumb扫描、Reverse Ident扫描8.灰箱测试（Gray-Box）：测试人员模拟内部雇员。

他们得到了一个内部网络的账号，并且拥有了访问网络的标准方法。

这项测试用于评估来自企业内部职员的攻击。

9.在netcat中，经常使用53端口监听的原因是：这个端口号是分配跟DNS使用的，通常防火墙开放这个端口。

如果选择其他不常用的端口，那么防火墙可能会阻断这些端口的流量。

10.盲注的核心语句：php?id=1 and (select ord(mid(group_concat(SCHEMA_NAME),20,1))from information_schema.schemata)>011.VLAN 跳跃攻击利用了DTP。

CISCO认证学习笔记总结第1章故障处理方法一、网络的复杂性一般网络包括路由、拨号、交换、视频、wan（isdn、帧中继、atm、…）、lan、vlan、…二、故障处理模型1、界定问题（define the problem）详细而精确地描述故障的症状和潜在的原因2、收集详细信息（gather facts）r>信息来源：关键用户、网络管理系统、路由器/交换机1）识别症状：2）重现故障：校验故障依然存在3）调查故障频率：4）确定故障的范围：有三种方法建立故障范围a由外到内故障处理（outside-in troubleshooting）：通常适用于有多个主机不能连接到一台服务器或服务器集b由内到外故障处理（inside-out troubleshooting）：c半分故障处理（divide-by-half troubleshooting）3、考虑可能情形（consider possibilities）考虑引起故障的可能原因4、建立一份行动计划（create the action plan）5、部署行动计划（implement the action plan）用于纠正网络故障原因。

从最象故障源处，想出处理方法每完成一个步骤，检查故障是否解决6、观察行动计划执行结果（observe results）7、如有行动计划不能解决问题，重复上述过程（iterate as needed）三、记录所做修改在通过行动计划解决问题后，建议把记录作为故障处理的一部分，记录所有的配置修改。

第2章网络文档一、网络基线解决网络问题的最简单途径是把当前配置和以前的配置相比较。

基线文档由不同的网络和系统文档组成，它包括：a网络配置表b网络拓扑图ces网络配置表des网络拓扑图创建网络的注意事项：1）确定文档覆盖的范围；2）保持一致：收集网络中所有设备的相同信息；3）明确目标：了解文档的用途；4）文档易于使用和访问；5）及时维护更新文档。

CCNP 路由笔一OSPF 篇：OSPF EIGRP 都是用 4 个逻辑分支 1 发现邻居（发送 hello 报文）2 建立邻居表（ two way ）3 建立拓扑表4 建立路由表（选择最佳路由）流程为down -nit- two way（建立邻居成功 DR BDR选举完成）-exstat （交换之前会选出主从关系确定谁先发送数据） -exchange （交换 DB 过程） loadiing （交换 lsu ） full （完成整个数据交换 ospf 真个过程建立完成）。

基础知识1. ABR （至少有一个接口与另外两个 OSPF 区域相连）骨干路由器（至少有一个接口在 AREA 0 区域内）内部路由器（所有接口都再这个区域内）指定路由器DR （在交换数据链路LSA时不是每个路由器都相互转发而是通过DR/BDR 进行 2. DRother 向 DR,BDR 发送 DD,LSA request 或者 LSA UPdate 时目标地址是 AllDRouter（224.0.0.6）; 或者理解为： DR 侦听 224.0.0.6DR,BDR 向 DRother 发送 DD,LSA Request 或者 LSA Update 时目标地址是AllSPFRouter（224.0.0.5）; 或者理解为： DRother 侦听 224.0.0.5并且所有的 DROTHER 与 DR 只会形成 TWOWAY 邻居关系但是不会形成 full只有 DR 或 BDR 出现故障才回重新选举，即使加进来的优先级或者 RID 再打也不会重新选举，如果 DR 出现故障那么 BDR 接替，如果 BDR 出现故障重新选举 BDR,DR 保持不变LSA^9誓通名称1SffiS ISA■斑茁踊庄罢都创冊1芸LSA.壬亍充逹站的曲个寰N材疋目己在国芳斎串器中，毎丁艺减的LSDBBLgg-Tl S ISA EJEiiiT当IGRS田畚昭罔口和所宵損□的IP芯址.1貝LSA込嘉于确还裳节弼燈2 I两殆LSA毎卞中精駅虽一亍・田子屠中阳D復创It・H还了子购及厦摄SJ霞孕网的JS田墓接口3強第汇总LSA 1 ®IO 2 LSA .戡週吿期舅—亍区増.它■出了汹撻居K昭fiW f子卿）和幵情.归不暫塞柘卄戳据4ASBR U LSA畫魁于3 LSA.只屋谢害一翹銅于前柱ASBR的主机匪由5AS外圈LSA S AS6R 用于搭逹豪注心OSPF胸3外由6迟昵员商空LSA)S»?9 MOSPF SAW. Cisco IOS 不贡持亘7NSSA 外茁LSA冥幅于5笑LSA” RgBNSSA^^内的ASBR包周B外那■性LSA实册匹9—1一-不Q明用ft運崔LWA”朝万诞睾棗护展03P餐洌如”内直梅胡RLS遼■工螺0改了1QS LSA 地址ABR会有很多1类LSA，每个区域的LSA都会在ABR中列出'。

cisco网络安全认证Cisco网络安全认证（Cisco Certified Network Associate Security，简称CCNA Security）是由思科官方提供的网络安全认证。

该认证是针对拥有一定的网络知识和技能的网络工程师、网络管理员和网络技术支持人员设计的，旨在通过培养掌握网络安全基本概念、了解安全技术和解决方案的专业人才，提高网络安全防护能力。

CCNA Security认证的主要内容包括网络安全原则、安全威胁和防范措施、安全设备和技术、安全策略和管理等方面的知识。

认证的核心内容包括：1. 网络安全基础知识：了解网络安全的基本概念、原则和方法，包括网络攻击类型、安全威胁、攻击检测与防御等。

2. 安全设备和技术：掌握常用的网络安全设备和技术，如防火墙、入侵检测系统（IDS）、防病毒软件和虚拟专用网络（VPN）等。

3. 安全策略和管理：学习制定和实施有效的安全策略，包括安全策略制定、安全策略的执行和管理、安全事件和风险管理等。

CCNA Security认证考试采用单项选择题和实验题相结合的形式，考察考生在实际应用中对安全技术的理解和应用能力。

除了通过考试，考生还需要参加实验室实践，验证和应用所学的知识和技能。

获得CCNA Security认证后，考生能够独立进行网络安全的评估和保护工作，具备构建安全网络的能力，能够掌握安全配置、安全策略和安全管理等技能，提高网络的安全性，保护网络免受各种网络攻击。

总结起来，CCNA Security认证是一种权威的网络安全认证，对于网络工程师、网络管理员和网络技术支持人员来说，具有重要的意义。

除了拥有CCNA Security认证，还可以进一步深入学习和研究网络安全领域的知识，从事网络安全相关的工作，为企业和组织提供更加安全可靠的网络环境。

思科ASA防火墙笔记防火墙命令1、可以在config下面直接show run int，而路由器是do show run int2、查看路由表show route 而路由器是show ip route3、查看接口状态show int ip b 而路由器是show ip int b4、防火墙检测是a、初始化状态化检测b、access-list c、默认防火墙策略MPF模块化策略框架class-map match -----> policy-map class inspect -----> service-policy5、Icmp包中的id和序列号，一般是把id当做端口号6、可以在config下面clear config all 清除running-configure 或者叫做出厂重置，wr erase清空start-config而路由器不能清除running-configure7、网管telnet23 ssh22 snmp(get set trap ) asdm（ASA设备管理，java程序，通过https443）在configure模式下telnet 0 0 inside 表示从inside进来的所有的源允许telnet，注意telnet不能从接口级别最低的接口AAA authentication telnet console LOCAL8、SSH 路由器需要hostname+domain-name，而防火墙不需要9、Managerment-only把防火墙的任何接口都变成纯网管管理接口，不能穿越ASA10、redundant冗余接口不能起子接口11、channel捆绑接口带宽叠加ON LACP( ACTIVE PASSIVE)公有PAgp私有捆绑接口根据源MAC做HASH 可以起子接口12、静态路由route nameif 前缀掩码next-hop13、防火墙所有的都是正掩码比如是255.255.255.0 255.255.255.22414、SLA(service-level Aggrement服务等级协议探测probe线路是否可用，依托ipicmpecho 即ping包测试) ECMP (equal cost mutil path等价开销多路径)15、防火墙配置PBR解决浮动静态路由(调整管理距离)问题，既主备又流量分担的问题。

Chapter 3. Cisco IOS Specifics and SecurityExam Topics in This Chapterz Cisco IOS specificsz Routing and switching security features: IE MAC address controls, port security, DHCP snoopz Security policy best practicesYou can find a list of all of the exam topics in the introduction to this book. For the latest updates on exam topics, visit .This chapter covers the CCIE Cisco IOS specifics topic area. Unfortunately, the blueprint does not detail the exact requirements, and "Cisco IOS" in general could mean the entire range of topics. Thus, this chapter covers topics that are actually possible topics on the written exam and that are common to the routing and switching blueprint. This chapter covers routing and switching blueprint objectives together with the security blueprint objectives. The CCIE technical teams generally gather the test questions from a common pool available to any CCIE track. This chapter covers the following topics:z Cisco Hardware Covers the hardware components on a Cisco router, namely the System Flash, nonvolatile RAM (NVRAM), and how files are saved to and from a TFTP server.z show and debug Commands Presents the most common show and debug commands used on Cisco routers to manage an IP network.z Password Recovery Describes how password recovery is completed on Cisco IOS routers.z Basic Security on Cisco Routers Reviews some commands used to ensure that Cisco routers are secured with basic passwords.z IP Access Lists Covers both standard and extended IP access lists and their formats.z Layer 2 Switching Security Introduces MAC address controls, port security on Cisco switches, and Dynamic Host Configuration Protocol (DHCP) security options.z Security Policy Best Practices: A Cisco View Takes a brief look at Cisco-recommended best practices for developing a security policy."Do I Know This Already?" QuizThe purpose of this assessment quiz is to help you determine how to spend your limited study time.If you can answer most or all of these questions, you might want to skim the "Foundation Topics" section and return to it later, as necessary. Review the "Foundation Summary" section and answer the questions at the end of the chapter to ensure that you have a strong grasp of the material covered.If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. If you find these assessment questions difficult, read through the entire "Foundation Topics" section and review it until you feel comfortable with your ability to answer all of these and the "Q & A" questions at the end of the chapter.Answers to these questions can be found in Appendix A, "Answers to Quiz Questions."1.What IOS command will display the System Flash?a.show flashb.show system flashc.show memoryd.show process flash2.The network administrator has forgotten the enable password, and all passwords are encrypted. What should the networkadministrator do to recover the password without losing the current configuration?a.Call the TAC and ask for a special backdoor password.b.Call the TAC and raise a case to supply the engineering password.c.Reboot the router, press the Break key after the reload, and enter ROM mode and change the configuration register.d.Reboot the router, press the Break key during the reload, enter ROM mode and change the configuration register, andwhen the router reloads, remove the old configuration.3.What is the enable password for the following router?enable password Simona.More data is required.b.Simon.c.simon or Simon.d.You cannot set the password to a word; it must also contain digits.4.If the configuration register is set to 0x2101, where is the IOS image booted from?a.slot0:b.slot1:c.Flashd.ROMe.TFTP server5.What IOS command will copy the running configuration to a TFTP server?a.copy running-config to tftpb.write networkc.copy running-config tftpd.write erase6.What debug command allows an administrator to debug only packets from the network 131.108.0.0/16?a.debug ip packetb.terminal monitorc.debug ip packet 1access-list 1 permit 131.108.0.0d.debug ip packet 1access-list 1 permit 131.108.0.0 0.0.255.255e.debug ip packet 1access-list 1 permit 131.108.0.0 255.255.0.07.After entering debug ip packet, no messages appear on your Telnet session. What is the likely cause?a.OSPF routing is required.b.The console port does not support debug output.c.The terminal monitor command is required.d.IP packets are not supported with the debug command.8.To change the configuration register to 0x2141, what is the correct IOS command?a.copy running-config registerb.configuration 0x2141c.config 0x2141 registerd.config-register 0x2142e.config-register 0x21419.Where is the startup configuration stored on a Cisco router?a.In the CAM tableb.NVRAMc.RAMd.Flashe.slot0:10.Which of the following statements is true?a.The enable secret command overrides the enable password command.b.The enable command overrides the enable secret password command.c.Enable passwords cannot be used when the secret password is used.d.Both a and c are true.11. A Cisco router has the following configuration:line vty 0 4loginWhat will happen when you telnet to the router?a.You will be prompted for the login password.b.You will enter EXEC mode immediately.c.You will not be able to access the router without the password set.d.More configuration is required.12. A Cisco router has the following configuration:line vty 0 4no loginpassword cIscOWhen a Telnet user tries to establish a remote Telnet session to this router, what will happen?a.The Telnet user will be prompted for the login password, which is set to cIscO.b.The Telnet user will enter EXEC mode immediately.c.The Telnet user will not be able to access the router without the password set.d.More configuration is required.e.The Telnet user will be prompted for the login password; password case does not matter.13. A Cisco router has the following configuration:line vty 0 1no loginpassword ciscoline vty 2 4loginpassword ciScoWhen a third Telnet session is established to a remote router with the preceding configuration, what will happen?a.You will be prompted for the login password, which is set to cisco.b.You will be prompted for the login password, which is set to ciSco.c.You will enter EXEC mode immediately.d.You will not be able to access the router without the password set.e.More configuration is required.14.Which of the following access lists will deny any IP packets sourced from network 131.108.1.0/24 and destined for network131.108.2.0/24 and permit all other IP-based traffic?a.access-list 1 deny 131.108.1.0b.access-list 1 deny 131.108.1.0 0.0.0.255c.access-list 100 permit/deny ip 131.108.1.0 0.0.0.255 131.108.2.0 0.0.0.255d.access-list 100 deny ip 131.108.1.0 0.0.0.255 131.108.2.0 0.0.0.255access-list 100 permit ip any any15.Which of the following secure protocols are available to manage Cisco IOS software? (Choose the best three answers.)a.Telnetb.SSHc.HTTPSd.HTTPe.IPSec-ESPf.IPSec-AH16.What types of attacks can intruders use to enable them to attack VLANs on a Layer 2 switched network?a.CAM table overflowb.VLAN manipulation or hoppingc.BPDU manipulationd.MAC address spoofinge.DHCP starvationf.All of these17.What information is stored in the CAM table?a.IP-to-MAC address informationb.BPDU detailsc.The CAM table is only used on routersd.MAC information mapped to port interfaces18.How can the CAM table be exploited by intruders?a.It cannot be exploited.b.CAM tables can be used to forward all packets to certain interfaces by flooding the switch with the MAC address'ssource by one or more interfaces.c.It can be used to gain Telnet access.d.It can be used to cause a memory leak attack.19.What is VLAN hopping?ing a trunk port to access all VLANs, thus bypassing an access control deviceb.Modifying the 802.1p field to an IP packet, causing the switch to put the attacker's port in a different VLANc.Sniffing a Layer 2 port to determine the DSCP fieldsd.None of these20.How is a DHCP starvation attack achieved?a.Freeing IP packets so that they can traverse the network endlesslyb.Broadcasting DHCP requests with spoofed MAC addressesc.Intercepting DHCP offer packets and performing a DOS attack on the DHCP serverd.None of these21.When preparing a security policy, what are the three core requirements?a.Define a password list.b.Create acceptable-usage policy statements.c.Conduct a risk analysis.d.Establish a security team structure.e.None of these.22.An administrator notices a router's CPU utilization has jumped from 2 percent to 100 percent, and that a CCIE engineer wasdebugging. What IOS command can the network administrator enter to stop all debugging output to the console and vty lines without affecting users on the connected router?a.no logging console debuggingb.undebug allc.line vty 0 4d.no terminal monitor (term no monitor)e.reload the routerFoundation TopicsCisco HardwareCisco routers consist of many hardware components. The main components of a Cisco router include the following: z RAMz NVRAMz Flashz CPUz ROMz Configuration registersz InterfacesFigure 3-1 illustrates the hardware components on Cisco routers.Figure 3-1. Components of a Cisco RouterEach hardware component is vital for Cisco routers to operate properly. To help you prepare for the CCIE Security written exam, the next few sections present the main concepts you need to know about Cisco hardware components.Random-Access MemoryRouters use RAM to store the current configuration file and other important data collected by the router (such as Cisco Express Forwarding [CEF] tables and Address Resolution Protocol [ARP] entries, to name a few). This data includes the IP routing table and buffer information. Buffers temporarily store packets before they are processed. All Cisco IOS processes, such as routing algorithms (Open Shortest Path First [OSPF] and Border Gateway Protocol [BGP], for example), also run in RAM.RAM information is lost if the router power cycles (when a router loses and regains power) or is restarted by an administrator. To view a router's current configuration, use the show running-config IOS command. Before Cisco IOS version 10.3, administrators used the write terminal command to show a router's configuration. The write terminal command is still valid in today's Cisco IOS releases, although Cisco IOS releases 12.2T and above now provide a warning to use the new commands only.Cisco IOS software is hardware-specific, and the image loaded on various router platforms varies from platform to platform. For example, the image on a Cisco 4500 (end of sale in 2004) will not run on a Cisco 3600, nor will an image designed for an 1800 run on the 3800. Also, IOS images contain certain features, such as Internetwork Packet Exchange (IPX) or Data Encryption Standard (DES) encryption. For example, you can load only Cisco IOS software that supports IP or IP plus DES encryption, and so forth.Visit the following Cisco website for more details on Cisco IOS images and platform requirements: /public/sw-center/sw-ios.shtml.Nonvolatile RAMNVRAM stores a copy of the router's configuration file. The NVRAM storage area is retained by the router in the event of a power cycle. When the router powers up from a power cycle or a reboot (reload command), the Cisco IOS software copies the stored configuration file from the NVRAM to RAM. To view the configuration file stored in NVRAM, issue the show startup-config command. In earlier versions of Cisco IOS software (before version 10.3), the show config command was used to view the configuration file stored in NVRAM. In Cisco IOS versions 11.0 and above, both the show config and show startup-config commands will work. The crypto keys are also stored in NVRAM.System FlashThe System Flash is erasable and programmable memory used to store the router's IOS image. Although Flash memory is always limited in size, it can contain multiple versions of Cisco IOS software. Therefore, you can delete, retrieve, and store new versions of Cisco IOS software in the Flash memory system. To view the Flash memory on a Cisco router, use the show flash IOS command. Example 3-1 displays the Flash filename on a router named R1.NoteOn a high-performance router, such as Cisco 3800 series or 7500 series routers, you can make the Flash system look like a file system and store many versions of Cisco IOS software. The IOS command to partition the System Flash is partition flash number-of-partition size-of-each-partition. Even on a low-end router, such as the 2500, the Flash can be partitioned.Example 3-1. show flash CommandR1>show flashSystem flash directory:File Length Name/status1 9558976 c2500-ajs40-l.12-17.bin[9559040 bytes used, 7218176 available, 16777216 total]16384K bytes of processor board System flashExample 3-1 shows that the IOS image, c2500-ajs40-l.12-17.bin, is currently stored on the router's on-board System Flash.The Cisco IOS series routers, such as the 7500 or 3800 series, provide the option of installing additional PCMCIA Flash memory. If this additional memory is installed, the dir slot0: IOS command displays the IOS image stored in slot0.NoteCisco recently renamed all of its IOS images to permit a total of only eight possible trains. Visit /kobayashi/sw-center/sw-ios.shtml for more details. This link requires a Cisco CCO account.Central Processing UnitThe CPU is the heart of a router, and every Cisco router has a CPU. A CPU manages all the router's processes, such as IP routing, and new routing entries, such as remote IP networks learned through a dynamic routing protocol.To view a CPU's status, use the show process IOS command.Example 3-2 shows a sample display taken from a Cisco IOS router.Example 3-2. (Truncated) show process CommandR1>show processCPU utilization for five seconds: 9%/7%; one minute: 9%;five minutes: 10%PID QTy PC Runtime (ms) Invoked uSecs Stacks TTY Proc1 Csp 318F396 24456 1043 234 732/1000 0 Load Meter2 M* 0 28 28 1000 3268/4000 0 EXEC3 Lst 317D1FC 1304 175 5257 1724/2000 0 Check heap...The show process command displays the router utilization within the past 5 seconds, the past 1 minute, as well as the average over the last 5 minutes. Details about specific processes follow the CPU utilization statistics.Read-Only MemoryROM stores a scaled-down version of a router's IOS image in the event that the Flash system becomes corrupted or no current IOS image is stored in Flash. ROM also contains the bootstrap program (sometimes referred to as the rxboot image in Cisco documentation) and a device's power-up diagnostics. You can perform a software upgrade (that is, perform a software image upgrade on ROM) only by replacing ROM chips, because ROM is not programmable.The bootstrap program enables you to isolate or rule out hardware issues. For example, suppose that you have a faulty Flash memory card and, subsequently, the router cannot boot the IOS image. The power diagnostics program tests all the hardware interfaces on the router. ROM mode contains a limited number of IOS commands, which enable the administrator or the Technical Assistance Center (TAC) to help troubleshoot and ascertain any hardware or configuration issues on a Cisco router. Cisco TAC is available 24 hours a day, 7 days a week. You must pay Cisco for this service and have a valid contract number to open any cases.Unfortunately, not all Cisco routers have the same ROM code, so the commands might vary, but the principle remains the same. You can always issue the ? command in ROM mode to identify the available commands used to troubleshoot a Cisco IOSbased router. Newer Cisco hardware models now contain a new boot program stored in boot Flash rather than in ROM. The program is a little more user-friendly. Menu-driven options are available to change the configuration register, for example.Example 3-3 provides all the available options on a Cisco 3800 router when the ? command is used in ROM mode.Example 3-3. ? Command Used When in ROM ModeSystem Bootstrap, Version 12.0(3)T, RELEASE SOFTWARE (fc1)Copyright 1999 by cisco Systems, Inc.C1700 platform with 49152 Kbytes of main memoryrommon 1 > ?alias set and display aliases commandboot boot up an external processbreak set/show/clear the breakpointconfreg configuration register utilitycont continue executing a downloaded imagecontext display the context of a loaded imagecookie display contents of cookie PROM in hexI Initializedev list the device tableunalias unset an aliasunset unset a monitor variablexmodem x/ymodem image downloadThe options in Example 3-3 include the ability to initialize a router with the i command after you have finished ROM mode. ROM mode enables you to recover lost passwords by altering the configuration registers (covered in the "Password Recovery f:\xmlint " section, later in this chapter).Configuration RegistersThe configuration register is a 16-bit number that defines how a router operates on a power cycle. These options include whether the IOS image will be loaded from Flash or ROM. Configuration registers advise the CPU to load the configuration file from the NVRAM or to ignore the configuration file stored in memory, for example. The default configuration register is displayed as 0x2102. Table 3-1 lists the binary conversion from 0x2102.Visit /en/US/products/hw/routers/ps282/products_installation_guide_chapter09186a008007dfd0.html#wp1010336 for more details on the Configuration Register Settings.The bits are numbered from right to left. In the preceding example, the value is displayed as 0x2102 (0010.0001.0000.0010). The function of the configuration register bits is determined by their position, as follows:z Bits 0 through 3 Determines whether the router loads the IOS from the Flash. Possible values are 00 - stays at the ROM monitor on a reload or power cycle, 01 - boots the first image in CompactFlash memory as a system image, or 02 - F enables default booting from CompactFlash memory. In Hexadecimal the range is 0x0000-0x000F.z Bit 4 Reserved.z Bit 5 Reserved.z Bit 6 Tells the router to load the configuration from NVRAM if set to 1 and to ignore the NVRAM if set to 0.z Bit 7 Referred to as the original equipment manufacturer (OEM) bit in Cisco documentation and is not used.z Bit 8 Specifies whether to enter ROM mode without power cycling the router. If bit 8 is set to 1 and the Break key is issued while the router is up and running normally, the router will go into ROM mode. This is a dangerous scenario, because if this occurs, your router immediately stops functioning.z Bit 9Causes the system to use the secondary bootstrap. This bit is typically not used and is set to 0.z Bit 10 Specifies the broadcast address to use, where 1 equals the use of all 0s for broadcast at boot (in conjunction with bit 14). Bit 10 interacts with bit 14.z Bits 11 and 12 Set the console port's baud rate. For example, if bits 11 and 12 are set to 00, the baud rate is 9600 bps. A baud rate of 4800 bps can be set when these bits are set to 01. 10 sets the baud rate to 2400 bps, and 11 sets the baud rate to 1200 bps.z Bit 13 Tells the router to boot from ROM if the Flash cannot boot from a network, such as a TFTP server. If bit 13 is set to 0 and no IOS image is found, the router will hang. If bit 13 is set to 1 and no IOS image is found, the router boots from ROM.z Bit 14 Interacts with bit 10 to define the broadcast address.zBit 15 Specifies whether to enable diagnostics display on startup and ignore the NVRAM.To view the current configuration register, use the show version IOS command.Example 3-4 displays the configuration register of a router, R1 (taken from a 7500 series router).Example 3-4. (Truncated) show version CommandRouter1> show versionCisco Internetwork Operating System SoftwareIOS (tm) 7200 Software (C7200-J-M), Experimental Version 11.3(19970915:164752) [hampton-nitro-baseline 249]Table 3-1. x2102 Binary Conversion Bit Number Value 15014013112011010090817060504030201100Copyright 1986-1997 by cisco Systems, Inc.Compiled Wed 08-Oct-97 06:39 by hamptonImage text-base: 0x60008900, data-base: 0x60B98000ROM: System Bootstrap, Version 11.1(11855) [beta 2], INTERIM SOFTWAREBOOTFLASH: 7200 Software (C7200-BOOT-M), Version 11.1(472), RELEASE SOFTWARE (fc1)Router1 uptime is 23 hours, 33 minutesSystem restarted by abort at PC 0x6022322C at 10:50:55 PDT Tue Oct 21 1997System image file is "tftp://171.69.1.129/hampton/nitro/c7200-j-mz"cisco 7206 (NPE150) processor with 57344K/8192K bytes of memory.R4700 processor, Implementation 33, Revision 1.0 (512KB Level 2 Cache)Last reset from power-onBridging software.X.25 software, Version 3.0.0.SuperLAT software copyright 1990 by Meridian Technology Corp).TN3270 Emulation software.8 Ethernet/IEEE 802.3 interface(s)2 FastEthernet/IEEE 802.3 interface(s)4 Token Ring/IEEE 802.5 interface(s)4 Serial network interface(s)1 FDDI network interface(s)125K bytes of non-volatile configuration memory.1024K bytes of packet SRAM memory.20480K bytes of Flash PCMCIA card at slot 0 (Sector size 128K).20480K bytes of Flash PCMCIA card at slot 1 (Sector size 128K).4096K bytes of Flash internal SIMM (Sector size 256K).Configuration register is 0x2102The output from Example 3-4 displays the configuration register as 0x2102. The show version command also displays other useful router information, such as the router's uptime, the IOS image in use, and the hardware configuration. To change the configuration register, use the global configuration command, configure-register register-value. When a configuration register is changed, use the show version command to ensure that the register has been changed to the new value.Table 3-2 displays common configuration register values you can use in day-to-day troubleshooting of Cisco IOS routers.Table 3-2. Common RegistersRegister Value Description0x2100Boots the router using the system bootstrap found inROM.0x2102Boots the router using Flash and NVRAM. This is thedefault setting.0x2142Boots the router using Flash and ignores NVRAM. Thisvalue is used to recover passwords or modifyconfiguration parameters.Cisco InterfacesInterfaces provide connections to a network. Interfaces include LANs, WANs, and management ports (that is, console and auxiliary ports).To view the current LAN or WAN interfaces, issue the show interface command, which displays all LAN and WAN interfaces. To display information regarding console or auxiliary ports, use the show line command. Figure 3-2 summarizes the available IOS commands that administrators can use to view a router's current configuration.Figure 3-2. Interface IOS CommandsNow that you have reviewed Cisco router hardware basics, it is time to review how routers operate. In addition to router operation, this chapter covers how administrators can manage Cisco routers by saving and loading files to and from a TFTP server.NoteCisco routers can operate in a number of modes. Cisco defines them as follows:z ROM boot mode When the router is in boot mode and loaded with a subset of the IOS image, only a limited number of commands are available.z Configuration mode Where you make configuration changes. An example prompt is Router1(config)#.z Interface configuration mode Where you make configuration changes to interfaces such as the Ethernet or Serial connections. An example prompt is Router1(config-if)#.z Initial configuration mode When a router first boots up out of the box with no initial configuration, you are prompted for basic system configuration details, such as name and IP address assignment. The prompt looks like this:Would you like to answer the initial configuration dialog? [yes/no]z User EXEC mode Basic IOS commands are permitted from the command-line interface (CLI). An example prompt is R1>.z Privileged EXEC mode (also referred to as enabled mode) Advance IOS commands are permitted when the enable password or secret password is entered from the CLI. An example prompt is R1#.Saving and Loading FilesThe configuration file can reside on the router's NVRAM or RAM, or on a TFTP server. When a router boots with the default configuration register (0x2102), the configuration file is copied from NVRAM to RAM.Network administrators typically save the configuration files to a TFTP server as a backup, in case of a router failure.To save a configuration file from RAM to NVRAM (after configuration changes are made), the IOS command is copy running-config startup-config. The write memory (legacy IOS command, removed in 12.2T versions) command will also copy the running configuration to startup configuration. The write command is a legacy command from earlier releases of IOS that is still valid in today's versions of Cisco IOS software.Example 3-5 displays a successful configuration change on Ethernet 0/0, followed by a network administrator in PRIV EXEC (privileged EXEC mode) mode saving the new configuration file to NVRAM.Example 3-5. Saving Cisco IOS Configuration FilesR1#configure terminalEnter configuration commands, one per line. End with CNTL/Z.R1(config)#interface ethernet 0/0R1(config-if)#ip address 131.108.1.1 255.255.255.0R1(config-if)#exitR1(config)#exitR1#copy running-config startup-configDestination filename [startup-config]?Building configuration...[OK]R1#Table 3-3 summarizes the configuration file manipulation that can be performed on Cisco IOS routers.Table 3-3. Cisco IOS File ManipulationsCisco IOS Command Meaningcopy running-configstartup-configCopies the configuration file from RAM to NVRAM.write memory Copies the running configuration to NVRAM.(Superseded by the new command, copy running-config startup-config.)copy startup-configrunning-configCopies the configuration file from NVRAM to RAM.write terminal Displays the current configuration file in RAM.(Superseded by the new command, show running-config.)show config Displays the current configuration file in NVRAM.(Superseded by the new command, show startup-config.)copy running-config tftp Copies the configuration file stored in RAM to a TFTP server. Can also be copied to an FTP or Remote Copy (RCP) server.copy tftp running-config Copies a configuration file from a TFTP server to the running configuration.write memory Copies the running configuration to NVRAM.write erase Clears the NVRAM.show and debug CommandsCisco IOS CLI has an enormous number of show and debug commands available to the privileged EXEC user. This section covers the show and debug commands most often used to manage Cisco IOS devices.Router CLICisco IOS routers give network administrators access to a wide range of show and debug commands. The show command displays various information about the router's state of play, such as the Ethernet collisions on a particular interface or a router's configuration file. Only a subset of show commands is available when in user EXEC mode. The full range is available when in PRIV EXEC mode.The debug command is a more advanced IOS command that allows the administrator to view the router's analyses of packets or buffering mechanisms and is used only to troubleshoot a device or a complete network. The debug command is very CPU-intensive.show CommandsThe best method to appreciate the use of show commands is to display sample output from a Cisco IOS router.Example 3-6 displays a list of truncated show commands available from the CLI on a Cisco router in PRIV EXEC mode. (Version 12.2 was used to supply this output.)Example 3-6. show CommandsR1#show ?access-expression List access expressionaccess-lists List access listsaccounting Accounting data for active sessionsadjacency Adjacent nodesaliases Display alias commandsarp ARP tableasync Information on terminal lines used as routerinterfacesbackup Backup statusbgp BGP informationbridge Bridge Forwarding/Filtering Database [verbose]buffers Buffer pool statisticscaller Display information about dialup connectionscef Cisco Express Forwardingclass-map Show QoS Class Mapclock Display the system clockconfiguration Contents of Non-Volatile memoryconnection Show Connectioncontext Show context informationcontrollers Interface controller status。

思科交换机端口安全（Port-Security）配置方法详解思科交换机端口安全(Port-Security)Cisco Catalyst交换机端口安全（Port-Security）1、Cisco29系列交换机可以做基于2层的端口安全，即mac地址与端口进行绑定。

2、Cisco3550以上交换机均可做基于2层和3层的端口安全，即mac地址与端口绑定以及mac地址与ip地址绑定。

3、以cisco3550交换机为例做mac地址与端口绑定的可以实现两种应用：a、设定一端口只接受第一次连接该端口的计算机mac地址，当该端口第一次获得某计算机mac地址后，其他计算机接入到此端口所发送的数据包则认为非法，做丢弃处理。

b、设定一端口只接受某一特定计算机mac地址，其他计算机均无法接入到此端口。

4、破解方法：网上前辈所讲的破解方法有很多，主要是通过更改新接入计算机网卡的mac地址来实现，但本人认为，此方法实际应用中基本没有什么作用，原因很简单，如果不是网管，其他一般人员平时根本不可能去注意合法计算机的mac地址，一般情况也无法进入合法计算机去获得mac地址，除非其本身就是该局域网的用户。

5、实现方法：针对第3条的两种应用，分别不同的实现方法a、接受第一次接入该端口计算机的mac地址：Switch#config terminalSwitch(config)#inte**ce inte**ce-id 进入需要配置的端口Switch(config-if)#switchport mode access 设置为交换模式Switch(config-if)#switchport port-security 打开端口安全模式Switch(config-if)#switchport port-security violation {protect | restrict | shutdown }//针对非法接入计算机，端口处理模式{丢弃数据包，不发警告| 丢弃数据包，在console发警告 | 关闭端口为err-disable状态，除非管理员手工激活，否则该端口失效。

Cisco Security Agent 概述摘自CSA 客户端Help 文件Cisco Security Agent 概述 (1)状态 (2)安装软件更新 (3)轮询新配置 (3)安全性设置 (3)安全级别 (3)阻止新的网络连接 (4)检测到安装/卸载 (4)个人防火墙 (5)防病毒保护 (6)更新特征码数据库 (6)上次扫描的文件 (6)按需扫描 (6)已隔离的文件选项卡 (7)已恢复的文件选项卡 (7)文件保护 (8)选择要保护的文件 (8)输入要保护的文件和文件夹 (8)删除文件保护 (8)禁用文件保护 (9)文件保护语法 (9)不可靠的应用程序 (9)用户询问应答 (10)应答弹出式询问框 (10)记住和缓存询问应答 (10)撤消或删除对询问的应答 (11)事件 (11)Cisco Security Agent 概述Cisco Security Agent 可通过提供基于行为的主机安全，抵御在网络间扩散的攻击。

Cisco Security Agent 产品包含下列组件：Cisco Security Agent (CSA)。

CSA 执行网络管理员指定给计算机的安全策略。

CSA 代理面板记录用户的安全消息及用户对查询的应答；您也可以对它进行配置，以向用户提供从本地控制安全管理的权限。

Windows 系统中，您可以从“开始”菜单或CSA 快捷菜单启动 CSA 代理面板。

Cisco Security Agent 会按照代理下载的系统管理员自定义策略控制系统操作，从而对您的系统提供保护。

当计算机上的某个进程请求访问系统资源时，代理将根据策略允许或拒绝此操作。

在不需要请求您执行输入的情况下，代理的操作完全透明，不会明显影响系统性能。

代理现在正在系统上运行，并在系统托盘中显示代理标志图标。

∙Cisco Security Agent 管理中心 (CSA MC)。

CSA MC 安装在中心服务器上，由网络管理员管理。