思科华为交换设备安全配置命令对比
1.DHCP欺骗攻击防护命令
Cisco(config)#ip dhcp snooping //全局开启dhcp snooping开关
[Huawei]dhcp enable //全局使能DHCP功能
[Huawei]dhcp snooping enable //全局使能DHCP Snooping功能
Cisco(config)#ip dhcp snooping vlan 1 //基于vlan开启dhcp snooping
[Huawei-vlan10]dhcp snooping enable
[Huawei-GigabitEthernet0/0/1]dhcp snooping enable //使能接口的DHCP Snooping功能
[Huawei-vlan10]dhcp snooping trusted interface GigabitEthernet 0/0/1
Cisco(config-if)#ip dhcp snooping trust //在连接合法的dhcp服务器接口或去往合法DHCP服务器的所有接口设置为信任接口,默认为不信任接口
[Huawei-GigabitEthernet0/0/1]dhcp snooping trusted //配置接口为信任状态
Cisco#show ip dhcp snooping //查看DHCP snooping
[Huawei]display dhcp snooping //查看DHCP Snooping的运行信息
[Huawei]display dhcp snooping configuration //查看DHCP Snooping的配置信息
Cisco#show ip dhcp snooping binding //查看DHCP snooping绑定信息
[Huawei]display dhcp snooping user-bind all //查看DHCP Snooping绑定表信息
2.IPSG,IP源保护(防止用户私自设置IP地址)
Cisco(config)#ip dhcp snooping //必须开启
[Huawei]dhcp snooping enable //全局使能DHCP Snooping功能
Cisco(config-if)#ip verify source //untrust接口启用IP地址过滤
[Huawei-GigabitEthernet0/0/1]ip source check user-bind enable //使能接口的IP报文检查功能
Cisco#show ip verify source //验证IPSG配置
[Huawei]display ip source check user-bind interface g0/0/1 //查看接口下IPSG的配置信息
3.ARP欺骗:DAI,动态ARP检测,需结合DHCP Snooping一起使用
Cisco(config)#ip arp inspection vlan 1 //在vlan 1中启用ARP检查功能
[Huawei-GigabitEthernet0/0/1]arp anti-attack check user-bind check-item vlan
Cisco(config-if)#ip arp inspection trust //配置成DAI可信任端口,不做任何检查就转发,默认都是非信任端口
[Huawei-GigabitEthernet0/0/1]arp anti-attack check user-bind enable //使能动态ARP检测功能
4.使用安全的远程管理协议SSH
Cisco(config)#ip domain-name abc123.com //配置域名
Cisco(config)#crypto key generate rsa modulus 1024 //生成1024位的RSA密钥对
[LSW1]rsa local-key-pair create //生成本地密钥对
Cisco(config)#ip ssh version 2 //使用SSHv2
Cisco(config)#username abc123 password cisco //在设备本地认证数据库创建一条用户名和密码
[LSW1]aaa //创建SSH用户
[LSW1-aaa]local-user a1 password cipher abc123
[LSW1-aaa]local-user a1 privilege level 3
[LSW1-aaa]local-user a1 service-type ssh
[LSW1]ssh user a1 authentication-type password //认证方式为password
[LSW1]stelnet server enable //开启STelnet服务功能
[LSW1]ssh user a1 service-type stelnet //配置服务方式为STelnet
Cisco(config)#line vty 0 4
[LSW1]user-interface vty 0 4 //配置VTY用户
Cisco(config-line)#transport input ssh //允许使用SSH协议
[LSW1-ui-vty0-4]authentication-mode aaa
[LSW1-ui-vty0-4]protocol inbound ssh
Cisco(config-line)#login local //使用本地认证数据库进行身份认证,默认使用线下秘钥进行认证
Cisco#ssh -v 2 -1 abc123 100.1.1.2 //客户端进行测试