优兆科技 ITSS audit v3.09.3, service report management, yw-zybh008: IP/MAC binding, v1

Contents
Chapter 1 Project overview
  1.1 Project overview
  1.2 Technical implementation
Chapter 2 Implementation plan
  2.1 Project implementation plan
  2.2 Level-3 zone server inventory
  2.3 Level-3 aggregation switch configuration
    2.3.1 Configuration example
    2.3.2 Added configuration
    2.3.3 Final configuration
  2.4 Binding configuration for newly added devices

Chapter 1 Project overview

1.1 Project overview
The earlier risk assessment and gap analysis, namely the security-level gap analysis issued for the 国家中药品种保护审评 (National Traditional Chinese Medicine Variety Protection Review) systems and the security-level requirements they are measured against, found that the important network segments and servers currently have no binding between IP addresses and MAC addresses. This level-protection (等级保护) work is therefore carried out to close that specific gap.

1.2 Technical implementation
This project implements network MAC and IP address binding for the currently most important network zone (the level-3 protected zone) by configuring port security on the zone's existing aggregation switch. Port security fits three situations: the administrator wants only the IP and MAC addresses that the administrator has designated as legitimate to be usable on a port; users are to be tied to a fixed port so they cannot move, change IP/MAC, or change port at will; or the number of MAC addresses behind a port is to be capped to prevent MAC address exhaustion (an attacker sends frames with a continuously changing stream of forged source MACs, the switch learns a large number of useless entries in a short time, and once the 8K/16K address table is full it can no longer learn legitimate users' MACs, so their communication fails). Combined with ARP-Check, port security can also defend against ARP attacks in static-IP environments.

Port security decides, from a frame's source MAC address, whether the frame may enter a switch port: specific MAC addresses can be configured statically, and/or the number of dynamically learned MAC addresses can be limited. A port with port security enabled is called a secure port. Only frames whose source MAC address is in the port's secure address table, whether configured or learned, are forwarded into the switch; all other frames are dropped. A secure address can additionally be bound as IP+MAC, or as IP only, so that only frames that match the binding (a bound secure address as source MAC together with its bound IP) are admitted.

Chapter 2 Implementation plan

2.1 Project implementation plan
The IP-MAC binding work for the level-3 protected zone consists of the following steps:
1. Collect the MAC and IP addresses of all level-3 zone servers in scope for this level-protection work;
2. Verify, from the collected data, that each IP address corresponds to the expected MAC address;

3. Produce the network device configuration from the verified results;
4. Apply the configuration changes to the level-3 zone aggregation switch outside working hours;
5. After the IP-MAC binding is in place, verify that the business systems are still reachable.

2.2 Level-3 zone server inventory
The inventory below covers the virtual machines running on the level-3 zone virtualization platform together with the physical hosts; for each entry it records the display name, MAC address and IP address:

No.  Name                           MAC address      IP address
1    admin_windows7_SE101_001       000c.29b0.bf66   192.168.30.1
2    zy_front_iis_SE131_196         000c.295e.076b   192.168.30.196
3    zy_front_iis_SE131_193         0050.56a4.1c48   192.168.30.193
4    zy_front_iis_SE131_197         0050.56a4.a72d   192.168.30.197
5    zy_front_iis_SE131_194         0050.56a4.bc54   192.168.30.194
6    zy_sql2005_1_SE133_198         000c.29c4.1073   192.168.30.198
7    hz_debian_tomcat_1_SE_221_006  000c.29fe.3836   192.168.30.6
8    site_fabric_179                0050.56a4.c1d9   192.168.30.179
9    bj_proxy_178                   0050.56a4.9      192.168.30.178
10   _prox1_161                     0050.56a4.70d4   192.168.30.161
11   _proxy_175                     0050.56a4.a5a4   192.168.30.175
12   hz_proxy_177                   0050.56a4.8913   192.168.30.177
13   zy_proxy_176                   0050.56a4.9b39   192.168.30.176
14   _ap1_162                       0050.56a4.7819   192.168.30.162
15   _app_174                       0050.56a4.a2ce   192.168.30.174
16   _db1_172                       0050.56a4.0237   192.168.30.172
17   _db2_171                       0050.56a4.091b   192.168.30.171
18   _files_169                     0050.56a4.4fec   192.168.30.169
19   _haproxy_173                   0050.56a4.b036   192.168.30.173
20   _mongodb_145                   0050.5694.ac0c   192.168.30.145
21   _old1_170                      0050.56a4.91d6   192.168.30.170
22   _submit_167                    0050.56a4.48b5   192.168.30.167
23   site_memcached_168             0050.56a4.3ca4   192.168.30.168
24   site_163                       0050.56a4.fc4c   192.168.30.163
25   site_other_164                 0050.56a4.fd2c   192.168.30.164
26   _server_VM207_087              0050.5694.18d4   192.168.30.87
27   bj_front_tomcat_1_SE301_201    000c.293b.f38d   192.168.30.201
28   bj_front_tomcat_2_SE302_136    0050.56a4.af57   192.168.30.136
29   bj_front_tomcat_3_SE303_137    0050.56a4.acac   192.168.30.137
30   bj_front_tomcat_4_SE303_137    0050.56a4.7e33   192.168.30.138
31   _rest_126                      0050.56b3.5bee   192.168.30.124
32   _gearman_125                   0050.56b3.6086   192.168.30.125
33   site_app_165                   0050.56a4.9b2a   192.168.30.165
34   admin_windows7_SE402_002       000c.29e0.1cf0   192.168.30.2
35   bj_sql2000_1_SE411_120         000c.2909.03ce   192.168.30.120
36   bj_sql2000_1_SE412_121         000c.291b.63fd   192.168.30.121
37   hzp_sql2005_1_SE421_195        000c.291a.1470   192.168.30.195
38   vcenter_220                    000c.2970.c1ea   192.168.30.220
39   backup-server                  000c.2960.b779   192.168.30.151
40   Physical host 1                f01f.af90.2ba1   192.168.30.221
                                    f01f.af90.2ba2   192.168.30.221
41   Physical host 2                f01f.af90.2baf   192.168.30.222
                                    f01f.af90.2bae   192.168.30.222
42   Physical host 3                f01f.af90.2bbc   192.168.30.223
                                    f01f.af90.2bbb   192.168.30.223
43   Physical host 4                f01f.af90.2bc9   192.168.30.224
                                    f01f.af90.2bc8   192.168.30.224

Three things in this table need checking before it is turned into configuration (step 2 of the plan): the MAC address of entry 9 is incomplete as printed (0050.56a4.9 is only 11 hex digits, and the same value is carried into the binding commands below); entries 30 and 31 carry a different host number in the name than in the IP column (the binding commands use the IP column); and each physical host lists two MAC addresses for one IP address, so each physical host needs two binding commands.

2.3 Level-3 aggregation switch configuration
All physical servers in scope are blade servers, and each blade chassis uses a single network interface to connect to the level-3 zone aggregation switch. The port-based security configuration on the switch side is therefore applied to the uplink port of the chassis switch module.

2.3.1 Configuration example
Syntax of an IP and MAC address binding:

    switchport port-security binding <host MAC address> vlan <VLAN> <IP address>

    Ruijie> enable
    Ruijie# configure terminal
    Ruijie(config)# interface GigabitEthernet 0/1
        ! enter interface g0/1
    Ruijie(config-if-GigabitEthernet 0/1)# switchport port-security binding 0021.CCCF.6F70 vlan 10 192.168.1.1
        ! bind the host in VLAN 10 with MAC 0021.CCCF.6F70 and IP 192.168.1.1 to interface GigabitEthernet 0/1
    Ruijie(config-if-GigabitEthernet 0/1)# switchport port-security
        ! enable port security on the interface
    Ruijie(config-if-GigabitEthernet 0/1)# exit

2.3.2 Added configuration
Following the port security configuration above, the security configuration added on switch port G0/45 is:

    switchport port-security binding f01f.af90.2bc8 vlan 30 192.168.30.224
    switchport port-security binding f01f.af90.2bc9 vlan 30 192.168.30.224
    switchport port-security binding f01f.af90.2bbb vlan 30 192.168.30.223
    switchport port-security binding f01f.af90.2bbc vlan 30 192.168.30.223
    switchport port-security binding f01f.af90.2bae vlan 30 192.168.30.222
    switchport port-security binding f01f.af90.2baf vlan 30 192.168.30.222
    switchport port-security binding f01f.af90.2ba2 vlan 30 192.168.30.221
    switchport port-security binding f01f.af90.2ba1 vlan 30 192.168.30.221
    switchport port-security binding 000c.2960.b779 vlan 30 192.168.30.151
    switchport port-security binding 000c.2970.c1ea vlan 30 192.168.30.220
    switchport port-security binding 000c.291a.1470 vlan 30 192.168.30.195
    switchport port-security binding 000c.291b.63fd vlan 30 192.168.30.121
    switchport port-security binding 000c.2909.03ce vlan 30 192.168.30.120
    switchport port-security binding 000c.29e0.1cf0 vlan 30 192.168.30.2
    switchport port-security binding 0050.56a4.9b2a vlan 30 192.168.30.165
    switchport port-security binding 0050.56b3.6086 vlan 30 192.168.30.125
    switchport port-security binding 0050.56b3.5bee vlan 30 192.168.30.124
    switchport port-security binding 0050.56a4.7e33 vlan 30 192.168.30.138
    switchport port-security binding 0050.56a4.acac vlan 30 192.168.30.137
    switchport port-security binding 0050.56a4.af57 vlan 30 192.168.30.136
    switchport port-security binding 000c.293b.f38d vlan 30 192.168.30.201
    switchport port-security binding 0050.5694.18d4 vlan 30 192.168.30.87
    switchport port-security binding 0050.56a4.fd2c vlan 30 192.168.30.164
    switchport port-security binding 0050.56a4.fc4c vlan 30 192.168.30.163
    switchport port-security binding 0050.56a4.3ca4 vlan 30 192.168.30.168
    switchport port-security binding 0050.56a4.48b5 vlan 30 192.168.30.167
    switchport port-security binding 0050.56a4.91d6 vlan 30 192.168.30.170
    switchport port-security binding 0050.5694.ac0c vlan 30 192.168.30.145
    switchport port-security binding 0050.56a4.b036 vlan 30 192.168.30.173
    switchport port-security binding 0050.56a4.4fec vlan 30 192.168.30.169
    switchport port-security binding 0050.56a4.091b vlan 30 192.168.30.171
    switchport port-security binding 0050.56a4.0237 vlan 30 192.168.30.172
    switchport port-security binding 0050.56a4.a2ce vlan 30 192.168.30.174
    switchport port-security binding 0050.56a4.7819 vlan 30 192.168.30.162
    switchport port-security binding 0050.56a4.9b39 vlan 30 192.168.30.176
    switchport port-security binding 0050.56a4.8913 vlan 30 192.168.30.177
    switchport port-security binding 0050.56a4.a5a4 vlan 30 192.168.30.175
    switchport port-security binding 0050.56a4.70d4 vlan 30 192.168.30.161
    switchport port-security binding 0050.56a4.9 vlan 30 192.168.30.178
    switchport port-security binding 0050.56a4.c1d9 vlan 30 192.168.30.179
    switchport port-security binding 000c.29fe.3836 vlan 30 192.168.30.6
    switchport port-security binding 000c.29c4.1073 vlan 30 192.168.30.198
    switchport port-security binding 0050.56a4.bc54 vlan 30 192.168.30.194
    switchport port-security binding 0050.56a4.a72d vlan 30 192.168.30.197
    switchport port-security binding 0050.56a4.1c48 vlan 30 192.168.30.193
    switchport port-security binding 000c.295e.076b vlan 30 192.168.30.196
    switchport port-security binding 000c.29b0.bf66 vlan 30 192.168.30.1
    switchport port-security violation restrict
    switchport port-security

The order matters on a live uplink: the 47 bindings are entered first, the violation mode next, and `switchport port-security` last, so that port security never becomes active while the port's secure address table is still incomplete. With `violation restrict`, frames that match no binding are dropped and counted rather than disabling the port; on this single uplink a `shutdown` mode would cut off every server behind the chassis on the first stray frame.

2.3.3 Final configuration
After IP-MAC binding has been completed for all servers in the level-3 zone, the final switch configuration is as follows:

level3-SW-2#sh run
Building configuration...
Current configuration : 8590 bytes
!
version RGOS 10.4(3b16)p1 Release(162455)(Fri Jun 28 16:23:27 CST 2013 -ngcf64)
hostname level3-SW-2
!
redundancy
 auto-sync time-period 3600
 auto-sync standard
 switchover timeout 4000
!
nfpp
!
vlan 1
!
vlan 30
 name server-gw
!
vlan 110
 name to-level3FW
!
username admin password 7 1428480725537a7d50
username admin privilege 15
username auditor password 7 0279413d1c476f527a
username auditor privilege 2
username sysadmin password 7 05220434076e444372
username sysadmin privilege 3
privilege exec level 2 show
privilege exec level 2 show running-config
privilege exec level 2 show ip
privilege exec level 2 show ip route
privilege exec level 2 show startup-config
privilege exec level 3 configure
privilege exec all level 15 vlan
privilege exec all level 2 reload
privilege config level 3 interface
privilege config level 3 vlan
service password-encryption
ip ssh version 2
ip access-list standard 90
 remark Hosts allowed to SSH in
 10 permit host 192.168.2.205
!
enable secret level 1 5 $1$d11v$153u8w1F79B88u9w
enable secret 5 $1$F87J$D69v08yzAyEz9r4y
enable service ssh-server
!
spanning-tree
!
interface GigabitEthernet 0/1
 switchport access vlan 110
!
interface GigabitEthernet 0/2
 switchport access vlan 30
!
interface GigabitEthernet 0/3
 switchport access vlan 30
!
interface GigabitEthernet 0/4
 switchport access vlan 30
!
interface GigabitEthernet 0/5
 switchport access vlan 30
!
interface GigabitEthernet 0/6
 switchport access vlan 30
!
interface GigabitEthernet 0/7
 switchport access vlan 30
!
interface GigabitEthernet 0/8
 switchport access vlan 30
!
interface GigabitEthernet 0/9
 switchport access vlan 30
!
interface GigabitEthernet 0/10
 switchport access vlan 30
!
interface GigabitEthernet 0/11
 switchport access vlan 30
!
interface GigabitEthernet 0/12
 switchport access vlan 30
!
interface GigabitEthernet 0/13
 switchport access vlan 30
!
interface GigabitEthernet 0/14
 switchport access vlan 30
!
interface GigabitEthernet 0/15
 switchport access vlan 30
!
interface GigabitEthernet 0/16
 switchport access vlan 30
!
interface GigabitEthernet 0/17
 switchport access vlan 30
!
interface GigabitEthernet 0/18
 switchport access vlan 30
!
interface GigabitEthernet 0/19
 switchport access vlan 30
!
interface GigabitEthernet 0/20
 switchport access vlan 30
!
interface GigabitEthernet 0/21
 switchport access vlan 30
!
interface GigabitEthernet 0/22
 switchport access vlan 30
!
interface GigabitEthernet 0/23
 switchport access vlan 30
!
interface GigabitEthernet 0/24
 switchport access vlan 30
!
interface GigabitEthernet 0/25
 switchport access vlan 30
!
interface GigabitEthernet 0/26
 switchport access vlan 30
!
interface GigabitEthernet 0/27
 switchport access vlan 30
!
interface GigabitEthernet 0/28
 switchport access vlan 30
!
interface GigabitEthernet 0/29
 switchport access vlan 30
!
interface GigabitEthernet 0/30
 switchport access vlan 30
!
interface GigabitEthernet 0/31
 switchport access vlan 30
!
interface GigabitEthernet 0/32
 switchport access vlan 30
!
interface GigabitEthernet 0/33
 switchport access vlan 30
!
interface GigabitEthernet 0/34
 switchport access vlan 30
!
interface GigabitEthernet 0/35
 switchport access vlan 30
!
interface GigabitEthernet 0/36
 switchport access vlan 30
!
interface GigabitEthernet 0/37
 switchport access vlan 30
!
interface GigabitEthernet 0/38
 switchport access vlan 30
!
interface GigabitEthernet 0/39
 switchport access vlan 30
!
interface GigabitEthernet 0/40
 switchport access vlan 30
!
interface GigabitEthernet 0/41
 switchport access vlan 30
!
interface GigabitEthernet 0/42
 switchport access vlan 30
!
interface GigabitEthernet 0/43
 switchport access vlan 30
!
interface GigabitEthernet 0/44
 switchport access vlan 30
!
interface GigabitEthernet 0/45
 switchport access vlan 30
 switchport port-security binding f01f.af90.2bc8 vlan 30 192.168.30.224
 switchport port-security binding f01f.af90.2bc9 vlan 30 192.168.30.224
 switchport port-security binding f01f.af90.2bbb vlan 30 192.168.30.223
 switchport port-security binding f01f.af90.2bbc vlan 30 192.168.30.223
 switchport port-security binding f01f.af90.2bae vlan 30 192.168.30.222
 switchport port-security binding f01f.af90.2baf vlan 30 192.168.30.222
 switchport port-security binding f01f.af90.2ba2 vlan 30 192.168.30.221
 switchport port-security binding f01f.af90.2ba1 vlan 30 192.168.30.221
 switchport port-security binding 000c.2960.b779 vlan 30 192.168.30.151
 switchport port-security binding 000c.2970.c1ea vlan 30 192.168.30.220
 switchport port-security binding 000c.291a.1470 vlan 30 192.168.30.195
 switchport port-security binding 000c.291b.63fd vlan 30 192.168.30.121
 switchport port-security binding 000c.2909.03ce vlan 30 192.168.30.120
 switchport port-security binding 000c.29e0.1cf0 vlan 30 192.168.30.2
 switchport port-security binding 0050.56a4.9b2a vlan 30 192.168.30.165
 switchport port-security binding 0050.56b3.6086 vlan 30 192.168.30.125
 switchport port-security binding 0050.56b3.5bee vlan 30 192.168.30.124
 switchport port-security binding 0050.56a4.7e33 vlan 30 192.168.30.138
 switchport port-security binding 0050.56a4.acac vlan 30 192.168.30.137
 switchport port-security binding 0050.56a4.af57 vlan 30 192.168.30.136
 switchport port-security binding 000c.293b.f38d vlan 30 192.168.30.201
 switchport port-security binding 0050.5694.18d4 vlan 30 192.168.30.87
 switchport port-security binding 0050.56a4.fd2c vlan 30 192.168.30.164
 switchport port-security binding 0050.56a4.fc4c vlan 30 192.168.30.163
 switchport port-security binding 0050.56a4.3ca4 vlan 30 192.168.30.168
 switchport port-security binding 0050.56a4.48b5 vlan 30 192.168.30.167
 switchport port-security binding 0050.56a4.91d6 vlan 30 192.168.30.170
 switchport port-security binding 0050.5694.ac0c vlan 30 192.168.30.145
 switchport port-security binding 0050.56a4.b036 vlan 30 192.168.30.173
 switchport port-security binding 0050.56a4.4fec vlan 30 192.168.30.169
 switchport port-security binding 0050.56a4.091b vlan 30 192.168.30.171
 switchport port-security binding 0050.56a4.0237 vlan 30 192.168.30.172
 switchport port-security binding 0050.56a4.a2ce vlan 30 192.168.30.174
 switchport port-security binding 0050.56a4.7819 vlan 30 192.168.30.162
 switchport port-security binding 0050.56a4.9b39 vlan 30 192.168.30.176
 switchport port-security binding 0050.56a4.8913 vlan 30 192.168.30.177
 switchport port-security binding 0050.56a4.a5a4 vlan 30 192.168.30.175
 switchport port-security binding 0050.56a4.70d4 vlan 30 192.168.30.161
 switchport port-security binding 0050.56a4.9 vlan 30 192.168.30.178
 switchport port-security binding 0050.56a4.c1d9 vlan 30 192.168.30.179
 switchport port-security binding 000c.29fe.3836 vlan 30 192.168.30.6
 switchport port-security binding 000c.29c4.1073 vlan 30 192.168.30.198
 switchport port-security binding 0050.56a4.bc54 vlan 30 192.168.30.194
 switchport port-security binding 0050.56a4.a72d vlan 30 192.168.30.197
 switchport port-security binding 0050.56a4.1c48 vlan 30 192.168.30.193
 switchport port-security binding 000c.295e.076b v
[the captured configuration ends here]
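Steps 2 to 5 of the plan and the configuration in 2.3.2 and 2.3.3 amount to one repeatable procedure: validate the inventory, render the binding commands in the order the report applies them, and afterwards check the switch's running configuration against the inventory. The script below is an added example written for this page; it is not part of the report and not a Ruijie tool. Its inventory rows are constructed from a few entries of the table in 2.2 (including entry 9, whose MAC address the report prints incomplete), the `show running-config` fragment is constructed, and the check that every address lies in 192.168.30.0/24 is an assumption based on VLAN 30 being the server VLAN.

```python
"""Build and audit Ruijie 'switchport port-security binding' commands from a server inventory.

Added example for this page; not part of the report and not a Ruijie tool.
INVENTORY and RUNNING_CONFIG are constructed from a handful of the report's
entries; SERVER_NET (192.168.30.0/24 for VLAN 30) is an assumption.
"""
import ipaddress
import re
from collections import defaultdict

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")  # dotted form used in the report
SERVER_NET = ipaddress.ip_network("192.168.30.0/24")              # assumption: the VLAN 30 subnet

# Constructed inventory rows: (name, mac, ip). Entry 9 keeps the MAC exactly as the
# report prints it (11 hex digits); the physical host has two NICs on one IP.
INVENTORY = [
    ("admin_windows7_SE101_001", "000c.29b0.bf66", "192.168.30.1"),
    ("bj_proxy_178",             "0050.56a4.9",    "192.168.30.178"),
    ("vcenter_220",              "000c.2970.c1ea", "192.168.30.220"),
    ("physical-host-1",          "f01f.af90.2ba1", "192.168.30.221"),
    ("physical-host-1",          "f01f.af90.2ba2", "192.168.30.221"),
]


def validate(rows):
    """Return the list of problems that must be fixed before the rows become bindings."""
    problems = []
    mac_owners, ip_owners = defaultdict(set), defaultdict(set)
    for name, mac, ip in rows:
        if not MAC_RE.match(mac.lower()):
            problems.append(f"{name}: malformed MAC {mac!r}")
        try:
            if ipaddress.ip_address(ip) not in SERVER_NET:
                problems.append(f"{name}: {ip} is outside {SERVER_NET}")
        except ValueError:
            problems.append(f"{name}: malformed IP {ip!r}")
        mac_owners[mac.lower()].add(name)
        ip_owners[ip].add(name)
    problems += [f"MAC {m} listed for {sorted(n)}" for m, n in mac_owners.items() if len(n) > 1]
    # Two NICs of one host on one IP is normal; one IP on two different hosts is a conflict.
    problems += [f"IP {ip} claimed by {sorted(n)}" for ip, n in ip_owners.items() if len(n) > 1]
    return problems


def render_bindings(rows, vlan):
    """Interface-level commands in the order the report applies them: bindings first,
    violation mode next, 'switchport port-security' last, so port security never
    becomes active on the live uplink with an incomplete address table."""
    lines = [f"switchport port-security binding {mac.lower()} vlan {vlan} {ip}" for _, mac, ip in rows]
    lines.append("switchport port-security violation restrict")
    lines.append("switchport port-security")
    return lines


def audit_interface(running_config, iface, rows, vlan):
    """Compare one interface stanza of 'show running-config' with the inventory."""
    m = re.search(rf"^interface {re.escape(iface)}\n(.*?)^!", running_config, re.S | re.M)
    if not m:
        return {"found": False}
    body = [line.strip() for line in m.group(1).splitlines()]
    bound = set()
    for line in body:
        b = re.match(r"switchport port-security binding (\S+) vlan (\d+) (\S+)$", line)
        if b:
            bound.add(b.groups())
    expected = {(mac.lower(), str(vlan), ip) for _, mac, ip in rows}
    return {
        "found": True,
        "missing": sorted(expected - bound),        # in the inventory, not on the port
        "unexpected": sorted(bound - expected),     # on the port, not in the inventory
        "enabled": "switchport port-security" in body,
        "violation_restrict": "switchport port-security violation restrict" in body,
    }


# Rows whose MAC is well formed; only these may be rendered.
GOOD_ROWS = [r for r in INVENTORY if MAC_RE.match(r[1].lower())]

# Constructed 'sh run' fragment: vcenter_220 is missing, one binding is not in the
# inventory, and 'switchport port-security' has not been entered yet.
RUNNING_CONFIG = """interface GigabitEthernet 0/45
 switchport access vlan 30
 switchport port-security binding 000c.29b0.bf66 vlan 30 192.168.30.1
 switchport port-security binding f01f.af90.2ba1 vlan 30 192.168.30.221
 switchport port-security binding f01f.af90.2ba2 vlan 30 192.168.30.221
 switchport port-security binding 0050.56a4.9b2a vlan 30 192.168.30.165
 switchport port-security violation restrict
!
interface GigabitEthernet 0/46
 switchport access vlan 30
!
"""

if __name__ == "__main__":
    for p in validate(INVENTORY):
        print("PROBLEM:", p)
    print("\n".join(render_bindings(GOOD_ROWS, 30)))
    print(audit_interface(RUNNING_CONFIG, "GigabitEthernet 0/45", GOOD_ROWS, 30))
```

Run against the constructed data, `validate` reports only entry 9's malformed MAC, and the audit of G0/45 reports vcenter_220 as missing, the extra 0050.56a4.9b2a binding as unexpected, and port security as not yet enabled; the same audit on the full inventory of 2.2 is the check for step 5 that goes beyond "the business systems still answer".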
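Section 1.2 describes three behaviours: an ordinary port learns any source MAC until the shared 8K/16K table is full, a secure port forwards only frames whose source MAC (or IP+MAC pair) is in its secure address table, and the violation mode decides what happens to everything else. The toy model below is an added example written for this page, not the report's material and not Ruijie's implementation; the table size (8192), the hosts, the per-port maximum and the two violation actions modelled (`restrict` drops and counts, `shutdown` disables the port) are constructed for the demonstration.

```python
"""Toy model of the port-security behaviour described in section 1.2.

Added example for this page; not the report's material and not Ruijie's
implementation. The table size, hosts, per-port maximum and violation
actions are constructed for the demonstration.
"""
import random
from dataclasses import dataclass, field

TABLE_SIZE = 8192  # the "8K" address table the report mentions


@dataclass
class Frame:
    port: int
    src_mac: str
    src_ip: str


@dataclass
class SecurePort:
    bindings: set                   # static (mac, ip) pairs, as 'switchport port-security binding'
    violation: str = "restrict"     # 'restrict' drops and counts; 'shutdown' disables the port
    max_macs: int = 128             # ceiling for static + learned entries (constructed value)
    learned: set = field(default_factory=set)
    violations: int = 0
    down: bool = False


class Switch:
    def __init__(self, table_size=TABLE_SIZE):
        self.table_size = table_size
        self.mac_table = {}   # mac -> port, shared by all ordinary ports
        self.secure = {}      # port -> SecurePort

    def port_security(self, port, bindings, violation="restrict", max_macs=128):
        self.secure[port] = SecurePort(set(bindings), violation, max_macs)

    def ingress(self, f):
        """Decision for one frame arriving on a port: 'forward', 'drop' or 'shutdown'."""
        sp = self.secure.get(f.port)
        if sp is None:
            # Ordinary port: learn the source MAC while the shared table has room.
            # Once it is full, nothing new is learned, legitimate hosts included.
            if f.src_mac not in self.mac_table and len(self.mac_table) < self.table_size:
                self.mac_table[f.src_mac] = f.port
            return "forward"
        if sp.down:
            return "shutdown"
        # Secure port: the secure address table is the static IP+MAC pairs plus
        # MACs learned dynamically up to max_macs; anything else is a violation.
        allowed = (f.src_mac, f.src_ip) in sp.bindings or f.src_mac in sp.learned
        if not allowed and len(sp.bindings) + len(sp.learned) < sp.max_macs:
            sp.learned.add(f.src_mac)
            allowed = True
        if allowed:
            return "forward"
        sp.violations += 1
        if sp.violation == "shutdown":
            sp.down = True
            return "shutdown"
        return "drop"


def random_mac(rng):
    return "%04x.%04x.%04x" % tuple(rng.randrange(1 << 16) for _ in range(3))


def flood_unprotected(n_frames=20000, seed=1):
    """MAC exhaustion on an ordinary port: after the table fills, a legitimate host
    on another port is never learned. Returns (table size, legitimate MAC learned?)."""
    rng, sw = random.Random(seed), Switch()
    for _ in range(n_frames):
        sw.ingress(Frame(2, random_mac(rng), "0.0.0.0"))
    sw.ingress(Frame(3, "000c.29b0.bf66", "192.168.30.1"))
    return len(sw.mac_table), "000c.29b0.bf66" in sw.mac_table


def flood_secure_port(violation="restrict", n_frames=20000, seed=1):
    """The same flood against a secure port carrying two of the report's bindings,
    with the maximum set to the number of bindings so nothing extra is learned.
    Returns (decisions for four probe frames, violation count, shared table size)."""
    rng, sw = random.Random(seed), Switch()
    bindings = {("000c.29b0.bf66", "192.168.30.1"), ("f01f.af90.2ba1", "192.168.30.221")}
    sw.port_security(45, bindings, violation, max_macs=len(bindings))
    probes = [
        sw.ingress(Frame(45, "000c.29b0.bf66", "192.168.30.1")),    # bound pair
        sw.ingress(Frame(45, "0050.56a4.0000", "192.168.30.1")),    # unknown MAC spoofing a bound IP
        sw.ingress(Frame(45, "000c.29b0.bf66", "192.168.30.99")),   # bound MAC, changed IP
    ]
    for _ in range(n_frames):
        sw.ingress(Frame(45, random_mac(rng), "192.168.30.50"))     # forged source MACs
    probes.append(sw.ingress(Frame(45, "000c.29b0.bf66", "192.168.30.1")))  # legitimate host afterwards
    return probes, sw.secure[45].violations, len(sw.mac_table)


if __name__ == "__main__":
    print("unprotected:", flood_unprotected())
    print("restrict:   ", flood_secure_port("restrict"))
    print("shutdown:   ", flood_secure_port("shutdown"))
```

Two things the model makes visible: binding the MAC alone would not stop a host that keeps its MAC and changes its IP (the third probe is dropped only because the binding is IP+MAC), and on a chassis uplink that carries 43 servers a `shutdown` violation mode turns one stray frame into an outage for all of them, which is the trade-off to weigh against `restrict` on G0/45. Setting the per-port maximum to the number of bindings is the model's way of ensuring the flood can learn nothing; on the real switch the equivalent is to leave no headroom for dynamic learning on that port.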
