At interface level, the dot1x port-control command sets the port's authorization state. Its parameters mean the following:

dot1x port-control force-authorized: Disables 802.1x port-based authentication and causes the port to transition to the authorized state without any authentication exchange required. The port transmits and receives normal traffic without 802.1x-based authentication of the client. This is the default setting.

dot1x port-control force-unauthorized: Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The switch cannot provide authentication services to the client through the interface.

dot1x port-control auto: Enables 802.1x port-based authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port.
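The three states side by side on one switch, as an added Cisco IOS example that is not from the original post. The interface names, the RADIUS server address 192.0.2.10 and the shared secret are assumptions; the global dot1x system-auth-control line is what makes any per-port setting take effect.

```cisco
! Added example (not from the original post). Interface names, the RADIUS
! server address and the shared secret below are assumptions.
aaa new-model
aaa authentication dot1x default group radius
radius server LAB-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
! Global enable: without this line the per-port port-control settings do nothing.
dot1x system-auth-control
!
! Default behaviour, written out explicitly: no EAP exchange at all, the port
! forwards as soon as it comes up, so anything plugged in gets network access.
interface GigabitEthernet0/1
 switchport mode access
 dot1x port-control force-authorized
!
! Port stays unauthorized no matter what the client sends; useful for a port
! that is cabled but must never provide access.
interface GigabitEthernet0/2
 switchport mode access
 dot1x port-control force-unauthorized
!
! Real 802.1X: the port starts unauthorized and passes only EAPOL until the
! RADIUS server returns Access-Accept for the supplicant.
interface GigabitEthernet0/3
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
```

Check the resulting state per port with show dot1x all: Gi0/1 reports force-authorized (and should be treated as an unprotected port in any review), Gi0/2 force-unauthorized, and Gi0/3 auto, with its authorized/unauthorized status following the outcome of the last EAP exchange.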
VLAN Attack: after connecting to the switch, the attacker first tries to negotiate the link into a trunk, and then attacks the other VLANs from there.

Solution: PVLAN (private VLAN): a primary VLAN plus secondary VLANs (isolated VLANs and community VLANs).

Secondary VLANs come in two kinds, isolated VLANs and community VLANs. A port belonging to an isolated VLAN is called an isolated port, a port belonging to a community VLAN is called a community port, and a port belonging to the primary VLAN is called a promiscuous port.

A promiscuous port can communicate with all ports; an isolated port can communicate only with promiscuous ports; a community port can communicate with promiscuous ports and also with community ports in the same community VLAN.