Designs and configures VLAN-based network segmentation on managed switches like Cisco Catalyst to isolate zones (corporate, servers, DMZ, guest, IoT) and restrict lateral movement.
npx claudepluginhub killvxk/cybersecurity-skills-zh
This skill uses the workspace's default tool permissions.
- Segmenting an enterprise network into isolated security zones (corporate, servers, DMZ, guest, IoT)
Not for: using VLANs as the only security control without Layer 3 filtering, networks that require physical isolation, or environments whose switches have not been hardened against VLAN hopping.
```
# Define VLANs by security zone and function
VLAN plan:
VLAN 10  - CORPORATE   (10.10.10.0/24)  - employee workstations
VLAN 20  - SERVERS     (10.10.20.0/24)  - internal servers
VLAN 30  - DMZ         (10.10.30.0/24)  - internet-facing servers
VLAN 40  - GUEST       (10.10.40.0/24)  - guest Wi-Fi
VLAN 50  - IOT         (10.10.50.0/24)  - IoT/OT devices
VLAN 60  - VOIP        (10.10.60.0/24)  - VoIP phones
VLAN 100 - MANAGEMENT  (10.10.100.0/24) - switch/AP management
VLAN 999 - QUARANTINE  (10.10.99.0/24)  - isolation of compromised hosts
VLAN 998 - NATIVE_UNUSED                - native VLAN on trunks (carries no traffic)

# Traffic flow matrix (enforced at Layer 3 with ACLs or on the firewall):
# CORPORATE -> SERVERS:     allow (specific ports)
# CORPORATE -> DMZ:         allow (HTTP/HTTPS only)
# CORPORATE -> GUEST:       deny
# CORPORATE -> IOT:         deny
# GUEST -> any internal:    deny
# IOT -> SERVERS:           allow (specific ports on specific hosts only)
# DMZ -> SERVERS:           allow (database ports only)
# MANAGEMENT -> all:        allow (from management workstations only)
```
```
! Enter configuration mode
enable
configure terminal

! Create the VLANs
vlan 10
 name CORPORATE
exit
vlan 20
 name SERVERS
exit
vlan 30
 name DMZ
exit
vlan 40
 name GUEST
exit
vlan 50
 name IOT
exit
vlan 60
 name VOIP
exit
vlan 100
 name MANAGEMENT
exit
vlan 998
 name NATIVE_UNUSED
exit
vlan 999
 name QUARANTINE
exit

! Access ports for workstations (VLAN 10)
interface range GigabitEthernet1/0/1-24
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
exit

! Access ports for servers (VLAN 20)
interface range GigabitEthernet1/0/25-36
 switchport mode access
 switchport access vlan 20
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
exit

! Trunk to the other switches. Set the encapsulation before the mode: on
! platforms whose encapsulation defaults to "auto" (3560/3750) the switch
! rejects "switchport mode trunk" until dot1q is selected. On dot1q-only
! platforms (2960, 9300) the encapsulation command does not exist; omit it.
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,30,40,50,60,100
 switchport nonegotiate
 no shutdown
exit

! Trunk to the firewall/router
interface GigabitEthernet1/0/47
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,30,40,50,60,100
 switchport nonegotiate
 no shutdown
exit

! Shut down unused ports and park them in a VLAN nothing else uses.
! VLAN 999 is reused here; if QUARANTINE is a live VLAN with an SVI, park
! unused ports in a separate blackhole VLAN that has no SVI instead.
interface range GigabitEthernet1/0/37-46
 switchport mode access
 switchport access vlan 999
 shutdown
exit

! Disable DTP on every port (prevents switch spoofing). The per-range blocks
! above already do this; the catch-all range makes sure no port is missed.
interface range GigabitEthernet1/0/1-46
 switchport nonegotiate
exit

! Set the native VLAN of every trunk to the unused VLAN
interface range GigabitEthernet1/0/47-48
 switchport trunk native vlan 998
exit

! Enable DHCP snooping. By default the switch inserts option 82 into client
! requests, and an IOS DHCP server or relay drops such requests unless it is
! configured to trust them; turn insertion off unless the server expects it.
ip dhcp snooping
ip dhcp snooping vlan 10,20,30,40,50,60
no ip dhcp snooping information option
! Trust only the ports through which DHCP server replies arrive: the firewall
! uplink and the inter-switch trunk (assuming the other switch also snoops).
! Never trust an access port.
interface range GigabitEthernet1/0/47-48
 ip dhcp snooping trust
exit

! Enable Dynamic ARP Inspection (ARP on untrusted ports is validated against
! the DHCP snooping binding table). Trust the same uplinks, otherwise ARP
! from hosts behind the other switch is dropped for lack of a local binding.
ip arp inspection vlan 10,20,30,40,50,60
interface range GigabitEthernet1/0/47-48
 ip arp inspection trust
exit

! Statically addressed hosts (the servers in VLAN 20) never get a snooping
! binding, so DAI and IP Source Guard would drop their traffic. Add a static
! binding per server before enabling those features on its port:
!   ip source binding <mac> vlan 20 <ip> interface <port>

! Enable IP Source Guard (prevents IP spoofing)
interface range GigabitEthernet1/0/1-36
 ip verify source
exit

! Enable port security (a maximum of 2 allows an IP phone plus a PC per port)
interface range GigabitEthernet1/0/1-24
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 60
exit

! Put VTP in transparent mode (prevents VTP attacks)
vtp mode transparent

! Enable BPDU guard globally on every PortFast port
spanning-tree portfast bpduguard default

! Enable storm control
interface range GigabitEthernet1/0/1-36
 storm-control broadcast level 10
 storm-control multicast level 10
 storm-control action shutdown
exit
```
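The hardening above is easy to apply unevenly across a stack, so an auditor usually wants to check a `show running-config` dump rather than trust the change ticket. The script below is an added example (not part of the original skill): it parses the physical interfaces out of a running-config and reports every port that is neither shut down nor a hardened access port (BPDU guard, `nonegotiate`) nor a hardened trunk (`nonegotiate`, non-default native VLAN, pruned allowed list), plus the global settings (VTP transparent, DHCP snooping, BPDU guard default). The embedded configuration is a constructed sample, and `999` as the parking VLAN is an assumption taken from this page.

```python
from __future__ import annotations
import re

# Constructed sample `show running-config` excerpt (not from a real switch).
# Gi1/0/1 and Gi1/0/47 follow this page's hardening; the others each miss something.
SAMPLE_CONFIG = """\
vtp mode transparent
ip dhcp snooping
ip dhcp snooping vlan 10,20,30,40,50,60
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface GigabitEthernet1/0/3
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/37
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/0/38
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/47
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,30,40,50,60,100
 switchport nonegotiate
!
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,40,50,60,100
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
"""

PHYSICAL_IF = re.compile(r"^interface ((?:Fast|Gigabit|TenGigabit)Ethernet\S+)$")
PARKING_VLAN = "999"   # assumption: the unused-port VLAN used on this page

GLOBAL_CHECKS = {
    "vtp mode transparent": "VTP is not in transparent mode",
    "ip dhcp snooping": "DHCP snooping is not enabled globally",
    "spanning-tree portfast bpduguard default": "BPDU guard default is not enabled",
}


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map each physical interface to its sub-commands; SVIs and global lines are skipped."""
    ifaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = PHYSICAL_IF.match(line)
        if m:
            current = m.group(1)
            ifaces[current] = []
        elif not line.startswith(" "):        # any other top-level line ends the block
            current = None
        elif current is not None:
            ifaces[current].append(line.strip())
    return ifaces


def audit_interface(name: str, cmds: list[str], bpduguard_default: bool) -> list[str]:
    """Findings for one port, against the controls applied on this page."""
    def has(prefix: str) -> bool:
        return any(c.startswith(prefix) for c in cmds)

    if has("shutdown"):
        return []                                  # parked port: nothing to enforce
    findings = []
    if has("switchport mode trunk"):
        if not has("switchport nonegotiate"):
            findings.append(f"{name}: trunk still negotiates DTP (missing 'switchport nonegotiate')")
        native = next((c.split()[-1] for c in cmds if c.startswith("switchport trunk native vlan")), "1")
        if native == "1":
            findings.append(f"{name}: trunk native VLAN is 1 (double-tagging exposure)")
        if not has("switchport trunk allowed vlan"):
            findings.append(f"{name}: trunk carries every VLAN (no allowed-vlan pruning)")
    elif has("switchport mode access"):
        # BPDU guard is satisfied per port, or via the global default on PortFast ports
        guarded = has("spanning-tree bpduguard enable") or (bpduguard_default and "spanning-tree portfast" in cmds)
        if not guarded:
            findings.append(f"{name}: access port without BPDU guard")
        if not has("switchport nonegotiate"):
            findings.append(f"{name}: access port still negotiates DTP (missing 'switchport nonegotiate')")
        if f"switchport access vlan {PARKING_VLAN}" in cmds:
            findings.append(f"{name}: parked in VLAN {PARKING_VLAN} but not shut down")
    else:
        findings.append(f"{name}: no explicit switchport mode (DTP dynamic default, switch spoofing possible)")
    return findings


def audit_config(config: str) -> list[str]:
    """Global findings first, then one line per interface problem."""
    top_level = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    findings = [msg for cmd, msg in GLOBAL_CHECKS.items() if cmd not in top_level]
    bpduguard_default = "spanning-tree portfast bpduguard default" in top_level
    for name, cmds in parse_interfaces(config).items():
        findings.extend(audit_interface(name, cmds, bpduguard_default))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against a real dump with `audit_config(open("running-config.txt").read())`; the sample yields five findings (Gi1/0/2 without BPDU guard, Gi1/0/3 in dynamic mode, Gi1/0/38 parked but up, and two for the Gi1/0/48 trunk). The parser deliberately stops at the first top-level line after an interface block, which matches how IOS indents sub-commands by one space.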
```
! On the Layer 3 switch (or on the firewall), configure the switch virtual
! interfaces (SVIs). A Catalyst switch also needs "ip routing" enabled
! globally before it forwards between VLANs.
ip routing
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 no shutdown
exit
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
 no shutdown
exit
interface Vlan30
 ip address 10.10.30.1 255.255.255.0
 no shutdown
exit
interface Vlan40
 ip address 10.10.40.1 255.255.255.0
 no shutdown
exit
interface Vlan50
 ip address 10.10.50.1 255.255.255.0
 no shutdown
exit

! ACL: traffic originated by the corporate VLAN. It is applied inbound on
! Vlan10 (see below), so it has to cover every flow the matrix allows from
! CORPORATE: specific services on SERVERS, HTTP/HTTPS to the DMZ and, as an
! assumption not stated in the matrix, the internet through the firewall.
ip access-list extended CORP-OUTBOUND
 remark DHCP requests to the DHCP server on the SVI
 permit udp any eq bootpc any eq bootps
 remark CORPORATE -> SERVERS: specific services only
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 80
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 443
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 445
 permit udp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 53
 permit icmp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 echo
 remark CORPORATE -> DMZ: HTTP/HTTPS only
 permit tcp 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255 eq 80
 permit tcp 10.10.10.0 0.0.0.255 10.10.30.0 0.0.0.255 eq 443
 remark CORPORATE -> GUEST, IOT, MANAGEMENT and every other internal range: deny
 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 remark CORPORATE -> internet (assumed)
 permit ip 10.10.10.0 0.0.0.255 any
 deny ip any any log
exit

! ACL: guest VLAN gets the internet only (all internal ranges denied)
ip access-list extended GUEST-OUTBOUND
 permit udp any eq bootpc any eq bootps
 deny ip 10.10.40.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny ip 10.10.40.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny ip 10.10.40.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 permit tcp 10.10.40.0 0.0.0.255 any eq 80
 permit tcp 10.10.40.0 0.0.0.255 any eq 443
 permit udp 10.10.40.0 0.0.0.255 any eq 53
 remark needed for the ping-based verification of internet reachability
 permit icmp 10.10.40.0 0.0.0.255 any echo
 deny ip any any log
exit

! ACL: restricted IoT access. Order matters: the internal-range denies must
! come before the "any eq 443" permit, otherwise port 443 on every internal
! host (corporate, management, all servers) is reachable from IoT.
ip access-list extended IOT-OUTBOUND
 permit udp any eq bootpc any eq bootps
 remark one internal service and the internal DNS server (10.10.20.10, per the DHCP pool)
 permit tcp 10.10.50.0 0.0.0.255 host 10.10.20.10 eq 443
 permit udp 10.10.50.0 0.0.0.255 host 10.10.20.10 eq 53
 deny ip 10.10.50.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny ip 10.10.50.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny ip 10.10.50.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 remark cloud/vendor services over HTTPS
 permit tcp 10.10.50.0 0.0.0.255 any eq 443
 deny ip any any log
exit
! Device-to-device traffic inside VLAN 50 never crosses the SVI, so no ACL
! on it can block that; use protected ports ("switchport protected") or a
! private VLAN on the IoT access ports instead.

! Apply the ACLs inbound on each SVI (inbound = traffic sourced from that
! VLAN). An ACL whose entries match these source addresses must be applied
! "in"; applied "out" on Vlan10 it would only see traffic destined to VLAN 10,
! match nothing, and its final deny would drop every reply to the workstations.
! These ACLs are stateless: replies get through only because no ACL is applied
! on the server-side SVIs. For stateful inter-zone policy, route the
! inter-VLAN traffic through the firewall instead.
interface Vlan10
 ip access-group CORP-OUTBOUND in
exit
interface Vlan40
 ip access-group GUEST-OUTBOUND in
exit
interface Vlan50
 ip access-group IOT-OUTBOUND in
exit
```
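An extended ACL is evaluated top to bottom and the first matching entry wins, which is exactly how an entry placed too early (a `permit ... any eq 443` ahead of the internal-range denies) silently widens an IoT policy. The following is an added example, not part of the original skill: a first-match evaluator for the subset of IOS ACL syntax used on this page (`permit`/`deny`, `ip`/`tcp`/`udp`/`icmp`, `host`, wildcard masks, `any`, `eq <port>` on source or destination, trailing `log`/`echo`), used to test two versions of the IoT ACL against the traffic-flow matrix before either is applied. The ACL texts, the `IOT_MATRIX_CASES` list and the public address `203.0.113.10` are constructed for the example.

```python
from __future__ import annotations
import ipaddress
from typing import NamedTuple


class Packet(NamedTuple):
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}


def _port(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)


def _addr(tokens: list[str], i: int) -> tuple[int, int, int]:
    """Consume one address spec; return (network, netmask, index of the next token).
    'any' matches everything, 'host A' is a /32, 'A WILDCARD' inverts the wildcard."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, ~wildcard & 0xFFFFFFFF, i + 2


def parse_acl(text: str) -> list[dict]:
    """Parse the entries of an 'ip access-list extended' body; remarks and blanks are skipped."""
    aces = []
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        src, smask, i = _addr(t, 2)
        sport = None
        if i < len(t) and t[i] == "eq":             # optional source port
            sport, i = _port(t[i + 1]), i + 2
        dst, dmask, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":             # optional destination port
            dport = _port(t[i + 1])
        aces.append({"action": t[0], "proto": t[1], "src": src, "smask": smask, "sport": sport,
                     "dst": dst, "dmask": dmask, "dport": dport, "text": raw.strip()})
    return aces


def _matches(ace: dict, p: Packet) -> bool:
    if ace["proto"] != "ip" and ace["proto"] != p.proto:
        return False
    if (int(ipaddress.IPv4Address(p.src)) & ace["smask"]) != (ace["src"] & ace["smask"]):
        return False
    if (int(ipaddress.IPv4Address(p.dst)) & ace["dmask"]) != (ace["dst"] & ace["dmask"]):
        return False
    if ace["sport"] is not None and ace["sport"] != p.sport:
        return False
    return ace["dport"] is None or ace["dport"] == p.dport


def evaluate(aces: list[dict], p: Packet) -> tuple[str, str]:
    """First matching entry decides; every ACL ends with an implicit deny."""
    for ace in aces:
        if _matches(ace, p):
            return ace["action"], ace["text"]
    return "deny", "implicit deny"


def policy_violations(acl_text: str, cases: list[tuple[Packet, str]]) -> list[str]:
    """Cases whose verdict differs from the intended matrix, one readable line each."""
    aces = parse_acl(acl_text)
    out = []
    for p, expected in cases:
        got, text = evaluate(aces, p)
        if got != expected:
            out.append(f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}: expected {expected}, got {got} by '{text}'")
    return out


# Constructed: the IoT ACL with the any-443 permit ahead of the internal denies ...
IOT_ACL_AS_WRITTEN = """
permit tcp 10.10.50.0 0.0.0.255 host 10.10.20.10 eq 443
permit tcp 10.10.50.0 0.0.0.255 any eq 443
permit udp 10.10.50.0 0.0.0.255 host 10.10.20.10 eq 53
deny ip any any log
"""
# ... and the reordered version (internal ranges denied first, DHCP allowed).
IOT_ACL_REORDERED = """
permit udp any eq bootpc any eq bootps
permit tcp 10.10.50.0 0.0.0.255 host 10.10.20.10 eq 443
permit udp 10.10.50.0 0.0.0.255 host 10.10.20.10 eq 53
deny ip 10.10.50.0 0.0.0.255 10.0.0.0 0.255.255.255 log
deny ip 10.10.50.0 0.0.0.255 172.16.0.0 0.15.255.255 log
deny ip 10.10.50.0 0.0.0.255 192.168.0.0 0.0.255.255 log
permit tcp 10.10.50.0 0.0.0.255 any eq 443
deny ip any any log
"""

# Intended behaviour from the traffic-flow matrix: (packet, expected verdict)
IOT_MATRIX_CASES = [
    (Packet("tcp", "10.10.50.20", "10.10.20.10", dport=443), "permit"),   # IOT -> allowed server
    (Packet("tcp", "10.10.50.20", "203.0.113.10", dport=443), "permit"),  # IOT -> internet service
    (Packet("tcp", "10.10.50.20", "10.10.10.50", dport=443), "deny"),     # IOT -> CORPORATE
    (Packet("tcp", "10.10.50.20", "10.10.20.11", dport=443), "deny"),     # IOT -> other server
    (Packet("tcp", "10.10.50.20", "10.10.100.1", dport=22), "deny"),      # IOT -> MANAGEMENT
    (Packet("udp", "0.0.0.0", "255.255.255.255", sport=68, dport=67), "permit"),  # DHCP discover
]

if __name__ == "__main__":
    for label, acl in (("as written", IOT_ACL_AS_WRITTEN), ("reordered", IOT_ACL_REORDERED)):
        print(label, policy_violations(acl, IOT_MATRIX_CASES) or ["no violations"])
```

The as-written ACL produces three violations (HTTPS into the corporate VLAN and into a second server is permitted, and DHCP is denied); the reordered one produces none. The same harness works for the corporate and guest ACLs by writing their matrix rows as cases, which is a cheaper check than discovering a gap from a pentest report.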
```
! One DHCP pool per VLAN (lease 1 = one day, lease 0 4 = four hours)
ip dhcp pool CORPORATE
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.10.20.10
 domain-name corp.example.com
 lease 1
exit
ip dhcp pool GUEST
 network 10.10.40.0 255.255.255.0
 default-router 10.10.40.1
 dns-server 1.1.1.1 8.8.8.8
 lease 0 4
exit
ip dhcp pool IOT
 network 10.10.50.0 255.255.255.0
 default-router 10.10.50.1
 dns-server 10.10.20.10
 lease 7
exit

! Exclude gateway and server addresses from the pools
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp excluded-address 10.10.40.1 10.10.40.10
ip dhcp excluded-address 10.10.50.1 10.10.50.10
```
```
# From a workstation in VLAN 10 (CORPORATE):
# should succeed:
ping 10.10.20.10            # server access
curl https://10.10.20.10    # HTTPS to a server
# should fail:
ping 10.10.40.100           # guest VLAN, must be blocked
ping 10.10.50.100           # IoT VLAN, must be blocked

# From a device in VLAN 40 (GUEST):
# should succeed:
ping 8.8.8.8                # internet access
curl https://www.google.com
# should fail:
ping 10.10.10.1             # corporate gateway, blocked
ping 10.10.20.10            # servers, blocked

# Verify the switch configuration
show vlan brief
show interfaces trunk
show ip dhcp snooping
show ip dhcp snooping binding
show ip arp inspection statistics
show ip verify source
show port-security
show ip access-lists

# VLAN hopping tests (authorized penetration test only)
# With correct hardening every one of these must fail:
# 1. DTP negotiation  - fails (nonegotiate)
# 2. Double tagging   - fails (native VLAN 998 on the trunks, used by no access port)
# 3. ARP spoofing     - fails (DAI enabled)
```
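Why test 2 fails once the native VLAN is moved is easier to see on the frames themselves. The model below is an added example, not part of the original skill and not an injection tool: it builds raw Ethernet frames with stacked 802.1Q tags using only `struct`, then models the two switch operations that double tagging abuses, an access port stripping a tag equal to its own VLAN and a trunk sending the native VLAN untagged, before a downstream switch reads whatever tag is left. The attacker's access VLAN, the target VLAN, the trunk native VLAN and the optional `vlan dot1q tag native` behaviour are parameters, so the exposed and the hardened cases can be compared. MAC addresses and payload are constructed; the model ignores MAC learning and STP.

```python
from __future__ import annotations
import struct

ETH_P_8021Q = 0x8100
ETH_P_IP = 0x0800

# Constructed addresses for the example frames
BROADCAST = b"\xff" * 6
ATTACKER_MAC = b"\x02\x00\x00\x00\x00\x01"
PAYLOAD = b"constructed-payload"


def build_frame(dst_mac: bytes, src_mac: bytes, vlans: list[int], payload: bytes) -> bytes:
    """Ethernet frame with zero or more stacked 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) for vid in vlans)
    return dst_mac + src_mac + tags + struct.pack("!H", ETH_P_IP) + payload


def parse_tags(frame: bytes) -> list[int]:
    """VLAN IDs from the outermost tag inward (empty for an untagged frame)."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == ETH_P_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids


def strip_outer_tag(frame: bytes) -> bytes:
    return frame[:12] + frame[16:]


def push_tag(frame: bytes, vid: int) -> bytes:
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF) + frame[12:]


def access_ingress(frame: bytes, access_vlan: int) -> tuple[int, bytes]:
    """Access port: untagged frames belong to the access VLAN; a tag equal to the
    access VLAN is accepted and stripped; any other tag is dropped."""
    tags = parse_tags(frame)
    if not tags:
        return access_vlan, frame
    if tags[0] == access_vlan:
        return access_vlan, strip_outer_tag(frame)
    raise ValueError(f"frame tagged {tags[0]} dropped on access port in VLAN {access_vlan}")


def trunk_egress(frame: bytes, vlan: int, native_vlan: int, tag_native: bool = False) -> bytes:
    """Trunk port: the native VLAN leaves untagged unless 'vlan dot1q tag native'
    is configured; every other VLAN gets a tag pushed in front of the payload."""
    if vlan == native_vlan and not tag_native:
        return frame
    return push_tag(frame, vlan)


def trunk_ingress(frame: bytes, native_vlan: int) -> int:
    """Downstream switch: the first tag decides the VLAN; untagged means native."""
    tags = parse_tags(frame)
    return tags[0] if tags else native_vlan


def hop_result(attacker_vlan: int, target_vlan: int, native_vlan: int, tag_native: bool = False) -> int:
    """VLAN in which the downstream switch forwards a double-tagged frame sent
    from an access port in attacker_vlan with inner tag target_vlan."""
    crafted = build_frame(BROADCAST, ATTACKER_MAC, [attacker_vlan, target_vlan], PAYLOAD)
    vlan, frame = access_ingress(crafted, attacker_vlan)
    on_wire = trunk_egress(frame, vlan, native_vlan)  if not tag_native else trunk_egress(frame, vlan, native_vlan, True)
    return trunk_ingress(on_wire, native_vlan)


if __name__ == "__main__":
    print("attacker in VLAN 1, native VLAN 1:        lands in VLAN", hop_result(1, 20, 1))
    print("attacker in VLAN 1, native VLAN 998:      stays in VLAN", hop_result(1, 20, 998))
    print("attacker in VLAN 998, native VLAN 998:    lands in VLAN", hop_result(998, 20, 998))
    print("native VLAN 1 but 'vlan dot1q tag native': stays in VLAN", hop_result(1, 20, 1, tag_native=True))
```

The third case is the reason the page insists the native VLAN be one that no access port uses: moving the native VLAN to 998 only helps if 998 stays empty. Tagging the native VLAN (`vlan dot1q tag native`) closes the same gap from the trunk side, at the cost of dropping legitimately untagged frames from the far end.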
| Term | Definition |
|---|---|
| VLAN (virtual LAN) | Logical Layer 2 partition that groups switch ports into an isolated broadcast domain regardless of physical location |
| 802.1Q trunk | IEEE standard for VLAN tagging: a 4-byte header inserted into the Ethernet frame identifies the frame's VLAN on a trunk link |
| Inter-VLAN routing | Layer 3 forwarding between VLANs by a router, Layer 3 switch or firewall, with access control lists applied |
| Native VLAN | VLAN assigned to untagged frames on a trunk port; set it to an unused VLAN to prevent VLAN hopping |
| DHCP snooping | Switch feature that validates DHCP messages and builds a binding table of IP, MAC and port; blocks rogue DHCP servers |
| Port security | Switch feature that limits the number of MAC addresses per port and acts on violations (shutdown, restrict) |
Scenario: A retail chain must isolate its payment-card processing systems from the general corporate network to meet PCI-DSS. The current flat network places point-of-sale (POS) terminals, employee workstations, inventory servers and guest Wi-Fi in a single VLAN. The environment runs Cisco Catalyst 9300 switches.
Approach:
Common pitfalls:
## Network segmentation implementation report
**Network**: Retail store #42
**Switch platform**: Cisco Catalyst 9300
**VLANs configured**: 8
### VLAN summary
| VLAN ID | Name | Subnet | Ports | Purpose |
|---------|------|--------|-------|---------|
| 10 | CORPORATE | 10.10.10.0/24 | Gi1/0/1-24 | Employee workstations |
| 20 | SERVERS | 10.10.20.0/24 | Gi1/0/25-36 | Internal servers |
| 30 | DMZ | 10.10.30.0/24 | Gi2/0/1-4 | Internet-facing |
| 40 | GUEST | 10.10.40.0/24 | Wi-Fi AP trunk | Guest Wi-Fi |
| 50 | CDE | 10.10.50.0/24 | Gi2/0/5-12 | POS terminals |
| 100 | MGMT | 10.10.100.0/24 | Gi1/0/48 | Switch management |
| 998 | NATIVE | n/a | Trunks only | Unused native VLAN |
| 999 | QUARANTINE | 10.10.99.0/24 | Unused ports | Isolation |
### Security hardening status
| Control | Status |
|---------|--------|
| DTP disabled (nonegotiate) | All ports |
| Native VLAN (998) | All trunks |
| DHCP snooping | VLANs 10,20,40,50 |
| Dynamic ARP Inspection | VLANs 10,20,40,50 |
| Port security | Access ports |
| BPDU guard | Access ports |
| Unused ports shut down | 10 ports in VLAN 999 |
| VTP transparent mode | Enabled |