GZ032 信息安全管理与评估赛项参考答案-模块1任务二-2023年全国职业院校技能大赛赛项正式赛卷.docx

1 .SW和AC开启telnet登录功能，telnet登录账户仅包含“ABC4321”,密码为明文“ABC4321”,采用telnet方式登录设备时需要输入enable密码，密码设置为明文“12345”o（4分）说明：admin账号没有删除扣1分，ABC4321用户的PriVilege值设置为15扣3分SWsw#ShoWrunning-config|includeusernamepasswordnoSerViceDaSSWordonenablepasswordlevel15O12345USernameabc4321privilege14PaSSWOrdOabc4321ACAC#showrunning-configincludeusernamepasswordnoservicepassword-encryptionenablePaSSiVOrdIeVeI15O12345USernameABC4321Drivileae14DaSSWordOabc43212 .北京总公司和南京分公司租用了运营商两条裸光纤，实现内部办公互通。一条裸光纤承载公司财务部门业务，一条裸光纤承载其他内部业务。使用相关技术实现总公司财务段路由表与公司其它业务网段路由表隔离，财务业务位于VPN实例名称CW内，总公司财务和分公司财务能够通信，财务部门总公司和分公司之间采用RlP路由实现互相访问。（5分）若SW上showiproutevrfCW和AC上showiprouterip结果错误，本题O分。sw：SW(COnfig)#ShoWiproutevrfCWCodes:K-kernel,C-connected,S-static,R-RIP,B-BGPO-OSPF,IA-OSPFinterareaNl-OSPFNSSAexternaltype1,N2-OSPFNSSAexternaltype2El-OSPFexternaltype1,E2-OSPFexternaltype2i-IS-IS,Ll-IS-ISlevel-1,L2-IS-ISlevel-2,ia-IS-ISinterarea*-candidatedefaultC20.1.0.4/30isdirectlyconnected,Vlan30tag:0C20.1.3.0/?Sisdirprtlvcon11pctpd.Vlarl31ta:0R20.1.3.12¾2120/2via20.1.0.6,Vlan30.00:03:02taq:0Toldlroutesdre3Ifenl(三)一sw(config)#|AC：R201.3.0/25120/2via20.1.0.5,VlanBO,00:06:30taq:0Totalfotesar'e:1ten(,s)AC(config)#!3 .尽可能加大总公司核心和出口BC之间的带宽。（4分）每设备2分，SW上看端是否千兆全双工及配置端口聚合;SWinterfaceEthernetl/0/18speed-duplexforcelg-fullswitchportaccessvlan25port-group2modeonIinterfaceEthernetl/0/19speed-duplexforcelg-fullswitchportaccessvlan25port-group2modeon0 tstt<s>中 MOW*Iq MtMdI«ma I 网睛 I 惬精含vtAN»a I tf¾19cBCttRK¾pgM三M口w£»呛爆,法I1CG1ISoOth1,e<h2-词4 .为防止终端产生MAC地址泛洪攻击，请配置端口安全，已划分VLAN41的端口最多学习到5个MAC地址，发生违规阻止后续违规流量通过，不影响已有流量并产生LoG日志；连接PCI的接口为专用接口，限定只允许PCl的MAC地址可以连接.（5分）7口配置2分，其它3个口1分，mac地址可变。interfaceEthernetl/0/6service-policyinputplswitchportaccessvlan41switchportport-securityswitchportport-securitymaximum5switchportport-securityviolationrestrictIinterfaceEthernetl/0/7switchportaccessvlan41switchportport-securityswitchportport-securitymaximum5switchportport-securityviolationrestrictswitchportport-securitymac-addressO2-13-23-3f-11-22interfaceEthernetl/0/8access-groupacl2redirecttointerfaceethernet1/0/9switchport port-securityswitchport port-security maximum 5switchport port-security violation restrict IswitchportaccessVlan41interfaceEthernetl/0/9service-policyinputp2SwitchDortaccessVIan4工switchportport-securityswitchportport-securitymaximum5switchportport-securityviolationrestrict5 .在总部核心交换机端口ethernet1/0/6±,将属于网段20.L4L0内的报文带宽限制为IOM比特/秒，突发值设为4M字节，超过带宽的该网段内的报文一律丢弃。（5分）policy-map配置2分，其余每框1分，（acl名称、ClaSS-InaP名称、PoliCy-map名字可变，嵌套关系需要对应)sw#ShOWaccess-】istsipaccess-liststandardacll(used1time(s)1rule(s)rule工D1:Pennit20.1.41.0O.O.O.255sw#ShOWCIaSS-mapclassmapname:cl,usedby1time(s)matchaclname:acl1sw#ShoWpolicy-mapPolicyMappl,usedby1time(s)ClassMapname:clpolicyCIR:10000CBS：4000exceed-action:dropInterfaceEthernetl/0/6service-policyinputpl-SWitchportaccessvlan41switchportport-securityswitchportport-securitymaximum5switchportport-securityviolationrestrict6 .在SW上配置办公用户在上班时间（周一到周五9:00-17:00）禁止访问外网，内部网络正常访问。（2分）showClOCk时间需在开始竞赛时间范围内，否则本题。分;ISw#ShoWCIoCkICUrTenttimeisMonJUl3110:04:042023UTC7 .总公司SW交换机模拟因特网交换机，通过某种技术实现本地路由和因特网路由进行隔离，因特网路由实例名internet。（2分）8 .对SW上VLAN50开启以下安全机制。业务内部终端相互二层隔离；14口启用环路检测，环路检测的时间间隔为10s,发现环路以后关闭该端口，恢复时间为30分钟，如私设DHCP服务器关闭该端口，同时开启防止ARP网关欺骗攻击。6分，端口隔离1分，arp-guard配置正确1分，环路检测配置正确2分、dhcpsnooping正确2分。isolate-portapply12isolate-portgroup1switchportinterfaceEthernetl/0/14isolate-portgroup1switchportinterfaceEthernetl/0/13loopback-detectioninterval-time1010iooPbaCk-detectionContrO1-recoverytimeout1800interfaceEthernetl/0/141oopback-detectionspecified-vlan50llogpb?Ck-detectic;rCorItqOlShUtdoWnswitchportmac-addressdynamicmaximum20-switchportarpdynamicmaximum20switchportnddynamicmaximum50larp-guardip20.1.50.1-ipdEcpSnOOPingactionShUtdOWnipdhcpsnoopingenableInterfaceEthernetl/0/5sw"chportaccessVIan40IipdhcpSnOOPingtrust19 .配置使北京公司内网用户通过总公司出口BC访问因特网，分公司内网用户通过分公司出口FW访问因特网，要求总公司核心交换机9口VLAN41业务的用户访问因特网的流量往反数据流经过防火墙在通过BC访问因特网；防火墙untrustl和trustl开启安全防护，参数采用默认参数。要求有测试结果（14分）开启安全防护2分，tracert结果12分，如果结果错误，本题O分；FWFW#showadzonetrustlstatistiesstatisticscounteronzonetrustl:AttackdefensetypecounterStateTearDropOonIPSpoofing8onLandAttackOonIPOptionOonIPFragmentOonipdirectedbroadcastOonWinnukeOonPortscanOonsourceSYNFloodOonDestinationSYNFlood(ip-based)OonDestinationSYNFlood(port-based)OonSYNProxyOoffSYNcookieOoffTCPAnomalyOoffICMPFloodOonAddressSweepOonPingofDeathOonHugeICMPPacketOoffsourceUDPFloodOonDestinationUDPFloodOondnsqueryfloodOoffdnsrecursivequeryfloodOoffARPspoofingIPnumberperMACOoffARPspoofingreversequeryOoffndspoofingIPnumberperMACOoffNDspoofingreversequeryOoffTCPsplitHandshakeO