manualshive.com logo in svg

Cisco Catalyst 2960-X, Security Configuration Manual

The Cisco Catalyst 2960-X is a high-performance switch designed for enterprise networks. To get started with its installation and setup, you can easily access the comprehensive Hardware Installation Manual. This manual is available for free download from manualshive.com, ensuring you have the necessary guidance for a seamless installation process.

Share
Download
background image

Restrictions for Configuring IPv4 Access Control Lists

General Network Security

The following are restrictions for configuring network security with ACLs:

Not all commands that accept a numbered ACL accept a named ACL. ACLs for packet filters and route
filters on interfaces can use a name. VLAN maps also accept a name.

A standard ACL and an extended ACL cannot have the same name.

Though visible in the command-line help strings,

appletalk

is not supported as a matching condition

for the

deny

and

permit

MAC access-list configuration mode commands.

ACL wildcard is not supported in downstream client policy.

IPv4 ACL Network Interfaces

The following restrictions apply to IPv4 ACLs to network interfaces:

When controlling access to an interface, you can use a named or numbered ACL.

If you apply an ACL to a Layer 2 interface that is a member of a VLAN, the Layer 2 (port) ACL takes
precedence over an input Layer 3 ACL applied to the VLAN interface or a VLAN map applied to the
VLAN.

If you apply an ACL to a Layer 3 interface and routing is not enabled on the switch, the ACL only filters
packets that are intended for the CPU, such as SNMP, Telnet, or web traffic.

You do not have to enable routing to apply ACLs to Layer 2 interfaces.

By default, the router sends Internet Control Message Protocol (ICMP) unreachable messages when a
packet is denied by an access group on a Layer 3 interface. These access-group denied packets are not
dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP-unreachable
message. They do not generate ICMP unreachable messages. ICMP unreachable messages can be disabled
on router ACLs with the

no ip unreachables

interface command.

Note

MAC ACLs on a Layer 2 Interface

After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that
interface. When you apply the MAC ACL, consider these guidelines:

You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface.
The IP access list filters only IP packets, and the MAC access list filters non-IP packets.

A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2
interface that has a MAC ACL configured, the new ACL replaces the previously configured one.

   Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX

140

OL-29048-01   

Configuring IPv4 ACLs

Restrictions for Configuring IPv4 Access Control Lists

Summary of Contents for Catalyst 2960-X

Page 1: ...ide Cisco IOS Release 15 0 2 EX First Published July 10 2013 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Text Part Number OL 29048 01 ...

Page 2: ... IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE T...

Page 3: ... Use the CLI to Configure Features 6 Configuring the Command History 6 Changing the Command History Buffer Size 6 Recalling Commands 6 Disabling the Command History Feature 7 Enabling and Disabling Editing Features 7 Editing Commands Through Keystrokes 8 Editing Command Lines That Wrap 9 Searching and Filtering Output of show and more Commands 10 Accessing the CLI on a Switch Stack 11 Accessing th...

Page 4: ...Enable and Enable Secret Passwords with Encryption 24 Disabling Password Recovery 26 Setting a Telnet Password for a Terminal Line 27 Configuring Username and Password Pairs 29 Setting the Privilege Level for a Command 31 Changing the Default Privilege Level for Lines 33 Logging into and Exiting a Privilege Level 34 Monitoring Switch Access 35 Configuration Examples for Setting Passwords and Privi...

Page 5: ... 50 Starting TACACS Accounting 52 Establishing a Session with a Router if the AAA Server is Unreachable 53 Monitoring TACACS 54 Additional References 54 Feature Information for TACACS 55 C H A P T E R 6 Configuring RADIUS 57 Finding Feature Information 57 Prerequisites for Configuring RADIUS 57 Restrictions for Configuring RADIUS 58 Information about RADIUS 59 RADIUS and Switch Access 59 RADIUS Ov...

Page 6: ...e RADIUS Server Host 83 Configuring RADIUS Login Authentication 86 Defining AAA Server Groups 88 Configuring RADIUS Authorization for User Privileged Access and Network Services 90 Starting RADIUS Accounting 92 Establishing a Session with a Router if the AAA Server is Unreachable 93 Configuring Settings for All RADIUS Servers 93 Configuring the Switch to Use Vendor Specific RADIUS Attributes 95 Co...

Page 7: ...Finding Feature Information 113 Prerequisites for Configuring Secure Shell 113 Restrictions for Configuring Secure Shell 114 Information about SSH 114 SSH and Switch Access 115 SSH Servers Integrated Clients and Supported Versions 115 SSH Configuration Guidelines 115 Secure Copy Protocol Overview 116 Secure Copy Protocol 116 How to Configure SSH 117 Setting Up the Switch to Run SSH 117 Configuring...

Page 8: ...ng IPv4 Access Control Lists 140 Information about Network Security with ACLs 141 Cisco TrustSec and ACLs 141 ACL Overview 141 Access Control Entries 142 ACL Supported Types 142 Supported ACLs 142 ACL Precedence 142 Port ACLs 143 Router ACLs 144 VLAN Maps 145 ACEs and Fragmented and Unfragmented Traffic 145 ACEs and Fragmented and Unfragmented Traffic Examples 146 ACLs and Switch Stacks 146 Active...

Page 9: ...ACLs 163 Applying an IPv4 ACL to a Terminal Line 165 Applying an IPv4 ACL to an Interface 167 Creating Named MAC Extended ACLs 168 Applying a MAC ACL to a Layer 2 Interface 170 Configuring VLAN Maps 172 Creating a VLAN Map 174 Applying a VLAN Map to a VLAN 176 Configuring VACL Logging 177 Monitoring IPv4 ACLs 179 Configuration Examples for ACLs 180 Examples Using Time Ranges with ACLs 180 Examples...

Page 10: ...AN 190 Example Denying Access to a Server on Another VLAN 190 Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs 191 Example ACLs and Switched Packets 191 Example ACLs and Bridged Packets 192 Example ACLs and Routed Packets 193 Example ACLs and Multicast Packets 193 Additional References 194 Feature Information for IPv4 Access Control Lists 195 C H A P T E R 1 1 Configuring IPv6 ...

Page 11: ...DHCP Server Database 226 Monitoring DHCP Snooping Information 226 Configuring DHCP Server Port Based Address Allocation 226 Information About Configuring DHCP Server Port Based Address Allocation 226 Default Port Based Address Allocation Configuration 227 Port Based Address Allocation Configuration Guidelines 227 Enabling the DHCP Snooping Binding Database Agent 227 Enabling DHCP Server Port Based...

Page 12: ...es 249 Configuring ARP ACLs for Non DHCP Environments 249 Configuring Dynamic ARP Inspection in DHCP Environments 252 Limiting the Rate of Incoming ARP Packets 255 Performing Dynamic ARP Inspection Validation Checks 257 Monitoring DAI 259 Verifying the DAI Configuration 260 Additional References 260 C H A P T E R 1 5 Configuring IEEE 802 1x Port Based Authentication 263 Finding Feature Information...

Page 13: ...N 283 802 1x Authentication with Restricted VLAN 284 802 1x Authentication with Inaccessible Authentication Bypass 285 Inaccessible Authentication Bypass Support on Multiple Authentication Ports 285 Inaccessible Authentication Bypass Authentication Results 286 Inaccessible Authentication Bypass Feature Interactions 286 802 1x Critical Voice VLAN 287 802 1x User Distribution 287 802 1x User Distrib...

Page 14: ...ch to RADIUS Server Communication 309 Configuring the Host Mode 311 Configuring Periodic Re Authentication 312 Changing the Quiet Period 313 Changing the Switch to Client Retransmission Time 314 Setting the Switch to Client Frame Retransmission Number 316 Setting the Re Authentication Number 317 Enabling MAC Move 318 Enabling MAC Replace 319 Configuring 802 1x Accounting 321 Configuring a Guest VL...

Page 15: ...ntication Configuration to the Default Values 355 Monitoring 802 1x Statistics and Status 356 Additional References 357 Feature Information for 802 1x Port Based Authentication 358 C H A P T E R 1 6 Configuring Web Based Authentication 359 Finding Feature Information 359 Web Based Authentication Overview 359 Device Roles 360 Host Detection 361 Session Creation 361 Authentication Process 362 Local ...

Page 16: ...sed Authentication without SVI 384 Configuring Web Based Authentication with VRF Aware 385 Removing Web Based Authentication Cache Entries 387 Monitoring Web Based Authentication Status 387 Feature Information for Web Based Authentication 388 C H A P T E R 1 7 Configuring Port Based Traffic Control 389 Overview of Port Based Traffic Control 390 Finding Feature Information 390 Information About Sto...

Page 17: ...6 Information About Port Security 406 Port Security 406 Types of Secure MAC Addresses 406 Sticky Secure MAC Addresses 407 Security Violations 407 Port Security Aging 408 Port Security and Switch Stacks 408 Default Port Security Configuration 409 Port Security Configuration Guidelines 409 Overview of Port Based Traffic Control 411 How to Configure Port Security 411 Enabling and Configuring Port Sec...

Page 18: ...king 429 How to Configure Port Blocking 429 Blocking Flooded Traffic on an Interface 429 Monitoring Port Blocking 431 Where to Go Next 431 Additional References 431 Feature Information 432 Configuration Examples for Port Security 432 Additional References 433 Finding Feature Information 434 Information About Protocol Storm Protection 434 Protocol Storm Protection 434 Default Protocol Storm Protect...

Page 19: ...Policy to a Layer 2 EtherChannel Interface 452 How to Attach an IPv6 Neighbor Discovery Inspection Policy to VLANs Globally 453 How to Configure an IPv6 Router Advertisement Guard Policy 454 How to Attach an IPv6 Router Advertisement Guard Policy to an Interface 456 How to Attach an IPv6 Router Advertisement Guard Policy to a Layer 2 EtherChannel Interface 458 How to Configure an IPv6 DHCP Guard P...

Page 20: ...Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX xx OL 29048 01 Contents ...

Page 21: ...ld font bold font Document titles new or emphasized terms and arguments for which you supply values are in italic font Italic font Terminal sessions and information the system displays appear in courier font Courier font Bold Courier font indicates text that the user must enter Bold Courier font Elements in square brackets are optional x An ellipsis three consecutive nonbolded periods without spac...

Page 22: ...Notes contain helpful suggestions or references to material not covered in the manual Note Means the following information will help you solve a problem Tip Means reader be careful In this situation you might do something that could result in equipment damage or loss of data Caution Means the described action saves time You can save time by performing the action described in the paragraph Timesave...

Page 23: ...hat s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at http www cisco com c en us td docs general whatsnew whatsnew html Subscribe to the What s New in Cisco Product Documentation as a Really Simple Syndication RSS feed and set content to be delivered directly to your desktop using a reader application The RSS feeds are a free service and Cis...

Page 24: ...Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX xxiv OL 29048 01 Preface Obtaining Documentation and Submitting a Service Request ...

Page 25: ...ommands which show the current configuration status and clear commands which clear counters or interfaces The user EXEC commands are not saved when the switch reboots To have access to all commands you must enter privileged EXEC mode Normally you must enter a password to enter privileged EXEC mode From this mode you can enter any privileged EXEC command or enter global configuration mode Using the...

Page 26: ...ed EXEC mode enter the configure command Global configuration Use this mode to configure VLAN parameters When VTP mode is transparent you can create extended range VLANs VLAN IDs greater than 1005 and save configurations in the switch startup configuration file To exit to global configuration mode enter the exit command To return to privileged EXEC mode press Ctrl Z or enter end Switch config vlan...

Page 27: ...nds Almost every configuration command also has a no form In general use the no form to disable a feature or function or reverse the action of a command For example the no shutdown interface configuration command reverses the shutdown of an interface Use the command without the keyword no to reenable a disabled feature or to enable a feature that is disabled by default Configuration commands can a...

Page 28: ...and appear You entered the command incorrectly The caret marks the point of the error Invalid input detected at marker Configuration Logging You can log and view changes to the switch configuration You can use the Configuration Change Logging and Notification feature to track changes on a per session and per user basis The logger tracks each configuration command that is applied the user who enter...

Page 29: ...Completes a partial command name abbreviated command entry Tab Example Switch sh conf tab Switch show configuration Step 3 Lists all commands available for a particular command mode Example Switch Step 4 Lists the associated keywords for a command command Example Switch show Step 5 Lists the associated arguments for a keyword command keyword Example Switch config cdp holdtime 10 255 Length of time...

Page 30: ...ry size number of lines DETAILED STEPS Purpose Command or Action Changes the number of command lines that the switch records during the current terminal session in privileged EXEC mode You can configure the size from 0 to 256 terminal history size number of lines Example Switch terminal history size 200 Step 1 Recalling Commands To recall commands from the history buffer perform one of the actions...

Page 31: ...history global configuration command and the history line configuration command Disabling the Command History Feature The command history feature is automatically enabled You can disable it for the current terminal session or for the command line This procedure is optional SUMMARY STEPS 1 terminal no history DETAILED STEPS Purpose Command or Action Disables the feature during the current terminal ...

Page 32: ...g Commands Description Editing Commands Moves the cursor back one character Ctrl B or use the left arrow key Moves the cursor forward one character Ctrl F or use the right arrow key Moves the cursor to the beginning of the command line Ctrl A Moves the cursor to the end of the command line Ctrl E Moves the cursor back one word Esc B Moves the cursor forward one word Esc F Transposes the character ...

Page 33: ...ey Scrolls down one screen Space bar Redisplays the current command line if the switch suddenly sends a message to your screen Ctrl L or Ctrl R Editing Command Lines That Wrap You can use a wraparound feature for commands that extend beyond a single line on the screen When the cursor reaches the right margin the command line shifts ten spaces to the left You cannot see the first ten characters of ...

Page 34: ...ess list 101 permit tcp 10 15 22 25 255 255 255 0 10 15 2 The dollar sign appears at the end of the line to show that the line has been scrolled to the right Execute the commands Return key Step 3 The software assumes that you have a terminal screen that is 80 columns wide If you have a different width use the terminal width privileged EXEC command to set the width of your terminal Use line wrappi...

Page 35: ...witch stack Note If you want to configure a specific stack member port you must include the stack member number in the CLI command interface notation Accessing the CLI Through a Console Connection or Through Telnet Before you can access the CLI you must connect a terminal or a PC to the switch console or connect a PC to the Ethernet management port and then power on the switch as described in the ...

Page 36: ...H sessions After you connect through the console port through the Ethernet management port through a Telnet session or through an SSH session the user EXEC prompt appears on the management station Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 12 OL 29048 01 Using the Command Line Interface Accessing the CLI Through a Console Connection or Through Telnet ...

Page 37: ...ticated using a web browser To use Web Authentication the switch must be running the LAN Base image Note Local Web Authentication Banner A custom banner or an image file displayed at a web authentication login screen IEEE 802 1x Authentication with ACLs and the RADIUS Filter Id Attribute To use Web Authentication the switch must be running the LAN Base image Note Password protected access read onl...

Page 38: ...y not relaying invalid ARP requests and responses to other ports in the same VLAN IEEE 802 1x port based authentication to prevent unauthorized devices clients from gaining access to the network These 802 1x features are supported Multidomain authentication MDA to allow both a data device and a voice device such as an IP phone Cisco or non Cisco to independently authenticate on the same IEEE 802 1...

Page 39: ...ice aware 802 1x authentication the switch must be running the LAN Base image Note MAC authentication bypass MAB to authorize clients based on the client MAC address To use MAC authentication bypass the switch must be running the LAN Base image Note Network Admission Control NAC Layer 2 802 1x validation of the antivirus condition or posture of endpoint systems or clients before granting the devic...

Page 40: ...tication and apply to the new policies IEEE 802 1x User Distribution to allow deployments with multiple VLANs for a group of users to improve scalability of the network by load balancing users across different VLANs Authorized users are assigned to the least populated VLAN in the group assigned by RADIUS server Support for critical VLAN with multiple host authentication so that when a port is conf...

Page 41: ... the network through a serial port or connect through a terminal or workstation from within the local network To prevent unauthorized access into your switch you should configure one or more of these security features At a minimum you should configure passwords and privileges at each switch port These passwords are locally stored on the switch When users attempt to access the switch through a port...

Page 42: ...ssful attempts are made For more information see the Cisco IOS Login Enhancements documentation Related Topics Configuring Username and Password Pairs on page 29 TACACS and Switch Access on page 41 Setting a Telnet Password for a Terminal Line on page 27 Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 18 OL 29048 01 Preventing Unauthorized Access Preventing Unauthor...

Page 43: ...se To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not re...

Page 44: ...ional layer of security particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol TFTP server you can use either the enable password or enable secret global configuration commands Both commands accomplish the same thing that is you can establish an encrypted password that users must enter to access privileged EXEC mode the default or any privilege lev...

Page 45: ... re enable password recovery use the service password recovery global configuration command Related Topics Disabling Password Recovery on page 26 Restrictions for Controlling Switch Access with Passwords and Privileges on page 19 Terminal Line Telnet Configuration When you power up your switch for the first time an automatic setup program runs to assign IP information and to create a default confi...

Page 46: ... level 2 security and distribute the level 2 password fairly widely But if you want more restricted access to the configure command you can assign it level 3 security and distribute that password to a more restricted group of users Command Privilege Levels When you set a command to a privilege level all commands whose syntax is a subset of that command are also set to that level For example if you...

Page 47: ...r password specify a string from 1 to 25 alphanumeric characters The string cannot start with a number is case sensitive and allows spaces but secret321 ignores leading spaces It can contain the question mark character if you precede the question mark with the key combination Crtl v when you create the password for example to create the password abc 123 do this 1 Enter abc 2 Enter Crtl v 3 Enter 1...

Page 48: ... these steps to establish an encrypted password that users must enter to access privileged EXEC mode the default or any privilege level you specify SUMMARY STEPS 1 enable 2 configure terminal 3 Use one of the following enable password level level password encryption type encrypted password enable secret level level password encryption type encrypted password 4 service password encryption 5 end 6 s...

Page 49: ... password example102 sensitive and allows spaces but ignores leading spaces By default no password is defined Optional For encryption type only type 5 a Cisco proprietary encryption algorithm is available If you specify or Switch config enable secret level 1 password secret123sample an encryption type you must provide an encrypted password an encrypted password that you copy from another switch co...

Page 50: ...recovery we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values Do not keep a backup copy of the configuration file on the switch If the switch is operating in VTP transparent mode we recommend that you also keep a backup copy of the VLAN database file on a secure server When ...

Page 51: ...user recovery switch all Returns to privileged EXEC mode end Example Switch config end Step 4 What to Do Next To remove disable password recovery use the no system disable password recovery switch all global configuration command Related Topics Password Recovery on page 21 Restrictions for Controlling Switch Access with Passwords and Privileges on page 19 Setting a Telnet Password for a Terminal L...

Page 52: ...sessions lines and enters line configuration mode line vty 0 15 Example Switch config line vty 0 15 Step 3 There are 16 possible sessions on a command capable Switch The 0 and 15 mean that you are configuring all 16 possible Telnet sessions Sets a Telnet password for the line or lines password password Step 4 Example Switch config line password abcxyz543 For password specify a string from 1 to 25 ...

Page 53: ...t Password for a Terminal Line on page 36 Configuring Username and Password Pairs Follow these steps to configure username and password pairs SUMMARY STEPS 1 enable 2 configure terminal 3 username name privilege level password encryption type password 4 Use one of the following line console 0 line vty 0 15 5 login local 6 end 7 show running config 8 copy running config startup config Catalyst 2960...

Page 54: ...e level the user has after gaining access The range is 0 to 15 Level 15 gives privileged EXEC mode access Level 1 gives user EXEC mode access For encryption type enter 0 to specify that an unencrypted password will follow Enter 7 to specify that a hidden password will follow For password specify the password the user must enter to gain access to the Switch The password must be from 1 to 25 charact...

Page 55: ...p config Example Switch copy running config Step 8 startup config Related Topics Preventing Unauthorized Access on page 17 Username and Password Pairs on page 21 Setting the Privilege Level for a Command Follow these steps to set the privilege level for a command SUMMARY STEPS 1 enable 2 configure terminal 3 privilege mode level level command 4 enable password level level password 5 end 6 copy run...

Page 56: ...ommand to which you want to restrict access Specifies the password to enable the privilege level enable password level level password Step 4 Example Switch config enable password level For level the range is from 0 to 15 Level 1 is for normal user EXEC mode privileges For password specify a string from 1 to 25 alphanumeric characters The string cannot start with a number is case sensitive 14 Secre...

Page 57: ...tep 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Selects the virtual terminal line on which to restrict access line vty line Example Switch config line vty 10 Step 3 Changes the default privilege level for the line privilege level level Step 4 Example Switch config privilege level 15 For level the range is from 0 to 15 Level 1 is for normal use...

Page 58: ... higher privilege level You might specify a high level or privilege level for your console line to restrict line usage Related Topics Privilege Levels on page 22 Logging into and Exiting a Privilege Level Beginning in user EXEC mode follow these steps to log into a specified privilege level and exit a specified privilege level SUMMARY STEPS 1 enable level 2 disable level DETAILED STEPS Purpose Com...

Page 59: ...ple shows how to change the enable password to l1u2c3k4y5 The password is not encrypted and provides access to level 15 traditional privileged EXEC mode access Switch config enable password l1u2c3k4y5 Related Topics Setting or Changing a Static Enable Password on page 22 Example Protecting Enable and Enable Secret Passwords with Encryption This example shows how to configure the encrypted password...

Page 60: ... to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands Switch config privilege exec level 14 configure Switch config enable password level 14 SecretPswd14 Related Topics Setting the Privilege Level for a Command on page 31 Privilege Levels on page 22 Additional References Error Message Decoder Link Description https www cisco com cgi bin Support Er...

Page 61: ...lving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Catal...

Page 62: ...Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 38 OL 29048 01 Controlling Switch Access with Passwords and Privilege Levels Additional References ...

Page 63: ... in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Prerequisites for TACACS The following are the prerequisites for set up and configuration of s...

Page 64: ...define the method lists for TACACS authentication You can optionally define method lists for TACACS authorization and accounting The method list defines the types of authentication to be performed and the sequence in which they are performed it must be applied to a specific port before any of the defined authentication methods are performed The only exception is the default method list which by co...

Page 65: ... Versions on page 115 TACACS Overview TACACS is a security application that provides centralized validation of users attempting to gain access to your switch TACACS provides for separate and modular authentication authorization and accounting facilities TACACS allows for a single access control server the TACACS daemon to provide each service authentication authorization and accounting independent...

Page 66: ...d messages to user screens For example a message could notify users that their passwords must be changed because of the company s password aging policy Authorization Provides fine grained control over user capabilities for the duration of the user s session including but not limited to setting autocommands access control session duration or protocol support You can also enforce restrictions on wha...

Page 67: ...thorization begins at this time REJECT The user is not authenticated The user can be denied access or is prompted to retry the login sequence depending on the TACACS daemon ERROR An error occurred at some time during authentication with the daemon or in the network connection between the daemon and the switch If an ERROR response is received the switch typically tries to use an alternative method ...

Page 68: ...ion methods to be queried to authenticate a user You can designate one or more security protocols to be used for authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method listed to authenticate users if that method fails to respond the software selects the next authentication method in the method list This process continues ...

Page 69: ...ult TACACS Configuration TACACS and AAA are disabled by default To prevent a lapse in security you cannot configure TACACS through a network management application When enabled TACACS can authenticate users accessing the switch through the CLI Although TACACS configuration is performed through the CLI the TACACS server authenticates HTTP connections that have been configured with a privilege level...

Page 70: ...imes to create a list of preferred tacacs server host hostname Example Switch config tacacs server host Step 3 hosts The software searches for hosts in the order in which you specify them For hostname specify the name or IP address of the host yourserver Enables AAA aaa new model Example Switch config aaa new model Step 4 Optional Defines the AAA server group with a group name aaa group server tac...

Page 71: ...TACACS Configuration Options on page 44 Configuring TACACS Login Authentication Follow these steps to configure TACACS login authentication Before You Begin To configure AAA authentication you define a named list of authentication methods and then apply that list to various ports To secure the switch for HTTP access by using AAA methods you must configure the switch with the ip http authentication...

Page 72: ... authentication login default list name method1 method2 Step 4 To create a default list that is used when a named list is not specified in the login authentication command use the default keyword followed Example Switch config aaa authentication by the methods that are to be used in default situations The default method list is automatically applied to all ports login default tacacs local For list...

Page 73: ...e database for authentication You must enter username information in the database by using the username name password global configuration command none Do not use any authentication for login Enters line configuration mode and configures the lines to which you want to apply the authentication list line console tty vty line number ending line number Example Switch config line 2 4 Step 5 Applies the...

Page 74: ...t restrict a user s network access to privileged EXEC mode Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured Note Follow these steps to specify TACACS authorization for privileged EXEC access and network services SUMMARY STEPS 1 enable 2 configure terminal 3 aaa authorization network tacacs 4 aaa authorization exec tacacs 5 end 6...

Page 75: ...privileged EXEC access aaa authorization exec tacacs Example Switch config aaa authorization exec tacacs Step 4 The exec keyword might return user profile information such as autocommand information Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies your entries show running config Example Switch show running config Step 6 Optional Saves your entries in the configuration...

Page 76: ... enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Enables TACACS accounting for all network related service requests aaa accounting network start stop tacacs Example Switch config aaa accounting network start stop Step 3 tacacs Enables TACACS accounting to send a start record accounting notice at the beginning of a...

Page 77: ...router if the AAA server is unreachable when the router reloads use the no aaa accounting system guarantee first command Related Topics TACACS Accounting on page 45 Establishing a Session with a Router if the AAA Server is Unreachable To establishing a session with a router if the AAA server is unreachable use the aaa accounting system guarantee first command It guarantees system accounting as the...

Page 78: ...r Session Aware networking Securing User Services Configuration Guide Library Cisco IOS XE Release 3SE Catalyst 3850 Switches http www cisco com en US docs ios xml ios security config_library xe 3se 3850 secuser xe 3se 3850 library html Configuring RADIUS TACACS Secure Shell 802 1X and AAA Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you...

Page 79: ... Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature Information for TACACS Feature Information Release This feature was introduced Cisco IOS 15 0 2 EX The Per VRF for TACACS Servers feature allows per virtual route forwarding per VRF to b...

Page 80: ...Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 56 OL 29048 01 Configuring TACACS Feature Information for TACACS ...

Page 81: ...elease To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is no...

Page 82: ...y the specified session For RADIUS operation Users must first successfully complete RADIUS authentication before proceeding to RADIUS authorization if it is enabled Related Topics RADIUS and Switch Access on page 59 RADIUS Operation on page 60 Restrictions for Configuring RADIUS This topic covers restrictions for controlling Switch access with RADIUS General To prevent a lapse in security you cann...

Page 83: ...customized to work with the Kerberos security system Turnkey network security environments in which applications support the RADIUS protocol such as in an access environment that uses a smart card access control system In one case RADIUS has been used with Enigma s security cards to validates users and to grant access to network resources Networks already using RADIUS You can add a Cisco Switch co...

Page 84: ...ollowing responses from the RADIUS server ACCEPT The user is authenticated REJECT The user is either not authenticated and is prompted to re enter the username and password or access is denied CHALLENGE A challenge requires additional data from the user CHALLENGE PASSWORD A response requests the user to select a new password The ACCEPT or REJECT response is bundled with additional data that is use...

Page 85: ... of sessions from external AAA or policy servers The switch supports these per session CoA requests Session reauthentication Session termination Session termination with port shutdown Session termination with port bounce This feature is integrated with Cisco Secure Access Control Server ACS 5 1 The RADIUS interface is enabled by default on Catalyst switches However some basic configuration is requ...

Page 86: ...subscriber command disable host port Disable host port Cisco Avpair subscriber command session query Session query Cisco Avpair subscriber command reauthenticate Cisco Avpair subscriber reauthenticate type last or Cisco Avpair subscriber reauthenticate type rerun Session reauthenticate This is a standard disconnect request and does not require a VSA Session terminate Cisco AVpair interface templat...

Page 87: ...able shows the possible values for the Error Cause attribute Table 9 Error Cause Values Explanation Value Residual Session Context Removed 201 Invalid EAP Packet Ignored 202 Unsupported Attribute 401 Missing Attribute 402 NAS Identification Mismatch 403 Invalid Request 404 Unsupported Service 405 Unsupported Extension 406 Invalid Attribute Value 407 Administratively Prohibited 501 Request Not Rout...

Page 88: ...ributes VSAs Related Topics CoA Request Commands on page 65 Session Identification For disconnect and CoA requests targeted at a particular session the switch locates the session based on one or more of the following attributes Acct Session Id IETF attribute 44 Audit Session Id Cisco VSA Calling Station Id IETF attribute 31 which contains the host MAC address IPv6 Attributes which can be one of th...

Page 89: ...Related Topics CoA Disconnect Request on page 67 CoA Request Disable Host Port on page 67 CoA Request Bounce Port on page 68 CoA ACK Response Code If the authorization state is changed successfully a positive acknowledgment ACK is sent The attributes returned within CoA ACK will vary based on the CoA Request and are discussed in individual CoA Commands CoA NAK Response Code A negative acknowledgme...

Page 90: ... for the initial successful authentication If session authentication is in progress when the switch receives the command the switch terminates the process and restarts the authentication sequence starting with the method configured to be attempted first If the session is not yet authorized or is authorized via guest VLAN or critical VLAN or similar policies the reauthentication message restarts th...

Page 91: ... is re sent from the client If the session is not found following re sending a Disconnect ACK is sent with the Session Context Not Found error code attribute Related Topics Session Identification on page 64 CoA Request Disable Host Port The RADIUS server CoA disable port command administratively shuts down the authentication port that is hosting a session resulting in session termination This comm...

Page 92: ...n is located the switch disables the hosting port for a period of 10 seconds re enables it port bounce and returns a CoA ACK If the switch fails before returning a CoA ACK to the client the process is repeated on the new active switch when the request is re sent from the client If the switch fails after returning a CoA ACK message to the client but before the operation has completed the operation ...

Page 93: ...the port is disabled after stack master change over based on the original command which is subsequently removed If the stack master fails before sending a CoA ACK message the new stack master treats the re sent command as a new command Default RADIUS Configuration RADIUS and AAA are disabled by default To prevent a lapse in security you cannot configure RADIUS through a network management applicat...

Page 94: ... methods are performed The only exception is the default method list The default method list is automatically applied to all ports except those that have a named method list explicitly defined A method list describes the sequence and authentication methods to be queried to authenticate a user You can designate one or more security protocols to be used for authentication thus ensuring a backup syst...

Page 95: ...vity to the RADIUS security server in the form of accounting records Each accounting record contains accounting attribute value AV pairs and is stored on the security server You can then analyze the data for network management client billing or auditing Related Topics Starting RADIUS Accounting on page 92 Vendor Specific RADIUS Attributes The Internet Engineering Task Force IETF draft standard spe...

Page 96: ...SAs see RFC 2138 Remote Authentication Dial In User Service RADIUS Attribute 26 contains the following three elements Type Length String also known as data Vendor Id Vendor Type Vendor Length Vendor Data The figure below shows the packet format for a VSA encapsulated behind attribute 26 Figure 3 VSA Encapsulated Behind Attribute 26 It is up to the vendor to specify the format of their VSA The Attr...

Page 97: ...bute Description of the attribute Description Table 12 Vendor Specific RADIUS IETF Attributes Description Attribute Sub Type Number Vendor Specific Company Code Number MS CHAP Attributes Contains the response value provided by a PPP MS CHAP user in response to the challenge It is only used in Access Request packets This attribute is identical to the PPP CHAP Identifier RFC 2548 MSCHAP Response 1 3...

Page 98: ...t when no data has been sent on a tunnel for the number of seconds configured here l2tp hello interval 1 9 26 When enabled sensitive AVPs in L2TP control messages are scrambled or hidden l2tp hidden avp 1 9 26 Specifies the number of seconds that a tunnel will stay active with no sessions before timing out and shutting down l2tp nosession timeout 1 9 26 Copies the IP ToS field from the IP header o...

Page 99: ...e id or the mmoip aaa send id commands Fax Account Id Origin 3 9 26 Indicates a unique fax message identification number assigned by Store and Forward Fax Fax Msg Id 4 9 26 Indicates the number of pages transmitted or received during this fax session This page count includes cover pages Fax Pages 5 9 26 Indicates whether or not a cover page was generated by the off ramp gateway for this fax sessio...

Page 100: ...he number of recipients for this fax transmission Until e mail servers support Session mode the number should be 1 Fax Recipient Count 9 9 26 Indicates that the fax session was aborted or successful True means that the session was aborted false means that the session was successful Fax Process Abort Flag 10 9 26 Indicates the address to which DSNs will be sent Fax Dsn Address 11 9 26 Indicates whe...

Page 101: ...fax mail message Email Server Address 16 9 26 Indicates that the on ramp gateway has received a positive acknowledgment from the e mail server accepting the fax mail message Email Server Ack Flag 17 9 26 Indicates the name of the gateway that processed the fax session The name appears in the following format hostname domain name Gateway Id 18 9 26 Describes the type of fax activity fax receive or ...

Page 102: ... the setup time for this connection in Coordinated Universal Time UTC formerly known as Greenwich Mean Time GMT and Zulu time Setup Time h323 setup time 25 9 26 Indicates the origin of the call relative to the gateway Possible values are originating and terminating answer Call Origin h323 call origin 26 9 26 Indicates call leg type Possible values are telephony and VoIP Call Type h323 call type 27...

Page 103: ...dialstring 1 9 26 No description available data service 1 9 26 Defines the number to dial dial number 1 9 26 Determines whether the network access server uses only the 56 K portion of a channel even when all 64 K appear to be available force 56 1 9 26 Allows the user profile to reference information configured in a map class of the same name on the network access server that dials out map class 1 ...

Page 104: ...ation but also for inbound authentication For a CHAP inbound case the NAS will use the name defined in preauth send name in the challenge packet to the caller box The send name attribute has changed over time Initially it performed the functions now provided by both the send name and remote name attributes Because the remote name attribute has been added the send name attribute is restricted to it...

Page 105: ...l be used in the response packet send secret 1 9 26 Provides the name of the remote host for use in large scale dial out Dialer checks that the large scale dial out remote name matches the authenticated name to protect against accidental user RADIUS misconfiguration For example dialing a valid phone number but connecting to the wrong device remote name 1 9 26 Miscellaneous Attributes Catalyst 2960...

Page 106: ...Accounting but may also be used in Authentication Access Request packets Note Cisco NAS Port 2 9 26 Sets the minimum number of links for MLP min links 1 9 26 Allows users to configure the downloadable user profiles dynamic ACLs by using the authentication proxy feature so that users can have the configured authorization to permit traffic going through the configured interfaces proxyacl n 1 9 26 Ca...

Page 107: ...RADIUS server some vendors have extended the RADIUS attribute set in a unique way Cisco IOS software supports a subset of vendor proprietary RADIUS attributes As mentioned earlier to configure RADIUS whether vendor proprietary or IETF draft compliant you must specify the host running the RADIUS server daemon and the secret text string it shares with the switch You specify the RADIUS host and secre...

Page 108: ...t retries key string 4 end 5 show running config 6 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Specifies the IP address or hostname of the remote RADIUS server host radius se...

Page 109: ...t the end of the key are used If you use spaces in your key do not enclose the key in quotation marks unless the quotation marks are part of the key Note To configure the Switch to recognize more than one host entry associated with a single IP address enter this command as many times as necessary making sure that each UDP port number is different The Switch software searches for hosts in the order...

Page 110: ...method2 5 line console tty vty line number ending line number 6 login authentication default list name 7 end 8 show running config 9 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step...

Page 111: ...u can use this authentication method you must define a line password Use the password password line configuration command local Use the local username database for authentication You must enter username information in the database Use the username name password global configuration command local case Use a case sensitive local username database for authentication You must enter username informatio...

Page 112: ...p server configuration command to associate a particular server with a defined group server You can either identify the server by its IP address or identify multiple host instances or entries by using the optional auth port and acct port keywords Follow these steps to define AAA server groups SUMMARY STEPS 1 enable 2 configure terminal 3 radius server name 4 address ipv4 ipv6 ip address hostname a...

Page 113: ...ing and authentication parameters address ipv4 ipv6 ip address hostname auth port port number acct port port number Example Switch config radius server address ipv4 Step 4 10 1 1 1 auth port 1645 acct port 1646 Specifies the authentication and encryption key for all RADIUS communications between the device and the RADIUS server key string Example Switch config radius server key cisco123 Step 5 Exi...

Page 114: ...n if authorization has been configured Note Follow these steps to configure RADIUS authorization for user priviledged access and network services SUMMARY STEPS 1 enable 2 configure terminal 3 aaa authorization network radius 4 aaa authorization exec radius 5 end 6 show running config 7 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter yo...

Page 115: ...your entries show running config Example Switch show running config Step 6 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 7 What to Do Next You can use the aaa authorization global configuration command with the radius keyword to set parameters that restrict a user s network access to privileged EXEC m...

Page 116: ...the global configuration mode configure terminal Example Switch configure terminal Step 2 Enables RADIUS accounting for all network related service requests aaa accounting network start stop radius Example Switch config aaa accounting network start stop Step 3 radius Enables RADIUS accounting to send a start record accounting notice at the beginning of a privileged EXEC process and a stop record a...

Page 117: ... is unreachable when the router reloads use the no aaa accounting system guarantee first command Related Topics RADIUS Accounting on page 71 Establishing a Session with a Router if the AAA Server is Unreachable The aaa accounting system guarantee first command guarantees system accounting as the first record which is the default condition In some situations users might be prevented from starting a...

Page 118: ..._server_key Switch config key your_server_key Specifies the number of times the switch sends each RADIUS request to the server before giving up The default is 3 the range 1 to 1000 radius server retransmit retries Example Switch config radius server retransmit Step 3 5 Specifies the number of seconds a switch waits for a reply to a RADIUS request before resending the request The default is 5 secon...

Page 119: ...page 69 Configuring the Switch to Use Vendor Specific RADIUS Attributes Follow these steps to configure the switch to use vendor specific RADIUS attributes SUMMARY STEPS 1 enable 2 configure terminal 3 radius server vsa send accounting authentication 4 end 5 show running config 6 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your pas...

Page 120: ...f recognized vendor specific attributes to only authentication attributes If you enter this command without keywords both accounting and authentication vendor specific attributes are used Returns to privileged EXEC mode end Example Switch config end Step 4 Verifies your entries show running config Example Switch show running config Step 5 Optional Saves your entries in the configuration file copy ...

Page 121: ...y implementation of RADIUS radius server host hostname ip address non standard Example Switch config radius server host Step 3 172 20 30 15 non standard Specifies the shared secret text string used between the switch and the vendor proprietary RADIUS server The switch and the RADIUS radius server key string Example Switch config radius server key rad124 Step 4 server use this text string to encryp...

Page 122: ...ation file copy running config startup config Example Switch copy running config Step 7 startup config Related Topics Vendor Proprietary RADIUS Server Communication on page 83 Configuring CoA on the Switch Follow these steps to configure CoA on a switch This procedure is required Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 98 OL 29048 01 Configuring RADIUS Confi...

Page 123: ...and or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Enables AAA aaa new model Example Switch config aaa new model Step 3 Configures the switch as an authentication authorization and accounting AAA server to facilitate interaction with an extern...

Page 124: ...Optional Configures the switch to ignore the server key ignore server key Step 10 Example Switch config sg radius ignore For more information about the ignore command see the Cisco IOS Intelligent Services Gateway Command Reference on Cisco com server key Optional Configures the switch to ignore a CoA request to temporarily disable the port hosting a session The purpose of authentication command b...

Page 125: ...DIUS servers in a server group For more information see the RADIUS Server Load Balancing chapter of the Cisco IOS Security Configuration Guide Release 12 4 Monitoring CoA Functionality Table 13 Privileged EXEC show Commands Purpose Command Displays AAA attributes of RADIUS commands show aaa attributes protocol radius Table 14 Global Troubleshooting Commands Purpose Command Displays information for...

Page 126: ...ation and accounting Switch config radius server host host1 Example Using Two Different RADIUS Group Servers In this example the switch is configured to recognize two different RADIUS group servers group1 and group2 Group1 has two different host entries on the same RADIUS server configured for the same services The second host entry acts as a fail over backup to the first entry Switch config radiu...

Page 127: ... duration of this connection cisco avpair ip inacl 1 deny ip 10 10 10 10 0 0 255 255 20 20 20 20 255 255 0 0 cisco avpair ip inacl 2 deny ip 10 10 10 10 0 0 255 255 any cisco avpair mac inacl 3 deny any any decnet iv This example shows how to apply an output ACL in ASCII format to an interface for the duration of this connection cisco avpair ip outacl 2 deny ip 10 10 10 10 0 0 255 255 any Example ...

Page 128: ...config_library xe 3se 3850 secuser xe 3se 3850 library html Configuring RADIUS TACACS Secure Shell 802 1X and AAA Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool Standards and RFCs Title Standard RFC MIBs MIBs Link MIB To locate and download MI...

Page 129: ...isco IOS 15 0 2 EX The RADIUS Progress Codes feature adds additional progress codes to RADIUS attribute 196 Ascend Connect Progress which indicates a connection state before a call is disconnected through progress codes Cisco IOS 15 2 1 E The Enhanced Test Command feature allows a named user profile to be created with calling line ID CLID or Dialed Number Identification Service DNIS attribute valu...

Page 130: ...Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 106 OL 29048 01 Configuring RADIUS Feature Information for RADIUS ...

Page 131: ...features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required How to Configure Local Aut...

Page 132: ...show running config 10 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Enables AAA aaa new model Example Switch config aaa new model Step 3 Sets the login authentication to use t...

Page 133: ...ege 1 password 7 secret567 Optional For level specify the privilege level the user has after gaining access The range is 0 to 15 Level 15 gives privileged EXEC mode access Level 0 gives user EXEC mode access For encryption type enter 0 to specify that an unencrypted password follows Enter 7 to specify that a hidden password follows For password specify the password the user must enter to gain acce...

Page 134: ...ion configuration use the show running config privileged EXEC command Additional References Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS releases and feature set...

Page 135: ...Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature Information for Local Authentication and Authorization Feature Information Release This feature was introduced Cisco IOS 15 0 2 EX Catalyst 2960 X Switch Security Configurat...

Page 136: ...lyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 112 OL 29048 01 Configuring Local Authentication and Authorization Feature Information for Local Authentication and Authorization ...

Page 137: ...each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Prerequisites for Configuring Secure Shell The following are the prerequisites for configuring the switc...

Page 138: ...ard DES 56 bit and 3DES 168 bit data encryption software In DES software images DES is the only encryption algorithm available In 3DES software images both DES and 3DES encryption algorithms are available The Switch supports the Advanced Encryption Standard AES encryption algorithm with a 128 bit key 192 bit key or 256 bit key However symmetric cipher AES to encrypt the keys is not supported This ...

Page 139: ... run on the switch The SSH server works with the SSH client supported in this release and with non Cisco SSH clients The SSH client works with publicly and commercially available SSH servers The SSH client supports the ciphers of Data Encryption Standard DES 3DES and password authentication The switch supports an SSHv1 or an SSHv2 server The switch supports an SSHv1 client The SSH client functiona...

Page 140: ...y r tools For SSH to work the switch needs an RSA public private key pair This is the same with SCP which relies on SSH for its secure transport Because SSH also relies on AAA authentication and SCP relies further on AAA authorization correct configuration is necessary Before enabling SCP you must correctly configure SSH authentication and authorization on the switch Because SCP relies on SSH for ...

Page 141: ...ning config 8 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Configures a hostname and IP domain name for your Switch hostname hostname Step 3 Example Switch config hostname you...

Page 142: ...akes longer to generate and to use Follow this procedure only if you are configuring the Switch as an SSH server Note Returns to privileged EXEC mode end Example Switch config end Step 6 Verifies your entries show running config Example Switch show running config Step 7 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config Step ...

Page 143: ...figure terminal Example Switch configure terminal Step 2 Optional Configures the Switch to run SSH Version 1 or SSH Version 2 ip ssh version 1 2 Example Switch config ip ssh version 1 Step 3 1 Configure the Switch to run SSH Version 1 2 Configure the Switch to run SSH Version 2 If you do not enter this command or do not specify a keyword the SSH server selects the latest SSH version supported by t...

Page 144: ...s Optional Configures the virtual terminal line settings Use one or both of the following Step 5 line vtyline_number ending_line_number Enters line configuration mode to configure the virtual terminal line settings For line_number and ending_line_number specify a pair of lines The range is 0 to 15 transport input ssh Specifies that the Switch prevent non SSH Telnet connections This limits the rout...

Page 145: ...ml Configuring Identity Control policies and Identity Service templates for Session Aware networking Securing User Services Configuration Guide Library Cisco IOS XE Release 3SE Catalyst 3850 Switches http www cisco com en US docs ios xml ios security config_library xe 3se 3850 secuser xe 3se 3850 library html Configuring RADIUS TACACS Secure Shell 802 1X and AAA Error Message Decoder Link Descript...

Page 146: ...nd Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature Information for SSH Feature Information Release This feature was introduced Cisco IOS 15 0 2 EX The Reverse SSH Enhancements feature which is supported for SSH Version 1 and 2 provides an alternative way to configure reverse Secure Shell SSH so that separate li...

Page 147: ...Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX OL 29048 01 123 Configuring Secure Shell SSH Feature Information for SSH ...

Page 148: ...Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 124 OL 29048 01 Configuring Secure Shell SSH Feature Information for SSH ...

Page 149: ...e feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information about Secure Sockets Layer SSL HTTP Secure HTTP Servers and Clients Overview On a secure HTTP connection data to and from an...

Page 150: ...notification that the certificate is self certified and the user has the opportunity to accept or reject the connection This option is useful for internal network topologies such as testing If you do not configure a CA trustpoint when you enable a secure HTTP connection either a temporary or a persistent self signed certificate for the secure HTTP server or client is automatically generated If the...

Page 151: ...ity Configuration Guide Release 12 4 CipherSuites A CipherSuite specifies the encryption algorithm and the digest algorithm to use on a SSL connection When connecting to the HTTPS server the client Web browser offers a list of supported CipherSuites and the client and server negotiate the best encryption algorithm to use from those on the list that are supported by both For example Netscape Commun...

Page 152: ...me do not support the four original cipher suites thus disallowing access to both web GUI and guest portals Note RSA in conjunction with the specified encryption and digest algorithm combinations is used for both key generation and authentication on SSL connections This usage is independent of whether or not a CA trustpoint is configured Default SSL Configuration The standard HTTP server is enable...

Page 153: ... end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the hostname of the switch required only if you have not previously configured a hostname The hostname is required for security keys and certificates hostname hostname Example Switch config hostname your_hostname Step 2 Specifies the IP domain nam...

Page 154: ...r enrollment http proxy host name port number Example Switch ca trustpoint enrollment Step 7 For host name specify the proxy server used to get the CA For port number specify the port number used to access the CA http proxy your_host 49 Configures the switch to request a certificate revocation list CRL to ensure that the certificate of the peer has not been revoked crl query url Example Switch ca ...

Page 155: ...rocedure to configure the CA trustpoint on the switch before enabling the HTTP server If you have not configured a CA trustpoint a self signed certificate is generated the first time that you enable the secure HTTP server After you have configured the server you can configure options path access list to apply maximum number of connections or timeout policy that apply to both standard and secure HT...

Page 156: ...in the output HTTP secure server capability Present show ip http server status Example Switch show ip http server status Step 1 or HTTP secure server capability Not present Enters global configuration mode configure terminal Example Switch configure terminal Step 2 Enables the HTTPS server if it has been disabled The HTTPS server is enabled by default ip http secure server Example Switch config ip...

Page 157: ...tep 7 Use of this command assumes you have already configured a CA trustpoint according to the previous procedure Note secure trustpoint your_trustpoint Optional Sets a base HTTP path for HTML files The path specifies the location of the HTTP server files on the local system usually located in system flash memory ip http path path name Example Switch config ip http path Step 8 your_server 80 Optio...

Page 158: ...P Client Beginning in privileged EXEC mode follow these steps to configure a secure HTTP client Before You Begin The standard HTTP client and secure HTTP client are always enabled A certificate authority is required for secure HTTP client certification This procedure assumes that you have previously configured a CA trustpoint on the switch If a CA trustpoint is not configured and the remote HTTPS ...

Page 159: ... des cbc sha Step 3 a reason to specify a particular CipherSuite you should allow the server and client to negotiate a CipherSuite that they both support This is the default Example Switch config ip http client secure ciphersuite rc4 128 md5 Returns to privileged EXEC mode end Example Switch config end Step 4 Monitoring Secure HTTP Server and Client Status To monitor the SSL secure server and clie...

Page 160: ...brary xe 3se 3850 secuser xe 3se 3850 library html Configuring RADIUS TACACS Secure Shell 802 1X and AAA Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool Standards and RFCs Title Standard RFC MIBs MIBs Link MIB To locate and download MIBs for se...

Page 161: ...services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature Information for Secure Socket Layer HTTP Feature Information Release This feature was introduced Cisco IOS 15 0 2 EX Catalyst 2960 X Switch Security Con...

Page 162: ...Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 138 OL 29048 01 Configuring Secure Socket Layer HTTP Feature Information for Secure Socket Layer HTTP ...

Page 163: ...ee Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Featur...

Page 164: ... such as SNMP Telnet or web traffic You do not have to enable routing to apply ACLs to Layer 2 interfaces By default the router sends Internet Control Message Protocol ICMP unreachable messages when a packet is denied by an access group on a Layer 3 interface These access group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP unreachable...

Page 165: ...upported on the Catalyst 3850 switches ACL Overview Packet filtering can help limit network traffic and restrict network use by certain users or devices ACLs filter traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or VLANs An ACL is a sequential collection of permit and deny conditions that apply to packets When a packet is received on an int...

Page 166: ...d and routed You can use VLAN maps to filter traffic between devices in the same VLAN VLAN maps are configured to provide access control based on Layer 3 addresses for IPv4 Unsupported protocols are access controlled through MAC addresses using Ethernet ACEs After a VLAN map is applied to a VLAN all packets routed or bridged entering the VLAN are checked against the VLAN map Packets can either ent...

Page 167: ...g IPv4 Access Control Lists on page 140 Port ACLs Port ACLs are ACLs that are applied to Layer 2 interfaces on a switch Port ACLs are supported only on physical interfaces and not on EtherChannel interfaces Port ACLs can be applied to the interface only in inbound direction The following access lists are supported Standard IP access lists using source addresses Extended IP access lists using sourc...

Page 168: ...terface If an IP access list or MAC access list is already configured on a Layer 2 interface and you apply a new IP access list or MAC access list to the interface the new ACL replaces the previously configured one Note Router ACLs You can apply router ACLs on switch virtual interfaces SVIs which are Layer 3 interfaces to VLANs on physical Layer 3 interfaces and on Layer 3 EtherChannel interfaces ...

Page 169: ... connected to this switch With VLAN maps forwarding of packets is permitted or denied based on the action specified in the map This shows how a VLAN map is applied to prevent a specific type of traffic from Host A in VLAN 10 from being forwarded You can apply only one VLAN map to a VLAN Figure 5 Using VLAN Maps to Control Traffic ACEs and Fragmented and Unfragmented Traffic IP packets can be fragm...

Page 170: ...packet is fragmented the first fragment matches the second ACE a deny because all Layer 3 and Layer 4 information is present The remaining fragments in the packet do not match the second ACE because they are missing Layer 4 information Instead they match the third ACE a permit Because the first fragment was denied host 10 1 1 2 cannot reassemble a complete packet so packet B is effectively denied ...

Page 171: ...ection of permit and deny conditions One by one the switch tests packets against the conditions in an access list The first match determines whether the switch accepts or rejects the packet Because the switch stops testing after the first match the order of the conditions is critical If no conditions match the switch denies the packet The software supports these types of ACLs or access lists for I...

Page 172: ... MAC address access list 700 799 No IPX standard access list 800 899 No IPX extended access list 900 999 No IPX SAP access list 1000 1099 No Extended 48 bit MAC address access list 1100 1199 No IPX summary address access list 1200 1299 Yes IP standard access list expanded range 1300 1999 Yes IP extended access list expanded range 2000 2699 In addition to numbered standard and extended ACLs you can...

Page 173: ... are creating ACEs in numbered extended access lists remember that after you create the ACL any additions are placed at the end of the list You cannot reorder the list or selectively add or remove ACEs from a numbered list The switch does not support dynamic or reflexive access lists It also does not support filtering based on the type of service ToS minimize monetary cost bit Some protocols also ...

Page 174: ...tional logging message about the packet to be sent to the console The level of messages logged to the console is controlled by the logging console commands controlling the syslog messages Because routing is done in hardware and logging is done in software if a large number of packets match a permit or deny ACE containing a log keyword the software might not be able to match the hardware processing...

Page 175: ...rolled in hardware Use the show platform acl counters hardware privileged EXEC command to obtain some basic hardware ACL statistics for switched and routed packets Router ACLs function as follows The hardware controls permit and deny actions of standard and extended ACLs input and output for security access control If log has not been specified the flows that match a deny statement in a security A...

Page 176: ... can define a VLAN map to access control the bridged traffic If a packet flow matches a VLAN map deny clause in the ACL regardless of the router ACL configuration the packet flow is denied When you use router ACLs with VLAN maps packets that require logging on the router ACLs are not logged if they are denied by a VLAN map Note If the VLAN map has a match clause for the type of packet IP or MAC an...

Page 177: ...umbered extended ACL task tables These are some benefits of using time ranges You have more control over permitting or denying a user access to resources such as an application identified by an IP address mask pair and a port number You can control logging messages ACL entries can be set to log traffic only at certain times of the day Therefore you can simply deny access without needing to analyze...

Page 178: ...ly an undefined ACL to an interface the switch acts as if the ACL has not been applied to the interface and permits all packets Remember this behavior if you use undefined ACLs for network security Related Topics Applying an IPv4 ACL to an Interface on page 167 Restrictions for Configuring IPv4 Access Control Lists on page 140 How to Configure ACLs Configuring IPv4 ACLs These are the steps to use ...

Page 179: ...nter deny or permit to specify whether to deny or permit access if conditions are matched The source is the source address of the network or host from which the packet is being sent specified as your_host The 32 bit quantity in dotted decimal format The keyword any as an abbreviation for source and source wildcard of 0 0 0 0 255 255 255 255 You do not need to enter a source wildcard The keyword ho...

Page 180: ...es in the configuration file copy running config startup config Example Switch copy running config Step 6 startup config Related Topics Configuring VLAN Maps on page 172 Creating a Numbered Extended ACL Follow these steps to create a numbered extended ACL Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 156 OL 29048 01 Configuring IPv4 ACLs Creating a Numbered Extend...

Page 181: ...figure terminal Example Switch configure terminal Step 1 Defines an extended IPv4 access list and the access conditions access list access list number deny permit protocol source source wildcard Step 2 The access list number is a decimal number from 100 to 199 or 2000 to 2699 destination destination wildcard precedence Enter deny or permit to specify whether to deny or permit the packet if conditi...

Page 182: ...access list and the access conditions access list access list number deny permit tcp source source wildcard operator port Step 3 The parameters are the same as those described for an extended IPv4 ACL with these exceptions destination destination wildcard operator port established precedence precedence Optional Enter an operator and port to compare source if positioned after source source wildcard...

Page 183: ...ce tos tos icmp type Enter to filter by ICMP message type a number from 0 to 255 fragments time range time range name dscp dscp Example Switch config access list 101 permit icmp code Enter to filter ICMP packets that are filtered by the ICMP message code type a number from 0 to 255 icmp message Enter to filter ICMP packets by the ICMP message type name or the ICMP message type and code name icmp a...

Page 184: ...nable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Defines a standard IPv4 access list using a name and enter access list configuration mode ip access list standard name Example Switch config ip access list standard 20 Step 3 The name can be a number from 1 to 99 In access list configuration mode specify one or more c...

Page 185: ... 0 0 0 Returns to privileged EXEC mode end Example Switch config std nacl end Step 5 Verifies your entries show running config Example Switch show running config Step 6 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 7 Creating Extended Named ACLs Follow these steps to create an extended ACL using names...

Page 186: ...ame Example Switch config ip access list extended 150 Step 3 The name can be a number from 100 to 199 In access list configuration mode specify the conditions allowed or denied Use the log keyword to get access list logging messages including violations deny permit protocol source source wildcard host source any destination destination wildcard host destination any precedence precedence tos tos es...

Page 187: ...P host address access list specification 0 0 0 0 is assumed to be the mask After you create an ACL any additions are placed at the end of the list You cannot selectively add ACL entries to a specific ACL However you can use no permit and no deny access list configuration mode commands to remove entries from a named ACL Being able to selectively remove lines from a named ACL is one reason you might...

Page 188: ...time range configuration time range time range name Example Switch config time range workhours Step 3 mode The name cannot contain a space or quotation mark and must begin with a letter Specifies when the function it will be applied to is operational Use one of the following Step 4 absolute start time date end time date You can use only one absolute statement in the time range If you configure mor...

Page 189: ...at to Do Next Repeat the steps if you have multiple items that you want in effect at different times Related Topics Time Ranges for ACLs on page 153 Applying an IPv4 ACL to a Terminal Line You can use numbered ACLs to control access to one or more terminal lines You cannot apply named ACLs to lines You must set identical restrictions on all the virtual terminal lines because a user can attempt to ...

Page 190: ...ne console 0 Step 3 console Specifies the console terminal line The console port is DCE vty Specifies a virtual terminal for remote console access The line number is the first line number in a contiguous group that you want to configure when the line type is specified The range is from 0 to 16 Restricts incoming and outgoing connections between a particular virtual terminal line into a device and ...

Page 191: ... interface interface id 3 ip access group access list number name in out 4 end 5 show running config 6 copy running config startup config DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Identifies a specific interface for configuration and enter interface configuration mode interface interface id Example Swit...

Page 192: ...p config Example Switch copy running config startup config Step 6 Related Topics IPv4 ACL Interface Considerations on page 153 Restrictions for Configuring IPv4 Access Control Lists on page 140 Creating Named MAC Extended ACLs You can filter non IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named MAC extended ACLs The procedure is similar to that of configuring other ...

Page 193: ...nded MAC access list configuration mode specifies to permit or deny any source MAC address a source MAC address deny permit any host source MAC address source MAC address mask any host destination Step 4 with a mask or a specific host source MAC address and any MAC address destination MAC address mask type destination MAC address destination MAC address with a mask or a specific destination MAC ad...

Page 194: ... EXEC mode end Example Switch config ext macl end Step 5 Verifies your entries show running config Example Switch show running config Step 6 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 7 Related Topics Restrictions for Configuring IPv4 Access Control Lists on page 140 Configuring VLAN Maps on page 1...

Page 195: ...s a specific interface and enter interface configuration mode The interface must be a physical Layer 2 interface port ACL interface interface id Example Switch config interface gigabitethernet1 0 2 Step 3 Controls access to the specified interface by using the MAC access list mac access group name in out Example Switch config if mac access group mac1 in Step 4 Port ACLs are supported in the outbou...

Page 196: ...permits it the switch continues to process the packet If the ACL rejects the packet the switch discards it When you apply an undefined ACL to an interface the switch acts as if the ACL has not been applied and permits all packets Remember this behavior if you use undefined ACLs for network security Related Topics Restrictions for Configuring IPv4 Access Control Lists on page 140 Configuring VLAN M...

Page 197: ...he action to drop A permit in the ACL counts as a match A deny in the ACL means no match Entering this command changes to access map configuration mode Match the packet using either the IP or MAC address against one or more standard or extended access lists Note that packets are only matched against match ip mac address name number name number Step 2 access lists of the correct protocol type IP pa...

Page 198: ...4 Creating a Numbered Extended ACL on page 156 Creating Named MAC Extended ACLs on page 168 Creating a VLAN Map on page 174 Applying a VLAN Map to a VLAN on page 176 Creating a VLAN Map Each VLAN map consists of an ordered series of entries Beginning in privileged EXEC mode follow these steps to create add to or delete a VLAN map entry SUMMARY STEPS 1 configure terminal 2 vlan access map name numb...

Page 199: ...o match Entering this command changes to access map configuration mode Match the packet using either the IP or MAC address against one or more standard or extended access lists Note that packets are only matched match ip mac address name number name number Step 3 against access lists of the correct protocol type IP packets are matched Example Switch config access map match ip against standard or e...

Page 200: ... terminal 3 vlan filter mapname vlan list list 4 end 5 show running config 6 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Applies the VLAN map to one or more VLAN IDs vlan fil...

Page 201: ... running config Step 5 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 6 Related Topics Configuring VLAN Maps on page 172 Configuring VACL Logging Beginning in privileged EXEC mode SUMMARY STEPS 1 configure terminal 2 vlan access map name number 3 action drop log 4 exit 5 vlan access log maxflow max_num...

Page 202: ...s map action Step 3 drop log Exits the VLAN access map configuration mode and return to the global configuration mode exit Example Switch config access map exit Step 4 Configures the VACL logging parameters vlan access log maxflow max_number threshold pkt_count Step 5 maxflow max_number Sets the log table size The content of the log table can be deleted by setting the maxflow to 0 When the log tab...

Page 203: ...ccess list numbered or named show access lists number name Displays the contents of all current IP access lists or a specific IP access list numbered or named show ip access lists number name Displays detailed configuration and status of an interface If IP is enabled on the interface and ACLs have been applied by using the ip access group interface configuration command the access groups are inclu...

Page 204: ...ny any time range new_year_day_2006 Switch config ext nacl exit Switch config ip access list extended may_access Switch config ext nacl permit tcp any any time range workhours Switch config ext nacl end Switch show ip access lists Extended IP access list lpip_default 10 permit ip any any Extended IP access list deny_access 10 deny tcp any any time range new_year_day_2006 inactive Extended IP acces...

Page 205: ... lt or range on TCP UDP or SCTP port numbers Use one of these workarounds Modify the ACL configuration to use fewer resources Rename the ACL with a name or number that alphanumerically precedes the ACL names or numbers To determine the specialized hardware resources enter the show platform layer4 acl map privileged EXEC command If the switch does not have available resources the output shows that ...

Page 206: ...tailed information about compiling ACLs see the Cisco IOS Security Configuration Guide Release 12 4 and to the Configuring IP Services section in the IP Addressing and Services chapter of the Cisco IOS IP Configuration Guide Release 12 4 ACLs in a Small Networked Office This shows a small networked office environment with routed Port 2 connected to Server A containing benefits and other informatio...

Page 207: ...ended IP access list 106 10 permit ip any 172 20 128 64 0 0 0 31 Switch config interface gigabitethernet1 0 1 Switch config if ip access group 106 in Example Numbered ACLs In this example network 36 0 0 0 is a Class A network whose second octet specifies a subnet that is its subnet mask is 255 255 0 0 The third and fourth octets of a network 36 0 0 0 address specify a particular host Using access ...

Page 208: ...gram has the ACK or RST bits set which show that the packet belongs to an existing connection Gigabit Ethernet interface 1 on stack member 1 is the interface that connects the router to the Internet Switch config access list 102 permit tcp any 128 88 0 0 0 0 255 255 established Switch config access list 102 permit tcp any host 128 88 1 2 eq 25 Switch config interface gigabitethernet1 0 1 Switch co...

Page 209: ... config ext nacl permit udp any any time range udp yes Switch config ext nacl exit Switch config interface gigabitethernet2 0 1 Switch config if ip access group strict in Examples Configuring Commented IP ACL Entries In this example of a numbered ACL the workstation that belongs to Jones is allowed access and the workstation that belongs to Smith is not allowed access Switch config access list 1 r...

Page 210: ...logging level debugging 39 message lines logged Log Buffer 4096 bytes 00 00 48 NTP authentication delay calculation problems output truncated 00 09 34 SEC 6 IPACCESSLOGS list stan1 permitted 0 0 0 0 1 packet 00 09 59 SEC 6 IPACCESSLOGS list stan1 denied 10 1 1 15 1 packet 00 10 11 SEC 6 IPACCESSLOGS list stan1 permitted 0 0 0 0 1 packet This example is a named extended access list ext1 that permit...

Page 211: ...1 10 Switch config access map match ip address ip1 Switch config access map action drop Example Creating an ACL and a VLAN Map to Permit a Packet This example shows how to create a VLAN map to permit a packet ACL ip2 permits UDP packets and any packets that match the ip2 ACL are forwarded In this map any IP packets that did not match any of the previous ACLs that is packets that are not TCP packet...

Page 212: ...00 0c00 0211 Forward MAC packets with decnet iv or vines ip protocols Drop all other non IP packets Forward all IP packets Switch config mac access list extended good hosts Switch config ext macl permit host 000 0c00 0111 any Switch config ext macl permit host 000 0c00 0211 any Switch config ext nacl exit Switch config action forward Switch config ext macl mac access list extended good protocols S...

Page 213: ...connected to wiring closet switches A and C Traffic from Host X to Host Y is eventually being routed by Switch B a Layer 3 switch with routing enabled Traffic from Host X to Host Y can be access controlled at the traffic entry point Switch A Figure 7 Wiring Closet Configuration If you do not want HTTP traffic switched from Host X to Host Y you can configure a VLAN map on Switch A to drop all HTTP ...

Page 214: ...stricting Access to a Server on Another VLAN You can restrict access to a server on another VLAN For example server 10 1 1 100 in VLAN 10 needs to have access denied to these hosts Hosts in subnet 10 1 2 0 8 in VLAN 20 should not have access Hosts 10 1 1 4 and 10 1 1 8 in VLAN 10 should not have access Figure 8 Restricting Access to a Server on Another VLAN Example Denying Access to a Server on An...

Page 215: ...N 10 Switch config vlan filter SERVER1_MAP vlan list 10 Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs This section gives examples of applying router ACLs and VLAN maps to a VLAN for switched bridged routed and multicast packets Although the following illustrations show packets being forwarded to their destination each time the packet s path crosses a line indicating a VLAN m...

Page 216: ...or bridged packets only Layer 2 ACLs are applied to the input VLAN Only non IP non ARP packets can be fallback bridged Figure 10 Applying ACLs on Bridged Packets Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 192 OL 29048 01 Configuring IPv4 ACLs Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs ...

Page 217: ... VLAN and another for each of the destinations that are in other VLANs to which the packet has been routed The packet might be routed to more than one output VLAN in which case a different router output ACL and VLAN map would apply for each destination VLAN The final result is that the packet might be permitted in some of the output VLANs and not in others A copy of the packet is forwarded to thos...

Page 218: ...ml ios security config_library xe 3se 3850 secdata xe 3se 3850 library html IPv4 Access Control List topics Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 194 OL 2...

Page 219: ... a Cisco com user ID and password Feature Information for IPv4 Access Control Lists Feature Information Release IPv4 Access Control Lists perform packet filtering to control which packets move through the network and where Such control provides security by helping to limit network traffic restrict the access of users and devices to the network and prevent traffic from leaving a network This featur...

Page 220: ... to this feature users could add access list entries to the end of an access list only therefore needing to add statements anywhere except the end required reconfiguring the access list entirely The following commands were introduced or modified deny IP ip access list resequence deny IP permit IP Cisco IOS 15 2 2 E Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 196...

Page 221: ...e and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required IPv6 ACLs Overview You can filter IP Version 6 IPv6 traffic...

Page 222: ... The member switches sync up the configuration distributed by the new active switch and flush out entries that are not required When an ACL is modified attached to or detached from an interface the active switch distributes the change to all stack members Interactions with Other Features and Switches If an IPv6 router ACL is configured to deny a packet the packet is not routed A copy of the packet...

Page 223: ...pplied to an interface and you attempt to add an access control entry ACE with an unsupported keyword the switch does not allow the ACE to be added to the ACL that is currently attached to the interface IPv6 ACLs on the switch have these characteristics Fragmented frames the fragments keyword as in IPv4 are supported The same statistics supported in IPv4 are supported for IPv6 ACLs If the switch r...

Page 224: ...tocol rst routing sequence value syn time range name urg 6 deny permit udp source ipv6 prefix prefix length any host source ipv6 address operator port number destination ipv6 prefix prefix length any host destination ipv6 address operator port number dscp value log log input neq port protocol range port protocol routing sequence value time range name 7 deny permit icmp source ipv6 prefix prefix le...

Page 225: ...t source ipv6 address or destination ipv6 address enter the source or destination IPv6 host address for which to set deny or permit conditions specified in hexadecimal using 16 bit values between colons Optional For operator specify an operand that compares the source or destination ports of the specified protocol Operands are lt less than gt greater than eq equal neq not equal and range If the op...

Page 226: ...ush function bit set range port protocol Matches only packets in the port number range rst Reset bit set syn Synchronize bit set urg Urgent pointer bit set Optional Define a UDP access list and the access conditions deny permit udp source ipv6 prefix prefix length any host Step 6 Enter udp for the User Datagram Protocol The UDP parameters are the same as those described for TCP except that the ope...

Page 227: ...onfiguration show ipv6 access list Step 9 Verifies your entries show running config Example Switch show running config Step 10 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config Step 11 startup config What to Do Next Attach the IPv6 ACL to an Interface Attaching an IPv6 ACL to an Interface You can apply an ACL to outbound or ...

Page 228: ...s on which to apply an access list and enter interface configuration mode interface interface id Step 3 If applying a router ACL this changes the interface from Layer 2 mode the default to Layer 3 mode no switchport Step 4 Configure an IPv6 address on a Layer 3 interface for router ACLs ipv6 address ipv6 address Step 5 Apply the access list to incoming or outgoing traffic on the interface ipv6 tra...

Page 229: ... between VACLs and VLANs show vlan filter access mapaccess map vlanvlan id This is an example of the output from the show access lists privileged EXEC command The output shows all access lists that are configured on the switch or switch stack Switch show access lists Extended IP access list hello 10 permit ip any any IPv6 access list ipv6 permit ipv6 any any sequence 10 This is an example of the o...

Page 230: ...erence Cisco IOS XE Release 3SE Catalyst 3850 Switches http www cisco com en US docs ios xml ios ipv6 command ipv6 xe 3se 3850 cr book html IPv6 command reference Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool MIBs MIBs Link MIB To locate and ...

Page 231: ...ecurity and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 ...

Page 232: ...Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 208 OL 29048 01 Configuring IPv6 ACLs Additional References ...

Page 233: ...upport To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About DHCP DHCP Server The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them If the DHCP server cannot give the DHCP client the requested configuration parameters from its database it forwards the request to ...

Page 234: ...nfigure as trusted is one connected to a port on a device in the same network An example of an untrusted interface is one that is connected to an untrusted interface in the network or to an interface on a device that is not in the network When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled the switch compares the source MA...

Page 235: ...CP OFFER DHCP ACK and DHCP NACK messages The ip dhcp snooping wireless bootp broadcast enable can be used to revert this behavior When the wireless BOOTP broadcast is enabled the broadcast DHCP packets from server are forwarded to wireless clients without changing the destination MAC address Related Topics Prerequisites for Configuring DHCP Snooping and Option 82 on page 221 Option 82 Data Inserti...

Page 236: ... packet If the server is option 82 capable it can use the remote ID the circuit ID or both to assign IP addresses and implement policies such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID Then the DHCP server echoes the option 82 field in the DHCP reply The DHCP server unicasts the reply to the switch if the request was relayed to the server by ...

Page 237: ...h uses the packet formats when you globally enable DHCP snooping and enter the ip dhcp snooping information option global configuration command Figure 14 Suboption Packet Formats The illustration User Configured Suboption Packet Formats shows the packet formats for user configured remote ID and circuit ID suboptions The switch uses these packet formats when DHCP snooping is globally enabled and wh...

Page 238: ...atabase You can manually assign the client IP address or the DHCP server can allocate an IP address from a DHCP address pool For more information about manual and automatic address bindings see the Configuring DHCP chapter of the Cisco IOS IP Configuration Guide Release 12 4 For procedures to enable and configure the Cisco IOS DHCP server database see the DHCP Configuration Task List section in th...

Page 239: ... a specified time set by the write delay and abort timeout values the update stops This is the format of the file with bindings initial checksum TYPE DHCP SNOOPING VERSION 1 BEGIN entry 1 checksum 1 entry 2 checksum 1 2 entry n checksum 1 2 n END Each entry in the file is tagged with a checksum value that the switch uses to verify the entries when it reads the file The initial checksum entry on th...

Page 240: ...sing the new incoming DHCP packets How to Configure DHCP Features Default DHCP Snooping Configuration Table 19 Default DHCP Configuration Default Setting Feature Enabled in Cisco IOS software requires configuration2 DHCP server Enabled3 DHCP relay agent None configured DHCP packet forwarding address Enabled invalid messages are dropped Checking the relay agent information Replace the existing rela...

Page 241: ...tics by entering the show ip dhcp snooping statistics user EXEC command and you can clear the snooping statistics counters by entering the clear ip dhcp snooping statistics privileged EXEC command Configuring the DHCP Server The switch can act as a DHCP server For procedures to configure the switch as a DHCP server see the Configuring DHCP section of the IP addressing and Services section of the C...

Page 242: ...le Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Enables the DHCP server and relay agent on your switch By default this feature is enabled service dhcp Example Switch config service dhcp Step 3 Returns to privileged EXEC mode end Example Switch config end Step 4 Verifies your entries show running config Example Switch show running config St...

Page 243: ...n the Layer 3 interface closest to the client The address used in the ip helper address command can be a specific DHCP server IP address or it can be the network address if other DHCP servers are on the destination network segment Using the network address enables any DHCP server to respond to requests Beginning in privileged EXEC mode follow these steps to specify the packet forwarding address SU...

Page 244: ...helper address can be a specific DHCP server address or it can be the network address if other DHCP servers are on the destination network segment Using the network address enables other servers to respond to DHCP requests If you have multiple servers you can configure one helper address for each server Returns to global configuration mode end Example Switch config if end Step 6 Configures multipl...

Page 245: ...y enable DHCP snooping on the switch Before globally enabling DHCP snooping on the switch make sure that the devices acting as the DHCP server and the DHCP relay agent are configured and enabled If you want the switch to respond to DHCP requests it must be configured as a DHCP server Before configuring the DHCP snooping information option on your switch be sure to configure the device that is acti...

Page 246: ...recommend that you enable and configure Network Time Protocol NTP If NTP is configured the switch writes binding changes to the binding file only when the switch system clock is synchronized with NTP Before configuring the DHCP relay agent on your switch make sure to configure the device that is acting as the DHCP server You must specify the IP addresses that the DHCP server can assign or exclude ...

Page 247: ...ivileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Enables DHCP snooping globally ip dhcp snooping Example Switch config ip dhcp snooping Step 3 Enables DHCP snooping on a VLAN or range of VLANs The range is 1 to 4094 You can enter a single VLAN ID identified by VLAN...

Page 248: ...e switch to accept incoming DHCP snooping packets with option 82 information from the edge switch ip dhcp snooping information option allow untrusted Example Switch config ip dhcp snooping information option allow untrusted Step 7 The default setting is disabled Enter this command only on aggregation switches that are connected to trusted devices Note Specifies the interface to be configured and e...

Page 249: ...to more than one VLAN with DHCP snooping Note Returns to global configuration mode exit Example Switch config if exit Step 12 Optional Configures the switch to verify that the source MAC address in a DHCP packet received on untrusted ports matches the client ip dhcp snooping verify mac address Example Switch config ip dhcp snooping verify mac address Step 13 hardware address in the packet The defa...

Page 250: ...Address Allocation DHCP server port based address allocation is a feature that enables DHCP to maintain the same IP address on an Ethernet switch port regardless of the attached device client identifier or client hardware address When Ethernet switches are deployed in the network they offer connectivity to the directly connected devices In some environments such as on a factory floor if a device f...

Page 251: ...o preconfigured reservations unreserved addresses are not offered to the client and other clients are not served by the pool you can enter the reserved only DHCP pool configuration command Enabling the DHCP Snooping Binding Database Agent Beginning in privileged EXEC mode follow these steps to enable and configure the DHCP snooping binding database agent on the switch SUMMARY STEPS 1 enable 2 conf...

Page 252: ...ame password hostname host ip directory image name tar rcp user host filename tftp host filename Specifies in seconds how long to wait for the database transfer process to finish before stopping the process ip dhcp snooping database timeout seconds Example Switch config ip dhcp snooping database timeout 300 Step 4 The default is 300 seconds The range is 0 to 86400 Use 0 to define an infinite durat...

Page 253: ...detail Step 8 Verifies your entries show running config Example Switch show running config Step 9 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 10 Enabling DHCP Server Port Based Address Allocation Follow these steps to globally enable port based address allocation and to automatically generate a subs...

Page 254: ...ce name Step 4 A subscriber identifier configured on a specific interface takes precedence over this command Specifies the interface to be configured and enter interface configuration mode interface interface id Example Switch config interface gigabitethernet1 0 1 Step 5 Configures the DHCP server to use the subscriber identifier as the client identifier on all incoming DHCP messages on the interf...

Page 255: ... Information Purpose Command Displays the status and configuration of a specific interface show interface interface id Displays the DHCP address pools show ip dhcp pool Displays address bindings on the Cisco IOS DHCP server show ip dhcp binding Additional References Related Documents Document Title Related Topic IP Addressing DHCP Configuration Guide Cisco IOS XE Release 3S http www cisco com en U...

Page 256: ... including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco ...

Page 257: ... command for displaying DHCP snooping statistics clear ip dhcp snooping statistics privileged EXEC command for clearing the snooping statistics counters Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX OL 29048 01 233 Configuring DHCP Feature Information for DHCP Snooping and Option 82 ...

Page 258: ...Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 234 OL 29048 01 Configuring DHCP Feature Information for DHCP Snooping and Option 82 ...

Page 259: ...oftware release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco ...

Page 260: ...y at Layer 3 IPSG for static hosts also supports dynamic hosts If a dynamic host receives a DHCP assigned IP address that is available in the IP DHCP snooping table the same entry is learned by the IP device tracking table In a stacked environment when the master failover occurs the IP source guard entries for static hosts attached to member ports are retained When you enter the show ip device tra...

Page 261: ...ard smart logging packets with a source address other than the specified address or an address learned by DHCP are denied and the packet contents are sent to a NetFlow collector If you configure this feature make sure that smart logging is globally enabled In a switch stack if IP source guard is configured on a stack member interface and you remove the the configuration of that switch by entering ...

Page 262: ...1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Specifies the interface to be configured and enters interface configuration mode interface interface id Example Switch config interface gigabitethernet 1 0 1 Step 3 Enables IP source guard with source IP address filtering ip verify source mac check Step 4 Example Switch config if ip verify source Opt...

Page 263: ...ies in the configuration file copy running config startup config Example Switch copy running config startup config Step 9 Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port You must configure the ip device tracking maximum limit number interface configuration command globally for IPSG for static hosts to work If you only configure this command on a port without enabling IP devic...

Page 264: ...igure terminal Example Switch configure terminal Step 2 Turns on the IP host table and globally enables IP device tracking ip device tracking Example Switch config ip device tracking Step 3 Enters interface configuration mode interface interface id Example Switch config interface gigabitethernet Step 4 1 0 1 Configures a port as access switchport mode access Example Switch config if switchport mod...

Page 265: ... ip device tracking maximum number Example Switch config if ip device tracking Step 8 You must configure the ip device tracking maximum limit number interface configuration command Note maximum 8 Returns to privileged EXEC mode end Example Switch config end Step 9 Monitoring IP Source Guard Table 22 Privileged EXEC show Commands Purpose Command Displays the IP source guard configuration on the swi...

Page 266: ...s release Technical Assistance Link Description http www cisco com support The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool access...

Page 267: ...tion Your software release may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this...

Page 268: ...rately on each switch in a switch stack For a cross stack EtherChannel this means that the actual rate limit might be higher than the configured value For example if you set the rate limit to 30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2 each port can receive packets at 29 pps without causing the EtherChannel to become error disabled The operating rate for the po...

Page 269: ...own in parentheses for example Host A uses IP address IA and MAC address MA When Host A needs to communicate to Host B at the IP layer it broadcasts an ARP request for the MAC address associated with IP address IB When the switch and Host B receive the ARP request they populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA for example IP address IA is ...

Page 270: ...fied in the Ethernet header Use the ip arp inspection validate src mac dst mac ip global configuration command Interface Trust States and Network Security Dynamic ARP inspection associates a trust state with each interface on the switch Packets arriving on trusted interfaces bypass all dynamic ARP inspection validation checks and those arriving on untrusted interfaces undergo the dynamic ARP inspe...

Page 271: ... packets from nondynamic ARP inspection switches configure the switch running dynamic ARP inspection with ARP ACLs When you cannot determine such bindings at Layer 3 isolate switches running dynamic ARP inspection from switches not running dynamic ARP inspection switches Depending on the setup of the DHCP server and the network it might not be possible to validate a given ARP packet on all switche...

Page 272: ...enerated the switch clears the entry from the log buffer Each log entry contains flow information such as the receiving VLAN the port number the source and destination IP addresses and the source and destination MAC addresses You use the ip arp inspection log buffer global configuration command to configure the number of entries in the buffer and the number of entries needed in the specified inter...

Page 273: ...n the database populated by DHCP snooping Configuring ARP ACLs for Non DHCP Environments This procedure shows how to configure dynamic ARP inspection when Switch B shown in Figure 2 does not support dynamic ARP inspection or DHCP snooping If you configure port 1 on Switch A as trusted a security hole is created because both Switch A and Host 1 could be attacked by either Switch B or Host 2 To prev...

Page 274: ...prompted enable Step 1 Example Switch enable Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Defines an ARP ACL and enters ARP access list configuration mode By default no ARP access lists are defined arp access list acl name Step 3 At the end of the ARP access list there is an implicit deny ip any mac any command Note Permits ARP packets from the s...

Page 275: ...e compared against the ACL Packets are permitted only if the access list permits them Specifies Switch A interface that is connected to Switch B and enters the interface configuration mode interface interface id Step 7 Configures Switch A interface that is connected to Switch B as untrusted no ip arp inspection trust Step 8 By default all interfaces are untrusted For untrusted interfaces the switc...

Page 276: ...A DHCP server is connected to Switch A Both hosts acquire their IP addresses from the same DHCP server Therefore Switch A has the bindings for Host 1 and Host 2 and Switch B has the binding for Host 2 Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP to MAC address bindings in incoming ARP requests and ARP responses Make sure to enable DHCP snooping t...

Page 277: ... neighbors Example Switch config if show cdp neighbors Step 2 Enters the global configuration mode configure terminal Example Switch configure terminal Step 3 Enable dynamic ARP inspection on a per VLAN basis By default dynamic ARP inspection is disabled on all VLANs For vlan range ip arp inspection vlan vlan range Example Switch config ip arp inspection vlan 1 Step 4 specify a single VLAN identif...

Page 278: ...ing to the logging configuration specified with the ip arp inspection vlan logging global configuration command Returns to privileged EXEC mode end Example Switch config if end Step 7 Verifies the dynamic ARP inspection configuration on interfaces show ip arp inspection interfaces Example Step 8 Verifies the dynamic ARP inspection configuration on VLAN show ip arp inspection vlan vlan range Exampl...

Page 279: ...orts automatically emerge from this state after a specified timeout period Unless you configure a rate limit on an interface changing the trust state of the interface also changes its rate limit to the default value for that trust state After you configure the rate limit the interface retains the rate limit even when its trust state is changed If you enter the no ip arp inspection limit interface ...

Page 280: ...ters the global configuration mode configure terminal Example Switch configure terminal Step 2 Specifies the interface to be rate limited and enter interface configuration mode interface interface id Step 3 Limits the rate of incoming ARP requests and responses on the interface The default rate is 15 pps on untrusted interfaces and unlimited on trusted interfaces The burst interval is 1 second ip ...

Page 281: ...e The range is 30 to 86400 Returns to privileged EXEC mode exit Step 7 Verifies your settings Use the following show commands Step 8 show ip arp inspection interfaces show errdisable recovery Verifies your entries show running config Example Switch show running config Step 9 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config ...

Page 282: ...re classified as invalid and are dropped For dst mac check the destination MAC address in the Ethernet header against the target MAC address in ARP body This check is performed for ARP responses When enabled packets with different MAC addresses are classified as invalid and are dropped For ip check the ARP body for invalid and unexpected IP addresses Addresses include 0 0 0 0 255 255 255 255 and a...

Page 283: ...VLAN If no VLANs are specified or if a range is specified displays information only for VLANs with dynamic ARP inspection enabled active show ip arp inspection statistics vlan vlan range Clears the dynamic ARP inspection log buffer clear ip arp inspection log Displays the configuration and contents of the dynamic ARP inspection log buffer show ip arp inspection log For the show ip arp inspection s...

Page 284: ...nformation only for VLANs with dynamic ARP inspection enabled active show ip arp inspection vlan vlan range Additional References Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool MIBs MIBs Link MIB To locate and download MIBs for selected platfo...

Page 285: ...y and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX OL ...

Page 286: ...Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 262 OL 29048 01 Configuring Dynamic ARP Inspection Additional References ...

Page 287: ... Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navi...

Page 288: ...ation times out while waiting for an EAPOL message exchange and MAC authentication bypass is enabled the switch can use the client MAC address for authorization If the client MAC address is valid and the authorization succeeds the switch grants the client access to the network If the client MAC address is invalid and the authorization fails the switch assigns the client to a guest VLAN that provid...

Page 289: ...e Attribute 27 specifies the time after which re authentication occurs The Termination Action RADIUS attribute Attribute 29 specifies the action to take during re authentication The actions are Initialize and ReAuthenticate When the Initialize action is set the attribute value is DEFAULT the 802 1x session ends and connectivity is lost during re authentication When the ReAuthenticate action is set...

Page 290: ...es not receive an EAP request identity frame after three attempts to start authentication the client sends frames as if the port is in the authorized state A port in the authorized state effectively means that the client has been successfully authenticated Note When the client supplies its identity the switch begins its role as the intermediary passing EAP frames between the client and the authent...

Page 291: ...rization is successful the port becomes authorized If authorization fails and a guest VLAN is specified the switch assigns the port to the guest VLAN If the switch detects an EAPOL packet while waiting for an Ethernet packet the switch stops the MAC authentication bypass process and starts 802 1x authentication This figure shows the message exchange during MAC authentication bypass Figure 20 Messa...

Page 292: ...able ACL Redirect URL MAC authentication bypass Proxy ACL Filter Id attribute downloadable ACL Standalone web authentication Filter Id attribute Downloadable ACL Redirect URL Filter Id attribute Downloadable ACL Redirect URL Filter Id attribute Downloadable ACL Redirect URL Filter Id attribute Downloadable ACL Redirect URL NAC Layer 2 IP validation Proxy ACL Filter Id attribute Downloadable ACL Pr...

Page 293: ...mands include the authentication host mode authentication violation and authentication timer interface configuration commands 802 1x specific commands begin with the dot1x keyword For example the authentication port control auto interface configuration command enables authentication on an interface However the dot1x system authentication control global configuration command only globally enables o...

Page 294: ...flexibility to define the order of authentication methods to be used mab authentication order Enable periodic re authentication of the client dot1x reauthentication authentication periodic Enable manual control of the authorization state of the port dot1x port control auto force authorized force unauthorized authentication port control auto force authorized force un authorized Set the 802 1x timer...

Page 295: ...hrough the port The authentication process begins when the link state of the port changes from down to up or when an EAPOL start frame is received The switch requests the identity of the client and begins relaying authentication messages between the client and the authentication server Each client attempting to access the network is uniquely identified by the switch by using the client MAC address...

Page 296: ...an configure an 802 1x port for single host or for multiple hosts mode In single host mode only one client can be connected to the 802 1x enabled switch port The switch detects the client by sending an EAPOL frame when the port link state changes to the up state If a client leaves or is replaced with another client the switch changes the port link state to down and the port returns to the unauthor...

Page 297: ...authorized with a VLAN that matches the operational VLAN A host is authorized on the port with no VLAN assignment and subsequent hosts either have no VLAN assignment or their VLAN information matches the operational VLAN The first host authorized on the port has a group VLAN assignment and subsequent hosts either have no VLAN assignment or their group VLAN matches the group VLAN on the port Subseq...

Page 298: ...s connected and gets authorized without explicit vlan policy H2 is expected to use the configured VLAN V0 that is restored on the port A ll egress traffic going out of two operational VLANs VLAN V0 and VLAN V1 are untagged If host H2 is logged out or the session is removed due to some reason then the configured VLAN V0 is removed from the port and VLAN V1 becomes the only operational VLAN on the p...

Page 299: ... There are situations where a MAC address might need to move from one port to another on the same switch For example when there is another device for example a hub or an IP phone between an authenticated host and a switch port you might want to disconnect the host from the device and connect it directly to another port on the same switch You can globally enable MAC move so the device is reauthenti...

Page 300: ...ication fails The switch does not log 802 1x accounting information Instead it sends this information to the RADIUS server which must be configured to log accounting messages 802 1x Accounting Attribute Value Pairs The information sent to the RADIUS server is represented in the form of Attribute Value AV pairs These AV pairs provide data for different applications For example a billing application...

Page 301: ...Always Acct Authentic Attribute 45 Always Always Never Acct Session Time Attribute 46 Always Never Never Acct Terminate Cause Attribute 49 Always Always Always NAS Port Type Attribute 61 7 The Framed IP Address AV pair is sent when a valid static IP address is configured or w when a Dynamic Host Control Protocol DHCP binding exists for the host in the DHCP snooping bindings table 802 1x Readiness ...

Page 302: ...ADIUS server returned an authorized VLAN the voice VLAN on the port is configured to send and receive packets on the assigned voice VLAN Voice VLAN assignment behaves the same as data VLAN assignment on multidomain authentication MDA enabled ports When configured on the switch and the RADIUS server 802 1x authentication with VLAN assignment has these characteristics If no VLAN is supplied by the R...

Page 303: ...se exceptions If the VLAN configuration change of one device results in matching the other device configured or assigned VLAN authorization of all devices on the port is terminated and multidomain host mode is disabled until a valid configuration is restored where data and voice device configured VLANs no longer match If a voice device is authorized and is using a downloaded voice VLAN the removal...

Page 304: ...ring format and are passed to the switch during the authentication process The VSAs used for per user ACLs are inacl n for the ingress direction and outacl n for the egress direction MAC ACLs are supported only in the ingress direction The switch supports VSAs only in the ingress direction It does not support port ACLs in the egress direction on Layer 2 ports Use only the extended ACL syntax style...

Page 305: ...s list extended auth default acl global configuration command The auth default ACL does not support Cisco Discovery Protocol CDP bypass in the single host mode You must configure a static ACL on the interface to support CDP bypass Note The 802 1x and MAB authentication methods support two authentication modes open and closed If there is no static ACL on a port in closed authentication mode An auth...

Page 306: ...url redirect is the HTTP or HTTPS URL url redirect acl is the switch ACL name or number The switch uses the CiscoSecure defined ACL attribute value pair to intercept an HTTP or HTTPS request from the end point The switch then forwards the client web browser to the specified redirect address The url redirect AV pair on the Cisco Secure ACS contains the URL to which the web browser is redirected The...

Page 307: ... The ACS server ignores the sent VLAN IDs for new hosts and only authenticates based on the MAC address Note 802 1x Authentication with Guest VLAN You can configure a guest VLAN for each 802 1x port on the switch to provide limited services to clients such as downloading the 802 1x client These clients might be upgrading their system for 802 1x authentication and some hosts such as Windows 98 syst...

Page 308: ...with a username and password based on the MAC address If authorization succeeds the switch grants the client access to the network If authorization fails the switch assigns the port to the guest VLAN if one is specified 802 1x Authentication with Restricted VLAN You can configure a restricted VLAN also referred to as an authentication failed VLAN for each IEEE 802 1x port on a switch stack or a sw...

Page 309: ... the switch cannot reach the configured RADIUS servers and new hosts cannot be authenticated You can configure the switch to connect those hosts to critical ports When a new host tries to connect to the critical port that host is moved to a user specified access VLAN the critical VLAN The administrator gives limited authentication to the hosts When the switch tries to authenticate a host connected...

Page 310: ...h does not receive a response to its EAP request identity frame or when EAPOL packets are not sent by the client If all the RADIUS servers are not available and the client is connected to a critical port the switch authenticates the client and puts the critical port in the critical authentication state in the RADIUS configured or user specified access VLAN If all the RADIUS servers are not availab...

Page 311: ...he network and puts the port in the critical authentication state in the RADIUS configured or the user specified access VLAN When the switch cannot reach the configured RADIUS servers and new hosts cannot be authenticated the switch connects those hosts to critical ports A new host trying to connect to the critical port is moved to a user specified access VLAN the critical VLAN and granted limited...

Page 312: ...ve VLANs are mapped to the group When you clear a VLAN group none of the ports or users that are in the authenticated state in any VLAN within the group are cleared but the VLAN mappings to the VLAN group are cleared IEEE 802 1x Authentication with Voice VLAN Ports A voice VLAN port is a special access port associated with two VLAN identifiers VVID to carry voice traffic to and from the IP phone T...

Page 313: ...ou can use this feature in environments where administrators need to connect to systems that have been powered down When a host that uses WoL is attached through an IEEE 802 1x port and the host powers off the IEEE 802 1x port becomes unauthorized The port can only receive and send EAPOL packets and WoL magic packets cannot reach the host When the PC is powered off it is not authorized and the swi...

Page 314: ...upplicant the switch does not unauthorize the client connected to the port When re authentication occurs the switch uses the authentication or re authentication methods configured on the port if the previous session ended because the Termination Action RADIUS attribute value is DEFAULT Clients that were authorized with MAC authentication bypass can be re authenticated The re authentication process...

Page 315: ... or VLAN group name as the value of the Tunnel Preference Attribute 83 If you do not configure the Tunnel Preference the first Tunnel Group Private ID Attribute 81 attribute is picked up from the list View the NAC posture token which shows the posture of the client by using the show authentication privileged EXEC command Configure secondary private VLANs as guest VLANs Configuring NAC Layer 2 IEEE...

Page 316: ...he data domain are allowed Multiple hosts mode with open authentication Any host can access the network Multiple authentication mode with open authentication Similar to MDA except multiple hosts can be authenticated If open authentication is configured it takes precedence over other authentication controls This means that if you use the authentication open interface configuration command the port ...

Page 317: ...tain an IP address and acquire the voice VLAN information After the voice device starts sending on the voice VLAN its access to the data VLAN is blocked A voice device MAC address that is binding on the data VLAN is not counted towards the port security MAC address limit MDA can use MAC authentication bypass as a fallback mechanism to allow the switch port to connect to devices that do not support...

Page 318: ...e VLAN for the trunk port after successful authentication In the default state when you connect a supplicant switch to an authenticator switch that has BPDU guard enabled the authenticator port could be error disabled if it receives a Spanning Tree Protocol STP bridge protocol data unit BPDU packets before the supplicant switch has authenticated Beginning with Cisco IOS Release 15 0 1 SE you can c...

Page 319: ...oset 2 Workstations clients 1 Access control server ACS 4 Authenticator switch 3 Trunk port 5 The switchport nonegotiate command is not supported on supplicant and authenticator switches with NEAT This command should not be configured at the supplicant side of the topology If configured on the authenticator side the internal macros will automatically remove this command from the port Note Voice Aw...

Page 320: ...MAC Address Method Domain Status Session ID Fa4 0 4 0000 0000 0203 mab DATA Authz Success 160000050000000B288508E5 This is an example of how the session ID appears in the syslog output The session ID in this example is also160000050000000B288508E5 1w0d AUTHMGR 5 START Starting mab for client 0000 0000 0203 on Interface Fa4 0 4 AuditSessionID 160000050000000B288508E5 1w0d MAB 5 SUCCESS Authenticati...

Page 321: ...er of seconds that the switch remains in the quiet state following a failed authentication exchange with the client Quiet period 30 seconds number of seconds that the switch should wait for a response to an EAP request identity frame from the client before resending the request Retransmission time 2 times number of times that the switch will send an EAP request identity frame before restarting the...

Page 322: ...AN and is then assigned to a different VLAN after re authentication If the VLAN to which an 802 1x port is assigned to shut down disabled or removed the port becomes unauthorized For example the port is unauthorized after the access VLAN to which a port is assigned shuts down or is removed The 802 1x protocol is supported on Layer 2 static access ports voice VLAN ports and Layer 3 routed ports but...

Page 323: ...or restarting the 802 1x authentication process on the switch before the DHCP process on the client times out and tries to get a host IP address from the DHCP server Decrease the settings for the 802 1x authentication process authentication timer inactivity and authentication timer reauthentication interface configuration commands The amount to decrease the settings depends on the connected 802 1x...

Page 324: ...that are connected by MAC authentication bypass but are inactive The range is 1to 65535 seconds Maximum Number of Allowed Devices Per Port This is the maximum number of devices allowed on an 802 1x enabled port In single host mode only one device is allowed on the access VLAN If the port is also configured with a voice VLAN an unlimited number of Cisco IP phones can send and receive traffic throug...

Page 325: ...ity When the client responds with a notification packet it is 802 1x capable A syslog message is generated if the client responds within the timeout period If the client does not respond to the query the client is not 802 1x capable No syslog message is generated The readiness check can be sent on a port that handles multiple hosts for example a PC that is connected to an IP phone A syslog message...

Page 326: ...your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 7 Related Topics 802 1x Readiness Check on page 277 Configuring Voice Aware 802 1x Security To use voice aware IEEE 802 1x authentication the switch must be running the LAN base image Note You use the voice aware 802 1x security feature on the switch to disable only the ...

Page 327: ...rity SUMMARY STEPS 1 configure terminal 2 errdisable detect cause security violation shutdown vlan 3 errdisable recovery cause security violation 4 clear errdisable interfaceinterface id vlan vlan list 5 Enter the following shutdown no shutdown 6 end 7 show errdisable detect DETAILED STEPS Purpose Command or Action Enter global configuration mode configure terminal Step 1 Shut down any VLAN on whi...

Page 328: ...rivileged EXEC command Related Topics Voice Aware 802 1x Security on page 295 Configuring 802 1x Violation Modes You can configure an 802 1x port so that it shuts down generates a syslog error or discards packets from a new device when a device connects to an 802 1x enabled port the maximum number of allowed about devices have been authenticated on the port Beginning in privileged EXEC mode follow...

Page 329: ...entication Specifies the port connected to the client that is to be enabled for IEEE 802 1x authentication and enter interface configuration mode interface interface id Example Switch config interface Step 4 gigabitethernet1 0 4 Sets the port to access mode switchport mode access Example Switch config if switchport mode access Step 5 Configures the violation mode The keywords have these meanings a...

Page 330: ...d as appropriate based on the RADIUS server configuration 4 The switch sends a start message to an accounting server 5 Re authentication is performed as necessary 6 The switch sends an interim accounting update to the accounting server that is based on the result of re authentication 7 The user disconnects from the port 8 The switch sends a stop message to the accounting server DETAILED STEPS Purp...

Page 331: ...rol 5 aaa authorization network default group radius 6 radius server host ip address 7 radius server key string 8 interface interface id 9 switchport mode access 10 authentication port control auto 11 dot1x pae authenticator 12 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Enables AAA aaa new model Exam...

Page 332: ... all network related service requests such as per user ACLs or VLAN assignment aaa authorization network default group radius Example Switch config aaa authorization network Step 5 default group radius Optional Specifies the IP address of the RADIUS server radius server host ip address Example Switch config radius server host Step 6 124 2 2 12 Optional Specifies the authentication and encryption k...

Page 333: ...adius server host global configuration command If you want to configure these options on a per server basis use the radius server timeout the radius server retransmit and the radius server key global configuration commands You also need to configure some settings on the RADIUS server These settings include the IP address of the switch and the key string to be shared by both the server and the swit...

Page 334: ... key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server The key is a text string that must match the encryption key used on the RADIUS server 125 5 5 43 auth port 1645 key rad123 Always configure the key as the last item in the radius server host command syntax because leading spaces are ignored but spaces within and at t...

Page 335: ...rt to which multiple hosts are indirectly attached and enter interface configuration mode interface interface id Example Switch config interface Step 2 gigabitethernet2 0 1 Allows multiple hosts clients on an 802 1x authorized port authentication host mode multi auth multi domain multi host single host Step 3 The keywords have these meanings Example Switch config if authentication multi auth Allow...

Page 336: ...ow these steps to enable periodic re authentication of the client and to configure the number of seconds between re authentication attempts This procedure is optional SUMMARY STEPS 1 configure terminal 2 interface interface id 3 authentication periodic 4 authentication timer inactivity reauthenticate restart value 5 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode ...

Page 337: ...authenticate an unauthorized port This command affects the behavior of the switch only if periodic re authentication is enabled Returns to privileged EXEC mode end Example Switch config if end Step 5 Changing the Quiet Period When the switch cannot authenticate the client the switch remains idle for a set period of time and then tries again The authentication timer inactivity interface configurati...

Page 338: ...ample Switch config if end Step 4 Verifies your entries show authentication sessions interface interface id Example Switch show authentication sessions interface Step 5 gigabitethernet2 0 1 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 6 Changing the Switch to Client Retransmission Time The client res...

Page 339: ... terminal Step 1 Specifies the port to be configured and enter interface configuration mode interface interface id Example Switch config interface gigabitethernet2 0 1 Step 2 Sets the number of seconds that the switch waits for a response to an EAP request identity frame from the client before resending the request authentication timer reauthenticate seconds Example Switch config if authentication...

Page 340: ...ble links or specific behavioral problems with certain clients and authentication servers Note Beginning in privileged EXEC mode follow these steps to set the switch to client frame retransmission number This procedure is optional SUMMARY STEPS 1 configure terminal 2 interface interface id 3 dot1x max reauth req count 4 end DETAILED STEPS Purpose Command or Action Enters the global configuration m...

Page 341: ...thentication process before the port changes to the unauthorized state You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers Note Beginning in privileged EXEC mode follow these steps to set the re authentication number This procedure is optional SUMMARY ST...

Page 342: ...es that the switch restarts the authentication process before the port changes to the unauthorized state The range is 0 to 10 the default is 2 dot1x max req count Example Switch config if dot1x max req 4 Step 4 Returns to privileged EXEC mode end Example Switch config if end Step 5 Enabling MAC Move MAC move allows an authenticated host to move from one port on the switch to another Beginning in p...

Page 343: ...eny To enable Mac Move in Session Aware Networking use the no access session mac move global configuration command permit Returns to privileged EXEC mode end Example Switch config end Step 3 Verifies your entries show running config Example Switch show running config Step 4 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config s...

Page 344: ...he replace keyword to enable MAC replace on the interface The port removes the current session and initiates authentication with the new host authentication violation protect replace restrict shutdown Example Switch config if authentication violation Step 3 The other keywords have these effects protect the port drops packets with unexpected MAC addresses without generating a system message replace...

Page 345: ...ccounting request this system message appears Accounting message s for session s failed to receive Accounting Response When the stop message is not sent successfully this message appears 00 09 55 RADIUS 4 RADIUS_DEAD RADIUS server 172 20 246 201 1645 1646 is not responding You must configure the RADIUS server to perform accounting tasks such as logging start stop and interim update messages and ti...

Page 346: ...les 802 1x accounting using the list of all RADIUS servers aaa accounting dot1x default start stop group radius Example Switch config if aaa accounting dot1x default Step 3 start stop group radius Optional Enables system accounting using the list of all RADIUS servers and generates system aaa accounting system default start stop group radius Example Switch config if aaa accounting system default S...

Page 347: ...t granted network access The switch supports guest VLANs in single host or multiple hosts mode Beginning in privileged EXEC mode follow these steps to configure a guest VLAN This procedure is optional SUMMARY STEPS 1 configure terminal 2 interface interface id 3 Use one of the following switchport mode access switchport mode private vlan host 4 authentication event no response action authorize vla...

Page 348: ...figure any active VLAN except an internal VLAN routed port an RSPAN VLAN or a voice VLAN as an 802 1x guest VLAN no response action authorize vlan 2 Returns to privileged EXEC mode end Example Switch config if end Step 5 Configuring a Restricted VLAN When you configure a restricted VLAN on a switch stack or a switch clients that are IEEE 802 1x compliant are moved into the restricted VLAN when the...

Page 349: ...configuration mode interface interface id Example Switch config interface gigabitethernet2 0 2 Step 2 Use one of the following Step 3 Sets the port to access mode Configures the Layer 2 port as a private VLAN host port switchport mode access switchport mode private vlan host Example Switch config if switchport mode access Enables 802 1x authentication on the port authentication port control auto E...

Page 350: ...igned to the restricted VLAN by using the authentication event retry retry count interface configuration command The range of allowable authentication attempts is 1 to 3 The default is 3 attempts Beginning in privileged EXEC mode follow these steps to configure the maximum number of allowed authentication attempts This procedure is optional SUMMARY STEPS 1 configure terminal 2 interface interface ...

Page 351: ...h config if authentication port control Step 4 auto Specifies an active VLAN as an 802 1x restricted VLAN The range is 1 to 4094 authentication event fail action authorize vlan vlan id Example Switch config if authentication event fail Step 5 You can configure any active VLAN except an internal VLAN routed port an RSPAN VLAN or a voice VLAN as an 802 1x restricted VLAN action authorize vlan 8 Spec...

Page 352: ...me name idle time time ignore acct port ignore auth port key string 6 dot1x critical eapol recovery delay milliseconds 7 interface interface id 8 authentication event server dead action authorize reinitialize vlan vlan id 9 switchport voice vlan vlan id 10 authentication event server dead action authorize voice 11 show authentication interface interface id 12 copy running config startup config DET...

Page 353: ...5536 The default is 1646 ignore acct port ignore auth port key string Example Switch config radius server host auth portudp port Specify the UDP port for the RADIUS authentication server The range for the UDP port number is from 0 to 65536 The default is 1645 1 1 1 2 acct port 1550 auth port 1560 test username user1 idle time 30 You should configure the UDP port for the RADIUS accounting server an...

Page 354: ...port when a RADIUS config dot1x critical recovery delay 2000 server that was unavailable becomes available The range is from 1 to 10000 milliseconds The default is 1000 milliseconds a port can be re initialized every second Specify the port to be configured and enter interface configuration mode interface interface id Example Switch config interface gigabitethernet 1 0 1 Step 7 Use these keywords ...

Page 355: ... dead action interface configuration command To disable critical voice VLAN use the no authentication event server dead action authorize voice interface configuration command Example of Configuring Inaccessible Authentication Bypass This example shows how to configure the inaccessible authentication bypass feature Switch config radius server dead criteria time 30 tries 20 Switch config radius serv...

Page 356: ...Switch config interface gigabitethernet2 0 3 Step 2 Enables 802 1x authentication with WoL on the port and use these keywords to configure the port as bidirectional or unidirectional authentication control direction both in Example Switch config if authentication Step 3 both Sets the port as bidirectional The port cannot receive packets from or send packets to the host By default the port is bidir...

Page 357: ...thentication bypass This procedure is optional SUMMARY STEPS 1 configure terminal 2 interface interface id 3 authentication port control auto 4 mab eap 5 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the port to be configured and enter interface configuration mode interface interface id Exampl...

Page 358: ...tication server The username and password are usually the MAC address of the client Some authentication server configurations require the password to be different from the username Beginning in privileged EXEC mode follow these steps to format MAC authentication bypass username and passwords SUMMARY STEPS 1 configure terminal 2 mab request format attribute 1 groupsize 1 2 4 12 separator lowercase ...

Page 359: ...bute in MAB generated Access Request packets mab request format attribute2 0 7 text Example Switch config mab request format Step 3 0 Specifies a cleartext password to follow 7 Specifies an encrypted password to follow attribute 2 7 A02f44E18B12 text Specifies the password to be used in the User Password attribute When you send configuration information in e mail remove type 7 password information...

Page 360: ...onfiguring VLAN Groups This example shows how to configure the VLAN groups to map the VLANs to the groups to and verify the VLAN group configurations and mapping to the specified VLANs Switch config vlan group eng dept vlan list 10 Switch config show vlan group group name eng dept Group Name Vlans Mapped eng dept 10 Switch config show dot1x vlan group all Group Name Vlans Mapped eng dept 10 hr dep...

Page 361: ... NAC Layer 2 802 1x validation which is also referred to as 802 1x authentication with a RADIUS server Beginning in privileged EXEC mode follow these steps to configure NAC Layer 2 802 1x validation The procedure is optional SUMMARY STEPS 1 configure terminal 2 interface interface id 3 switchport mode access 4 authentication event no response action authorize vlan vlan id 5 authentication periodic...

Page 362: ...action authorize vlan 8 Enables periodic re authentication of the client which is disabled by default authentication periodic Example Switch config if authentication periodic Step 5 Sets re authentication attempt for the client set to one hour authentication timer reauthenticate Example Switch config if authentication timer Step 6 This command affects the behavior of the switch only if periodic re...

Page 363: ...de enable Example Device enable Step 1 Enter your password if prompted Enters global configuration mode configure terminal Example Device configure terminal Step 2 Enables the authentication authorization and accounting AAA access control model aaa new model Example Device config aaa new model Step 3 Sets the authentication authorization and accounting AAA authentication by using the default authe...

Page 364: ...the blocked local user clear aaa local user blocked username username Example Device clear aaa local user blocked username user1 Step 8 The following is sample output from the show aaa local user blocked command Device show aaa local user blocked Local user State user1 Watched till 11 34 42 IST Feb 5 2015 Configuring an Authenticator Switch with NEAT Configuring this feature requires that one swit...

Page 365: ...xample Switch config cisp enable Step 2 Specifies the port to be configured and enter interface configuration mode interface interface id Example Switch config interface gigabitethernet2 0 1 Step 3 Sets the port mode to access switchport mode access Example Switch config if switchport mode access Step 4 Sets the port authentication mode to auto authentication port control auto Example Switch confi...

Page 366: ...Verifies your configuration show running config interface interface id Example Switch show running config interface Step 9 gigabitethernet2 0 1 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 10 Configuring a Supplicant Switch with NEAT Beginning in privileged EXEC mode follow these steps to configure a...

Page 367: ...D STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Enables CISP cisp enable Example Switch config cisp enable Step 2 Creates 802 1x credentials profile This must be attached to the port that is configured as supplicant dot1x credentials profile Example Switch config dot1x credentials test Step 3 Creates a username username...

Page 368: ... trunk mode switchport trunk encapsulation dot1q Example Switch config if switchport trunk Step 8 encapsulation dot1q Configures the interface as a VLAN trunk port switchport mode trunk Example Switch config if switchport mode trunk Step 9 Configures the interface as a port access entity PAE supplicant dot1x pae supplicant Example Switch config if dot1x pae supplicant Step 10 Attaches the 802 1x c...

Page 369: ...ed to configure the ACS For more information see the Configuration Guide for Cisco Secure ACS 4 2 http www cisco com en US docs net_mgmt cisco_secure_access_control_server_for_windows 4 2 configuration guide acs_config pdf You must configure a downloadable ACL on the ACS before downloading it to the switch Note After authentication on the port you can use the show ip access list privileged EXEC co...

Page 370: ...g Step 2 Enables AAA aaa new model Example Switch config aaa new model Step 3 Sets the authorization method to local To remove the authorization method use the no aaa authorization network default local group radius command aaa authorization network default local group radius Example Switch config aaa authorization network default Step 4 local group radius Configures the radius vsa send authentica...

Page 371: ...entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 9 Configuring a Downloadable Policy Beginning in privileged EXEC mode SUMMARY STEPS 1 configure terminal 2 access list access list number deny permit hostname any host log 3 interface interface id 4 ip access group acl id in 5 exit 6 aaa new model 7 aaa authorization network ...

Page 372: ... source wildcard value host The keyword host as an abbreviation for source and source wildcard of source 0 0 0 0 Optional Applies the source wildcard wildcard bits to the source Optional Enters log to cause an informational logging message about the packet that matches the entry to be sent to the console Enters interface configuration mode interface interface id Example Switch config interface Ste...

Page 373: ...the switch sends the ARP probe The range is from 1 to 5 The default is 3 Example Switch config ip device tracking interval interval Sets the number of seconds that the switch waits for a response before resending the ARP probe The range is from 30 to 300 seconds The default is 30 seconds probe count use svi Uses the switch virtual interface SVI IP address as source of ARP probes Configures the net...

Page 374: ...nfiguring Flexible Authentication Ordering The examples used in the instructions below changes the order of Flexible Authentication Ordering so that MAB is attempted before IEEE 802 1X authentication dot1x MAB is configured as the first authentication method so MAB will have priority over all other authentication methods Before changing the default order and priority of these authentication method...

Page 375: ...eviously configured the RADIUS server switchport mode access Example Switch config if switchport mode access Step 3 Optional Sets the order of authentication methods used on a port authentication order dot1x mab webauth Example Switch config if authentication order mab dot1x Step 4 Optional Adds an authentication method to the port priority list authentication priority dot1x mab webauth Example Sw...

Page 376: ...on periodic 10 authentication port control auto force authorized force un authorized 11 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the port to be configured and enter interface configuration mode interface interface id Example Switch config interface gigabitethernet 1 0 1 Step 2 Sets the po...

Page 377: ...Step 6 multi auth Optional Enables or disable open access on a port authentication open Example Switch config if authentication open Step 7 Optional Sets the order of authentication methods used on a port authentication order dot1x mab webauth Example Switch config if authentication order dot1x Step 8 webauth Optional Enables or disable reauthentication on a port authentication periodic Example Sw...

Page 378: ...s optional SUMMARY STEPS 1 configure terminal 2 interface interface id 3 switchport mode access 4 no dot1x pae authenticator 5 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the port to be configured and enter interface configuration mode interface interface id Example Switch config interface g...

Page 379: ...onfiguration to the Default Values Beginning in privileged EXEC mode follow these steps to reset the 802 1x authentication configuration to the default values This procedure is optional SUMMARY STEPS 1 configure terminal 2 interface interface id 3 dot1x default 4 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal S...

Page 380: ... for a specific port show dot1x interface interface id statistics Displays the 802 1x administrative and operational status for a switch show dot1x all count details statistics summary Displays the 802 1x administrative and operational status for a specific port show dot1x interface interface id Table 29 Global Configuration Commands Purpose Command Filters verbose 802 1x authentication messages b...

Page 381: ...ty config_library xe 3se 3850 secuser xe 3se 3850 library html Configuring RADIUS TACACS Secure Shell 802 1X and AAA Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool MIBs MIBs Link MIB To locate and download MIBs for selected platforms Cisco IOS...

Page 382: ...Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature Information for 802 1x Port Based Authentication Feature Information Release This feature was introduced Cisco IOS 15 0 2 EX Supports the use of same authorization methods on all the Catalyst switches in a network Supports filtering verbose system m...

Page 383: ... supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Web Based Authentication Overview Use the web based authentication feature known as web authentication proxy to authent...

Page 384: ...eceive when webauth client tries to do authentication does not have any performance or behavioral impact It happens rarely when the context for which FFM replied back to EPM for ACL application is already dequeued possibly due to timer expiry and the session becomes unauthorized Note Device Roles With web based authentication the devices in the network have these specific roles Client The device w...

Page 385: ... a DHCP binding entry for the host Session Creation When web based authentication detects a new host it creates a session as follows Reviews the exception list If the host IP is included in the exception list the policy from the exception list entry is applied and the session is established Reviews for authorization bypass If the host IP is not on the exception list web based authentication sends ...

Page 386: ... within the idle timeout on a Layer 3 interface The feature applies the downloaded timeout or the locally configured session timeout Beginning with Cisco IOS XE Denali 16 1 1 and later the default session timeout value for web based authentication on WLC is 1800 seconds The default session timeout value was infinite seconds prior to Cisco IOS XE Denali 16 1 1 Note If the terminate action is RADIUS...

Page 387: ...ssage such as switch router or company name to the banner Legacy mode Use the ip admission auth proxy banner http banner textglobal configuration command New style mode Use the parameter map type webauth global bannerglobal configuration command Add a logo or text file to the banner Legacy mode Use the ip admission auth proxy banner http file path global configuration command Catalyst 2960 X Switc...

Page 388: ...ebauth global banner global configuration command Figure 25 Customized Web Banner Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 364 OL 29048 01 Configuring Web Based Authentication Local Web Authentication Banner ...

Page 389: ...eb Pages During the web based authentication process the switch internal HTTP server hosts four HTML pages to deliver to an authenticating client The server uses these pages to notify you of these four authentication process states Login Your credentials are requested Success The login was successful Fail The login failed Expire The login session has expired because of excessive login failures Gui...

Page 390: ...tered and then the command configuring web pages is entered the CLI command redirecting users to a specific URL does not take effect Configured web pages can be copied to the switch boot flash or flash On stackable switches configured pages can be accessed from the flash on the stack master or members The login page can be on one flash and the success and failure pages can be another flash for exa...

Page 391: ...n an accessible HTTP server Configure an intercept ACL within the admission rule Any external link from a custom page requires configuration of an intercept ACL within the admission rule To access a valid DNS server any name resolution required for external links or images requires configuration of an intercept ACL within the admission rule If the custom web pages feature is enabled a configured a...

Page 392: ...ut http then the redirection URL on successful authentication might cause page not found or similar errors on a web browser Related Topics Specifying a Redirection URL for Successful Login on page 380 Web based Authentication Interactions with Other Features Port Security You can configure web based authentication and port security on the same port Web based authentication authenticates the port a...

Page 393: ... the session even if there is no ACL configured on the port You cannot configure a MAC ACL and web based authentication on the same interface You cannot configure web based authentication on a port whose access VLAN is configured for VACL capture Context Based Access Control Web based authentication cannot be configured on a Layer 2 port if context based access control CBAC is configured on the La...

Page 394: ...age to the host Hosts that are more than one hop away might experience traffic disruption if an STP topology change results in the host traffic arriving on a different port This occurs because the ARP and DHCP updates might not be sent after a Layer 2 STP topology change Web based authentication does not support VLAN assignment as a downloadable host policy Web based authentication supports IPv6 i...

Page 395: ...e encryption used on the RADIUS daemon You can globally configure the timeout retransmission and encryption key values for all RADIUS servers by using with the radius server host global configuration command If you want to configure these options on a per server basis use the radius server timeout radius server transmit and the radius server key global configuration commands For more information s...

Page 396: ... for web based authorization ip admission name name proxy http Example Switch config ip admission name webauth1 proxy Step 3 http Enters interface configuration mode and specifies the ingress Layer 2 or Layer 3 interface to be enabled for web based authentication interface type slot port Example Switch config interface gigabitEthernet1 0 1 Step 4 type can be fastethernet gigabit ethernet or tengig...

Page 397: ...ple Switch show ip admission status Step 9 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 10 Configuring AAA Authentication Follow these steps to configure AAA authentication Use default list for AAA authorization if you are planning to use features such as dACL Note Catalyst 2960 X Switch Security Con...

Page 398: ... mode configure terminal Example Switch configure terminal Step 2 Enables AAA functionality aaa new model Example Switch config aaa new model Step 3 Defines the list of authentication methods at login aaa authentication login default group tacacs radius Example Switch config aaa authentication login default Step 4 group tacacs Creates an authorization method list for web based authorization aaa au...

Page 399: ...end Example Switch config end Step 8 Verifies your entries show running config Example Switch show running config Step 9 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 10 Configuring Switch to RADIUS Server Communication Follow these steps to configure the RADIUS server parameters Catalyst 2960 X Switc...

Page 400: ... or IP address of the remote RADIUS server radius server host hostname ip address test username username Step 4 The test username username option enables automated testing of the RADIUS server connection The specified username does not need to be a valid user name Example Switch config radius server host The key option specifies an authentication and encryption key to use between the switch and th...

Page 401: ...ch You can enable the server for either HTTP or HTTPS The Apple psuedo browser will not open if you configure only the ip http secure server command You should also configure the ip http server command Note Follow these steps to enable the server for either HTTP or HTTPS SUMMARY STEPS 1 enable 2 configure terminal 3 ip http server 4 ip http secure server 5 end DETAILED STEPS Purpose Command or Act...

Page 402: ...rivileged EXEC mode end Example Switch config end Step 5 Customizing the Authentication Proxy Web Pages You can configure web authentication to display four substitute HTML pages to the user in place of the Switch default HTML pages during web based authentication For the equivalent Session Aware Networking configuration example for this feature see the section Configuring a Parameter Map for Web ...

Page 403: ...f the default login page The device is flash memory ip admission proxy http login page file device login filename Example Switch config ip admission proxy http login page Step 3 file disk1 login htm Specifies the location of the custom HTML file to use in place of the default login success page ip admission proxy http success page file device success filename Example Switch config ip admission pro...

Page 404: ...ines on page 367 Specifying a Redirection URL for Successful Login Follow these steps to specify a URL to which the user is redirected after authentication effectively replacing the internal Success HTML page SUMMARY STEPS 1 enable 2 configure terminal 3 ip admission proxy http success redirect url string 4 end DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your passwo...

Page 405: ... Step 4 Related Topics Redirection URL for Successful Login Guidelines on page 368 Configuring the Web Based Authentication Parameters Follow these steps to configure the maximum number of failed login attempts before the client is placed in a watch list for a waiting period SUMMARY STEPS 1 enable 2 configure terminal 3 ip admission max login attempts number 4 end 5 show running config 6 copy runn...

Page 406: ...3 10 Returns to privileged EXEC mode end Example Switch config end Step 4 Verifies your entries show running config Example Switch show running config Step 5 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 6 Configuring a Web Based Authentication Local Banner Follow these steps to configure a local bann...

Page 407: ...h proxy banner http banner text file path Step 3 Optional Create a custom banner by entering C banner text C where C is a delimiting character or Example Switch config ip admission auth proxy banner file path that indicates a file for example a logo or text file that appears in the banner http C My Switch C Returns to privileged EXEC mode end Example Switch config end Step 4 Verifies your entries ...

Page 408: ...S Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Example Switch enable Step 1 Enters the global configuration mode configure terminal Example Switch configure terminal Step 2 Creates a parameter map and enters parameter map webauth configuration mode The specific configuration commands parameter map type webauth global Example Switch config parameter ...

Page 409: ...tartup config Example Switch copy running config startup config Step 7 Configuring Web Based Authentication with VRF Aware You configure the web based authentication with VRF aware to redirect the HTML login page to the client These steps are optional SUMMARY STEPS 1 enable 2 configure terminal 3 parameter map type webauth global 4 webauth vrf aware 5 end 6 show running config 7 copy running confi...

Page 410: ... the commands supported for a named parameter map defined with the parameter map name argument Enables the web based authentication VRF aware feature on SVI webauth vrf aware Example Switch config params parameter map webauth vrf aware Step 4 Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies your entries show running config Example Switch show running config Step 6 Opti...

Page 411: ...5 Delete authentication proxy entries Use an asterisk to delete all cache entries Enter a specific IP address to delete the entry for a single host clear ip admission cache host ip address Example Switch clear ip admission cache 192 168 4 5 Step 3 Monitoring Web Based Authentication Status Use the commands in this topic to display the web based authentication settings for all interfaces or for spe...

Page 412: ...ess session interface command show authentication sessions interface type slot port details Feature Information for Web Based Authentication Feature Information Release This feature is introduced Cisco IOS 15 0 2 EX Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 388 OL 29048 01 Configuring Web Based Authentication Feature Information for Web Based Authentication ...

Page 413: ...erences page 400 Feature Information page 401 Finding Feature Information page 401 Information About Port Blocking page 402 How to Configure Port Blocking page 402 Monitoring Port Blocking page 404 Where to Go Next page 404 Additional References page 404 Feature Information page 405 Prerequisites for Port Security page 406 Restrictions for Port Security page 406 Information About Port Security pag...

Page 414: ...see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About Storm Control Storm Control Storm control prevents traffic on a LAN from being disrupted by a broadcast multicas...

Page 415: ...he rising suppression level In general the higher the level the less effective the protection against broadcast storms When the storm control threshold for multicast traffic is reached all multicast traffic except control traffic such as bridge protocol data unit BDPU and Cisco Discovery Protocol CDP frames are blocked However the switch does not differentiate between routing updates such as OSPF ...

Page 416: ...eshold level that you want to be used for a particular type of traffic However because of hardware limitations and the way in which packets of different sizes are counted threshold percentages are approximations Depending on the sizes of the packets making up the incoming traffic the actual enforced threshold might differ from the configured level by several percentage points Storm control is supp...

Page 417: ...isabled storm control broadcast multicast unicast level level level low bps bps bps low pps pps pps low Step 4 The keywords have these meanings Example Switch config if storm control unicast level 87 65 For level specifies the rising threshold level for broadcast multicast or unicast traffic as a percentage up to two decimal places of the bandwidth The port blocks traffic when the rising threshold...

Page 418: ...per second up to one decimal place It can be less than or equal to the rising threshold level The port forwards traffic when traffic drops below this level The range is 0 0 to 10000000000 0 For BPS and PPS settings you can use metric suffixes such as k m and g for large number thresholds Specifies the action to be taken when a storm is detected The default is to filter out the traffic and not to s...

Page 419: ...ler than the minimum size and arriving at a specified rate the threshold are dropped since the port is error disabled SUMMARY STEPS 1 enable 2 configure terminal 3 errdisable detect cause small frame 4 errdisable recovery interval interval 5 errdisable recovery cause small frame 6 interface interface id 7 small frame violation rate pps 8 end 9 show interfaces interface id 10 show running config 11...

Page 420: ...e Step 5 Storm control is supported on physical interfaces You can also configure storm control on an EtherChannel When storm small frame control is configured on an EtherChannel the storm control settings propagate to the EtherChannel physical interfaces Enters interface configuration mode and specify the interface to be configured interface interface id Example Switch config interface Step 6 gig...

Page 421: ...le Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About Protected Ports Protected Ports Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the ...

Page 422: ...ted Ports Guidelines You can configure protected ports on a physical interface for example Gigabit Ethernet port 1 or an EtherChannel group for example port channel 5 When you enable protected ports for a port channel it is enabled for all ports in the port channel group How to Configure Protected Ports Configuring a Protected Port Before You Begin Protected ports are not pre defined This is the t...

Page 423: ...et1 0 1 Step 3 Configures the interface to be a protected port switchport protected Example Switch config if switchport protected Step 4 Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies your entries show interfaces interface id switchport Example Switch show interfaces gigabitethernet1 0 1 Step 6 switchport Verifies your entries show running config Example Switch show ...

Page 424: ...ng nonrouting ports or the specified port including port blocking and port protection settings show interfaces interface id switchport Where to Go Next Additional References Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool Catalyst 2960 X Switch...

Page 425: ...pport website requires a Cisco com user ID and password Feature Information Feature Information Release This feature was introduced Cisco IOS 15 0 2 EX Finding Feature Information Your software release may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find inf...

Page 426: ...kets that contain IPv4 or IPv6 information in the header are not blocked Note How to Configure Port Blocking Blocking Flooded Traffic on an Interface Before You Begin The interface can be a physical interface or an EtherChannel group When you block multicast or unicast traffic for a port channel it is blocked on all ports in the port channel group SUMMARY STEPS 1 enable 2 configure terminal 3 inte...

Page 427: ...e Switch config if switchport block multicast Only pure Layer 2 multicast traffic is blocked Multicast packets that contain IPv4 or IPv6 information in the header are not blocked Note Blocks unknown unicast forwarding out of the port switchport block unicast Example Switch config if switchport block unicast Step 5 Returns to privileged EXEC mode end Example Switch config end Step 6 Verifies your e...

Page 428: ... for Displaying Port Blocking Settings Purpose Command Displays the administrative and operational status of all switching nonrouting ports or the specified port including port blocking and port protection settings show interfaces interface id switchport Where to Go Next Additional References Related Documents Document Title Related Topic Catalyst 2960 X Switch Security Configuration Guide Cisco I...

Page 429: ...nsive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to mo...

Page 430: ...esses If you limit the number of secure MAC addresses to one and assign a single secure MAC address the workstation attached to that port is assured the full bandwidth of the port If a port is configured as a secure port and the maximum number of secure MAC addresses is reached when the MAC address of a station attempting to access the port is different from any of the identified secure MAC addres...

Page 431: ...ecurity violation when one of these situations occurs The maximum number of secure MAC addresses have been added to the address table and a station whose MAC address is not in the address table attempts to access the interface An address learned or configured on one secure interface is seen on another secure interface in the same VLAN You can configure the interface for one of three violation mode...

Page 432: ...s Yes No No No No shutdown No 10 Yes No Yes No No shutdown vlan 8 Packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses 9 The switch returns an error message if you manually configure an address that would cause a security violation 10 Shuts down only the VLAN on which the violation occurred Port Security Aging You can use port security agin...

Page 433: ...VLAN is only supported on access ports and not on trunk ports even though the configuration is allowed Note When you enable port security on an interface that is also configured with a voice VLAN set the maximum allowed secure addresses on the port to two When the port is connected to a Cisco IP phone the IP phone requires one MAC address The Cisco IP phone address is learned on the voice VLAN but...

Page 434: ...Features Compatible with Port Security Type of Port or Feature on Port No DTP 11 port 12 Yes Trunk port No Dynamic access port 13 No Routed port Yes SPAN source port No SPAN destination port Yes EtherChannel Yes Tunneling port Yes Protected port Yes IEEE 802 1x port Yes Voice VLAN port 14 Yes IP source guard Yes Dynamic Address Resolution Protocol ARP inspection Yes Flex Links 11 DTP Dynamic Trunk...

Page 435: ...ons allowed to access the port SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 switchport mode access trunk 5 switchport voice vlan vlan id 6 switchport port security 7 switchport port security maximum value vlan vlan list access voice 8 switchport port security violation protect restrict shutdown shutdown vlan 9 switchport port security mac address mac address vlan vlan id ...

Page 436: ...affic voice vlan 22 Enable port security on the interface switchport port security Example Switch config if switchport Step 6 port security Optional Sets the maximum number of secure MAC addresses for the interface The maximum number of secure MAC addresses that you can configure on a switchport port security maximum value vlan vlan list access voice Step 7 switch or switch stack is set by the max...

Page 437: ...sables learning when any VLAN reaches its maximum limit even if the port has not reached its maximum limit Note restrict When the number of secure MAC addresses reaches the limit allowed on the port packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses An SNMP trap is sent a syslog messag...

Page 438: ...f switchport port security mac address sticky Optional Enters a sticky secure MAC address repeating the command as many times as necessary If you configure fewer secure MAC addresses than the switchport port security mac address sticky mac address vlan vlan id access voice Step 11 maximum the remaining MAC addresses are dynamically learned are converted to sticky secure MAC addresses and are added...

Page 439: ...onfig Related Topics Port Security on page 368 Port Security on page 406 Configuration Examples for Port Security on page 432 Enabling and Configuring Port Security Aging Use this feature to remove and add devices on a secure port without manually deleting the existing secure MAC addresses and to still limit the number of secure addresses on a port You can enable or disable the aging of secure add...

Page 440: ...isable static aging for the secure port or set the aging time or type switchport port security aging static time time type absolute inactivity Step 4 Example Switch config if switchport The switch does not support port security aging of sticky secure addresses Note Enter static to enable aging for statically configured secure addresses on this port port security aging time 120 For time specifies t...

Page 441: ...ep 8 Related Topics Port Security Aging on page 408 Finding Feature Information Your software release may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which eac...

Page 442: ... multicast or unicast packets are received Traffic rate in bits per second at which broadcast multicast or unicast packets are received Traffic rate in packets per second and for small frames This feature is enabled globally The threshold for small frames is configured for each interface With each method the port blocks traffic when the rising threshold is reached The port remains blocked until th...

Page 443: ...raffic A value of 0 0 means that all broadcast multicast or unicast traffic on that port is blocked Because packets do not arrive at uniform intervals the 1 second time interval during which traffic activity is measured can affect the behavior of storm control Note You use the storm control interface configuration commands to set the threshold value for each traffic type How to Configure Storm Con...

Page 444: ...face id 4 storm control broadcast multicast unicast level level level low bps bps bps low pps pps pps low 5 storm control action shutdown trap 6 end 7 show storm control interface id broadcast multicast unicast 8 copy running config startup config DETAILED STEPS Purpose Command or Action Enables privileged EXEC mode Enter your password if prompted enable Step 1 Example Switch enable Enters the glo...

Page 445: ...t blocks traffic when the rising threshold is reached The range is 0 0 to 10000000000 0 Optional For bps low specifies the falling threshold level in bits per second up to one decimal place It can be less than or equal to the rising threshold level The port forwards traffic when traffic drops below this level The range is 0 0 to 10000000000 0 For pps pps specifies the rising threshold level for br...

Page 446: ... frames They are forwarded by the switch but they do not cause the switch storm control counters to increment You globally enable the small frame arrival feature on the switch and then configure the small frame threshold for packets on each interface Packets smaller than the minimum size and arriving at a specified rate the threshold are dropped since the port is error disabled SUMMARY STEPS 1 ena...

Page 447: ...l frames errdisable recovery cause small frame Example Switch config errdisable recovery cause Step 5 Storm control is supported on physical interfaces You can also configure storm control on an EtherChannel When storm small frame control is configured on an EtherChannel the storm control settings propagate to the EtherChannel physical interfaces Enters interface configuration mode and specify the...

Page 448: ...res documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About Protected Por...

Page 449: ...fferent switches in the stack Default Protected Port Configuration The default is to have no protected ports defined Protected Ports Guidelines You can configure protected ports on a physical interface for example Gigabit Ethernet port 1 or an EtherChannel group for example port channel 5 When you enable protected ports for a port channel it is enabled for all ports in the port channel group How t...

Page 450: ...1 0 1 Step 3 Configures the interface to be a protected port switchport protected Example Switch config if switchport protected Step 4 Returns to privileged EXEC mode end Example Switch config end Step 5 Verifies your entries show interfaces interface id switchport Example Switch show interfaces gigabitethernet1 0 1 Step 6 switchport Verifies your entries show running config Example Switch show ru...

Page 451: ...ng nonrouting ports or the specified port including port blocking and port protection settings show interfaces interface id switchport Where to Go Next Additional References Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool Catalyst 2960 X Switch...

Page 452: ...pport website requires a Cisco com user ID and password Feature Information Feature Information Release This feature was introduced Cisco IOS 15 0 2 EX Finding Feature Information Your software release may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find inf...

Page 453: ...ked Note How to Configure Port Blocking Blocking Flooded Traffic on an Interface Before You Begin The interface can be a physical interface or an EtherChannel group When you block multicast or unicast traffic for a port channel it is blocked on all ports in the port channel group SUMMARY STEPS 1 enable 2 configure terminal 3 interface interface id 4 switchport block multicast 5 switchport block un...

Page 454: ... not blocked Note Blocks unknown unicast forwarding out of the port switchport block unicast Example Switch config if switchport block unicast Step 5 Returns to privileged EXEC mode end Example Switch config end Step 6 Verifies your entries show interfaces interface id switchport Example Switch show interfaces gigabitethernet1 0 1 Step 7 switchport Verifies your entries show running config Example...

Page 455: ...hport Where to Go Next Additional References Related Documents Document Title Related Topic Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release use the Error Message Decoder tool Standards and RFCs Title Standard RFC Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Rele...

Page 456: ...ion RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Feature Information Feature Information Release This feature was introduced Cisco IOS 15 0 2 EX Configuration Examples for Port Security This example shows how to enable port security on a port and to set the maximum number of secure addresses to 50 The violation mode is the default no static ...

Page 457: ... if switchport port security mac address sticky 0000 0000 0002 Switch config if switchport port security mac address 0000 0000 0003 Switch config if switchport port security mac address sticky 0000 0000 0001 vlan voice Switch config if switchport port security mac address 0000 0000 0004 vlan voice Switch config if switchport port security maximum 10 vlan access Switch config if switchport port sec...

Page 458: ...d of this module Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About Protocol Storm Protection Protocol Storm Protection When a switch is flooded with Address Resolution Protocol ARP or control packets high CPU utilization c...

Page 459: ...el and Flexlink interfaces Note Default Protocol Storm Protection Configuration Protocol storm protection is disabled by default When it is enabled auto recovery of the virtual port is disabled by default How to Configure Protocol Storm Protection Enabling Protocol Storm Protection SUMMARY STEPS 1 enable 2 configure terminal 3 psp arp dhcp igmp pps value 4 errdisable detect cause psp 5 errdisable ...

Page 460: ...nfig errdisable detect cause Step 4 If this feature is disabled the port drops excess packets without error disabling the port psp Optional Configures an auto recovery time in seconds for error disabled virtual ports When a virtual port is error disabled the errdisable recovery interval time Example Switch Step 5 switch auto recovers after this time The range is from 30 to 86400 seconds Returns to...

Page 461: ...cisco com support The Cisco Support website provides extensive online resources including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies To receive security and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsle...

Page 462: ...Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 438 OL 29048 01 Configuring Port Based Traffic Control Additional References ...

Page 463: ...e release may not support all the features documented in this module For the latest caveats and feature information see Bug Search Tool and the release notes for your platform and software release To find information about the features documented in this module and to see a list of the releases in which each feature is supported see the feature information table at the end of this module Use Cisco...

Page 464: ...he IPv4 or IPv6 address and prefix binding of the neighbors to prevent spoofing and redirect attacks IPv6 Neighbor Discovery Inspection IPv6 ND inspection learns and secures bindings for stateless autoconfiguration addresses in Layer 2 neighbor tables IPv6 ND inspection analyzes neighbor discovery messages in order to build a trusted binding table database and IPv6 neighbor discovery messages that...

Page 465: ...VLAN It is supported only at the interface level You cannot use IPv6 Source Guard and Prefix Guard together When you attach the policy to an interface it should be validate address or validate prefix but not both PVLAN and Source Prefix Guard cannot be applied together For more information on IPv6 Source Guard see the IPv6 Source Guard chapter of the Cisco IOS IPv6 Configuration Guide Library on C...

Page 466: ...A is used to insert relay agent options in DHCP version 6 DHCPv6 message exchanges primarily to identify client facing interfaces LDRA functionality can be enabled on an interface and on a VLAN For more information about DHCPv6 Relay See the DHCPv6 Relay Lightweight DHCPv6 Relay Agent section of the IP Addressing DHCP Configuration Guide Cisco IOS Release 15 1SG How to Configure an IPv6 Snooping P...

Page 467: ...witch config ipv6 snooping trusted port Optional security level glean guard inspect Specifies the level of security enforced by the feature Default is guard glean Gleans addresses from messages and populates the binding table without any verification guard Gleans addresses and inspects messages In addition it rejects RA and DHCP server messages This is the default option inspect Gleans addresses v...

Page 468: ...ype stack module port Example Switch config interface gigabitethernet 1 1 4 Step 2 Enters the Switchport mode switchport Step 3 Example Switch config if switchport To configure Layer 2 parameters if the interface is in Layer 3 mode you must enter the switchport interface configuration command without any parameters to put the interface into Layer 2 mode This shuts down the interface and then re en...

Page 469: ...6 snooping attach policy example_policy vlan 111 112 Verifies that the policy is attached to the specified interface without exiting the interface configuration mode do show running config Example Switch config if do show running config Step 5 How to Attach an IPv6 Snooping Policy to a Layer 2 EtherChannel Interface Beginning in privileged EXEC mode follow these steps to attach an IPv6 Snooping po...

Page 470: ...lan_ids all vlan vlan_ids add vlan_ids exceptvlan_ids none remove vlan_ids all Step 3 Example Switch config if range ipv6 snooping attach policy example_policy or Switch config if range ipv6 snooping attach policy example_policy vlan 222 223 224 or Switch config if range ipv6 snooping vlan 222 223 224 Confirms that the policy is attached to the specified interface without exiting the configuration...

Page 471: ...lt policy is attached if ipv6 snooping attach policy policy_name Example Switch config vlan config ipv6 snooping attach policy example_policy Step 3 the attach policy option is not used The default policy is security level guard device role node protocol ndp and dhcp Verifies that the policy is attached to the specified VLANs without exiting the interface configuration mode do show running config ...

Page 472: ...ack module port hw_address reachable lifetimevalue seconds default infinite tracking default disable Step 2 reachable lifetimevalue seconds default infinite enable reachable lifetimevalue seconds default infinite retry interval seconds default reachable lifetimevalue seconds default infinite Example Switch config ipv6 neighbor binding Specifies the maximum number of entries that are allowed to be ...

Page 473: ...no device role drop unsecure limit address count sec level minimum tracking trusted port validate source mac 11 default device role drop unsecure limit address count sec level minimum tracking trusted port validate source mac 12 do show ipv6 nd inspection policy policy_name DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure ter...

Page 474: ...fig nd inspection tracking disable stale lifetime infinite Configures a port to become a trusted port trusted port Example Switch config nd inspection trusted port Step 8 Checks the source media access control MAC address against the link layer address validate source mac Example Switch config nd inspection validate source mac Step 9 Remove the current configuration of a parameter with the no form...

Page 475: ...global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies an interface type and identifier enters the interface configuration mode interface Interface_type stack module port Example Switch config interface gigabitethernet 1 1 4 Step 2 Attaches the Neighbor Discovery Inspection policy to the interface or the specified VLANs on that ipv6 nd inspection attach pol...

Page 476: ...d vlan_ids except vlan_ids none remove vlan_ids all vlan vlan_ids add vlan_ids exceptvlan_ids none remove vlan_ids all 4 do show running config interfaceportchannel_interface_name DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specify the port channel interface name assigned when the EtherChannel was created...

Page 477: ...ied interface without exiting the configuration mode do show running config interfaceportchannel_interface_name Example Switch config if range do show running config int po11 Step 4 HowtoAttachanIPv6NeighborDiscoveryInspectionPolicytoVLANsGlobally Beginning in privileged EXEC mode follow these steps to attach an IPv6 ND Inspection policy to VLANs across multiple interfaces SUMMARY STEPS 1 configur...

Page 478: ...nfiguration mode do show running config Example Switch config if do show running config Step 4 How to Configure an IPv6 Router Advertisement Guard Policy Beginning in privileged EXEC mode follow these steps to configure an IPv6 Router Advertisement policy SUMMARY STEPS 1 configure terminal 2 no ipv6 nd raguard policy policy name 3 no device role host monitor router switch 4 no hop limit maximum mi...

Page 479: ...An RA message with an unspecified Hop Limit value is blocked If not configured this filter is disabled Configure minimum to block RA messages with Hop Limit values lower than the value you specify Configure maximumto block RA messages with Hop Limit values greater than the value you specify Enables filtering of Router Advertisement messages by the Managed Address Configuration or M flag field A ro...

Page 480: ... set to medium and high When configured as a trusted port all attached devices are trusted and no further message verification is performed no trusted port Example Switch config nd raguard trusted port Step 9 Restores a command to its default value default device role hop limit maximum minimum managed config flag match ipv6 Step 10 access list ra prefix list other config flag router preference max...

Page 481: ...he specified VLANs on that ipv6 nd raguard attach policy policy_name vlan vlan_ids add vlan_ids except vlan_ids none remove vlan_ids all Step 3 interface The default policy is attached if the attach policy option is not used vlan vlan_ids add vlan_ids exceptvlan_ids none remove vlan_ids all Example Switch config if ipv6 nd raguard attach policy example_policy or Switch config if ipv6 nd raguard at...

Page 482: ...range configuration mode interface range Interface_name Example Switch config interface Po11 Step 2 Enter the do show interfaces summary command for quick reference to interface names and types Tip Attaches the RA Guard policy to the interface or the specified VLANs on that interface The default policy is attached if the attach policy option is not used ipv6 nd raguard attach policy policy_name vl...

Page 483: ...port 9 do show ipv6 dhcp guard policy policy_name DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the DHCPv6 Guard policy name and enters DHCPv6 Guard Policy configuration mode no ipv6 dhcp guard policy policy name Example Switch config ipv6 dhcp guard policy example_policy Step 2 Optional Filters o...

Page 484: ...CHPv6 Guard to match prefix Switch config dhcp guard match reply prefix list my_prefix Configure max and min when device role is serverto filter DCHPv6 server advertisements by the server preference value The defaults permit all advertisements no preference max limit min limit Example Switch config dhcp guard preference max 250 Switch config dhcp guard preference min 150 Step 6 max limit 0 to 255 ...

Page 485: ...an add 1 vlan 1 ipv6 dhcp guard attach policy pol1 show ipv6 dhcp guard policy pol1 How to Attach an IPv6 DHCP Guard Policy to an Interface or a VLAN on an Interface Beginning in privileged EXEC mode follow these steps to configure IPv6 Binding Table Content SUMMARY STEPS 1 configure terminal 2 interface Interface_type stack module port 3 ipv6 dhcp guard attach policy policy_name vlan vlan_ids add...

Page 486: ...3 224 Confirms that the policy is attached to the specified interface without exiting the configuration mode do show running config interface Interface_type stack module port Example Switch config if do show running config gig 1 1 4 Step 4 How to Attach an IPv6 DHCP Guard Policy to a Layer 2 EtherChannel Interface Beginning in privileged EXEC mode follow these steps to attach an IPv6 DHCP Guard po...

Page 487: ... all vlan vlan_ids add vlan_ids exceptvlan_ids none remove vlan_ids all Step 3 Example Switch config if range ipv6 dhcp guard attach policy example_policy or Switch config if range ipv6 dhcp guard attach policy example_policy vlan 222 223 224 or Switch config if range ipv6 dhcp guard vlan 222 223 224 Confirms that the policy is attached to the specified interface without exiting the configuration ...

Page 488: ...hcp guard attach policy policy_name Example Switch config vlan config ipv6 dhcp guard attach policy example_policy Step 3 is attached if the attach policy option is not used The default policy is device role client no trusted port Confirms that the policy is attached to the specified VLANs without exiting the configuration mode do show running config Example Switch config if do show running config...

Page 489: ...itch config sisf sourceguard deny global autoconf global addresses on a link are DHCP assigned and the administrator wants to block hosts with self configured addresses to send traffic permit link local Allows all data traffic that is sourced by a link local address Trusted option under source guard policy is not supported Note Exits out of IPv6 Source Guard policy configuration mode end Example S...

Page 490: ...n mode interface Interface_type stack module port Example Switch config interface gigabitethernet 1 1 4 Step 3 Attaches the IPv6 Source Guard policy to the interface The default policy is attached if the attach policy option is not used ipv6 source guard attach policy policy_name Example Switch config if ipv6 source guard attach policy example_policy Step 4 Shows the policy configuration and all t...

Page 491: ... html IPv6 network management and security topics IPv6 Command Reference Cisco IOS XE Release 3SE Catalyst 3850 Switches http www cisco com en US docs ios xml ios ipv6 command ipv6 xe 3se 3850 cr book html IPv6 Command Reference Error Message Decoder Link Description https www cisco com cgi bin Support Errordecoder index cgi To help you research and resolve system error messages in this release us...

Page 492: ... and technical information about your products you can subscribe to various services such as the Product Alert Tool accessed from Field Notices the Cisco Technical Services Newsletter and Really Simple Syndication RSS Feeds Access to most tools on the Cisco Support website requires a Cisco com user ID and password Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX 468 ...

Page 493: ...ACLs continued IPv4 147 148 153 165 167 applying to interfaces 167 creating 147 interfaces 153 matching criteria 147 numbers 148 terminal lines setting on 165 unsupported features 147 Layer 4 information in 153 logging messages 150 matching 154 monitoring 179 port 142 precedence of 142 router 142 router ACLs and VLAN map configuration guidelines 152 standard IPv4 147 154 creating 154 matching crit...

Page 494: ...cation global 83 93 communication per server 83 login authentication 47 multiple UDP ports 83 configuring a secure HTTP client 134 configuring a secure HTTP server 131 Configuring the Switch for Vendor Proprietary RADIUS Server Communication 103 Example command 103 Configuring the Switch to Use Vendor Specific RADIUS Attributes 103 Examples command 103 Configuring VACL Logging 177 customizeable we...

Page 495: ...ifying the server 45 83 IP ACLs 150 named 150 IP source guard 235 237 238 239 802 1x 237 binding configuration 235 automatic 235 manual 235 binding table 235 configuration guidelines 237 described 235 DHCP snooping 235 enabling 238 239 EtherChannels 237 port security 237 routed ports 237 static bindings 238 239 adding 238 239 static hosts 239 TCAM entries 237 trunk interfaces 237 VRF 237 IPv4 ACLs...

Page 496: ... default for lines 33 privilege levels continued exiting 34 logging into 34 overview 22 setting a command with 31 Protecting Enable and Enable Secret Passwords with Encryption 35 Example command 35 R RADIUS 59 60 69 83 86 88 90 92 93 95 97 101 103 server load balancing 101 attributes 95 97 103 vendor proprietary 97 103 vendor specific 95 configuring 83 86 90 92 93 accounting 92 authentication 86 a...

Page 497: ...ork environments 59 SVIs 144 and router ACLs 144 Switch Access 35 displaying 35 switched packets ACLs on 191 T TACACS 41 43 45 47 50 52 54 accounting defined 41 authentication defined 41 authorization defined 41 configuring 45 47 50 52 accounting 52 authentication key 45 authorization 50 login authentication 47 default configuration 45 defined 41 displaying 54 identifying the server 45 key 45 limi...

Page 498: ... permitting packets 173 175 VRF 237 W web based authentication 359 365 customizeable web pages 365 description 359 web based authentication interactions with other features 368 with RADIUS 86 90 92 with TACACS 41 47 50 52 with usernames 29 Catalyst 2960 X Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX IN 6 OL 29048 01 Index ...

Reviews:

No comments

Related manuals for Catalyst 2960-X

JCG Q5 Quick Installation Manual preview
Q5
Brand: JCG Pages: 3
Ubiquiti U5-24-500W Quick Start Manual preview
U5-24-500W
Brand: Ubiquiti Pages: 23
H3C S12500R-2L Installation Manual preview
S12500R-2L
Brand: H3C Pages: 77
Cromemco 32K Bytesaver Instruction Manual preview
32K Bytesaver
Brand: Cromemco Pages: 46
Verizon Wireless PC 3220 Owner'S Manual preview
PC 3220
Brand: Verizon Wireless Pages: 39
IDT Tsi310TM User Manual preview
Tsi310TM
Brand: IDT Pages: 207
eWON 2101CD Installation Manual preview
2101CD
Brand: eWON Pages: 34
Promise Technology VTrak J310S Quick Start Manual preview
VTrak J310S
Brand: Promise Technology Pages: 26
Solwise 3GWIFIMRD User Manual preview
3GWIFIMRD
Brand: Solwise Pages: 231
TP-Link Deco XE200 User Manual preview
Deco XE200
Brand: TP-Link Pages: 57
Xantech IR-X10 Installation Instructions Manual preview
IR-X10
Brand: Xantech Pages: 16
Crown PIP-AF Owner'S Manual preview
PIP-AF
Brand: Crown Pages: 7
Cayman Systems 2E-H-W User Manual preview
2E-H-W
Brand: Cayman Systems Pages: 170
SilverStone SDP12 Quick Start Manual preview
SDP12
Brand: SilverStone Pages: 2
ADLINK Technology EOS-1200 User Manual preview
EOS-1200
Brand: ADLINK Technology Pages: 108
ActionTec GE344000-01 User Manual preview
GE344000-01
Brand: ActionTec Pages: 87
SMC Networks SMCGS10P-Smart Installation Manual preview
SMCGS10P-Smart
Brand: SMC Networks Pages: 68
Kontron PC/104-PCMCIA-1 User Manual preview
PC/104-PCMCIA-1
Brand: Kontron Pages: 20

Brands by name

Popular brands

Load more brands