manualshive.com logo in svg

Cisco Catalyst 2960-XR, Security Configuration Manual

The Cisco Catalyst 2960-XR is a high-performance network switch designed for enterprise-level networking solutions. For detailed instructions on its usage and configurations, a comprehensive user manual is available for free download. Access it on manualshive.com to unleash the full potential of this cutting-edge product effortlessly.

Share
Download
background image

The

mac access-group

interface configuration command is only valid when applied to a physical Layer 2

interface. You cannot use the command on EtherChannel port channels.

Note

Related Topics

Applying an IPv4 ACL to an Interface, on page 130

IPv4 ACL Interface Considerations, on page 119

Creating Named MAC Extended ACLs, on page 132

Applying a MAC ACL to a Layer 2 Interface, on page 133

Information about Network Security with ACLs

This chapter describes how to configure network security on the switch by using access control lists (ACLs),
which in commands and tables are also referred to as access lists.

ACL Overview

Packet filtering can help limit network traffic and restrict network use by certain users or devices. ACLs filter
traffic as it passes through a router or switch and permit or deny packets crossing specified interfaces or
VLANs. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet
is received on an interface, the switch compares the fields in the packet against any applied ACLs to verify
that the packet has the required permissions to be forwarded, based on the criteria specified in the access lists.
One by one, it tests packets against the conditions in an access list. The first match decides whether the switch
accepts or rejects the packets. Because the switch stops testing after the first match, the order of conditions
in the list is critical. If no conditions match, the switch rejects the packet. If there are no restrictions, the switch
forwards the packet; otherwise, the switch drops the packet. The switch can use ACLs on all packets it forwards,
including packets bridged within a VLAN.

You configure access lists on a router or Layer 3 switch to provide basic security for your network. If you do
not configure ACLs, all packets passing through the switch could be allowed onto all parts of the network.
You can use ACLs to control which hosts can access different parts of a network or to decide which types of
traffic are forwarded or blocked at router interfaces. For example, you can allow e-mail traffic to be forwarded
but not Telnet traffic. ACLs can be configured to block inbound traffic, outbound traffic, or both.

Access Control Entries

An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies

permit

or

deny

and a

set of conditions the packet must satisfy in order to match the ACE. The meaning of

permit

or

deny

depends

on the context in which the ACL is used.

ACL Supported Types

The switch supports IP ACLs and Ethernet (MAC) ACLs:

IP ACLs filter IPv4 traffic, including TCP, User Datagram Protocol (UDP), Internet Group Management
Protocol (IGMP), and Internet Control Message Protocol (ICMP).

Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1    

   OL-29434-01

107

Configuring IPv4 ACLs

Information about Network Security with ACLs

Summary of Contents for Catalyst 2960-XR

Page 1: ...Release 15 0 2 EX1 First Published May 07 2013 Last Modified August 08 2013 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Text Part Number OL 29434 01 ...

Page 2: ... Cisco Systems Inc All rights reserved ...

Page 3: ...s 5 Configuring the Command History 5 Changing the Command History Buffer Size 6 Recalling Commands 6 Disabling the Command History Feature 7 Enabling and Disabling Editing Features 7 Editing Commands through Keystrokes 8 Editing Command Lines That Wrap 9 Searching and Filtering Output of show and more Commands 10 Accessing the CLI through a Console Connection or through Telnet 11 C H A P T E R 2 ...

Page 4: ...d for a Terminal Line 28 Configuring Username and Password Pairs 30 Setting the Privilege Level for a Command 31 Changing the Default Privilege Level for Lines 32 Logging into and Exiting a Privilege Level 33 Monitoring Switch Access 34 Configuration Examples for Setting Passwords and Privilege Levels 35 Example Setting or Changing a Static Enable Password 35 Example Protecting Enable and Enable S...

Page 5: ...able 49 Monitoring TACACS 50 C H A P T E R 6 Configuring RADIUS 51 Finding Feature Information 51 Prerequisites for Controlling Switch Access with RADIUS 51 Restrictions for Controlling Switch Access with RADIUS 52 Information about RADIUS 53 RADIUS and Switch Access 53 RADIUS Overview 53 RADIUS Operation 54 RADIUS Change of Authorization 55 Change of Authorization Requests 55 RFC 5176 Compliance ...

Page 6: ...g Settings for All RADIUS Servers 73 Configuring the Switch to Use Vendor Specific RADIUS Attributes 75 Configuring the Switch for Vendor Proprietary RADIUS Server Communication 75 Configuring CoA on the Switch 77 Monitoring CoA Functionality 79 Configuration Examples for Controlling Switch Access with RADIUS 79 Examples Identifying the RADIUS Server Host 79 Examples Configuring the Switch to Use ...

Page 7: ...nfiguring Secure Socket Layer HTTP 93 Finding Feature Information 93 Information about Secure Sockets Layer SSL HTTP 93 Certificate Authority Trustpoints 94 CipherSuites 95 Default SSL Configuration 96 SSL Configuration Guidelines 96 Secure HTTP Servers and Clients Overview 96 How to Configure Secure HTTP Servers and Clients 96 Configuring a CA Trustpoint 96 Configuring the Secure HTTP Server 99 C...

Page 8: ...and Extended IPv4 ACLs 113 IPv4 ACL Switch Unsupported Features 113 Access List Numbers 113 Numbered Standard IPv4 ACLs 114 Numbered Extended IPv4 ACLs 114 Named IPv4 ACLs 115 ACL Logging 116 Hardware and Software Treatment of IP ACLs 116 VLAN Map Configuration Guidelines 117 VLAN Maps with Router ACLs 117 VLAN Maps and Router ACL Configuration Guidelines 118 VACL Logging 118 Time Ranges for ACLs ...

Page 9: ...amples Commented IP ACL Entries 145 Examples ACL Logging 145 Configuration Examples for ACLs and VLAN Maps 147 Example Creating an ACL and a VLAN Map to Deny a Packet 147 Example Creating an ACL and a VLAN Map to Permit a Packet 147 Example Default Action of Dropping IP Packets and Forwarding MAC Packets 147 Example Default Action of Dropping MAC Packets and Forwarding IP Packets 148 Example Defau...

Page 10: ...rver 165 DHCP Relay Agent 165 DHCP Snooping 166 Option 82 Data Insertion 167 Cisco IOS DHCP Server Database 170 DHCP Snooping Binding Database 170 DHCP Snooping and Switch Stacks 171 How to Configure DHCP Features 172 Default DHCP Snooping Configuration 172 DHCP Snooping Configuration Guidelines 173 Configuring the DHCP Server 173 DHCP Server and Switch Stacks 173 Configuring the DHCP Relay Agent ...

Page 11: ... IP Source Guard for Static Hosts on a Layer 2 Access Port 189 Monitoring IP Source Guard 193 C H A P T E R 1 4 Configuring Dynamic ARP Inspection 195 Finding Feature Information 195 Restrictions for Dynamic ARP Inspection 195 Understanding Dynamic ARP Inspection 197 Interface Trust States and Network Security 198 Rate Limiting of ARP Packets 199 Relative Priority of ARP ACLs and DHCP Snooping Ent...

Page 12: ...diness Check 226 Switch to RADIUS Server Communication 226 802 1x Authentication with VLAN Assignment 227 802 1x Authentication with Per User ACLs 228 802 1x Authentication with Downloadable ACLs and Redirect URLs 229 Cisco Secure ACS and Attribute Value Pairs for the Redirect URL 231 Cisco Secure ACS and Attribute Value Pairs for Downloadable ACLs 231 VLAN ID based MAC Authentication 232 802 1x A...

Page 13: ...on 245 VLAN Assignment Guest VLAN Restricted VLAN and Inaccessible Authentication Bypass 246 MAC Authentication Bypass 247 Maximum Number of Allowed Devices Per Port 247 Configuring 802 1x Readiness Check 247 Configuring Voice Aware 802 1x Security 248 Configuring 802 1x Violation Modes 250 Configuring 802 1x Authentication 252 Configuring 802 1x Port Based Authentication 253 Configuring the Switc...

Page 14: ...direct URLs 289 Configuring Downloadable ACLs 289 Configuring a Downloadable Policy 291 Configuring VLAN ID based MAC Authentication 293 Configuring Flexible Authentication Ordering 294 Configuring Open1x 295 Disabling 802 1x Authentication on the Port 297 Resetting the 802 1x Authentication Configuration to the Default Values 299 Monitoring 802 1x Statistics and Status 300 C H A P T E R 1 6 Confi...

Page 15: ...ogin 319 Configuring the Web Based Authentication Parameters 321 Configuring a Web Authentication Local Banner 321 Removing Web Based Authentication Cache Entries 322 Monitoring Web Based Authentication Status 323 C H A P T E R 1 7 Configuring Port Based Traffic Control 325 Overview of Port Based Traffic Control 326 Finding Feature Information 326 Information About Storm Control 326 Storm Control ...

Page 16: ...y Configuration 338 Port Security Configuration Guidelines 339 How to Configure Port Security 340 Enabling and Configuring Port Security 340 Enabling and Configuring Port Security Aging 344 Monitoring Port Security 346 Configuration Examples for Port Security 347 Information About Protocol Storm Protection 347 Protocol Storm Protection 347 Default Protocol Storm Protection Configuration 348 How to...

Page 17: ... an IPv6 Router Advertisement Guard Policy 362 How to Attach an IPv6 RA Guard Policy to an Interface 364 How to Attach an IPv6 RA Guard Policy to VLANs Globally 365 How to Configure an IPv6 DHCP Guard Policy 366 How to Attach an IPv6 DHCP Guard Policy to an Interface 367 How to Attach an IPv6 DHCP Guard Policy to VLANs Globally 368 How to Configure IPv6 Source Guard 369 How to Attach an IPv6 Sourc...

Page 18: ...Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 xviii OL 29434 01 Contents ...

Page 19: ...lic font Italic font Terminal sessions and information the system displays appear in courier font Courier font Bold Courier font indicates text that the user must enter Bold Courier font Elements in square brackets are optional x An ellipsis three consecutive nonbolded periods without spaces after a syntax element indicates that the element can be repeated A vertical line called a pipe indicates a...

Page 20: ...dicates a comment line Reader Alert Conventions This document uses the following conventions for reader alerts Means reader take note Notes contain helpful suggestions or references to material not covered in the manual Note Means the following information will help you solve a problem Tip Means reader be careful In this situation you might do something that could result in equipment damage or los...

Page 21: ...thering additional information see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at http www cisco com en US docs general whatsnew whatsnew html Subscribe to the What s New in Cisco Product Documentation as a Really Simple Syndication RSS feed and set content to be delivered directly to your desktop using a reader applicati...

Page 22: ...Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 22 OL 29434 01 Preface Obtaining Documentation and Submitting a Service Request ...

Page 23: ...mmands which show the current configuration status and clear commands which clear counters or interfaces The user EXEC commands are not saved when the switch reboots To have access to all commands you must enter privileged EXEC mode Normally you must enter a password to enter privileged EXEC mode From this mode you can enter any privileged EXEC command or enter global configuration mode Using the ...

Page 24: ...ration Use this mode to configure VLAN parameters When VTP mode is transparent you can create extended range VLANs VLAN IDs greater than 1005 and save configurations in the switch startup configuration file To exit to global configuration mode enter the exit command To return to privileged EXEC mode press Ctrl Z or enter end Switch config vlan While in global configuration mode enter the vlan vlan...

Page 25: ...ssociated keywords and arguments for any command SUMMARY STEPS 1 help 2 abbreviated command entry 3 abbreviated command entry Tab 4 5 command 6 command keyword DETAILED STEPS Purpose Command or Action Obtains a brief description of the help system in any command mode help Example Switch help Step 1 Obtains a list of commands that begin with a particular character string abbreviated command entry E...

Page 26: ... or reverse the action of a command For example the no shutdown interface configuration command reverses the shutdown of an interface Use the command without the keyword no to reenable a disabled feature or to enable a feature that is disabled by default Configuration commands can also have a default form The default form of a command returns the command setting to its default Most commands are di...

Page 27: ...uration Logging You can log and view changes to the switch configuration You can use the Configuration Change Logging and Notification feature to track changes on a per session and per user basis The logger tracks each configuration command that is applied the user who entered the command the time that the command was entered and the parser return code for the command This feature includes a mecha...

Page 28: ... perform one of the actions listed in this table These actions are optional The arrow keys function only on ANSI compatible terminals such as VT100s Note SUMMARY STEPS 1 Ctrl P or use the up arrow key 2 Ctrl N or use the down arrow key 3 show history DETAILED STEPS Purpose Command or Action Recalls commands in the history buffer beginning with the most recent command Repeat the key sequence to rec...

Page 29: ...ory DETAILED STEPS Purpose Command or Action Disables the feature during the current terminal session in the privileged EXEC mode terminal no history Example Switch terminal no history Step 1 Enabling and Disabling Editing Features Although enhanced editing mode is automatically enabled you can disable it and reenable it SUMMARY STEPS 1 terminal editing 2 terminal no editing DETAILED STEPS Purpose...

Page 30: ... cursor to the beginning of the command line Ctrl A Moves the cursor to the end of the command line Ctrl E Moves the cursor back one word Esc B Moves the cursor forward one word Esc F Transposes the character to the left of the cursor with the character located at the cursor Ctrl T Erases the character to the left of the cursor Delete or Backspace key Deletes the character at the cursor Ctrl D Del...

Page 31: ... Ctrl R Editing Command Lines That Wrap You can use a wraparound feature for commands that extend beyond a single line on the screen When the cursor reaches the right margin the command line shifts ten spaces to the left You cannot see the first ten characters of the line but you can scroll back and check the syntax at the beginning of the command The keystroke actions are optional To scroll back ...

Page 32: ... the line to show that the line has been scrolled to the right Execute the commands Return key Step 3 The software assumes that you have a terminal screen that is 80 columns wide If you have a different width use the terminal width privileged EXEC command to set the width of your terminal Use line wrapping with the command history feature to recall and modify previous complex command entries Searc...

Page 33: ...se one of these methods to establish a connection with the switch Connect the switch console port to a management station or dial up modem or connect the Ethernet management port to a PC For information about connecting to the console or Ethernet management port see the switch hardware installation guide Use any Telnet TCP IP or encrypted Secure Shell SSH package from a remote management station T...

Page 34: ...Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 12 OL 29434 01 Using the Command Line Interface Accessing the CLI through a Console Connection or through Telnet ...

Page 35: ...to the approved FIPS cryptographic strengths and management methods for safeguarding these operations IPv6 First Hop Security A suite of security features to be applied at the first hop switch to protect against vulnerabilities inherent in IPv6 networks These include Binding Integrity Guard Binding Table Router Advertisement Guard RA Guard DHCP Guard IPv6 Neighbor Discovery Inspection ND Guard Web...

Page 36: ...ty policies on Layer 2 interfaces port ACLs Extended MAC access control lists for defining security policies in the inbound direction on Layer 2 interfaces Source and destination MAC based ACLs for filtering non IP traffic DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based o...

Page 37: ... LAN Base image Note 802 1x accounting to track network usage 802 1x with wake on LAN to allow dormant PCs to be powered on based on the receipt of a specific Ethernet frame 802 1x readiness check to determine the readiness of connected end hosts before configuring IEEE 802 1x on the switch To use 802 1x readiness check the switch must be running the LAN Base image Note Voice aware 802 1x security...

Page 38: ...SL Version 3 0 support for the HTTP 1 1 server authentication encryption and message integrity and HTTP client authentication to allow secure HTTP communications requires the cryptographic version of the software IEEE 802 1x Authentication with ACLs and the RADIUS Filter Id Attribute Support for IP source guard on static hosts RADIUS Change of Authorization CoA to change the attributes of a certai...

Page 39: ...reappearance of the same MAC address on another port in the same way as a completely new MAC address Support for 3DES and AES with version 3 of the Simple Network Management Protocol SNMPv3 This release adds support for the 168 bit Triple Data Encryption Standard 3DES and the 128 bit 192 bit and 256 bit Advanced Encryption Standard AES encryption algorithms to SNMPv3 Support for Cisco TrustSec SXP...

Page 40: ...Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 18 OL 29434 01 Security Features Overview Security Features Overview ...

Page 41: ...k To prevent unauthorized access into your switch you should configure one or more of these security features At a minimum you should configure passwords and privileges at each switch port These passwords are locally stored on the switch When users attempt to access the switch through a port or line they must enter the password specified for the port or line before they can access the switch For a...

Page 42: ...sful attempts are made For more information see the Cisco IOS Login Enhancements documentation Related Topics Configuring Username and Password Pairs on page 30 TACACS and Switch Access on page 39 Setting a Telnet Password for a Terminal Line on page 28 Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 20 OL 29434 01 Preventing Unauthorized Access Preventing Unautho...

Page 43: ...e notes for your platform and software release Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Restrictions for Controlling Switch Access with Passwords and Privileges The following are the restrictions for controlling switch access with ...

Page 44: ...icularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol TFTP server you can use either the enable password or enable secret global configuration commands Both commands accomplish the same thing that is you can establish an encrypted password that users must enter to access privileged EXEC mode the default or any privilege level you specify We recommend ...

Page 45: ... use the service password recovery global configuration command Related Topics Disabling Password Recovery on page 27 Restrictions for Controlling Switch Access with Passwords and Privileges on page 21 Terminal Line Telnet Configuration When you power up your switch for the first time an automatic setup program runs to assign IP information and to create a default configuration for continued use T...

Page 46: ...d fairly widely But if you want more restricted access to the configure command you can assign it level 3 security and distribute that password to a more restricted group of users Command Privilege Levels When you set a command to a privilege level all commands whose syntax is a subset of that command are also set to that level For example if you set the show ip traffic command to level 15 the sho...

Page 47: ...le to create the password abc 123 do this Enter abc Enter Crtl v Enter 123 When the system prompts you to enter the enable password you need not precede the question mark with the Ctrl v you can simply enter abc 123 at the password prompt Returns to privileged EXEC mode end Example Switch config end Step 3 Related Topics Example Setting or Changing a Static Enable Password on page 35 Protecting En...

Page 48: ...ret level level password encryption type encrypted password For password specify a string from 1 to 25 alphanumeric characters The string cannot start with a number is case Example Switch config enable password example102 sensitive and allows spaces but ignores leading spaces By default no password is defined Optional For encryption type only type 5 a Cisco proprietary encryption algorithm is avai...

Page 49: ...tch Before You Begin If you disable password recovery we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values Do not keep a backup copy of the configuration file on the switch If the switch is operating in VTP transparent mode we recommend that you also keep a backup copy of th...

Page 50: ...iguration command Related Topics Password Recovery on page 23 Restrictions for Controlling Switch Access with Passwords and Privileges on page 21 Setting a Telnet Password for a Terminal Line Beginning in user EXEC mode follow these steps to set a Telnet password for the connected terminal line Before You Begin Attach a PC or workstation with emulation software to the switch console port or attach...

Page 51: ...h The 0 and 15 mean that you are configuring all 16 possible Telnet sessions Sets a Telnet password for the line or lines password password Step 4 Example Switch config line password For password specify a string from 1 to 25 alphanumeric characters The string cannot start with a number is case sensitive and allows spaces but ignores leading spaces By default no password is defined abcxyz543 Retur...

Page 52: ...nfig username adamsample Optional For level specify the privilege level the user has after gaining access The range is 0 to 15 Level 15 gives privileged EXEC mode access Level 1 gives user EXEC mode access privilege 1 password secret456 For encryption type enter 0 to specify that an unencrypted password will follow Enter 7 to specify that a hidden password will follow For password specify the pass...

Page 53: ...airs on page 23 Setting the Privilege Level for a Command Beginning in privileged EXEC mode follow these steps to set the privilege level for a command SUMMARY STEPS 1 configure terminal 2 privilege mode level level command 3 enable password level level password 4 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal ...

Page 54: ... to 15 Level 1 is for normal user EXEC mode privileges For password specify a string from 1 to 25 alphanumeric characters The string cannot start with a number is case sensitive and allows spaces but ignores leading spaces By default no password is defined level 14 SecretPswd14 Returns to privileged EXEC mode end Example Switch config end Step 4 Related Topics Privilege Levels on page 24 Example S...

Page 55: ...privilege level you set using the privilege level line configuration command by logging in to the line and enabling a different privilege level They can lower the privilege level by using the disable command If users know the password to a higher privilege level they can use that password to enable the higher privilege level You might specify a high level or privilege level for your console line t...

Page 56: ...level disable level Step 2 Example Switch disable 1 Following the example Level 1 is user EXEC mode For level the range is 0 to 15 Related Topics Privilege Levels on page 24 Monitoring Switch Access Table 5 Commands for Displaying DHCP Information Displays the privilege level configuration show privilege Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 34 OL 29434 ...

Page 57: ... Enable Secret Passwords with Encryption on page 25 Additional Password Security on page 22 Example Setting a Telnet Password for a Terminal Line This example shows how to set the Telnet password to let45me67in89 Switch config line vty 10 Switch config line password let45me67in89 Related Topics Setting a Telnet Password for a Terminal Line on page 28 Terminal Line Telnet Configuration on page 23 E...

Page 58: ...e Privilege Level for a Command on page 31 Privilege Levels on page 24 Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 36 OL 29434 01 Controlling Switch Access with Passwords and Privilege Levels Example Setting the Privilege Level for a Command ...

Page 59: ...and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Prerequisites for Controlling Switch Access with Terminal Access Controller Access Control System Plus TACACS The following are the prerequisites for set up and configuration of switch access with Terminal Access Controller Access Control System Plus TACACS mus...

Page 60: ...define method lists for TACACS authorization and accounting The method list defines the types of authentication to be performed and the sequence in which they are performed it must be applied to a specific port before any of the defined authentication methods are performed The only exception is the default method list which by coincidence is named default The default method list is automatically a...

Page 61: ...see the Cisco IOS Security Command Reference Release 12 4 and the Cisco IOS IPv6 Command Reference Note Related Topics Preventing Unauthorized Access on page 19 Configuring the Switch for Local Authentication and Authorization on page 81 SSH Servers Integrated Clients and Supported Versions on page 87 TACACS Overview TACACS is a security application that provides centralized validation of users at...

Page 62: ... messages to user screens For example a message could notify users that their passwords must be changed because of the company s password aging policy Authorization Provides fine grained control over user capabilities for the duration of the user s session including but not limited to setting autocommands access control session duration or protocol support You can also enforce restrictions on what...

Page 63: ...horization begins at this time REJECT The user is not authenticated The user can be denied access or is prompted to retry the login sequence depending on the TACACS daemon ERROR An error occurred at some time during authentication with the daemon or in the network connection between the daemon and the switch If an ERROR response is received the switch typically tries to use an alternative method f...

Page 64: ...S Login Authentication A method list describes the sequence and authentication methods to be queried to authenticate a user You can designate one or more security protocols to be used for authentication thus ensuring a backup system for authentication in case the initial method fails The software uses the first method listed to authenticate users if that method fails to respond the software select...

Page 65: ...ed Topics Starting TACACS Accounting on page 48 Default TACACS Configuration TACACS and AAA are disabled by default To prevent a lapse in security you cannot configure TACACS through a network management application When enabled TACACS can authenticate users accessing the switch through the CLI Although TACACS configuration is performed through the CLI the TACACS server authenticates HTTP connecti...

Page 66: ...ver Enables AAA aaa new model Example Switch config aaa new model Step 3 Optional Defines the AAA server group with a group name aaa group server tacacs group name Step 4 Example Switch config aaa group server tacacs This command puts the switch in a server group subconfiguration mode your_server_group Optional Associates a particular TACACS server with the defined server group Repeat this step fo...

Page 67: ...ch for HTTP access by using AAA methods Note For more information about the ip http authentication command see the Cisco IOS Security Command Reference Release 12 4 SUMMARY STEPS 1 configure terminal 2 aaa new model 3 aaa authentication login default list name method1 method2 4 line console tty vty line number ending line number 5 login authentication default list name 6 end DETAILED STEPS Purpose...

Page 68: ... TACACS Server Host and Setting the Authentication Key on page 43 line Use the line password for authentication Before you can use this authentication method you must define a line password Use the password password line configuration command local Use the local username database for authentication You must enter username information in the database Use the username password global configuration c...

Page 69: ...ccess to privileged EXEC mode The aaa authorization exec tacacs local command sets these authorization parameters Use TACACS for privileged EXEC access authorization if authentication was performed by using TACACS Use the local database if authentication was not performed by using TACACS Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been con...

Page 70: ...urn user profile information such as autocommand information tacacs Returns to privileged EXEC mode end Example Switch config end Step 4 Related Topics TACACS Authorization for Privileged EXEC Access and Network Services on page 42 Prerequisites for Controlling Switch Access with Terminal Access Controller Access Control System Plus TACACS on page 37 Starting TACACS Accounting Beginning in privile...

Page 71: ...fault condition In some situations users might be prevented from starting a session on the console or terminal connection until after the system reloads which can take more than 3 minutes To establish a console or Telnet session with the router if the AAA server is unreachable when the router reloads use the no aaa accounting system guarantee first command Related Topics TACACS Accounting on page ...

Page 72: ...oads use the no aaa accounting system guarantee first command Monitoring TACACS Table 6 Commands for Displaying TACACS Information Displays TACACS server statistics show tacacs Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 50 OL 29434 01 Configuring TACACS Monitoring TACACS ...

Page 73: ...oftware image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Prerequisites for Controlling Switch Access with RADIUS This section lists the prerequisites for controlling Catalyst switch access with RADIUS General RADIUS and AAA must be enabled to use any of the configuration commands in this chapter RADIUS is facilitated through AA...

Page 74: ...Access on page 53 RADIUS Operation on page 54 Restrictions for Controlling Switch Access with RADIUS This topic covers restrictions for controlling switch access with RADIUS General To prevent a lapse in security you cannot configure RADIUS through a network management application RADIUS is not suitable in the following network security situations Multiprotocol access environments RADIUS does not ...

Page 75: ...ll user authentication and network service access information Use RADIUS in these network environments that require access security Networks with multiple vendor access servers each supporting RADIUS For example access servers from several vendors use a single RADIUS server based security database In an IP based network with multiple vendors access servers dial in users are authenticated through a...

Page 76: ...ccess controlled by a RADIUS server these events occur 1 The user is prompted to enter a username and password 2 The username and encrypted password are sent over the network to the RADIUS server 3 The user receives one of the following responses from the RADIUS server ACCEPT The user is authenticated REJECT The user is either not authenticated and is prompted to re enter the username and password...

Page 77: ...authorization and accounting AAA or policy servers The switch supports these per session CoA requests Session reauthentication Session termination Session termination with port shutdown Session termination with port bounce This feature is integrated with the Cisco Identity Services Engine and the Cisco Secure Access Control Server ACS 5 1 The RADIUS interface is enabled by default on Catalyst swit...

Page 78: ...ETF Attributes Attribute Name Attribute Number State 24 Calling Station ID 31 Acct Session ID 44 Message Authenticator 80 Error Cause 101 This table shows the possible values for the Error Cause attribute Table 8 Error Cause Values Explanation Value Residual Session Context Removed 201 Invalid EAP Packet Ignored 202 Unsupported Attribute 401 Missing Attribute 402 NAS Identification Mismatch 403 In...

Page 79: ...o VSA Acct Session Id IETF attribute 44 Unless all session identification attributes included in the CoA message match the session the switch returns a Disconnect NAK or CoA NAK with the Invalid Attribute Value error code attribute If more than one session identification attribute is included in the message all the attributes must match the session or the switch returns a Disconnect negative ackno...

Page 80: ...ommands Table 9 CoA Commands Supported on the Switch Cisco VSA Command 1 Cisco Avpair subscriber command reauthenticate Reauthenticate host This is a standard disconnect request that does not require a VSA Terminate session Cisco Avpair subscriber command bounce host port Bounce host port Cisco Avpair subscriber command disable host port Disable host port 1 All CoA commands must include the sessio...

Page 81: ...thentication message It checkpoints the need for a re authentication before returning an acknowledgment ACK It initiates reauthentication for the appropriate session If authentication completes with either success or failure the signal that triggered the reauthentication is removed from the stack member If the stack master fails before authentication completes reauthentication is initiated after s...

Page 82: ...he switch disables the hosting port and returns a CoA ACK message If the switch fails before returning a CoA ACK to the client the process is repeated on the new active switch when the request is re sent from the client If the switch fails after returning a CoA ACK message to the client but before the operation has completed the operation is restarted on the new active switch A Disconnect Request ...

Page 83: ...tack master fails before the port bounce completes a port bounce is initiated after stack master change over based on the original command which is subsequently removed If the stack master fails before sending a CoA ACK message the new stack master treats the re sent command as a new command Stacking Guidelines for CoA Request Disable Port Because the disable port command is targeted at a session ...

Page 84: ...e if the first host entry fails to provide accounting services the RADIUS 4 RADIUS_DEAD message appears and then the switch tries the second host entry configured on the same device for accounting services The RADIUS host entries are tried in the order that they are configured A RADIUS server and the switch use a shared secret text string to encrypt passwords and exchange responses To configure RA...

Page 85: ...lists the IP addresses of the selected server hosts Server groups also can include multiple host entries for the same server if each entry has a unique identifier the combination of the IP address and UDP port number allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service If you configure two different host entries on the same RADIUS server for the same...

Page 86: ...s and associated VSAs For more information about vendor IDs and VSAs see RFC 2138 Remote Authentication Dial In User Service RADIUS For a complete list of RADIUS attributes or more information about vendor specific attribute 26 see the RADIUS Attributes appendix in the Cisco IOS Security Configuration Guide Related Topics Configuring the Switch to Use Vendor Specific RADIUS Attributes on page 75 V...

Page 87: ...configuring these settings on all RADIUS servers see Related Topics below SUMMARY STEPS 1 configure terminal 2 radius server host hostname ip address auth port port number acct port port number timeout seconds retransmit retries key string 3 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the IP...

Page 88: ...ognize more than one host entry associated with a single IP address enter this command as many times as necessary making sure that each UDP port number is different The switch software searches for hosts in the order in which you specify them Set the timeout retransmit and encryption key values to use with the specific RADIUS host Returns to privileged EXEC mode end Example Switch config end Step ...

Page 89: ...ally applied to all ports authentication login default For list name specify a character string to name the list you are creating local For method1 specify the actual method the authentication algorithm tries The additional methods of authentication are used only if the previous method returns an error not if it fails Select one of these methods enable Use the enable password for authentication Be...

Page 90: ...st name Step 5 If you specify default use the default list created with the aaa authentication login command Example Switch config login authentication default For list name specify the list created with the aaa authentication login command Returns to privileged EXEC mode end Example Switch config end Step 6 Related Topics RADIUS Login Authentication on page 62 RADIUS Server Host on page 62 Defini...

Page 91: ...1000 This setting overrides the radius server timeout global configuration key rad1 command setting If no timeout is set with the radius server host command the setting of the radius server timeout command is used Optional For retransmit retries specify the number of times a RADIUS request is resent to a server if that server is not responding or responding slowly The range is 1 to 1000 If no retr...

Page 92: ...he group must be previously defined in Step 2 172 20 0 1 auth port 1000 acct port 1001 Returns to privileged EXEC mode end Example Switch config end Step 6 Using Two Different RADIUS Group Servers In this example the switch is configured to recognize two different RADIUS group servers group1 and group2 Group1 has two different host entries on the same RADIUS server configured for the same services...

Page 93: ...STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Configures the switch for user RADIUS authorization for all network related service requests aaa authorization network radius Example Switch config aaa authorization network Step 2 radius Configures the switch for user RADIUS authorization if the user has privileged EXEC...

Page 94: ... by using RADIUS Use the local database if authentication was not performed by using RADIUS Related Topics AAA Authorization on page 63 Starting RADIUS Accounting Beginning in privileged EXEC mode follow these steps to start RADIUS accounting SUMMARY STEPS 1 configure terminal 2 aaa accounting network start stop radius 3 aaa accounting exec start stop radius 4 end DETAILED STEPS Purpose Command or...

Page 95: ...as the first record which is the default condition In some situations users might be prevented from starting a session on the console or terminal connection until after the system reloads which can take more than 3 minutes To establish a console or Telnet session with the router if the AAA server is unreachable when the router reloads use the no aaa accounting system guarantee first command Relate...

Page 96: ...es Example Switch config radius server Step 3 retransmit 5 Specifies the number of seconds a switch waits for a reply to a RADIUS request before resending the request The default is 5 seconds the range is 1 to 1000 radius server timeout seconds Example Switch config radius server timeout Step 4 3 When a RADIUS server is not responding to authentication requests this command specifies a time to sto...

Page 97: ... the set of recognized vendor specific attributes to only accounting attributes Optional Use the authentication keyword to limit the set of recognized vendor specific attributes to only authentication attributes send If you enter this command without keywords both accounting and authentication vendor specific attributes are used Returns to privileged EXEC mode end Example Switch config end Step 3 ...

Page 98: ...erver key string Example Switch config radius server key Step 3 The key is a text string that must match the encryption key used on the RADIUS server Leading spaces are ignored but spaces within and at the end of the key are used If you use spaces in your key do not enclose the key in quotation marks unless the quotation marks are part of the key Note rad124 Returns to privileged EXEC mode end Exa...

Page 99: ... global configuration mode configure terminal Example Switch configure terminal Step 1 Enables AAA aaa new model Example Switch config aaa new model Step 2 Configures the switch as an authentication authorization and accounting AAA server to facilitate interaction with an external policy server aaa server radius dynamic author Example Switch config aaa server radius Step 3 dynamic author Enters dy...

Page 100: ... the ignore command see the Cisco IOS Intelligent Services Gateway Command Reference on Cisco com server key Optional Configures the switch to ignore a CoA request to temporarily disable the port hosting a session The purpose of authentication command bounce port ignore Example Switch config sg radius authentication Step 10 temporarily disabling the port is to trigger a DHCP renegotiation from the...

Page 101: ...information for troubleshooting command headers debug cmdhd detail error events For detailed information about the fields in these displays see the command reference for this release Configuration Examples for Controlling Switch Access with RADIUS Examples Identifying the RADIUS Server Host This example shows how to configure one RADIUS server to be used for authentication and another to be used f...

Page 102: ...This example shows how to apply an input ACL in ASCII format to an interface for the duration of this connection cisco avpair ip inacl 1 deny ip 10 10 10 10 0 0 255 255 20 20 20 20 255 255 0 0 cisco avpair ip inacl 2 deny ip 10 10 10 10 0 0 255 255 any cisco avpair mac inacl 3 deny any any decnet iv This example shows how to apply an output ACL in ASCII format to an interface for the duration of t...

Page 103: ...t required How to Configure Local Authentication and Authorization Configuring the Switch for Local Authentication and Authorization You can configure AAA to operate without a server by setting the switch to implement AAA in local mode The switch then handles authentication and authorization No accounting is available in this configuration To secure the switch for HTTP access by using AAA methods ...

Page 104: ...in default local Example Switch config aaa authentication login Step 3 default local Configures user AAA authorization check the local database and allow the user to run an EXEC shell aaa authorization exec local Example Switch config aaa authorization exec Step 4 local Configures user AAA authorization for all network related service requests aaa authorization network local Example Switch config ...

Page 105: ...ord specify the password the user must enter to gain access to the switch The password must be from 1 to 25 characters can contain embedded spaces and must be the last option specified in the username command Returns to privileged EXEC mode end Example Switch config end Step 7 Related Topics Setting Up the Switch to Run SSH on page 89 SSH Configuration Guidelines on page 87 Monitoring Local Authen...

Page 106: ...Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 84 OL 29434 01 Configuring Local Authentication and Authorization Monitoring Local Authentication and Authorization ...

Page 107: ...latform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required PrerequisitesforConfiguringtheSwitchforSecureShell SSH and Secure Copy Protocol SCP The following are the prerequisites for configuring the switch for secure shell SSH For SSH to work the switch needs an RSA public private key pair This is the s...

Page 108: ...r symmetric cipher AES to encrypt the keys is not supported This software release does not support IP Security IPSec When using SCP you cannot enter the password into the copy command You must enter the password when prompted Related Topics Secure Copy Protocol Concepts on page 88 Information about SSH Secure Shell SSH is a protocol that provides a secure remote connection to a device SSH provides...

Page 109: ...he Switch for Local Authentication and Authorization on page 81 TACACS and Switch Access on page 39 RADIUS and Switch Access on page 53 SSH Configuration Guidelines Follow these guidelines when configuring the switch as an SSH server or SSH client An RSA key pair generated by a SSHv1 server can be used by an SSHv2 server and the reverse If the SSH server is running on a stack master and the stack ...

Page 110: ...assword into the copy command You must enter the password when prompted Note Secure Copy Protocol Concepts The Secure Copy Protocol SCP feature provides a secure and authenticated method for copying switch configurations or switch image files SCP relies on Secure Shell SSH an application and a protocol that provides a secure replacement for the Berkeley r tools To configure the Secure Copy feature...

Page 111: ...e and IP domain name for your switch hostname hostname Step 2 Example Switch config hostname your_hostname Follow this procedure only if you are configuring the switch as an SSH server Note Configures a host domain for your switch ip domain name domain_name Example Switch config ip domain name Step 3 your_domain Enables the SSH server for local and remote authentication on the switch and generates...

Page 112: ...ch for Local Authentication and Authorization on page 81 Configuring the SSH Server Beginning in privileged EXEC mode follow these steps to configure the SSH server This procedure is only required if you are configuring the switch as an SSH server Note SUMMARY STEPS 1 configure terminal 2 ip ssh version 1 2 3 ip ssh timeout seconds authentication retries number 4 Use one or both of the following l...

Page 113: ...out values of the CLI based sessions authentication retries 2 By default up to five simultaneous encrypted SSH connections for multiple CLI based sessions over the network are available session 0 to session 4 After the execution shell starts the CLI based session time out value returns to the default of 10 minutes Specify the number of times that a client can re authenticate to the server The defa...

Page 114: ...tus Purpose Command Shows the version and configuration information for the SSH server show ip ssh Shows the status of the SSH server show ssh For more information about these commands see the Secure Shell Commands section in the Other Security Features chapter of the Cisco IOS Security Command Reference Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 92 OL 29434 ...

Page 115: ...d Information about Secure Sockets Layer SSL HTTP This section describes how to configure Secure Sockets Layer SSL Version 3 0 support for the HTTP 1 1 server and client SSL provides server authentication encryption and message integrity as well as HTTP client authentication to allow secure HTTP communications SSL evolved into Transport Layer Security TLS in 1999 but is still used in this particul...

Page 116: ... certified self signed certificate does not provide adequate security the connecting client generates a notification that the certificate is self certified and the user has the opportunity to accept or reject the connection This option is useful for internal network topologies such as testing If you do not configure a CA trustpoint when you enable a secure HTTP connection either a temporary or a p...

Page 117: ...on a SSL connection When connecting to the HTTPS server the client Web browser offers a list of supported CipherSuites and the client and server negotiate the best encryption algorithm to use from those on the list that are supported by both For example Netscape Communicator 4 76 supports U S security with RSA Public Key Cryptography MD2 MD5 RC2 CBC RC4 DES CBC and DES EDE3 CBC For the best possib...

Page 118: ...on of the secure HTTP server and secure HTTP client uses an implementation of SSL Version 3 0 with application layer encryption HTTP over SSL is abbreviated as HTTPS the URL of a secure connection begins with https instead of http The primary role of the HTTP secure server the switch is to listen for HTTPS requests on a designated port the default HTTPS port is 443 and pass the request to the HTTP...

Page 119: ... certificates hostname hostname Example Switch config hostname your_hostname Step 2 Specifies the IP domain name of the switch required only if you have not previously configured an IP domain name The domain name is required for security keys and certificates ip domain name domain name Example Switch config ip domain name your_domain Step 3 Optional Generates an RSA key pair RSA key pairs are requ...

Page 120: ...igures the switch to request a certificate revocation list CRL to ensure that the certificate of the peer has not been revoked crl query url Example Switch ca trustpoint crl query ldap your_host 49 Step 8 Optional Specifies that the trustpoint should be used as the primary default trustpoint for CA requests primary name Example Switch ca trustpoint primary Step 9 For name specify the trustpoint th...

Page 121: ...server If you have not configured a CA trustpoint a self signed certificate is generated the first time that you enable the secure HTTP server After you have configured the server you can configure options path access list to apply maximum number of connections or timeout policy that apply to both standard and secure HTTP servers To verify the secure HTTP connection by using a Web browser enter ht...

Page 122: ...n the output HTTP secure server capability Present show ip http server status Example Switch show ip http server status Step 1 or HTTP secure server capability Not present Enters global configuration mode configure terminal Example Switch configure terminal Step 2 Enables the HTTPS server if it has been disabled The HTTPS server is enabled by default ip http secure server Example Switch config ip ...

Page 123: ...Example Switch config ip http Step 7 Use of this command assumes you have already configured a CA trustpoint according to the previous procedure Note secure trustpoint your_trustpoint Optional Sets a base HTTP path for HTML files The path specifies the location of the HTTP server files on the local system usually located in system flash memory ip http path path name Example Switch config ip http p...

Page 124: ... Client Beginning in privileged EXEC mode follow these steps to configure a secure HTTP client Before You Begin The standard HTTP client and secure HTTP client are always enabled A certificate authority is required for secure HTTP client certification This procedure assumes that you have previously configured a CA trustpoint on the switch If a CA trustpoint is not configured and the remote HTTPS s...

Page 125: ...c sha Step 3 a reason to specify a particular CipherSuite you should allow the server and client to negotiate a CipherSuite that they both support This is the default Example Switch config ip http client secure ciphersuite rc4 128 md5 Returns to privileged EXEC mode end Example Switch config end Step 4 How to Configure Secure HTTP Servers and Clients These sections contain this configuration infor...

Page 126: ...ned certificate for secure HTTP connections show running config Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 104 OL 29434 01 Configuring Secure Socket Layer HTTP Monitoring Secure HTTP Server and Client Status ...

Page 127: ...otes for your platform and software release Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Prerequisites for Configuring Network Security with ACLs This section lists the prerequisites for configuring network security with Access Control...

Page 128: ...nternet Control Message Protocol ICMP unreachable messages when a packet is denied by an access group on a Layer 3 interface These access group denied packets are not dropped in hardware but are bridged to the switch CPU so that it can generate the ICMP unreachable message They do not generate ICMP unreachable messages ICMP unreachable messages can be disabled on router ACLs with the no ip unreach...

Page 129: ...itch stops testing after the first match the order of conditions in the list is critical If no conditions match the switch rejects the packet If there are no restrictions the switch forwards the packet otherwise the switch drops the packet The switch can use ACLs on all packets it forwards including packets bridged within a VLAN You configure access lists on a router or Layer 3 switch to provide b...

Page 130: ...eceived on ports with a port ACL applied are filtered by the port ACL Other packets are filtered by the VLAN map When an input router ACL and input port ACL exist in a switch virtual interface SVI incoming packets received on ports to which a port ACL is applied are filtered by the port ACL Incoming routed IP packets received on other ports are filtered by the router ACL Other packets are not filt...

Page 131: ...ing port ACLs to control access to a network when all workstations are in the same VLAN ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network but prevent Host B from accessing the same network Port ACLs can only be applied to Layer 2 interfaces in the inbound direction Figure 3 Using ACLs to Control Traffic in a Network When you apply a port ACL to a trunk port...

Page 132: ...interface are examined After packets are routed and before they are forwarded to the next hop all ACLs associated with outbound features configured on the egress interface are examined ACLs permit or deny packet forwarding based on how the packet matches the entries in the ACL and can be used to control access to a network or to part of a network VLAN Maps Use VLAN ACLs or VLAN maps to access cont...

Page 133: ...might have been Deny ACEs that check Layer 4 information never match a fragment unless the fragment contains Layer 4 information Example ACEs and Fragmented and Unfragmented Traffic Consider access list 102 configured with these commands applied to three fragmented packets Switch config access list 102 permit tcp any host 10 1 1 1 eq smtp Switch config access list 102 deny tcp any host 10 1 1 2 eq...

Page 134: ...osts ACLs and Switch Stacks ACL support is the same for a switch stack as for a standalone switch ACL configuration information is propagated to all switches in the stack All switches in the stack including the active switch process the information and program their hardware Active Switch and ACL Functions The active switch performs these ACL functions It processes the ACL configuration and propag...

Page 135: ...h is the same as configuring IPv4 ACLs on other Cisco switches and routers The switch does not support these Cisco IOS router ACL related features Non IP protocol ACLs IP accounting Reflexive ACLs and dynamic ACLs are not supported ACL logging for port ACLs and VLAN maps Access List Numbers The number you use to denote your ACL shows the type of access list that you are creating This lists the acc...

Page 136: ...ification 0 0 0 0 is assumed to be the mask The switch always rewrites the order of standard access lists so that entries with host matches and entries with matches having a don t care mask of 0 0 0 0 are moved to the top of the list above any entries with non zero don t care masks Therefore in show command output and in the configuration file the ACEs do not necessarily appear in the order in whi...

Page 137: ...n a number You can use named ACLs to configure more IPv4 access lists in a router than if you were to use numbered access lists If you identify your access list with a name rather than a number the mode and command syntax are slightly different However not all commands that use IP access lists accept a named access list The name you give to a standard or extended ACL can also be a number in the su...

Page 138: ...ation cannot be implemented in hardware due to an out of resource condition on a switch or stack member then only the traffic in that VLAN arriving on that switch is affected Note For router ACLs other factors can cause packets to be sent to the CPU Using the log keyword Generating ICMP unreachable messages When traffic flows are both logged and forwarded forwarding is done by hardware but logging...

Page 139: ...is no match clause for that type of packet in the VLAN map the default is to forward the packet Logging is not supported for VLAN maps When a switch has an IP access list or MAC access list applied to a Layer 2 interface and you apply a VLAN map to a VLAN that the port belongs to the port ACL takes precedence over the VLAN map If a VLAN map configuration cannot be applied in hardware all packets i...

Page 140: ...t is write the ACL using one of these two forms permit permit permit deny ip any any or deny deny deny permit ip any any To define multiple actions in an ACL permit deny group each action type together to reduce the number of entries Avoid including Layer 4 information in an ACL adding this information complicates the merging process The best merge results are obtained if the ACLs are filtered bas...

Page 141: ...messages ACL entries can be set to log traffic only at certain times of the day Therefore you can simply deny access without needing to analyze many logs generated during peak hours Time based access lists trigger CPU activity because the new configuration of the access list must be merged with other features and the combined configuration loaded into the hardware memory For this reason you should...

Page 142: ...emember this behavior if you use undefined ACLs for network security Related Topics Applying an IPv4 ACL to an Interface on page 130 Restrictions for Configuring Network Security with ACLs on page 105 How to Configure ACLs Configuring IPv4 ACLs These are the steps to use IP ACLs on the switch SUMMARY STEPS 1 Create an ACL by specifying an access list number or name and the access conditions 2 Appl...

Page 143: ... deny your_host The 32 bit quantity in dotted decimal format The keyword any as an abbreviation for source and source wildcard of 0 0 0 0 255 255 255 255 You do not need to enter a source wildcard The keyword host as an abbreviation for source and source wildcard of source 0 0 0 0 Optional The source wildcard applies wildcard bits to the source Optional Enter log to cause an informational logging ...

Page 144: ...tination wildcard igmp type precedence precedence tos tos fragments log log input time range time range name dscp dscp 7 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Defines an extended IPv4 access list and the access conditions access list access list number deny permit protocol source source wildcard...

Page 145: ...f available values If you enter a dscp value you cannot enter tos or precedence You can enter both a tos and a precedence value with no dscp Note Defines an extended TCP access list and the access conditions access list access list number deny permit tcp source source wildcard operator port Step 3 The parameters are the same as those described for an extended IPv4 ACL with these exceptions destina...

Page 146: ...ard icmp type icmp type icmp code icmp message precedence precedence tos tos fragments log icmp type Enter to filter by ICMP message type a number from 0 to 255 log input time range time range name dscp dscp Example Switch config access list 101 permit icmp code Enter to filter ICMP packets that are filtered by the ICMP message code type a number from 0 to 255 icmp message Enter to filter ICMP pac...

Page 147: ...0 0 0 when defining an extended IP ACL use the host keyword in place of the source and destination wildcard or mask Switch configure terminal Switch config access list 101 permit ip host 10 1 1 2 any Switch config end Related Topics Configuring VLAN Maps on page 135 Creating Named Standard ACLs Beginning in privileged EXEC mode follow these steps to create a standard ACL using names SUMMARY STEPS ...

Page 148: ...d of 0 0 0 0 255 255 255 255 Example Switch config std nacl deny 192 168 0 0 0 0 255 255 255 255 0 0 0 0 255 255 or Switch config std nacl permit 10 108 0 0 0 0 0 0 255 255 255 0 0 0 0 0 Returns to privileged EXEC mode end Example Switch config std nacl end Step 4 Creating Extended Named ACLs Beginning in privileged EXEC mode follow these steps to create an extended ACL using names SUMMARY STEPS 1...

Page 149: ...nation wildcard of 0 0 0 0 255 255 255 255 Returns to privileged EXEC mode end Example Switch config ext nacl end Step 4 When you are creating extended ACLs remember that by default the end of the ACL contains an implicit deny statement for everything if it did not find a match before reaching the end For standard ACLs if you omit the mask from an associated IP host address access list specificati...

Page 150: ...uration time range time range name Example Switch config time range workhours Step 2 mode The name cannot contain a space or quotation mark and must begin with a letter Specifies when the function it will be applied to is operational Use one of the following Step 3 absolute start time date end time date You can use only one absolute statement in the time range If you configure more than one absolu...

Page 151: ...ines You cannot apply named ACLs to lines You must set identical restrictions on all the virtual terminal lines because a user can attempt to connect to any of them Beginning in privileged EXEC mode follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL SUMMARY STEPS 1 configure terminal 2 line console vty line number 3 access c...

Page 152: ...outgoing connections between a particular virtual terminal line into a device and the addresses in an access list access class access list number in out Example Switch config line access class 10 in Step 3 Returns to privileged EXEC mode end Example Switch config line end Step 4 Displays the access list configuration show running config Example Switch show running config Step 5 Optional Saves your...

Page 153: ...2 The interface can be a Layer 2 interface port ACL or a Layer 3 interface router ACL Controls access to the specified interface ip access group access list number name in out Step 3 Example Switch config if ip access group 2 in The out keyword is not supported for Layer 2 interfaces port ACLs Returns to privileged EXEC mode end Example Switch config if end Step 4 Displays the access list configur...

Page 154: ...65535 cos cos 4 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Defines an extended MAC access list using a name mac access list extended name Example Switch config mac access list extended Step 2 mac1 In extended MAC access list configuration mode specifies to permit or deny any source MAC address a sour...

Page 155: ...dump msdos mumps netbios vines echo vines ip xns idp A non IP protocol cos cos An IEEE 802 1Q cost of service number from 0 to 7 used to set priority Returns to privileged EXEC mode end Example Switch config ext macl end Step 4 Related Topics Restrictions for Configuring Network Security with ACLs on page 105 Configuring VLAN Maps on page 135 Applying a MAC ACL to a Layer 2 Interface Beginning in ...

Page 156: ...ayer 2 interfaces show mac access group interface interface id Example Switch show mac access group interface Step 5 gigabitethernet1 0 2 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 6 After receiving a packet the switch checks it against the inbound ACL If the ACL permits it the switch continues to ...

Page 157: ...1 When you create VLAN maps with the same name numbers are assigned sequentially in increments of 10 When modifying or deleting maps you can enter the number of the map entry that you want to modify or delete 20 VLAN maps do not use the specific permit or deny keywords To deny a packet by using VLAN maps create an ACL that would match the packet and set the action to drop A permit in the ACL count...

Page 158: ...drop Applies the VLAN map to one or more VLAN IDs vlan filter mapname vlan list list Step 4 Example Switch config vlan filter map 1 The list can be a single VLAN ID 22 a consecutive list 10 22 or a string of VLAN IDs 12 22 30 Spaces around the comma and hyphen are optional vlan list 20 22 Related Topics Creating a Numbered Standard ACL on page 120 Creating a Numbered Extended ACL on page 122 Creat...

Page 159: ...ermit or deny keywords To deny a packet by using VLAN maps create an ACL that would match the packet and set the action to drop A permit in the ACL counts as a match A deny in the ACL means no match Entering this command changes to access map configuration mode Match the packet using either the IP or MAC address against one or more standard or extended access lists Note that packets are only match...

Page 160: ... Switch copy running config Step 7 startup config Related Topics Configuring VLAN Maps on page 135 Applying a VLAN Map to a VLAN Beginning in privileged EXEC mode follow these steps to apply a VLAN map to one or more VLANs SUMMARY STEPS 1 configure terminal 2 vlan filter mapname vlan list list 3 end 4 show running config 5 copy running config startup config Catalyst 2960 XR Switch Security Configu...

Page 161: ...ur entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 5 Related Topics Configuring VLAN Maps on page 135 Monitoring IPv4 ACLs You can monitor IPv4 ACLs by displaying the ACLs that are configured on the switch and displaying the ACLs that have been applied to interfaces and VLANs When you use the ip access group interface conf...

Page 162: ... or the specified Layer 2 interface show mac access group interface interface id You can also monitor VLAN maps by displaying information about VLAN access maps or VLAN filters Use the privileged EXEC commands in this table to display VLAN map information Table 16 Commands for Displaying VLAN Map Information Displays information about all VLAN access maps or the specified access map show vlan acce...

Page 163: ...de comments remarks about entries in any IP standard or extended ACL The remarks make the ACL easier for you to understand and scan Each remark line is limited to 100 characters The remark can go before or after a permit or deny statement You should be consistent about where you put the remark so that it is clear which remark describes which permit or deny statement For example it would be confusi...

Page 164: ...d office environment with routed Port 2 connected to Server A containing benefits and other information that all employees can access and routed Port 1 connected to Server B containing confidential payroll data All users can access Server A but Server B has restricted access Figure 5 Using Router ACLs to Control Traffic Use router ACLs to do this in one of two ways Create a standard ACL and filter...

Page 165: ...6 in Example Numbered ACLs In this example network 36 0 0 0 is a Class A network whose second octet specifies a subnet that is its subnet mask is 255 255 0 0 The third and fourth octets of a network 36 0 0 0 address specify a particular host Using access list 2 the switch accepts one address on subnet 48 and reject all others on that subnet The last line of the list shows that the switch accepts a...

Page 166: ...ch config access list 102 permit tcp any 128 88 0 0 0 0 255 255 established Switch config access list 102 permit tcp any host 128 88 1 2 eq 25 Switch config interface gigabitethernet1 0 1 Switch config if ip access group 102 in Examples Named ACLs This example creates a standard ACL named internet_filter and an extended ACL named marketing_group The internet_filter ACL allows all traffic from the ...

Page 167: ... config access list 1 deny 171 69 3 13 In this example of a numbered ACL the Winter and Smith workstations are not allowed to browse the web Switch config access list 100 remark Do not allow Winter to browse the web Switch config access list 100 deny host 171 69 3 85 any eq www Switch config access list 100 remark Do not allow Smith to browse the web Switch config access list 100 deny host 171 69 ...

Page 168: ...config ip access list extended ext1 Switch config ext nacl permit icmp any 10 1 1 0 0 0 0 255 log Switch config ext nacl deny udp any any log Switch config std nacl exit Switch config interface gigabitethernet1 0 2 Switch config if ip access group ext1 in This is a an example of a log for an extended ACL 01 24 23 SEC 6 IPACCESSLOGDP list ext1 permitted icmp 10 1 1 15 10 1 1 61 0 0 1 packet 01 25 1...

Page 169: ...dropped Switch config ip access list extended ip2 Switch config ext nacl permit udp any any Switch config ext nacl exit Switch config vlan access map map_1 20 Switch config access map match ip address ip2 Switch config access map action forward Example Default Action of Dropping IP Packets and Forwarding MAC Packets In this example the VLAN map has a default action of drop for IP packets and a def...

Page 170: ...witch config ext macl permit any any vines ip Switch config ext nacl exit Switch config vlan access map drop mac default 10 Switch config access map match mac address good hosts Switch config access map action forward Switch config access map exit Switch config vlan access map drop mac default 20 Switch config access map match mac address good protocols Switch config access map action forward Exam...

Page 171: ...IP address 10 1 1 32 to Host Y IP address 10 1 1 34 at Switch A and not bridge it to Switch B First define the IP access list http that permits matches any TCP traffic on the HTTP port Switch config ip access list extended http Switch config ext nacl permit tcp host 10 1 1 32 host 10 1 1 34 eq www Switch config ext nacl exit Next create VLAN access map map2 so that traffic that matches the http ac...

Page 172: ...to hosts in subnet 10 1 2 0 8 host 10 1 1 4 and host 10 1 1 8 and permits other IP traffic The final step is to apply the map SERVER1 to VLAN 10 Define the IP ACL that will match the correct packets Switch config ip access list extended SERVER1_ACL Switch config ext nacl permit ip 10 1 2 0 0 0 0 255 host 10 1 1 100 Switch config ext nacl permit ip host 10 1 1 4 host 10 1 1 100 Switch config ext na...

Page 173: ...ible that the packet might be dropped rather than forwarded Example ACLs and Switched Packets This example shows how an ACL is applied on packets that are switched within a VLAN Packets switched within the VLAN without being routed or forwarded by fallback bridging are only subject to the VLAN map of the input VLAN Figure 8 Applying ACLs on Switched Packets Example ACLs and Bridged Packets This ex...

Page 174: ... applied in this order 1 VLAN map for input VLAN 2 Input router ACL 3 Output router ACL 4 VLAN map for output VLAN Figure 10 Applying ACLs on Routed Packets Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 152 OL 29434 01 Configuring IPv4 ACLs Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs ...

Page 175: ...tput VLAN in which case a different router output ACL and VLAN map would apply for each destination VLAN The final result is that the packet might be permitted in some of the output VLANs and not in others A copy of the packet is forwarded to those destinations where it is permitted However if the input VLAN map drops the packet no destination receives a copy of the packet Figure 11 Applying ACLs ...

Page 176: ...Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 154 OL 29434 01 Configuring IPv4 ACLs Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs ...

Page 177: ...nt on Cisco com is not required Information about IPv6 ACLs You can filter IP Version 6 IPv6 traffic by creating IPv6 access control lists ACLs and applying them to interfaces similarly to the way that you create and apply IP Version 4 IPv4 named ACLs You can also create and apply input router ACLs to filter Layer 3 management traffic when the switch is running the IP base and LAN base feature set...

Page 178: ...both IPv4 and IPv6 ACLs to the same interface Each ACL must have a unique name an error message appears if you try to use a name that is already configured You use different commands to create IPv4 and IPv6 ACLs and to attach IPv4 or IPv6 ACLs to the same Layer 2 or Layer 3 interface If you use the wrong command to attach an ACL for example an IPv4 command to attach an IPv6 ACL you receive an erro...

Page 179: ... ACLs The switch supports IPv6 address matching for a full range of prefix lengths Default Configuration for IPv6 ACLs The default IPv6 ACL configuration is as follows Switch show access lists preauth_ipv6_acl IPv6 access list preauth_ipv6_acl per user permit udp any any eq domain sequence 10 permit tcp any any eq domain sequence 20 permit icmp any any nd ns sequence 30 permit icmp any any nd na s...

Page 180: ... operator port number destination ipv6 prefix prefix length any host destination ipv6 address operator port number icmp type icmp code icmp message dscp value log log input routing sequence value time range name 7 end 8 show ipv6 access list 9 copy running config startup config DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure...

Page 181: ...ptional Enter dscp value to match a differentiated services code point value against the traffic class value in the Traffic Class field of each IPv6 packet header The acceptable range is from 0 to 63 Optional Enter fragments to check noninitial fragments This keyword is visible only if the protocol is ipv6 Optional Enter log to cause an logging message to be sent to the console about the packet th...

Page 182: ...ame Optional Define an ICMP access list and the access conditions deny permit icmp source ipv6 prefix prefix length any host Step 6 Enter icmp for Internet Control Message Protocol The ICMP parameters are the same as those described for most IP protocols in Step 1 with the source ipv6 address operator port number destination ipv6 prefix prefix length any addition of the ICMP message type and code ...

Page 183: ...cl deny 0 lt 5000 0 log Switch config ipv6 acl permit icmp any any Switch config ipv6 acl permit any any What to Do Next Attach the IPv6 ACL to an Interface How to Attach an IPv6 ACL to an Interface You can apply an ACL to outbound or inbound traffic on Layer 3 interfaces or to inbound traffic on Layer 2 interfaces You can also apply ACLs only to inbound management traffic on Layer 3 interfaces Be...

Page 184: ... to apply the access list Cisco to outbound traffic on a Layer 3 interface Switch config interface gigabitethernet 1 0 3 Switch config if no switchport Switch config if ipv6 address 2001 64 eui 64 Switch config if ipv6 traffic filter CISCO out Monitoring IPv6 ACLs You can display information about all configured access lists all IPv6 access lists or a specific access list by using one or more of t...

Page 185: ...list IPv6 access list inbound permit tcp any any eq bgp 8 matches sequence 10 permit tcp any any eq telnet 15 matches sequence 20 permit udp any any sequence 30 IPv6 access list outbound deny udp any any sequence 10 deny tcp any any eq telnet sequence 20 Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 OL 29434 01 163 Configuring IPv6 ACLs Monitoring IPv6 ACLs ...

Page 186: ...Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 164 OL 29434 01 Configuring IPv6 ACLs Monitoring IPv6 ACLs ...

Page 187: ...ired Information About DHCP DHCP Server The DHCP server assigns IP addresses from specified address pools on a switch or router to DHCP clients and manages them If the DHCP server cannot give the DHCP client the requested configuration parameters from its database it forwards the request to one or more secondary DHCP servers defined by the network administrator The switch can act as a DHCP server ...

Page 188: ...figure as trusted is one connected to a port on a device in the same network An example of an untrusted interface is one that is connected to an untrusted interface in the network or to an interface on a device that is not in the network When a switch receives a packet on an untrusted interface and the interface belongs to a VLAN in which DHCP snooping is enabled the switch compares the source MAC...

Page 189: ...net access environments DHCP can centrally manage the IP address assignments for a large number of subscribers When the DHCP option 82 feature is enabled on the switch a subscriber device is identified by the switch port through which it connects to the network in addition to its MAC address Multiple hosts on the subscriber LAN can be connected to the same port on the access switch and are uniquel...

Page 190: ...it originally inserted the option 82 data by inspecting the remote ID and possibly the circuit ID fields The switch removes the option 82 field and forwards the packet to the switch port that connects to the DHCP client that sent the DHCP request In the default suboption configuration when the described sequence of events occurs the values in these fields do not change see the illustration Subopti...

Page 191: ... ip dhcp snooping information option format remote id global configuration command and theip dhcp snooping vlan information option format type circuit id string interface configuration command are entered The values for these fields in the packets change from the default values when you configure the remote ID and circuit ID suboptions Circuit ID suboption fields The circuit ID type is 1 The lengt...

Page 192: ... chapter of the Cisco IOS IP Configuration Guide Release 12 4 DHCP Snooping Binding Database When DHCP snooping is enabled the switch uses the DHCP snooping binding database to store information about untrusted interfaces The database can have up to 64 000 bindings Each database entry binding has an IP address an associated MAC address the lease time in hexadecimal format the interface to which th...

Page 193: ...iated with a previous file update This is an example of a binding file 2bb4c2a1 TYPE DHCP SNOOPING VERSION 1 BEGIN 192 1 168 1 3 0003 47d8 c91f 2BB6488E Gi1 0 4 21ae5fbb 192 1 168 3 3 0003 44d6 c52f 2BB648EB Gi1 0 4 1bdb223f 192 1 168 2 3 0003 47d9 c8f1 2BB648AB Gi1 0 4 584a38f0 END When the switch starts and the calculated checksum value equals the stored checksum value the switch reads entries f...

Page 194: ... agent None configured DHCP packet forwarding address Enabled invalid messages are dropped Checking the relay agent information Replace the existing relay agent information DHCP relay agent forwarding policy Disabled DHCP snooping enabled globally Enabled DHCP snooping information option Disabled DHCP snooping option to accept packets on untrusted input interfaces4 None configured DHCP snooping li...

Page 195: ...cs privileged EXEC command Configuring the DHCP Server The switch can act as a DHCP server For procedures to configure the switch as a DHCP server see the Configuring DHCP section of the IP addressing and Services section of the Cisco IOS IP Configuration Guide Release 12 4 DHCP Server and Switch Stacks The DHCP binding database is managed on the stack master When a new stack master is assigned th...

Page 196: ...ay agent forwarding policy Specifying the Packet Forwarding Address If the DHCP server and the DHCP clients are on different networks or subnets you must configure the switch with the ip helper address address interface configuration command The general rule is to configure the command on the Layer 3 interface closest to the client The address used in the ip helper address command can be a specifi...

Page 197: ...s and an IP subnet ip address ip address subnet mask Example Switch config if ip address 192 108 1 27 255 255 255 0 Step 3 Specifies the DHCP packet forwarding address ip helper address address Step 4 Example Switch config if ip helper address 172 16 1 2 The helper address can be a specific DHCP server address or it can be the network address if other DHCP servers are on the destination network se...

Page 198: ...dresses that the DHCP server can assign or exclude or you must configure DHCP options for these devices For DHCP snooping to function properly all DHCP servers must be connected to the switch through trusted interfaces Before configuring the DHCP relay agent on your switch make sure to configure the device that is acting as the DHCP server You must specify the IP addresses that the DHCP server can...

Page 199: ...estination on the DHCP snooping binding database to use the switch for DHCP snooping For DHCP snooping to function properly all DHCP servers must be connected to the switch through trusted interfaces In a service provider network a trusted interface is connected to a port on a device in the same network You must globally enable DHCP snooping on the switch Before globally enabling DHCP snooping on ...

Page 200: ...on a VLAN or range of VLANs The range is 1 to 4094 ip dhcp snooping vlan vlan range Example Switch config ip dhcp snooping vlan 10 Step 3 You can enter a single VLAN ID identified by VLAN ID number a series of VLAN IDs separated by commas a range of VLAN IDs separated by hyphens or a range of VLAN IDs separated by entering the starting and ending VLAN IDs separated by a space Enables the switch to...

Page 201: ...rt identifier using a VLAN ID in the range of 1 to 4094 The default circuit ID is the port identifier in the format vlan mod port Example Switch config if ip dhcp snooping vlan You can configure the circuit ID to be a string of 3 to 63 ASCII characters no spaces 1 information option format type curcuit id override string ovrride2 Optional Use the override keyword when you do not want the circuit I...

Page 202: ...DHCP Configuration Task List section in the Configuring DHCP chapter of the Cisco IOS IP Configuration Guide Release 12 4 Monitoring DHCP Snooping Information Table 18 Commands for Displaying DHCP Information Displays the DHCP snooping configuration for a switch show ip dhcp snooping Displays only the dynamically configured bindings in the DHCP snooping binding database also referred to as a bindi...

Page 203: ...t even as the client identifier or client hardware address changes in the DHCP messages received on that port The DHCP protocol recognizes DHCP clients by the client identifier option in the DHCP packet Clients that do not include the client identifier option are identified by the client hardware address When you configure this feature the port name of the interface overrides the client identifier...

Page 204: ...e flash number filename ftp user password host filename Step 2 http username password hostname flash number filename host ip directory image name tar rcp user host filename tftp host filename Optional Use the number parameter to specify the stack member number of the stack master The range for number is 1 to 9 Example Switch config ip dhcp snooping database tftp 10 90 90 90 snooping rp2 ftp user p...

Page 205: ...er this command for each entry that you add Use this command when you are testing or debugging the switch 0001 1234 1234 vlan 1 172 20 50 5 interface gi1 1 expiry 1000 Enabling DHCP Server Port Based Address Allocation Beginning in privileged EXEC mode follow these steps to globally enable port based address allocation and to automatically generate a subscriber identifier on an interface SUMMARY S...

Page 206: ...face gigabitethernet1 0 1 Step 4 Configures the DHCP server to use the subscriber identifier as the client identifier on all incoming DHCP messages on the interface ip dhcp server use subscriber id client id Example Switch config if ip dhcp server use subscriber id client id Step 5 Returns to privileged EXEC mode end Example Switch config end Step 6 Monitoring DHCP Server Port Based Address Alloca...

Page 207: ...on about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About IP Source Guard IP Source Guard You can use IP source guard to prevent traffic attacks if a host tries to use the IP address of its neighbor and you can enable IP source guard when DHCP snooping is enabled on an untru...

Page 208: ...e in the IP DHCP snooping table the same entry is learned by the IP device tracking table In a stacked environment when the master failover occurs the IP source guard entries for static hosts attached to member ports are retained When you enter the show ip device tracking all EXEC command the IP device tracking table displays the entries as ACTIVE Some IP hosts with multiple network interfaces can...

Page 209: ...e when 802 1x port based authentication is enabled When you configure IP source guard smart logging packets with a source address other than the specified address or an address learned by DHCP are denied and the packet contents are sent to a NetFlow collector If you configure this feature make sure that smart logging is globally enabled In a switch stack if IP source guard is configured on a stack...

Page 210: ... 1 Step 2 Enables IP source guard with source IP address filtering ip verify source mac check Step 3 Example Switch config if ip verify source Optional mac check Enables IP Source Guard with source IP address and MAC address filtering Returns to global configuration mode exit Example Switch config if exit Step 4 Adds a static IP source binding ip source binding mac address vlan vlan id ip address ...

Page 211: ...c Hosts on a Layer 2 Access Port You must configure the ip device tracking maximum limit number interface configuration command globally for IPSG for static hosts to work If you only configure this command on a port without enabling IP device tracking globally or by setting an IP device tracking maximum on that interface IPSG with static hosts rejects all the IP traffic from that interface SUMMARY...

Page 212: ...ing ip verify source tracking mac check Step 6 Example Switch config if ip verify source tracking mac check Optional tracking Enables IP source guard for static hosts Optional mac check Enables MAC address filtering The command ip verify source tracking mac checkenables IP source guard for static hosts with MAC address filtering Establishes a maximum limit for the number of static IPs that the IP ...

Page 213: ...ify source tracking Switch config if end Switch show ip verify source Interface Filter type Filter mode IP address Mac address Vlan Gi1 0 3 ip trk active 40 1 1 24 10 Gi1 0 3 ip trk active 40 1 1 20 10 Gi1 0 3 ip trk active 40 1 1 21 10 This example shows how to enable IPSG for static hosts with IP MAC filters on a Layer 2 access port to verify the valid IP MAC bindings on the interface Gi1 0 3 an...

Page 214: ...net1 0 1 INACTIVE 200 1 1 6 0001 0600 0000 8 GigabitEthernet1 0 1 INACTIVE 200 1 1 7 0001 0600 0000 8 GigabitEthernet1 0 1 INACTIVE This example displays all active IP or MAC binding entries for all interfaces Switch show ip device tracking all active IP Device Tracking for wireless clients Enabled Global IP Device Tracking for wired clients Enabled Global IP Device Tracking Probe Count 3 Global I...

Page 215: ...rface Maximum Limit Number of Entries Gi1 0 3 5 Monitoring IP Source Guard Table 20 Privileged EXEC show Commands Purpose Command Displays the IP source guard configuration on the switch or on a specific interface show ip verify source interface interface id Displays information about the entries in the IP device tracking table show ip device tracking all interface interface id ip ip address mac i...

Page 216: ...Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 194 OL 29434 01 Configuring IP Source Guard Monitoring IP Source Guard ...

Page 217: ...fying the DAI Configuration page 211 Finding Feature Information Your software release may not support all the features documented in this module For the latest feature information and caveats see the release notes for your platform and software release Use Cisco Feature Navigator to find information about platform support and Cisco software image support To access Cisco Feature Navigator go to ht...

Page 218: ...lue For example if you set the rate limit to 30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2 each port can receive packets at 29 pps without causing the EtherChannel to become error disabled The operating rate for the port channel is cumulative across all the physical ports within the channel For example if you configure the port channel with an ARP rate limit of 4...

Page 219: ...cause ARP allows a gratuitous reply from a host even if an ARP request was not received an ARP spoofing attack and the poisoning of ARP caches can occur After the attack all traffic from the device under attack flows through the attacker s computer and then to the router switch or host A malicious user can attack hosts switches and routers connected to your Layer 2 network by poisoning the ARP cac...

Page 220: ...ts ACLs for hosts with statically configured IP addresses You define an ARP ACL by using the arp access list acl name global configuration command You can configure dynamic ARP inspection to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header Use the ip arp inspection ...

Page 221: ... packets from nondynamic ARP inspection switches configure the switch running dynamic ARP inspection with ARP ACLs When you cannot determine such bindings at Layer 3 isolate switches running dynamic ARP inspection from switches not running dynamic ARP inspection switches Depending on the setup of the DHCP server and the network it might not be possible to validate a given ARP packet on all switche...

Page 222: ... the message is generated the switch clears the entry from the log buffer Each log entry contains flow information such as the receiving VLAN the port number the source and destination IP addresses and the source and destination MAC addresses You use the ip arp inspection log buffer global configuration command to configure the number of entries in the buffer and the number of entries needed in th...

Page 223: ...ing is disabled or in non DHCP environments use ARP ACLs to permit or to deny packets Dynamic ARP inspection is supported on access ports trunk ports EtherChannel ports and private VLAN ports Do not enable Dynamic ARP inspection on RSPAN VLANs If Dynamic ARP inspection is enabled on RSPAN VLANs Dynamic ARP inspection packets might not reach the RSPAN destination port Note A physical port can join ...

Page 224: ...her than the physical ports configuration The rate limit configuration on a port channel is independent of the configuration on its physical ports If the EtherChannel receives more ARP packets than the configured rate the channel including all physical ports is placed in the error disabled state Make sure to limit the rate of ARP packets on incoming trunk ports Configure trunk ports with higher ra...

Page 225: ...LED STEPS Purpose Command or Action Enter global configuration mode Configureterminal Step 1 Define an ARP ACL and enter ARP access list configuration mode By default no ARP access lists are defined arp access list acl name Step 2 At the end of the ARP access list there is an implicitdeny ip any mac any command Note Permit ARP packets from the specified host Host 2 permit ip host sender ip mac hos...

Page 226: ... inspection trust Step 7 By default all interfaces are untrusted For untrusted interfaces the switch intercepts all ARP requests and responses It verifies that the intercepted packets have valid IP to MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination The switch drops invalid packets and logs them in the log buffer according to the ...

Page 227: ...the bindings for Host 1 and Host 2 and Switch B has the binding for Host 2 Dynamic ARP inspection depends on the entries in the DHCP snooping binding database to verify IP to MAC address bindings in incoming ARP requests and ARP responses Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses Note Beginning in privileged EXEC mode follow these steps to ...

Page 228: ...wards the packets For untrusted interfaces the switch intercepts all ARP requests and responses It verifies that the intercepted packets have valid IP to MAC address bindings before updating the local cache and before forwarding the packet to the appropriate destination The switch drops invalid packets and logs them in the log buffer according to the logging configuration specified with the ip arp...

Page 229: ...sabled recovery so that ports automatically emerge from this state after a specified timeout period Unless you configure a rate limit on an interface changing the trust state of the interface also changes its rate limit to the default value for that trust state After you configure the rate limit the interface retains the rate limit even when its trust state is changed If you enter the no ip arp in...

Page 230: ...gs For rate pps specify an upper limit for the number of incoming packets processed per second The range is 0 to 2048 pps Optional For burst interval seconds specify the consecutive interval in seconds over which the interface is monitored for a high rate of ARP packets The range is 1 to 15 For rate none specify no upper limit for the rate of incoming ARP packets that can be processed Return to gl...

Page 231: ...S 1 configure terminal 2 ip arp inspection validate src mac dst mac ip 3 exit 4 show ip arp inspection vlan vlan range 5 copy running config startup config DETAILED STEPS Purpose Command or Action Enter global configuration mode configure terminal Step 1 Perform a specific check on incoming ARP packets By default no checks are performed ip arp inspection validate src mac dst mac ip Step 2 The keyw...

Page 232: ...stics clear ip arp inspection statistics Displays statistics for forwarded dropped MAC validation failure IP validation failure ACL permitted and denied and DHCP permitted and denied packets for the specified VLAN If no VLANs are specified or if a range is specified displays information only for VLANs with dynamic ARP inspection enabled active show ip arp inspection statistics vlan vlan range Clea...

Page 233: ...interfaces show ip arp inspection interfaces interface id Displays the configuration and the operating state of dynamic ARP inspection for the specified VLAN If no VLANs are specified or if a range is specified displays information only for VLANs with dynamic ARP inspection enabled active show ip arp inspection vlan vlan range Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release ...

Page 234: ...Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 212 OL 29434 01 Configuring Dynamic ARP Inspection Verifying the DAI Configuration ...

Page 235: ...on about platform support and Cisco software image support To access Cisco Feature Navigator go to http www cisco com go cfn An account on Cisco com is not required Information About 802 1x Port Based Authentication The 802 1x standard defines a client server based access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible por...

Page 236: ...d and the authorization fails the switch assigns the client to a guest VLAN that provides limited services if a guest VLAN is configured If the switch gets an invalid identity from an 802 1x capable client and a restricted VLAN is specified the switch can assign the client to a restricted VLAN that provides limited services If the RADIUS authentication server is unavailable down and inaccessible a...

Page 237: ... Attribute 27 specifies the time after which re authentication occurs The Termination Action RADIUS attribute Attribute 29 specifies the action to take during re authentication The actions are Initialize and ReAuthenticate When the Initialize action is set the attribute value is DEFAULT the 802 1x session ends and connectivity is lost during re authentication When the ReAuthenticate action is set ...

Page 238: ...s not receive an EAP request identity frame after three attempts to start authentication the client sends frames as if the port is in the authorized state A port in the authorized state effectively means that the client has been successfully authenticated Note When the client supplies its identity the switch begins its role as the intermediary passing EAP frames between the client and the authenti...

Page 239: ... bypass process and starts 802 1x authentication This figure shows the message exchange during MAC authentication bypass Figure 19 Message Exchange During MAC Authentication Bypass Authentication Manager for Port Based Authentication In Cisco IOS Release 12 2 46 SE and earlier you could not use the same authorization methods including CLI commands and messages on this switch and also on other netw...

Page 240: ...uthentication bypass Proxy ACL Filter Id attribute downloadable ACL Standalone web authentication Filter Id attribute Downloadable ACL Redirect URL Filter Id attribute Downloadable ACL Redirect URL Filter Id attribute Downloadable ACL Redirect URL Filter Id attribute Downloadable ACL Redirect URL NAC Layer 2 IP validation Proxy ACL Filter Id attribute Downloadable ACL Proxy ACL Filter Id attribute...

Page 241: ...uthentication on an interface However the dot1x system authentication control global configuration command only globally enables or disables 802 1x authentication If 802 1x authentication is globally disabled other authentication methods are still enabled on that port such as web authentication Note The authentication manager commands provide the same functionality as earlier 802 1x commands Begin...

Page 242: ...on host mode multi auth multi domain multi host single host Provides the flexibility to define the order of authentication methods to be used mab authentication order Enable periodic re authentication of the client dot1x reauthentication authentication periodic Enable manual control of the authorization state of the port dot1x port control auto force authorized force unauthorized authentication po...

Page 243: ...cation of the client This is the default setting force unauthorized causes the port to remain in the unauthorized state ignoring all attempts by the client to authenticate The switch cannot provide authentication services to the client through the port auto enables 802 1x authentication and causes the port to begin in the unauthorized state allowing only EAPOL frames to be sent and received throug...

Page 244: ...ng on the boot up time and whether the connectivity to the RADIUS server is re established by the time the authentication is attempted To avoid loss of connectivity to the RADIUS server you should ensure that there is a redundant connection to it For example you can have a redundant connection to the stack master and another to a stack member and if the stack master fails the switch stack still ha...

Page 245: ... in multi auth mode under these conditions Only one voice VLAN assignment is supported on a multi auth port The behavior of the critical auth VLAN is not changed for multi auth mode When a host tries to authenticate and the server is not reachable all authorized hosts are reinitialized in the configured VLAN MAC Move When a MAC address is authenticated on one switch port that address is not allowe...

Page 246: ...figure the authentication violation interface configuration command with the replace keyword the authentication process on a port in multi domain mode is A new MAC address is received on a port with an existing authenticated MAC address The authentication manager replaces the MAC address of the current data host on the port with the new MAC address The authentication manager initiates the authenti...

Page 247: ...dius accounting privileged EXEC command For more information about this command see the Cisco IOS Debug Command Reference Release 12 4 This table lists the AV pairs and when they are sent are sent by the switch Table 24 Accounting AV Pairs STOP INTERIM START AV Pair Name Attribute Number Always Always Always User Name Attribute 1 Always Always Always NAS IP Address Attribute 4 Always Always Always...

Page 248: ... The readiness check is typically used before 802 1x is enabled on the switch If you use the dot1x test eapol capable privileged EXEC command without specifying an interface all the ports on the switch stack are tested When you configure the dot1x test eapol capable command on an 802 1x enabled port and the link comes up the port queries the connected client about its 802 1x capability When the cl...

Page 249: ... RADIUS server is not valid authorization fails and configured VLAN remains in use This prevents ports from appearing unexpectedly in an inappropriate VLAN because of a configuration error Configuration errors could include specifying a VLAN for a routed port a malformed VLAN ID a nonexistent or internal routed port VLAN ID an RSPAN VLAN a shut down or suspended VLAN In the case of a multidomain h...

Page 250: ...es the ACL attributes based on the user identity and sends them to the switch The switch applies the attributes to the 802 1x port for the duration of the user session The switch removes the per user ACL configuration when the session is over if authentication fails or if a link down condition occurs The switch does not save RADIUS specified ACLs in the running configuration When the port is unaut...

Page 251: ... the RADIUS server Enable 802 1x authentication Configure the user profile and VSAs on the RADIUS server Configure the 802 1x port for single host mode Per user ACLs are supported only in single host mode Note 802 1x Authentication with Downloadable ACLs and Redirect URLs You can download ACLs and redirect URLs from a RADIUS server to the switch during 802 1x authentication or MAC authentication b...

Page 252: ...s are enforced with IP address insertion to prevent security breaches Web authentication is subject to the auth default ACL OPEN To control access for hosts with no authorization policy you can configure a directive The supported values for the directive are open and default When you configure the open directive all traffic is allowed The default directive subjects traffic to the access provided b...

Page 253: ... client switch port must also be configured Cisco Secure ACS and Attribute Value Pairs for Downloadable ACLs You can set the CiscoSecure Defined ACL Attribute Value AV pair on the Cisco Secure ACS with the RADIUS cisco av pair vendor specific attributes VSAs This pair specifies the names of the downloadable ACLs on the Cisco Secure ACS with the ACL IP name number attribute The name is the ACL name...

Page 254: ...story If an EAPOL packet is detected on the interface during the lifetime of the link the switch determines that the device connected to that interface is an IEEE 802 1x capable supplicant and the interface does not change to the guest VLAN state EAPOL history is cleared if the interface link status goes down If no EAPOL packet is detected on the interface the interface changes to the guest VLAN s...

Page 255: ...nd cannot access another VLAN because they fail the authentication process A restricted VLAN allows users without valid credentials in an authentication server typically visitors to an enterprise to access a limited set of services The administrator can control the services available to the restricted VLAN You can configure a VLAN to be both the guest VLAN and the restricted VLAN if you want to pr...

Page 256: ...igured RADIUS server If a server is available the switch can authenticate the host However if all the RADIUS servers are unavailable the switch grants network access to the host and puts the port in the critical authentication state which is a special case of the authentication state Inaccessible Authentication Bypass Support on Multiple Authentication Ports When a port is configured on any host m...

Page 257: ...o a critical port and was previously assigned to a guest VLAN the switch keeps the port in the guest VLAN Restricted VLAN If the port is already authorized in a restricted VLAN and the RADIUS servers are unavailable the switch puts the critical port in the critical authentication state in the restricted VLAN 802 1x accounting Accounting is not affected if the RADIUS servers are unavailable Voice V...

Page 258: ...es or VLAN groups Note 802 1x User Distribution Configuration Guidelines Confirm that at least one VLAN is mapped to the VLAN group You can map more than one VLAN to a VLAN group You can modify the VLAN group by adding or deleting a VLAN When you clear an existing VLAN from the VLAN group name none of the authenticated ports in the VLAN are cleared but the mappings are removed from the existing VL...

Page 259: ... on which a voice VLAN is configured and to which a Cisco IP Phone is connected the Cisco IP phone loses connectivity to the switch for up to 30 seconds Note IEEE 802 1x Authentication with Port Security In general Cisco does not recommend enabling port security when IEEE 802 1x is enabled Since IEEE 802 1x enforces a single MAC address per port or per VLAN when MDA is configured for IP telephony ...

Page 260: ...oes not unauthorize the client connected to the port When re authentication occurs the switch uses the authentication or re authentication methods configured on the port if the previous session ended because the Termination Action RADIUS attribute value is DEFAULT Clients that were authorized with MAC authentication bypass can be re authenticated The re authentication process is the same as that f...

Page 261: ... switch tries to re authenticate the client by using the Termination Action RADIUS attribute Attribute 29 If the value is the DEFAULT or is not set the session ends If the value is RADIUS Request the re authentication process starts View the NAC posture token which shows the posture of the client by using the show authentication privileged EXEC command Configure secondary private VLANs as guest VL...

Page 262: ...ntication use access session closed Note Related Topics Configuring Open1x on page 295 Multidomain Authentication The switch supports multidomain authentication MDA which allows both a data device and voice device such as an IP phone Cisco or non Cisco to authenticate on the same switch port The port is divided into a data domain and a voice domain MDA does not enforce the order of device authenti...

Page 263: ...or disabled When a port host mode is changed from single or multihost to multidomain mode an authorized data device remains authorized on the port However a Cisco IP phone that has been allowed on the port voice VLAN is automatically removed and must be reauthenticated on that port Active fallback mechanisms such as guest VLAN and restricted VLAN remain configured after a port changes from single ...

Page 264: ...figuration on the authenticator switch allowing user traffic from multiple VLANs coming from supplicant switches Configure the cisco av pair as device traffic class switch at the ACS You can configure this under the group or the user settings Figure 21 Authenticator and Supplicant Switch using CISP Supplicant switch outside wiring closet 2 Workstations clients 1 Access control server ACS 4 Authent...

Page 265: ...this example is also160000050000000B288508E5 1w0d AUTHMGR 5 START Starting mab for client 0000 0000 0203 on Interface Fa4 0 4 AuditSessionID 160000050000000B288508E5 1w0d MAB 5 SUCCESS Authentication successful for client 0000 0000 0203 on Interface Fa4 0 4 AuditSessionID 160000050000000B288508E5 1w0d AUTHMGR 7 RESULT Authentication result success from mab for client 0000 0000 0203 on Interface Fa...

Page 266: ... times number of times that the switch will send an EAP request identity frame before restarting the authentication process Maximum retransmission number 30 seconds when relaying a request from the authentication server to the client the amount of time the switch waits for a response before resending the request to the client Client timeout period 30 seconds when relaying a response from the clien...

Page 267: ...x authentication on a dynamic port an error message appears and 802 1x authentication is not enabled If you try to change the mode of an 802 1x enabled port to dynamic an error message appears and the port mode is not changed Dynamic access ports If you try to enable 802 1x authentication on a dynamic access VLAN Query Protocol VQP port an error message appears and 802 1x authentication is not ena...

Page 268: ...N a restricted VLAN or a per user ACL on private VLAN ports You can configure any VLAN except an RSPAN VLAN private VLAN or a voice VLAN as an 802 1x guest VLAN The guest VLAN feature is not supported on internal VLANs routed ports or trunk ports it is supported only on access ports After you configure a guest VLAN for an 802 1x port to which a DHCP client is connected you might need to get a host...

Page 269: ...s added to the database the switch can use MAC authentication bypass to re authorize the port If the port is in the authorized state the port remains in this state until re authorization occurs Maximum Number of Allowed Devices Per Port This is the maximum number of devices allowed on an 802 1x enabled port In single host mode only one device is allowed on the access VLAN If the port is also confi...

Page 270: ...ring Voice Aware 802 1x Security Follow these guidelines to configure voice aware 802 1x voice security on the switch You enable voice aware 802 1x security by entering the errdisable detect cause security violation shutdown vlan global configuration command You disable voice aware 802 1x security by entering the no version of this command This command applies to all 802 1x configured ports in the...

Page 271: ...olation error occurs errdisable detect cause security violation shutdown vlan Step 2 Example Switch config errdisable detect cause If the shutdown vlan keywords are not included the entire port enters the error disabled state and shuts down Note security violation shutdown vlan Optional Enables automatic per VLAN error recovery errdisable recovery cause security violation Example Switch config err...

Page 272: ...opics Voice Aware 802 1x Security on page 242 Configuring 802 1x Violation Modes You can configure an 802 1x port so that it shuts down generates a syslog error or discards packets from a new device when a device connects to an 802 1x enabled port the maximum number of allowed about devices have been authenticated on the port Beginning in privileged EXEC mode follow these steps to configure the se...

Page 273: ...keyword followed by the method that is to be used in default situations The default method list is automatically applied to all ports default group radius For method1 enter the group radius keywords to use the list of all RADIUS servers for authentication Though other keywords are visible in the command line help string only the group radius keywords are supported Note Specifies the port connected...

Page 274: ...onfigure 802 1x port based authentication you must enable authentication authorization and accounting AAA and specify the authentication method list A method list describes the sequence and authentication method to be queried to authenticate a user SUMMARY STEPS 1 A user connects to a port on the switch 2 Authentication is performed 3 VLAN assignment is enabled as appropriate based on the RADIUS s...

Page 275: ...ssage to the accounting server Step 8 Configuring 802 1x Port Based Authentication Beginning in privileged EXEC mode follow these steps to configure 802 1x port based authentication SUMMARY STEPS 1 configure terminal 2 aaa new model 3 aaa authentication dot1x default method1 4 dot1x system auth control 5 aaa authorization network default group radius 6 radius server host ip address 7 radius server...

Page 276: ...her keywords are visible in the command line help string only the group radius keywords are supported Note Enables 802 1x authentication globally on the switch dot1x system auth control Example Switch config dot1x system auth control Step 4 Optional Configures the switch to use user RADIUS authorization for all network related service requests such as per user ACLs or VLAN assignment aaa authoriza...

Page 277: ...witch config if authentication Step 10 port control auto Sets the interface Port Access Entity to act only as an authenticator and ignore messages meant for a supplicant dot1x pae authenticator Example Switch config if dot1x pae authenticator Step 11 Returns to privileged EXEC mode end Example Switch config if end Step 12 Configuring the Switch to RADIUS Server Communication You can globally confi...

Page 278: ...ress specify the hostname or IP address of the remote RADIUS server Example Switch config radius server For auth port port number specify the UDP destination port for authentication requests The default is 1812 The range is 0 to 65536 For key string specify the authentication and encryption key used between the switch and the RADIUS daemon running on the RADIUS server The key is a text string that...

Page 279: ...ure terminal Example Switch configure terminal Step 1 Specifies the port to which multiple hosts are indirectly attached and enter interface configuration mode interface interface id Example Switch config interface Step 2 gigabitethernet2 0 1 Allows multiple hosts clients on an 802 1x authorized port authentication host mode multi auth multi domain multi host single host Step 3 The keywords have t...

Page 280: ... do not specify a time period before enabling re authentication the number of seconds between attempts is 3600 Beginning in privileged EXEC mode follow these steps to enable periodic re authentication of the client and to configure the number of seconds between re authentication attempts This procedure is optional SUMMARY STEPS 1 configure terminal 2 interface interface id 3 authentication periodi...

Page 281: ...ate Time in seconds after which an automatic re authentication attempt is initiated timer reauthenticate 180 restart value Interval in seconds after which an attempt is made to authenticate an unauthorized port This command affects the behavior of the switch only if periodic re authentication is enabled Returns to privileged EXEC mode end Example Switch config if end Step 5 Changing the Quiet Peri...

Page 282: ...e following a failed authentication exchange with the client authentication timer inactivity seconds Example Switch config if authentication timer inactivity Step 3 The range is 1 to 65535 seconds the default is 60 30 Returns to privileged EXEC mode end Example Switch config if end Step 4 Verifies your entries show authentication sessions interface interface id Example Switch show authentication s...

Page 283: ... timer reauthenticate seconds 4 end 5 show authentication sessions interface interface id 6 copy running config startup config DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the port to be configured and enter interface configuration mode interface interface id Example Switch config interface gigab...

Page 284: ...tch sends an EAP request identity frame assuming no response is received to the client before restarting the authentication process You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain clients and authentication servers Note Beginning in privileged EXEC mode follow these steps to set the s...

Page 285: ...Returns to privileged EXEC mode end Example Switch config if end Step 4 Setting the Re Authentication Number You can also change the number of times that the switch restarts the authentication process before the port changes to the unauthorized state You should change the default value of this command only to adjust for unusual circumstances such as unreliable links or specific behavioral problems...

Page 286: ...he RADIUS server switchport mode access Example Switch config if switchport mode access Step 3 Sets the number of times that the switch restarts the authentication process before the port changes to the unauthorized state The range is 0 to 10 the default is 2 dot1x max req count Example Switch config if dot1x max req 4 Step 4 Returns to privileged EXEC mode end Example Switch config if end Step 5 ...

Page 287: ...nfig authentication mac move In Session Aware Networking mode the default CLI is access session mac move deny To enable Mac Move in Session Aware Networking use the no access session mac move global configuration command permit Returns to privileged EXEC mode end Example Switch config end Step 3 Verifies your entries show running config Example Switch show running config Step 4 Optional Saves your...

Page 288: ...e interface id Example Switch config interface Step 2 gigabitethernet2 0 2 Use the replace keyword to enable MAC replace on the interface The port removes the current session and initiates authentication with the new host authentication violation protect replace restrict shutdown Example Switch config if authentication violation Step 3 The other keywords have these effects protect the port drops p...

Page 289: ...e number of retransmissions of an accounting request this system message appears Accounting message s for session s failed to receive Accounting Response When the stop message is not sent successfully this message appears 00 09 55 RADIUS 4 RADIUS_DEAD RADIUS server 172 20 246 201 1645 1646 is not responding You must configure the RADIUS server to perform accounting tasks such as logging start stop...

Page 290: ...es 802 1x accounting using the list of all RADIUS servers aaa accounting dot1x default start stop group radius Example Switch config if aaa accounting dot1x default Step 3 start stop group radius Optional Enables system accounting using the list of all RADIUS servers and generates system aaa accounting system default start stop group radius Example Switch config if aaa accounting system default St...

Page 291: ... granted network access The switch supports guest VLANs in single host or multiple hosts mode Beginning in privileged EXEC mode follow these steps to configure a guest VLAN This procedure is optional SUMMARY STEPS 1 configure terminal 2 interface interface id 3 Use one of the following switchport mode access switchport mode private vlan host 4 authentication event no response action authorize vlan...

Page 292: ...tive VLAN except an internal VLAN routed port an RSPAN VLAN a primary private VLAN or a voice VLAN as an 802 1x guest VLAN no response action authorize vlan 2 Returns to privileged EXEC mode end Example Switch config if end Step 5 Configuring a Restricted VLAN When you configure a restricted VLAN on a switch stack or a switch clients that are IEEE 802 1x compliant are moved into the restricted VLA...

Page 293: ...onfiguration mode interface interface id Example Switch config interface gigabitethernet2 0 2 Step 2 Use one of the following Step 3 Sets the port to access mode Configures the Layer 2 port as a private VLAN host port switchport mode access switchport mode private vlan host Example Switch config if switchport mode access Enables 802 1x authentication on the port authentication port control auto Ex...

Page 294: ...user is assigned to the restricted VLAN by using the authentication event retry retry count interface configuration command The range of allowable authentication attempts is 1 to 3 The default is 3 attempts Beginning in privileged EXEC mode follow these steps to configure the maximum number of allowed authentication attempts This procedure is optional SUMMARY STEPS 1 configure terminal 2 interface...

Page 295: ...authentication port control Step 4 auto Specifies an active VLAN as an 802 1x restricted VLAN The range is 1 to 4094 authentication event fail action authorize vlan vlan id Example Switch config if authentication event fail Step 5 You can configure any active VLAN except an internal VLAN routed port an RSPAN VLAN a primary private VLAN or a voice VLAN as an 802 1x restricted VLAN action authorize ...

Page 296: ...ort key string 5 dot1x critical eapol recovery delay milliseconds 6 interface interface id 7 authentication event server dead action authorize reinitialize vlan vlan id 8 dot1x critical recovery action reinitialize vlan vlan id 9 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Optional Sets the conditions...

Page 297: ...le time 30 key abc1234 test username name Enables automated testing of the RADIUS server status and specify the username to be used idle time time Sets the interval of time in minutes after which the switch sends test packets to the server The range is from 1 to 35791 minutes The default is 60 minutes 1 hour ignore acct port Disables testing on the RADIUS server accounting port ignore auth port Di...

Page 298: ...ritical VLAN Example Switch config if authentication reinitialize Moves all authorized hosts on the port to the user specified critical VLAN event server dead action reinitialize vlan 5 Enables the inaccessible authentication bypass feature and use these keywords to configure the feature dot1x critical recovery action reinitialize vlan vlan id Step 8 Example Switch config if dot1x critical authori...

Page 299: ...ch configure terminal Step 1 Specifies the port to be configured and enter interface configuration mode interface interface id Example Switch config interface gigabitethernet2 0 3 Step 2 Enables 802 1x authentication with WoL on the port and use these keywords to configure the port as bidirectional or unidirectional authentication control direction both in Example Switch config if authentication S...

Page 300: ...Step 6 Configuring MAC Authentication Bypass Beginning in privileged EXEC mode follow these steps to enable MAC authentication bypass This procedure is optional SUMMARY STEPS 1 configure terminal 2 interface interface id 3 authentication port control auto 4 mab eap 5 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure termin...

Page 301: ... Bypass Username and Password Use the optional mab request format command to format the MAB username and password in a style accepted by the authentication server The username and password are usually the MAC address of the client Some authentication server configurations require the password to be different from the username Beginning in privileged EXEC mode follow these steps to format MAC authe...

Page 302: ...f nonnumeric hex nibbles should be in lowercase or uppercase 2 Specifies a custom nondefault value for the User Password attribute in MAB generated Access Request packets mab request format attribute2 0 7 text Example Switch config mab request format Step 3 0 Specifies a cleartext password to follow 7 Specifies an encrypted password to follow text Specifies the password to be used in the User Pass...

Page 303: ...p configuration or elements of the VLAN group configuration no vlan group vlan group name vlan list vlan list Example Switch config no vlan group eng dept vlan list Step 4 10 Example of Configuring VLAN Groups This example shows how to configure the VLAN groups to map the VLANs to the groups to and verify the VLAN group configurations and mapping to the specified VLANs Switch config vlan group eng...

Page 304: ...ll Switch config show vlan group all For more information about these commands see the Cisco IOS Security Command Reference Configuring NAC Layer 2 802 1x Validation You can configure NAC Layer 2 802 1x validation which is also referred to as 802 1x authentication with a RADIUS server Beginning in privileged EXEC mode follow these steps to configure NAC Layer 2 802 1x validation The procedure is o...

Page 305: ...an configure any active VLAN except an internal VLAN routed port an RSPAN VLAN or a voice VLAN as an 802 1x guest VLAN no response action authorize vlan 8 Enables periodic re authentication of the client which is disabled by default authentication periodic Example Switch config if authentication periodic Step 5 Sets re authentication attempt for the client set to one hour authentication timer reau...

Page 306: ...isco av pairs must be configured as device traffic class switch on the ACS which sets the interface as a trunk after the supplicant is successfully authenticated Note Beginning in privileged EXEC mode follow these steps to configure a switch as an authenticator SUMMARY STEPS 1 configure terminal 2 cisp enable 3 interface interface id 4 switchport mode access 5 authentication port control auto 6 do...

Page 307: ...ion mode to auto authentication port control auto Example Switch config if authentication port control auto Step 5 Configures the interface as a port access entity PAE authenticator dot1x pae authenticator Example Switch config if dot1x pae authenticator Step 6 Enables Port Fast on an access port connected to a single workstation or server spanning tree portfast Example Switch config if spanning t...

Page 308: ... supplicant SUMMARY STEPS 1 configure terminal 2 cisp enable 3 dot1x credentials profile 4 username suppswitch 5 password password 6 dot1x supplicant force multicast 7 interface interface id 8 switchport trunk encapsulation dot1q 9 switchport mode trunk 10 dot1x pae supplicant 11 dot1x credentials profile name 12 end 13 show running config interface interface id 14 copy running config startup conf...

Page 309: ...rd myswitch Step 5 Forces the switch to send only multicast EAPOL packets when it receives either unicast or multicast packets dot1x supplicant force multicast Example Switch config dot1x supplicant force multicast Step 6 This also allows NEAT to work on the supplicant switch in all host modes Specifies the port to be configured and enter interface configuration mode interface interface id Example...

Page 310: ...ies your configuration show running config interface interface id Example Switch show running config interface Step 13 gigabitethernet1 0 1 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step 14 You can also use an Auto Smartports user defined macro instead of the switch VSA to configure the authenticator C...

Page 311: ...s addition to the IP device tracking table The switch then applies the downloadable ACL to the port Beginning in privileged EXEC mode SUMMARY STEPS 1 configure terminal 2 ip device tracking 3 aaa new model 4 aaa authorization network default local group radius 5 radius server vsa send authentication 6 interface interface id 7 ip access group acl id in 8 show running config interface interface id 9...

Page 312: ...nterface interface id Example Switch config interface gigabitethernet2 0 4 Step 6 Configures the default ACL on the port in the input direction ip access group acl id in Example Switch config if ip access group default_acl in Step 7 The acl id is an access list name or number Note Verifies your configuration show running config interface interface id Example Switch config if show running config in...

Page 313: ... number is a decimal number from 1 to 99 or 1300 to 1999 Example Switch config access list 1 deny any log Enter deny or permit to specify whether to deny or permit access if conditions are matched The source is the source address of the network or host that sends a packet such as this hostname The 32 bit quantity in dotted decimal format any The keyword any as an abbreviation for source and source...

Page 314: ... network default group radius Example Switch config aaa authorization Step 7 network default group radius Enables the IP device tracking table ip device tracking Step 8 Example Switch config ip device tracking To disable the IP device tracking table use the no ip device tracking global configuration commands Optional Configures the IP device tracking table ip device tracking probe count interval u...

Page 315: ...ning in privileged EXEC mode follow these steps SUMMARY STEPS 1 configure terminal 2 mab request format attribute 32 vlan access vlan 3 copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Enables VLAN ID based MAC authentication mab request format attribute 32 vlan access vlan Examp...

Page 316: ...ver you should understand the potential consequences of those changes See http www cisco com en US prod collateral iosswrel ps6537 ps6586 ps6638 application_note_c27 573287_ps6638_Products_White_Paper html for details Note Beginning in privileged EXEC mode follow these steps SUMMARY STEPS 1 configure terminal 2 interface interface id 3 switchport mode access 4 authentication order dot1x mab webaut...

Page 317: ... Switch config if authentication order mab dot1x Step 4 Optional Adds an authentication method to the port priority list authentication priority dot1x mab webauth Example Switch config if authentication priority mab Step 5 dot1x Returns to privileged EXEC mode end Example Switch config if end Step 6 Related Topics Flexible Authentication Ordering on page 239 Configuring Open1x Beginning in privile...

Page 318: ...n mode interface interface id Example Switch config interface gigabitethernet 1 0 1 Step 2 Sets the port to access mode only if you configured the RADIUS server switchport mode access Example Switch config if switchport mode access Step 3 Optional Configures the port control as unidirectional or bidirectional authentication control direction both in Example Switch config if authentication control ...

Page 319: ...on on a port authentication periodic Example Switch config if authentication periodic Step 9 Optional Enables manual control of the port authorization state authentication port control auto force authorized force un authorized Example Switch config if authentication port control auto Step 10 Returns to privileged EXEC mode end Example Switch config if end Step 11 Related Topics Open1x Authenticati...

Page 320: ...guration mode interface interface id Example Switch config interface gigabitethernet2 0 1 Step 2 Optional Sets the port to access mode only if you configured the RADIUS server switchport mode access Example Switch config if switchport mode access Step 3 Disables 802 1x authentication on the port no dot1x pae authenticator Example Switch config if no dot1x pae authenticator Step 4 Returns to privil...

Page 321: ...l Example Switch configure terminal Step 1 Enters interface configuration mode and specify the port to be configured interface interface id Example Switch config interface gigabitethernet1 0 2 Step 2 Resets the 802 1x parameters to the default values dot1x default Example Switch config if dot1x default Step 3 Returns to privileged EXEC mode end Example Switch config if end Step 4 Catalyst 2960 XR ...

Page 322: ... Displays the 802 1x administrative and operational status for a specific port show dot1x interface interface id Table 27 Global Configuration Commands Purpose Command Filters verbose 802 1x authentication messages beginning with Cisco IOS Release 12 2 55 SE no dot1x logging verbose For detailed information about the fields in these displays see the command reference for this release Catalyst 2960...

Page 323: ...ttp www cisco com go cfn An account on Cisco com is not required Information About Web Based Authentication Use the web based authentication feature known as web authentication proxy to authenticate end users on host systems that do not run the IEEE 802 1x supplicant You can configure web based authentication on Layer 2 and Layer 3 interfaces Note When you initiate an HTTP session web based authen...

Page 324: ...nt is denied Switch Controls the physical access to the network based on the authentication status of the client The switch acts as an intermediary proxy between the client and the authentication server requesting identity information from the client verifying that information with the authentication server and relaying a response to the client This figure shows the roles of these devices in a net...

Page 325: ... the authentication succeeds the switch downloads and activates the user s access policy from the authentication server The login success page is sent to the user If the authentication fails the switch sends the login fail page The user retries the login If the maximum number of attempts fails the switch sends the login expired page and the host is placed in a watch list After the watch list times...

Page 326: ...ew style mode Use the parameter map type webauth global bannerglobal configuration command The default banner Cisco Systems and Switch host name Authentication appear on the Login Page Cisco Systems appears on the authentication result pop up page Figure 23 Authentication Successful Banner The banner can be customized as follows Add a message such as switch router or company name to the banner Leg...

Page 327: ...configuration command New style mode Use the parameter map type webauth global banner global configuration command Figure 24 Customized Web Banner Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 OL 29434 01 305 Configuring Web Based Authentication Local Web Authentication Banner ...

Page 328: ...b Pages During the web based authentication process the switch internal HTTP server hosts four HTML pages to deliver to an authenticating client The server uses these pages to notify you of these four authentication process states Login Your credentials are requested Success The login was successful Fail The login failed Expire The login session has expired because of excessive login failures Guid...

Page 329: ...ered and then the command configuring web pages is entered the CLI command redirecting users to a specific URL does not take effect Configured web pages can be copied to the switch boot flash or flash On stackable switches configured pages can be accessed from the flash on the stack master or members The login page can be on one flash and the success and failure pages can be another flash for exam...

Page 330: ... an accessible HTTP server Configure an intercept ACL within the admission rule Any external link from a custom page requires configuration of an intercept ACL within the admission rule T o access a valid DNS server any name resolution required for external links or images requires configuration of an intercept ACL within the admission rule If the custom web pages feature is enabled a configured a...

Page 331: ...authentication authenticates the port and port security manages network access for all MAC addresses including that of the client You can then limit the number or group of clients that can access the network through the port For more information about enabling port security see the LAN Port IP You can configure LAN port IP LPIP and Layer 2 web based authentication on the same port The host is auth...

Page 332: ...Control Web based authentication cannot be configured on a Layer 2 port if context based access control CBAC is configured on the Layer 3 VLAN interface of the port VLAN EtherChannel You can configure web based authentication on a Layer 2 EtherChannel interface The web based authentication configuration applies to all member channels How to Configure Web Based Authentication Default Web Based Auth...

Page 333: ...Session aware policy mode IPv6 Web authentication requires at least one IPv6 address configured on the switch and IPv6 Snooping configured on the switchport Web based authentication and Network Edge Access Topology NEAT are mutually exclusive You cannot use web based authentication when NEAT is enabled on an interface and you cannot use NEAT when web based authentication is running on an interface...

Page 334: ...oxy Step 2 http Enters interface configuration mode and specifies the ingress Layer 2 or Layer 3 interface to be enabled for web based authentication interface type slot port Example Switch config interface gigabitEthernet1 0 1 Step 3 type can be fastethernet gigabit ethernet or tengigabitethernet Applies the default ACL ip access group name Example Switch config if ip access group webauthag Step ...

Page 335: ...file copy running config startup config Example Switch copy running config startup config Step 10 Configuring AAA Authentication Beginning in privileged EXEC mode follow these steps to configure AAA authentication SUMMARY STEPS 1 configure terminal 2 aaa new model 3 aaa authentication login default group tacacs radius 4 aaa authorization auth proxy default group tacacs radius 5 tacacs server host ...

Page 336: ...tion aaa authorization auth proxy default group tacacs radius Example Switch config aaa authorization auth proxy default Step 4 group tacacs Specifies an AAA server tacacs server host hostname ip_address Example Switch config tacacs server host 10 1 1 1 Step 5 Configures the authorization and encryption key used between the switch and the TACACS server tacacs server key key data Example Switch con...

Page 337: ...RADIUS host entries are chosen in the order that they were configured SUMMARY STEPS 1 configure terminal 2 ip radius source interface vlan vlan interface number 3 radius server host hostname ip address test username username 4 radius server key string 5 radius server dead criteria tries num tries 6 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal...

Page 338: ... tries 30 key is a text string that must match the encryption key used on the RADIUS server When you specify the key string use spaces within and at the end of the key If you use spaces in the key do not enclose the key in quotation marks unless the quotation marks are part of the key This key must match the encryption used on the RADIUS daemon You can globally configure the timeout retransmission...

Page 339: ...eature uses the HTTP server to communicate with the hosts for user authentication ip http server Example Switch config ip http server Step 2 Enables HTTPS ip http secure server Step 3 Example Switch config ip http secure server You can configure custom authentication proxy web pages or specify a redirection URL for successful login To ensure secure authentication when you enter the ip http secure ...

Page 340: ...p success page file device success filename 4 ip admission proxy http failure page file device fail filename 5 ip admission proxy http login expired page file device expired filename 6 end DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the location in the switch memory file system of the custom HTM...

Page 341: ...f a custom authentication proxy web page Switch show ip admission status IP admission status Enabled interfaces 0 Total sessions 0 Init sessions 0 Max init sessions allowed 100 Limit reached 0 Hi watermark 0 TCP half open connections 0 Hi watermark 0 TCP new connections 0 Hi watermark 0 TCP half open new 0 Hi watermark 0 HTTPD1 Contexts 0 Hi watermark 0 Parameter Map Global Custom Pages Custom pag...

Page 342: ...ple Switch config end Step 3 Verifying Redirection URL for Successful Login Switch show ip admission status Enabled interfaces 0 Total sessions 0 Init sessions 0 Max init sessions allowed 100 Limit reached 0 Hi watermark 0 TCP half open connections 0 Hi watermark 0 TCP new connections 0 Hi watermark 0 TCP half open new 0 Hi watermark 0 HTTPD1 Contexts 0 Hi watermark 0 Parameter Map Global Custom P...

Page 343: ...ts The range is 1 to 2147483647 attempts The default is 5 ip admission max login attempts number Example Switch config ip admission max login attempts Step 2 10 Returns to privileged EXEC mode end Example Switch config end Step 3 Configuring a Web Authentication Local Banner Beginning in privileged EXEC mode follow these steps to configure a local banner on a switch that has web authentication con...

Page 344: ...config end Step 3 Removing Web Based Authentication Cache Entries Beginning in privileged EXEC mode follow these steps to remove web based authentication cache entries SUMMARY STEPS 1 clear ip auth proxy cache host ip address 2 clear ip admission cache host ip address DETAILED STEPS Purpose Command or Action Delete authentication proxy entries Use an asterisk to delete all cache entries Enter a sp...

Page 345: ...eged EXEC show Commands Purpose Command Displays the web based authentication settings for all interfaces for fastethernet gigabitethernet or tengigabitethernet show authentication sessions method webauth Displays the web based authentication settings for the specified interface for fastethernet gigabitethernet or tengigabitethernet In Session Aware Networking mode use the show access session inte...

Page 346: ...Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 324 OL 29434 01 Configuring Web Based Authentication Monitoring Web Based Authentication Status ...

Page 347: ...formation About Port Blocking page 333 How to Configure Port Blocking page 333 Monitoring Port Blocking page 335 Prerequisites for Port Security page 335 Restrictions for Port Security page 335 Information About Port Security page 336 How to Configure Port Security page 340 Monitoring Port Security page 346 Configuration Examples for Port Security page 347 Information About Protocol Storm Protecti...

Page 348: ...he physical interfaces A LAN storm occurs when packets flood the LAN creating excessive traffic and degrading network performance Errors in the protocol stack implementation mistakes in network configurations or users issuing a denial of service attack can cause a storm Storm control or traffic suppression monitors packets passing from an interface to the switching bus and determines if the packet...

Page 349: ...c patterns on an interface over a given period of time Figure 27 Broadcast Storm Control Example Broadcast traffic being forwarded exceeded the configured threshold between time intervals T1 and T2 and between T4 and T5 When the amount of specified traffic exceeds the threshold all traffic of that kind is dropped for the next time period Therefore broadcast traffic is blocked during the intervals ...

Page 350: ...ontrol on an EtherChannel When storm control is configured on an EtherChannel the storm control settings propagate to the EtherChannel physical interfaces SUMMARY STEPS 1 configure terminal 2 interface interface id 3 storm control broadcast multicast unicast level level level low bps bps bps low pps pps pps low 4 storm control action shutdown trap 5 end 6 show storm control interface id broadcast ...

Page 351: ...traffic when the rising threshold is reached The range is 0 0 to 10000000000 0 Optional For bps low specifies the falling threshold level in bits per second up to one decimal place It can be less than or equal to the rising threshold level The port forwards traffic when traffic drops below this level The range is 0 0 to 10000000000 0 For pps pps specifies the rising threshold level for broadcast m...

Page 352: ...mmand Displays the administrative and operational status of all switching nonrouting ports or the specified port including port blocking and port protection settings show interfaces interface id switchport Displays storm control suppression levels set on all interfaces or the specified interface for the specified traffic type or for broadcast traffic if no traffic type is entered show storm contro...

Page 353: ...Default Protected Port Configuration The default is to have no protected ports defined Protected Ports Guidelines You can configure protected ports on a physical interface for example Gigabit Ethernet port 1 or an EtherChannel group for example port channel 5 When you enable protected ports for a port channel it is enabled for all ports in the port channel group Do not configure a private VLAN por...

Page 354: ...Example Switch config if switchport protected Step 3 Returns to privileged EXEC mode end Example Switch config if end Step 4 Verifies your entries show interfaces interface id switchport Example Switch show interfaces gigabitethernet1 0 1 Step 5 switchport Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config startup config Step...

Page 355: ... or multicast traffic from being forwarded from one port to another you can block a port protected or nonprotected from flooding unknown unicast or multicast packets to other ports With multicast traffic the port blocking feature blocks only pure Layer 2 packets Multicast packets that contain IPv4 or IPv6 information in the header are not blocked Note How to Configure Port Blocking Blocking Floode...

Page 356: ... of the port switchport block multicast Step 3 Example Switch config if switchport block multicast Only pure Layer 2 multicast traffic is blocked Multicast packets that contain IPv4 or IPv6 information in the header are not blocked Note Blocks unknown unicast forwarding out of the port switchport block unicast Example Switch config if switchport block unicast Step 4 Returns to privileged EXEC mode...

Page 357: ...maximum value to a number less than the number of secure addresses already configured on an interface the command is rejected Note Restrictions for Port Security The maximum number of secure MAC addresses that you can configure on a switch or switch stack is set by the maximum number of available MAC addresses allowed in the system This number is determined by the active Switch Database Management...

Page 358: ...Dynamic secure MAC addresses These are dynamically configured stored only in the address table and removed when the switch restarts Sticky secure MAC addresses These can be dynamically learned or manually configured stored in the address table and added to the running configuration If these addresses are saved in the configuration file when the switch restarts the interface does not need to dynami...

Page 359: ...u remove a sufficient number of secure MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses In this mode you are notified that a security violation has occurred An SNMP trap is sent a syslog message is logged and the violation counter increments shutdown a port security violation causes the interface to become error disabled and to shut down immediate...

Page 360: ...ecure addresses on the port are deleted only if the secure addresses are inactive for the specified aging time Related Topics Enabling and Configuring Port Security Aging on page 344 Port Security and Switch Stacks When a switch joins a stack the new switch will get the configured secure addresses All dynamic secure addresses are downloaded by the new stack member from the other stack members When...

Page 361: ...co IP phone no additional MAC addresses are required If you connect more than one PC to the Cisco IP phone you must configure enough secure addresses to allow one for each PC and one for the phone When a trunk port configured with port security and assigned to an access VLAN for data traffic and to a voice VLAN for voice traffic entering the switchport voice and switchport priority extend interfac...

Page 362: ...ed with the switchport mode dynamic interface configuration command 13 A VLAN Query Protocol VQP port configured with the switchport access vlan dynamic interface configuration command 14 You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN How to Configure Port Security Enabling and Configuring Port Security Be...

Page 363: ... global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the interface to be configured and enter interface configuration mode interface interface id Example Switch config interface Step 2 gigabitethernet1 0 1 Sets the interface switchport mode as access or trunk an interface in the default mode dynamic auto cannot be configured as a secure port switchport m...

Page 364: ...rt and if that port is not the access VLAN If an interface is configured for voice VLAN configure a maximum of two secure MAC addresses Note Optional Sets the violation mode the action to be taken when a security violation is detected as one of these switchport port security violation protect restrict shutdown shutdown vlan Step 7 protect When the number of port secure MAC addresses reaches the ma...

Page 365: ...ss 00 A0 C7 12 C9 25 vlan 3 voice Enter one of these options after you enter the vlan keyword vlan id On a trunk port you can specify the VLAN ID and the MAC address If you do not specify a VLAN ID the native VLAN is used access On an access port specifies the VLAN as an access VLAN voice On an access port specifies the VLAN as a voice VLAN The voice keyword is available only if a voice VLAN is co...

Page 366: ...how port security Example Switch show port security Step 12 Optional Saves your entries in the configuration file copy running config startup config Example Switch copy running config Step 13 startup config Related Topics Port Security on page 336 Configuration Examples for Port Security on page 347 Enabling and Configuring Port Security Aging Use this feature to remove and add devices on a secure...

Page 367: ... does not support port security aging of sticky secure addresses Note Enter static to enable aging for statically configured secure addresses on this port port security aging time 120 For time specifies the aging time for this port The valid range is from 0 to 1440 minutes For type select one of these keywords absolute Sets the aging type as absolute aging All the secure addresses on this port age...

Page 368: ... or for the specified interface including the maximum allowed number of secure MAC addresses for each interface the number of secure MAC addresses on the interface the number of security violations that have occurred and the violation mode show port security interface interface id Displays all secure MAC addresses configured on all switch interfaces or on a specified interface with aging informati...

Page 369: ...itchport mode access Switch config if switchport voice vlan 22 Switch config if switchport port security Switch config if switchport port security maximum 20 Switch config if switchport port security violation restrict Switch config if switchport port security mac address sticky Switch config if switchport port security mac address sticky 0000 0000 0002 Switch config if switchport port security ma...

Page 370: ...disable the virtual port blocking all incoming traffic on the virtual port You can manually enable the virtual port or set a time interval for automatic re enabling of the virtual port Excess packets are dropped on no more than two virtual ports Virtual port error disabling is not supported for EtherChannel and Flexlink interfaces Note Default Protocol Storm Protection Configuration Protocol storm...

Page 371: ...h config errdisable detect cause Step 3 If this feature is disabled the port drops excess packets without error disabling the port psp Optional Configures an auto recovery time in seconds for error disabled virtual ports When a virtual port is error disabled the errdisable recovery interval time Example Switch Step 4 switch auto recovers after this time The range is from 30 to 86400 seconds Return...

Page 372: ...Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 350 OL 29434 01 Configuring Port Based Traffic Control Monitoring Protocol Storm Protection ...

Page 373: ...isites for First Hop Security in IPv6 You have configured the necessary IPv6 enabled SDM template You should be familiar with the IPv6 neighbor discovery feature For information see the Implementing IPv6 Addressing and Basic Connectivity chapter of the Cisco IOS IPv6 Configuration Library on Cisco com Restrictions for First Hop Security in IPv6 Although visible in the command line help strings the...

Page 374: ... Control MAC mapping is verifiable IPv6 Router Advertisement Guard The IPv6 Router Advertisement RA guard feature enables the network administrator to block or reject unwanted or rogue RA guard messages that arrive at the network switch platform RAs are used by routers to announce themselves on the link The RA Guard feature analyzes the RAs and filters out bogus RAs sent by unauthorized routers In...

Page 375: ...l device role node switch Specifies the role of the device attached to the port Default is node reachable lifetime seconds infinite trusted port Optional limit address count value Limits the number of addresses allowed per target Example Switch config ipv6 snooping security level inspect Optional no Negates a command or sets it to defaults Optional protocol dhcp ndp Specifies which protocol should...

Page 376: ... show ipv6 snooping policy example_policy Step 5 What to Do Next Attach an IPv6 Snooping policy to interfaces or VLANs How to Attach an IPv6 Snooping Policy to an Interface or a VLAN on an Interface Beginning in privileged EXEC mode follow these steps to attach an IPv6 Snooping Policy ot and interface or VLAN SUMMARY STEPS 1 configure terminal 2 interface Interface_type stack module port 3 switchp...

Page 377: ...nfiguration mode Note Attaches a custom ipv6 snooping policy to the interface or the specified VLANs on the interface To attach the default policy to the interface ipv6 snooping attach policy policy_name vlan vlan_id add vlan_ids exceptvlan_ids none Step 4 use the ipv6 snooping command without the attach policy keyword remove vlan_ids vlan vlan_id add vlan_ids exceptvlan_ids none remove vlan_ids a...

Page 378: ...oping policy to the specified VLANs across all switch and stack interfaces The default policy is attached if ipv6 snooping attach policy policy_name Example Switch config vlan config ipv6 snooping attach policy example_policy Step 3 the attach policy option is not used The default policy is security level guard device role node protocol ndp and dhcp Verifies that the policy is attached to the spec...

Page 379: ... reachable lifetimevalue Step 2 seconds default infinite tracking default disable reachable lifetimevalue seconds default infinite enable reachable lifetimevalue seconds default infinite retry interval seconds default reachable lifetimevalue seconds default infinite Example Switch config ipv6 neighbor binding Specifies the maximum number of entries that are allowed to be inserted in the binding ta...

Page 380: ...o device role drop unsecure limit address count sec level minimum tracking trusted port validate source mac 11 default device role drop unsecure limit address count sec level minimum tracking trusted port validate source mac 12 do show ipv6 nd inspection policy policy_name DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure term...

Page 381: ...value infinite Step 7 Example Switch config nd inspection tracking disable stale lifetime infinite Configures a port to become a trusted port trusted port Example Switch config nd inspection trusted port Step 8 validate source mac Step 9 Example Switch config nd inspection validate source mac Remove the current configuration of a parameter with the no form of the command no device role drop unsecu...

Page 382: ...lobal configuration mode configure terminal Example Switch configure terminal Step 1 Specifies an interface type and identifier enters the interface configuration mode interface Interface_type stack module port Example Switch config interface gigabitethernet 1 1 4 Step 2 Attaches the Neighbor Discovery Inspection policy to the interface or the specified VLANs on that ipv6 nd inspection attach poli...

Page 383: ...mmand or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the VLANs to which the IPv6 Snooping policy will be attached enters the VLAN interface configuration mode vlan configuration vlan_list Example Switch config vlan configuration 334 Step 2 Attaches the IPv6 Neighbor Discovery policy to the specified VLANs across all switch and s...

Page 384: ... default device role hop limit maximum minimum managed config flag match ipv6 access list ra prefix list other config flag router preference maximum trusted port 11 no device role hop limit maximum minimum managed config flag match ipv6 access list ra prefix list other config flag router preference maximum trusted port 12 do show ipv6 nd raguard policy policy_name DETAILED STEPS Purpose Command or...

Page 385: ... flag on off Example Switch config nd raguard other config flag on Step 7 Enables verification of the advertised Router Preference flag router preference maximum high medium low Example Switch config nd raguard router preference maximum high Step 8 high Discards RAs with router preference greater than high low Discards RAs with router preference greater than low medium Discards RAs with router pre...

Page 386: ...tack module port 3 ipv6 nd raguard attach policy policy_name vlan vlan_ids add vlan_ids except vlan_ids none remove vlan_ids all vlan vlan_ids add vlan_ids exceptvlan_ids none remove vlan_ids all 4 do show running config DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies an interface type and identifie...

Page 387: ...C mode follow these steps to attach an IPv6 Router Advertisement policy to VLANs regardless of interface SUMMARY STEPS 1 configure terminal 2 vlan configuration vlan_list 3 ipv6 dhcp guard attach policy policy_name 4 do show running config DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the VLANs to...

Page 388: ...lient server 4 trusted port 5 default device role trusted port 6 no device role trusted port 7 do show ipv6 dhcp guard policy policy_name DETAILED STEPS Purpose Command or Action Enters the global configuration mode configure terminal Example Switch configure terminal Step 1 Specifies the DHCP Guard policy name and enters DHCP Guard Policy configuration mode no ipv6 dhcp guard policy policy name E...

Page 389: ...onal Displays the configuration of the IPv6 DHCP guard policy without leaving the configuration submode do show ipv6 dhcp guard policy policy_name Example Switch config dhcp guard do show ipv6 dhcp guard policy example_policy Step 7 How to Attach an IPv6 DHCP Guard Policy to an Interface Beginning in privileged EXEC mode follow these steps to configure IPv6 Binding Table Content SUMMARY STEPS 1 co...

Page 390: ...mple Switch config if ipv6 dhcp guard attach policy example_policy or Switch config if ipv6 dhcp guard attach policy example_policy vlan 222 223 224 or Switch config if ipv6 dhcp guard vlan 222 223 224 Confirms that the policy is attached to the specified interface without exiting the configuration mode do show running config Example Switch config if do show running config Step 4 How to Attach an ...

Page 391: ... if the attach policy option is not used The default policy is device role client no trusted port Confirms that the policy is attached to the specified VLANs without exiting the configuration mode do show running config Example Switch config if do show running config Step 4 How to Configure IPv6 Source Guard SUMMARY STEPS 1 configure terminal 2 no ipv6 source guard policy policy_name 3 deny global...

Page 392: ...fic permit link local Allows all data traffic that is sourced by a link local address Exits to Privileged Exec mode end Example Switch config sisf sourceguard end Step 4 Shows the policy configuration and all the interfaces where the policy is applied show ipv6 source guard policy policy_name Example Switch show ipv6 source guard policy example_policy Step 5 What to Do Next Apply the IPv6 Source G...

Page 393: ...terface The default policy is attached if the attach policy option is not used ipv6 source guard attach policy policy_name Example Switch config if ipv6 source guard attach policy example_policy Step 3 Confirms that the policy is attached to the specified interface without exiting the configuration mode do show running config Example Switch config if do show running config Step 4 Catalyst 2960 XR ...

Page 394: ...Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 372 OL 29434 01 Configuring IPv6 First Hop Security How to Attach an IPv6 Source Guard Policy to an Interface ...

Page 395: ...y component of Cisco TrustSec is the Cisco Identity Services Engine ISE Cisco ISE can provision switches with TrustSec Identities and Security Group ACLs SGACLs though these may be configured manually on the switch Finding Feature Information To configure Cisco TrustSec on the switch see the Cisco TrustSec Switch Configuration Guide at the following URL www cisco com en US docs switches lan trusts...

Page 396: ...n be 802 1X MAC Authentication Bypass MAB and Web Authentication Proxy WebAuth Endpoint Admission Control EAC NDAC is an authentication process where each network device in the TrustSec domain can verify the credentials and trustworthiness of its peer device NDAC utilizes an authentication framework based on IEEE 802 1X port based authentication and uses EAP FAST as its EAP method Successful authe...

Page 397: ...n then forward a sourceIP to SGT binding to a TrustSec hardware capable device will tag the source traffic for SGACL enforcement SGT Exchange Protocol SXP Feature Information for Cisco TrustSec This table lists the features in this module and provides links to specific configuration information Table 37 Feature Information for Cisco TrustSec Feature Information Releases Feature Name SXP is introdu...

Page 398: ...Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 376 OL 29434 01 Configuring Cisco TrustSec Feature Information for Cisco TrustSec ...

Page 399: ...ined 120 ACLs continued IPv4 113 119 129 130 applying to interfaces 130 creating 113 interfaces 119 matching criteria 113 numbers 113 terminal lines setting on 129 unsupported features 113 Layer 4 information in 118 logging messages 116 matching 119 monitoring 139 port 108 precedence of 108 router 108 router ACLs and VLAN map configuration guidelines 118 standard IPv4 113 120 creating 120 matching...

Page 400: ...unication global 65 73 communication per server 65 login authentication 45 multiple UDP ports 65 configuring a secure HTTP client 102 configuring a secure HTTP server 99 Configuring the Switch for Vendor Proprietary RADIUS Server Communication 80 Example command 80 Configuring the Switch to Use Vendor Specific RADIUS Attributes 80 Examples command 80 customizeable web pages web based authenticatio...

Page 401: ...115 named 115 IP source guard 185 187 188 189 802 1x 187 binding configuration 185 automatic 185 manual 185 binding table 185 configuration guidelines 187 described 185 DHCP snooping 185 enabling 188 189 EtherChannels 187 port security 187 private VLANs 187 routed ports 187 static bindings 188 189 adding 188 189 static hosts 189 TCAM entries 187 trunk interfaces 187 VRF 187 IPv4 ACLs 119 120 122 1...

Page 402: ...ilege levels 24 31 32 33 changing the default for lines 32 exiting 33 logging into 33 overview 24 setting a command with 31 Protecting Enable and Enable Secret Passwords with Encryption 35 Example command 35 R RADIUS 53 54 62 65 66 68 71 72 73 75 80 attributes 75 80 vendor proprietary 75 80 vendor specific 75 configuring 65 66 71 72 73 accounting 72 authentication 66 authorization 71 communication...

Page 403: ...atic hosts 189 statistics 323 802 1X 323 suggested network environments 53 SVIs 110 and router ACLs 110 Switch Access 34 displaying 34 switched packets ACLs on 151 T TACACS 39 41 43 45 47 48 50 accounting defined 39 authentication defined 39 authorization defined 39 configuring 43 45 47 48 accounting 48 authentication key 43 authorization 47 login authentication 45 default configuration 43 defined...

Page 404: ...ample 150 denying and permitting packets 135 137 displaying 140 VRF 187 W web based authentication 301 306 customizeable web pages 306 description 301 web based authentication interactions with other features 309 with RADIUS 66 71 72 with TACACS 39 45 47 48 with usernames 30 Catalyst 2960 XR Switch Security Configuration Guide Cisco IOS Release 15 0 2 EX1 IN 6 OL 29434 01 Index ...

Reviews:

No comments

Related manuals for Catalyst 2960-XR

D-Link Express Ethernetwork DI-704P Quick Install Manual preview
Express Ethernetwork DI-704P
Brand: D-Link Pages: 17
C4i U1000 User Manual preview
U1000
Brand: C4i Pages: 8
3Com TokenLink 3C359B Release Note preview
TokenLink 3C359B
Brand: 3Com Pages: 4
3Com TokenLink 3C359B Quick Start Manual preview
TokenLink 3C359B
Brand: 3Com Pages: 8
3Com TokenLink 3C339 Release Note preview
TokenLink 3C339
Brand: 3Com Pages: 2
3Com EtherLink 3C985B-SX Installation And User Manual preview
EtherLink 3C985B-SX
Brand: 3Com Pages: 44
3Com 3CR990 Administration Manual preview
3CR990
Brand: 3Com Pages: 88
3Com 3C16080 Important Information preview
3C16080
Brand: 3Com Pages: 2
3Com 3C905C-TX-M User Manual preview
3C905C-TX-M
Brand: 3Com Pages: 111
3Com TokenLink 3C359 Release Note preview
TokenLink 3C359
Brand: 3Com Pages: 4
3Com 3C421600A Quick Setup Manual preview
3C421600A
Brand: 3Com Pages: 74
3Com 3C421600A Installation Manual preview
3C421600A
Brand: 3Com Pages: 6
3Com IntelliJack NJ200 Datasheet preview
IntelliJack NJ200
Brand: 3Com Pages: 4
Hama HDD Silenser Bedienungsanleitung preview
HDD Silenser
Brand: Hama Pages: 12
TP-Link VIGI NVR1008 Quick Installation Manual preview
VIGI NVR1008
Brand: TP-Link Pages: 2
Fracarro FRPRO EVO HD Quick Start Manual preview
FRPRO EVO HD
Brand: Fracarro Pages: 12
Multitech MultiConnect SE MTS2EA Specification Sheet preview
MultiConnect SE MTS2EA
Brand: Multitech Pages: 2
Omega OMB-DAQBOARD-3000 Series User Manual preview
OMB-DAQBOARD-3000 Series
Brand: Omega Pages: 108

Brands by name

Popular brands

Load more brands