Cisco Catalyst 2960-X Security Configuration Manual


Cisco IOS Release 15.0(2)EX

Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS
Release 15.0(2)EX
First Published: July 10, 2013
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-29048-01


Summary of Contents for Cisco Catalyst 2960-X

  • Page 2 Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks . Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
  • Page 3: Table Of Contents

    Accessing the CLI on a Switch Stack; Accessing the CLI Through a Console Connection or Through Telnet; Chapter 2: Security Features Overview
  • Page 4 Example: Setting a Telnet Password for a Terminal Line; Example: Setting the Privilege Level for a Command; Additional References; Chapter 5: Configuring TACACS+; Finding Feature Information; Prerequisites for TACACS+
  • Page 5 Information about RADIUS; RADIUS and Switch Access; RADIUS Overview; RADIUS Operation; RADIUS Change of Authorization; Change-of-Authorization Requests; RFC 5176 Compliance; Preconditions; CoA Request Response Code; Session Identification; CoA ACK Response Code
  • Page 6 Configuring RADIUS Server Load Balancing; Monitoring CoA Functionality; Configuration Examples for Controlling Switch Access with RADIUS; Examples: Identifying the RADIUS Server Host; Example: Using Two Different RADIUS Group Servers
  • Page 7 Chapter 9: Configuring Secure Socket Layer HTTP; Finding Feature Information; Information about Secure Sockets Layer (SSL) HTTP; Secure HTTP Servers and Clients Overview; Certificate Authority Trustpoints
  • Page 8 Active Switch and ACL Functions; Stack Member and ACL Functions; Active Switch Failure and ACLs; Standard and Extended IPv4 ACLs; IPv4 ACL Switch Unsupported Features; Access List Numbers; Numbered Standard IPv4 ACLs
  • Page 9 Examples: Including Comments in ACLs; Examples: Troubleshooting ACLs; IPv4 ACL Configuration Examples; ACLs in a Small Networked Office; Examples: ACLs in a Small Networked Office; Example: Numbered ACLs; Examples: Extended ACLs
  • Page 10 Default Configuration for IPv6 ACLs; Configuring IPv6 ACLs; Attaching an IPv6 ACL to an Interface; Monitoring IPv6 ACLs; Additional References; Chapter 12: Configuring DHCP
  • Page 11 Chapter 13: Configuring IP Source Guard; Finding Feature Information; Information About IP Source Guard; IP Source Guard; IP Source Guard for Static Hosts
  • Page 12 Port-Based Authentication Initiation and Message Exchange; Authentication Manager for Port-Based Authentication; Port-Based Authentication Methods; Per-User ACLs and Filter-Ids; Port-Based Authentication Manager CLI Commands; Ports in Authorized and Unauthorized States
  • Page 13 IEEE 802.1x Authentication with Wake-on-LAN; IEEE 802.1x Authentication with MAC Authentication Bypass; Network Admission Control Layer 2 IEEE 802.1x Validation; Flexible Authentication Ordering; Open1x Authentication; Multidomain Authentication; Limiting Login for Users
  • Page 14 Configuring 802.1x Inaccessible Authentication Bypass with Critical Voice VLAN; Example of Configuring Inaccessible Authentication Bypass; Configuring 802.1x Authentication with WoL; Configuring MAC Authentication Bypass; Formatting a MAC Authentication Bypass Username and Password
  • Page 15 Web Authentication Customizable Web Pages Guidelines; Authentication Proxy Web Page Guidelines; Redirection URL for Successful Login Guidelines; Web-based Authentication Interactions with Other Features; Port Security; LAN Port IP; Gateway IP; ACLs
  • Page 16 How to Configure Storm Control; Configuring Storm Control and Threshold Levels; Configuring Small-Frame Arrival Rate; Finding Feature Information; Information About Protected Ports; Protected Ports; Default Protected Port Configuration; Protected Ports Guidelines
  • Page 17 How to Configure Port Security; Enabling and Configuring Port Security; Enabling and Configuring Port Security Aging; Finding Feature Information; Information About Storm Control; Storm Control; How Traffic Activity is Measured; Traffic Patterns
  • Page 18 How to Configure Protocol Storm Protection; Enabling Protocol Storm Protection; Monitoring Protocol Storm Protection; Additional References; Chapter 18: Configuring IPv6 First Hop Security
  • Page 19 How to Attach an IPv6 DHCP Guard Policy to VLANs Globally; How to Configure IPv6 Source Guard; How to Attach an IPv6 Source Guard Policy to an Interface; Additional References
  • Page 20 Contents
  • Page 21: Document Conventions

    A vertical line (|), called a pipe, indicates a choice within a set of keywords or arguments. [x | y]: Optional alternative keywords are grouped in brackets and separated by vertical bars.
  • Page 22 Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071. SAVE THESE INSTRUCTIONS.
  • Page 23: Related Documentation

    Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html...
  • Page 24 Preface: Obtaining Documentation and Submitting a Service Request
  • Page 25: Using The Command-Line Interface

    Command Modes The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.
  • Page 26 Interface configuration mode: While in global configuration mode, enter the interface command (with a specific interface). Prompt: Switch(config-if)#. Use this mode to configure parameters for the Ethernet ports.
  • Page 27: Understanding Abbreviated Commands

    However, some commands are enabled by default and have variables set to certain default values. In these cases, the default command enables the command and sets variables to their default values.
  • Page 28: CLI Error Messages

    You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command.
  • Page 29 Step 6: command keyword ? Lists the associated arguments for a keyword. Example: Switch(config)# cdp holdtime ? <10-255> Length of time (in sec) that receiver must keep this packet
  • Page 30: How To Use The CLI To Configure Features

    The arrow keys function only on ANSI-compatible terminals such as VT100s. SUMMARY STEPS 1. Ctrl-P or use the up arrow key 2. Ctrl-N or use the down arrow key 3. show history
  • Page 31: Disabling The Command History Feature

    Switch# terminal no history. Enabling and Disabling Editing Features: Although enhanced editing mode is automatically enabled, you can disable it and reenable it. SUMMARY STEPS 1. terminal editing 2. terminal no editing
  • Page 32: Editing Commands Through Keystrokes

    Transposes the character to the left of the cursor with the character located at the cursor. Delete or Backspace key: Erases the character to the left of the cursor. Ctrl-D: Deletes the character at the cursor.
  • Page 33: Editing Command Lines That Wrap

    Note: The arrow keys function only on ANSI-compatible terminals such as VT100s. The following example shows how to wrap a command line that extends beyond a single line on the screen.
  • Page 34: Searching And Filtering Output Of Show And More Commands

    Using these commands is optional. SUMMARY STEPS 1. {show | more} command | {begin | include | exclude} regular-expression
  • Page 35: Accessing The CLI On A Switch Stack

    • Use any Telnet TCP/IP or encrypted Secure Shell (SSH) package from a remote management station. The switch must have network connectivity with the Telnet or SSH client, and the switch must have an enable secret password configured.
  • Page 36 After you connect through the console port, through the Ethernet management port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station.
  • Page 37: Security Features Overview

    • Multilevel security for a choice of security level, notification, and resulting actions • Static MAC addressing for ensuring security • Protected port option for restricting the forwarding of traffic to designated ports on the same switch
  • Page 38 LAN Lite image. ◦ Port security for controlling access to 802.1x ports. ◦ Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port.
  • Page 39 ◦ IP phone detection enhancement to detect and recognize a Cisco IP phone. ◦ Guest VLAN to provide limited services to non-802.1x-compliant users. ◦ Restricted VLAN to provide limited services to users who are 802.1x compliant, but do not have the credentials to authenticate via the standard 802.1x processes.
  • Page 40 When there is a change in policy for a user or user group in AAA, administrators can send the RADIUS CoA packets from the AAA server, such as Cisco Identity Services Engine, or Cisco Secure ACS to reinitialize authentication, and apply to the new policies.
  • Page 41: Chapter 3 Preventing Unauthorized Access

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 42 • You can also enable the login enhancements feature, which logs both failed and unsuccessful login attempts. Login enhancements can also be configured to block future login attempts after a set number of unsuccessful attempts are made. For more information, see the Cisco IOS Login Enhancements documentation.
  • Page 43: Controlling Switch Access With Passwords And Privilege Levels

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 44: Information About Passwords And Privilege Levels

    Related Topics: Protecting Enable and Enable Secret Passwords with Encryption, on page 24; Example: Protecting Enable and Enable Secret Passwords with Encryption, on page 35
  • Page 45: Password Recovery

    (with associated rights and privileges) to each username and password pair. Related Topics: Configuring Username and Password Pairs, on page 29
  • Page 46: Privilege Levels

    Cisco switches (and other devices) use privilege levels to provide password security for different levels of switch operation. By default, the Cisco IOS software operates in two modes (privilege levels) of password security: user EXEC (Level 1) and privileged EXEC (Level 15). You can configure up to 16 hierarchical levels of commands for each mode.
  • Page 47 When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.
  • Page 48: Protecting Enable And Enable Secret Passwords With Encryption

    • enable password [level level] {password | encryption-type encrypted-password} • enable secret [level level] {password | encryption-type encrypted-password} 4. service password-encryption 5. end 6. show running-config 7. copy running-config startup-config
  • Page 49 (Optional) Encrypts the password when the password is defined or when the configuration is written. Encryption prevents the password from being readable in the configuration file. Example: Switch(config)# service password-encryption
  • Page 50: Disabling Password Recovery

    Xmodem protocol. SUMMARY STEPS 1. enable 2. configure terminal 3. system disable password recovery switch {all | <1-9>} 4. end
  • Page 51: Setting A Telnet Password For A Terminal Line

    This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user. Example: Switch(config)# system disable password recovery switch all
  • Page 52 The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined. Example: Switch(config-line)# password abcxyz543. Step 5: Returns to privileged EXEC mode. Example: Switch(config-line)# end
  • Page 53: Configuring Username And Password Pairs

    3. username name [privilege level] {password encryption-type password} 4. Use one of the following: • line console 0 • line vty 0 15 5. login local 6. end 7. show running-config 8. copy running-config startup-config
  • Page 54 Enters line configuration mode, and configures the console port (line 0) or the VTY lines (line 0 to 15). • line console 0 • line vty 0 15 Example: Switch(config)# line console 0 Switch(config)# line vty 15
  • Page 55: Setting The Privilege Level For A Command

    Follow these steps to set the privilege level for a command: SUMMARY STEPS 1. enable 2. configure terminal 3. privilege mode level level command 4. enable password level level password 5. end 6. copy running-config startup-config
  • Page 56 Step 5: Returns to privileged EXEC mode. Example: Switch(config)# end. Step 6: copy running-config startup-config (Optional) Saves your entries in the configuration file. Example: Switch# copy running-config startup-config
  • Page 57: Changing The Default Privilege Level For Lines

    For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges. Level 15 is the level of access permitted by the enable password. Example: Switch(config)# privilege level 15
  • Page 58: Logging Into And Exiting A Privilege Level

    Logs in to a specified privilege level. For level, the range is 0 to 15. Following the example, Level 15 is privileged EXEC mode. Example: Switch> enable 15
  • Page 59: Monitoring Switch Access

    Example: Protecting Enable and Enable Secret Passwords with Encryption. This example shows how to configure the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8 for privilege level 2: Switch(config)# enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8
  • Page 60: Example: Setting A Telnet Password For A Terminal Line

    Privilege Levels, on page 22. Additional References. Error Message Decoder: To help you research and resolve system error messages in this release, use the Error Message Decoder tool. Link: https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi
  • Page 61 Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
  • Page 62 Controlling Switch Access with Passwords and Privilege Levels: Additional References
  • Page 63: Configuring TACACS+

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 64 TACACS+ Login Authentication, on page 44; Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, on page 50; TACACS+ Authorization for Privileged EXEC Access and Network Services, on page 44
  • Page 65: Information About TACACS+

    Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.
  • Page 66 TACACS+ Overview: The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers. Figure 1: Typical TACACS+ Network Configuration. TACACS+, administered through the AAA security services, can provide these services: ...
  • Page 67: TACACS+ Operation

    • Telnet, Secure Shell (SSH), rlogin, or privileged EXEC services • Connection parameters, including the host or client IP address, access list, and user timeouts. Related Topics: Prerequisites for TACACS+, on page 39
  • Page 68: Method List

    The user is granted access to a requested service only if the information in the user profile allows it.
  • Page 69: TACACS+ Accounting

    Prerequisites for TACACS+, on page 39. Identifying the TACACS+ Server Host and Setting the Authentication Key: Follow these steps to identify the TACACS+ server host and set the authentication key:
  • Page 70 (Optional) Defines the AAA server-group with a group name. This command puts the Switch in a server group subconfiguration mode. Example: Switch(config)# aaa group server tacacs+ your_server_group
  • Page 71: Configuring TACACS+ Login Authentication

    Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.4.
  • Page 72: TACACS+ Login Authentication

    • For method1..., specify the actual method the authentication algorithm tries. The additional methods of authentication are used only if the previous method returns an error, not if it fails. Select one of these methods:
  • Page 73: TACACS+ Login Authentication

    • For list-name, specify the list created with the aaa authentication login command. Example: Switch(config-line)# login authentication default. Step 7: Returns to privileged EXEC mode. Example: Switch(config-line)# end. Step 8: show running-config Verifies your entries. Example: Switch# show running-config
  • Page 74: Configuring TACACS+ Authorization For Privileged EXEC Access And Network Services

    Follow these steps to specify TACACS+ authorization for privileged EXEC access and network services: SUMMARY STEPS 1. enable 2. configure terminal 3. aaa authorization network tacacs+ 4. aaa authorization exec tacacs+ 5. end 6. show running-config 7. copy running-config startup-config
  • Page 75: TACACS+ Authorization For Privileged EXEC Access And Network Services

    Step 6: show running-config Verifies your entries. Example: Switch# show running-config. Step 7: copy running-config startup-config (Optional) Saves your entries in the configuration file. Example: Switch# copy running-config startup-config
  • Page 76: Starting TACACS+ Accounting

    Enables TACACS+ accounting to send a start-record accounting notice at the beginning of a privileged EXEC process and a stop-record at the end. Example: Switch(config)# aaa accounting exec start-stop tacacs+
  • Page 77: Establishing A Session With A Router If The AAA Server Is Unreachable

    3 minutes. To establish a console or Telnet session with the router if the AAA server is unreachable when the router reloads, use the no aaa accounting system guarantee-first command.
  • Page 78: Monitoring TACACS+

    Error Message Decoder: To help you research and resolve system error messages in this release, use the Error Message Decoder tool. Link: https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi. Standards and RFCs: Standard/RFC, Title
  • Page 79: Feature Information For TACACS+

    Cisco IOS 15.2(1)E configured for authentication, authorization, and accounting (AAA) on TACACS+ servers. The following commands were introduced or modified: ip tacacs source-interface, ip vrf forwarding (server-group), server-private (TACACS+).
  • Page 80: Feature Information For TACACS+

    Configuring TACACS+: Feature Information for TACACS+
  • Page 81: Configuring RADIUS

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 82: Restrictions For Configuring RADIUS

    PAD connections. • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication. • Networks using a variety of services. RADIUS generally binds a user to one service model.
  • Page 83: Information About RADIUS

    Enigma's security cards to validate users and to grant access to network resources. • Networks already using RADIUS. You can add a Cisco Switch containing a RADIUS client to the network. This might be the first step when you make a transition to a TACACS+ server. See Figure 2: Transitioning from RADIUS to TACACS+ Services below.
  • Page 84: RADIUS Operation

    The additional data included with the ACCEPT or REJECT packets includes these items: • Telnet, SSH, rlogin, or privileged EXEC services • Connection parameters, including the host or client IP address, access list, and user timeouts
  • Page 85: RADIUS Change Of Authorization

    • Accounting—refer to the “Starting RADIUS Accounting” section in the Configuring Switch-Based Authentication chapter in this guide. Cisco IOS software supports the RADIUS CoA extensions defined in RFC 5176 that are typically used in a push model to allow the dynamic reconfiguring of sessions from external AAA or policy servers. Per-session CoA requests are supported for session identification, session termination, host reauthentication, port shutdown, and port bounce.
  • Page 86: Change-Of-Authorization Requests

    • CoA non-acknowledgment (NAK) [CoA-NAK] The request is initiated from a CoA client (typically a RADIUS or policy server) and directed to the switch that acts as a listener.
  • Page 87: RFC 5176 Compliance

    Error-cause values: Invalid EAP Packet (Ignored); Unsupported Attribute; Missing Attribute; NAS Identification Mismatch; Invalid Request; Unsupported Service; Unsupported Extension; Invalid Attribute Value; Administratively Prohibited; Request Not Routable (Proxy); Session Context Not Found
  • Page 88: Preconditions

    • Plain IP Address (IETF attribute #8) Unless all session identification attributes included in the CoA message match the session, the switch returns a Disconnect-NAK or CoA-NAK with the "Invalid Attribute Value" error-code attribute.
  • Page 89: CoA ACK Response Code

    The attributes field is used to carry Cisco vendor-specific attributes (VSAs). For CoA requests targeted at a particular enforcement policy, the device returns a CoA-NAK with the error code "Invalid Attribute Value" if any of the above session identification attributes are included in the message.
  • Page 90: Session Reauthentication

    To initiate session authentication, the AAA server sends a standard CoA-Request message which contains a Cisco VSA in this form: Cisco:Avpair="subscriber:command=reauthenticate" and one or more session identification attributes. The current session state determines the switch response to the message. If the session is currently authenticated by IEEE 802.1x, the switch responds by sending an EAPoL (Extensible Authentication Protocol over LAN)
  • Page 91: Session Termination

    To restrict a host’s access to the network, use a CoA Request with the Cisco:Avpair="subscriber:command=disable-host-port" VSA. This command is useful when a host is known to be causing problems on the network, and you need to immediately block network access for the host. When you want to restore network access on the port, re-enable it using a non-RADIUS mechanism.
  • Page 92: CoA Request: Bounce-Port

    The switch initiates a port-bounce (disables the port for 10 seconds, then re-enables it). If the port-bounce is successful, the signal that triggered the port-bounce is removed from the standby stack master.
  • Page 93: Stacking Guidelines For CoA-Request Disable-Port

    IP address and specific UDP port numbers. The combination of the IP address and the UDP port number creates a unique identifier, allowing different ports to be individually defined as RADIUS hosts
  • Page 94: RADIUS Login Authentication

    (the combination of the IP address and UDP port number), allowing different ports to be individually defined as RADIUS hosts providing a specific AAA service. This unique identifier enables RADIUS requests to be Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX OL-29048-01...
  • Page 95: Aaa Authorization

    : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
  • Page 96 Configuring RADIUS Vendor-Specific RADIUS Attributes For example, the following AV pair causes Cisco’s “multiple named IP address pools” feature to be activated during IP authorization (during PPP’s Internet Protocol Control Protocol (IPCP) address assignment): cisco-avpair="ip:addr-pool=first" If you insert an “*”, the AV pair “ip:addr-pool=first” becomes optional. Note that any AV pair can be made optional: cisco-avpair="ip:addr-pool*first"...
  • Page 97 Contains the challenge sent by a network access server to an MS-CHAP user. It can be used in both Access-Request and Access-Challenge packets. (RFC 2548) VPDN Attributes
  • Page 98 IP header of the tunnel packet for packets entering the tunnel at the LNS. l2tp-tunnel-authen If this attribute is set, it performs L2TP tunnel authentication.
  • Page 99 True indicates that a cover page was generated; false means that a cover page was not generated.
  • Page 100 DSN has been enabled. True indicates that DSN has been enabled; false means that DSN has not been enabled. Fax-Mdn-Address Indicates the address to which MDNs will be sent.
  • Page 101 Call-Type Describes the type of fax activity: fax receive or fax send. Port-Used Indicates the slot/port number of the Cisco AS5300 used to either transmit or receive this fax-mail.
  • Page 102 (h323-call-type) Possible values are telephony and VoIP. Connect-Time (h323-connect-time) Indicates the connection time for this call leg in UTC. Disconnect-Time (h323-disconnect-time) Indicates the time this call leg was disconnected in UTC.
  • Page 103 Defines the protocol to use (PAP or CHAP) for username-password authentication following CLID authentication.
  • Page 104 Initially, it performed the functions now provided by both the send-name and remote-name attributes. Because the remote-name attribute has been added, the send-name attribute is restricted to its current behavior.
  • Page 105 RADIUS misconfiguration. (For example, dialing a valid phone number but connecting to the wrong device.) Miscellaneous Attributes
  • Page 106 Allows users to configure the downloadable user profiles (dynamic ACLs) by using the authentication proxy feature so that users can have the configured authorization to permit traffic going through the configured interfaces.
  • Page 107: Vendor-Proprietary Radius Server Communication

    RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes. As mentioned earlier, to configure RADIUS (whether vendor-proprietary or IETF draft-compliant), you must specify the host running the RADIUS server daemon and the secret text string it shares with the switch.
  • Page 108 RADIUS server to reply before resending. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration Switch(config)# radius-server host 172.29.36.49 auth-port 1612
  • Page 109 (Optional) Saves your entries in the configuration file. Example: Switch# copy running-config startup-config Related Topics RADIUS Server Host, on page 69 Defining AAA Server Groups, on page 88
  • Page 110: Configuring Radius Login Authentication

    Switch# configure terminal Step 3 aaa new-model Enables AAA. Example: Switch(config)# aaa new-model Step 4 aaa authentication login {default | list-name} method1 [method2...] Creates a login authentication method list.
  • Page 111 • If you specify default, use the default list created with the aaa authentication login command. • For list-name, specify the list created with the aaa authentication login command. Example: Switch(config)# login authentication default
  • Page 112: Defining Aaa Server Groups

    2. configure terminal 3. radius server name 4. address {ipv4 | ipv6} {ip-address | hostname} auth-port port-number acct-port port-number 5. key string 6. end 7. show running-config 8. copy running-config startup-config
  • Page 113 Switch(config-radius-server)# key cisco123 Step 6 Exits RADIUS server configuration mode and returns to privileged EXEC mode. Example: Switch(config-radius-server)# end Step 7 show running-config Verifies your entries. Example: Switch# show running-config
  • Page 114: Configuring Radius Authorization For User Privileged Access And Network Services

    5. end 6. show running-config 7. copy running-config startup-config DETAILED STEPS Command or Action Purpose Step 1 enable Enables privileged EXEC mode. Enter your password if prompted. Example: Switch> enable
  • Page 115 The aaa authorization exec radius local command sets these authorization parameters: • Use RADIUS for privileged EXEC access authorization if authentication was performed by using RADIUS. • Use the local database if authentication was not performed by using RADIUS.
  • Page 116: Starting Radius Accounting

    Enables RADIUS accounting to send a start-record accounting notice at the beginning of a privileged EXEC process and a stop-record at the end. Example: Switch(config)# aaa accounting exec start-stop radius
  • Page 117: Establishing A Session With A Router If The Aaa Server Is Unreachable

    Configuring Settings for All RADIUS Servers Beginning in privileged EXEC mode, follow these steps to configure settings for all RADIUS servers:
  • Page 118 This avoids the wait for the request to timeout before trying the next configured server. The default is 0; the range is 1 to 1440 minutes. Example: Switch(config)# radius-server deadtime
  • Page 119: Configuring The Switch To Use Vendor-Specific Radius Attributes

    3. radius-server vsa send [accounting | authentication] 4. end 5. show running-config 6. copy running-config startup-config DETAILED STEPS Command or Action Purpose Step 1 enable Enables privileged EXEC mode. Enter your password if prompted.
  • Page 120 Switch# show running-config Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file. Example: Switch# copy running-config startup-config Related Topics Vendor-Specific RADIUS Attributes, on page 71
  • Page 121: Configuring The Switch For Vendor-Proprietary Radius Server Communication

    If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.
  • Page 122: Configuring Coa On The Switch

    Switch# copy running-config startup-config Related Topics Vendor-Proprietary RADIUS Server Communication, on page 83 Configuring CoA on the Switch Follow these steps to configure CoA on a switch. This procedure is required.
  • Page 123 Configures the switch as an authentication, authorization, and accounting (AAA) server to facilitate interaction with an external policy server. Example: Switch(config)# aaa server radius dynamic-author
  • Page 124 Shutting down the port results in termination of the session. Use standard CLI or SNMP commands to re-enable the port. Example: Switch(config-sg-radius)# authentication command disable-port ignore
  • Page 125: Configuring Radius Server Load Balancing

    Configuring RADIUS Server Load Balancing This feature allows access and authentication requests to be evenly distributed across all RADIUS servers in a server group. For more information, see the “RADIUS Server Load Balancing” chapter of the Cisco IOS Security Configuration Guide, Release 12.4.
  • Page 126: Configuration Examples For Controlling Switch Access With Radius

    Switch(config)# aaa group server radius group1 Switch(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001 Switch(config-sg-radius)# exit Switch(config)# aaa group server radius group2 Switch(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001 Switch(config-sg-radius)# exit
  • Page 127: Examples: Configuring The Switch To Use Vendor-Specific Radius Attributes

    Examples: Configuring the Switch to Use Vendor-Specific RADIUS Attributes For example, this AV pair activates Cisco’s multiple named IP address pools feature during IP authorization (during PPP IPCP address assignment): cisco-avpair="ip:addr-pool=first"...
  • Page 128: Additional References

    All supported MIBs for this release. To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
  • Page 129: Feature Information For Radius

    RADIUS server can access CLID or DNIS attribute information for all incoming calls. The following commands were introduced or modified: aaa attribute, aaa user profile, and test aaa group
  • Page 130 Configuring RADIUS Feature Information for RADIUS
  • Page 131: Configuring Local Authentication And Authorization

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 132 Sets the login authentication to use the local username database. The default keyword applies the local user database authentication to all ports. Example: Switch(config)# aaa authentication login
  • Page 133 Step 8 Returns to privileged EXEC mode. Example: Switch(config)# end Step 9 show running-config Verifies your entries. Example: Switch# show running-config
  • Page 134: Monitoring Local Authentication And Authorization

    All supported MIBs for this release. To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
  • Page 135: Feature Information For Local Authentication And Authorization

    Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. Feature Information for Local Authentication and Authorization Release Feature Information Cisco IOS 15.0(2)EX This feature was introduced.
  • Page 136 Configuring Local Authentication and Authorization Feature Information for Local Authentication and Authorization
  • Page 137: Configuring Secure Shell (Ssh)

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 138: Restrictions For Configuring Secure Shell

    • A user must have appropriate authorization to use SCP. • A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
  • Page 139: Ssh And Switch Access

    The SSH server and SSH integrated client are applications that run on the switch. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client works with publicly and commercially available SSH servers. The SSH client supports the ciphers of Data Encryption Standard (DES), 3DES, and password authentication.
  • Page 140: Secure Copy Protocol Overview

    (AAA) authorization be configured so the switch can determine whether the user has the correct privilege level. To configure the Secure Copy feature, you should understand the SCP concepts. Related Topics Prerequisites for Configuring Secure Shell, on page 113
  • Page 141: How To Configure Ssh

    Configures a hostname and IP domain name for your Switch. Note: Follow this procedure only if you are configuring the Switch as an SSH server. Example: Switch(config)# hostname your_hostname
  • Page 142: Configuring The Ssh Server

    SSH Configuration Guidelines, on page 115 Configuring the Switch for Local Authentication and Authorization, on page 107 Configuring the SSH Server Follow these steps to configure the SSH server:
  • Page 143 SSH version supported by the SSH client. For example, if the SSH client supports SSHv1 and SSHv2, the SSH server selects SSHv2. Step 4 ip ssh {timeout seconds | authentication-retries number} Configures the SSH control parameters:
  • Page 144 Step 7 show running-config Verifies your entries. Example: Switch# show running-config Step 8 copy running-config startup-config (Optional) Saves your entries in the configuration file. Example: Switch# copy running-config startup-config
  • Page 145: Monitoring The Ssh Configuration And Status

    Error Message Decoder Description: To help you research and resolve system error messages in this release, use the Error Message Decoder tool. Link: https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi Standards and RFCs Standard/RFC Title
  • Page 146: Feature Information For Ssh

    SSH must be enabled. This feature also eliminates the rotary-group limitation. This feature was supported on CAT4500-X, CAT4500E-SUP6E, CAT4500E-SUP6L-E, CAT4500E-SUP7E, CAT4500E-SUP7L-E. The following command was introduced: ssh.
  • Page 147 Configuring Secure Shell (SSH) Feature Information for SSH
  • Page 148 Configuring Secure Shell (SSH) Feature Information for SSH
  • Page 149: Configuring Secure Socket Layer Http

    Internet. HTTP with SSL encryption provides a secure connection to allow such functions as configuring a switch from a Web browser. Cisco's implementation of the secure HTTP server and secure HTTP client uses an implementation of SSL Version 3.0 with application-layer encryption. HTTP over SSL is abbreviated as HTTPS;...
  • Page 150: Certificate Authority Trustpoints

    (pages) back to the HTTP secure server, which, in turn, responds to the original request. The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application.
  • Page 151: Ciphersuites

    For additional information on Certificate Authorities, see the “Configuring Certification Authority Interoperability” chapter in the Cisco IOS Security Configuration Guide, Release 12.4. CipherSuites A CipherSuite specifies the encryption algorithm and the digest algorithm to use on an SSL connection. When connecting to the HTTPS server, the client Web browser offers a list of supported CipherSuites, and the client and server negotiate the best encryption algorithm to use from those on the list that are supported by both.
  • Page 152: Default Ssl Configuration

    Before you configure a CA trustpoint, you should ensure that the system clock is set. If the clock is not set, the certificate is rejected due to an incorrect date. In a switch stack, the SSL session terminates at the stack master.
  • Page 153: How To Configure Secure Http Servers And Clients

    Specifies the IP domain name of the switch (required only if you have not previously configured an IP domain name). The domain name is required for security keys and certificates. Example: Switch(config)# ip domain-name your_domain
  • Page 154 • For name, specify the trustpoint that you just configured. Switch(ca-trustpoint)# primary your_trustpoint Step 10 exit Exits CA trustpoint configuration mode and returns to global configuration mode. Example: Switch(ca-trustpoint)# exit
  • Page 155: Configuring The Secure Http Server

    If you configure a port other than the default port, you must also specify the port number after the URL. For example: https://209.165.129:1026 https://host.domain.com:1026 Note: AES256_SHA2 is not supported.
  • Page 156 (Optional) Specifies the port number to be used for the HTTPS server. The default port number is 443. Valid options are 443 or any number in the range 1025 to 65535. Example: Switch(config)# ip http secure-port 443
  • Page 157 Switch(config)# ip http max-connections Step 11 ip http timeout-policy idle seconds life seconds requests value (Optional) Specifies how long a connection to the HTTP server can remain open under the defined circumstances:
  • Page 158: Configuring The Secure Http Client

    HTTP client fail. SUMMARY STEPS 1. configure terminal 2. ip http client secure-trustpoint name 3. ip http client secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-md5] [rc4-128-sha] [des-cbc-sha]} 4. end
  • Page 159: Monitoring Secure Http Server And Client Status

    Shows the HTTP secure client configuration. show ip http server secure status Shows the HTTP secure server configuration. show running-config Shows the generated self-signed certificate for secure HTTP connections.
  • Page 160: Additional References

    All supported MIBs for this release. To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
  • Page 161: Feature Information For Secure Socket Layer Http

    Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. Feature Information for Secure Socket Layer HTTP Release Feature Information Cisco IOS 15.0(2)EX This feature was introduced.
  • Page 162 Configuring Secure Socket Layer HTTP Feature Information for Secure Socket Layer HTTP
  • Page 163: Chapter

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 164: Restrictions For Configuring Ipv4 Access Control Lists

    • A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
  • Page 165: Information About Network Security With Acls

    Cisco TrustSec and ACLs Catalyst 3850 switches running the IP base or IP services feature set also support Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SXP). This feature supports security group access control lists (SGACLs), which define ACL policies for a group of devices instead of an IP address.
  • Page 166: Access Control Entries

    ACL is applied are filtered by the port ACL. Incoming routed IP packets received on other ports are filtered by the router ACL. Other packets are not filtered.
  • Page 167: Port Acls

    This is an example of using port ACLs to control access to a network when all workstations are in the same VLAN. ACLs applied at the Layer 2 input would allow Host A to access the Human Resources network, but
  • Page 168: Router Acls

    • Standard IP access lists use source addresses for matching operations. • Extended IP access lists use source and destination addresses and optional protocol type information for matching operations.
  • Page 169: Vlan Maps

    • Permit ACEs that check the Layer 3 information in the fragment (including protocol type, such as TCP, UDP, and so on) are considered to match the fragment regardless of what the missing Layer 4 information might have been.
  • Page 170: Aces And Fragmented And Unfragmented Traffic Examples

    Active Switch and ACL Functions The active switch performs these ACL functions: • It processes the ACL configuration and propagates the information to all stack members.
  • Page 171: Stack Member And Acl Functions

    • Extended IP access lists use source and destination addresses for matching operations and optional protocol-type information for finer granularity of control. IPv4 ACL Switch Unsupported Features Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The following ACL-related features are not supported: •...
  • Page 172: Access List Numbers

    IP ACL can be 100 to 199. The advantage of using named ACLs instead of numbered lists is that you can delete individual entries from a named list.
  • Page 173: Numbered Standard Ipv4 Acls

    • IP in IP tunneling (ipinip) • KA9Q NOS-compatible IP over IP tunneling (nos) • Open Shortest Path First routing (ospf) • Payload Compression Protocol (pcp) • Protocol-Independent Multicast (pim)
  • Page 174: Named Ipv4 Acls

    Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
  • Page 175: Smart Logging

    If there is no match clause for that type of packet, the default is to forward the packet. The following are the VLAN map configuration guidelines:
  • Page 176: Vlan Maps With Router Acls

    • Whenever possible, try to write the ACL with all entries having a single action except for the final, default action of the other type. That is, write the ACL using one of these two forms: permit... permit... permit... deny ip any any
  • Page 177: Time Ranges For Acls

    3 EtherChannel, or a routed port), the interface must have been configured with an IP address. Layer 3 access groups filter packets that are routed or are received by Layer 3 processes on the CPU. They do not affect packets bridged within a VLAN.
  • Page 178: How To Configure Acls

    Apply the ACL to interfaces or terminal lines. You can also apply standard and extended IP ACLs to VLAN maps. Creating a Numbered Standard ACL Follow these steps to create a numbered standard ACL:
  • Page 179 (Optional) Enter log to cause an informational logging message about the packet that matches the entry to be sent to the console. Note: Logging is supported only on ACLs attached to Layer 3 interfaces.
  • Page 180: Creating A Numbered Extended Acl

    (Optional) Saves your entries in the configuration file. Example: Switch# copy running-config startup-config Related Topics Configuring VLAN Maps, on page 172 Creating a Numbered Extended ACL Follow these steps to create a numbered extended ACL:
  • Page 181 The source-wildcard applies wildcard bits to the source. The destination is the network or host number to which the packet is sent. The destination-wildcard applies wildcard bits to the destination.
  • Page 182 • flag—Enter one of these flags to match by the specified TCP header bits: ack (acknowledge), fin (finish), psh (push), rst (reset), syn (synchronize), or urg (urgent).
  • Page 183 [dscp dscp] Example: Switch(config)# access-list 101 permit igmp any any 14 Step 7 Returns to privileged EXEC mode. Example: Switch(config)# end
  • Page 184: Creating Named Standard Acls

    • deny {source [source-wildcard] | host source | any} [log] In access-list configuration mode, specify one or more conditions denied or permitted to decide if the packet is forwarded or dropped.
  • Page 185: Creating Extended Named Acls

    (Optional) Saves your entries in the configuration file. Example: Switch# copy running-config startup-config Creating Extended Named ACLs Follow these steps to create an extended ACL using names:
  • Page 186 • host destination—A destination and destination wildcard of destination 0.0.0.0. • any—A source and source wildcard or destination and destination wildcard of 0.0.0.0 255.255.255.255. Switch(config-ext-nacl)# permit 0 any any
  • Page 187: Configuring Time Ranges For Acls

    After creating a named ACL, you can apply it to interfaces or to VLANs. Configuring Time Ranges for ACLs Follow these steps to configure a time-range parameter for an ACL:
  • Page 188 [day-of-the-week] hh:mm • periodic {weekdays | weekend | daily} hh:mm to hh:mm • You can enter multiple periodic statements. For example, you could configure different hours for weekdays and weekends.
  • Page 189: Applying An Ipv4 Acl To A Terminal Line

    You must set identical restrictions on all the virtual terminal lines because a user can attempt to connect to any of them. Follow these steps to restrict incoming and outgoing connections between a virtual terminal line and the addresses in an ACL: Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX OL-29048-01...
  • Page 190 Restricts incoming and outgoing connections between a particular virtual terminal line (into a device) and the addresses in an access list. Example: Switch(config-line)# access-class 10 in Step 5 Returns to privileged EXEC mode. Example: Switch(config-line)# end
  • Page 191: Applying An Ipv4 Acl To An Interface

    Identifies a specific interface for configuration, and enters interface configuration mode. The interface can be a Layer 2 interface (port ACL) or a Layer 3 interface (router ACL). Example: Switch(config)# interface gigabitethernet1/0/1
  • Page 192: Creating Named Mac Extended Acls

    You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs. Follow these steps to create a named MAC extended ACL:
  • Page 193 Ethernet II or SNAP encapsulation in decimal, hexadecimal, or octal with optional mask of don’t care bits applied to the EtherType before testing for a match. Example: Switch(config-ext-macl)# deny any any
  • Page 194: Applying A Mac Acl To A Layer 2 Interface

    Configuring VLAN Maps, on page 172 Applying a MAC ACL to a Layer 2 Interface Follow these steps to apply a MAC access list to control access to a Layer 2 interface:
  • Page 195 MAC access list. Port ACLs are supported in the outbound and inbound directions. Example: Switch(config-if)# mac access-group mac1 in Step 5 Returns to privileged EXEC mode. Example: Switch(config-if)# end
  • Page 196: Configuring Vlan Maps

    To create a VLAN map and apply it to one or more VLANs, perform these steps: Before You Begin Create the standard or extended IPv4 ACLs or named MAC extended ACLs that you want to apply to the VLAN.
  • Page 197 Sets the action for the map entry. specify an IP packet or a non-IP packet (with only a known MAC address) and to match the packet against one or more ACLs (standard or extended):
  • Page 198: Creating A Vlan Map

    2. vlan access-map name [number] 3. match {ip | mac} address {name | number} [name | number] 4. action {drop | forward} 5. end 6. show running-config 7. copy running-config startup-config
  • Page 199 (Optional) Sets the action for the map entry. The default is to forward. Example: Switch(config-access-map)# action forward Step 5 Returns to global configuration mode. Example: Switch(config-access-map)# end Step 6 show running-config Displays the access list configuration. Example: Switch# show running-config
  • Page 200: Applying A Vlan Map To A Vlan

    Step 2 configure terminal Enters the global configuration mode. Example: Switch# configure terminal Step 3 vlan filter mapname vlan-list list Applies the VLAN map to one or more VLAN IDs.
  • Page 201: Configuring Vacl Logging

    Beginning in privileged EXEC mode: SUMMARY STEPS 1. configure terminal 2. vlan access-map name [number] 3. action drop log 4. exit 5. vlan access-log {maxflow max_number | threshold pkt_count} 6. end
  • Page 202 5-minute interval. The threshold range is from 0 to 2147483647. The default threshold is 0, which means that a syslog message is generated every 5 minutes.
  • Page 203: Monitoring Ipv4 Acls

    [interface interface-id] Displays MAC access lists applied to all Layer 2 interfaces or the specified Layer 2 interface.
  • Page 204: Configuration Examples For Acls

    To include a comment for IP numbered standard or extended ACLs, use the access-list access-list number remark remark global configuration command. To remove the remark, use the no form of this command.
  • Page 205: Examples: Troubleshooting Acls

    • Move the fourth ACE before the first ACE by using the ip access-list resequence global configuration command: permit tcp source source-wildcard destination destination-wildcard permit tcp source source-wildcard destination destination-wildcard range 5 60
  • Page 206: Ipv4 Acl Configuration Examples

    This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.4 and the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.4.
  • Page 207: Examples: Acls In A Small Networked Office

    128.88.1.2. The third line permits incoming ICMP messages for error feedback. Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 gt 1023 Switch(config)# access-list 102 permit tcp any host 128.88.1.2 eq 25
  • Page 208: Examples: Named Acls

    Switch(config-ext-nacl)# permit tcp any 171.69.0.0 0.0.255.255 eq telnet Switch(config-ext-nacl)# deny tcp any any Switch(config-ext-nacl)# permit icmp any any Switch(config-ext-nacl)# deny udp any 171.69.0.0 0.0.255.255 lt 1024 Switch(config-ext-nacl)# deny ip any any log Switch(config-ext-nacl)# exit
  • Page 209: Examples: Time Range Applied To An Ip Acl

    Switch(config)# access-list 100 deny host 171.69.3.13 any eq www In this example of a named ACL, the Jones subnet is not allowed access: Switch(config)# ip access-list standard prevention Switch(config-std-nacl)# remark Do not allow Jones subnet through
  • Page 210: Examples: Acl Logging

    Note that all logging entries for IP ACLs start with %SEC-6-IPACCESSLOG with minor variations in format depending on the kind of ACL and the access entry that has been matched.
  • Page 211: Configuration Examples For Acls And Vlan Maps

    MAC packets. Used with standard ACL 101 and extended named access lists igmp-match and tcp-match, the map will have the following results: • Forward all UDP packets • Drop all IGMP packets • Forward all TCP packets
  • Page 212: Example: Default Action Of Dropping Mac Packets And Forwarding Ip Packets

    Examples 2 and 3, the map will have the following results: • Forward all TCP packets • Forward MAC packets from hosts 0000.0c00.0111 and 0000.0c00.0211
  • Page 213: Configuration Examples For Using Vlan Maps In Your Network

    First, define the IP access list http that permits (matches) any TCP traffic on the HTTP port. Switch(config)# ip access-list extended http Switch(config-ext-nacl)# permit tcp host 10.1.1.32 host 10.1.1.34 eq www
  • Page 214: Example: Restricting Access To A Server On Another Vlan

    1 that denies access to hosts in subnet 10.1.2.0.8, host 10.1.1.4, and host 10.1.1.8 and permits other IP traffic. The final step is to apply the map SERVER1 to VLAN 10.
  • Page 215: Configuration Examples Of Router Acls And Vlan Maps Applied To Vlans

    This example shows how an ACL is applied on packets that are switched within a VLAN. Packets switched within the VLAN without being routed or forwarded by fallback bridging are only subject to the VLAN map of the input VLAN.
  • Page 216: Example: Acls And Bridged Packets

    This example shows how an ACL is applied on fallback-bridged packets. For bridged packets, only Layer 2 ACLs are applied to the input VLAN. Only non-IP, non-ARP packets can be fallback-bridged. Figure 10: Applying ACLs on Bridged Packets
  • Page 217: Example: Acls And Routed Packets

    VLANs and not in others. A copy of the packet is forwarded to those destinations where it is permitted. However, if the input VLAN map drops the packet, no destination receives a copy of the packet.
  • Page 218: Additional References

    Cisco IOS XE Release 3SE (Catalyst 3850 Switches) http://www.cisco.com/en/US/docs/ios-xml/ios/security/config_library/xe-3se/3850/secdata-xe-3se-3850-library.html Error Message Decoder Description Link To help you research and resolve system error messages in this release, use the Error Message Decoder tool. https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi
  • Page 219: Feature Information For Ipv4 Access Control Lists

  • Page 220 The following commands were introduced or modified: deny (IP), ip access-list resequence deny (IP), permit (IP).
  • Page 221: Configuring Ipv6 Acls

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 222: Switch Stacks And Ipv6 Acls

    • You cannot use MAC ACLs to filter IPv6 frames. MAC ACLs can only filter non-IP frames. • If the hardware memory is full, packets are dropped on the interface and an unload error message is logged.
  • Page 223: Restrictions For Ipv6 Acls

    With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs. The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions: • The switch does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.
  • Page 224: Configuring Ipv6 Acls

    9. show ipv6 access-list 10. show running-config 11. copy running-config startup-config DETAILED STEPS Command or Action Purpose Step 1 enable Enables privileged EXEC mode. Enter your password if prompted. Example: Switch> enable
  • Page 225 • (Optional) Enter log to cause a logging message to be sent to the console about the packet that matches the entry. Enter log-input to
  • Page 226 {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator [port-number]] [icmp-type [icmp-code] | IP protocols in Step 1, with the addition of the ICMP message type and code parameters. These optional keywords have these meanings:
  • Page 227: Attaching An Ipv6 Acl To An Interface

    You can apply an ACL to outbound or inbound traffic on Layer 3 interfaces, or to inbound traffic on Layer 2 interfaces. You can also apply ACLs only to inbound management traffic on Layer 3 interfaces. Follow these steps to control access to an interface:
  • Page 228 Apply the access list to incoming or outgoing traffic on the interface. Note: The out keyword is not supported for Layer 2 interfaces (port ACLs). Step 7 Returns to privileged EXEC mode. Example: Switch(config)# end
  • Page 229: Monitoring Ipv6 Acls

    (15 matches) sequence 20 permit udp any any sequence 30 IPv6 access list outbound deny udp any any sequence 10 deny tcp any any eq telnet sequence 20
  • Page 230: Additional References

    All supported MIBs for this release. To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
  • Page 231 Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
  • Page 232 Configuring IPv6 ACLs Additional References
  • Page 233: Chapter 12 Configuring Dhcp

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 234: Dhcp Snooping

    DHCP option-82 information, the switch drops packets with option-82 information when packets are received on an untrusted interface. If DHCP snooping is enabled and packets are received on a trusted
  • Page 235: Option-82 Data Insertion

    IP addresses to subscribers connected to the switch at the access layer. Because the DHCP clients and their associated DHCP server do not reside on the same IP network or subnet, a DHCP relay agent (the Catalyst
  • Page 236 (see the illustration, Suboption Packet Formats): • Circuit-ID suboption fields ◦ Suboption type ◦ Length of the suboption type ◦ Circuit-ID type ◦ Length of the circuit-ID type
  • Page 237 The values for these fields in the packets change from the default values when you configure the remote-ID and circuit-ID suboptions: • Circuit-ID suboption fields ◦ The circuit-ID type is 1.
  • Page 238: Cisco Ios Dhcp Server Database

    It has IP addresses, address bindings, and configuration parameters, such as the boot file. An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool.
  • Page 239 • An entry has an expired lease time (the switch might not remove a binding entry when the lease time expires). • The interface in the entry no longer exists on the system. • The interface is a routed interface or a DHCP snooping-trusted interface.
  • Page 240: Dhcp Snooping And Switch Stacks

    DHCP snooping option to accept packets on untrusted input interfaces: Disabled. DHCP snooping limit rate: None configured. DHCP snooping trust: Untrusted. DHCP snooping VLAN: Disabled. DHCP snooping MAC address verification: Enabled.
  • Page 241: Dhcp Snooping Configuration Guidelines

    The switch can act as a DHCP server. For procedures to configure the switch as a DHCP server, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.4. DHCP Server and Switch Stacks The DHCP binding database is managed on the stack master.
  • Page 242: Configuring The Dhcp Relay Agent

    By default, this feature is enabled. Example: Switch(config)# service dhcp Step 4 Returns to privileged EXEC mode. Example: Switch(config)# end Step 5 show running-config Verifies your entries. Example: Switch# show running-config
  • Page 243: Specifying The Packet Forwarding Address

    Example: Switch# copy running-config startup-config What to Do Next See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.4 for these procedures: • Checking (validating) the relay agent information •...
  • Page 244 DHCP clients, and enters interface range configuration mode. • interface range port-range • interface interface-id Configures a single physical port that is connected to the DHCP client, and enters interface configuration mode. Example: Switch(config)# interface gigabitethernet1/0/2
  • Page 245: Prerequisites For Configuring Dhcp Snooping And Option 82

    • For DHCP snooping to function properly, all DHCP servers must be connected to the switch through trusted interfaces. In a service-provider network, a trusted interface is connected to a port on a device in the same network.
  • Page 246: Enabling Dhcp Snooping And Option 82

    Configuring DHCP Enabling DHCP Snooping and Option 82 • You must configure the switch to use the Cisco IOS DHCP server binding database to use it for DHCP snooping. • To use the DHCP snooping option of accepting packets on untrusted inputs, the switch must be an aggregation switch that receives packets with option-82 information from an edge switch.
  • Page 247 IDs separated by hyphens, or a range of VLAN IDs separated by entering the starting and ending VLAN IDs separated by a space. Example: Switch(config)# ip dhcp snooping vlan
  • Page 248 1 information option format-type circuit-id override string ovrride2 (Optional) Use the override keyword when you do not want the circuit-ID suboption inserted in TLV format to define subscriber information.
  • Page 249 Step 15 show running-config Verifies your entries. Example: Switch# show running-config Step 16 (Optional) Saves your entries in the configuration file. copy running-config startup-config Example: Switch# copy running-config startup-config
  • Page 250: Enabling The Cisco Ios Dhcp Server Database

    Enabling the Cisco IOS DHCP Server Database For procedures to enable and configure the Cisco IOS DHCP server database, see the “DHCP Configuration Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide, Release 12.4 Monitoring DHCP Snooping Information...
  • Page 251: Default Port-Based Address Allocation Configuration

    In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP to the attached device. The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and not a third-party server.
  • Page 252 The range is from 15 to 86400 seconds. The default is 300 seconds (5 minutes). Example: Switch(config)# ip dhcp snooping database write-delay 15 Step 6 Returns to privileged EXEC mode. Example: Switch(config)# end
  • Page 253: Enabling Dhcp Server Port-Based Address Allocation

    3. ip dhcp use subscriber-id client-id 4. ip dhcp subscriber-id interface-name 5. interface interface-id 6. ip dhcp server use subscriber-id client-id 7. end 8. show running-config 9. copy running-config startup-config
  • Page 254 Example: Switch(config-if)# ip dhcp server use subscriber-id client-id Step 7 Returns to privileged EXEC mode. Example: Switch(config)# end Step 8 show running-config Verifies your entries. Example: Switch# show running-config
  • Page 255: Monitoring Dhcp Server Port-Based Address Allocation

    Displays address bindings on the Cisco IOS DHCP server. Additional References Related Documents Related Topic Document Title DHCP Configuration Information and Procedures IP Addressing: DHCP Configuration Guide, Cisco IOS XE Release 3S http://www.cisco.com/en/US/docs/ios-xml/ios/ipaddr_dhcp/configuration/xe-3s/dhcp-xe-3s-book.html
  • Page 256: Feature Information For Dhcp Snooping And Option 82

    Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. Feature Information for DHCP Snooping and Option 82 Release Feature Information Cisco IOS 15.0(2)EX This feature was introduced.
  • Page 257 • show ip dhcp snooping statistics user EXEC command for displaying DHCP snooping statistics. • clear ip dhcp snooping statistics privileged EXEC command for clearing the snooping statistics counters.
  • Page 258 Configuring DHCP Feature Information for DHCP Snooping and Option 82
  • Page 259: Chapter 13 Configuring Ip Source Guard

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 260: Ip Source Guard For Static Hosts

    DHCP and static hosts. For example, bindings are stored in both the device tracking database as well as in the DHCP snooping binding database.
  • Page 261: Ip Source Guard Configuration Guidelines

    To remove the binding from the running configuration, you must disable IP source guard before entering the no switch provision command. The configuration is also removed if the switch reloads while the interface is removed from the binding table.
  • Page 262: How To Configure Ip Source Guard

    [mac-check] Enables IP source guard with source IP address filtering. (Optional) mac-check—Enables IP Source Guard with source IP address and MAC address filtering. Example: Switch(config-if)# ip verify source
  • Page 263: Configuring Ip Source Guard For Static Hosts On A Layer 2 Access Port

    IPSG for static hosts to work. If you only configure this command on a port without enabling IP device tracking globally or by setting an IP device tracking maximum on that interface, IPSG with static hosts rejects all the IP traffic from that interface.
  • Page 264 Switch(config)# ip device tracking Step 4 interface interface-id Enters interface configuration mode. Example: Switch(config)# interface gigabitethernet 1/0/1 Step 5 switchport mode access Configures a port as access. Example: Switch(config-if)# switchport mode access
  • Page 265: Monitoring Ip Source Guard

    | ip ip-address | mac imac-address} Displays information about the entries in the IP device tracking table. Table 23: Interface Configuration Commands Command Purpose ip verify source tracking Verifies the data source.
  • Page 266: Additional References

    Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
  • Page 267: Finding Feature Information

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 268: Configuring Dynamic Arp Inspection

    VLANs. You also can use the ip arp inspection limit none interface configuration command to make the rate unlimited. A high rate-limit on one VLAN can cause a denial-of-service attack to other VLANs when the software places the port in the error-disabled state.
  • Page 269: Understanding Dynamic Arp Inspection

    ARP packets with invalid IP-to-MAC address bindings. This capability protects the network from certain man-in-the-middle attacks. Dynamic ARP inspection ensures that only valid ARP requests and responses are relayed. The switch performs these activities:
  • Page 270: Interface Trust States And Network Security

    VLAN that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to Switch A, only Switch A binds the IP-to-MAC address of Host 1. Therefore, if the interface
  • Page 271: Rate Limiting Of Arp Packets

    The port remains in that state until you intervene. You can use the errdisable recovery global configuration command to enable error disable recovery so that ports automatically emerge from this state after a specified timeout period.
  • Page 272: Relative Priority Of Arp Acls And Dhcp Snooping Entries

    The rate is unlimited on all trusted interfaces. The burst interval is 1 second. ARP ACLs for non-DHCP environments: No ARP ACLs are defined. Validation checks: No checks are performed.
  • Page 273: Relative Priority Of Arp Acls And Dhcp Snooping Entries

    A) you must separate Switch A from Switch B at Layer 3 and use a router to route packets between them. Follow these steps to configure an ARP ACL on Switch A. This procedure is required in non-DHCP environments.
  • Page 274 sender-mac Permits ARP packets from the specified host (Host 2). • For sender-ip, enter the IP address of Host 2. • For sender-mac, enter the MAC address of Host 2.
  • Page 275 Returns to privileged EXEC mode. Step 10 Use the following show commands: Verifies your entries. • show arp access-list acl-name • show ip arp inspection vlan vlan-range • show ip arp inspection interfaces
  • Page 276: Configuring Dynamic Arp Inspection In Dhcp Environments

    ARP packets that have dynamically assigned IP addresses. Follow these steps to configure dynamic ARP inspection. You must perform this procedure on both switches. This procedure is required.
  • Page 277 VLANs separated by a hyphen, or a series of VLANs separated by a comma. The range is 1 to 4094. Specify the same VLAN ID for both switches. Example: Switch(config)# ip arp inspection vlan 1
  • Page 278 show ip arp inspection statistics vlan vlan-range Checks the dynamic ARP inspection statistics on the VLAN. Example: Switch(config-if)# show ip arp inspection statistics vlan 1 Step 12 configure terminal Enters the global configuration mode. Example: Switch# configure terminal
  • Page 279: Limiting The Rate Of Incoming Arp Packets

    If you enter the no ip arp inspection limit interface configuration command, the interface reverts to its default rate limit. Follow these steps to limit the rate of incoming ARP packets. This procedure is optional.
  • Page 280 The burst interval is 1 second. The keywords have these meanings: • For rate pps, specify an upper limit for the number of incoming packets processed per second. The range is 0 to 2048 pps.
  • Page 281: Performing Dynamic Arp Inspection Validation Checks

    You can configure the switch to perform additional checks on the destination MAC address, the sender and target IP addresses, and the source MAC address. Follow these steps to perform specific checks on incoming ARP packets. This procedure is optional.
  • Page 282 IP validation only, the src and dst mac validations are disabled as a result of the second command.
  • Page 283: Monitoring Dai

    ACL or DHCP permitted packets for each packet that is denied by source MAC, destination MAC, or IP validation checks, and the switch increments the appropriate.
  • Page 284: Verifying The Dai Configuration

    All supported MIBs for this release. To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
  • Page 285 Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
  • Page 286 Configuring Dynamic ARP Inspection Additional References
  • Page 287: Chapter 1 5 Configuring Ieee 802.1X Port-Based Authentication

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 288: Port-Based Authentication Process

    Until the client is authenticated, 802.1x access control allows only Extensible Authentication Protocol over LAN (EAPOL), Cisco Discovery Protocol (CDP), and Spanning Tree Protocol (STP) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.
  • Page 289 When the ReAuthenticate action is set (the attribute value is RADIUS-Request), the session is not affected during re-authentication. • You manually re-authenticate the client by entering the dot1x re-authenticate interface interface-id privileged EXEC command.
  • Page 290: Port-Based Authentication Initiation And Message Exchange

    The specific exchange of EAP frames depends on the authentication method being used. This figure shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server. Figure 19: Message Exchange
  • Page 291 Ethernet packet, the switch stops the MAC authentication bypass process and starts 802.1x authentication. This figure shows the message exchange during MAC authentication bypass. Figure 20: Message Exchange During MAC Authentication Bypass
  • Page 292: Authentication Manager For Port-Based Authentication

    Filter-Id attribute Filter-Id attribute Filter-Id attribute Filter-Id attribute Downloadable Downloadable Downloadable Downloadable 5 Supported in Cisco IOS Release 12.2(50)SE and later. 6 For clients that do not support 802.1x authentication.
  • Page 293: Per-User Acls And Filter-Ids

    • The no dot1x logging verbose global configuration command filters 802.1x authentication verbose messages. • The no mab logging verbose global configuration command filters MAC authentication bypass (MAB) verbose messages.
  • Page 294: Ports In Authorized And Unauthorized States

    The port starts in the unauthorized state. While in this state, the port that is not configured as a voice VLAN port disallows all ingress and egress traffic except for 802.1x authentication, CDP, and STP packets.
  • Page 295: Port-Based Authentication And Switch Stacks

    802.1x authentication process continues as usual. If IP connectivity to the RADIUS server is interrupted because the switch that was connected to the server is removed or fails, these events occur:
  • Page 296: 802.1X Host Mode

    The switch supports multidomain authentication (MDA), which allows both a data device and a voice device, such as an IP Phone (Cisco or non-Cisco), to connect to the same switch port.
  • Page 297: 802.1X Multiple Authentication Mode

    VLANs assigned to the clients on the port that has a single configured access VLAN. The port configured as an access port where the traffic for all the VLANs associated with data domain is not dot1q tagged, and these VLANs are treated as native VLANs.
  • Page 298: Limitation In Multi-Auth Per User Vlan Assignment

    In the Multi-auth Per User VLAN assignment feature, egress traffic from multiple VLANs is untagged on a port where the hosts receive traffic that is not meant for them. This can be a problem with broadcast and multicast traffic.
  • Page 299: Mac Move

    This feature does not apply to ports in multi-auth mode, because violations are not triggered in that mode. It does not apply to ports in multiple host mode, because in that mode, only the first host requires authentication.
  • Page 300: 802.1X Accounting

    • STOP–sent when a session terminates. You can view the AV pairs that are being sent by the switch by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.4.
  • Page 301: 802.1X Readiness Check

    802.1x-capable. You use an alternate authentication such as MAC authentication bypass or web authentication for the devices that do not support 802.1x functionality.
  • Page 302: Switch-To-Radius-Server Communication

    Voice device authentication is supported with multidomain host mode in Cisco IOS Release 12.2(37)SE. In Cisco IOS Release 12.2(40)SE and later, when a voice device is authorized and the RADIUS server returned an authorized VLAN, the voice VLAN on the port is configured to send and receive packets on the assigned voice VLAN.
  • Page 303 • Assign vendor-specific tunnel attributes in the RADIUS server. The RADIUS server must return these attributes to the switch: ◦ [64] Tunnel-Type = VLAN ◦ [65] Tunnel-Medium-Type = 802 ◦ [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID ◦ [83] Tunnel-Preference
  • Page 304: 802.1X Authentication With Per-User Acls

    If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
  • Page 305: 802.1X Authentication With Downloadable Acls And Redirect Urls

    Beginning with Cisco IOS Release 12.2(55)SE, if there is no static ACL on a port, a dynamic auth-default ACL is created, and policies are enforced before dACLs are downloaded and applied.
  • Page 306: Cisco Secure Acs And Attribute-Value Pairs For The Redirect Url

    The switch then forwards the client web browser to the specified redirect address. The url-redirect AV pair on the Cisco Secure ACS contains the URL to which the web browser is redirected. The url-redirect-acl attribute value pair contains the name or number of an ACL that specifies the HTTP or HTTPS traffic to redirect.
  • Page 307: Vlan Id-Based Mac Authentication

    If the default ACL is configured on the switch and the Cisco Secure ACS sends a host-access-policy to the switch, it applies the policy to traffic from the host connected to a switch port. If the policy does not apply, the switch applies the default ACL.
  • Page 308: 802.1X Authentication With Restricted Vlan

    RADIUS server replies with either an EAP failure or an empty response without an EAP packet. When the port moves into the restricted VLAN, the failed attempt counter resets.
  • Page 309: 802.1X Authentication With Inaccessible Authentication Bypass

    When a new host tries to connect to the critical port, that port is reinitialized and all the connected hosts are moved to the user-specified access VLAN. This command is supported on all host modes.
  • Page 310: Inaccessible Authentication Bypass Authentication Results

    RADIUS-configured or user-specified access VLAN and the voice VLAN must be different. • Remote Switched Port Analyzer (RSPAN)—Do not configure an RSPAN VLAN as the RADIUS-configured or user-specified access VLAN for inaccessible authentication bypass.
  • Page 311: 802.1X Critical Voice Vlan

    You can configure 802.1x user distribution to load-balance users with the same group name across multiple different VLANs. The VLANs are either supplied by the RADIUS server or configured through the switch CLI under a VLAN group name.
  • Page 312: 802.1X User Distribution Configuration Guidelines

    A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it.
  • Page 313: Ieee 802.1X Authentication With Port Security

    Note If you enable IEEE 802.1x authentication on an access port on which a voice VLAN is configured and to which a Cisco IP Phone is connected, the Cisco IP phone loses connectivity to the switch for up to 30 seconds.
  • Page 314: Ieee 802.1X Authentication With Mac Authentication Bypass

    VLAN if one is configured. • Restricted VLAN—This feature is not supported when the client connected to an IEEE 802.1x port is authenticated with MAC authentication bypass. • Port security • Voice VLAN
  • Page 315: Network Admission Control Layer 2 Ieee 802.1X Validation

    MAB when NEAT is enabled on an interface, and you cannot enable NEAT when MAB is enabled on an interface. Cisco IOS Release 12.2(55)SE and later supports filtering of verbose MAB system messages Network Admission Control Layer 2 IEEE 802.1x Validation The switch supports the Network Admission Control (NAC) Layer 2 IEEE 802.1x validation, which checks...
  • Page 316: Open1X Authentication

    The switch supports multidomain authentication (MDA), which allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.
  • Page 317 • If more than one device attempts authorization on either the voice or the data domain of a port, it is error disabled. • Until a device is authorized, the port drops its traffic. Non-Cisco IP phones or voice devices are allowed into both the data and voice VLANs. The data VLAN allows the voice device to contact a DHCP server to obtain an IP address and acquire the voice VLAN information.
  • Page 318: Limiting Login For Users

    Spanning Tree Protocol (STP) bridge protocol data unit (BPDU) packets before the supplicant switch has authenticated. Beginning with Cisco IOS Release 15.0(1)SE, you can control traffic exiting the supplicant port during the authentication period. Entering...
  • Page 319: Voice Aware 802.1X Security

    • Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing user traffic from multiple VLANs coming from supplicant switches. Configure the cisco-av-pair as device-traffic-class=switch at the ACS. (You can configure this under the group or the user settings.)
  • Page 320: Common Session Id

    The ID appears automatically. No configuration is required. How to Configure 802.1x Port-Based Authentication Default 802.1x Authentication Configuration Table 27: Default 802.1x Authentication Configuration Feature Default Setting Switch 802.1x enable state Disabled.
  • Page 321 30 seconds (when relaying a request from the authentication server to the client, the amount of time the switch waits for a response before resending the request to the client.)
  • Page 322: 802.1X Authentication Configuration Guidelines

    ◦EtherChannel port—Do not configure a port that is an active or a not-yet-active member of an EtherChannel as an 802.1x port. If you try to enable 802.1x authentication on an EtherChannel port, an error message appears, and 802.1x authentication is not enabled.
  • Page 323: Vlan Assignment, Guest Vlan, Restricted Vlan, And Inaccessible Authentication Bypass

    EtherChannel configuration from the interfaces on which 802.1x authentication and EtherChannel are configured. • Cisco IOS Release 12.2(55)SE and later supports filtering of system messages related to 802.1x authentication. VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass...
  • Page 324: Mac Authentication Bypass

    This is the maximum number of devices allowed on an 802.1x-enabled port: • In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN.
  • Page 325 Purpose Step 1 enable Enables privileged EXEC mode. Enter your password if prompted. Example: Switch> enable Step 2 configure terminal Enters the global configuration mode. Example: Switch# configure terminal
  • Page 326: Configuring Voice Aware 802.1X Security

    VLAN. The traffic on the voice VLAN flows through the switch without interruption. Follow these guidelines to configure voice aware 802.1x voice security on the switch:
  • Page 327 • For interface-id specify the port on which to reenable individual VLANs. • (Optional) For vlan-list specify a list of VLANs to be re-enabled. If vlan-list is not specified, all VLANs are re-enabled.
  • Page 328: Configuring 802.1X Violation Modes

    1. configure terminal 2. aaa new-model 3. aaa authentication dot1x {default} method1 4. interface interface-id 5. switchport mode access 6. authentication violation {shutdown | restrict | protect | replace} 7. end
  • Page 329 Example: Switch(config-if)# authentication violation restrict • protect–Drop packets from any new device that sends traffic to the port. • replace–Removes the current session and authenticates with the new host.
  • Page 330: Configuring 802.1X Authentication

    VLAN assignment is enabled, as appropriate, based on the RADIUS server configuration. Step 4 The switch sends a start message to an accounting server. Step 5 Re-authentication is performed, as necessary.
  • Page 331: Configuring 802.1X Port-Based Authentication

    Enters the global configuration mode. Example: Switch# configure terminal Step 2 aaa new-model Enables AAA. Example: Switch(config)# aaa new-model Step 3 aaa authentication dot1x {default} method1 Creates an 802.1x authentication method list.
  • Page 332 Step 8 interface interface-id Specifies the port connected to the client that is to be enabled for IEEE 802.1x authentication, and enter interface configuration mode. Example: Switch(config)# interface gigabitethernet1/0/2
  • Page 333: Configuring The Switch-To-Radius-Server Communication

    You must enable authentication, authorization, and accounting (AAA) and specify the authentication method list. A method list describes the sequence and authentication method to be queried to authenticate a user.
  • Page 334 This key must match the encryption used on the RADIUS daemon. If you want to use multiple RADIUS servers, re-enter this command. Step 4 Returns to privileged EXEC mode. Example: Switch(config)# end
  • Page 335: Configuring The Host Mode

    IEEE 802.1x-authorized port that has the authentication port-control interface configuration command set to auto. Use the multi-domain keyword to configure and enable multidomain authentication (MDA), which allows both a host and a voice device, such as an IP phone (Cisco or non-Cisco), on the same switch port. This procedure is optional.
  • Page 336: Configuring Periodic Re-Authentication

    Enters the global configuration mode. Example: Switch# configure terminal Step 2 interface interface-id Specifies the port to be configured, and enter interface configuration mode. Example: Switch(config)# interface gigabitethernet2/0/1
  • Page 337: Changing The Quiet Period

    Beginning in privileged EXEC mode, follow these steps to change the quiet period. This procedure is optional. SUMMARY STEPS 1. configure terminal 2. interface interface-id 3. authentication timer inactivity seconds 4. end 5. show authentication sessions interface interface-id 6. copy running-config startup-config
  • Page 338: Changing The Switch-To-Client Retransmission Time

    The client responds to the EAP-request/identity frame from the switch with an EAP-response/identity frame. If the switch does not receive this response, it waits a set period of time (known as the retransmission time) and then resends the frame.
  • Page 339 Switch(config-if)# authentication timer reauthenticate 60 Step 4 Returns to privileged EXEC mode. Example: Switch(config-if)# end Step 5 show authentication sessions interface interface-id Verifies your entries. Example: Switch# show authentication sessions interface
  • Page 340: Setting The Switch-To-Client Frame-Retransmission Number

    Enters the global configuration mode. Example: Switch# configure terminal Step 2 interface interface-id Specifies the port to be configured, and enter interface configuration mode. Example: Switch(config)# interface
  • Page 341: Setting The Re-Authentication Number

    Beginning in privileged EXEC mode, follow these steps to set the re-authentication number. This procedure is optional. SUMMARY STEPS 1. configure terminal 2. interface interface-id 3. switchport mode access 4. dot1x max-req count 5. end
  • Page 342: Enabling Mac Move

    MAC move allows an authenticated host to move from one port on the switch to another. Beginning in privileged EXEC mode, follow these steps to globally enable MAC move on the switch. This procedure is optional.
  • Page 343: Enabling Mac Replace

    (Optional) Saves your entries in the configuration file. Example: Switch# copy running-config startup-config Enabling MAC Replace MAC replace allows a host to replace an authenticated host on a port.
  • Page 344 • restrict: violating packets are dropped by the CPU and a system message is generated. • shutdown: the port is error disabled when it receives an unexpected MAC address. Step 4 Returns to privileged EXEC mode. Example: Switch(config-if)# end
  • Page 345: Configuring 802.1X Accounting

    RADIUS Accounting” in your RADIUS server System Configuration tab. Beginning in privileged EXEC mode, follow these steps to configure 802.1x accounting after AAA is enabled on your switch. This procedure is optional.
  • Page 346 RADIUS servers) and generates system accounting reload event messages when the switch reloads. Example: Switch(config-if)# aaa accounting system default start-stop group radius Step 5 Returns to privileged EXEC mode. Example: Switch(config-if)# end
  • Page 347: Configuring A Guest Vlan

    4. authentication event no-response action authorize vlan vlan-id 5. end DETAILED STEPS Command or Action Purpose Step 1 configure terminal Enters the global configuration mode. Example: Switch# configure terminal
  • Page 348: Configuring A Restricted Vlan

    VLAN when the authentication server does not receive a valid username and password. The switch supports restricted VLANs only in single-host mode. Beginning in privileged EXEC mode, follow these steps to configure a restricted VLAN. This procedure is optional.
  • Page 349 • Configures the Layer 2 port as a private-VLAN host port. • switchport mode private-vlan host Example: Switch(config-if)# switchport mode access Step 4 Enables 802.1x authentication on the port. authentication port-control auto Example: Switch(config-if)# authentication port-control auto
  • Page 350: Configuring Number Of Authentication Attempts On A Restricted Vlan

    • switchport mode access • switchport mode private-vlan host 4. authentication port-control auto 5. authentication event fail action authorize vlan vlan-id 6. authentication event retry retry count 7. end
  • Page 351 Specifies a number of authentication attempts to allow before a port moves to the restricted VLAN. The range is 1 to 3, and the default is 3. Example: Switch(config-if)# authentication event retry
  • Page 352: Configuring 802.1X Inaccessible Authentication Bypass With Critical Voice Vlan

    10. authentication event server dead action authorize voice 11. show authentication interface interface-id 12. copy running-config startup-config DETAILED STEPS Command or Action Purpose Step 1 configure terminal Enters the global configuration mode. Example: Switch# configure terminal
  • Page 353 • ignore-auth-port—Disable testing on the RADIUS-server authentication port. • For keystring, specify the authentication and encryption key used between the switch and the RADIUS daemon running on the
  • Page 354 Specifies the voice VLAN for the port. The voice VLAN cannot be the same as the critical data VLAN configured in Step 6. Example: Switch(config-if)# switchport voice vlan
  • Page 355: Example Of Configuring Inaccessible Authentication Bypass

    Switch(config)# dot1x critical eapol Switch(config)# dot1x critical recovery delay 2000 Switch(config)# interface gigabitethernet 1/0/1 Switch(config-if)# dot1x critical Switch(config-if)# dot1x critical recovery action reinitialize Switch(config-if)# dot1x critical vlan 20 Switch(config-if)# end
  • Page 356: Configuring 802.1X Authentication With Wol

    • in—Sets the port as unidirectional. The port can send packets to the host but cannot receive packets from the host. Step 4 Returns to privileged EXEC mode. Example: Switch(config-if)# end
  • Page 357: Configuring Mac Authentication Bypass

    Enters the global configuration mode. configure terminal Example: Switch# configure terminal Step 2 interface interface-id Specifies the port to be configured, and enter interface configuration mode. Example: Switch(config)# interface gigabitethernet2/0/1
  • Page 358: Formatting A Mac Authentication Bypass Username And Password

    3. mab request format attribute2 {0 | 7} text 4. end DETAILED STEPS Command or Action Purpose Step 1 configure terminal Enters the global configuration mode. Example: Switch# configure terminal
  • Page 359: Configuring 802.1X User Distribution

    Beginning in privileged EXEC mode, follow these steps to configure a VLAN group and to map a VLAN to SUMMARY STEPS 1. configure terminal 2. vlan group vlan-group-name vlan-list vlan-list 3. end 4. no vlan group vlan-group-name vlan-list vlan-list
  • Page 360: Example Of Configuring Vlan Groups

    This example shows how to add a VLAN to an existing VLAN group and to verify that the VLAN was added: Switch(config)# vlan group eng-dept vlan-list 30 Switch(config)# show vlan group eng-dept Group Name Vlans Mapped ------------- --------------
  • Page 361: Configuring Nac Layer 2 802.1X Validation

    Switch(config)# no vlan group end-dept vlan-list all Switch(config)# show vlan-group all For more information about these commands, see the Cisco IOS Security Command Reference. Configuring NAC Layer 2 802.1x Validation You can configure NAC Layer 2 802.1x validation, which is also referred to as 802.1x authentication with a RADIUS server.
  • Page 362 Switch(config-if)# authentication timer reauthenticate Step 7 Returns to privileged EXEC mode. Example: Switch(config-if)# end Step 8 show authentication sessions interface interface-id Verifies your entries. Example: Switch# show authentication sessions interface gigabitethernet2/0/3
  • Page 363: Configuring Limiting Login For Users

    Device(config)# aaa new-model Step 4 aaa authentication login default local Sets the authentication, authorization, and accounting (AAA) authentication by using the default authentication methods. Example: Device(config)# aaa authentication login default local
  • Page 364: Configuring An Authenticator Switch With Neat

    Note The cisco-av-pairs must be configured as device-traffic-class=switch on the ACS, which sets the interface as a trunk after the supplicant is successfully authenticated. Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator:
  • Page 365 Sets the port mode to access. Example: Switch(config-if)# switchport mode access Step 5 Sets the port-authentication mode to auto. authentication port-control auto Example: Switch(config-if)# authentication port-control auto
  • Page 366: Configuring A Supplicant Switch With Neat

    Example: Switch# copy running-config startup-config Configuring a Supplicant Switch with NEAT Beginning in privileged EXEC mode, follow these steps to configure a switch as a supplicant:
  • Page 367 Creates 802.1x credentials profile. This must be attached to the port that is configured as supplicant. Example: Switch(config)# dot1x credentials test Step 4 username suppswitch Creates a username. Example: Switch(config)# username suppswitch
  • Page 368 Switch(config-if)# dot1x pae supplicant Step 11 dot1x credentials profile-name Attaches the 802.1x credentials profile to the interface. Example: Switch(config-if)# dot1x credentials test Step 12 Returns to privileged EXEC mode. Example: Switch(config-if)# end
  • Page 369: Configuring 802.1X Authentication With Downloadable Acls And Redirect Urls

    The policies take effect after client authentication and the client IP address addition to the IP device tracking table. The switch then applies the downloadable ACL to the port. Beginning in privileged EXEC mode:
  • Page 370 Example: Switch(config)# aaa authorization network default local group radius Step 5 radius-server vsa send authentication Configures the radius vsa send authentication. Example: Switch(config)# radius-server vsa send authentication
  • Page 371: Configuring A Downloadable Policy

    6. aaa new-model 7. aaa authorization network default group radius 8. ip device tracking 9. ip device tracking probe [count | interval | use-svi] 10. radius-server vsa send authentication 11. end Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX OL-29048-01...
  • Page 372 Configures the default ACL on the port in the input direction. Note: The acl-id is an access list name or number. Example: Switch(config-if)# ip access-group default_acl in Step 5 exit Returns to global configuration mode. Example: Switch(config-if)# exit
  • Page 373 Configures the network access server to recognize and use vendor-specific attributes. Note: The downloadable ACL must be operational. Example: Switch(config)# radius-server vsa send authentication Step 11 Returns to privileged EXEC mode. Example: Switch(config)# end
  • Page 374: Configuring Vlan Id-Based Mac Authentication

    Note: Before changing the default order and priority of these authentication methods, you should understand the potential consequences of those changes. See http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/application_note_c27-573287_ps6638_Products_White_Paper.html for details. Beginning in privileged EXEC mode, follow these steps:
  • Page 375 [ dot1x | mab ] | {webauth} (Optional) Adds an authentication method to the port-priority list. Example: Switch(config-if)# authentication priority mab dot1x Step 6 Returns to privileged EXEC mode. Example: Switch(config-if)# end
  • Page 376: Configuring Open1X

    Example: Switch(config)# interface gigabitethernet 1/0/1 Step 3 switchport mode access Sets the port to access mode only if you configured the RADIUS server. Example: Switch(config-if)# switchport mode access
  • Page 377 Example: Switch(config-if)# authentication periodic Step 10 authentication port-control {auto | force-authorized | force-unauthorized} (Optional) Enables manual control of the port authorization state. Example: Switch(config-if)# authentication port-control auto
  • Page 378: Disabling 802.1X Authentication On The Port

    Enters the global configuration mode. Example: Switch# configure terminal Step 2 interface interface-id Specifies the port to be configured, and enters interface configuration mode. Example: Switch(config)# interface gigabitethernet2/0/1
  • Page 379: Resetting The 802.1X Authentication Configuration To The Default Values

    1. configure terminal 2. interface interface-id 3. dot1x default 4. end DETAILED STEPS Command or Action Purpose Step 1 configure terminal Enters the global configuration mode. Example: Switch# configure terminal
  • Page 380: Monitoring 802.1X Statistics And Status

    Filters verbose 802.1x authentication messages (beginning with Cisco IOS Release 12.2(55)SE) For detailed information about the fields in these displays, see the command reference for this release.
  • Page 381: Additional References

    All supported MIBs for this release. To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
  • Page 382: Feature Information For 802.1X Port-Based Authentication

    Cisco IOS 15.0(2)EX This feature was introduced. Supports the use of the same authorization methods on all the Catalyst switches in a network. Supports filtering verbose system messages from the authentication manager.
  • Page 383: Chapter 16 Configuring Web-Based Authentication

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 384: Device Roles

    (proxy) between the client and the authentication server, requesting identity information from the client, verifying that information with the authentication server, and relaying a response to the client.
  • Page 385: Host Detection

    • Sets up the HTTP intercept ACL. If the server response to the NRH request is access rejected, the HTTP intercept ACL is activated, and the session waits for HTTP traffic from the host.
  • Page 386: Authentication Process

    • The feature applies the downloaded timeout or the locally configured session timeout. Note: Beginning with Cisco IOS XE Denali 16.1.1 and later, the default session timeout value for web-based authentication on WLC is 1800 seconds. Prior to Cisco IOS XE Denali 16.1.1, the default session timeout value was infinite.
  • Page 387 Local Web Authentication Banner • New-style mode—Use the parameter-map type webauth global banner global configuration command. The default banner Cisco Systems and Switch host-name Authentication appear on the Login Page. Cisco Systems appears on the authentication result pop-up page. Figure 24: Authentication Successful Banner The banner can be customized as follows: •...
  • Page 388 Configuring Web-Based Authentication Local Web Authentication Banner • New-style mode—Use the parameter-map type webauth global banner global configuration command Figure 25: Customized Web Banner
  • Page 389: Web Authentication Customizable Web Pages

    Figure 26: Login Screen With No Banner For more information, see the Session Aware Networking Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) and the Web Authentication Enhancements - Customizing Authentication Proxy Web Pages.
  • Page 390 • You must include an HTML redirect command in the success page to access a specific URL. • The URL string must be a valid URL (for example, http://www.cisco.com). An incomplete URL might cause page not found or similar errors on a web browser.
  • Page 391: Authentication Proxy Web Page Guidelines

    • To remove the specification of a custom file, use the no form of the command. Because the custom login page is a public web form, consider these guidelines for the page:
  • Page 392: Redirection Url For Successful Login Guidelines

    LPIP posture validation. The LPIP host policy overrides the web-based authentication host policy. If the web-based authentication idle timer expires, the NAC policy is removed. The host is authenticated, and posture is validated again.
  • Page 393: Gateway Ip

    The GWIP policy overrides the web-based authentication host policy. ACLs: If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic only after the web-based authentication host policy is applied.
  • Page 394: Web-Based Authentication Configuration Guidelines And Restrictions

    • You must configure the default ACL on the interface before configuring web-based authentication. Configure a port ACL for a Layer 2 interface or a Cisco IOS ACL for a Layer 3 interface. • You cannot authenticate hosts on Layer 2 interfaces with static ARP cache assignment. These hosts are not detected by the web-based authentication feature because they do not send ARP messages.
  • Page 395: Web-Based Authentication Configuration Task List

    If you want to configure these options on a per-server basis, use the radius-server timeout, radius-server retransmit, and the radius-server key global configuration commands. For more information, see the Cisco IOS Security Configuration Guide, Release 12.4 and the Cisco IOS Security Command Reference, Release 12.4.
  • Page 396 Layer 2 or Layer 3 interface to be enabled for web-based authentication. type can be fastethernet, gigabitethernet, or tengigabitethernet. Example: Switch(config)# interface gigabitEthernet1/0/1 Step 5 ip access-group name Applies the default ACL. Example: Switch(config-if)# ip access-group webauthag
  • Page 397: Configuring Aaa Authentication

    Switch# copy running-config startup-config Configuring AAA Authentication Follow these steps to configure AAA authentication: Note: Use the default list for AAA authorization if you are planning to use features such as dACL.
  • Page 398 Switch(config)# aaa authentication login default group tacacs+ Step 5 aaa authorization auth-proxy default group {tacacs+ | radius} Creates an authorization method list for web-based authorization. Example: Switch(config)# aaa authorization auth-proxy default
  • Page 399: Configuring Switch-To-Radius-Server Communication

    Step 10 copy running-config startup-config (Optional) Saves your entries in the configuration file. Example: Switch# copy running-config startup-config Configuring Switch-to-RADIUS-Server Communication Follow these steps to configure the RADIUS server parameters:
  • Page 400 Step 5 radius-server key string Configures the authorization and encryption key used between the switch and the RADIUS daemon running on the RADIUS server. Example: Switch(config)# radius-server key rad123
  • Page 401: Configuring The Http Server

    3. ip http server 4. ip http secure-server 5. end DETAILED STEPS Command or Action Purpose Step 1 enable Enables privileged EXEC mode. Enter your password if prompted. Example: Switch> enable
  • Page 402: Customizing The Authentication Proxy Web Pages

    For the equivalent Session Aware Networking configuration example for this feature, see the section "Configuring a Parameter Map for Web-Based Authentication" in the chapter, "Configuring Identity Control Policies." of the book, "Session Aware Networking Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)."...
  • Page 403 ip admission proxy http failure page file device:fail-filename Specifies the location of the custom HTML file to use in place of the default login failure page. Example: Switch(config)# ip admission proxy http fail page file disk1:fail.htm
  • Page 404: Specifying A Redirection Url For Successful Login

    3. ip admission proxy http success redirect url-string 4. end DETAILED STEPS Command or Action Purpose Step 1 enable Enables privileged EXEC mode. Enter your password if prompted. Example: Switch> enable
  • Page 405: Configuring The Web-Based Authentication Parameters

    Follow these steps to configure the maximum number of failed login attempts before the client is placed in a watch list for a waiting period: SUMMARY STEPS 1. enable 2. configure terminal 3. ip admission max-login-attempts number 4. end 5. show running-config 6. copy running-config startup-config
  • Page 406: Configuring A Web-Based Authentication Local Banner

    Example: Switch# copy running-config startup-config Configuring a Web-Based Authentication Local Banner Follow these steps to configure a local banner on a switch that has web authentication configured.
  • Page 407 Switch(config)# ip admission auth-proxy-banner http C My Switch C Step 4 Returns to privileged EXEC mode. Example: Switch(config)# end Step 5 show running-config Verifies your entries. Example: Switch# show running-config
  • Page 408: Configuring Web-Based Authentication Without Svi

    keyword differ from the commands supported for a named parameter map defined with the parameter-map-name argument. Example: Switch(config)# parameter-map type webauth global
  • Page 409: Configuring Web-Based Authentication With Vrf Aware

    You configure the web-based authentication with VRF aware to redirect the HTML login page to the client. These steps are optional. SUMMARY STEPS 1. enable 2. configure terminal 3. parameter-map type webauth global 4. webauth-vrf-aware 5. end 6. show running-config 7. copy running-config startup-config
  • Page 410 Step 6 show running-config Verifies your entries. Example: Switch# show running-config Step 7 copy running-config startup-config (Optional) Saves your entries in the configuration file. Example: Switch# copy running-config startup-config
  • Page 411: Removing Web-Based Authentication Cache Entries

    Use the commands in this topic to display the web-based authentication settings for all interfaces or for specific ports. Table 31: Privileged EXEC show Commands Command Purpose show authentication sessions method webauth Displays the web-based authentication settings for all interfaces for fastethernet, gigabitethernet, or tengigabitethernet
  • Page 412: Feature Information For Web-Based Authentication

    In Session Aware Networking mode, use the show access-session interface command. Feature Information for Web-Based Authentication Release Feature Information Cisco IOS 15.0(2)EX This feature is introduced.
  • Page 413 Restrictions for Port Security, page 406 • Information About Port Security, page 406 • How to Configure Port Security, page 411 • Configuration Examples for Port Security, page 432 • Additional References, page 433
  • Page 414: Configuring Port-Based Traffic Control

    Overview of Port-Based Traffic Control Port-based traffic control is a set of Layer 2 features on the Cisco Catalyst switches used to filter or block packets at the port level in response to specific traffic conditions. The following port-based traffic control features are supported in the Cisco IOS Release for which this guide is written: •...
  • Page 415: How Traffic Activity Is Measured

    Note: When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked. However, the switch does not differentiate between routing updates, such as OSPF, and regular multicast data traffic, so both types of traffic are blocked.
  • Page 416: How To Configure Storm Control

    Storm control is supported on physical interfaces. You can also configure storm control on an EtherChannel. When storm control is configured on an EtherChannel, the storm control settings propagate to the EtherChannel physical interfaces.
  • Page 417 The port forwards traffic when traffic drops below this level. If you do not configure a falling suppression level, it is set to the rising suppression level. The range is 0.00 to 100.00.
  • Page 418 Verifies the storm control suppression levels set on the interface for the specified [broadcast | multicast | unicast] traffic type. If you do not enter a traffic type, broadcast storm control settings are displayed. Example: Switch# show storm-control gigabitethernet1/0/1 unicast
  • Page 419: Configuring Small-Frame Arrival Rate

    9. show interfaces interface-id 10. show running-config 11. copy running-config startup-config DETAILED STEPS Command or Action Purpose Step 1 enable Enables privileged EXEC mode. Enter your password if prompted. Example: Switch> enable
  • Page 420 The range is 1 to 10,000 packets per second (pps) Example: Switch(config-if)# small-frame violation rate 10000 Step 8 Returns to privileged EXEC mode. Example: Switch(config)# end
  • Page 421: Finding Feature Information

  • Page 422: Default Protected Port Configuration

    Protected ports are not pre-defined. This is the task to configure one. SUMMARY STEPS 1. enable 2. configure terminal 3. interface interface-id 4. switchport protected 5. end 6. show interfaces interface-id switchport 7. show running-config 8. copy running-config startup-config
  • Page 423 Example: Switch(config)# end Step 6 show interfaces interface-id switchport Verifies your entries. Example: Switch# show interfaces gigabitethernet1/0/1 switchport Step 7 show running-config Verifies your entries. Example: Switch# show running-config
  • Page 424: Monitoring Protected Ports

    Where to Go Next • Additional References Error Message Decoder Description Link To help you research and resolve system error messages in this release, use the Error Message Decoder tool. https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi
  • Page 425: Feature Information

  • Page 426: Information About Port Blocking

    1. enable 2. configure terminal 3. interface interface-id 4. switchport block multicast 5. switchport block unicast 6. end 7. show interfaces interface-id switchport 8. show running-config 9. copy running-config startup-config
  • Page 427 Switch(config-if)# switchport block unicast Step 6 Returns to privileged EXEC mode. Example: Switch(config)# end Step 7 show interfaces interface-id switchport Verifies your entries. Example: Switch# show interfaces gigabitethernet1/0/1 switchport
  • Page 428: Monitoring Port Blocking

    Displays the administrative and operational status of all switching (nonrouting) ports or the specified port, including port blocking and port protection settings. Where to Go Next • Additional References Related Documents Related Topic Document Title
  • Page 429: Feature Information

    Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. Feature Information Release Feature Information Cisco IOS 15.0(2)EX This feature was introduced.
  • Page 430: Prerequisites For Port Security

    • Static secure MAC addresses—These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
  • Page 431: Sticky Secure Mac Addresses

    MAC addresses to drop below the maximum value or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
  • Page 432: Port Security Aging

    When a switch joins a stack, the new switch receives the configured secure addresses. All dynamic secure addresses are downloaded by the new stack member from the other stack members.
  • Page 433: Default Port Security Configuration

    IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
  • Page 434 14 You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN.
  • Page 435: Overview Of Port-Based Traffic Control

  • Page 436 Layer 2 functions and any other secure MAC addresses configured on interfaces. Example: Switch(config-if)# switchport port-security maximum 20 (Optional) vlan—sets a per-VLAN maximum value
  • Page 437 [mac-address mac-address [vlan {vlan-id | {access | voice}}] (Optional) Enters a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you
  • Page 438 • voice—On an access port, specifies the VLAN as a voice VLAN. Note: The voice keyword is available only if a voice VLAN is configured on a port and if that port is not the access VLAN.
  • Page 439: Enabling And Configuring Port Security Aging

    Use this feature to remove and add devices on a secure port without manually deleting the existing secure MAC addresses and to still limit the number of secure addresses on a port. You can enable or disable the aging of secure addresses on a per-port basis.
  • Page 440 • absolute—Sets the aging type as absolute aging. All the secure addresses on this port age out exactly after the time (minutes) specified lapses and are removed from the secure address list.
  • Page 441: Finding Feature Information

  • Page 442: Information About Storm Control

  • Page 443: Traffic Patterns

    Depending on the sizes of the packets making up the incoming traffic, the actual enforced threshold might differ from the configured level by several percentage points.
  • Page 444 Step 2 configure terminal Enters the global configuration mode. Example: Switch# configure terminal Step 3 interface interface-id Specifies the interface to be configured, and enters interface configuration mode. Example: Switch(config)# interface gigabitethernet1/0/1
  • Page 445 • Select the shutdown keyword to error-disable the port during a storm. • Select the trap keyword to generate an SNMP trap when a storm is detected. Example: Switch(config-if)# storm-control action trap
  • Page 446: Configuring Small-Frame Arrival Rate

    4. errdisable recovery interval interval 5. errdisable recovery cause small-frame 6. interface interface-id 7. small-frame violation-rate pps 8. end 9. show interfaces interface-id 10. show running-config 11. copy running-config startup-config
  • Page 447 Configures the threshold rate for the interface to drop incoming packets and error-disable the port. The range is 1 to 10,000 packets per second (pps) Example: Switch(config-if)# small-frame violation rate 10000
  • Page 448: Finding Feature Information

  • Page 449: Default Protected Port Configuration

  • Page 451: Monitoring Protected Ports

  • Page 452: Feature Information

  • Page 453: Information About Port Blocking

    7. show interfaces interface-id switchport 8. show running-config 9. copy running-config startup-config DETAILED STEPS Command or Action Purpose Step 1 enable Enables privileged EXEC mode. Enter your password if prompted. Example: Switch> enable
  • Page 454 Step 8 show running-config Verifies your entries. Example: Switch# show running-config Step 9 copy running-config startup-config (Optional) Saves your entries in the configuration file. Example: Switch# copy running-config startup-config
  • Page 455: Monitoring Port Blocking

    Error Message Decoder Description Link To help you research and resolve system error messages in this release, use the Error Message Decoder tool. https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi Standards and RFCs Standard/RFC Title
  • Page 456: Feature Information

    50. The violation mode is the default, no static secure MAC addresses are configured, and sticky learning is enabled. Switch(config)# interface gigabitethernet1/0/1 Switch(config-if)# switchport mode access Switch(config-if)# switchport port-security Switch(config-if)# switchport port-security maximum 50 Switch(config-if)# switchport port-security mac-address sticky
  • Page 457: Additional References

  • Page 458: Finding Feature Information

  • Page 459: Default Protocol Storm Protection Configuration

    7. show psp config {arp | dhcp | igmp} DETAILED STEPS Command or Action Purpose Step 1 enable Enables privileged EXEC mode. Enter your password if prompted. Example: Switch> enable
  • Page 460: Monitoring Protocol Storm Protection

    {arp | dhcp | igmp} Verifies your entries. Example: Switch# show psp config dhcp Monitoring Protocol Storm Protection Command Purpose show psp config {arp | dhcp | igmp} Verifies your entries.
  • Page 461: Additional References

    Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
  • Page 462: Configuring Port-Based Traffic Control, Additional References
  • Page 463: Finding Feature Information

    Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
  • Page 464: Chapter 1 8 Configuring Ipv6 First Hop Security

    • IPv6 DHCP Guard—The IPv6 DHCP Guard feature blocks reply and advertisement messages that come from unauthorized DHCPv6 servers and relay agents. IPv6 DHCP guard can prevent forged messages
  • Page 465 It relies on the address glean functionality to populate all destinations active on the link into the binding table and then blocks resolutions before they happen when the destination is not found in the binding table.
  • Page 466: How To Configure An Ipv6 Snooping Policy

    For more information about DHCPv6 Relay, see the DHCPv6 Relay—Lightweight DHCPv6 Relay Agent section of the IP Addressing: DHCP Configuration Guide, Cisco IOS Release 15.1SG.
    How to Configure an IPv6 Snooping Policy
    Beginning in privileged EXEC mode, follow these steps to configure an IPv6 Snooping Policy:
    SUMMARY STEPS 1.
  • Page 467
    Step 4 exit
    Exits configuration modes to privileged EXEC mode.
    Example: Switch(config-ipv6-snooping)# exit
    Step 5 show ipv6 snooping policy policy-name
    Displays the snooping policy configuration.
    Example: Switch# show ipv6 snooping policy example_policy
  • Page 468: How To Attach An Ipv6 Snooping Policy To An Interface

    The command prompt displays as (config-if)# in Switchport configuration mode.
  • Page 469: How To Attach An Ipv6 Snooping Policy To A Layer 2 Etherchannel Interface

    3. ipv6 snooping [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]]
    4. do show running-config interface portchannel_interface_name
  • Page 470: How To Attach An Ipv6 Snooping Policy To Vlans Globally

    How to Attach an IPv6 Snooping Policy to VLANs Globally
    Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Snooping Policy to VLANs across multiple interfaces:
  • Page 471: How To Configure The Ipv6 Binding Table Content

    Example: Switch(config-if)# do show running-config
    How to Configure the IPv6 Binding Table Content
    Beginning in privileged EXEC mode, follow these steps to configure IPv6 Binding Table Content:
  • Page 472
    Enables the logging of binding table main events.
    Example: Switch(config)# ipv6 neighbor binding logging
    Step 5 exit
    Exits global configuration mode, and places the router in privileged EXEC mode.
    Example: Switch(config)# exit
  • Page 473: How To Configure An Ipv6 Neighbor Discovery Inspection Policy

    Switch# configure terminal
    Step 2 [no] ipv6 nd inspection policy policy-name
    Specifies the ND inspection policy name and enters ND Inspection Policy configuration mode.
    Example: Switch(config)# ipv6 nd inspection policy example_policy
  • Page 474
    Step 11 default {device-role | drop-unsecure | limit address-count | sec-level minimum | tracking | trusted-port | validate source-mac}
    Restores configuration to the default values.
    Example: Switch(config-nd-inspection)# default limit address-count
  • Page 475: How To Attach An Ipv6 Neighbor Discovery Inspection Policy To An Interface

    ] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] attach-policy option is not used.
    Example:
    Switch(config-if)# ipv6 nd inspection attach-policy example_policy
    Switch(config-if)# ipv6 nd inspection attach-policy example_policy vlan 222,223,224
  • Page 476: Interface

    EtherChannel was created. Enters the interface range configuration mode.
    Example: Switch(config)# interface Po11
    Enter the do show interfaces summary command for quick reference to interface names and types.
  • Page 477: How To Attach An Ipv6 Neighbor Discovery Inspection Policy To Vlans Globally

    3. ipv6 nd inspection [attach-policy policy_name]
    4. do show running-config
    DETAILED STEPS
    Command or Action / Purpose
    Step 1 configure terminal
    Enters the global configuration mode.
    Example: Switch# configure terminal
  • Page 478: How To Configure An Ipv6 Router Advertisement Guard Policy

    10. default {device-role | hop-limit {maximum | minimum} | managed-config-flag | match {ipv6 access-list | ra prefix-list} | other-config-flag | router-preference maximum | trusted-port}
    11. do show ipv6 nd raguard policy policy_name
  • Page 479
    Off—Accepts and forwards RA messages with an M value of 0, blocks those with 1.
    Step 6 [no] match {ipv6 access-list list | ra prefix-list list}
    Matches a specified prefix list or access list.
    Example: Switch(config-nd-raguard)# match ipv6 access-list example_list
  • Page 480: How To Attach An Ipv6 Router Advertisement Guard Policy To An Interface

    How to Attach an IPv6 Router Advertisement Guard Policy to an Interface
    Beginning in privileged EXEC mode, follow these steps to attach an IPv6 Router Advertisement Guard policy to an interface or to VLANs on the interface:
  • Page 481
    Switch(config-if)# ipv6 nd raguard vlan 222,223,224
    Step 4 do show running-config
    Confirms that the policy is attached to the specified interface without exiting the configuration mode.
    Example: Switch(config-if)# do show running-config
  • Page 482: How To Attach An Ipv6 Router Advertisement Guard Policy To A Layer 2 Etherchannel Interface

    ] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]
    Example:
    Switch(config-if-range)# ipv6 nd raguard attach-policy example_policy
    Switch(config-if-range)# ipv6 nd raguard attach-policy example_policy vlan 222,223,224
    Switch(config-if-range)# ipv6 nd raguard vlan 222,223,224
  • Page 483: How To Configure An Ipv6 Dhcp Guard Policy

    Default is client.
    Example: Switch(config-dhcp-guard)# device-role server
    • client—Default value, specifies that the attached device is a client. Server messages are dropped on this port.
  • Page 484
    If you configure a trusted port, then the device-role option is not available.
    Example: Switch(config-dhcp-guard)# trusted-port
    Step 8 default {device-role | trusted-port}
    (Optional) default—Sets a command to its defaults.
    Example: Switch(config-dhcp-guard)# default device-role
  • Page 485: How To Attach An Ipv6 Dhcp Guard Policy To An Interface Or A Vlan On An Interface

    | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]
    4. do show running-config interface Interface_type stack/module/port
    DETAILED STEPS
    Command or Action / Purpose
    Step 1 configure terminal
    Enters the global configuration mode.
    Example: Switch# configure terminal
  • Page 486: How To Attach An Ipv6 Dhcp Guard Policy To A Layer 2 Etherchannel Interface

    3. ipv6 dhcp guard [attach-policy policy_name [vlan {vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}] | vlan [{vlan_ids | add vlan_ids | except vlan_ids | none | remove vlan_ids | all}]]
    4. do show running-config interface portchannel_interface_name
  • Page 487: How To Attach An Ipv6 Dhcp Guard Policy To Vlans Globally

    How to Attach an IPv6 DHCP Guard Policy to VLANs Globally
    Beginning in privileged EXEC mode, follow these steps to attach an IPv6 DHCP Guard policy to VLANs across multiple interfaces:
  • Page 488: How To Configure Ipv6 Source Guard

    2. configure terminal
    3. [no] ipv6 source-guard policy policy_name
    4. [deny global-autoconf] [permit link-local] [default {...}] [exit] [no {...}]
    5. end
    6. show ipv6 source-guard policy policy_name
  • Page 489
    Shows the policy configuration and all the interfaces where the policy is applied.
    Example: Switch# show ipv6 source-guard policy example_policy
    What to Do Next
    Apply the IPv6 Source Guard policy to an interface.
  • Page 490: How To Attach An Ipv6 Source Guard Policy To An Interface

    Switch(config-if)# ipv6 source-guard attach-policy example_policy
    Step 5 show ipv6 source-guard policy policy_name
    Shows the policy configuration and all the interfaces where the policy is applied.
    Example: Switch(config-if)# show ipv6 source-guard policy example_policy
  • Page 491: Additional References

    3850 Switches) http://www.cisco.com/en/US/docs/ios-xml/ios/ipv6/command/ipv6-xe-3se-3850-cr-book.html
    Error Message Decoder
    Description: To help you research and resolve system error messages in this release, use the Error Message Decoder tool.
    Link: https://www.cisco.com/cgi-bin/Support/Errordecoder/index.cgi
  • Page 492 Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
  • Page 493: Index (IN-1)
  • Page 494: Index (IN-2)
  • Page 495: Index (IN-3)
  • Page 496: Index (IN-4)
  • Page 497: Index (IN-5)
  • Page 498: Index (IN-6)