Accessing the CLI through a Console Connection or through Telnet. Security Features Overview. CHAPTER 2 Security Features Overview. Preventing Unauthorized Access. CHAPTER 3 Finding Feature Information. Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1 OL-29434-01
CHAPTER 5 Finding Feature Information. Prerequisites for Controlling Switch Access with Terminal Access Controller Access Control System Plus (TACACS+). Information About TACACS+. TACACS+ and Switch Access. TACACS+ Overview.
CoA Request Response Code. Session Identification. CoA ACK Response Code. CoA NAK Response Code. CoA Request Commands. Session Reauthentication. Session Reauthentication in a Switch Stack. Session Termination. CoA Disconnect-Request.
CHAPTER 7 Finding Feature Information. How to Configure Local Authentication and Authorization. Configuring the Switch for Local Authentication and Authorization. Monitoring Local Authentication and Authorization.
Monitoring Secure HTTP Server and Client Status. Configuring IPv4 ACLs. CHAPTER 10 Finding Feature Information. Prerequisites for Configuring Network Security with ACLs.
Time Ranges for ACLs. IPv4 ACL Interface Considerations. How to Configure ACLs. Configuring IPv4 ACLs. Creating a Numbered Standard ACL. Creating a Numbered Extended ACL. Creating Named Standard ACLs.
Example: Denying Access to a Server on Another VLAN. Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs. Example: ACLs and Switched Packets. Example: ACLs and Bridged Packets.
Specifying the Packet Forwarding Address. Prerequisites for Configuring DHCP Snooping and Option 82. Enabling DHCP Snooping and Option 82. Enabling the Cisco IOS DHCP Server Database. Monitoring DHCP Snooping Information.
Configuring ARP ACLs for Non-DHCP Environments. Configuring Dynamic ARP Inspection in DHCP Environments. How to Limit the Rate of Incoming ARP Packets. How to Perform Validation Checks. Monitoring DAI.
802.1x Authentication with Inaccessible Authentication Bypass. Inaccessible Authentication Bypass Support on Multiple-Authentication Ports. Inaccessible Authentication Bypass Authentication Results. Inaccessible Authentication Bypass Feature Interactions. 802.1x User Distribution. 802.1x User Distribution Configuration Guidelines.
Configuring Periodic Re-Authentication. Changing the Quiet Period. Changing the Switch-to-Client Retransmission Time. Setting the Switch-to-Client Frame-Retransmission Number. Setting the Re-Authentication Number. Enabling MAC Move. Enabling MAC Replace. Configuring 802.1x Accounting.
Device Roles. Host Detection. Session Creation. Authentication Process. Local Web Authentication Banner. Web Authentication Customizable Web Pages Guidelines. Authentication Proxy Web Page Guidelines. Redirection URL for Successful Login Guidelines.
Traffic Patterns. How to Configure Storm Control. Configuring Storm Control and Threshold Levels. Monitoring Storm Control. Information About Protected Ports. Protected Ports. Default Protected Port Configuration. Protected Ports Guidelines.
Monitoring Protocol Storm Protection. Configuring IPv6 First Hop Security. CHAPTER 18 Prerequisites for First Hop Security in IPv6. Restrictions for First Hop Security in IPv6.
How to Attach an IPv6 Source Guard Policy to an Interface. Configuring Cisco TrustSec. CHAPTER 19 Configuring Cisco TrustSec. Finding Feature Information. Information About Cisco TrustSec. Feature Information for Cisco TrustSec.
[x | y] Optional alternative keywords are grouped in brackets and separated by vertical bars. {x | y} Required alternative keywords are grouped in braces and separated by vertical bars.
Timesaver: Means the described action saves time. You can save time by performing the action described in the Timesaver paragraph. Warning: Means reader be warned. In this situation, you might perform an action that could result in bodily injury.
Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
Preface: Obtaining Documentation and Submitting a Service Request.
Command Modes The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.
(with a specific interface). Ethernet ports. To return to privileged EXEC mode, press Ctrl-Z or enter end.
Obtains a list of commands that begin with a particular character string. Example: Switch# di? dir disable disconnect Step 3 abbreviated-command-entry <Tab> Completes a partial command name. Example: Switch# sh conf<tab> Switch# show configuration
CLI Error Messages This table lists some error messages that you might encounter while using the CLI to configure your switch.
The software provides a history or record of commands that you have entered. The command history feature is particularly useful for recalling long or complex commands or entries, including access lists. You can customize this feature to suit your needs.
Returns to more recent commands in the history buffer after recalling commands with Ctrl-P or the up arrow key. Repeat the key sequence to recall successively more recent commands.
Ctrl-U or Ctrl-X Deletes all characters from the cursor to the beginning of the command line. Ctrl-W Deletes the word to the left of the cursor.
Note: The following example shows how to wrap a command line that extends beyond a single line on the screen. SUMMARY STEPS 1. access-list 2. Ctrl-A 3. Return key
After you connect through the console port, through the Ethernet management port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station.
Using the Command-Line Interface: Accessing the CLI through a Console Connection or through Telnet.
The security features are as follows: • FIPS Certification Cisco IOS XE Release 15.0(2)XE on the Catalyst 2960-X switch has been submitted for certification under FIPS 140-2 and Common Criteria compliance with the US Government, Security Requirements for Network Devices.
These 802.1x features are supported: ◦ Multidomain authentication (MDA) to allow both a data device and a voice device, such as an IP phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled switch port. To use MDA, the switch must be running the LAN Base image.
◦ Port security for controlling access to 802.1x ports. ◦ Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port. ◦ IP phone detection enhancement to detect and recognize a Cisco IP phone.
When there is a change in policy for a user or user group in AAA, administrators can send RADIUS CoA packets from the AAA server, such as Cisco Identity Services Engine or Cisco Secure ACS, to reinitialize authentication and apply the new policies.
This release adds support for the 168-bit Triple Data Encryption Standard (3DES) and the 128-bit, 192-bit, and 256-bit Advanced Encryption Standard (AES) encryption algorithms to SNMPv3. • Support for Cisco TrustSec SXP protocol.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
• You can also enable the login enhancements feature, which logs both failed and unsuccessful login attempts. Login enhancements can also be configured to block future login attempts after a set number of unsuccessful attempts are made. For more information, see the Cisco IOS Login Enhancements documentation.
(with associated rights and privileges) to each username and password pair. Related Topics Configuring Username and Password Pairs, on page 30
Privilege Levels Cisco switches (and other devices) use privilege levels to provide password security for different levels of switch operation. By default, the Cisco IOS software operates in two modes (privilege levels) of password security: user EXEC (Level 1) and privileged EXEC (Level 15). You can configure up to 16 hierarchical levels of commands for each mode.
Beginning in privileged EXEC mode, follow these steps to establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify:
Note: If you specify an encryption type and then enter a clear text password, you cannot re-enter privileged EXEC mode. You cannot recover a lost encrypted password by any method.
This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
By default, no password is defined. Example: Switch(config-line)# password abcxyz543 Step 5 Returns to privileged EXEC mode. Example: Switch(config-line)# end Related Topics Preventing Unauthorized Access, on page 19 Terminal Line Telnet Configuration, on page 23
Use one of the following: • line console 0 • line vty 0 15 Enters line configuration mode, and configures the console port (line 0) or the VTY lines (line 0 to 15).
Beginning in privileged EXEC mode, follow these steps to change the default privilege level for the specified line: SUMMARY STEPS 1. configure terminal 2. line vty line 3. privilege level level 4. end
Privilege Levels, on page 24 Logging into and Exiting a Privilege Level Beginning in user EXEC mode, follow these steps to log into a specified privilege level and exit a specified privilege level.
For level, the range is 0 to 15. Switch# disable 1 Related Topics Privilege Levels, on page 24 Monitoring Switch Access Table 5: Commands for Displaying DHCP Information show privilege Displays the privilege level configuration.
This example shows how to set the configure command to privilege level 14 and define SecretPswd14 as the password users must enter to use level 14 commands: Switch(config)# privilege exec level 14 configure
Example: Setting the Privilege Level for a Command Switch(config)# enable password level 14 SecretPswd14 Related Topics Setting the Privilege Level for a Command, on page 31 Privilege Levels, on page 24
TACACS+ Login Authentication, on page 42 Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services, on page 47 TACACS+ Authorization for Privileged EXEC Access and Network Services, on page 42
The switch supports TACACS+ for IPv6. Information is in the “TACACS+ Over an IPv6 Transport” section of the “Implementing ADSL for IPv6” chapter in the Cisco IOS XE IPv6 Configuration Guide, Release 2. For information about configuring this feature, see the “Configuring TACACS+ over IPv6” section of the “Implementing ADSL for IPv6”...
TACACS+ Overview The goal of TACACS+ is to provide a method for managing multiple network access points from a single management service. Your switch can be a network access server along with other Cisco routers and access servers. Figure 1: Typical TACACS+ Network Configuration TACACS+, administered through the AAA security services, can provide these services: •...
• Connection parameters, including the host or client IP address, access list, and user timeouts Related Topics Prerequisites for Controlling Switch Access with Terminal Access Controller Access Control System Plus (TACACS+), on page 37
AAA authorization limits the services available to a user. When AAA authorization is enabled, the switch uses information retrieved from the user’s profile, which is located either in the local user database or on the ...
Identifying the TACACS+ Server Host and Setting the Authentication Key Beginning in privileged EXEC mode, follow these steps to identify the TACACS+ server host and set the authentication key:
AAA server group. Each server in the group must be previously defined in Step 2. Example: Switch(config)# server 10.1.2.3 Step 6 Returns to privileged EXEC mode. Example: Switch(config)# end
Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.4. SUMMARY STEPS 1.
• If you specify default, use the default list created with the aaa authentication login command. • For list-name, specify the list created with the aaa authentication login command. Example: Switch(config-line)# login
Note: Authorization is bypassed for authenticated users who log in through the CLI even if authorization has been configured. SUMMARY STEPS 1. configure terminal 2. aaa authorization network tacacs+ 3. aaa authorization exec tacacs+ 4. end
In some situations, users might be prevented from starting a session on the console or terminal connection until after the system reloads, which can take more than 3 minutes.
To establish a console or Telnet session with the router if the AAA server is unreachable when the router reloads, use the no aaa accounting system guarantee-first command. Monitoring TACACS+ Table 6: Commands for Displaying TACACS+ Information show tacacs Displays TACACS+ server statistics.
PAD connections. • Switch-to-switch or router-to-router situations. RADIUS does not provide two-way authentication. RADIUS can be used to authenticate from one device to a non-Cisco device if the non-Cisco device requires authentication. • Networks using a variety of services. RADIUS generally binds a user to one service model.
The switch supports RADIUS for IPv6. Information is in the “RADIUS Over IPv6” section of the “Implementing ADSL for IPv6” chapter in the Cisco IOS XE IPv6 Configuration Guide, Release 2. For information about configuring this feature, see the “Configuring the NAS” section in the “Implementing ADSL for IPv6” chapter in the Cisco IOS XE IPv6 Configuration Guide, Release 2.
The ACCEPT or REJECT response is bundled with additional data that is used for privileged EXEC or network authorization. The additional data included with the ACCEPT or REJECT packets includes these items:
• Session termination with port shutdown • Session termination with port bounce This feature is integrated with the Cisco Identity Services Engine, and the Cisco Secure Access Control Server (ACS) 5.1. The RADIUS interface is enabled by default on Catalyst switches. However, some basic configuration is required for the following attributes: •...
RADIUS Change of Authorization [packet format diagram: Authenticator, Attributes ...] The attributes field is used to carry Cisco vendor-specific attributes (VSAs). Related Topics CoA Disconnect-Request, on page 60 CoA Request: Disable Host Port, on page 60 CoA Request: Bounce-Port, on page 60 CoA ACK Response Code If the authorization state is changed successfully, a positive acknowledgment (ACK) is sent.
To initiate session authentication, the AAA server sends a standard CoA-Request message which contains a Cisco VSA in this form: Cisco:Avpair="subscriber:command=reauthenticate" and one or more session identification attributes. The current session state determines the switch response to the message. If the session is currently authenticated by IEEE 802.1x, the switch responds by sending an EAPoL (Extensible Authentication Protocol over LAN) ...
If the session cannot be located, the switch returns a CoA-NAK message with the “Session Context Not Found” error-code attribute. If the session is located, the switch disables the hosting port for a period of 10 seconds, re-enables it (port-bounce), and returns a CoA-ACK.
(which is subsequently removed). If the stack master fails before sending a CoA-ACK message, the new stack master treats the re-sent command as a new command.
To configure AAA authentication, you define a named list of authentication methods and then apply that list to various ports. The method list defines the types of authentication to be performed and the sequence in which ...
Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server. You can then analyze the data for network management, client billing, or auditing.
protocol : attribute sep value * Protocol is a value of the Cisco protocol attribute for a particular type of authorization. Attribute and value are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification, and sep is = for mandatory attributes and is * for optional attributes.
RADIUS server to reply before resending. The range is 1 to 1000. This setting overrides the radius-server timeout global configuration command setting. If no ... Example: Switch(config)# radius-server host 172.29.36.49 auth-port ...
Configuring AAA authentication does not secure the switch for HTTP access by using AAA methods. For more information about the ip http authentication command, see the Cisco IOS Security Command Reference, Release 12.4.
RADIUS server. ◦line—Use the line password for authentication. Before you can use this authentication method, you must define a line password. Use the password password line configuration command.
You can either identify the server by its IP address or identify multiple host instances or entries by using the optional auth-port and acct-port keywords. Beginning in privileged EXEC mode, follow these steps to define AAA server groups:
If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks are part of the key.
Switch(config)# aaa group server radius group1 Switch(config-sg-radius)# server 172.20.0.1 auth-port 1000 acct-port 1001 Switch(config-sg-radius)# exit Switch(config)# aaa group server radius group2 Switch(config-sg-radius)# server 172.20.0.1 auth-port 2000 acct-port 2001 Switch(config-sg-radius)# exit
Configures the switch for user RADIUS authorization if the user has privileged EXEC access. The exec keyword might return user profile information (such as autocommand information). Example: Switch(config)# aaa authorization exec radius
Vendor-Specific RADIUS Attributes, on page 64 Configuring the Switch for Vendor-Proprietary RADIUS Server Communication Beginning in privileged EXEC mode, follow these steps to configure the switch to use vendor-proprietary RADIUS server communication:
What to Do Next This feature allows access and authentication requests to be evenly distributed across all RADIUS servers in a server group. For more information, see the “RADIUS Server Load Balancing” chapter of the Cisco IOS Security Configuration Guide, Release 12.4.
{ip-address | name} [vrf vrfname] [server-key string] Enters dynamic authorization local server configuration mode and specifies a RADIUS client from which a device will accept CoA and disconnect requests.
Switch(config-sg-radius)# auth-type any Step 8 ignore session-key (Optional) Configures the switch to ignore the session-key. For more information about the ignore command, see the Cisco IOS Intelligent Services Gateway Command Reference on Cisco.com. Step 9 ignore server-key (Optional) Configures the switch to ignore the server-key.
This example shows how to configure one RADIUS server to be used for authentication and another to be used for accounting: Switch(config)# radius-server host 172.29.36.49 auth-port 1612 key rad1 Switch(config)# radius-server host 172.20.36.50 acct-port 1618 key rad2
Switch(config)# radius-server host host1 Examples: Configuring the Switch to Use Vendor-Specific RADIUS Attributes For example, this AV pair activates Cisco’s multiple named ip address pools feature during IP authorization (during PPP IPCP address assignment): cisco-avpair="ip:addr-pool=first" This example shows how to provide a user logging in from a switch with immediate access to privileged EXEC commands: cisco-avpair="shell:priv-lvl=15"
Configures user AAA authorization for all network-related service requests. Example: Switch(config)# aaa authorization network local Step 6 username name [privilege level] {password encryption-type password} Enters the local database, and establishes a username-based authentication system.
Setting Up the Switch to Run SSH, on page 89 SSH Configuration Guidelines, on page 87 Monitoring Local Authentication and Authorization To display Local Authentication and Authorization configuration, use the show running-config privileged EXEC command.
• A user must have appropriate authorization to use SCP. • A user who has appropriate authorization can use SCP to copy any file in the Cisco IOS File System (IFS) to and from a switch by using the copy command. An authorized administrator can also do this from a workstation.
You can use an SSH client to connect to a switch running the SSH server. The SSH server works with the SSH client supported in this release and with non-Cisco SSH clients. The SSH client also works with the SSH server supported in this release and with non-Cisco SSH servers.
(AAA) authorization be configured so the router can determine whether the user has the correct privilege level. For information about how to configure and verify SCP, see the “Secure Copy Protocol” section in the Cisco IOS Security Configuration Guide: Securing User Services, Release 12.4.
2. ip ssh version [1 | 2] 3. ip ssh {timeout seconds | authentication-retries number} 4. Use one or both of the following: • line vty line_number [ending_line_number] • transport input ssh 5. end
• transport input ssh • Specifies that the switch prevent non-SSH Telnet connections. This limits the router to only SSH connections. Example: Switch(config)# line vty 1 10 Switch(config-line)# transport input ssh
Shows the status of the SSH server. For more information about these commands, see the “Secure Shell Commands” section in the “Other Security Features” chapter of the Cisco IOS Security Command Reference.
Internet. HTTP with SSL encryption provides a secure connection to allow such functions as configuring a switch from a Web browser. Cisco's implementation of the secure HTTP server and secure HTTP client uses an implementation of SSL Version 3.0 with application-layer encryption. HTTP over SSL is abbreviated as HTTPS;...
(pages) back to the HTTP secure server, which, in turn, responds to the original request. The primary role of the HTTP secure client (the web browser) is to respond to Cisco IOS application requests for HTTPS User Agent services, perform HTTPS User Agent services for the application, and pass the response back to the application.
For additional information on Certificate Authorities, see the “Configuring Certification Authority Interoperability” chapter in the Cisco IOS Security Configuration Guide, Release 12.4. CipherSuites A CipherSuite specifies the encryption algorithm and the digest algorithm to use on an SSL connection. When connecting to the HTTPS server, the client Web browser offers a list of supported CipherSuites, and the client and server negotiate the best encryption algorithm to use from those on the list that are supported by both.
RSA key pairs are generated automatically. You can use this command to regenerate the keys, if needed. Example: Switch(config)# crypto key generate rsa
Authenticates the CA by getting the public key of the CA. Use the same name used in Step 5. Example: Switch(config)# crypto ca authentication your_trustpoint Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1 OL-29434-01...
If you configure a port other than the default port, you must also specify the port number after the URL. For example: https://209.165.129:1026 https://host.domain.com:1026 Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1 OL-29434-01...
Page 122
(Optional) Specifies the port number to be used for the HTTPS server. The default port number is 443. Valid options are 443 or any number in the range 1025 to 65535. Example: Switch(config)# ip http secure-port 443 Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1 OL-29434-01...
Page 123
Switch(config)# ip http max-connections Step 11 ip http timeout-policy idle seconds life (Optional) Specifies how long a connection to the HTTP server can seconds requests value remain open under the defined circumstances: Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1 OL-29434-01...
Table 13: Commands for Displaying the SSL Secure Server and Client Status Command Purpose show ip http client secure status Shows the HTTP secure client configuration. show ip http server secure status Shows the HTTP secure server configuration. Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1 OL-29434-01...
Page 126
Configuring Secure Socket Layer HTTP Monitoring Secure HTTP Server and Client Status Command Purpose show running-config Shows the generated self-signed certificate for secure HTTP connections. Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1 OL-29434-01...
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
• A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
The switch supports IP ACLs and Ethernet (MAC) ACLs:
• IP ACLs filter IPv4 traffic, including TCP, User Datagram Protocol (UDP), Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).
VLAN map and the router ACL. Other packets are filtered only by the VLAN map. Related Topics Restrictions for Configuring Network Security with ACLs, on page 105
You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.
VLAN maps on traffic between hosts on a hub or on another switch connected to this switch. With VLAN maps, forwarding of packets is permitted or denied, based on the action specified in the map.
Layer 4 information is present. The remaining fragments also match the first ACE, even though they do not contain the SMTP port information, because the first ACE only checks Layer
Both the active and standby switches have the ACL information. When the active switch fails, the standby takes over. The new active switch distributes the ACL information to all stack members.
IPv4 ACL Switch Unsupported Features Configuring IPv4 ACLs on the switch is the same as configuring IPv4 ACLs on other Cisco switches and routers. The switch does not support these Cisco IOS router ACL-related features: •...
ACEs from a numbered list. The switch does not support dynamic or reflexive access lists. It also does not support filtering based on the type of service (ToS) minimize-monetary-cost bit.
VLAN maps also accept a name.
• A standard ACL and an extended ACL cannot have the same name.
• Numbered ACLs are also available.
• If log has not been specified, the flows that match a deny statement in a security ACL are dropped by the hardware if ip unreachables is disabled. The flows matching a permit statement are switched in hardware.
VLAN map to access control the bridged traffic. If a packet flow matches a VLAN-map deny clause in the ACL, regardless of the router ACL configuration, the packet flow is denied.
• When the first matching packet is received.
• For any matching packets received within the last 5 minutes.
• If the threshold is reached before the 5-minute interval.
For inbound ACLs, after receiving a packet, the switch checks the packet against the ACL. If the ACL permits the packet, the switch continues to process the packet. If the ACL rejects the packet, the switch discards the packet.
Apply the ACL to interfaces or terminal lines. You can also apply standard and extended IP ACLs to VLAN maps. Creating a Numbered Standard ACL Beginning in privileged EXEC mode, follow these steps to create a numbered standard ACL:
Note Logging is supported only on ACLs attached to Layer 3 interfaces.
Step 3 Returns to privileged EXEC mode. Example: Switch(config)# end
Related Topics Configuring VLAN Maps, on page 135
10.1.1.2 any precedence 0 tos 0 log The source is the number of the network or host from which the packet is sent. The source-wildcard applies wildcard bits to the source.
500 The other optional keywords have these meanings:
• established—Enter to match an established connection. This has the same function as matching on the ack or rst flag.
[dscp dscp] Example: Switch(config)# access-list 101 permit igmp any any 14
Step 7 Returns to privileged EXEC mode. Example: Switch(config)# end
Switch(config-ext-nacl)# no permit ip host 10.1.1.3 any
Being able to selectively remove lines from a named ACL is one reason you might use named ACLs instead of numbered ACLs.
• periodic {weekdays | weekend | daily} hh:mm to hh:mm
• You can enter multiple periodic statements. For example, you could configure different hours for weekdays and weekends. See the example configurations.
Example: Switch(config-time-range)# absolute start
(Optional) Saves your entries in the configuration file. Example: Switch# copy running-config startup-config
Applying an IPv4 ACL to an Interface This section describes how to apply IPv4 ACLs to network interfaces.
show running-config Displays the access list configuration. Example: Switch# show running-config
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file. Example: Switch# copy running-config startup-config
| lsap lsap mask | aarp | amber | dec-spanning | decnet-iv | diagnostic | dsm | etype-6000 | etype-8042 | lat | lavc-sca | mop-console |
MAC address, destination MAC address with a mask, or a specific destination MAC address. (Optional) You can also enter these options:
Layer 2 interface:
SUMMARY STEPS
1. configure terminal
2. interface interface-id
3. mac access-group {name} {in | out}
4. end
5. show mac access-group [interface interface-id]
6. copy running-config startup-config
ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets. Remember this behavior if you use undefined ACLs for network security. Related Topics Restrictions for Configuring Network Security with ACLs, on page 105
IP packets are matched against standard or extended IP access lists. Non-IP packets are only matched against named MAC extended access lists. Example: Switch(config-access-map)# match ip
Creating a VLAN Map Each VLAN map consists of an ordered series of entries. Beginning in privileged EXEC mode, follow these steps to create, add to, or delete a VLAN map entry:
MAC extended access lists. Switch(config-access-map)# match ip address ip2
Step 4 action {drop | forward} (Optional) Sets the action for the map entry. The default is to forward. Example: Switch(config-access-map)# action forward
Beginning in privileged EXEC mode, follow these steps to apply a VLAN map to one or more VLANs:
SUMMARY STEPS
1. configure terminal
2. vlan filter mapname vlan-list list
3. end
4. show running-config
5. copy running-config startup-config
You can also display the MAC ACLs applied to a Layer 2 interface. You can use the privileged EXEC commands as described in this table to display this information.
In this example, the Jones subnet is not allowed to use outbound Telnet:
Switch(config)# ip access-list extended telnetting
Switch(config-ext-nacl)# remark Do not allow Jones subnet to telnet out
This section provides examples of configuring and applying IPv4 ACLs. For detailed information about compiling ACLs, see the Cisco IOS Security Configuration Guide, Release 12.4 and the “Configuring IP Services” section in the “IP Addressing and Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.4.
The Internet_filter ACL is applied to outgoing traffic and the marketing_group ACL is applied to incoming traffic on a Layer 3 port.
Switch(config)# interface gigabitethernet3/0/2
Switch(config-if)# no switchport
Switch(config-if)# ip address 2.0.5.1 255.255.255.0
Switch(config-if)# ip access-group Internet_filter out
Two variations of logging are supported on router ACLs. The log keyword sends an informational logging message to the console about the packet that matches the entry; the log-input keyword includes the input interface in the log entry.
A log message for the same sort of packet using the log keyword does not include the input interface information:
00:05:47:%SEC-6-IPACCESSLOGDP:list inputlog permitted icmp 10.1.1.10 -> 10.1.1.61 (0/0), 1 packet
Define a VLAN map using this ACL that will drop IP packets that match SERVER1_ACL and forward IP packets that do not match the ACL.
Switch(config)# vlan access-map SERVER1_MAP
Switch(config-access-map)# match ip address SERVER1_ACL
Switch(config-access-map)# action drop
This example shows how an ACL is applied on fallback-bridged packets. For bridged packets, only Layer 2 ACLs are applied to the input VLAN. Only non-IP, non-ARP packets can be fallback-bridged.
This example shows how ACLs are applied on routed packets. The ACLs are applied in this order:
1 VLAN map for input VLAN
2 Input router ACL
3 Output router ACL
4 VLAN map for output VLAN
Figure 10: Applying ACLs on Routed Packets
However, if the input VLAN map drops the packet, no destination receives a copy of the packet. Figure 11: Applying ACLs on Multicast Packets
With IPv4, you can configure standard and extended numbered IP ACLs, named IP ACLs, and MAC ACLs. IPv6 supports only named ACLs. The switch supports most Cisco IOS-supported IPv6 ACLs with some exceptions: • The switch does not support matching on these keywords: flowlabel, routing header, and undetermined-transport.
3 Apply the IPv6 ACL to an interface. For router ACLs, you must also configure an IPv6 address on the Layer 3 interface to which the ACL is applied.
source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address} [operator
Enter tcp for Transmission Control Protocol. The parameters are the same as those described in Step 3a, with these additional optional parameters:
• ack—Acknowledgment bit set.
Step 7 Return to privileged EXEC mode.
Step 8 show ipv6 access-list Verify the access list configuration.
Step 9 copy running-config startup-config (Optional) Save your entries in the configuration file.
This example configures the IPv6 access list named CISCO. The first deny entry in the list denies all packets that have a destination TCP port number greater than 5000. The second deny entry denies packets that have a source UDP port number less than 5000.
Use the no ipv6 traffic-filter access-list-name interface configuration command to remove an access list from an interface. This example shows how to apply the access list Cisco to outbound traffic on a Layer 3 interface: Switch(config)# interface gigabitethernet 1/0/3 Switch(config-if)# no switchport...
(15 matches) sequence 20
permit udp any any sequence 30
IPv6 access list outbound
deny udp any any sequence 10
deny tcp any any eq telnet sequence 20
DHCP option-82 information, the switch drops packets with option-82 information when packets are received on an untrusted interface. If DHCP snooping is enabled and packets are received on a trusted
DHCP messages between the clients and the server. Figure 12: DHCP Relay Agent in a Metropolitan Ethernet Network
The illustration, Suboption Packet Formats, shows the packet formats for the remote-ID suboption and the circuit-ID suboption when the default suboption configuration is used. For the circuit-ID suboption, the module
◦ The circuit-ID type is 1.
◦ The length values are variable, depending on the length of the string that you configure.
• Remote-ID suboption fields
◦ The remote-ID type is 1.
It has IP addresses, address bindings, and configuration parameters, such as the boot file. An address binding is a mapping between an IP address and a MAC address of a host in the Cisco IOS DHCP server database. You can manually assign the client IP address, or the DHCP server can allocate an IP address from a DHCP address pool.
DHCP snooping is managed on the stack master. When a new switch joins the stack, the switch receives the DHCP snooping configuration from the stack master. When a member leaves the stack, all DHCP snooping address bindings associated with the switch age out.
Cisco IOS DHCP server binding database Enabled in Cisco IOS software, requires configuration. Note The switch gets network addresses and configuration parameters only from a device configured as a DHCP server.
The switch can act as a DHCP server. For procedures to configure the switch as a DHCP server, see the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.4. DHCP Server and Switch Stacks The DHCP binding database is managed on the stack master.
Example: Switch(config)# end What to Do Next See the “Configuring DHCP” section of the “IP Addressing and Services” section of the Cisco IOS IP Configuration Guide, Release 12.4 for these procedures: • Checking (validating) the relay agent information • Configuring the relay agent forwarding policy...
DHCP requests. If you have multiple servers, you can configure one helper address for each server.
172.16.1.2
Step 5 Returns to global configuration mode. Example: Switch(config-if)# end
URL before the switch can write bindings to the binding file at that URL. See the documentation for your TFTP server to determine whether you must first create an empty file on the server; some TFTP servers cannot be configured this way.
• To use the DHCP snooping option of accepting packets on untrusted inputs, the switch must be an aggregation switch that receives packets with option-82 information from an edge switch. • You must configure the switch to use the Cisco IOS DHCP server binding database to use it for DHCP snooping.
Switch(config)# ip dhcp snooping information option
Step 5 ip dhcp snooping information option format remote-id [string ASCII-string | hostname] (Optional) Configures the remote-ID suboption. You can configure the remote ID as:
If you configure rate limiting for trusted interfaces, you might need to increase the rate limit if the port is a trunk port assigned to more than one VLAN with DHCP snooping.
limit rate 100
Enabling the Cisco IOS DHCP Server Database For procedures to enable and configure the Cisco IOS DHCP server database, see the “DHCP Configuration Task List” section in the “Configuring DHCP” chapter of the Cisco IOS IP Configuration Guide, Release 12.4. Monitoring DHCP Snooping Information...
In all cases, by connecting the Ethernet cable to the same port, the same IP address is allocated through DHCP to the attached device. The DHCP server port-based address allocation feature is only supported on a Cisco IOS DHCP server and not a third-party server.
The default is 300 seconds. The range is 0 to 86400. Use 0 to define an infinite duration, which means to continue trying the transfer indefinitely.
Switch(config)# ip dhcp snooping database timeout 300
Displays the status and configuration of a specific interface.
show ip dhcp pool Displays the DHCP address pools.
show ip dhcp binding Displays address bindings on the Cisco IOS DHCP server.
DHCP and static hosts. For example, bindings are stored in both the device tracking database as well as in the DHCP snooping binding database.
To remove the binding from the running configuration, you must disable IP source guard before entering the no switch provision command. The configuration is also removed if the switch reloads while the interface is removed from the binding table.
2. ip device tracking
3. interface interface-id
4. switchport mode access
5. switchport access vlan vlan-id
6. ip verify source [tracking] [mac-check]
7. ip device tracking maximum number
8. end
IP device tracking table allows on the port. The range is 1 to 10. The maximum number is 10.
Note You must configure the ip device tracking maximum limit-number interface configuration command.
Example: Switch(config-if)# ip device tracking maximum 8
Switch(config-if)# switchport access vlan 1
Switch(config-if)# ip device tracking maximum 5
Switch(config-if)# ip verify source tracking
Switch(config-if)# end
Switch# show ip verify source
Interface Filter-type Filter-mode IP-address Mac-address Vlan
Global IP Device Tracking Probe Interval = 30
-----------------------------------------------------------------------------------------------
IP Address MAC Address Vlan Interface Probe-Timeout STATE
-----------------------------------------------------------------------------------------------
200.1.1.8 0001.0600.0000 GigabitEthernet1/0/1 INACTIVE
200.1.1.9 0001.0600.0000 GigabitEthernet1/0/1 INACTIVE
200.1.1.10 0001.0600.0000 GigabitEthernet1/0/1 INACTIVE
Table 21: Interface Configuration Commands
Command Purpose
ip verify source tracking Verifies the data source.
For detailed information about the fields in these displays, see the command reference for this release.
EtherChannel ports is equal to the sum of the incoming rate of packets from all the channel members. Configure the rate limit for EtherChannel ports only after examining the rate of incoming ARP packets on the channel-port members.
IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB. This
VLAN that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to Switch A, only Switch A binds the IP-to-MAC address of Host 1. Therefore, if the interface
The port remains in that state until you intervene. You can use the errdisable recovery global configuration command to enable error disable recovery so that ports automatically emerge from this state after a specified timeout period.
The rate is unlimited on all trusted interfaces. The burst interval is 1 second. Dynamic ARP inspection No ARP ACLs are defined. Interface trust state No checks are performed.
30 pps on an EtherChannel that has one port on switch 1 and one port on switch 2, each port can receive packets at 29 pps without causing the EtherChannel to become error-disabled.
Configuring ARP ACLs for Non-DHCP Environments This procedure shows how to configure dynamic ARP inspection when Switch B shown in Figure 2 does not support dynamic ARP inspection or DHCP snooping.
Apply the ARP ACL to the VLAN. By default, no defined ARP ACLs are applied to any VLAN.
arp-acl-name vlan vlan-range [static]
• For arp-acl-name, specify the name of the ACL created in Step 2.
To remove the ARP ACL, use the no arp access-list global configuration command. To remove the ARP ACL attached to a VLAN, use the no ip arp inspection filter arp-acl-name vlan vlan-range global configuration command.
To disable error recovery for dynamic ARP inspection, use the no errdisable recovery cause arp-inspection global configuration command. Beginning in privileged EXEC mode, follow these steps to limit the rate of incoming ARP packets. This procedure is optional.
By default, recovery is disabled, and the recovery interval is 300 seconds. For interval interval, specify the time in seconds to recover from the error-disabled state. The range is 30 to 86400.
Step 6 exit Return to privileged EXEC mode.
• For dst-mac, check the destination MAC address in the Ethernet header against the target MAC address in the ARP body. This check is performed for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.
ACL or DHCP permitted packets for each packet that is denied by source MAC, destination MAC, or IP validation checks, and the switch increments the appropriate.
ARP inspection for the specified VLAN. If no VLANs are specified or if a range is specified, displays information only for VLANs with dynamic ARP inspection enabled (active).
Note For complete syntax and usage information for the commands used in this chapter, see the “RADIUS Commands” section in the Cisco IOS Security Command Reference, Release 12.4 and the command reference for this release.
Port-Based Authentication Process
When 802.1x port-based authentication is enabled and the client supports 802.1x-compliant client software,...
When the ReAuthenticate action is set (the attribute value is RADIUS-Request), the session is not affected during re-authentication.
• You manually re-authenticate the client by entering the dot1x re-authenticate interface interface-id privileged EXEC command.
The specific exchange of EAP frames depends on the authentication method being used. This figure shows a message exchange initiated by the client when the client uses the One-Time-Password (OTP) authentication method with a RADIUS server. Figure 18: Message Exchange
Authentication Manager for Port-Based Authentication In Cisco IOS Release 12.2(46)SE and earlier, you could not use the same authorization methods, including CLI commands and messages, on this switch and also on other network devices, such as a Catalyst 6000. You had to use separate authentication configurations.
The authentication manager commands provide the same functionality as earlier 802.1x commands. Beginning with Cisco IOS Release 12.2(55)SE, you can filter out verbose system messages generated by the authentication manager. The filtered content typically relates to authentication success. You can also filter verbose messages for 802.1x authentication and MAB authentication.
Page 242
Display 802.1x statistics, administrative status, and operational status for the switch or for the specified port. authentication manager: compatibility with earlier 802.1x CLI commands Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1 OL-29434-01...
When a client logs off, it sends an EAPOL-logoff message, causing the switch port to change to the unauthorized state. If the link state of a port changes from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state. Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1 OL-29434-01...
In this topology, the wireless access point is responsible for authenticating the clients attached to it, and it also acts as a client to the switch.
Note: Guest VLAN and authentication-failed VLAN features are supported for ports configured in multiple-authentication mode. Beginning with Cisco IOS Release 12.2(55)SE, you can assign a RADIUS-server-supplied VLAN in multi-auth mode, under these conditions: • Only one voice VLAN assignment is supported on a multi-auth port.
MAC Replace Beginning with Cisco IOS Release 12.2(55)SE, the MAC replace feature can be configured to address the violation that occurs when a host attempts to connect to a port where another host was previously authenticated.
• STOP–sent when a session terminates You can view the AV pairs that are being sent by the switch by entering the debug radius accounting privileged EXEC command. For more information about this command, see the Cisco IOS Debug Command Reference, Release 12.4.
IP address and specific UDP port numbers. The combination of the IP address and UDP port number creates a unique identifier, which enables RADIUS requests to be sent to multiple UDP ports on a
• If the VLAN configuration change of one device results in matching the other device configured or assigned VLAN, authorization of all devices on the port is terminated and multidomain host mode is
ACLs are supported only in the ingress direction. The switch supports VSAs only in the ingress direction. It does not support port ACLs in the egress direction on Layer 2 ports.
If the RADIUS server does not allow the .in or .out syntax, the access list is applied to the outbound ACL by default. Because of limited support of Cisco IOS access lists on the switch, the Filter-Id attribute is supported only for IP ACLs numbered 1 to 199 and 1300 to 2699 (IP standard and IP extended ACLs).
The auth-default ACL is removed from the port when the last authenticated session ends. You can configure the auth-default ACL by using the ip access-list extended auth-default-acl global configuration command. The auth-default ACL does not support Cisco Discovery Protocol (CDP) bypass in single-host mode. Note: You must configure a static ACL on the interface to support CDP bypass.
The switch then forwards the client web browser to the specified redirect address. The url-redirect AV pair on the Cisco Secure ACS contains the URL to which the web browser is redirected. The url-redirect-acl attribute value pair contains the name or number of an ACL that specifies the HTTP or HTTPS traffic to redirect.
The feature also limits the number of VLANs monitored and handled by STP. The network can be managed as a fixed VLAN. Note: This feature is not supported on Cisco ACS Server. (The ACS server ignores the sent VLAN-IDs for new hosts and only authenticates based on the MAC address.)
If you do this, the only way to restart the authentication process is for the port to receive a link down or EAP logoff event. We recommend that you keep re-authentication enabled if a client might
• If the port is already authorized and reauthentication occurs, the switch puts the critical port in the critical-authentication state in the current VLAN, which might be the one previously assigned by the RADIUS server.
When a member is added to the stack, the stack master sends the member the server status.
• PVID to carry the data traffic to and from the workstation connected to the switch through the IP phone. The PVID is the native VLAN of the port.
A voice VLAN port becomes active when there is a link, and the device MAC address appears after the first CDP message from the IP phone. Cisco IP phones do not relay CDP messages from other devices. As a result, if several IP phones are connected in series, the switch recognizes only the one directly connected to it.
• Guest VLAN—If a client has an invalid MAC address identity, the switch assigns the client to a guest VLAN if one is configured. • Restricted VLAN—This feature is not supported when the client connected to an IEEE 802.1x port is authenticated with MAC authentication bypass.
Open1x authentication allows a device access to a port before that device is authenticated. When open authentication is configured, a new host can pass traffic according to the access control list (ACL) defined on
The switch supports multidomain authentication (MDA), which allows both a data device and voice device, such as an IP phone (Cisco or non-Cisco), to authenticate on the same switch port. The port is divided into a data domain and a voice domain.
• If more than one device attempts authorization on either the voice or the data domain of a port, it is error disabled. • Until a device is authorized, the port drops its traffic. Non-Cisco IP phones or voice devices are allowed into both the data and voice VLANs. The data VLAN allows the voice device to contact a DHCP server to obtain an IP address and acquire the voice VLAN information.
• Auto enablement: Automatically enables trunk configuration on the authenticator switch, allowing user traffic from multiple VLANs coming from supplicant switches. Configure the cisco-av-pair as device-traffic-class=switch at the ACS. (You can configure this under the group or the user settings.)
Table 25: Default 802.1x Authentication Configuration

Feature | Default Setting
Switch 802.1x enable state | Disabled.
Per-port 802.1x enable state | Disabled (force-authorized). The port sends and receives normal traffic without 802.1x-based authentication of the client.
(Server timeout) | You can change this timeout period by using the dot1x timeout server-timeout interface configuration command.
Guest VLAN | None specified.
Inaccessible authentication bypass | Disabled.
Restricted VLAN | None specified.
• Before globally enabling 802.1x authentication on a switch by entering the dot1x system-auth-control global configuration command, remove the EtherChannel configuration from the interfaces on which 802.1x authentication and EtherChannel are configured.
Configuring IEEE 802.1x Port-Based Authentication
802.1x Authentication Configuration Guidelines
• If you are using a device running the Cisco Access Control Server (ACS) application for IEEE 802.1x authentication with EAP-Transport Layer Security (EAP-TLS) and EAP-MD5, make sure that the device is running ACS Version 3.2.1 or later.
This is the maximum number of devices allowed on an 802.1x-enabled port: • In single-host mode, only one device is allowed on the access VLAN. If the port is also configured with a voice VLAN, an unlimited number of Cisco IP phones can send and receive traffic through the voice VLAN.
If error-disabled recovery is not configured for the port, you re-enable it by using the shutdown and no shutdown interface configuration commands.
clear errdisable interface interface-id vlan [vlan-list] (Optional) Reenables individual VLANs that have been error disabled. • For interface-id, specify the port on which to reenable individual VLANs. This is a privileged EXEC command. Example: Switch# clear errdisable interface GigabitEthernet4/0/2 vlan
• the maximum number of allowed devices have been authenticated on the port. Beginning in privileged EXEC mode, follow these steps to configure the security violation actions on the switch:
Specifies the port connected to the client that is to be enabled for IEEE 802.1x authentication, and enters interface configuration mode. Example: Switch(config)# interface gigabitethernet1/0/4
Step 5 switchport mode access Sets the port to access mode. Example: Switch(config-if)# switchport mode access
6. The switch sends an interim accounting update to the accounting server that is based on the result of re-authentication. 7. The user disconnects from the port. 8. The switch sends a stop message to the accounting server.
To set the timeout, retransmit count, and key for every RADIUS server at once, use the radius-server timeout, radius-server retransmit, and radius-server key global configuration commands; values given as keywords on a radius-server host command apply to that server only and override the global settings.
This key must match the key configured on the RADIUS daemon. If you want to use multiple RADIUS servers, re-enter this command for each server. Step 3 end Returns to privileged EXEC mode. Example: Switch(config)# end
IEEE 802.1x-authorized port that has the authentication port-control interface configuration command set to auto. Use the multi-domain keyword to configure and enable multidomain authentication (MDA), which allows both a host and a voice device, such as an IP phone (Cisco or non-Cisco), on the same switch port. This procedure is optional.
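The following is an added end-to-end configuration, written for this page rather than taken from the guide, that ties the RADIUS, global, and per-port steps together: a multidomain port (one data host plus one IP phone) that tries 802.1x first and falls back to MAB. The server address 10.1.1.10, the shared key, the VLAN numbers and the port number are assumptions for illustration.

```cisco
! Added example (not from the guide). Addresses, key and VLANs are assumed.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
! RADIUS server; the key must match the one configured on the server
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key Example-Key
! let the server return VSAs (VLAN, ACL, cisco-av-pair) in Access-Accept
radius-server vsa send authentication
! enable 802.1x globally; per-port auto state has no effect without this
dot1x system-auth-control
!
interface gigabitethernet1/0/4
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! one host in the data domain, one voice device in the voice domain
 authentication host-mode multi-domain
 authentication port-control auto
 ! try 802.1x first; MAB only if the supplicant does not answer
 authentication order dot1x mab
 authentication priority dot1x mab
 ! re-authenticate on the interval the RADIUS server returns (Session-Timeout)
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 mab
 spanning-tree portfast
```

Verify the session state with show authentication sessions interface gigabitethernet1/0/4; a MAB-authorized phone and a dot1x-authorized host should appear as two separate sessions in the VOICE and DATA domains.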
Beginning in privileged EXEC mode, follow these steps to change the quiet period. This procedure is optional.
Verifies your entries. Example: Switch# show authentication sessions interface gigabitethernet2/0/1
Step 6 copy running-config startup-config (Optional) Saves your entries in the configuration file. Example: Switch# copy running-config startup-config
EAP-request/identity frame from the client before resending the request. The range is 1 to 65535 seconds; the default is 5. Example: Switch(config-if)# authentication timer reauthenticate 60
Beginning in privileged EXEC mode, follow these steps to set the re-authentication number. This procedure is optional.
Step 5 end Returns to privileged EXEC mode. Example: Switch(config-if)# end
Enabling MAC Move
MAC move allows an authenticated host to move from one port on the switch to another.
Step 4 show running-config Verifies your entries. Example: Switch# show running-config
Step 5 copy running-config startup-config (Optional) Saves your entries in the configuration file. Example: Switch# copy running-config startup-config
• restrict: violating packets are dropped by the CPU and a system message is generated. • shutdown: the port is error disabled when it receives an unexpected MAC address.
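An added example (not from the guide) that puts the MAC move and violation-action settings side by side. The first port keeps the default shutdown action and relies on errdisable recovery to come back; the second uses the MAC replace action so a hot-desking host does not error-disable the port. Port numbers and the recovery interval are assumptions.

```cisco
! Added example (not from the guide). Port numbers and timers are assumed.
! Let a host that is already authenticated on one port show up on another
! without a violation (its old session is torn down first).
authentication mac-move permit
!
! Recover error-disabled ports automatically instead of shut/no shut by hand
errdisable recovery cause security-violation
errdisable recovery interval 300
!
! Port A: strict. A second MAC in single-host mode error-disables the port.
interface gigabitethernet1/0/5
 switchport mode access
 authentication host-mode single-host
 authentication port-control auto
 authentication violation shutdown
 dot1x pae authenticator
 mab
!
! Port B: shared desk. The new MAC replaces the old session and is
! authenticated in its turn; nothing is learned without authentication.
interface gigabitethernet1/0/6
 switchport mode access
 authentication host-mode single-host
 authentication port-control auto
 authentication violation replace
 dot1x pae authenticator
 mab
```

Check the result with show errdisable recovery (recovery cause and countdown) and show authentication sessions interface gigabitethernet1/0/6 after plugging in a second device; with replace the session shows the new MAC, with shutdown the port is listed as err-disabled in show interfaces status.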
RADIUS Accounting” in your RADIUS server System Configuration tab. Beginning in privileged EXEC mode, follow these steps to configure 802.1x accounting after AAA is enabled on your switch. This procedure is optional.
RADIUS servers) and generates system accounting reload event messages when the switch reloads. This is a global configuration command. Example: Switch(config)# aaa accounting system default start-stop group radius
Step 5 end Returns to privileged EXEC mode. Example: Switch(config)# end
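An added example (not from the guide) of the complete accounting side of the procedure, including the interim updates that carry the re-authentication result described in the numbered sequence above. The server address, key, and the 15-minute update interval are assumptions.

```cisco
! Added example (not from the guide). Server address, key and interval assumed.
aaa new-model
! START/STOP for every 802.1x and MAB session
aaa accounting dot1x default start-stop group radius
! START on boot and STOP on reload, so a dropped switch is visible server-side
aaa accounting system default start-stop group radius
! Interim updates: immediately when session data changes (re-auth, new IP)
! and periodically every 15 minutes so a silent host still shows as alive
aaa accounting update newinfo periodic 15
!
! acct-port 1813 is the IANA port; older servers may listen on 1646
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key Example-Key
! send Framed-IP-Address and VSAs in accounting records too
radius-server vsa send accounting
```

To see the AV pairs actually sent, enable debug radius accounting on a test port only; the STOP record should carry the Acct-Terminate-Cause for the disconnect and the interim record should follow a manual dot1x re-authenticate.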
VLAN when the authentication server does not receive a valid username and password. The switch supports restricted VLANs only in single-host mode. Beginning in privileged EXEC mode, follow these steps to configure a restricted VLAN. This procedure is optional.
Step 3 switchport mode access or switchport mode private-vlan host
• Sets the port to access mode, or
• Configures the Layer 2 port as a private-VLAN host port.
Example: Switch(config-if)# switchport mode access
Step 4 authentication port-control auto Enables 802.1x authentication on the port. Example: Switch(config-if)# authentication port-control auto
authentication event fail retry retry-count Specifies the number of authentication attempts to allow before a port moves to the restricted VLAN. The range is 1 to 3, and the default is 3. Example: Switch(config-if)# authentication event fail retry 2
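An added example (not from the guide) that shows the restricted VLAN together with the guest VLAN and the inaccessible authentication bypass (critical VLAN) on one single-host port, since all three are decided by the same authentication event commands. VLAN numbers, the retry count, and the port are assumptions; the restricted VLAN is deliberately not the guest VLAN so that "failed a password" and "has no supplicant" land in different places.

```cisco
! Added example (not from the guide). VLAN numbers and port are assumed.
vlan 90
 name GUEST-NO-SUPPLICANT
vlan 91
 name RESTRICTED-AUTH-FAILED
!
interface gigabitethernet1/0/7
 switchport mode access
 switchport access vlan 10
 ! restricted VLAN is supported only in single-host mode
 authentication host-mode single-host
 authentication port-control auto
 ! no EAPOL response at all -> guest VLAN (e.g. a printer without 802.1x)
 authentication event no-response action authorize vlan 90
 ! wrong credentials -> restricted VLAN after two failed attempts
 authentication event fail action authorize vlan 91
 authentication event fail retry 2
 ! all RADIUS servers dead -> keep the port usable in the access VLAN
 authentication event server dead action authorize vlan 10
 ! when a server comes back, re-run authentication for critical-VLAN ports
 authentication event server alive action reinitialize
 ! keep periodic re-auth on; otherwise only link-down or EAPOL-logoff
 ! ever moves a host out of the restricted or guest VLAN
 authentication periodic
 authentication timer reauthenticate 3600
 dot1x pae authenticator
```

Verify which branch a host took with show authentication sessions interface gigabitethernet1/0/7 (the Status and Domain fields) and show vlan brief for the VLAN it landed in.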
The range for time is from 1 to 120 seconds. The switch dynamically determines the default seconds value, which is 10 to 60 seconds. Example: Switch(config)# radius-server
RADIUS daemon. You can also configure the authentication and encryption key by using the radius-server key {0 string| 7 string | string} global configuration command.
By default, the port is bidirectional. • in—Sets the port as unidirectional. The port can send packets to the host but cannot receive packets from the host.
Returns to privileged EXEC mode. Example: Switch(config)# end
Configuring 802.1x User Distribution
Beginning in privileged EXEC mode, follow these steps to configure a VLAN group and to map a VLAN to
VLAN group configurations and mapping to the specified VLANs:

Switch(config)# vlan group eng-dept vlan-list 10
Switch(config)# show vlan group group-name eng-dept
Group Name      Vlans Mapped
-------------   --------------
eng-dept

Switch(config)# show dot1x vlan-group all
Group Name      Vlans Mapped
Switch(config)# no vlan group eng-dept vlan-list all
Switch(config)# show vlan-group all
For more information about these commands, see the Cisco IOS Security Command Reference.
Configuring NAC Layer 2 802.1x Validation
You can configure NAC Layer 2 802.1x validation, which is also referred to as 802.1x authentication with a RADIUS server.
This command affects the behavior of the switch only if periodic re-authentication is enabled. Example: Switch(config-if)# authentication timer reauthenticate
Step 7 end Returns to privileged EXEC mode. Example: Switch(config-if)# end
Note The cisco-av-pairs must be configured as device-traffic-class=switch on the ACS, which sets the interface as a trunk after the supplicant is successfully authenticated. Beginning in privileged EXEC mode, follow these steps to configure a switch as an authenticator: SUMMARY STEPS 1.
Enables Port Fast on an access port connected to a single workstation or server. Example: Switch(config-if)# spanning-tree portfast trunk
Step 8 end Returns to privileged EXEC mode. Example: Switch(config-if)# end
Specifies the port to be configured, and enters interface configuration mode. Example: Switch(config)# interface gigabitethernet1/0/1
Step 8 switchport trunk encapsulation dot1q Sets the port to trunk mode. Example: Switch(config-if)# switchport trunk
You can also use an Auto Smartports user-defined macro instead of the switch VSA to configure the authenticator switch. For more information, see the Auto Smartports Configuration Guide for this release.
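Both halves of a NEAT deployment as one added example (not from the guide): the authenticator (upstream) switch and the supplicant (compact, wiring-closet) switch. Port numbers, the credential name and the password are assumptions. The trunk on the authenticator side is not configured by hand; it is turned on by the device-traffic-class=switch cisco-av-pair that the ACS returns once the supplicant switch authenticates.

```cisco
! ---- Authenticator switch (added example, not from the guide) ----
! CISP carries the supplicant's MAC table and the trunk request in band
cisp enable
dot1x system-auth-control
interface gigabitethernet1/0/2
 description to supplicant switch
 ! starts as an access port; becomes a trunk after authentication if the
 ! server returns cisco-av-pair "device-traffic-class=switch"
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 ! portfast trunk: the port will be a trunk once authorized, and a
 ! plain "spanning-tree portfast" would be ignored in trunk mode
 spanning-tree portfast trunk
!
! ---- Supplicant switch (added example, not from the guide) ----
cisp enable
! credentials the switch presents as an EAP supplicant (assumed values)
dot1x credentials NEAT-CREDS
 username supplicant-switch
 password 0 Example-Pass
! send EAPOL to the multicast address so the authenticator sees it
! before it has learned the supplicant's MAC
dot1x supplicant force-multicast
interface gigabitethernet1/0/1
 description uplink to authenticator
 switchport trunk encapsulation dot1q
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials NEAT-CREDS
```

On the authenticator, show authentication sessions interface gigabitethernet1/0/2 should show the supplicant switch's MAC as a dot1x session and show interfaces gigabitethernet1/0/2 switchport should report Operational Mode: trunk after success; if the port stays in access mode the av-pair was not returned or CISP is disabled on one side.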
• host: The keyword host as an abbreviation for source and source-wildcard of source 0.0.0.0. (Optional) Applies the source-wildcard wildcard bits to the source.
• interval interval—Sets the number of seconds that the switch waits for a response before resending the ARP probe. The range is from 30 to 300 seconds. The default is 30 seconds. Example: Switch(config)# ip device tracking probe count
Switch(config-if)# end
Related Topics Flexible Authentication Ordering, on page 239
Configuring Open1x
Beginning in privileged EXEC mode, follow these steps to enable manual control of the port authorization state:
Step 5 authentication fallback name (Optional) Configures a port to use web authentication as a fallback method for clients that do not support 802.1x authentication. Example: Switch(config-if)# authentication fallback profile1
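An added example (not from the guide) that combines flexible authentication ordering, Open1x, and the web-authentication fallback profile on one port, with the pre-authentication ACL that bounds what an unauthenticated host can do while the port is open. ACL contents, names, the DHCP/DNS assumptions and the port are illustrative.

```cisco
! Added example (not from the guide). Names, ACL contents and port assumed.
! What an unauthenticated host may do while the port is "open":
! DHCP and DNS so it can get an address and resolve the portal, nothing else.
ip access-list extended PRE-AUTH
 permit udp any any eq bootps
 permit udp any any eq domain
 deny ip any any
!
! Web-auth rule used as the last resort for hosts with no supplicant
ip admission name WEBAUTH-FALLBACK proxy http
fallback profile WEB-FALLBACK
 ip access-group PRE-AUTH in
 ip admission WEBAUTH-FALLBACK
! web auth on a Layer 2 port needs the IP-to-port binding table
ip device tracking
ip http server
ip http secure-server
!
interface gigabitethernet1/0/8
 switchport mode access
 ! try 802.1x, then MAB, then the web portal
 authentication order dot1x mab webauth
 ! an 802.1x supplicant that starts late still pre-empts a MAB result
 authentication priority dot1x mab
 authentication port-control auto
 ! Open1x: forward traffic permitted by PRE-AUTH before any method succeeds
 authentication open
 authentication fallback WEB-FALLBACK
 ip access-group PRE-AUTH in
 dot1x pae authenticator
 mab
```

Without authentication open, a host is fully blocked until a method succeeds; with it, the pre-auth ACL is the only thing standing between the port and the network, so the deny ip any any at its end is the part to review. show authentication sessions interface gigabitethernet1/0/8 lists the method that finally authorized each host.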
Related Topics Open1x Authentication, on page 239
Disabling 802.1x Authentication on the Port
You can disable 802.1x authentication on the port by using the no dot1x pae interface configuration command.
Switch(config-if)# switchport mode access
Step 4 no dot1x pae authenticator Disables 802.1x authentication on the port. Example: Switch(config-if)# no dot1x pae authenticator
Step 5 end Returns to privileged EXEC mode. Example: Switch(config-if)# end
no dot1x logging verbose Filters verbose 802.1x authentication messages (beginning with Cisco IOS Release 12.2(55)SE). For detailed information about the fields in these displays, see the command reference for this release.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
For Layer 2 interfaces, web-based authentication detects IP hosts by using these mechanisms: • ARP based trigger—ARP redirect ACL allows web-based authentication to detect hosts with a static IP address or a dynamic IP address. • Dynamic ARP inspection
• If the terminate action is RADIUS, the feature sends a nonresponsive host (NRH) request to the server. The terminate action is included in the response from the server. • If the terminate action is default, the session is dismantled, and the applied policy is removed.
• Legacy mode—Use the ip admission auth-proxy-banner http global configuration command. • New-style mode—Use the parameter-map type webauth global banner global configuration command. The default banner Cisco Systems and Switch host-name Authentication appear on the Login Page. Cisco Systems appears on the authentication result pop-up page.
• Legacy mode—Use the ip admission auth-proxy-banner http file-path global configuration command. • New-style mode—Use the parameter-map type webauth global banner global configuration command. Figure 24: Customized Web Banner
Figure 25: Login Screen With No Banner For more information, see the Session Aware Networking Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) and the Web Authentication Enhancements - Customizing Authentication Proxy Web Pages.
• You must include an HTML redirect command in the success page to access a specific URL. • The URL string must be a valid URL (for example, http://www.cisco.com). An incomplete URL might cause page not found or similar errors on a web browser.
• To remove the specification of a custom file, use the no form of the command. Because the custom login page is a public web form, consider these guidelines for the page:
You can configure web-based authentication on the same Layer 3 interface as Gateway IP. The host policies for both features are applied in software. The GWIP policy overrides the web-based authentication host policy. Catalyst 2960-XR Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX1 OL-29434-01...
How to Configure Web-Based Authentication ACLs If you configure a VLAN ACL or a Cisco IOS ACL on an interface, the ACL is applied to the host traffic only after the web-based authentication host policy is applied. For Layer 2 web-based authentication, it is more secure, though not required, to configure a port ACL (PACL) as the default access policy for ingress traffic from hosts connected to the port.
Configuring the Authentication Rule and Interfaces Examples in this section are legacy-style configurations. For new-style configurations, see the Session Aware Networking Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches) This example shows how to verify the configuration: Switch# show ip admission status...
Applies the default ACL. Example: Switch(config-if)# ip access-group webauthag
Step 5 ip admission name Configures web-based authentication on the specified interface. Example: Switch(config-if)# ip admission webauth1
{key-data} Configures the authentication and encryption key used between the switch and the TACACS server. Example: Switch(config)# tacacs-server key
Step 7 end Returns to privileged EXEC mode. Example: Switch(config)# end
Example: Switch(config)# ip radius source-interface vlan 80
Step 3 radius-server host {hostname | ip-address} test username username Specifies the host name or IP address of the remote RADIUS server.
To set these options for every RADIUS server at once, use the radius-server timeout, radius-server retransmit, and radius-server key global configuration commands; per-server values are given as keywords on the radius-server host command. For more information, see the Cisco IOS Security Configuration Guide, Release 12.4 and the Cisco IOS Security Command Reference, Release 12.4. Note...
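An added example (not from the guide) of the RADIUS server health settings this section and the dead-criteria step earlier describe: a fixed source interface, automated test probes per server, dead-criteria and deadtime, and the global timeout/retransmit/key defaults that the per-server keywords override. Addresses, the probe user, the key and the timers are assumptions; the probe user should be an account on the server that is valid for nothing but this check.

```cisco
! Added example (not from the guide). Addresses, user, key and timers assumed.
! Always source RADIUS from the management SVI so the server sees one NAS IP
ip radius source-interface vlan 80
!
! Global defaults: 5 s per try, 3 tries, shared key
radius-server timeout 5
radius-server retransmit 3
radius-server key Example-Key
!
! Two servers; each is probed with an Access-Request for "probe-user"
! after 5 idle minutes so a dead server is noticed before a real login
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 test username probe-user idle-time 5
! second server keeps its own key (per-server keyword overrides the global)
radius-server host 10.1.1.11 auth-port 1812 acct-port 1813 test username probe-user idle-time 5 key Other-Key
!
! Mark a server dead when no reply for 20 s across 3 tries ...
radius-server dead-criteria time 20 tries 3
! ... and skip it for 10 minutes before trying it again
radius-server deadtime 10
```

show radius server-group all and show aaa servers report each server's state (UP or DEAD) and the probe counters; a server that never leaves DEAD while the real one answers usually means the probe user is rejected with a reason that counts as no response (wrong key) rather than a clean Access-Reject, which is a valid reply.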
HTTPS (secure HTTP) even if the user sends an HTTP request.
Step 4 end Returns to privileged EXEC mode. Example: Switch(config)# end
For the equivalent Session Aware Networking configuration example for this feature, see the section "Configuring a Parameter Map for Web-Based Authentication" in the chapter, "Configuring Identity Control Policies." of the book, "Session Aware Networking Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)."...
Specifying a Redirection URL for Successful Login
Beginning in privileged EXEC mode, follow these steps to specify a URL to which the user is redirected after authentication, effectively replacing the internal Success HTML page:
HTTPD1 Contexts   Hi watermark
Parameter Map: Global
Custom Pages
  Custom pages not configured
Banner
  Banner not configured

Related Topics Redirection URL for Successful Login Guidelines, on page 309
Beginning in privileged EXEC mode, follow these steps to configure a local banner on a switch that has web authentication configured. SUMMARY STEPS 1. configure terminal 2. ip admission auth-proxy-banner http [banner-text | file-path] 3. end
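One added legacy-style configuration (not from the guide) that serves the whole web-authentication chapter: the rule-and-interface procedure (authentication rule, default PACL, ip admission on the port), the success-redirect URL, and the local banner, plus the custom-page variant as a commented alternative. Addresses, names, file names and URLs are assumptions. The default ACL is the security-relevant piece: on a Layer 2 port it is what an unauthenticated host can reach, so it admits DHCP, DNS and the switch's own HTTP listener and denies the rest.

```cisco
! Added example (not from the guide). Addresses, names, files and URLs assumed.
aaa new-model
aaa authentication login default group radius
! the switch asks RADIUS for the per-host policy after a successful login
aaa authorization auth-proxy default group radius
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key Example-Key
! web auth needs the IP-to-port binding table on Layer 2 ports
ip device tracking
! the portal is served by the switch's own HTTP/HTTPS server
ip http server
ip http secure-server
!
! authentication rule: intercept HTTP from unauthenticated hosts
ip admission name webauth1 proxy http
! send users somewhere useful instead of the internal "Success" page
ip admission proxy http success redirect http://intranet.example.com/welcome
! legal notice shown on the login page (delimiter is the character after http)
ip admission auth-proxy-banner http C Authorized users only. Activity is monitored. C
! alternative: fully custom pages in flash (images must be inline, no links)
! ip admission proxy http login page file flash:login.html
! ip admission proxy http success page file flash:success.html
! ip admission proxy http failure page file flash:failure.html
! ip admission proxy http login expired page file flash:expired.html
!
! default PACL for hosts that have not logged in yet
ip access-list extended webauthag
 permit udp any any eq bootps
 permit udp any any eq domain
 ! allow the host to reach the portal itself; 10.80.0.1 is the switch SVI (assumed)
 permit tcp any host 10.80.0.1 eq www
 permit tcp any host 10.80.0.1 eq 443
 deny ip any any
!
interface gigabitethernet1/0/9
 switchport mode access
 ip access-group webauthag in
 ip admission webauth1
```

show ip admission configuration lists the rule, banner and redirect; show ip admission cache shows each host's state, and clear ip auth-proxy cache 192.168.4.5 (an assumed host address) forces that host back through the portal.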
Delete authentication proxy entries. Use an asterisk to delete all cache entries. Enter a specific IP address to delete the entry for a single host. Example: Switch# clear ip auth-proxy cache 192.168.4.5
show authentication sessions interface type slot/port [details] Displays the web-based authentication settings for the specified interface for fastethernet, gigabitethernet, or tengigabitethernet. In Session Aware Networking mode, use the show access-session interface command.
Overview of Port-Based Traffic Control Port-based traffic control is a set of Layer 2 features on the Cisco Catalyst switches used to filter or block packets at the port level in response to specific traffic conditions. The following port-based traffic control features are supported in the Cisco IOS Release for which this guide is written: •...
Note: When the storm control threshold for multicast traffic is reached, all multicast traffic except control traffic, such as bridge protocol data unit (BPDU) and Cisco Discovery Protocol (CDP) frames, is blocked. However, the switch does not differentiate between routing updates, such as OSPF, and regular multicast data traffic, so both types of traffic are blocked.
Enters global configuration mode. Example: Switch# configure terminal
Step 2 interface interface-id Specifies the interface to be configured, and enters interface configuration mode. Example: Switch(config)# interface gigabitethernet1/0/1
• Select the shutdown keyword to error-disable the port during a storm. • Select the trap keyword to generate an SNMP trap when a storm is detected. Example: Switch(config-if)# storm-control action trap
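An added example (not from the guide) of storm control on an access port with the three threshold styles the command supports (percentage, packets per second, bits per second), a falling threshold so the port does not flap at the limit, and both actions together with automatic recovery. Levels, timers and the port are assumptions; the multicast caveat above means the multicast level should be set with the routing protocols on the port in mind.

```cisco
! Added example (not from the guide). Levels, timers and port are assumed.
! Bring a port back automatically 5 minutes after a storm shut it down
errdisable recovery cause storm-control
errdisable recovery interval 300
! Rate-limit the SNMP traps so a storm does not become a trap storm
snmp-server enable traps storm-control trap-rate 1
!
interface gigabitethernet1/0/10
 switchport mode access
 ! broadcast: suppress above 20% of bandwidth, resume below 10%
 storm-control broadcast level 20.00 10.00
 ! multicast: packets per second; OSPF/other control multicast counts too
 storm-control multicast level pps 2k 1k
 ! unknown unicast: bits per second
 storm-control unicast level bps 10m 5m
 ! both actions can be set: trap on detection, shut the port if it persists
 storm-control action trap
 storm-control action shutdown
```

show storm-control gigabitethernet1/0/10 shows the per-type state (Forwarding or Blocked), the configured upper and lower levels and the current rate; with only a level and no action the switch drops the excess silently, which is the default and usually the better choice on uplinks.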
Some applications require that no traffic be forwarded at Layer 2 between ports on the same switch so that one neighbor does not see the traffic generated by another neighbor. In such an environment, the use of
The interface can be a physical interface or an EtherChannel group. When you block multicast or unicast traffic for a port channel, it is blocked on all ports in the port-channel group.
Example: Switch(config-if)# switchport block unicast
Step 5 end Returns to privileged EXEC mode. Example: Switch(config-if)# end
Step 6 show interfaces interface-id switchport Verifies your entries. Example: Switch# show interfaces gigabitethernet1/0/1 switchport
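An added example (not from the guide) that applies protected ports and unknown-unicast/multicast blocking together on a group of tenant-facing access ports and on an EtherChannel, which is the combination that stops both peer-to-peer forwarding and flooded traffic from reaching a port. Port numbers are assumptions.

```cisco
! Added example (not from the guide). Port numbers are assumed.
! Tenant ports: no Layer 2 forwarding between them (protected), and no
! flooded unknown-unicast or multicast delivered to them (block)
interface range gigabitethernet1/0/11 - 14
 switchport mode access
 switchport protected
 switchport block unicast
 switchport block multicast
!
! Blocking on a port channel applies to every member port
interface port-channel 1
 switchport block unicast
!
! The uplink stays unprotected so tenants can still reach the router;
! protected ports only isolate protected-from-protected traffic
interface gigabitethernet1/0/24
 switchport mode trunk
```

show interfaces gigabitethernet1/0/11 switchport reports Protected: true, Unknown unicast blocked: enabled and Unknown multicast blocked: enabled. Note that protected ports do nothing across switches, and that blocking unknown unicast also drops the first packet to a destination the switch has not yet learned.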
Switch Database Management (SDM) template. This number is the total of available MAC addresses, including those used for other Layer 2 functions and any other secure MAC addresses configured on interfaces.
If sticky learning is disabled, the sticky secure MAC addresses are converted to dynamic secure addresses and are removed from the running configuration.
This table shows the violation mode and the actions taken when you configure an interface for port security.

Table 33: Security Violation Mode Actions

Violation Mode | Traffic is forwarded | Sends SNMP trap | Sends syslog message | Displays error message | Violation counter increments | Shuts down port
protect | No | No | No | No | No | No
restrict | No | Yes | Yes | No | Yes | No
MAC addresses configured or learned by that switch are deleted from the secure MAC address table.

Default Port Security Configuration

Table 34: Default Port Security Configuration

Feature | Default Setting
Port security | Disabled on a port.
Sticky address learning | Disabled.
IP phone requires one MAC address. The Cisco IP phone address is learned on the voice VLAN, but is not learned on the access VLAN. If you connect a single PC to the Cisco IP phone, no additional MAC addresses are required. If you connect more than one PC to the Cisco IP phone, you must configure enough secure addresses to allow one for each PC and one for the phone.
Enabling and Configuring Port Security
Before You Begin
This task restricts input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port:
Step 4 switchport voice vlan vlan-id Enables voice VLAN on a port. vlan-id—Specifies the VLAN to be used for voice traffic. Example: Switch(config-if)# switchport voice vlan 22
MAC addresses or increase the number of maximum allowable addresses. An SNMP trap is sent, a syslog message is logged, and the violation counter increments.
Note: If you do not enable sticky learning before this command is entered, an error message appears, and you cannot enter a sticky secure MAC address. Example: Switch(config-if)# switchport port-security mac-address sticky
(Optional) vlan—sets a per-VLAN maximum value.
Use this feature to remove and add devices on a secure port without manually deleting the existing secure MAC addresses, while still limiting the number of secure addresses on a port. You can enable or disable the aging of secure addresses on a per-port basis.
vlan—Displays the number of secure MAC addresses configured per VLAN on the specified interface.
When a switch is flooded with Address Resolution Protocol (ARP) or control packets, high CPU utilization can cause the CPU to overload. These issues can occur:
• Routing protocols can flap because the protocol control packets are not received, and neighboring adjacencies are dropped.
• You have configured the necessary IPv6 enabled SDM template. • You should be familiar with the IPv6 neighbor discovery feature. For information, see the "Implementing IPv6 Addressing and Basic Connectivity" chapter of the Cisco IOS IPv6 Configuration Library on Cisco.com.
DHCP guard. To debug DHCP guard packets, use the debug ipv6 snooping dhcp-guard privileged EXEC command.

How to Configure an IPv6 Snooping Policy

Beginning in privileged EXEC mode, follow these steps to configure an IPv6 Snooping Policy:
In addition, it rejects RA and DHCP server messages. This is the default option.
inspect—Gleans addresses, validates messages for consistency and conformance, and enforces address ownership.
Step 5: do show running-config
Verifies that the policy is attached to the specified interface without exiting the interface configuration mode.
Example: Switch(config-if)# do show running-config

How to Configure the IPv6 Binding Table Content

Beginning in privileged EXEC mode, follow these steps to configure the IPv6 Binding Table Content:
Enables the logging of binding table main events.
Example: Switch(config)# ipv6 neighbor binding logging
Step 5: exit
Exits global configuration mode, and places the router in privileged EXEC mode.
Example: Switch(config)# exit
Attaches the IPv6 Neighbor Discovery policy to the specified VLANs across all switch and stack interfaces. The default policy is attached if the attach-policy option is not used.
Example: Switch(config-vlan-config)# ipv6 nd inspection attach-policy example_policy
| except vlan_ids | none | remove vlan_ids | all} ] to the interface or the specified VLANs on that interface. The default policy is attached if the attach-policy option is not used.
(Optional) device-role [client | server]—Specifies the role of the device attached to the port.
• client—Default value, specifies that the attached device is a client. Server messages are dropped on this port.
Example: Switch(config-dhcp-guard)# device-role server

How to Attach an IPv6 Source Guard Policy to an Interface

SUMMARY STEPS
1. configure terminal
2. interface Interface_type stack/module/port
3. ipv6 source-guard attach-policy policy_name
4. do show running-config
Switch(config-if)# ipv6 source-guard attach-policy example_policy
Step 4: do show running-config
Confirms that the policy is attached to the specified interface without exiting the configuration mode.
Example: Switch(config-if)# do show running-config
The key component of Cisco TrustSec is the Cisco Identity Services Engine (ISE). Cisco ISE can provision switches with TrustSec Identities and Security Group ACLs (SGACLs), though these may be configured manually on the switch.
Information About Cisco TrustSec

The table below lists the TrustSec features to be eventually implemented on TrustSec-enabled Cisco switches. Successive general availability releases of TrustSec will expand the number of switches supported and the number of TrustSec features supported per switch.

Table 37: Feature Information for Cisco TrustSec
Feature Name: Cisco TrustSec
Release 15.0(2)EX: SXP is introduced on the Catalyst 2960-X switch.
Release 15.0(2)EX1: SXP is introduced on the Catalyst 2960-XR switch.