Security

This chapter contains the following sections:

TACACS+ Client

An organization can establish a Terminal Access Controller Access Control System (TACACS+) server to provide centralized security for all of its devices. In this way, authentication and authorization can be handled on a single server for all devices in the organization.

The device can act as a TACACS+ client that uses the TACACS+ server for the following services: The TACACS+ page enables configuring TACACS+ servers.

  • Authentication—Provides authentication of users logging onto the device by using usernames and user-defined passwords.

  • Authorization—Performed at login. After the authentication session is completed, an authorization session starts using the authenticated username. The TACACS+ server then checks user privileges.

  • Accounting—Enable accounting of login sessions using the TACACS+ server. This enables a system administrator to generate accounting reports from the TACACS+ server.

To configure TACACS+ server parameters, follow these steps:

Procedure


Step 1

Click Security > TACACS+ Client.

Step 2

Enable TACACS+ Accounting if required.

Step 3

Enter the following default parameters:

Option Description
Key String Enter the default Key String used for communicating with all TACACS+ servers in Encrypted or Plaintext mode.

If you enter both a key string here and a key string for an individual TACACS+ server, the key string configured for the individual TACACS+ server takes precedence.

Timeout for Reply

Enter the amount of time that passes before the connection between the device and the TACACS+ server times out. If a value isn’t entered in the Add TACACS+ Server page for a specific server, the value is taken from this field.

Source IPv4 Interface

Select the device IPv4 source interface to be used in messages sent for communication with the TACACS+ server.

Source IPv6 Interface

Select the device IPv6 source interface to be used in messages sent for communication with the TACACS+ server.

Note

 

If the Auto option is selected, the system takes the source IP address from the IP address defined on the outgoing interface.

Step 4

Click Apply. The TACACS+ default settings are added to the Running Configuration file. These are used if the equivalent parameters are not defined in the Add page.

The information for each TACACS server is displayed in the TACACS+ Server Table. The fields in this table are entered in the Add page except for the Status field. This field describes whether the server is connected or not to the device.

Step 5

To add a TACACS+ server, click Add. To edit the TACACS+ Server, select the TACACS+ server and click Edit.

Step 6

Next, configure the parameters.

Option Description
Server Definition Select one of the following ways to identify the TACACS+ server:
  • By IP address-If this is selected, enter the IP address of the server in the Server IP Address/Name field.

  • By name-If this is selected enter the name of the server in the Server IP Address/Name field.

IP Version

Select the supported IP version of the source address: IPv6 or IPv4.

IPv6 Address Type

Select the IPv6 address type (if IPv6 is used). The options are:

  • Link Local-The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, isn’t routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.

  • Global-The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks.

Link Local Interface

Select the link local interface (if IPv6 Address Type Link Local is selected) from the list.

Server IP Address/Name

Enter the IP address or name of the TACACS+ server.

Priority

Enter the order in which this TACACS+ server is used. Zero is the highest priority TACACS+ server and is the first server used. If it can’t establish a session with the high priority server, the device tries the next highest priority server.

Key String

Enter the default key string used for authenticating and encrypting between the device and the TACACS+ server. This key must match the key configured on the TACACS+ server.

A key string is used to encrypt communications by using MD5. You can select the default key on the device, or the key can be entered in Encrypted or Plaintext form. If you don’t have an encrypted key string (from another device), enter the key string in plaintext mode and click Apply. The encrypted key string is generated and displayed.

Timeout for Reply

Select User Defined and enter the amount of time that passes before the connection between the device and the TACACS+ server times out. Select Use Default to use the default value displayed on the page.

Authentication IP Port

Enter the port number through which the TACACS+ session occurs.

Single Connection

Select to enable receiving all information in a single connection. If the TACACS+ server doesn’t support this, the device reverts to multiple connections.

Step 7

Click Apply. The TACACS+ server is added to the Running Configuration file of the device.

Step 8

To display sensitive data in plaintext form on this page, click Display Sensitive Data As Plaintext.


RADIUS Client

Remote Authorization Dial-In User Service (RADIUS) servers provide a centralized 802.1X or MAC-based network access control. The device can be configured to be a RADIUS client that can use a RADIUS server to provide centralized security, and as a RADIUS server. An organization can use the device as establish a Remote Authorization Dial-In User Service (RADIUS) server to provide centralized 802.1X or MAC-based network access control for all of its devices. In this way, authentication and authorization can be handled on a single server for all devices in the organization.

Use RADIUS in network environments that require access security. To set the RADIUS server parameters, follow these steps:

Procedure


Step 1

Click Security > RADIUS Client.

Step 2

Enter the RADIUS Accounting option. The following options are available:

  • Port Based Access Control (802 1X, MAC Based, Web Authentication)—Specifies that the RADIUS server is used for 802.1X port accounting.

  • Management Access—Specifies that the RADIUS server is used for user login accounting.

  • Both Port Based Access Control and Management Access—Specifies that the Radius server is used for both user login accounting and 802.1X port accounting.

  • None—Specifies that the RADIUS server is not used for accounting.

Step 3

Set the Accounting Period - the range is 0 to 65535.

Step 4

Enter the default RADIUS parameters if required. Values entered in the Default Parameters are applied to all servers. If a value is not entered for a specific server (in the Add RADIUS Server page) the device uses the values in these fields.

  • Retries—Enter the number of transmitted requests that are sent to the RADIUS server before a failure is considered to have occurred.

  • Timeout for Reply—Enter the number of seconds that the device waits for an answer from the RADIUS server before retrying the query, or switching to the next server.

  • Dead Time—Enter the number of minutes that elapse before a non-responsive RADIUS server is bypassed for service requests. If the value is 0, the server is not bypassed.

  • Key String—Enter the default key string used for authenticating and encrypting between the device and the RADIUS server. This key must match the key configured on the RADIUS server. A key string is used to encrypt communications by using MD5. The key can be entered in Encrypted or Plaintext form. If you do not have an encrypted key string (from another device), enter the key string in plaintext mode and click Apply. The encrypted key string is generated and displayed.

This overrides the default key string if one has been defined.

  • Source IPv4 Interface—Select the device IPv4 source interface to be used in messages for communication with the RADIUS server.

  • Source IPv6 Interface—Select the device IPv6 source interface to be used in messages for communication with the RADIUS server.

Note

 

If the Auto option is selected, the system takes the source IP address from the IP address defined on the outgoing interface.

Step 5

Click Apply. The RADIUS default settings for the device are updated in the Running Configuration file.

Step 6

To add a RADIUS server, click Add.

Step 7

Enter the values in the fields for each RADIUS server.

  • Server Definition—Select whether to specify the RADIUS server by IP address or name.

  • IP Version—Select the version of the IP address of the RADIUS server.

  • IPv6 Address Type—Select the IPv6 address type (if IPv6 is used). The options are:

    • Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.

    • Global—The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks.

  • Link Local Interface—Select the link local interface (if IPv6 Address Type Link Local is selected) from the list. •

  • Server IP Address/Name—Enter the RADIUS server by IP address or name.

  • Priority—Enter the priority of the server. The priority determines the order the device attempts to contact the servers to authenticate a user. The device starts with the highest priority RADIUS server first. Zero is the highest priority.

  • Key String—Enter the key string used for authenticating and encrypting communication between the device and the RADIUS server. This key must match the key configured on the RADIUS server. It can be entered in Encrypted or Plaintext format. If Use Default is selected, the device attempts to authenticate to the RADIUS server by using the default Key String.

  • Timeout for Reply—Select User Defined and enter the number of seconds the device waits for an answer from the RADIUS server before retrying the query, or switching to the next server if the maximum number of retries made. If Use Default is selected, the device uses the default timeout value.

  • Authentication Port—Enter the UDP port number of the RADIUS server port for authentication requests

  • Accounting Port—Enter the UDP port number of the RADIUS server port for accounting requests.

  • Retries—Select User Defined and enter the number of requests that are sent to the RADIUS server before a failure is considered to have occurred. If Use Default is selected, the device uses the default value for the number of retries.

  • Dead Time—Select User Defined and enter the number of minutes that must pass before a non-responsive RADIUS server is bypassed for service requests. If Use Default is selected, the device uses the default value for the dead time. If you enter 0 minutes, there is no dead time.

  • Usage Type—Enter the RADIUS server authentication type. The options are:

    • Login—RADIUS server is used for authenticating users that ask to administer the device.

    • 802.1x—RADIUS server is used for 802.1x authentication.

    • All—RADIUS server is used for authenticating user that ask to administer the device and for 802.1X authentication.

  • Force Message Authenticator— Use this setting to define that all types of RADIUS responses from the specified RADIUS server must include the Message-Authenticator attribute (RADIUS attribute 80). If this setting is enabled, any type of RADIUS response that does not include the Message-Authenticator attribute will be silently discarded and the event will be logged. If this setting is disabled, then RADIUS responses that do not include this attribute will be discarded only if they are part of an RADIUS exchange using EAP authentication. By default this setting is disabled.

Step 8

Click Apply. The RADIUS server definition is added to the Running Configuration file of the device.

Step 9

To display sensitive data in plaintext form on the page, click Display Sensitive Data As Plaintext.


RADIUS Server

An organization can use the device as a Remote Authorization Dial-In User Service (RADIUS) server to provide centralized 802.1X or MAC-based network access control for all of its devices. Thus, authentication and authorization can be handled on a single server for all devices.

When the device is configured as a RADIUS client, it can use the RADIUS server for the following services:

  • Authentication-Provides authentication of regular and 802.1X users by using usernames and user-defined passwords

  • Authorization-Performed at login After the authentication session is completed, an authorization session starts using the authenticated username. The RADIUS server then checks user privileges.

Accounting-Enable accounting of login sessions using the RADIUS server. This enables a system administrator to generate accounting reports from the RADIUS server. The user-configurable, TCP port used for RADIUS server accounting is the same TCP port that is used for RADIUS server authentication and authorization.

RADIUS Server Global Settings

The device can be configured as a RADIUS server. To set the RADIUS server global parameters, follow these steps:

Procedure


Step 1

Click Security > RADIUS Server > RADIUS Server Global Settings.

Step 2

Enter the following parameters:

  • RADIUS Server Status—Check to enable the RADIUS server feature status.

  • Authentication Port—Enter the UDP port number of the RADIUS server port for authentication requests.

  • Accounting Port—Enter the UDP port number of the RADIUS server port for accounting requests.

    Trap Settings

  • RADIUS Accounting Traps—Check Enable to generate traps for RADIUS accounting events.

  • RADIUS Authentication Failure Traps—Check Enable to generate traps for logins that failed.

  • RADIUS Authentication Success Traps—Check Enable to generate traps for logins that succeeded.

Step 3

Click Apply. The RADIUS default settings for the device are updated in the Running Configuration file.


RADIUS Server Keys

To set the RADIUS server keys, follow these steps:

Procedure


Step 1

Click Security > RADIUS Server > RADIUS Server Keys.

Step 2

Enter the default RADIUS keys if required. Values entered in the Default Key are applied to all servers configured (in the Add RADIUS Server page) to use the default key.

  • Default Key—Enter the default key string used for authenticating and encrypting between the device and the RADIUS client. Select one of the following options:

    • Keep existing default key—For specified servers, the device attempts to authenticate the RADIUS client by using the existing, default Key String.

    • Encrypted—To encrypt communications by using MD5, enter the key in encrypted form.

    • Plaintext—Enter the key string in plaintext mode.

  • MD5 Digest—Displays the MD5 digest of the user-entered password.

Step 3

Click Apply. The RADIUS default settings for the device are updated in the Running Configuration file.

Step 4

Click Add to add a secret key or Edit to edit an existing secret key in the Secret Key Table. Next, enter the following fields:

  • NAS Address—Address of switch containing RADIUS client.

  • Key's MD5 Digest—Undefined by default. This appears only when editing the Secret Key Table.
  • Secret Key—Address of switch containing RADIUS client.

    • Use default Key—For specified servers, the device attempts to authenticate the RADIUS client by using the existing, default Key String.

    • Keep current user defined key— select to keep an existing user defined key.

    • Encrypted—To encrypt communications by using MD5, enter the key in encrypted form.

    • Plaintext—Enter the key string in plaintext mode.

Step 5

Click Apply. The key for the device is updated in the Running Configuration file.


RADIUS Server Groups

To set up a group of users that will be using the device as its RADIUS server, complete the following:

Procedure


Step 1

Click Security > RADIUS Server > RADIUS Server Groups.

Step 2

Click Add to add a RADIUS Server Group or Edit to edit an existing one. Then, complete the following fields:

  • Group Name—Enter a name for the group.

  • Privilege Level—Enter the management access privilege level of the group.

  • Time Range—Check to enable applying a time range to this group.

  • Time Range Name—If Time Range is selected, select the time range to be used. Click Edit to define a time range. This field is only displayed if a Time Range was previously created.

  • VLAN—Select the VLAN for the users:

    • None—No VLAN ID is sent.

    • VLAN ID—VLAN ID sent.

    • VLAN Name—VLAN name sent

Step 3

Click Apply. The RADIUS group definition is added to the Running Configuration file of the device.


RADIUS Server Users

To add a user, follow these steps:

Procedure


Step 1

Click Security > RADIUS Server > RADIUS Server Users.

The current users are displayed.

Step 2

Click Add or Edit to configure the following:

  • User Name—Enter the name of a user.

  • Group Name—Select a previously defined group.

  • Password's MD5—Displays the password's MD5 cryptographic hash.
  • Password—Enter one of the following options:

    • Keep current password— Use this option to keep your current password.

    • Encrypted—A key string is used to encrypt communications by using MD5. To use encryption, enter the key in encrypted form.

    • Plaintext—If you don’t have an encrypted key string (from another device), enter the key string in plaintext mode. The encrypted key string is generated and displayed.

Step 3

Click Apply. The user definition is added to the Running Configuration file of the device.


RADIUS Server Accounting

The Radius server saves the last accounting logs in a cycle file on FLASH. These can be displayed.

To display RADIUS server accounting, complete the following steps:

Procedure


Step 1

Click Security > RADIUS Server > RADIUS Server Accounting.

RADIUS accounting events are displayed along with the following fields:

  • User Name—Name of a user.

  • Event Type—One of the following values:

    • Start—Session was started.

    • Stop—Session was stopped.

    • Date/Time Change—Date/time on the device was changed.

    • Reset—Device has reset at the specified time.

  • Authentication Method—Authentication method used by the user. Displays N/A if the Event Type is Date/Time Change or Reset.

  • NAS Address—Address of switch containing RADIUS client. Displays N/A if the Event Type is Date/Time Change or Reset.

  • User Address—If the authenticated user is the network administrator, this is its IP address; if the user is a station, this is its MAC address. Displays N/A if the Event Type is Date/Time Change or Reset.

  • Event Time—Time of event.

Step 2

To clear a RADIUS Server Accounting event click Clear.

Step 3

To see additional details for a user/event, select the user/event and click Details.


The following fields are displayed:


Note


The fields in this page depend on the type of account viewed and the details received for it. Not all fields are always displayed.

  • Event Time—See above.

  • Event Type—See above.

  • User Name—See above.

  • Authentication Method—See above.

  • NAS IPv4 Address—See NAS Address above.

  • User Address—See above.

  • Accounting Session Time—See Event Time above.

  • Session Termination Reason—Displays reason for session termination, such as User Request.


RADIUS Server Rejected Users

To view the users who have attempted to authenticate using the RADIUS server and have been rejected, complete the following steps:

Procedure


Step 1

Click Security > RADIUS Server > RADIUS Server Rejected Users.

The rejected users are displayed along with the following fields:

  • Event Type—Displays one of the following options:

    • Rejected—User was rejected.

    • Time Change—Clock on device was changed by the administrator.

    • Reset—Device was reset by the administrator.

  • User Name—Name of the rejected user.

  • User Type—Displays one of the following authentication options relevant to the user:

    • Login—Management access user

    • 802.1x—802.1x network access user

    • N/A—For Reset event

  • Reason—Reason that the user was rejected.

  • Time—Time that the user was rejected.

Step 2

To see additional details for the rejected user, select the user and click Details.


The following fields are displayed:


Note


The fields in this page depend on the type of account viewed and the details received for it. Not all fields are always displayed.

  • Event Time—See above.

  • User Name—See above.

  • User Type—See above.

  • Rejection Reason—Reason that the user was rejected.

  • NAS IP Address—Address of the Network Accessed Server (NAS). The NAS is the switch running the RADIUS client.


To clear out the table of rejected users, click Clear.

RADIUS Server Unknown NAS Entries

To display authentication rejections due to NASs not being known to RADIUS server, complete the following:

Procedure


Step 1

Click Security > RADIUS Server > RADIUS Server Unknown NAS Entries.

The following fields are displayed:

  • Event Type

    • Unknown NAS—An unknown NAS event occurred.

    • Time Change—Clock on device was changed by the administrator.

    • Reset—Device was reset by the administrator.

  • IP Address—IP address of the unknown NAS.

  • Time—Timestamp of event

Step 2

Click Clear to clear an entry.


RADIUS Server Statistics

To display RADIUS server statistics, follow these steps:

Procedure


Step 1

Click Security > RADIUS Server > RADIUS Server Statistics.

Step 2

Select the Statistics Source from the following options:

    • Global—Statistics for all users

    • Specific NAS—Statistics for specific NAS

Step 3

Select the Refresh Rate.

Step 4

The following statistics will be displayed.

Incoming Packets on Authentication Port

Number of packets received on the authentication port.

Incoming Access-Requests from Unknown Addresses

Number of incoming access requests from unknown NAS addresses

Duplicate Incoming Access-Requests

Number of retransmitted packets received.

Sent Access-Accepts

Number of access accepts sent.

Sent Access-Rejects

Number of access rejects sent.

Sent Access-Challenges

Number of access challenges sent.

Incoming Malformed Access-Requests

Number of malformed access requests received.

Incoming Authentication-Requests with Bad Authenticator

Number of incoming packets with bad passwords.

Incoming Authentication Packets with Other Mistakes

Number of received incoming authentication packets with other mistakes.

Incoming Authentication Packets of Unknown Type

Number of received incoming authentication packets of unknown type

Incoming Packets on the Accounting Port

Number of incoming packets on the accounting port.

Incoming Accounting-Requests from Unknown Addresses

Number of incoming accounting requests from unknown addresses.

Incoming Duplicate Accounting-Requests

Number of incoming duplicate account requests.

Accounting-Responses Sent

Number of accounting responses sent.

Incoming Malformed Accounting-Requests

Number of malformed accounting requests.

Incoming Accounting-Requests with Bad Authenticator

Number of incoming accounting requests with bad authenticator.

Incoming Accounting Packets with Other Mistakes

Number of incoming accounting packets with other mistakes.

Incoming Not Recorded Accounting-Requests

Number of incoming accounting requests not recorded.

Incoming Accounting Packets of Unknown Type

Number of incoming accounting packets of unknown type.

Step 5

To clear the counters, click Clear Counters.

Step 6

To refresh the counters, click Refresh.


Dynamic Authorization Server

Change of Authorization (CoA) is an extension to the RADIUS protocol, allowing dynamic changes to an AAA or dot1x user session. This includes support for disconnecting users and changing authorizations applicable to a user session. The device supports the following CoA actions:

  • Disconnect Session

  • Disable host port CoA command

  • Bounce host port CoA command

  • Reauthenticate host CoA command

Perform the following steps to enable the device as an authentication, authorization, and accounting (AAA) server for the dynamic authorization service. Change of Authorization (CoA) is an extension to the RADIUS protocol, allowing dynamic changes to an AAA or dot1x user session. This includes support for disconnecting users and changing authorizations applicable to a user session.

Procedure


Step 1

Click Security > Dynamic Authorization Server>

Step 2

Configure the following settings:

Setting

Description

Default Server Key MD5

Defines the Shared key between the device and the CoA client. Select one of the following:

  • None

  • Keep existing default key

  • User Defined (Encrypted)

  • User Defined (Plaintext)

Key's MD5 Digest Undefined by default

UDP Port

Enter a value to configure the UDP port for CoA request (Range 0 - 59999, Default: 1700).

Domain Stripping

Configures username domain options for the CoA application. Select from one of the following options:

  • None - No domain stripping

  • Left to Right - The left-to-right keyword terminates the string at the first delimiter going from left-to-right.

  • Right to Left - The right-to-left keyword terminates the string at the first delimiter going from right to left

Domain Delimiter

The delimiter field specifies the domain delimiter. One of the following options can be selected for the character argument: @ , / , $ , % , \ , # , or -.

Step 3

The Client table defines a per CoA client MD5 server key for a specific CoA client(s). The per client key overrides the key defined in the Default Server Key MD5 setting. If a key wasn't defined for a certain CoA client, then the client will use the Default Server Key MD5. To add or edit a key for a certain CoA client, click Add or Edit and configure the following:

  • IP Address - The IPv4 or IPv6 address of the CoA client

  • MD5 Digest - Undefined (Default)

  • Server Key - Select one of the following:

    • Use default key - in this case the default server key will be used.

    • Keep current user defined key - maintain the current user defined key.

    • User Defined (Encrypted) - enter the key in the encrypted format.

    • User Defined (Plaintext) - enter the key in the plaintext format.

Step 4

Click Apply to apply the settings.

Step 5

Next, select the Client Address and click the Counters to display the counters. The following table describes the fields shown in the pop-up:

Field

Description

IP Address

IP address

Average ACK response time

Average ACK response time in millisecond.

Requests

Counts the Requests received from CoA clients.

Transactions

Counts CoA completed transactions. A Completed transaction occurs once the switch send an ACK or NAK in response to a Request from a CoA client.

Retransmissions

Counts received retransmitted CoA Requests. A retransmitted CoA requests is a request in which the Request identifier is identical to the identifier of a previous request.

Active Transactions

Transactions that are currently active. An active transaction is a transaction in which a Request from a COA Client has been received but an ACK or NAK response has not been sent yet. Once an ACK or NAK is sent this counter is decremented.

ACX Responses

Counts the number of ACK responses sent by the switch.

NAK Responses

Counts the number of NAK responses sent by the switch.

Invalid Requests

Counts invalid requests received by the switch. An invalid request is one of the following:

  • A request in which the secret in the request does not match the secret configured on the device.

  • A request with no session identifier.

  • A request with an unsupported attribute.

  • A request in which a supported attribute is empty.

  • A request which is discarded because the event-timestamp is not current, or if event-timestamp is mandatory and received request does not include this attributes.

  • A request with a not current or missing Event-Timestamp attribute.

  • A request received with "disable port" or "bounce port" command that are dropped due to user configuration.

Errors

Count errors, an error can be an internal error in which a request cannot be processed due to resource issue, or if a secret has not been configured for the CoA client.


Login Settings


Note


This setting is available in the Advanced Mode view only.


The default username/password is cisco/cisco. The first time that you log in with the default username and password, you’re required to enter a new password. Password complexity is enabled by default. If the password that you choose isn’t complex enough, then you’ll be prompted to create another password.

Procedure


Step 1

Click Security > Login Settings.

Step 2

Next, configure the following:

Option Description
Password Aging

Check Enable to enable the password aging. It’s disabled by default.

Password Aging Time

Enter the number of days. (Range: 1–365, Default: 180)

Note

 

A warning message appears 10 days before the password expiration date providing the option to change the password. User can ignore the warning and continue to use the existing password until the actual expiration date.

Recent Password Prevention

Check Enable to enable this feature. It’s disabled by default.

Password History Count

Defines the number for a recent password prevention. The range is 1- 24 and the default is 12.

Minimal Password Length

Enter the number of characters for the password. (Range: 8- 64, Default: 8)

Allowed Character Repetition

A character can’t be repeated consecutively. Enter a number for the allowed character repetition. (Range: 1- 16, Default: 3)

Keyboard Pattern Prevention

Allowed character repetition: Check Enable to enable this feature. It is disabled by default. When enabled, the password cannot contain more than 3 adjacent QWERTY keyboard letters or numbers.

Minimal Number of Character Classes:

Enter a number for the minimal number of character classes. (Range: 1- 4, Default: 3)

Note

 
The password complexity rules are as follows:
  • The minimal password length is 8 characters by default. Passwords are configurable with a range of 8-64.

  • Minimum number of character classes: The number of different character classes that must be included in the password (classes are: uppercase letter, lowercase letter, number, and special character). The minimum number is 3 by default and is configurable to 0-4 (0 and 1 are functionally identical).

  • Any password established or altered by the user (hence "Secret") is compared to a list of common passwords. If the secret contains a word from the list, the user receives the following error message and needs to re-enter an alternative password: "Password rejected- Passwords must not match words in the dictionary, and must not contain commonly used passwords".

  • Context-specific words (project and vendor name) – The password MUST NOT contain the username or the words “cisco”, "catalyst" or derivatives of such. This restriction includes these words reversed or in any case. Restriction also includes letters that are replaced with other characters, as follows: "$" for "s", "@" for "a", "0" for "o", "1" for "l", "!" for "i", "3" for "e", isn’t permitted. For example, C!$c0678! isn’t permitted.

Definition for Known Password

When a user attempts to configure a new password, it’s compared against the list of commonly used passwords. If a new password matches or begins with one of the passwords in the common password list. The comparison to passwords on the list is case insensitive.

If the new password doesn’t comply with the preceding requirement, the user configuration is rejected and the user needs to configure a different password.

Definition for Sequential Characters

The password MUST NOT contain more than a 2 sequential characters or numbers. The limitation applies to sequential letters in any case (e.g. AbC or aBC).

Examples for prohibited passwords: “eFg152!$”, “aztb567%”.

If the password doesn’t comply with these rules the configuration will be rejected and the user needs to configure a new password.


Login Lockdown


Note


This setting is available in the Advanced Mode view only.


If the address of a device is known, a malicious user may attempt to perform a dictionary attack. A dictionary attack is an automated process to attempt to login by attempting thousands, or even millions, of credentials. The purpose of a dictionary attack is to actually gain management access to the device.

To prevent these attacks the device can be configured to limit the amount of login attempts allowed within a specific time range and by defining a quiet mode period following a specified number of failed attempts. If the specified number of connection attempts fails (attempt tries) within a specified time (within seconds), the device won’t accept any additional login attempts for a specified time (block-for seconds). This can also occur when the user forgets his login credentials and tries to login several times resulting in login failure.


Note


Following a specified number of failed login attempts over a specified time period, the device enters into quiet mode. The device won’t accept any more connection requests during the quiet mode time, including telnet, SSH, SNMP, HTTP, or HTTPS. The device restarts accepting connection requests that once the quiet mode period has ended. The start and conclusion of the quiet mode time will be indicated by a Syslog message.

The number of failed attempts should be counted throughout a time that is measured from each failed attempt. Failed attempts aren’t counted during the quiet period. When the quiet period expires, the count of failed attempts resumes. A quiet period can be ended before the timer expires by disabling the functionality.


Procedure


Step 1

In the Login Response Delay, check Enable to enable the login response delay.

Step 2

Next, configure the following:

Option Description

Response Delay Period

Enter a number in seconds to set the response delay period. (Range: 1- 10, Default: 1)

Quiet Period Enforcement

Check Enable to enforce a quite period.

Quiet Period Length

Enter the number of seconds to set the quiet period length. (Range: 1- 65535, Default: 300)

Triggering Attempts

Enter the number of triggering attempts. (Range: 1- 100, Default: 4)

Triggering Interval

Enter the number in seconds for the triggering interval. (Range: 1- 3600, Default: 60)

Quiet Period Access Profiles.

Note

 

This link navigates to the Security → Management Access Method → Access Profiles page.

Console Only is the default setting.

Note

 

This drop-down contains an option for every existing access profile.


Login Protection Status


Note


This setting is only available in the Advanced Mode view.


The Login Protection Status page tracks and display any attempted attacks or login failures. (It won’t distinguish if the login failure is a user who forgot their credentials or an actual attack). Click the Refresh button to refresh the data.

To view the settings for the Login Protection Status, navigate to Security > Login Protection Status.

  • Quiet Mode Status- Can have either an active or inactive status.

  • Login Failures in the Last 3600 Seconds- Displays the number of login failures during the time lapse defined by the "Quiet Period Length" Parameter. The "Quiet Period Length" is a value in seconds configured in the Security > Login Settings page.

In the Login Failure Table, the following will be displayed:

  • Username- the name of the user

  • IP Address- the IP address of the user

  • Service- the service being used. This can be either HTTP, HTTPS, Telnet, SSH, or SNMP.

  • Count- the number of attempted login failures.

  • Most Recent Attempt Time- the most recent time that a failed login was attempted.

Key Management

This section describes how to configure key chains for applications and protocols, such as RIP.

Key Chain Settings

To create a new key chain.

Procedure


Step 1

Click Security > Key Management > Key Chain Settings.

Step 2

To add a new key chain, click Add to open the Add Key Chain page and enter the following fields:

  • Key Chain-Name for the key chain.

  • Key Identifier-Integer identifier for the key chain.

  • Key String-Value of the key chain string. Enter one of the following options:

    • User Defined (Encrypted)-Enter an encrypted version.

    • User Defined (Plaintext)-Enter a plaintext version

      Note

       

      Both the Accept Life Time and the Send LifeTime values can be entered. The Accept Life Time indicates when the key-identifier for receiving packets is valid. The Send Life Time indicates when the key-identifier for sending packets is valid.

  • Accept Life Time/Send Life Time-Specifies when packets with this key are accepted. Select one of the following options.

    • Always Valid-No limit to the life of the key-identifier

    • User Defined-Life of the key-chain is limited. If this option, is selected enter values in the following fields.

      Note

       

      If you select User Defined, the system time must be set either manually or from SNTP. Otherwise, Accept Life Time and Send Life Times always fail.

      The following fields are relevant for the Accept Life Time and Send Life Time fields:

  • Start Date-Enter the earliest date that the key-identifier is valid.

  • Start Time-Enter the earliest time that the key-identifier is valid on the Start Date.

  • End Time-Specifies the last date that the key-identifier is valid. Select one of the following options.

    • Infinite-No limit to the life of the key-identifier

    • Duration-Life of the key-identifier is limited. If this option, is selected enter values in the following fields.

  • Duration-Length of time that the key identifier is valid. Enter the following fields:

    • Days-Number of days that the key-identifier is valid.

    • Hours-Number of hours that the key-identifier is valid.

    • Minutes-Number of minutes that the key-identifier is valid.

    • Seconds-Number of seconds that the key-identifier is valid.

Step 3

Click Apply. The settings are written to the Running Configuration file.


Key Settings

To add a key to an already existing key chain.

Procedure


Step 1

Click Security > Key Management > Key Settings.

Step 2

To add a new key string, click Add.

Step 3

Enter the following fields:

  • Key Chain-Name for the key chain.

  • Key Identifier-Integer identifier for the key chain.

  • Key String (Encrypted)-Value of the key chain string. Enter one of the following options:

    • User Defined (Encrypted)-Enter an encrypted version.

    • User Defined (Plaintext)-Enter a plaintext version.

  • Accept Life Time-Specifies when packets with this key are accepted. Select one of the following options.

    • Always Valid-No limit to the life of the key-identifier

    • User Defined-Life of the key-chain is limited. If this option, is selected enter the values in the Start Date and Start Time below.

  • Start Date-Enter the earliest date that the key-identifier is valid.

  • Start Time-Enter the earliest time that the key-identifier is valid on the Start Date.

  • End Time-Specifies the latest time that the key-identifier is valid. Select one of the following options.

    • Infinite-No limit to the life of the key-identifier

    • Duration-Life of the key-identifier is limited. If this option, is selected enter values in the following fields.

  • Duration-Length of time that the key identifier is valid. Enter the following fields:

    • Days-Number of days that the key-identifier is valid.

    • Hours-Number of hours that the key-identifier is valid.

    • Minutes-Number of minutes that the key-identifier is valid.

    • Seconds-Number of seconds that the key-identifier is valid.

  • Send Life Time-Specifies when packets with this key are accepted. Check the default option.

    • Always Valid-No limit to the life of the key-identifier

    • Duration-Life of the key-identifier is limited. If this option, is selected enter values in the following fields.

  • Start Date-Enter the earliest date that the send life time is valid.

  • Start Time-Enter the earliest time that the send life time r is valid on the Start Date.

  • End Time-Specifies the latest time that the send life time is valid. Select one of the following options.

    • Infinite-No limit to the life of the send life time

    • Duration-Life of the send life time is limited. If this option, is selected enter values in the following fields.

      • Days-Number of days that the key-identifier is valid.

      • Hours-Number of hours that the key-identifier is valid.

      • Minutes-Number of minutes that the key-identifier is valid.

      • Seconds-Number of seconds that the key-identifier is valid.

Step 4

Click Apply. The settings are written to the Running Configuration file.


Management Access Method


Note


This setting is only available in the Advanced Mode view.


This section describes access rules for various management methods.

Access profiles determine how to authenticate and authorize users accessing the device through various access methods. Access Profiles can limit management access from specific sources.

Only users who pass both the active access profile and the management access authentication methods are given management access to the device.

There can only be a single access profile active on the device at one time.

Access profiles consist of one or more rules. The rules are executed in order of their priority within the access profile (top to bottom).

Rules are composed of filters that include the following elements:

  • Access Methods-Methods for accessing and managing the device:

    • Telnet

    • Secure Telnet (SSH)

    • Hypertext Transfer Protocol (HTTP)

    • Secure HTTP (HTTPS)

    • Simple Network Management Protocol (SNMP)

    • All of the above

  • Action-Permit or deny access to an interface or source address.

  • Interface-Which ports, LAGs, or VLANs are permitted to access or are denied access to the web-based configuration utility.

  • Source IP Address-IP addresses or subnets. Access to management methods might differ among user groups. For example, one user group might be able to access the device module only by using an HTTPS session, while another user group might be able to access the device module by using both HTTPS and Telnet sessions.

Access Profiles

The Access Profiles page displays the access profiles that are defined and enables selecting one access profile to be the active one.

When a user attempts to access the device through an access method, the device looks to see if the active access profile explicitly permits management access to the device through this method. If no match is found, access is denied.

When an attempt to access the device is in violation of the active access profile, the device generates a SYSLOG message to alert the system administrator of the attempt.

If a console-only access profile has been activated, the only way to deactivate it’s through a direct connection from the management station to the physical console port on the device.

For more information, see Profile Rules.

Use the Access Profiles page to create an access profile and to add its first rule. If the access profile only contains a single rule, you’re finished. To add more rules to the profile, use the Profile Rules page.

Procedure


Step 1

Click Security > Mgmt Access Method > Access Profiles.

Step 2

To change the active access profile, select a profile from the Active Access Profile drop down menu and click Apply.

Step 3

A pop-up will appear asking you to confirm the Active Access Profile change. Click OK to confirm or click Cancel to cancel.

Step 4

Click Add to open the Add Access Profile page. The page allows you to configure a new profile and one rule.

Step 5

Enter the Access Profile Name. This name can contain up to 32 characters.

Step 6

Enter the parameters.

  • Rule Priority—Enter the rule priority. When the packet is matched to a rule, user groups are either granted or denied access to the device. The rule priority is essential to matching packets to rules, as packets are matched on a first-match basis. The highest priority is ‘1’.

  • Management Method—Select the management method for which the rule is defined. The options are:

    • All—Assigns all management methods to the rule

    • Telnet—Users requesting access to the device that meets the Telnet access profile criteria are permitted or denied access.

    • Secure Telnet (SSH)—Users requesting access to the device that meets the SSH access profile criteria, are permitted or denied access.

    • HTTP— Users requesting access to the device that meets the HTTP access profile criteria, are permitted or denied.

    • Secure HTTP (HTTPS)—Users requesting access to the device that meets the HTTPS access profile criteria, are permitted or denied.

    • SNMP—Users requesting access to the device that meets the SNMP access profile criteria are permitted or denied.

  • Action—Select the action attached to the rule. The options are:

    • Permit—Permits access to the device if the user matches the settings in the profile.

    • Deny—Denies access to the device if the user matches the settings in the profile

  • Applies to Interface—Select the interface attached to the rule. The options are:

    • All—Applies to all ports, VLANs, and LAGs

    • User Defined—Applies to selected interface.

  • Interface—Enter the interface number if User Defined was selected.

  • Applies to Source IP Address—Select the type of source IP address to which the access profile applies. The Source IP Address field is valid for a subnetwork. Select one of the following values:

    • All—Applies to all types of IP addresses

    • User Defined—Applies to only those types of IP addresses defined in the fields.

  • IP Version—Enter the version of the source IP address: Version 6 or Version 4.

  • IP Address—Enter the source IP address.

  • Mask—Select the format for the subnet mask for the source IP address, and enter a value in one of the fields:

    • Network Mask—Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format.

    • Prefix Length—Select the Prefix Length and enter the number of bits that comprise the source IP address prefix.

Step 7

Click Apply. The access profile is written to the Running Configuration file. You can now select this access profile as the active access profile.


Profile Rules

Access profiles can contain up to 128 rules to determine who is permitted to manage and access the device, and the access methods that may be used. Each rule in an access profile contains an action and criteria (one or more parameters) to match. Each rule has a priority; rules with the lowest priority are checked first. If the incoming packet matches a rule, the action associated with the rule is performed. If no matching rule is found within the active access profile, the packet is dropped.

For example, you can limit access to the device from all IP addresses except IP addresses that are allocated to the IT management center. In this way, the device can still be managed and has gained another layer of security.

To add profile rules to an access profile, complete the following steps:

Procedure


Step 1

Click Security > Mgmt Access Method > Profile Rules.

Step 2

Select the Filter field, and an access profile. Click Go.

The selected access profile appears in the Profile Rule Table.

Step 3

Click Add to add a rule.

Step 4

Enter the parameters.

  • Access Profile Name—Select an access profile.

  • Rule Priority—Enter the rule priority. When the packet is matched to a rule, user groups are either granted or denied access to the device. The rule priority is essential to matching packets to rules, as packets are matched on a first-fit basis.

  • Management Method—Select the management method for which the rule is defined. The options are:

    • All—Assigns all management methods to the rule

    • Telnet—Users requesting access to the device that meets the Telnet access profile criteria are permitted or denied access.

    • Secure Telnet (SSH)—Users requesting access to the device that meets the Telnet access profile criteria, are permitted or denied access.

    • HTTP—Assigns HTTP access to the rule Users requesting access to the device that meets the HTTP access profile criteria, are permitted or denied.

    • Secure HTTP (HTTPS)—Users requesting access to the device that meets the HTTPS access profile criteria, are permitted or denied.

    • SNMP—Users requesting access to the device that meets the SNMP access profile criteria are permitted or denied.

  • Action—Select one of the following options.

    • Permit—Allow device access to users coming from the interface and IP source defined in this rule.

    • Deny—Deny device access to users coming from the interface and IP source defined in this rule.

  • Applies to Interface—Select the interface attached to the rule. The options are:

    • All—Applies to all ports, VLANs, and LAGs

    • User Defined—Applies only to the port, VLAN, or LAG selected.

  • Interface—Enter the interface number if the User Defined option is selected for the field above.

  • Applies to Source IP Address—Select the type of source IP address to which the access profile applies. The Source IP Address field is valid for a subnetwork. Select one of the following values:

    • All—Applies to all types of IP addresses

    • User Defined—Applies to only those types of IP addresses defined in the fields.

  • IP Version—Select the supported IP version of the source address: IPv6 or IPv4.

  • IP Address—Enter the source IP address.

  • Mask—Select the format for the subnet mask for the source IP address, and enter a value in one of the fields:

    • Network Mask—Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format.

    • Prefix Length—Select the Prefix Length and enter the number of bits that comprise the source IP address prefix.

Step 5

Click Apply and the rule is added to the access profile.


Management Access Authentication


Note


This setting is only available in the Advanced Mode view.


You can assign authentication methods to the various management access methods, such as SSH, Telnet, HTTP, and HTTPS. The authentication can be performed locally or on a server.

If authorization is enabled, both the identity and read/write privileges of the user are verified. If authorization isn’t enabled, only the identity of the user is verified.

The authorization/authentication method used is determined by the order that the authentication methods are selected. If the first authentication method isn’t available, the next selected method is used. For example, if the selected authentication methods are RADIUS and Local, and all configured RADIUS servers are queried in priority order and don’t reply, the user is authorized/authenticated locally.

If authorization is enabled, and an authentication method fails or the user has an insufficient privilege level, the user is denied access to the device. In other words, if authentication fails for an authentication method, the device stops the authentication attempt; it doesn’t continue and doesn’t attempt to use the next authentication method.

Similarly, if authorization isn’t enabled, and authentication fails for a method, the device stops the authentication attempt.

To define authentication methods for an access method:

Procedure


Step 1

Click Security > Management Access Authentication.

Step 2

Enter the Application (type) of the management access method.

Step 3

Select Authorization to enable both authentication and authorization of the user by the list of methods described below. If the field isn’t selected, only authentication is performed. If Authorization is enabled, the read/write privileges of users are checked. This privilege level is set in the User Accounts page.

Step 4

Use the arrows to move the authentication method between the Optional Methods column and the Selected Methods column. The first method selected is the first method that is used.

  • RADIUS—User is authorized/authenticated on a RADIUS server. You must have configured one or more RADIUS servers. For the RADIUS server to grant access to the web-based configuration utility, the RADIUS server must return RADIUS Attribute "Service-Type 6" value "Administrative".

  • TACACS+—User authorized/authenticated on the TACACS+ server. You must have configured one or more TACACS+ servers.

  • None—User is allowed to access the device without authorization/authentication.

  • Local—Username and password are checked against the data stored on the local device. These username and password pairs are defined in the User Accounts page.

    Note

     

    The Local or None authentication method must always be selected last. All authentication methods selected after Local or None are ignored.

Step 5

Click Apply. The selected authentication methods are associated with the access method.


Secure Sensitive Data Management


Note


This setting is only available in the Advanced Mode view.


SSD protects sensitive data on a device, such as passwords and keys, permits, and denies access to sensitive data encrypted and in plain text based on user credentials and SSD rules, and protects configuration files containing sensitive data from being tampered with.

In addition, the SSD enables the secure backup and sharing of configuration files containing sensitive data.

The SSD provides users with the flexibility to configure the desired level of protection on their sensitive data; from no protection with sensitive data in plaintext, minimum protection with encryption based on the default passphrase, and better protection with encryption based on user-defined passphrase.

SSD grants read permission to sensitive data only to authenticated and authorized users, and according to SSD rules. A device authenticates and authorizes management access to users through the user authentication process.

Whether or not the SSD is used, it is recommended that the administrator secure the authentication process by using the local authentication database, and/or secure the communication to the external authentication servers used in the user authentication process.

In summary, the SSD protects sensitive data on a device with SSD rules, SSD properties, and user authentication. And SSD rules, SSD properties, and user authentication configurations of the device are themselves sensitive data protected by SSD.

SSD Properties

SSD properties are a set of parameters that, with the SSD rules, define, and control the SSD environment of a device. The SSD environment consists of these properties:
  • Controlling how the sensitive data is encrypted.

  • Controlling the strength of security on configuration files.

  • Controlling how the sensitive data are viewed within the current session.

To configure the SSD properties, follow these steps:

Procedure


Step 1

Click Security > Secure Sensitive Data Management > Properties.

The following field appears:

  • Current Local Passphrase Type—Displays whether the default passphrase or a user-defined passphrase is currently being used.

Step 2

In the Configuration File Passphrase Control—Select an option from the following:

  • Unrestricted (default)—The device includes its passphrase when creating a configuration file. This enables any device accepting the configuration file to learn the passphrase from the file.

  • Restricted—The device restricts its passphrase from being exported into a configuration file. Restricted mode protects the encrypted sensitive data in a configuration file from devices that don’t have the passphrase. This mode should be used when a user doesn’t want to expose the passphrase in a configuration file.

Step 3

Next, select to enable the Configuration File Integrity Control.

Step 4

Select a Read Mode for the current session.

  • Plaintext—Users are permitted to access sensitive data in plaintext only. Users will also have read and write permission to SSD parameters.

  • Encrypted—Users are permitted to access sensitive data as encrypted only.

Step 5

Click Change Local Passphrase, and enter a new Local Passphrase:

  • Default—Use the devices default passphrase.

  • User Defined (Plaintext)—Enter a new passphrase. The maximum number of characters is 16.

  • Confirm Passphrase—Confirm the new passphrase.

Step 6

Click Apply. The settings are saved to the Running Configuration file.


SSD Rules

Only users with SSD read permission of Plaintext-only or Both are allowed to set SSD rules.

To configure SSD rules, follow these steps:

Procedure


Step 1

Click Security > Secure Sensitive Data Management > SSD Rules.

The currently-defined rules are displayed. The Rule Type field indicates whether the rule is a user-defined one or a default rule.

Step 2

To add a new rule, click Add. Enter the following fields:

  • User—This defines the user(s) to which the rule applies: Select one of the following options:

    • Specific User—Select and enter the specific user name to which this rule applies (this user does not necessarily have to be defined).

    • Default User (cisco)—Indicates that this rule applies to the default user.

    • Level 15—Indicates that this rule applies to all users with privilege level 15.

    • All—Indicates that this rule applies to all users.

  • Channel—This defines the security level of the input channel to which the rule applies: Select one of the following options:

    • Secure—Indicates that this rule applies only to secure channels (console, SCP, SSH and HTTPS), not including the SNMP and XML channels.

    • Insecure—Indicates that this rule applies only to insecure channels (Telnet, TFTP and HTTP), not including the SNMP and XML channels.

    • Secure XML SNMP—Indicates that this rule applies only to XML over HTTPS and SNMPv3 with privacy.

    • Insecure XML SNMP—Indicates that this rule applies only to XML over HTTP or and SNMPv1/v2and SNMPv3 without privacy.

  • Read Permission—The read permissions associated with the rule. These can be the following:

    • Exclude—Lowest read permission. Users are not permitted to get sensitive data in any form.

    • Plaintext Only—Higher read permission than above ones. Users are permitted to get sensitive data in plaintext only.

    • Encrypted Only—Middle read permission. Users are permitted to get sensitive data as encrypted only.

    • Both (Plaintext and Encrypted)—Highest read permission. Users have both encrypted and plaintext permissions and are permitted to get sensitive data as encrypted and in plaintext

  • Default Read Mode—All default read modes are subjected to the read permission of the rule. The following options exist, but some might be rejected, depending on the rule’s read permission.

    • Exclude—Do not allow reading the sensitive data.

    • Encrypted—Sensitive data is presented encrypted.

    • Plaintext—Sensitive data is presented as plaintext.

Step 3

Click Apply. The settings are saved to the Running Configuration file.

Step 4

The following actions can be performed on selected rules:

  • Add, Edit or Delete rules or Restore To Default.

  • Restore All Rules to Default—Restore a user-modified default rule to the default rule.


SSL Server


Note


This setting is only available in the Advanced Mode view.


The Secure Socket Layer (SSL) feature is used to open an HTTPS session to the device. An HTTPS session may be opened with the default certificate that exists on the device. Some browsers generate warnings when using a default certificate, since this certificate is not signed by a Certification Authority (CA). It is best practice to have a certificate signed by a trusted CA. By default, the device contains certificates that can be modified. HTTPS is enabled by default.

SSL Server Authentication Settings

Secure Sockets Layer (SSL) authentication is a protocol for creating a secure connection for user-server interactions. A server and a user are involved in every web interaction. Users frequently enter sensitive, personal information on websites, putting persons and systems at risk. Better authentication strengthens security, especially for sites that store financial, medical, or personal data. Stable, verifiable, and secure user interactions are required. The way that a server verifies that the user is a real person is by collecting information. There are a number of ways this can be done.

Procedure


Step 1

Click Security > SSL Server > SSL Server Authentication Settings.

Information appears for certificate 1 and 2 in the SSL Server Key Table. These fields are defined in the Edit page except for the following fields:

  • Valid From—Specifies the date from which the certificate is valid.

  • Valid To—Specifies the date up to which the certificate is valid.

  • Certificate Source—Specifies whether the certificate was generated by the system (Auto Generated) or the user (User Defined).

Step 2

The device includes 2 certificates. Only one of them is the active certificate which can be used for the HTTPS session. To define which certificate is active, in the SSL Active Certificate Number, select an active certificate (1 or 2).

Step 3

Click Apply.

Step 4

In the HTTPS Session Logging section, check Enable to enable. By enabling the HTTPS session logging, this will allow a user to track the progress of HTTPS session setup and tear-down, via syslog messages generated by the device.

Step 5

Click Apply.


Generate Certificate Request

A new self-signed certificate maybe is required to replace the certificate found on the device. To create a new certificate, complete the following steps:

Procedure

Step 1

Click Generate Certificate Request.

Step 2

Next, enter the following fields:

  • Certificate ID—Select the certificate ID.

  • Regenerate RSA Key—Check the checkbox to regenerate an RSA key.
  • Key Length—Select the key length from one of the 2 options (2048 bits or 3072 bits).
  • Common Name—Enter a name for the certificate.
  • Organization Unit—Enter the organization unit.
  • Organization Name—Enter the organization name.

  • Location—Enter the location or city name.

  • State—Enter the state or province.

  • Country—Enter the name of the country.

  • Certificate Request—The Begin Certificate Request will be displayed.
  • Duration—Displays the number of days that the certificate is valid for. (Range 30-1095, Default 730).

    Note

     

    The Duration field can only be seen when trying to edit an existing certificate.

Step 3

Click Generate Certificate Request. The new certificate is generated and replaces the existing one.

Step 4

To import a certificate signed by a CA, select an active certificate and click Import Certificate.

Step 5

Enter the following fields:

  • Certificate ID—Select a certificate.

  • Certificate Source—Displays that the certificate is auto-generated.

  • Certificate—Copy in the received certificate.

  • Import RSA Key—Pair-Select to enable copying in the new RSA key-pair.

  • Public Key—Copy in the RSA public key.

  • Private Key (Encrypted)—Select and copy in the RSA private key-in encrypted form.

  • Private Key (Plaintext)—Select and copy the RSA Private Key in Plaintext form.

Step 6

Click Apply to apply the changes to the Running Configuration.

Step 7

Click the Details button to display the SSL certificate details.

Step 8

Next, click Display Sensitive Data as Encrypted to display this key as encrypted. When this button is clicked, the private keys are written to the configuration file in encrypted form (when Apply is clicked). When the text is displayed in encrypted form, the button becomes Display Sensitive Data as Plaintext enabling you to view the text in plaintext again.


What to do next
Viewing the Certificate Chain

If the device certificate was signed by an intermediate CA authority and not a CA root authority – the user needs to import the intermediate certificate(s) used to sign the device certificate and each certificate in the chain up to the root certificate. Intermediate certificates can be imported using the CA Certificate Settings. To view this certificate chain select Certificate 1 or 2 from the SSL Server Key Table and click Certificate Chain. This opens the Certificate Chain modal which displays the device certificate and any intermediate certificate part of the device certificate chain.

On the SSL Server Key Table there’s a Delete button. The Delete button allows you to delete user-imported certificates. However, you can’t delete an auto-generated certificate.

Renew the Self-signed Certificate

To renew the self-signed certificate, please complete the following steps:

Procedure

Step 1

Select the certificates to renew and click Edit.

Step 2

Next, enter the following fields:

  • Certificate ID—Select the certificate ID.

  • Regenerate RSA Key—Check the checkbox to regenerate a RSA key.

  • Key Length—Select the key length from one of the 2 options (2048 bits or 3072 bits).

  • Common Name—Enter a name for the certificate.

  • Organization Unit—Enter the organization unit.

  • Organization Name—Enter the organization name.

  • Location—Enter the location or city name.

  • State—Enter the state or province.

  • Country—Enter the name of the country.

  • Certificate Request—The Begin Certificate Request will be displayed.

  • Duration—Displays the number of days that the certificate is valid for. (Range 30-1095, Default 730)

Step 3

Press the Generate button.


What to do next

SSH Server


Note


This setting is only available in the Advanced Mode view.


The SSH Server feature enables a remote user to establish SSH sessions to the device. This is similar to establishing a telnet session, except the session is secured.

The device, as an SSH server, supports SSH User Authentication which authenticates a remote user either by password, or by public key. At the same time, the remote user as an SSH client can perform SSH Server Authentication to authenticate the device using the device public key (fingerprint).

SSH Server can operate in the following modes:

  • By Internally generated RSA/DSA Keys (Default Setting)—An RSA and a DSA key are generated. Users log on to the SSH Server application and are automatically authenticated to open a session on the device when they supply the IP address of the device.

  • Public Key Mode—Users are defined on the device. Their RSA/DSA keys are generated in an external SSH server application, such as PuTTY. The public keys are entered in the device. The users can then open an SSH session on the device through the external SSH server application.

SSH User Authentication

If you use the SSH User Authentication page to create an SSH username for a user who is already configured in the local user database. You can prevent additional authentication by configuring the Automatic Login feature, which works as follows:

  • Enabled—If a user is defined in the local database, and this user passed SSH Authentication using a public-key, the authentication by the local database username and password is skipped.


    Note


    The configured authentication method for this specific management method (console, Telnet, SSH, and so on) must be Local.


  • Not Enabled—After successful authentication by SSH public key, even if the username is configured in the local user database, the user is authenticated again, as per the configured authentication methods.

To enable authentication and add a user.

Procedure


Step 1

Click Security > SSH Server > SSH User Authentication.

Step 2

Select the following fields:

  • SSH User Authentication by Password—Select Enable to enable and perform authentication of the SSH client user using the username/password configured in the local database.

  • SSH Session Logging—Select Enable to enable SSH session logging. The SSH session logging allows a user to track the progress of an SSH session setup and tear-down, via syslog messages generated by the device.

  • SSH User Authentication by Public Key—Select Enable to enable authentication of the SSH client user using the public key.

  • Automatic Login—Select Enable to enable SSH User Authentication by Public Key feature.

Step 3

Click Apply. The settings are saved to the Running Configuration file.

The following fields are displayed for the configured users:

  • SSH User Name—User name of user

  • Key Type—Whether this is an RSA or DSA key.

  • Fingerprint—Fingerprint generated from the public keys

Step 4

Click Add or Edit to add or edit a user and enter the fields:

  • SSH User Name—Enter a user name.

  • Key Type—Select either RSA or DSA.

  • Public Key—Copy the public key generated by an external SSH client application (like PuTTY) into this text box.

Step 5

Click Apply to save the new user.

The following fields are displayed for all active users:

  • IP Address—IP address of the active user

  • SSH User Name—User name of the active user

  • SSH Version—Version of SSH used by the active user

  • Cipher—Cipher of the active user

  • Authentication Code—Authentication code of the active user


SSH Server Authentication

A remote SSH client can perform SSH Server Authentication to ensure it’s establishing an SSH session to the expected SSH driver. To perform SSH Server Authentication, the remote SSH client must have a copy of the SSH server public key (or fingerprint) of the target SSH server.

The SSH Server Authentication page generates/imports the private/public key for the device as an SSH server. A user should copy the SSH server public key (or fingerprint) of this device to the application if it’s to perform an SSH Server Authentication on its SSH sessions. Public and private RSA and DSA keys are automatically generated when the device is booted from the factory defaults. Each key is also automatically created when the appropriate user-configured key is deleted by the user.

To regenerate an RSA or DSA key or to copy in an RSA/DSA key generated on another device, complete the following steps:

Procedure


Step 1

Click Security > SSH Server > SSH Server Authentication.

The following fields are displayed for each key in the Fingerprint section:

  • Key Type—RSA or DSA.

  • Key Source—Auto Generated or User Defined.

  • Fingerprint—Fingerprint generated from the key.

Step 2

Select either an RSA or DSA key.

Step 3

You can perform any of the following actions:

  • Generate—Generates a key of the selected type.

  • Edit—Enables you to copy in a key from another device. Enter the following fields:

    • Key Type—As described above.

    • Public Key—Enter the public key.

    • Private Key—Select either Plaintext or Encrypted and enter the private key.

      Plaintext—Enter the key as plaintext.

    • Click Apply to save the settings.

  • Delete—Enables you to delete a key.

    Note

     

    Auto Generated Keys cannot be deleted.

  • Details—Enables you to view the generated key. The Details window also enables you to click Display Sensitive Data as Plaintext. If this is clicked, the keys are displayed as plaintext and not in encrypted form. If the key is already being displayed as plaintext, you can click Display Sensitive Data as Encrypted. To display the text in encrypted form.


SSH Client


Note


This setting is only available in the Advanced Mode view.


An SSH client helps the user manage a network composed of one or more switches in which various system files are stored on a central SSH server. When configuration files are transferred over a network, the Secure Copy (SCP), which is an application that uses the SSH protocol, ensures that sensitive data, such as username/password can’t be intercepted.

The SSH client only communicates with a trusted SSH server. When SSH server authentication is disabled (the default setting), any SSH server is considered trusted. When SSH server authentication is enabled, the user must add an entry for the trusted servers to the Trusted SSH Servers Table.

In general the SSH protocol can be used for two purposes, file transfers and terminal access.

SSH User Authentication

When a device (SSH client) attempts to establish a SSH session to a SSH server, the SSH server uses various methods for client authentication. Use this page to select an SSH user authentication method, set a username and password on the device, if the password method is selected or generate an RSA or DSA key, if the public/private key method is selected.

To select an authentication method, and set the username/password/keys, follow these steps:

Procedure


Step 1

Click Security > SSH Client > SSH User Authentication.

Step 2

Under Global Configuration, select an SSH User Authentication Method. This is the global method defined for the secure copy (SCP). Select one of the options:

  • By Password—This is the default setting. If this is selected, enter a password or retain the default one.

  • By RSA Public Key—If this is selected, create an RSA public and Private key in the SSH User Key Table block.

  • By DSA Public Key—If this is selected, create a DSA public/private key in the SSH User Key Table block.

Step 3

Under Credentials, enter the Username (no matter what method was selected) or user the default username. This must match the username defined on the SSH server.

Step 4

If the By Password method was selected, enter a password (Encrypted or Plaintext) or leave the default encrypted password.

Step 5

Perform one of the following actions:

  • Apply—The selected authentication methods are associated with the access method.

  • Restore Default Credentials—The default username and password (anonymous) are restored.

  • Display Sensitive Data As Plaintext—Sensitive data for the current page appears as plaintext.

    The SSH User Key Table contains the following fields for each key:

  • Key Type—RSA or DSA.

  • Key Source—Auto Generated or User Defined.

  • Fingerprint—Fingerprint generated from the key.

Step 6

To handle an RSA or DSA key, select either RSA or DSA and perform one of the following actions:

  • Generate—Generate a new key.

  • Edit—Display the keys for copying/pasting to another device.

  • Delete—Delete the key.

  • Details—Display the Public and Private Key (Encrypted) for each SSH server type.

Note

 

The public/private keys are encrypted and stored in the device memory. The keys are part of the device configuration file, and the private key can be displayed to the user, in encrypted or plaintext form.


SSH Server Authentication

To enable SSH server authentication and define the trusted servers, follow these steps:

Procedure


Step 1

Click Security > SSH Client > SSH Server Authentication.

Step 2

Select Enable to enable SSH server authentication.

  • IPv4 Source Interface—Select the source interface whose IPv4 address will be used as the source IPv4 address for messages used in communication with IPv4 SSH servers.

  • IPv6 Source Interface—Select the source interface whose IPv6 address will be used as the source IPv6 address for messages used in communication with IPv6 SSH servers.

    Note

     

    If the Auto option is selected, the system takes the source IP address from the IP address defined on the outgoing interface.

Step 3

Click Apply.

Step 4

Click Add and enter the following fields for the Trusted SSH Server:

  • Server Definition—Select one of the following ways to identify the SSH server:

    • By IP address—If this is selected enter the IP address of the server in the fields below.

    • By name—If this is selected enter the name of the server in the Server IP Address/Name field.

  • IP Version—If you selected to specify the SSH server by IP address, select whether that IP address is an IPv4 or IPv6 address.

  • IPv6 Address Type—If the SSH server IP address is an IPv6 address, select the IPv6 address type. The options are:

    • Link Local —The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, isn’t routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.

    • Global—The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks.

  • Link Local Interface—Select the link local interface from the list of interfaces.

  • Server IP Address/Name—Enter either the IP address of the SSH server or its name, depending on what was selected in Server Definition.

  • Fingerprint—Enter the fingerprint of the SSH server (copied from that server).

Step 5

Click Apply. The trusted server definition is stored in the Running Configuration file.


Change User Password on SSH Server

Changing the password on the SSH Client Server only affects the remote SSH server. To change the password on the SSH server, follow these steps:

Procedure


Step 1

Click Security > SSH Client > Change User Password on SSH Server.

Step 2

Enter the following fields:

  • Server Definition—Define the SSH server by selecting either By IP Address or By Name. Enter the server name or IP address of the server in the Server IP Address/Name field.

  • IP Version—If you selected to specify the SSH server by IP address, select whether that IP address is an IPv4 or IPv6 address.

  • IPv6 Address Type—If the SSH server IP address is an IPv6 address, select the IPv6 address type. The options are:

    • Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, isn’t routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.

    • Global—The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks.

  • Link Local Interface—Select the link local interface from the list of interfaces.

  • Server IP Address/Name—Enter either the IP address of the SSH server or its name, depending on what was selected in Server Definition.

  • Username—This must match the username on the server.

  • Old Password—This must match the password on the server.

  • New Password—Enter the new password and confirm it in the Confirm Password field.

Step 3

Click Apply. The password on the SSH server is modified.


TCP/UDP Services

The TCP/UDP Services page enables TCP or UDP-based services on the device, usually for security reasons.

The device offers the following TCP/UDP services:

  • HTTP-Enabled by factory default

  • HTTPS-Enabled by factory default

  • SNMP-Disabled by factory default

  • Telnet-Disabled by factory default

  • SSH-Disabled by factory default

To configure TCP/UDP services, follow these steps:

Procedure


Step 1

Click Security > TCP/UDP Services.

Step 2

Enable or disable the following TCP/UDP services on the displayed services.

  • HTTP Service-Indicates whether the HTTP service is enabled or disabled.

  • HTTPS Service-Indicates whether the HTTPS service is enabled or disabled.

  • SNMP Service-Indicates whether the SNMP service is enabled or disabled.

  • Telnet Service-Indicates whether the Telnet service is enabled or disabled.

  • SSH Service-Indicates whether the SSH server service is enabled or disabled.

Step 3

Click Apply. The services are written to the Running Configuration file.

The TCP Service Table displays the following fields for each service:

  • Service Name-Access method through which the device is offering the TCP service.

  • Type-IP protocol the service uses.

  • Local IP Address-Local IP address through which the device is offering the service.

  • Local Port-Local TCP port through which the device is offering the service.

  • Remote IP Address-IP address of the remote device that is requesting the service.

  • Remote Port-TCP port of the remote device that is requesting the service.

  • State-Status of the service.

    The UDP Service table displays the following information:

  • Service Name-Access method through which the device is offering the UDP service.

  • Type-IP protocol the service uses.

  • Local IP Address-Local IP address through which the device is offering the service.

  • Local Port-Local UDP port through which the device is offering the service.

  • Application Instance-The service instance of the UDP service.


Storm Control


Note


This setting is only available in the Advanced Mode view.


When Broadcast, Multicast, or Unknown Unicast frames are received, they are duplicated, and a copy is sent to all possible egress ports. This means that in practice they are sent to all ports belonging to the relevant VLAN. In this way, one ingress frame is turned into many, creating the potential for a traffic storm.

Storm protection enables you to limit the number of frames entering the device and to define the types of frames that are counted towards this limit.

When the rate of Broadcast, Multicast, or Unknown Unicast frames is higher than the user-defined threshold, frames received beyond the threshold are discarded.

Storm Control Settings

To define Storm Control, follow these steps:

Procedure


Step 1

Click Security > Storm Control > Storm Control Settings.

Step 2

Select a port and click Edit.

Step 3

Enter the parameters.

  • Interface—Select the port for which storm control is enabled.

    Unknown Unicast Storm Control

  • Storm Control State—Select to enable Storm Control for Unicast packets.

  • Rate Threshold—Enter the maximum rate at which unknown packets can be forwarded. This value can be entered By kbits/sec or By percentage of the total available bandwidth.

  • Trap on Storm—Select to send a trap when a storm occurs on a port. If this isn’t selected, the trap isn’t be sent.

  • Shutdown on Storm—Select to shut down a port when a storm occurs on the port. If this isn’t selected the extra traffic is discarded.

    Multicast Storm Control

  • Storm Control State—Select to enable Storm Control for Multicast packets.

  • Multicast Type—Select one of the following types of Multicast packets on which to implement storm control:

    • All—Enables storm control on all Multicast packets on the port.

    • Registered Multicast—Enables storm control only on registered Multicast addresses on the port.

    • Unregistered Multicast—Enables only unregistered Multicast storm control on the port.

  • Rate Threshold—Enter the maximum rate at which unknown packets can be forwarded. This value can be entered By kbits/sec or By percentage of the total available bandwidth.

  • Trap on Storm—Select to send a trap when a storm occurs on a port. If this isn’t selected, the trap isn’t sent.

  • Shutdown on Storm—Select to shut down a port when a storm occurs on the port. If this isn’t selected the extra traffic is discarded.

    Broadcast Storm Control

  • Storm Control State—Select to enable Storm Control for Broadcast packets.

  • Rate Threshold—Enter the maximum rate at which unknown packets can be forwarded. This value can be entered By kbits/sec or By percentage of the total available bandwidth.

  • Trap on Storm—Select to send a trap when a storm occurs on a port. If this isn’t selected, the trap isn’t sent.

  • Shutdown on Storm—Select to shut down a port when a storm occurs on the port. If this isn’t selected the extra traffic is discarded.

Step 4

Click Apply. Storm control is modified, and the Running Configuration file is updated.


Storm Control Statistics

To view Storm Control statistics, complete the following:

Procedure


Step 1

Click Security > Storm Control > Storm Control Statistics.

Step 2

Select an interface.

Step 3

Select the Refresh Rate— The available options are:

No Refresh

Statistics aren’t refreshed.

15 Sec

Statistics are refreshed every 15 seconds.

30 Sec

Statistics are refreshed every 30 seconds.

60 Sec

Statistics are refreshed every 60 seconds.

The following statistics are displayed for Unknown Unicast, Multicast and Broadcast Storm Control:

Multicast Traffic Type

(Only for Multicast Storm Control) All.

Bytes Passed

Number of bytes received.

Bytes Dropped

Number of bytes dropped because of storm control.

Last Drop Time

Time that the last byte was dropped.

Step 4

To clear all counters on all interfaces, click Clear All Interfaces Counters. To clear all counters on an interface, select it and click Clear Interface Counters.


Port Security


Note


Port security cannot be enabled on ports on which 802.1X is enabled or on ports that defined as SPAN destination.


Network security can be increased by limiting access on a port to users with specific MAC addresses. The MAC addresses can be either dynamically learned or statically configured.

Port security monitors received and learned packets. Access to locked ports is limited to users with specific MAC addresses.

Port Security has four modes:

  • Classic Lock—All learned MAC addresses on the port are locked, and the port doesn’t learn any new MAC addresses. The learned addresses aren’t subject to aging or relearning.

  • Limited Dynamic Lock—The device learns MAC addresses up to the configured limit of allowed addresses. After the limit is reached, the device doesn’t learn additional addresses. In this mode, the addresses are subject to aging and relearning.

  • Secure Permanent—Keeps the current dynamic MAC addresses associated with the port (as long as the configuration was saved to the Start configuration file). New MAC addresses can be learned as Permanent Secure ones up to the maximum addresses allowed on the port. Relearning and aging are disabled.

  • Secure Delete on Reset—Deletes the current dynamic MAC addresses associated with the port after reset. New MAC addresses can be learned as Delete-On-Reset ones up to the maximum addresses allowed on the port. Relearning and aging are disabled.

When a frame from a new MAC address is detected on a port where it’s not authorized (the port is classically locked, and there’s a new MAC address, or the port is dynamically locked, and the maximum number of allowed addresses has been exceeded), the protection mechanism is invoked, and one of the following actions can take place:

  • Frame is discarded.

  • Frame is forwarded.

  • Port is shut down.

When the secure MAC address is seen on another port, the frame is forwarded, but the MAC address isn’t learned on that port.

In addition to one of these actions, you can also generate traps, and limit their frequency and number to avoid overloading the devices.

To configure port security, complete the following:

Procedure


Step 1

Click Security > Port Security.

Step 2

Select an interface to be modified, and click Edit.

Step 3

Enter the parameters.

  • Interface—Select the interface name.

  • Interface Status—Select to lock the port.

  • Learning Mode—Select the type of port locking. To configure this field, the Interface Status must be unlocked. The Learning Mode field is enabled only if the Interface Status field is locked. To change the Learning Mode, the Lock Interface must be cleared. After the mode is changed, the Lock Interface can be reinstated. The options are:

    • Classic Lock—Locks the port immediately, regardless of the number of addresses that have already been learned.

    • Limited Dynamic Lock—Locks the port by deleting the current dynamic MAC addresses associated with the port. The port learns up to the maximum addresses allowed on the port. Both relearning and aging of MAC addresses are enabled.

    • Secure Permanent—Keeps the current dynamic MAC addresses associated with the port and learns up to the maximum number of addresses allowed on the port (set by Max No. of Addresses Allowed). Relearning and aging are disabled.

    • Secure Delete on Reset—Deletes the current dynamic MAC addresses associated with the port after reset. New MAC addresses can be learned as Delete-On-Reset ones up to the maximum addresses allowed on the port. Relearning and aging are disabled.

  • Max No. of Addresses Allowed—Enter the maximum number of MAC addresses that can be learned on the port if Limited Dynamic Lock learning mode is selected. The number 0 indicates that only static addresses are supported on the interface.

  • Action on Violation—Select an action to be applied to packets arriving on a locked port. The options are:

    • Discard—Discards packets from any unlearned source

    • Forward—Forwards packets from an unknown source without learning the MAC address

    • Shutdown—Discards packets from any unlearned source, and shuts down the port The port remains shut down until reactivated, or until the device is rebooted.

  • Trap—Select to enable traps when a packet is received on a locked port. This is relevant for lock violations. For Classic Lock, this is any new address received. For Limited Dynamic Lock, this is any new address that exceeds the number of allowed addresses.

  • Trap Frequency—Enter minimum time (in seconds) that elapses between traps.

Step 4

Click Apply. Port security is modified, and the Running Configuration file is updated.


802.1X Authentication

802.1x authentication restricts unauthorized clients from connecting to a LAN through publicity-accessible ports. 802.1x authentication is a client-server model. In this model, network devices have the following specific roles.

  • Client or supplicant - a device, such as a PC or laptop, that is attempting to attach to the network.

  • Authenticator - a network device, such as a Catalyst 1200 or Catalyst 1300 switch, that provides a connection between the Supplicant and the network. It relays the authentication data between the Supplicant and the Authentication Server.

  • Authentication server - A trusted server, such as a RADIUS server, that receives and responds to authentication requests from the Authenticator. It notifies the Authenticator if it should or shouldn't allow the Supplicant on the network and any special information or settings related to the device or the user authenticating to the switch.

A network device can be either a client/supplicant, authenticator or both per port.

Properties

The Properties page is used to globally enable port/device authentication. For authentication to function, it must be activated both globally and individually on each port.

To define port-based authentication, follow these steps:

Procedure


Step 1

Click Security > 802.1X Authentication > Properties.

Step 2

Enter the parameters.

  • Port-Based Authentication—Enable or disable port-based authentication.

  • Authentication Method—Select the user authentication methods. The options are:

    • RADIUS, None—Perform port authentication first by using the RADIUS server. If no response is received from RADIUS, then no authentication is performed, and the session is permitted.

    • RADIUS—Authenticate the user on the RADIUS server. If no authentication is performed, the session isn’t permitted.

    • None—Don’t authenticate the user. Permit the session.

  • Guest VLAN—Select to enable the use of a guest VLAN for unauthorized ports. If a guest VLAN is enabled, all unauthorized ports automatically join the VLAN selected in the Guest VLAN ID field. If a port is later authorized, it’s removed from the guest VLAN. The guest VLAN can be defined as a layer 3 interface (assigned an IP address) like any other VLAN. However, device management isn’t available via the guest VLAN IP address.

  • Guest VLAN ID—Select the guest VLAN from the list of VLANs.

  • Guest VLAN Timeout—Define a time period as either Immediate or enter a value in User Defined. This value is used as follows:

    After linkup, if the software doesn’t detect the 802.1X supplicant, or the authentication has failed, the port is added to the guest VLAN, only after the Guest VLAN timeout period has expired.

    If the port state changes from Authorized to Not Authorized, the port is added to the guest VLAN only after the Guest VLAN timeout has expired.

  • Trap Settings—To enable traps, select one of more of the following options:

    • 802.1x Authentication Failure Traps—Select to generate a trap if 802.1x authentication fails.

    • 802.1x Authentication Success Traps—Select to generate a trap if 802.1x authentication succeeds.

    • MAC Authentication Failure Traps—Select to generate a trap if MAC authentication fails.

    • MAC Authentication Success Traps—Select to generate a trap if MAC authentication succeeds.

    • Supplicant Authentication Failure Traps—Select to generate a trap if supplicant authentication fails.

    • Supplicant Authentication Success Traps—Select to generate a trap if supplicant authentication succeeds.

    • Web Authentication Failure Traps—Select to generate a trap if Web authentication fails.

    • Web Authentication Success Traps—Select to generate a trap if Web authentication succeeds.

    • Web Authentication Quiet Traps—Select to generate a trap if a quiet period commences.

      The VLAN Authentication Table displays all VLANs, and indicates whether authentication has been enabled on them.

Step 3

Click Apply. The 802.1X properties are written to the Running Configuration file.

To change Enable or Disable authentication on a VLAN, click Edit and select VLAN and either Enable or Disable.


Port Authentication

The Port Authentication page enables configuration of parameters for each port. Since some of the configuration changes are only possible while the port is in Force Authorized state, such as host authentication, it’s recommended that you change the port control to Force Authorized before making changes. When the configuration is complete, return the port control to its previous state.


Note


A port with 802.1x defined on it can’t become a member of a LAG.
802.1x and Port Security can’t be enabled on same port at same time. If you enable port security on an interface, the Administrative Port Control can’t be changed to Auto mode.


To define 802.1X authentication:

Procedure


Step 1

Click Security > 802.1X Authentication > Port Authentication.

Step 2

Select a port and click Edit.

Step 3

Enter the parameters.

  • Interface—Select a port.

  • Current Port Control—Displays the current port authorization state. If the state is Authorized, the port is either authenticated or the Administrative Port Control is Force Authorized. Conversely, if the state is Unauthorized, then the port is either not authenticated or the Administrative Port Control is Force Unauthorized. If supplicant is enabled on an interface, the current port control is Supplicant.

  • Administrative Port Control—Select the Administrative Port Authorization state. The options are:

    • Force Unauthorized—Denies the interface access by moving the interface into the unauthorized state. The device doesn’t provide authentication services to the client through the interface.

    • Auto—Enables port-based authentication and authorization on the device. The interface moves between an authorized or unauthorized state based on the authentication exchange between the device and the client.

    • Force Authorized—Authorizes the interface without authentication.

  • Guest VLAN—Select to enable using a guest VLAN for unauthorized ports.

  • Periodic Reauthentication—Select to enable port reauthentication attempts after the specified Reauthentication Period.

  • Reauthentication Period—Enter the number of seconds after which the selected port is reauthenticated.

  • Reauthenticate Now—Select to enable immediate port reauthentication.

  • Authenticator State—Displays the defined port authorization state. The options are:

    • Initialize—In process of coming up.

    • Force-Authorized—Controlled port state is set to Force-Authorized (forward traffic).

    • Force-Unauthorized—Controlled port state is set to Force-Unauthorized (discard traffic).

      Note

       

      If the port isn’t in Force-Authorized or Force-Unauthorized, it’s in Auto Mode and the authenticator displays the state of the authentication in progress. After the port is authenticated, the state is shown as Authenticated.

  • Time Range—Select to enable limiting authentication to a specific time range.

  • Time Range Name—If Time Range is selected, click the Edit button to be redirected to the time range page and select the time range name to be used.

  • Max Hosts—Enter the maximum number of authorized hosts allowed on the interface.

    Select either Infinite for no limit, or User Defined to set a limit.

    Note

     

    Set this value to 1 to simulate single-host mode for web-based authentication in multi-sessions mode.

  • Quiet Period—Enter the length of the quiet period.

  • Resending EAP—Enter the number of seconds that the device waits for a response to an Extensible Authentication Protocol (EAP) request/identity frame from the supplicant (client) before resending the request.

  • Max EAP Requests—Enter the maximum number of EAP requests that will be sent. If a response isn’t received after the defined period (supplicant timeout), the authentication process is restarted.

  • Supplicant Timeout—Enter the number of seconds that lapses before EAP requests are resent to the supplicant.

  • Server Timeout—Enter the number of seconds that lapses before the device resends a request to the authentication server.

Step 4

Click Apply. The port settings are written to the Running Configuration file.


Host and Session Authentication

The Host and Session Authentication page enables defining the mode in which 802.1X operates on the port and the action to perform if a violation has been detected.

To define 802.1X advanced settings for ports, complete the following steps:

Procedure


Step 1

Click Security > 802.1X Authentication > Host and Session Authentication.

Step 2

Select a port, and click Edit.

Step 3

Enter the parameters.

  • Interface—Enter a port number for which host authentication is enabled.

  • Host Authentication—Select from one of the following modes.

    • Single Host—A port is authorized if there is an authorized client. Only one host can be authorized on a port.

    • Multiple Host (802.1X)—A port is authorized if there is if there is at least one authorized client.

    • Multiple Sessions—Unlike the single-host and multi-host modes, a port in the multi-session mode does not have an authentication status. This status is assigned to each client connected to the port.

    Single Host Violation Settings—Can only be chosen if host authentication is Single Host.

  • Action on Violation—Select the action to be applied to packets arriving in Single Session/Single Host mode, from a host whose MAC address isn’t the supplicant MAC address. The options are:

    • Protect (Discard)—Discards the packets.

    • Restrict (Forward)—Forwards the packets.

    • Shutdown—Discards the packets and shuts down the port. The ports remain shut down until reactivated, or until the device is rebooted.

  • Traps—Select to enable traps.

  • Trap Frequency—Defines how often traps are sent to the host. This field can be defined only if multiple hosts are disabled.

Step 4

Click Apply. The settings are written to the Running Configuration file.

The Host and Session Authentication Table will display the number of violations under the Number of Violations column.


Supplicant Credentials

In addition to its capacity as an 802.1x authenticator, the switch itself can be configured as an 802.1x supplicant seeking port access permission from a neighbor. The supplicant supports the EAP MD5-Challenge method specified by RFC3748. The method authenticates a client by its name and password. When the supplicant is enabled on an interface, the interface becomes unauthorized. When the 802.1X authentication process succeeds, the interface state is changed to authorized. This page enables creating and configuring credentials that can be used by an interface configured as an 802.1x supplicant.


Note


When configuring a switch interface as an 802.1x supplicant, please be aware that ISE policy that is based on supplicant source MAC will not work as expected (for example redirect ACLs and downloadable ACLs).


To add a supplicant’s credentials, complete the following steps:

Procedure


Step 1

Click Security > 802.1X Authentication > Supplicant Credentials.

Step 2

Click Add.

Step 3

Enter the following fields:

  • Credential Name—Name by which to identify the credential.

  • User Name—Enter the user name associated with the credential name.

  • Description—Enter text describing the user.

  • Password—Select the type of password: Encrypted or Plaintext and add the password.

Step 4

Click Apply and the settings are saved to the Running Configuration file.

Step 5

Click Display Sensitive Data as Plaintext to display the supplicant credentials as plaintext.


MAC-Based Authentication Settings

MAC-based authentication is an alternative to 802.1X authentication that allows network access to devices (such as printers and IP phones) that do not have the 802.1X supplicant capability. MAC-based authentication uses the MAC address of the connecting device to grant or deny network access.

To configure MAC-based authentication, complete the following steps:

Procedure


Step 1

Click Security > 802.1X Authentication > MAC-Based Authentication Settings

Step 2

Enter the following fields:

  • MAC Authentication Type—Select one of the following options:

    • EAP—Use RADIUS with EAP encapsulation for the traffic between the switch (RADIUS client) and the RADIUS server, which authenticates a MAC-based supplicant.

    • RADIUS—Use RADIUS without EAP encapsulation for the traffic between the switch (RADIUS client) and the RADIUS server, which authenticates a MAC-based supplicant.

    Username Format

    In MAC-based authentication, the supplicant's username is based on the supplicant device MAC address. The following defines the format of this MAC-based username, which is sent from the switch to the RADIUS server, as part of the authentication process.

  • Group Size—Number of ASCII characters between delimiters of the MAC address sent as a user name.

  • Group Separator—Character used as a delimiter between the defined groups of characters in the MAC address.

  • Case—Send user name in lower or upper case.

    MAC Authentication Password

  • Password—Defines the password that the switch uses for authentication via the RADIUS server. Select one of the following options:

    • Use default (Username)—Select this to use the defined username as the password.

    • Encrypted—Define a password in encrypted format.

    • Plaintext—Define a password in plaintext format.

  • Password MD5 Digest—Displays the MD5 Digest password.

Step 3

Click Apply and the settings are saved to the Running Configuration file. Click Display Sensitive Data as Plaintext to display the password if it is encrypted.


Authenticated Hosts

To view details about authenticated users, click. Security > 802.1X Authentication > Authenticated Hosts.

This page displays the following fields:

  • User Name—Supplicant names that authenticated on each port.

  • Port—Number of the port

  • Session Time (DD:HH:MM:SS)—Amount of time that the supplicant was authenticated and authorized access at the port.

  • Authentication Method—Method by which the last session was authenticated. Possible values are 802.1x, MAC or Web.

  • Authentication Server—RADIUS server. Possible values are Remote, Local or None.

  • MAC Address—Displays the supplicant MAC address.

  • VLAN ID—Port’s VLAN


Note


Click on the Authenticated Sessions Table button to view more details on authenticated session per device interface.


Locked Clients

To view clients who have been locked out because of failed login attempts and to unlock a locked client, follow these steps:

Procedure


Step 1

Click Security > 802.1X Authentication > Locked Client.

The following fields are displayed:

  • Interface—Port that is locked.

  • MAC Address—Displays the MAC address of locked station

  • Remaining Time (Sec)—The time remaining for the port to be locked.

Step 2

Select a port.

Step 3

Click Unlock.


Web Authentication Customization

This page enables designing web-based authentication pages in various languages.

You can add up to 4 languages.


Note


Up to 5 HTTP users and one HTTPS user can request web-based authentication at the same time. When these users are authenticated, more users can request authentication.


To add a language for web-based authentication, complete the following:

Procedure


Step 1

Click Security > 802.1X Authentication > Web Authentication Customization.

Step 2

Click Add.

Step 3

Select a language from the Language drop-down list.

Step 4

Check Set as Default Display Language if this language is the default language. the default language pages are displayed if the end user does not select a language.

Step 5

Click Apply and the settings are saved to the Running Configuration file.

To customize the web-authentication pages:

Step 6

Click Security > 802.1X Authentication > Web Authentication Customization.

This page displays the languages that can be customized.

Step 7

Click Edit Login Page.

Step 8

Click the Edit label 1. The following fields are displayed:

  • Language—Displays the page’s language.

  • Color Scheme—Select one of the contrast options.

    If the Custom color scheme is selected, the following options are available:

    • Page Background Color—Enter the ASCII code of the background color. The selected color is shown in the Text field.

    • Page Text Color—Enter the ASCII code of the text color. The selected color is shown in the Text field.

    • Header and Footer Background Color—Enter the ASCII code of the header and footer background color. The selected color is shown in the Text field.

    • Header and Footer Text Color—Enter the ASCII code of the header and footer text color. The selected color is shown in the Text field.

    • Hyperlink Color—Enter the ASCII code of the hyperlink color. The selected color is shown in the Text field.

  • Current Logo Image—Displays the name of the file containing the current logo image.

  • Logo Image—Select one of the following options:

    • None—No logo

    • Default—Use the default logo.

    • Other—Select to enter a customized logo.

      If the Other logo option is selected, the following options are available:

    • Logo Image Filename—Enter the logo file name or Browse to the image.

  • Application Text—Enter text to accompany the logo.

  • Window Title Text—Enter a title for the Login page.

Step 9

Click Apply and the settings are saved to the Running Configuration file.

Step 10

Click Edit label 2. The following fields are displayed:

  • Invalid User Credentials—Enter the text of the message to be displayed when the end user enters an invalid username or password.

  • Service Not Available—Enter the text of the message to be displayed when the authentication service isn’t available.

Step 11

Click Apply and the settings are saved to the Running Configuration file.

Step 12

Click Edit label 3. The following fields are displayed:

  • Welcome Message—Enter the text of the message to be displayed when the end user logs on.

  • Instructional Message—Enter the instructions to be displayed to the end user.

  • RADIUS Authentication—Displays whether RADIUS authentication is enabled. If so, the username and password must be included in the login page.

  • Username Textbox—Select for a username textbox to be displayed.

  • Username Textbox Label—Select the label to be displayed before the username textbox.

  • Password Textbox—Select for a password textbox to be displayed.

  • Password Textbox Label—Select the label to be displayed before the password textbox.

  • Language Selection—Select to enable the end user to select a language.

  • Language Dropdown Label—Enter the label of the language selection dropdown.

  • Login Button Label—Enter the label of the login button.

  • Login Progress Label—Enter the text that will be displayed during the login process.

Step 13

Click Apply and the settings are saved to the Running Configuration file.

Step 14

Click Edit label 4. The following fields are displayed:

  • Terms and Conditions—Select to enable a terms and conditions text box.

  • Terms and Conditions Warning—Enter the text of the message to be displayed as instructions to enter the terms and conditions.

  • Terms and Conditions Content—Enter the text of the message to be displayed as terms and conditions.

Step 15

Click Apply and the settings are saved to the Running Configuration file.

Step 16

In Edit label 5, the following fields are displayed:

  • Copyright—Select to enable displaying copyright text.

  • Copyright Text—Enter the copyright text.

Step 17

Click Apply and the settings are saved to the Running Configuration file.

Step 18

Click Edit Success Page.

Step 19

Click Edit on the right side of the page.

Step 20

Enter the Success Message, which is the text that will be displayed if the end user successfully logs in.

Step 21

Click Apply and the settings are saved to the Running Configuration file.

To preview the login or success message, click Preview.

To set the default language of the GUI interface as the default language for Web-based authentication, click Set Default Display Language.


Authenticated Sessions


Note


This setting is only available in Advanced Mode.


To view the details on the authenticated sessions on an interface, complete the following steps:

Procedure


Step 1

Navigate to Security > 802.1X Authentication > Authenticated Sessions.

Step 2

To filter the Authenticated Sessions Table, select the Unit and Interface from the drop-down menus and click Go.

Step 3

The Authenticated Sessions Table displays the following fields for all of the 802.1x authenticated session on the interface.

  • Port – the port ID for which the information is being displayed.

  • User Name – The Supplicant name used to authenticated in this session.

  • Mac Address – Displays the supplicant MAC address.

  • Status – The current status of the session. Can be either Authorized or Unauthorized

  • Authentication Method – Method by which the session was authenticated.

  • Common Session ID – The session ID that uniquely identifies this session.

Step 4

To view more details of a specific session, check the desired session and click Details. The popup will display the following fields, in addition to the fields that appear in the main table:

  • Supplicant IP Address – The IP address of the supplicant.

  • Reason – The reason that authorization failed. Will appear only if the session status is set to Unauthorized.

  • Host Authentication – The authentication mode configured on the interface.

  • Session Time – The time this session is active.

  • Accounting Session ID – The session Accounting session ID.

  • VLAN ID – VLAN ID applied to the interface by this session.

  • Tagging – Displays the mode of the VLAN ID as tagged or untagged.

  • ACL Name 1: The name of the 1st ACL applied to the interface in this session.

  • ACL Type 1: The type of the ACL applied to the interface in this session. Can be filter-ID; redirect or downloadable

  • Redirect URL – the redirect URL provided for this session. This field will appear only if the ACL type is redirect.

Note

 

Multiple ACLs may be applied in the same session. In this case additional information will be displayed such as the ACL Name 2… ACL Name 3 etc.


Denial of Service Prevention

A Denial of Service (DoS) attack is a hacker attempt to make a device unavailable to its users.

DoS attacks saturate the device with external communication requests, so that it cannot respond to legitimate traffic. These attacks usually lead to a device CPU overload.

One method of resisting DoS attacks employed by the device is the use of Secure Core Technology (SCT), which is enabled by default and cannot be disabled. The Cisco device is an advanced device that handles management traffic, protocol traffic and snooping traffic, in addition to end-user (TCP) traffic. SCT ensures that the device receives and processes management and protocol traffic, no matter how much total traffic is received. This is done by rate-limiting TCP traffic to the CPU.

Security Suite Settings


Note


Before activating DoS Prevention, you must unbind all Access Control Lists (ACLs) or advanced QoS policies that are bound to a port. ACL and advanced QoS policies aren’t active when a port has DoS Protection enabled on it.


To configure DoS Prevention global settings and monitor SCT:

Procedure


Step 1

Click Security > Denial of Service Prevention > Security Suite Settings.

CPU Protection Mechanism: Enabled indicates that SCT is enabled.

Step 2

Click Details beside CPU Utilization to go to the  CPU Utilization page and view CPU resource utilization information.

Step 3

Click Edit beside TCP SYN Protection to set the feature.

Step 4

Configure the DoS Prevention settings:

  • Disable-Disable all types of Denial of Service features (except device level TCP SYN protection).

  • System-Level Prevention-Enable preventing attacks from Stacheldraht Distribution, Invasor Trojan, Back Orifice Trojan and Martian Addresses.

  • System-Level and Interface-Level Prevention-In addition to the system-level prevention, you can enable and configure the following interface-level settings: Syn Filtering, Syn Rate Protection, ICMP Filtering and IP Fragmented.

Step 5

If System-Level Prevention or System-Level and Interface-Level Prevention is selected, enable one or more of the following Denial of Service Protection options:

  • Stacheldraht Distribution-Discards TCP packets with source TCP port equal to 16660.

  • Invasor Trojan-Discards TCP packets with destination TCP port equal to 2140 and source TCP port equal to 1024.

  • Back Orifice Trojan-Discards UDP packets with destination UDP port equal to 31337 and source UDP port equal to 1024.

Step 6

Click the following as required:

Step 7

Click Apply. The Denial of Service prevention Security Suite settings are written to the Running Configuration file.


SYN Protection

The network ports might be used by hackers to attack the device in a SYN attack, which consumes TCP resources (buffers) and CPU power.

Since the CPU is protected using SCT, TCP traffic to the CPU is limited. However, if one or more ports are attacked with a high rate of SYN packets, the CPU receives only the attacker packets, thus creating Denial-of-Service.

When using the SYN protection feature, the CPU counts the SYN packets ingressing from each network port to the CPU per second.

To configure SYN protection, follow these steps:

Procedure


Step 1

Click Security > Denial of Service Prevention > SYN Protection.

Step 2

Enter the parameters.

  • Block SYN-FIN Packets-Select to enable the feature. All TCP packets with both SYN and FIN flags are dropped on all ports.

  • SYN Protection Mode-Select between three modes:

    • Disable-The feature is disabled on a specific interface.

    • Report-Generates a SYSLOG message. The status of the port is changed to Attacked when the threshold is passed

    • Block and Report-When a TCP SYN attack is identified, TCP SYN packets destined for the system are dropped and the status of the port is changed to Blocked.

  • SYN Protection Threshold-Number of SYN packets per second before SYN packets will be blocked (deny SYN with MAC-to-me rule will be applied on the port).

  • SYN Protection Period-Time in seconds before unblocking the SYN packets (the deny SYN with MAC-to-me rule is unbound from the port).

Step 3

Click Apply. SYN protection is defined, and the Running Configuration file is updated.

The SYN Protection Interface Table displays the following fields for every port or LAG (as requested by the user).

  • Current Status-Interface status. The possible values are:

    • Normal-No attack was identified on this interface.

    • Blocked-Traffic isn’t forwarded on this interface.

    • Attacked-Attack was identified on this interface.

  • Last Attack-Date of last SYN-FIN attack identified by the system and the system action.


Martian Addresses


Note


This setting is only available in the Advanced Mode view.


The Martian Addresses page enables entering IP addresses that indicate an attack if they are seen on the network. Packets from these addresses are discarded. The device supports a set of reserved Martian addresses that are illegal from the point of view of the IP protocol. The supported reserved Martian addresses are:

  • Addresses defined to be illegal in the Martian Addresses page.

  • Addresses that are illegal from the point of view of the protocol, such as loopback addresses, including addresses within the following ranges:

    • 0.0.0.0/8 (Except 0.0.0.0/32 as a Source Address)-Addresses in this block refer to source hosts on this network.

    • 127.0.0.0/8-Used as the Internet host loopback address

    • 192.0.2.0/24-Used as the TEST-NET in documentation and example codes

    • 224.0.0.0/4 (As a Source IP Address)-Used in IPv4 Multicast address assignments, and was formerly known as Class D Address Space.

    • 240.0.0.0/4 (Except 255.255.255.255/32 as a Destination Address)-Reserved address range, and was formerly known as Class E Address Space.

You can also add new Martian Addresses for DoS prevention. Packets that have a Martian address are discarded.

To define Martian addresses, follow these steps:

Procedure


Step 1

Click Security > Denial of Service Prevention > Martian Addresses.

Step 2

Select Reserved Martian Addresses and click Apply to include the reserved Martian Addresses in the System Level Prevention list.

Step 3

To add a Martian address, click Add.

Step 4

Enter the parameters.

  • IP Version-Indicates the supported IP version. Currently, support is only offered for IPv4.

  • IP Address-Enter an IP address to reject. The possible values are:

    • From Reserved List-Select a well-known IP address from, the reserved list.

    • New IP Address-Enter an IP address.

  • Mask-Enter the mask of the IP address to define a range of IP addresses to reject. The values are:

    • Network Mask-Network mask in dotted decimal format

    • Prefix Length-Enter the prefix of the IP address to define the range of IP addresses for which Denial of Service prevention is enabled.

Step 5

Click Apply.


SYN Filtering


Note


This setting is only available in the Advanced Mode view.


The SYN Filtering page enables filtering TCP packets that contain a SYN flag, and are destined for one or more ports.

To define a SYN filter, complete the following steps:

Procedure


Step 1

Click Security > Denial of Service Prevention > SYN Filtering.

Step 2

Click Add.

Step 3

Enter the parameters.

  • Interface—Select the interface on which the filter is defined.

  • IPv4 Address—Enter the IP address for which the filter is defined, or select All addresses.

  • Network Mask—Enter the network mask for which the filter is enabled in IP address format. Enter one of the following:

    • Mask—Network mask in dotted decimal format

    • Prefix length—Enter the Prefix length of the IP address to define the range of IP addresses for which Denial of Service prevention is enabled.

  • TCP Port—Select the destination TCP port being filtered:

    • Known ports—Select a port from the list.

    • User Defined—Enter a port number.

    • All ports—Select to indicate that all ports are filtered.

Step 4

Click Apply. The SYN filter is defined, and the Running Configuration file is updated.


SYN Rate Protection


Note


This setting is only available in the Advanced Mode view.


The SYN Rate Protection page enables limiting the number of SYN packets received on the ingress port. This can mitigate the effect of a SYN flood against servers, by rate limiting the number of new connections opened to handle packets.

To define SYN rate protection, complete the following steps:

Procedure


Step 1

Click Security > Denial of Service Prevention > SYN Rate Protection.

Step 2

Click Add.

Step 3

Enter the parameters.

  • Interface—Select the interface on which the rate protection is being defined.

  • IP Address—Enter the IP address for which the SYN rate protection is user defined or select All addresses. If you enter the IP address, enter either the mask or prefix length.

  • Network Mask—Select the format for the subnet mask for the source IP address, and enter a value in one of the fields:

    • Mask—Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format.

    • Prefix length—Select the Prefix length and enter the number of bits that comprise the source IP address prefix.

  • SYN Rate Limit—Enter the number of SYN packets that be received.

Step 4

Click Apply. The SYN rate protection is defined, and the Running Configuration is updated.


ICMP Filtering


Note


This setting is only available in the Advanced Mode view.


The ICMP Filtering page enables the blocking of ICMP packets from certain sources. This can reduce the load on the network in an ICMP attack.

To configure the ICMP filtering, complete the following steps:

Procedure


Step 1

Click Security > Denial of Service Prevention > ICMP Filtering.

Step 2

Click Add.

Step 3

Enter the parameters.

  • Interface—Select the interface on which the ICMP filtering is being defined.

  • IP Address—Enter the IPv4 address for which the ICMP packet filtering is activated or select All addresses to block ICMP packets from all source addresses. If you enter the IP address, enter either the mask or prefix length.

  • Network Mask—Select the format for the subnet mask for the source IP address, and enter a value in one of the fields:

    • Mask—Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format.

    • Prefix length—Select the Prefix length and enter the number of bits that comprise the source IP address prefix.

Step 4

Click Apply. The ICMP filtering is defined, and the Running Configuration is updated.


IP Fragments Filtering


Note


This setting is only available in the Advanced Mode view.


IP fragmentation occurs when the data of the network layer is too large to be transmitted over the data link layer in one piece. Then the data of the network layer is split into several pieces (fragments), and this process is called IP fragmentation.

To configure fragmented IP filtering and block fragmented IP packets, complete the following steps:

Procedure


Step 1

Click Security > Denial of Service Prevention > IP Fragments Filtering.

Step 2

Click Add.

Step 3

Enter the parameters.

  • Interface—Select the interface on which the IP fragmentation is being defined.

  • IP Address—Enter an IP network from which the fragmented IP packets are filtered or select All addresses to block IP fragmented packets from all addresses. If you enter the IP address, enter either the mask or prefix length.

  • Network Mask—Select the format for the subnet mask for the source IP address, and enter a value in one of the fields:

    • Mask—Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format.

    • Prefix length—Select the Prefix length and enter the number of bits that comprise the source IP address prefix.

Step 4

Click Apply. The IP fragmentation is defined, and the Running Configuration file is updated.


IP Source Guard

IP Source Guard is a security feature that can be used to prevent traffic attacks caused when a host tries to use the IP address of its neighbor.

When IP Source Guard is enabled, the device only transmits client IP traffic to IP addresses contained in the DHCP Snooping Binding database. This includes both addresses added by DHCP Snooping and manually-added entries. If the packet matches an entry in the database, the device forwards it. If not, it is dropped.

If IP Source Guard is enabled on a port then:

  • DHCP packets allowed by DHCP Snooping are permitted

  • If source IP address filtering is enabled:

    • IPv4 traffic: Only traffic with a source IP address that is associated with the port is permitted.

    • Non IPv4 traffic: Permitted (Including ARP packets).

Properties

To enable IP Source Guard globally:

Procedure


Step 1

Click Security > IP Source Guard > Properties.

Step 2

Select Enable to enable IP Source Guard globally.

Step 3

Click Apply to enable IP Source Guard.


Interface Settings

If IP Source Guard is enabled on an untrusted port/LAG, DHCP packets, allowed by DHCP Snooping, are transmitted. If source IP address filtering is enabled, packet transmission is permitted as follows:

  • IPv4 traffic—Only IPv4 traffic with a source IP address that is associated with the specific port is permitted.

  • Non IPv4 traffic—All non-IPv4 traffic is permitted.

To configure IP Source Guard on interfaces:

Procedure


Step 1

Click Security > IP Source Guard > Interface Settings.

Step 2

Select port/LAG from the Filter field and click Go. The ports/LAGs on this unit are displayed along with the following:

  • IP Source Guard—Indicates whether IP Source Guard is enabled on the port.

  • DHCP Snooping Trusted Interface—Indicates whether this is a DHCP trusted interface.

Step 3

Select the port/LAG and click Edit. Select Enable in the IP Source Guard field to enable IP Source Guard on the interface.

Step 4

Click Apply to copy the setting to the Running Configuration file.


Binding Database

IP Source Guard uses the DHCP Snooping - to check packets from untrusted ports. If the device attempts to write too many entries to the DHCP Snooping -, the excessive entries are maintained in an inactive status. Entries are deleted when their lease time expires and so inactive entries may be made active.

See DHCP Relay.


Note


The page only displays the entries in the DHCP Snooping - defined on IP-Source-Guard-enabled ports.


To view the DHCP Snooping - and see TCAM resources consumed, complete the following:

Procedure


Step 1

Click Security > IP Source Guard > Binding Database.

The Supported IP Format and TCAM Resources Consumed will be displayed.

Step 2

The DHCP Snooping uses TCAM resources for managing the database. Complete the Insert Inactive field to select how frequently the device should attempt to activate inactive entries. It has the following options:

  • Retry Frequency—The frequency with which the TCAM resources are checked.

  • Never-Never try to reactivate inactive addresses.

Step 3

Click Apply to save the above changes to the Running Configuration and/or Retry Now to check TCAM resources.

The following entries are displayed:

  • VLAN ID—VLAN on which packet is expected.

  • MAC Address—MAC address to be matched.

  • IP Address—IP address to be matched.

  • Interface—Interface on which packet is expected.

  • Status—Displays whether interface is active.

  • Type—Displays whether entry is dynamic or static.

  • Reason—If the interface isn’t active, displays the reason. The following reasons are possible:

    • No Problem—Interface is active.

    • No Snoop VLAN—DHCP Snooping isn’t enabled on the VLAN.

    • Trusted Port—Port has become trusted.

    • Resource Problem—TCAM resources are exhausted.

Step 4

To see a subset of these entries, you can filter the data by selecting a subset and entering the relevant search criteria and click Retry Now.


ARP Inspection

ARP enables IP communication within a Layer 2 Broadcast domain by mapping IP addresses to a MAC addresses.

A malicious user can attack hosts, switches, and routers connected to a Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. This can happen because ARP allows a gratuitous reply from a host even if an ARP request was not received. After the attack, all traffic from the device under attack flows through the attacker's computer and then to the router, switch, or host.

Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP, MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA. When Host A needs to communicate with Host B at the IP layer, it broadcasts an ARP request for the MAC address associated with IP address IB. Host B responds with an ARP reply. The switch and Host A update their ARP cache with the MAC and IP of Host B.

Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB, which enables Host C intercepts that traffic. Because Host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination. Host C has inserted itself into the traffic stream from Host A to Host B, the classic man-in-the-middle attack.

ARP Inspection Properties

To configure ARP Inspection properties:

Procedure


Step 1

Click Security > ARP Inspection > Properties.

Enter the following fields:

  • ARP Inspection Status-Select to enable ARP Inspection.

  • ARP Packet Validation-Select to enable validation checks.

  • Log Buffer Interval-Select one of the following options:

    • Retry Frequency-Enable sending SYSLOG messages for dropped packets. Entered the frequency with which the messages are sent.

    • Never-Disabled SYSLOG dropped packet messages.

Step 2

Click Apply. The settings are defined, and the Running Configuration file is updated.


ARP Inspection Interfaces Settings

Packets from untrusted ports/LAGs are checked against the ARP Access Rules table and the DHCP Snooping Binding database if DHCP Snooping is enabled.

By default, ports/LAGs are ARP Inspection untrusted.

To change the ARP trusted status of a port/LAG:

Procedure


Step 1

Click Security > ARP Inspection > Interface Settings.

The ports/LAGs and their ARP trusted/untrusted status are displayed.

Step 2

To set a port/LAG as trusted or untrusted, select the port/LAG and click Edit.

Step 3

Select Trusted or Untrusted and click Apply to save the settings to the Running Configuration file.


ARP Access Control

To add entries to the ARP Inspection table:

Procedure


Step 1

Click Security > ARP Inspection > ARP Access Control.

Step 2

To add an entry, click Add.

Step 3

Enter the fields:

  • ARP Access Control Name-Enter a user-created name.

  • IP Address-IP address of packet.

  • MAC Address-MAC address of packet.

Step 4

Click Apply. The settings are defined, and the Running Configuration file is updated.


ARP Access Control Rules

To add more rules to a previously-created ARP Access Control group:

Procedure


Step 1

Click Security > ARP Inspection > ARP Access Control Rules.

The ARP Access Control Rule Table displays, with the currently-defined access rules.

To select a specific group, select Filter, select the control name and click Go.

Step 2

To add more rules to a group, click Add.

Step 3

Select an ARP Access Control Name and enter the fields:

  • IP Address-IP address of packet.

  • MAC Address-MAC address of packet.

Step 4

Click Apply. The settings are defined, and the Running Configuration file is updated.


ARP Inspection VLAN Settings

To enable ARP Inspection on VLANs and associate Access Control Groups with a VLAN:

Procedure


Step 1

Click Security > ARP Inspection > VLAN Settings.

Step 2

To enable ARP Inspection on a VLAN, move the VLAN from the Available VLANs list to the Enabled VLANs list.

Step 3

To associate an ARP Access Control group with a VLAN, click Add. Select the VLAN number and select a previously-defined ARP Access Control Name.

Step 4

Click Apply. The settings are defined, and the Running Configuration file is updated.


IPv6 First Hop Security

IPv6 First Hop Security (FHS) is a suite of features designed to secure link operations in an IPv6-enabled network. It is based on the Neighbor Discovery Protocol and DHCPv6 messages.

In this feature, a Layer 2 switch filters Neighbor Discovery Protocol messages, DHCPv6 messages and user data messages according to a number of different rules.

IPv6 First Hop Security Components

IPv6 First Hop Security includes the following features:

  • IPv6 First Hop Security Common

  • RA Guard

  • ND Inspection

  • Neighbor Binding Integrity

  • DHCPv6 Guard

  • IPv6 Source Guard

These components can be enabled or disabled on VLANs. There are two empty, pre-defined policies per each feature with the following names: vlan_default and port_default. The first one is attached to each VLAN that is not attached to a user-defined policy and the second one is connected to each interface and VLAN that is not attached to a user-defined policy.

FHS Settings

Use the FHS Settings page to enable the FHS Common feature on a specified group of VLANs and to set the global configuration value for logging of dropped packets. If required, a policy can be added. The packet drop logging can be added to the system-defined default policy.

To configure IPv6 First Hop Security common parameters:

Procedure


Step 1

Click Security > IPv6 First Hop Security > FHS Settings.

The currently defined policies are displayed. For each policy, its Policy Type is displayed, which indicates whether it’s a default or user-defined policy.

Step 2

Enter the following global configuration fields:

  • FHS VLAN List—Enter one or more VLANs on which IPv6 First Hop Security is enabled.

  • Packet Drop Logging—Select to create a SYSLOG when a packet is dropped by a First Hop Security policy. This is the global default value if no policy is defined.

Step 3

Click Apply to add the settings to the Running Configuration file.

Step 4

Create a FHS policy if required by clicking Add.

Enter the following fields:

  • Policy Name—Enter a user-defined policy name.

  • Packet Drop Logging—Select to create a SYSLOG when a packet is dropped as a result of a First Hop Security feature within this policy.

    • Inherited—Use the value from the VLAN or the global configuration.

    • Enable—Create a SYSLOG when a packet is dropped as a result of First Hop Security.

    • Disable—Don’t create a SYSLOG when a packet is dropped as a result of First Hop Security.

Step 5

Click Apply to add the settings to the Running Configuration file.

Step 6

To attach this policy to an interface:


RA Guard Settings

The IPv6 RA Guard feature enables network administrators to block or reject unwanted or rogue RA Guard messages that arrive at the network device platform. Devices use RAs to announce themselves on the link. The IPv6 RA Guard feature examines these RAs and eliminates RAs sent by unauthorized devices.

All RA and router redirect messages are blocked on the port when in host mode. The RA guard feature compares configuration data on the Layer 2 (L2) device to data in the received RA frame. After validating the content of the RA frame and router redirect frame against the configuration, the L2 device forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped

Use the RA Guard Settings page to enable the RA Guard feature on a specified group of VLANs and to set the global configuration values for this feature. If required, a policy can be added or the system-defined default RA Guard policies can be configured in this page.

To configure RA Guard:

Procedure


Step 1

Click Security > IPv6 First Hop Security > RA Guard Settings.

The currently defined policies are displayed. For each policy, its Policy Type is displayed, which indicates whether it’s a default or user-defined policy.

Step 2

In the RA Guard VLAN List, enter one or more VLANs on which RA Guard is enabled.

Step 3

Next, configure the following:

  • Minimum Hop Limit— Indicates if the RA Guard policy checks the maximum hop limit of the packet received. Select from one of the following:

    • No Limit—Disables verification of the lower boundary of the hop-count limit.

    • User Defined—Verifies that the hop-count limit is less than or equal to this value. The value of the high boundary must be equal or greater than the value of the low boundary.

  • Maximum Hop Limit— Indicates if the RA Guard policy checks the maximum hop limit of the packet received. Select from one of the following:

    • No Limit—Disables verification of the high boundary of the hop-count limit.

    • User Defined—Verifies that the hop-count limit is less than or equal to this value. The value of the high boundary must be equal or greater than the value of the low boundary.

  • Managed Configuration Flag— his field specifies verification of the advertised Managed Address Configuration flag within an IPv6 RA Guard policy. Select from one of the following:
    • No Verification—Disables verification of the advertised Managed Address Configuration flag.

    • On—Enables verification of the advertised Managed Address Configuration flag.

    • Off—The value of the flag must be 0.

  • Other Configuration Flag— This field specifies verification of the advertised Other Configuration flag within an IPv6 RA Guard policy. Select from one of the following:
    • No Verification—Disables verification of the advertised Other Configuration flag.

    • On—Enables verification of the advertised Managed Other flag.

    • Off—The value of the flag must be 0.

  • Minimal Router Preference—This field indicates whether the RA Guard policy will verify the minimum advertised Default Router Preference value in RA messages within an RA Guard policy. Select from one of the following:
    • No Verification—Disables verification of the low boundary of Advertised Default Router Preference.

    • Low—Specifies the minimum allowed Advertised Default Router Preference value.

    • Medium—Specifies the minimum allowed Advertised Default Router Preference value.

    • High—Specifies the minimum allowed Advertised Default Router Preference value.

  • Maximal Router Preference—This field indicates whether the RA Guard policy will verify the maximum advertised Default Router Preference value in RA messages within an RA Guard policy. Select from one of the following:
    • No Verification—Disables verification of the high boundary of Advertised Default Router Preference.

    • Low—Specifies the maximum allowed Advertised Default Router Preference value.

    • Medium—Specifies the maximum allowed Advertised Default Router Preference value.

    • High—Specifies the maximum allowed Advertised Default Router Preference value.

Step 4

To add a policy to the RA Guard Policy Table, click Add and enter the fields:

  • Policy Name—Enter a user-defined policy name.

  • Device Role—Displays one of the following options to specify the role of the device attached to the port for RA Guard.

    • Inherited—Device role is inherited from either the VLAN or system default (client).

    • Host—Device role is host.

    • Router—Device role is router.

  • Managed Configuration Flag—This field specifies verification of the advertised Managed Address Configuration flag within an IPv6 RA Guard policy.

    • Inherited—Feature is inherited from either the VLAN or system default (client).

    • No Verification—Disables verification of the advertised Managed Address Configuration flag.

    • On—Enables verification of the advertised Managed Address Configuration flag.

    • Off—The value of the flag must be 0.

  • Other Configuration Flag—This field specifies verification of the advertised Other Configuration flag within an IPv6 RA Guard policy.

    • Inherited—Feature is inherited from either the VLAN or system default (client).

    • No Verification—Disables verification of the advertised Other Configuration flag.

    • On—Enables verification of the advertised Managed Other flag.

    • Off—The value of the flag must be 0.

  • RA Address List—Specify the list of addresses to filter:

    • Inherited—Value is inherited from either the VLAN or system default (no verification).

    • No Verification—Advertised addresses aren’t verified.

    • Match List—IPv6 address list to be matched.

  • RA Prefix List—Specify the list of addresses to filter:

    • Inherited—Value is inherited from either the VLAN or system default (no verification).

    • No Verification—Advertised prefixes aren’t verified.

    • Match List—Prefix list to be matched.

  • Minimal Hop Limit—Indicates if the RA Guard policy checks that the minimum hop limit of the packet received.

    • Inherited—Feature is inherited from either the VLAN or system default (client).

    • No Limit—Disables verification of the lower boundary of the hop count limit.

    • User Defined—Verifies that the hop-count limit is greater than or equal to this value.

  • Maximal Hop Limit—Indicates if the RA Guard policy checks that the maximum hop limit of the packet received.

    • Inherited—Feature is inherited from either the VLAN or system default (client).

    • No Limit—Disables verification of the high boundary of the hop-count limit.

    • User Defined—Verifies that the hop-count limit is less than or equal to this value. The value of the high boundary must be equal or greater than the value of the low boundary.

  • Minimal Router Preference—This field indicates whether the RA Guard policy verifies the minimum advertised Default Router Preference value in RA messages within an RA Guard policy.

    • Inherited—Feature is inherited from either the VLAN or system default (client).

    • No Verification—Disables verification of the low boundary of Advertised Default Router Preference.

    • Low—Specifies the minimum allowed Advertised Default Router Preference value. The following values are acceptable: low, medium, and high (see RFC4191).

    • Medium—Specifies the minimum allowed Advertised Default Router Preference value. The following values are acceptable: low, medium, and high (see RFC4191).

    • High—Specifies the minimum allowed Advertised Default Router Preference value. The following values are acceptable: low, medium, and high (see RFC4191).

  • Maximal Router Preference—This field indicates whether the RA Guard policy verifies the maximum advertised Default Router Preference value in RA messages within an RA Guard policy.

    • Inherited—Feature is inherited from either the VLAN or system default (client).

    • No Verification—Disables verification of the high boundary of Advertised Default Router Preference.

    • Low—Specifies the maximum allowed Advertised Default Router Preference value. The following values are acceptable: low, medium, and high (see RFC4191).

    • Medium—Specifies the maximum allowed Advertised Default Router Preference value. The following values are acceptable: low, medium, and high (see RFC4191).

    • High—Specifies the maximum allowed Advertised Default Router Preference value. The following values are acceptable: low, medium, and high (see RFC4191).

Step 5

Click Apply to add the settings to the Running Configuration file.

Step 6

To configure system-defined default policies or existing user defined policy select the policy in the policy table and click Edit.

Step 7

To attach this policy to an interface:


DHCPv6 Guard Settings

Use the DHCPv6 Guard Settings page to enable the DHCPv6 Guard feature on a specified group of VLANs and to set the global configuration values for this feature. If required, a policy can be added or the system-defined default DHCPv6 Guard policies can be configured in this page.

To configure DHCPv6 Guard:

Procedure


Step 1

Click Security > IPv6 First Hop Security > DHCPv6 Guard Settings.

The currently defined policies are displayed. For each policy, its Policy Type is displayed, which indicates whether it’s a default or user-defined policy.

Step 2

Enter the following global configuration fields:

  • DHCPv6 Guard VLAN List—Enter one or more VLANs on which DHCPv6 Guard is enabled.

  • Device Role—Displays the device role. See definition in the Add page.

  • Minimal Preference—This field indicates whether the DHCPv6 Guard policy checks the minimum advertised preference value of the packet received.

    • No Verification—Disables verification of the minimum advertised preference value of the packet received.

    • User Defined—Verifies that the advertised preference value is greater than or equal to this value. This value must be less than the Maximal Preference value.

  • Maximal Preference—This field indicates whether the DHCPv6 Guard policy checks the maximum advertised preference value of the packet received. This value must be greater than the Minimal Preference value.

    • No Verification—Disables verification of the lower boundary of the hop count limit.

    • User Defined—Verifies that the advertised preference value is less than or equal to this value.

Step 3

Click Apply to add the settings to the Running Configuration file.

The existing policies are displayed. The fields are displayed below except for the Policy Type field. This displays whether the policy is user-defined or a default one.

Step 4

If required, click Add to create a DHCPv6 policy.

Step 5

Enter the following fields:

  • Policy Name—Enter a user-defined policy name.

  • Device Role—Select either Server or Client to specify the role of the device attached to the port for DHCPv6 Guard.

    • Inherited—Role of device is inherited from either the VLAN or system default (client).

    • Client—Role of device is client.

    • Server—Role of device is server.

  • Match Reply Prefixes—Select to enable verification of the advertised prefixes in received DHCP reply messages within a DHCPv6 Guard policy.

    • Inherited—Value is inherited from either the VLAN or system default (no verification).

    • No Verification—Advertised prefixes aren’t verified.

    • Match List—IPv6 prefix list to be matched.

  • Match Server Address—Select to enable verification of the DHCP server's and relay’s IPv6 address in received DHCP reply messages within a DHCPv6 Guard policy.

    • Inherited—Value is inherited from either the VLAN or system default (no verification).

    • No Verification—Disables verification of the DHCP server's and relay’s IPv6 address.

    • Match List— IPv6 prefix list to be matched.

  • Minimal Preference—This field indicates whether the DHCPv6 Guard policy checks the minimum advertised preference value of the packet received.

    • Inherited—Minimal preference is inherited from either the VLAN or system default (client).

    • No Verification—Disables verification of the minimum advertised preference value of the packet received.

    • User Defined—Verifies that the advertised preference value is greater than or equal to this value. This value must be less than the Maximal Preference value.

  • Maximal Preference—This field indicates whether the DHCPv6 Guard policy checks the maximum advertised preference value of the packet received. This value must be greater than the Minimal Preference value.

    • Inherited—Minimal preference is inherited from either the VLAN or system default (client).

    • No Verification—Disables verification of the lower boundary of the hop count limit.

    • User Defined—Verifies that the advertised preference value is less than or equal to this value.

Step 6

Click Apply to add the settings to the Running Configuration file.

Step 7

To attach this policy to an interface:


ND Inspection Settings

Use the Neighbor Discovery (ND) Inspection Settings page to enable the ND Inspection feature on a specified group of VLANs and to set the global configuration values for this feature. If required, a policy can be added or the system-defined default ND Inspection policies can be configured in this page.

To configure ND Inspection:

Procedure


Step 1

Click Security > IPv6 First Hop Security > ND Inspection Settings.

The existing policies are displayed. The fields are displayed below except for the Policy Type field. This displays whether the policy is user-defined or a default one.

Step 2

Enter the following global configuration fields:

  • ND Inspection VLAN List—Enter one or more VLANs on which ND Inspection is enabled.

  • Device Role—Displays the device role that is explained below.

  • Drop Unsecure—Select to enable dropping messages with no CGA or RSA Signature option within an IPv6 ND Inspection policy.

  • Minimal Security Level—If unsecure messages aren’t dropped, select the security level below which messages aren’t forwarded.

    • No Verification—Disables verification of the security level.

    • User Defined—Specify the security level of the message to be forwarded.

  • Validate Source MAC—Select to globally enable checking source MAC address against the link-layer address.

Step 3

Click Apply to add the settings to the Running Configuration file.

Step 4

If required, click Add to create an ND Inspection policy.

Step 5

Enter the following fields:

  • Policy Name—Enter a user-defined policy name.

  • Device Role—Select one of the following to specify the role of the device attached to the port for ND Inspection.

    • Inherited—Role of device is inherited from either the VLAN or system default (client).

    • Host—Role of device is host.

    • Router—Role of device is router.

  • Drop Unsecure—Select one of following options:

    • Inherited—Inherit value from VLAN or system default (disabled).

    • Enable—Enable dropping messages with no CGA or RSA Signature option within an IPv6 ND Inspection policy.

    • Disable—Disable dropping messages with no CGA or RSA Signature option within an IPv6 ND Inspection policy.

  • Minimal Security Level—If unsecure messages aren’t dropped, select the security level below which messages aren’t forwarded.

    • Inherited—Inherit value from VLAN or system default (disabled).

    • No Verification—Disables verification of the security level.

    • User Defined—Specify the security level of the message to be forwarded.

  • Validate Source MAC—Specify whether to globally enable checking source MAC address against the link-layer address:

    • Inherited—Inherit value from VLAN or system default (disabled).

    • Enable—Enable checking source MAC address against the link-layer address.

    • Disable—Disable checking source MAC address against the link-layer address.

Step 6

Click Apply to add the settings to the Running Configuration file.

Step 7

To attach this policy to an interface:


Neighbor Binding Settings

The Neighbor Binding table is a database table of IPv6 neighbors connected to a device is created from information sources, such as Neighbor Discovery Protocol (NDP) snooping. This database, or binding, table is used by various IPv6 guard features to prevent spoofing and redirect attacks.

Use the Neighbor Binding Settings page to enable the Neighbor Binding feature on a specified group of VLANs and to set the global configuration values for this feature. If required, a policy can be added or the system-defined default Neighbor Binding policies can be configured in this page.

To configure Neighbor Binding:

Procedure


Step 1

Click Security > IPv6 First Hop Security > Neighbor Binding Settings.

Step 2

Enter the following global configuration fields:

Neighbor Binding VLAN List

Enter one or more VLANs on which Neighbor Binding is enabled.

Device Role

Displays the device global default role (Perimeter).

Neighbor Binding Lifetime

Enter the length of time that addresses remain in the Neighbor Bindings table.

Neighbor Binding Logging

Select to enable logging of Neighbor Binding table main events.

Address Prefix Validation

Select to enable IPv6 Source Guard validation of addresses.

Global Address Binding Configuration

Binding from NDP Messages

To change the global configuration of allowed configuration methods of global IPv6 addresses within an IPv6 Neighbor Binding policy, select one of the following options:

  • Any—Any configuration methods (stateless and manual) are allowed for global IPv6 bound from NDP messages.

  • Stateless—Only stateless auto configuration is allowed for global IPv6 bound from NDP messages.

  • Disable—Binding from NDP messages is disabled.

Binding from DHCPv6 Messages

Binding from DHCPv6 is allowed.

Neighbor Binding Entry Limits

Entries per VLAN

Select No Limit to use global value, or to set no limit on the number of entries. Select User Defined to set a special value for this policy.

Entries per Interface

Select No Limit to use global value, or to set no limit on the number of entries. Select User Defined to set a special value for this policy.

Entries per MAC Address

Select No Limit to use global value, or to set no limit on the number of entries. Select User Defined to set a special value for this policy.

Step 3

Click Apply to add the settings to the Running Configuration file.

Step 4

If required, click Add to create a Neighbor Binding policy.

Step 5

Enter the following fields:

Policy Name

Enter a user-defined policy name.

Device Role

Select one of the following options to specify the role of the device attached to the port for the Neighbor Binding policy.

  • Inherited—Role of device is inherited from either the VLAN or system default (client).

  • Perimeter—Port is connected to devices not supporting IPv6 First Hop Security.

  • Internal—Port is connected to devices supporting IPv6 First Hop Security.

Neighbor Binding Logging

Select one of the following options to specify logging:

  • Inherited—Logging option is the same as the global value.

  • Enable—Enable logging of Binding table main events.

  • Disable—Disable logging of Binding table main events.

Address Prefix Validation

Select one of the following options to specify validation of addresses:

  • Inherited—Validation option is the same as the global value.

  • Enable—Enable validation of addresses.

  • Disable—Disable validation of addresses

Global Address Binding Configuration

Inherit Address Binding Settings

Enable to use the global address binding settings.

Binding from NDP Messages

To change the global configuration of allowed configuration methods of global IPv6 addresses within an IPv6 Neighbor Binding policy, select one of the following options:

  • Any—Any configuration methods (stateless and manual) are allowed for global IPv6 bound from NDP messages.

  • Stateless—Only stateless auto configuration is allowed for global IPv6 bound from NDP messages.

  • Disable—Binding from NDP messages is disabled.

Binding from DHCPv6 Messages

Select to enable binding from DHCPv6.

Neighbor Binding Entry Limits

Entries per VLAN

Select Inherited to use global value, No Limit to set no limit on the number of entries and User Defined to set a special value for this policy.

Entries per Interface

Select Inherited to use global value, No Limit to set no limit on the number of entries and User Defined to set a special value for this policy.

Entries per MAC Address

Select Inherited to use global value, No Limit to set no limit on the number of entries and User Defined to set a special value for this policy.

Step 6

Click Apply to add the settings to the Running Configuration file.

Step 7

To attach this policy to an interface:

Attach Policy to VLAN

Click to jump to Policy Attachment (VLAN) page where you can attach this policy to a VLAN.

Attach Policy to Interface

Click to jump to Policy Attachment (Port) page where you can attach this policy to a port.


IPv6 Source Guard Settings

Use the IPv6 Source Guard Settings page to enable the IPv6 Source Guard feature on a specified group of VLANs. If required, a policy can be added or the system-defined default IPv6 Source Guard policies can be configured in this page.

To configure IPv6 Source Guard:

Procedure


Step 1

Click Security > IPv6 First Hop Security > IPv6 Source Guard Settings.

The existing policies are displayed. The fields are displayed below except for the Policy Type field. This displays whether the policy is user-defined or a default one.

Step 2

Enter the following global configuration fields:

  • IPv6 Source Guard VLAN List—Enter one or more VLANs on which IPv6 Source Guard is enabled.

  • Port Trust—Displays that by default the policies are for untrusted ports. This can be changed per policy.

Step 3

Click Apply to apply the new settings.

Step 4

If required, click Add to create a First Hop Security policy.

Step 5

Enter the following fields:

  • Policy Name—Enter a user-defined policy name.

  • Port Trust—Select the port trust status of the policy:

    • Inherited—When policy is attached to a port it’s untrusted).

    • Trusted—When policy is attached to a port it’s trusted.

Step 6

Click Apply to attach the policy.

Step 7

To attach this policy to an interface click Attach Policy to Interface.


Policy Attachment (VLAN)

To attach a policy to one or more VLANs:

Procedure


Step 1

Click Security > IPv6 First Hop Security > Policy Attachment (VLAN).

The list of policies that are already attached are displayed along with their Policy Type, Policy Name and VLAN List.

Step 2

To filter the policies, check Filter, select the Policy Type from the drop-down menu and click Go.

Step 3

To attach a policy to a VLAN, click Add and enter the following fields:

  • Policy Type—Select the policy type to attach to the interface.

  • Policy Name—Select the name of the policy to attach to the interface.

  • VLAN List—Select the VLANs to which the policy is attached.

Step 4

Click Apply to add the settings to the Running Configuration file.


Policy Attachment (Port)

To attach a policy to one or more ports or LAGs:

Procedure


Step 1

Click Security > IPv6 First Hop Security > Policy Attachment (Port).

The list of policies that are already attached are displayed along with their Interface, Policy Type, Policy Name and VLAN List.

Step 2

Check Filter to activate the filter and select the policy type from the drop-down list. Next, click Go to filter the data.

Step 3

To attach a policy to a port or LAG, click Add and enter the following fields:

  • Interface—Select the interface on which the policy will be attached.

  • Policy Type—Select the policy type to attach to the interface.

  • Policy Name—Select the name of the policy to attach to the interface.

  • VLAN List—Select the VLANs to which the policy is attached.

Step 4

Click Apply to add the settings to the Running Configuration file.


Neighbor Binding Table

To view entries in the Neighbor Binding table:

Procedure


Step 1

Click Security > IPv6 First Hop Security > Neighbor Binding Table

Step 2

Select one of the following clear table options:

  • None- Clears none.
  • Static Only—Clear all static entries in the table.

  • Dynamic Only—Clear all dynamic entries in the table.

  • All Dynamic & Static—Clear all dynamic and static entries in the table.

    The following fields are displayed for each policy (only fields not on Add page are displayed:

  • Origin—Protocol that added the IPv6 address (only available for dynamic entries):
    • Static—Added manually.

    • NDP—Learnt from Neighbor Discovery Protocol messages.

    • DHCP—Learnt from DHCPv6 protocol messages.

  • State—State of the entry:
    • Tentative—The new host IPv6 address is under validation. Since its lifetime is less than 1 sec its expiration time is not displayed.

    • Valid—The host IPv6 address was bound.

  • Expiry Time (Sec.)—Remaining time in seconds until the entry will be removed, if it is not confirmed.

  • TCAM Overflow—Entries marked as No have not been added to the TCAM because TCAM overflow.

Step 3

To add a policy, click Add and enter the following fields:

  • VLAN ID—VLAN ID of the entry.

  • IPv6 Address—Source IPv6 address of the entry.

  • Interface—Port or LAG on which a packet is received.

  • MAC Address—Neighbor MAC address of the packet.

Step 4

Click Apply to add the settings to the Running Configuration file.


Neighbor Prefix Table

You can add static prefixes for global IPv6 addresses bound from NDP messages in the Neighbor Prefix table. Dynamic entries are learned.

To add entries to the Neighbor Prefix table:

Procedure


Step 1

Click Security > IPv6 First Hop Security > Neighbor Prefix Table.

Step 2

Select one of the following options in the Clear Table field to clear the Neighbor Prefix table:

  • None—Clears none.
  • Static Only—Clear only static entries.

  • Dynamic Only—Clear only dynamic entries.

  • All Dynamic & Static—Clear static and dynamic entries.

Step 3

The following fields are displayed for the exiting entries.

  • VLAN ID—VLAN on which the prefixes are relevant

  • IPv6 Prefix—IPv6 prefix.

  • Prefix Length—IPv6 prefix length.

  • Origin—Entry is dynamic (learned) or static (manually configured).

  • Autoconfig—The prefix can be used for stateless configuration.

  • Expiry Time (Sec)—Length of time entry will remain before being deleted.

Step 4

Click Add to add a new entry to the table and enter the above fields for the new entry.

Step 5

Configure the following fields:

  • VLAN ID—Select the VLAN ID on which the prefixes are relevant.

  • IPv6 Prefix—Enter the IPv6 prefix.

  • Prefix Length—Enter the IPv6 prefix length.

  • Autoconfig—Check to enable autoconfig for a stateless configuration.


FHS Status

To display the global configuration for the FHS features:

Procedure


Step 1

Click Security > IPv6 First Hop Security > FHS Status.

Step 2

Select a port, LAG or VLAN for which the FHS state is reported.

Step 3

The following fields are displayed for the selected interface:

FHS Status

FHS State on Current VLAN

Is FHS enabled on the current VLAN

Packet Drop Logging

Is this feature enabled for the current interface (at the level of global configuration or in a policy attached to the interface)

RA Guard Status

RA Guard State on Current VLAN

Is RA Guard enabled on the current VLAN?

Device Role

RA device role.

Managed Configuration Flag

Is verification of the managed configuration flag enabled?

Other Configuration Flag

Is verification of the other configuration flag enabled?

RA Address List

RA address list to be matched.

RA Prefix List

RA prefix list to be matched.

Minimal Hop Limit

Is minimum RA hop limit verification enabled?

Maximal Hop Limit

Is maximum RA hop limit verification enabled?

Minimal Router Preference

Is minimum router preference verification enabled?

Maximal Router Preference

Is maximum router preference verification enabled?

DHCPv6 Guard Status

DHCPv6 Guard State on Current VLAN

Is DHCPv6 Guard enabled on the current VLAN?

Device Role

DHCP device role

Match Reply Prefixes

Is DHCP reply prefixes verification enabled?

Match Server Address

Is DHCP server addresses verification enabled?

Minimal Preference

Is verification of the minimal preference enabled?

Maximal Preference

Is verification of the maximum preference enabled?

ND Inspection Status

ND Inspection State on Current VLAN

Is ND Inspection enabled on the current VLAN?

Device Role

ND Inspection device role.

Drop Unsecure

Are unsecure messages dropped?

Minimal Security Level

If unsecure messages aren’t dropped, what is the minimum security level for packets to be forwarded?

Validate Source MAC

Is source MAC address verification enabled?

Neighbor Binding Status

Neighbor Binding State on Current VLAN

Is Neighbor Binding enabled on the current VLAN?

Device Role

Neighbor Binding device role.

Logging Binding

Is logging of Neighbor Binding table events enabled?

Address Prefix Validation

Is address prefix validation enabled?

Global Address Configuration

Which messages are validated?

Max Entries per VLAN

Maximum number of dynamic Neighbor Binding table entries per VLAN allowed.

Max Entries per Interface

Maximum number of Neighbor Binding table entries per interface allowed.

Max Entries per MAC Address

Maximum number of Neighbor Binding table entries per MAC address allowed.

IPv6 Source Guard Status

IPv6 Source Guard State on Current VLAN

Is IPv6 Source Guard enabled on the current VLAN?

Port Trust

Whether the port is trusted and how it received its trusted status.


FHS Statistics

To display FHS statistics:

Procedure


Step 1

Click Security > IPv6 First Hop Security > FHS Statistics.

Step 2

Select the Refresh Rate, the time period that passes before the statistics are refreshed.

Step 3

The following global overflow counters are displayed:

Neighbor Binding Table

Number of entries that could not be added to this table because the table reached its maximum size.

Neighbor Prefix Table

Number of entries that could not be added to this table because the table reached its maximum size.

TCAM

Number of entries that could not be added because of TCAM overflow.

Step 4

Select an interface (Port or LAG) and the following fields are displayed:

NDP (Neighbor Discovery Protocol) Messages

The number of received and dropped messages are displayed for the following types of messages:

  • RA—Router Advertisement messages

  • REDIR—Redirect messages

  • NS—Neighbor Solicitation messages.

  • NA—Neighbor Advertisement messages.

  • RS—Router Solicitation message.

DHCPv6 Messages

The number of received and dropped messages are displayed for the following types of DHCPv6 messages:

  • ADV— Advertise messages

  • REP—Reply messages

  • REC—Reconfigure messages

  • REL-REP—Relay reply messages

  • LEAS-REP—Lease query reply messages

  • RLS—Released messages

  • DEC—Decline messages

The following fields are displayed in the FHS Dropped Message Table

Feature

Type of message dropped (DHCPv6 Guard, RA Guard and so on).

Count

Number of messages dropped.

Reason

Reason that the messages dropped.

Step 5

Click Clear Interface Counters or Clear All Interface Counters or Clear Global Counters to clear the counters.

Step 6

Click Refresh to refresh the counters.


Certificate Settings


Note


This setting is only available in the Advanced Mode view.


The Cisco Business Dashboard Probe (CBD) and Plug-n-Play (PNP) features require CA certificates to establish HTTPS communication with the CBD or PNP servers. The Certificate Settings feature allows these applications and device managers to do the following:

  • Install trusted CA certificates and to remove certificates that are no longer wanted.

  • Statically add certificates to the device configuration file.

  • Manage a revocation list of untrusted certificates.

In addition, the Certificate Settings feature can be used to import intermediate certificates that create the device HTTPS server certificate chain. For more details, please see SSL Server Authentication Settings.


Note


The validity of the certificates is based on the system clock. Use the default system clock or it doesn’t provide proper validation. Therefore, make sure that the system clock is based on a device Real-time clock (if supported) or was actively set since the last reboot (preferably via SNTP service). If the system clock isn’t based on RTC or wasn’t set since last reboot validation of the certificate fails, even if the system clock is within the validity date of the certificate.
Dynamic Certificates

The CBD and PNP applications can install dynamic trusted certificates to the device memory. The installed certificate must include the following attributes:

  • Certificate name—A string that is used to identify the certificate.

  • Owner—The application name that installed the certificate (for example, PNP, CBD)

  • The certificate itself in PEM format

An application can also delete a specific or all dynamic certificates installed by that application.

Considerations

  • Up to 512 dynamic certificates can be installed on the device.

  • Dynamic certificates are removed when the device reboots.

Static Certificates

If an application wants to add a certificate that won’t be deleted on reset, or if a user of the switch wants to add a certificate, they can add a static certificate including an intermediate certificate(s) used to sign the device HTTPS server certificate. These certificates are saved in the device running configuration and can be copied to the startup configuration.

Adding a static certificate requires providing the following attributes:

  • Certificate name—This is a string that is used to identify the certificate.

  • Owner—the name of the application that installed the certificate (for example, PNP, CBD), or "static" if the certificate is added by a user.

  • The certificate itself in PEM format.

Considerations

  • Up to 256 static certificates can be installed on the device.

  • It is possible for identical certificates to be added by different applications or users as long as the names used to identify them are different.

CA Certificate Setting

Users can access information on all installed certificates (dynamic and static). The following information is displayed per each certificate:

Procedure


Step 1

Click Security > Certificate Settings > CA Certificate Settings.

Step 2

To import a new certificate, click Add and complete the following:

  • Certificate Name—Enter the name of the certificate.

  • Certificate Type — Select the type of certificate- root (the default) or intermediate (part of device HTTPs server certificate chain).

  • Certificate—Paste the certificate in PEM format (including the begin and end marker lines).

Step 3

Click Apply to apply the new settings.

Step 4

To view the details of an existing certificate, select the certificate from the list and click Details. The following will be displayed:

Option Description

Certificate Name

The name or unique identifier of the certificate.

Type

This can be signer, static or dynamic.

CA Type Can be either Root or Intermediate or N/A (for the signer certificate).

Owner

This can be signer, static, CBD or PNP

Version

The version of the certificate.

Serial Number

The serial number of the certificate.

Status

The status of the certificate.

Valid From

The date and time from which certificate is valid,

Valid To

The date and time until which the certificate is valid.

Issuer

The entity or CA that signed the certificate.

Subject

Distinguished name (DN) information for the certificate.

Public Key Type

The type of the public key.

Public Key Length

The length (in bits) of the public key.

Signature Algorithm

The cryptographic algorithm used by the CA to sign the certificate.

Certificate

The certificate details in PEM format.

Step 5

You can use the following filters to find a specific certificate.

  • Type equals to—Check this box and select Signer, Static, or Dynamic from the drop-down list, to filter by these certificate types.

  • Owner equals to—Paste the certificate in PEM format (including the begin and end marker lines).

Step 6

To remove one or more certificates select the certificate(s) and press Delete. Only Static certificates can be deleted.


CA Certificate Revocation List

If a certificate becomes untrusted for any reason, it can be added to the revocation list by the user or one of the applications. If a certificate is included in the revocation list, it is considered non-valid and the device will not allow it to be used. Adding a certificate to the revocation list will not remove the revoked certificate from the certificate database. It will only update its status to Not Valid (Revoked). When a certificate is removed from the revocation list, its status is automatically updated in the certificate database. There is no need to re-install it.

To add or remove a certificate to/from the revocation list, complete the following:

Procedure


Step 1

Click Security > Certificate Settings > CA Certificate Revocation List.

Step 2

Click Add to open the Add Revoked Certificate dialog box

Step 3

Provide the following details:

  • Issuer—The string identifying the issuer (for example: "C=US, O=MyTrustOrg, CN=MyCommonName") (0-160 chars).

  • Serial Number—The serial number of the revoked certificate. This is a string of hexadecimal pairs (length 2-40).

Step 4

Click Apply to add the certificate.

Considerations

  • Up to 512 certificates can be added to the revocation list.

  • All certificates that match the entry in the revocation list are considered not valid (even if they are identified under different names in the certificate database).

Step 5

To delete an existing certificate, select the certificate from the Revoked CA Certificate Table and click Delete.