Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS


Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX

First Published: July 10, 2013

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883

Text Part Number: OL-29048-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

2013 Cisco Systems, Inc. All rights reserved.


CONTENTS

Preface xxi

    Document Conventions xxi

    Related Documentation xxiii

    Obtaining Documentation and Submitting a Service Request xxiii

Chapter 1 Using the Command-Line Interface 1

    Information About Using the Command-Line Interface 1

    Command Modes 1

    Understanding Abbreviated Commands 3

    No and Default Forms of Commands 3

    CLI Error Messages 4

    Configuration Logging 4

    Using the Help System 4

    How to Use the CLI to Configure Features 6

    Configuring the Command History 6

    Changing the Command History Buffer Size 6

    Recalling Commands 6

    Disabling the Command History Feature 7

    Enabling and Disabling Editing Features 7

    Editing Commands Through Keystrokes 8

    Editing Command Lines That Wrap 9

    Searching and Filtering Output of show and more Commands 10

    Accessing the CLI on a Switch Stack 11

    Accessing the CLI Through a Console Connection or Through Telnet 11

Chapter 2 Security Features Overview 13

    Security Features Overview 13

    Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX OL-29048-01 iii

Chapter 3 Preventing Unauthorized Access 17

    Finding Feature Information 17

    Preventing Unauthorized Access 17

Chapter 4 Controlling Switch Access with Passwords and Privilege Levels 19

    Finding Feature Information 19

    Restrictions for Controlling Switch Access with Passwords and Privileges 19

    Information About Passwords and Privilege Levels 20

    Default Password and Privilege Level Configuration 20

    Additional Password Security 20

    Password Recovery 21

    Terminal Line Telnet Configuration 21

    Username and Password Pairs 21

    Privilege Levels 22

    How to Control Switch Access with Passwords and Privilege Levels 22

    Setting or Changing a Static Enable Password 22

    Protecting Enable and Enable Secret Passwords with Encryption 24

    Disabling Password Recovery 26

    Setting a Telnet Password for a Terminal Line 27

    Configuring Username and Password Pairs 29

    Setting the Privilege Level for a Command 31

    Changing the Default Privilege Level for Lines 33

    Logging into and Exiting a Privilege Level 34

    Monitoring Switch Access 35

    Configuration Examples for Setting Passwords and Privilege Levels 35

    Example: Setting or Changing a Static Enable Password 35

    Example: Protecting Enable and Enable Secret Passwords with Encryption 35

    Example: Setting a Telnet Password for a Terminal Line 36

    Example: Setting the Privilege Level for a Command 36

    Additional References 36

Chapter 5 Configuring TACACS+ 39

    Finding Feature Information 39

    Prerequisites for TACACS+ 39


Information About TACACS+ 41

    TACACS+ and Switch Access 41

    TACACS+ Overview 41

    TACACS+ Operation 43

    Method List 44

    TACACS+ Configuration Options 44

    TACACS+ Login Authentication 44

    TACACS+ Authorization for Privileged EXEC Access and Network Services 44

    TACACS+ Accounting 45

    Default TACACS+ Configuration 45

    How to Configure TACACS+ 45

    Identifying the TACACS+ Server Host and Setting the Authentication Key 45

    Configuring TACACS+ Login Authentication 47

    Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 50

    Starting TACACS+ Accounting 52

    Establishing a Session with a Router if the AAA Server is Unreachable 53

    Monitoring TACACS+ 54

    Additional References 54

    Feature Information for TACACS+ 55

Chapter 6 Configuring RADIUS 57

    Finding Feature Information 57

    Prerequisites for Configuring RADIUS 57

    Restrictions for Configuring RADIUS 58

    Information about RADIUS 59

    RADIUS and Switch Access 59

    RADIUS Overview 59

    RADIUS Operation 60

    RADIUS Change of Authorization 61

    Change-of-Authorization Requests 62

    RFC 5176 Compliance 63

    Preconditions 64

    CoA Request Response Code 64

    Session Identification 64

    CoA ACK Response Code 65


CoA NAK Response Code 65

    CoA Request Commands 65

    Session Reauthentication 66

    Session Reauthentication in a Switch Stack 66

    Session Termination 67

    CoA Disconnect-Request 67

    CoA Request: Disable Host Port 67

    CoA Request: Bounce-Port 68

    Stacking Guidelines for Session Termination 68

    Stacking Guidelines for CoA-Request Bounce-Port 68

    Stacking Guidelines for CoA-Request Disable-Port 69

    Default RADIUS Configuration 69

    RADIUS Server Host 69

    RADIUS Login Authentication 70

    AAA Server Groups 70

    AAA Authorization 71

    RADIUS Accounting 71

    Vendor-Specific RADIUS Attributes 71

    Vendor-Proprietary RADIUS Server Communication 83

    How to Configure RADIUS 83

    Identifying the RADIUS Server Host 83

    Configuring RADIUS Login Authentication 86

    Defining AAA Server Groups 88

    Configuring RADIUS Authorization for User Privileged Access and Network Services 90

    Starting RADIUS Accounting 92

    Establishing a Session with a Router if the AAA Server is Unreachable 93

    Configuring Settings for All RADIUS Servers 93

    Configuring the Switch to Use Vendor-Specific RADIUS Attributes 95

    Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 97

    Configuring CoA on the Switch 98

    Configuring RADIUS Server Load Balancing 101

    Monitoring CoA Functionality 101

    Configuration Examples for Controlling Switch Access with RADIUS 102

    Examples: Identifying the RADIUS Server Host 102

    Example: Using Two Different RADIUS Group Servers 102


Examples: Configuring the Switch to Use Vendor-Specific RADIUS Attributes 103

    Example: Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 103

    Additional References 104

    Feature Information for RADIUS 105

Chapter 7 Configuring Local Authentication and Authorization 107

    Finding Feature Information 107

    How to Configure Local Authentication and Authorization 107

    Configuring the Switch for Local Authentication and Authorization 107

    Monitoring Local Authentication and Authorization 110

    Additional References 110

    Feature Information for Local Authentication and Authorization 111

Chapter 8 Configuring Secure Shell (SSH) 113

    Finding Feature Information 113

    Prerequisites for Configuring Secure Shell 113

    Restrictions for Configuring Secure Shell 114

    Information about SSH 114

    SSH and Switch Access 115

    SSH Servers, Integrated Clients, and Supported Versions 115

    SSH Configuration Guidelines 115

    Secure Copy Protocol Overview 116

    Secure Copy Protocol 116

    How to Configure SSH 117

    Setting Up the Switch to Run SSH 117

    Configuring the SSH Server 118

    Monitoring the SSH Configuration and Status 121

    Additional References 121

    Feature Information for SSH 122

Chapter 9 Configuring Secure Socket Layer HTTP 125

    Finding Feature Information 125

    Information about Secure Sockets Layer (SSL) HTTP 125

    Secure HTTP Servers and Clients Overview 125

    Certificate Authority Trustpoints 126


CipherSuites 127

    Default SSL Configuration 128

    SSL Configuration Guidelines 128

    How to Configure Secure HTTP Servers and Clients 129

    Configuring a CA Trustpoint 129

    Configuring the Secure HTTP Server 131

    Configuring the Secure HTTP Client 134

    Monitoring Secure HTTP Server and Client Status 135

    Additional References 136

    Feature Information for Secure Socket Layer HTTP 137

Chapter 10 Configuring IPv4 ACLs 139

    Finding Feature Information 139

    Prerequisites for Configuring IPv4 Access Control Lists 139

    Restrictions for Configuring IPv4 Access Control Lists 140

    Information about Network Security with ACLs 141

    Cisco TrustSec and ACLs 141

    ACL Overview 141

    Access Control Entries 142

    ACL Supported Types 142

    Supported ACLs 142

    ACL Precedence 142

    Port ACLs 143

    Router ACLs 144

    VLAN Maps 145

    ACEs and Fragmented and Unfragmented Traffic 145

    ACEs and Fragmented and Unfragmented Traffic Examples 146

    ACLs and Switch Stacks 146

    Active Switch and ACL Functions 146

    Stack Member and ACL Functions 147

    Active Switch Failure and ACLs 147

    Standard and Extended IPv4 ACLs 147

    IPv4 ACL Switch Unsupported Features 147

    Access List Numbers 148

    Numbered Standard IPv4 ACLs 149


Numbered Extended IPv4 ACLs 149

    Named IPv4 ACLs 150

    ACL Logging 150

    Smart Logging 151

    Hardware and Software Treatment of IP ACLs 151

    VLAN Map Configuration Guidelines 151

    VLAN Maps with Router ACLs 152

    VLAN Maps and Router ACL Configuration Guidelines 152

    Time Ranges for ACLs 153

    IPv4 ACL Interface Considerations 153

    How to Configure ACLs 154

    Configuring IPv4 ACLs 154

    Creating a Numbered Standard ACL 154

    Creating a Numbered Extended ACL 156

    Creating Named Standard ACLs 160

    Creating Extended Named ACLs 161

    Configuring Time Ranges for ACLs 163

    Applying an IPv4 ACL to a Terminal Line 165

    Applying an IPv4 ACL to an Interface 167

    Creating Named MAC Extended ACLs 168

    Applying a MAC ACL to a Layer 2 Interface 170

    Configuring VLAN Maps 172

    Creating a VLAN Map 174

    Applying a VLAN Map to a VLAN 176

    Configuring VACL Logging 177

    Monitoring IPv4 ACLs 179

    Configuration Examples for ACLs 180

    Examples: Using Time Ranges with ACLs 180

    Examples: Including Comments in ACLs 180

    Examples: Troubleshooting ACLs 181

    IPv4 ACL Configuration Examples 182

    ACLs in a Small Networked Office 182

    Examples: ACLs in a Small Networked Office 183

    Example: Numbered ACLs 183

    Examples: Extended ACLs 183


Examples: Named ACLs 184

    Examples: Time Range Applied to an IP ACL 185

    Examples: Configuring Commented IP ACL Entries 185

    Examples: ACL Logging 186

    Configuration Examples for ACLs and VLAN Maps 187

    Example: Creating an ACL and a VLAN Map to Deny a Packet 187

    Example: Creating an ACL and a VLAN Map to Permit a Packet 187

    Example: Default Action of Dropping IP Packets and Forwarding MAC Packets 187

    Example: Default Action of Dropping MAC Packets and Forwarding IP Packets 188

    Example: Default Action of Dropping All Packets 188

    Configuration Examples for Using VLAN Maps in Your Network 189

    Example: Wiring Closet Configuration 189

    Example: Restricting Access to a Server on Another VLAN 190

    Example: Denying Access to a Server on Another VLAN 190

    Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs 191

    Example: ACLs and Switched Packets 191

    Example: ACLs and Bridged Packets 192

    Example: ACLs and Routed Packets 193

    Example: ACLs and Multicast Packets 193

    Additional References 194

    Feature Information for IPv4 Access Control Lists 195

Chapter 11 Configuring IPv6 ACLs 197

    Finding Feature Information 197

    IPv6 ACLs Overview 197

    Switch Stacks and IPv6 ACLs 198

    Interactions with Other Features and Switches 198

    Restrictions for IPv6 ACLs 199

    Default Configuration for IPv6 ACLs 199

    Configuring IPv6 ACLs 200

    Attaching an IPv6 ACL to an Interface 203

    Monitoring IPv6 ACLs 205

    Additional References 206

Chapter 12 Configuring DHCP 209


Finding Feature Information 209

    Information About DHCP 209

    DHCP Server 209

    DHCP Relay Agent 209

    DHCP Snooping 210

    Option-82 Data Insertion 211

    Cisco IOS DHCP Server Database 214

    DHCP Snooping Binding Database 214

    DHCP Snooping and Switch Stacks 216

    How to Configure DHCP Features 216

    Default DHCP Snooping Configuration 216

    DHCP Snooping Configuration Guidelines 217

    Configuring the DHCP Server 217

    DHCP Server and Switch Stacks 217

    Configuring the DHCP Relay Agent 218

    Specifying the Packet Forwarding Address 219

    Prerequisites for Configuring DHCP Snooping and Option 82 221

    Enabling DHCP Snooping and Option 82 222

    Enabling the Cisco IOS DHCP Server Database 226

    Monitoring DHCP Snooping Information 226

    Configuring DHCP Server Port-Based Address Allocation 226

    Information About Configuring DHCP Server Port-Based Address Allocation 226

    Default Port-Based Address Allocation Configuration 227

    Port-Based Address Allocation Configuration Guidelines 227

    Enabling the DHCP Snooping Binding Database Agent 227

    Enabling DHCP Server Port-Based Address Allocation 229

    Monitoring DHCP Server Port-Based Address Allocation 231

    Additional References 231

    Feature Information for DHCP Snooping and Option 82 232

Chapter 13 Configuring IP Source Guard 235

    Finding Feature Information 235

    Information About IP Source Guard 235

    IP Source Guard 235

    IP Source Guard for Static Hosts 236


IP Source Guard Configuration Guidelines 237

    How to Configure IP Source Guard 238

    Enabling IP Source Guard 238

    Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port 239

    Monitoring IP Source Guard 241

    Additional References 242

Chapter 14 Configuring Dynamic ARP Inspection 243

    Finding Feature Information 243

    Restrictions for Dynamic ARP Inspection 243

    Understanding Dynamic ARP Inspection 245

    Interface Trust States and Network Security 246

    Rate Limiting of ARP Packets 247

    Relative Priority of ARP ACLs and DHCP Snooping Entries 248

    Logging of Dropped Packets 248

    Default Dynamic ARP Inspection Configuration 248

    Relative Priority of ARP ACLs and DHCP Snooping Entries 249

    Configuring ARP ACLs for Non-DHCP Environments 249

    Configuring Dynamic ARP Inspection in DHCP Environments 252

    Limiting the Rate of Incoming ARP Packets 255

    Performing Dynamic ARP Inspection Validation Checks 257

    Monitoring DAI 259

    Verifying the DAI Configuration 260

    Additional References 260

Chapter 15 Configuring IEEE 802.1x Port-Based Authentication 263

    Finding Feature Information 263

    Information About 802.1x Port-Based Authentication 263

    Port-Based Authentication Process 264

    Port-Based Authentication Initiation and Message Exchange 266

    Authentication Manager for Port-Based Authentication 268

    Port-Based Authentication Methods 268

    Per-User ACLs and Filter-Ids 269

    Port-Based Authentication Manager CLI Commands 269

    Ports in Authorized and Unauthorized States 270


Port-Based Authentication and Switch Stacks 271

    802.1x Host Mode 272

    802.1x Multiple Authentication Mode 273

    Multi-auth Per User VLAN assignment 273

    Limitation in Multi-auth Per User VLAN assignment 274

    MAC Move 275

    MAC Replace 275

    802.1x Accounting 276

    802.1x Accounting Attribute-Value Pairs 276

    802.1x Readiness Check 277

    Switch-to-RADIUS-Server Communication 278

    802.1x Authentication with VLAN Assignment 278

    802.1x Authentication with Per-User ACLs 280

    802.1x Authentication with Downloadable ACLs and Redirect URLs 281

    Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL 282

    Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs 282

    VLAN ID-based MAC Authentication 283

    802.1x Authentication with Guest VLAN 283

    802.1x Authentication with Restricted VLAN 284

    802.1x Authentication with Inaccessible Authentication Bypass 285

    Inaccessible Authentication Bypass Support on Multiple-Authentication Ports 285

    Inaccessible Authentication Bypass Authentication Results 286

    Inaccessible Authentication Bypass Feature Interactions 286

    802.1x Critical Voice VLAN 287

    802.1x User Distribution 287

    802.1x User Distribution Configuration Guidelines 288

    IEEE 802.1x Authentication with Voice VLAN Ports 288

    IEEE 802.1x Authentication with Port Security 289

    IEEE 802.1x Authentication with Wake-on-LAN 289

    IEEE 802.1x Authentication with MAC Authentication Bypass 290

    Network Admission Control Layer 2 IEEE 802.1x Validation 291

    Flexible Authentication Ordering 291

    Open1x Authentication 292

    Multidomain Authentication 292

    Limiting Login for Users 294

802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT) 294

    Voice Aware 802.1x Security 295

    Common Session ID 296

    How to Configure 802.1x Port-Based Authentication 296

    Default 802.1x Authentication Configuration 296

    802.1x Authentication Configuration Guidelines 298

    802.1x Authentication 298

VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass 299

    MAC Authentication Bypass 300

    Maximum Number of Allowed Devices Per Port 300

    Configuring 802.1x Readiness Check 300

    Configuring Voice Aware 802.1x Security 302

    Configuring 802.1x Violation Modes 304

    Configuring 802.1x Authentication 306

    Configuring 802.1x Port-Based Authentication 307

    Configuring the Switch-to-RADIUS-Server Communication 309

    Configuring the Host Mode 311

    Configuring Periodic Re-Authentication 312

    Changing the Quiet Period 313

    Changing the Switch-to-Client Retransmission Time 314

    Setting the Switch-to-Client Frame-Retransmission Number 316

    Setting the Re-Authentication Number 317

    Enabling MAC Move 318

    Enabling MAC Replace 319

    Configuring 802.1x Accounting 321

    Configuring a Guest VLAN 323

    Configuring a Restricted VLAN 324

    Configuring Number of Authentication Attempts on a Restricted VLAN 326

    Configuring 802.1x Inaccessible Authentication Bypass with Critical Voice VLAN 328

    Example of Configuring Inaccessible Authentication Bypass 331

    Configuring 802.1x Authentication with WoL 332

    Configuring MAC Authentication Bypass 333

    Formatting a MAC Authentication Bypass Username and Password 334


Configuring 802.1x User Distribution 335

    Example of Configuring VLAN Groups 336

    Configuring NAC Layer 2 802.1x Validation 337

    Configuring Limiting Login for Users 339

    Configuring an Authenticator Switch with NEAT 340

    Configuring a Supplicant Switch with NEAT 342

    Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs 345

    Configuring Downloadable ACLs 345

    Configuring a Downloadable Policy 347

    Configuring VLAN ID-based MAC Authentication 350

    Configuring Flexible Authentication Ordering 350

    Configuring Open1x 352

    Disabling 802.1x Authentication on the Port 354

    Resetting the 802.1x Authentication Configuration to the Default Values 355

    Monitoring 802.1x Statistics and Status 356

    Additional References 357

    Feature Information for 802.1x Port-Based Authentication 358

Chapter 16 Configuring Web-Based Authentication 359

    Finding Feature Information 359

    Web-Based Authentication Overview 359

    Device Roles 360

    Host Detection 361

    Session Creation 361

    Authentication Process 362

    Local Web Authentication Banner 362

    Web Authentication Customizable Web Pages 365

    Guidelines 365

    Authentication Proxy Web Page Guidelines 367

    Redirection URL for Successful Login Guidelines 368

    Web-based Authentication Interactions with Other Features 368

    Port Security 368

    LAN Port IP 368

    Gateway IP 369

    ACLs 369


Context-Based Access Control 369

    EtherChannel 369

    How to Configure Web-Based Authentication 369

    Default Web-Based Authentication Configuration 369

    Web-Based Authentication Configuration Guidelines and Restrictions 370

    Web-Based Authentication Configuration Task List 371

    Configuring the Authentication Rule and Interfaces 371

    Configuring AAA Authentication 373

    Configuring Switch-to-RADIUS-Server Communication 375

    Configuring the HTTP Server 377

    Customizing the Authentication Proxy Web Pages 378

    Specifying a Redirection URL for Successful Login 380

    Configuring the Web-Based Authentication Parameters 381

    Configuring a Web-Based Authentication Local Banner 382

    Configuring Web-Based Authentication without SVI 384

    Configuring Web-Based Authentication with VRF Aware 385

    Removing Web-Based Authentication Cache Entries 387

    Monitoring Web-Based Authentication Status 387

    Feature Information for Web-Based Authentication 388

Chapter 17 Configuring Port-Based Traffic Control 389

    Overview of Port-Based Traffic Control 390

    Finding Feature Information 390

    Information About Storm Control 390

    Storm Control 390

    How Traffic Activity is Measured 391

    Traffic Patterns 391

    How to Configure Storm Control 392

    Configuring Storm Control and Threshold Levels 392

    Configuring Small-Frame Arrival Rate 395

    Finding Feature Information 397

    Information About Protected Ports 397

    Protected Ports 397

    Default Protected Port Configuration 398

    Protected Ports Guidelines 398


How to Configure Protected Ports 398

    Configuring a Protected Port 398

    Monitoring Protected Ports 400

    Where to Go Next 400

    Additional References 400

    Feature Information 401

    Finding Feature Information 401

    Information About Port Blocking 402

    Port Blocking 402

    How to Configure Port Blocking 402

    Blocking Flooded Traffic on an Interface 402

    Monitoring Port Blocking 404

    Where to Go Next 404

    Additional References 404

    Feature Information 405

    Prerequisites for Port Security 406

    Restrictions for Port Security 406

    Information About Port Security 406

    Port Security 406

    Types of Secure MAC Addresses 406

    Sticky Secure MAC Addresses 407

    Security Violations 407

    Port Security Aging 408

    Port Security and Switch Stacks 408

    Default Port Security Configuration 409

    Port Security Configuration Guidelines 409

    Overview of Port-Based Traffic Control 411

    How to Configure Port Security 411

    Enabling and Configuring Port Security 411

    Enabling and Configuring Port Security Aging 415

    Finding Feature Information 417

    Information About Storm Control 418

    Storm Control 418

    How Traffic Activity is Measured 418

    Traffic Patterns 419


How to Configure Storm Control 419

    Configuring Storm Control and Threshold Levels 419

    Configuring Small-Frame Arrival Rate 422

    Finding Feature Information 424

    Information About Protected Ports 424

    Protected Ports 424

    Default Protected Port Configuration 425

    Protected Ports Guidelines 425

    How to Configure Protected Ports 425

    Configuring a Protected Port 425

    Monitoring Protected Ports 427

    Where to Go Next 427

    Additional References 427

    Feature Information 428

    Finding Feature Information 428

    Information About Port Blocking 429

    Port Blocking 429

    How to Configure Port Blocking 429

    Blocking Flooded Traffic on an Interface 429

    Monitoring Port Blocking 431

    Where to Go Next 431

    Additional References 431

    Feature Information 432

    Configuration Examples for Port Security 432

    Additional References 433

    Finding Feature Information 434

    Information About Protocol Storm Protection 434

    Protocol Storm Protection 434

    Default Protocol Storm Protection Configuration 435

    How to Configure Protocol Storm Protection 435

    Enabling Protocol Storm Protection 435

    Monitoring Protocol Storm Protection 436

    Additional References 437

Chapter 18 Configuring IPv6 First Hop Security 439


Finding Feature Information 439

    Prerequisites for First Hop Security in IPv6 439

    Restrictions for First Hop Security in IPv6 440

    Information about First Hop Security in IPv6 440

    How to Configure an IPv6 Snooping Policy 442

    How to Attach an IPv6 Snooping Policy to an Interface 444

    How to Attach an IPv6 Snooping Policy to a Layer 2 EtherChannel Interface 445

    How to Attach an IPv6 Snooping Policy to VLANs Globally 446

    How to Configure the IPv6 Binding Table Content 447

    How to Configure an IPv6 Neighbor Discovery Inspection Policy 449

    How to Attach an IPv6 Neighbor Discovery Inspection Policy to an Interface 451

How to Attach an IPv6 Neighbor Discovery Inspection Policy to a Layer 2 EtherChannel Interface 452

    How to Attach an IPv6 Neighbor Discovery Inspection Policy to VLANs Globally 453

    How to Configure an IPv6 Router Advertisement Guard Policy 454

    How to Attach an IPv6 Router Advertisement Guard Policy to an Interface 456

How to Attach an IPv6 Router Advertisement Guard Policy to a Layer 2 EtherChannel Interface 458

    How to Configure an IPv6 DHCP Guard Policy 459

    How to Attach an IPv6 DHCP Guard Policy to an Interface or a VLAN on an Interface 461

    How to Attach an IPv6 DHCP Guard Policy to a Layer 2 EtherChannel Interface 462

    How to Attach an IPv6 DHCP Guard Policy to VLANs Globally 463

    How to Configure IPv6 Source Guard 464

    How to Attach an IPv6 Source Guard Policy to an Interface 466

    Additional References 467


Preface

    Document Conventions, page xxi

    Related Documentation, page xxiii

    Obtaining Documentation and Submitting a Service Request, page xxiii

Document Conventions

This document uses the following conventions (convention, followed by its description):

^ or Ctrl: Both the ^ symbol and Ctrl represent the Control (Ctrl) key on a keyboard. For example, the key combination ^D or Ctrl-D means that you hold down the Control key while you press the D key. (Keys are indicated in capital letters but are not case sensitive.)

bold font: Commands and keywords and user-entered text appear in bold font.

Italic font: Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.

Courier font: Terminal sessions and information the system displays appear in courier font.

Bold Courier font: Bold Courier font indicates text that the user must enter.

[x]: Elements in square brackets are optional.

...: An ellipsis (three consecutive nonbolded periods without spaces) after a syntax element indicates that the element can be repeated.

|: A vertical line, called a pipe, indicates a choice within a set of keywords or arguments.

[x | y]: Optional alternative keywords are grouped in brackets and separated by vertical bars.

{x | y}: Required alternative keywords are grouped in braces and separated by vertical bars.

[x {y | z}]: Nested sets of square brackets or braces indicate optional or required choices within optional or required elements. Braces and a vertical bar within square brackets indicate a required choice within an optional element.

string: A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.

< >: Nonprinting characters such as passwords are in angle brackets.

[ ]: Default responses to system prompts are in square brackets.

!, #: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

    Reader Alert Conventions

    This document may use the following conventions for reader alerts:

Note
    Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Tip
    Means the following information will help you solve a problem.

Caution
    Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Timesaver
    Means the described action saves time. You can save time by performing the action described in the paragraph.

Warning
    IMPORTANT SAFETY INSTRUCTIONS
    This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071
    SAVE THESE INSTRUCTIONS

Related Documentation

Note: Before installing or upgrading the switch, refer to the switch release notes.

Cisco Validated Designs documents, located at: http://www.cisco.com/go/designzone

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.

CHAPTER 1

Using the Command-Line Interface

    Information About Using the Command-Line Interface, page 1

    How to Use the CLI to Configure Features, page 6

    Information About Using the Command-Line Interface

Command Modes

The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.

You can start a CLI session through a console connection, through Telnet, through SSH, or by using the browser.

When you start a session, you begin in user mode, often called user EXEC mode. Only a limited subset of the commands are available in user EXEC mode. For example, most of the user EXEC commands are one-time commands, such as show commands, which show the current configuration status, and clear commands, which clear counters or interfaces. The user EXEC commands are not saved when the switch reboots.

To have access to all commands, you must enter privileged EXEC mode. Normally, you must enter a password to enter privileged EXEC mode. From this mode, you can enter any privileged EXEC command or enter global configuration mode.

Using the configuration modes (global, interface, and line), you can make changes to the running configuration. If you save the configuration, these commands are stored and used when the switch reboots. To access the various configuration modes, you must start at global configuration mode. From global configuration mode, you can enter interface configuration mode and line configuration mode.

This table describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode.

Table 1: Command Mode Summary

User EXEC
    Access method: Begin a session using Telnet, SSH, or console.
    Prompt: Switch>
    Exit method: Enter logout or quit.
    About this mode: Use this mode to change terminal settings, perform basic tests, and display system information.

Privileged EXEC
    Access method: While in user EXEC mode, enter the enable command.
    Prompt: Switch#
    Exit method: Enter disable to exit.
    About this mode: Use this mode to verify commands that you have entered. Use a password to protect access to this mode.

Global configuration
    Access method: While in privileged EXEC mode, enter the configure command.
    Prompt: Switch(config)#
    Exit method: To exit to privileged EXEC mode, enter exit or end, or press Ctrl-Z.
    About this mode: Use this mode to configure parameters that apply to the entire switch.

VLAN configuration
    Access method: While in global configuration mode, enter the vlan vlan-id command.
    Prompt: Switch(config-vlan)#
    Exit method: To exit to global configuration mode, enter the exit command. To return to privileged EXEC mode, press Ctrl-Z or enter end.
    About this mode: Use this mode to configure VLAN parameters. When VTP mode is transparent, you can create extended-range VLANs (VLAN IDs greater than 1005) and save configurations in the switch startup configuration file.

Interface configuration
    Access method: While in global configuration mode, enter the interface command (with a specific interface).
    Prompt: Switch(config-if)#
    Exit method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
    About this mode: Use this mode to configure parameters for the Ethernet ports.

Line configuration
    Access method: While in global configuration mode, specify a line with the line vty or line console command.
    Prompt: Switch(config-line)#
    Exit method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
    About this mode: Use this mode to configure parameters for the terminal line.

Understanding Abbreviated Commands

You need to enter only enough characters for the switch to recognize the command as unique.

    This example shows how to enter the show configuration privileged EXEC command in an abbreviated form:

    Switch# show conf

No and Default Forms of Commands

Almost every configuration command also has a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface. Use the command without the keyword no to reenable a disabled feature or to enable a feature that is disabled by default.

Configuration commands can also have a default form. The default form of a command returns the command setting to its default. Most commands are disabled by default, so the default form is the same as the no form. However, some commands are enabled by default and have variables set to certain default values. In these cases, the default command enables the command and sets variables to their default values.

CLI Error Messages

This table lists some error messages that you might encounter while using the CLI to configure your switch.

Table 2: Common CLI Error Messages

% Ambiguous command: "show con"
    Meaning: You did not enter enough characters for your switch to recognize the command.
    How to get help: Reenter the command followed by a question mark (?) without any space between the command and the question mark. The possible keywords that you can enter with the command appear.

% Incomplete command.
    Meaning: You did not enter all of the keywords or values required by this command.
    How to get help: Reenter the command followed by a question mark (?) with a space between the command and the question mark. The possible keywords that you can enter with the command appear.

% Invalid input detected at '^' marker.
    Meaning: You entered the command incorrectly. The caret (^) marks the point of the error.
    How to get help: Enter a question mark (?) to display all of the commands that are available in this command mode. The possible keywords that you can enter with the command appear.

Configuration Logging

You can log and view changes to the switch configuration. You can use the Configuration Change Logging and Notification feature to track changes on a per-session and per-user basis. The logger tracks each configuration command that is applied, the user who entered the command, the time that the command was entered, and the parser return code for the command. This feature includes a mechanism for asynchronous notification to registered applications whenever the configuration changes. You can choose to have the notifications sent to the syslog.

Note: Only CLI or HTTP changes are logged.

Using the Help System

You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command.

SUMMARY STEPS

1. help
2. abbreviated-command-entry ?
3. abbreviated-command-entry <Tab>
4. ?
5. command ?
6. command keyword ?

DETAILED STEPS

Step 1  help
    Purpose: Obtains a brief description of the help system in any command mode.
    Example:
    Switch# help

Step 2  abbreviated-command-entry ?
    Purpose: Obtains a list of commands that begin with a particular character string.
    Example:
    Switch# di?
    dir disable disconnect

Step 3  abbreviated-command-entry <Tab>
    Purpose: Completes a partial command name.
    Example:
    Switch# sh conf<Tab>
    Switch# show configuration

Step 4  ?
    Purpose: Lists all commands available for a particular command mode.
    Example:
    Switch> ?

Step 5  command ?
    Purpose: Lists the associated keywords for a command.
    Example:
    Switch> show ?

Step 6  command keyword ?
    Purpose: Lists the associated arguments for a keyword.
    Example:
    Switch(config)# cdp holdtime ?
      Length of time (in sec) that receiver must keep this packet
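The abbreviation rules, the three error messages in Table 2 and the two forms of "?" help above all follow from one unique-prefix lookup. The model below is an added example, not Cisco's code and not the real IOS parser; its command tree is a constructed handful of keywords from this chapter, and the "show con" ambiguity it reproduces is the one Table 2 cites.

```python
"""Added example (not Cisco's code and not the real IOS parser): a small model
of how the IOS CLI resolves abbreviated commands and answers the two forms of
'?' help, over a constructed command tree."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Node:
    """One keyword in the command tree. `runnable` means input may stop here
    and execute; otherwise stopping here yields '% Incomplete command.'."""
    runnable: bool = False
    children: dict[str, Node] = field(default_factory=dict)


# Constructed privileged EXEC command tree: a few keywords from this chapter,
# not the switch's real command set.
PRIV_EXEC = Node(children={
    "dir": Node(runnable=True),
    "disable": Node(runnable=True),
    "disconnect": Node(runnable=True),
    "show": Node(children={
        "configuration": Node(runnable=True),
        "controllers": Node(runnable=True),
        "history": Node(runnable=True),
        "interfaces": Node(runnable=True),
    }),
    "terminal": Node(children={
        "editing": Node(runnable=True),
        "history": Node(runnable=True),
    }),
})


def _match(node: Node, word: str) -> list[str]:
    """Keywords at this level that `word` could abbreviate. An exact keyword
    always wins over longer keywords that share it as a prefix."""
    if word in node.children:
        return [word]
    return [kw for kw in node.children if kw.startswith(word)]


def resolve(line: str, root: Node = PRIV_EXEC) -> str:
    """Expand each word of `line` to its unique keyword.

    Returns the fully spelled-out command, or the IOS-style error text:
    '% Ambiguous command: "..."' when a word matches more than one keyword,
    '% Incomplete command.' when input stops before a runnable node, and the
    echoed line with a caret under the offending word for unknown input."""
    node, expanded, col = root, [], 0
    for word in line.split():
        col = line.index(word, col)          # column of this word, for the ^ marker
        candidates = _match(node, word)
        if not candidates:
            caret = " " * col + "^"
            return f"{line}\n{caret}\n% Invalid input detected at '^' marker."
        if len(candidates) > 1:
            return f'% Ambiguous command: "{line.strip()}"'
        expanded.append(candidates[0])
        node = node.children[candidates[0]]
        col += len(word)
    if not expanded or not node.runnable:
        return "% Incomplete command."
    return " ".join(expanded)


def help_for(line: str, root: Node = PRIV_EXEC) -> list[str]:
    """Answer a line ending in '?'. With no space before the '?' ('di?') the
    last word is a partial keyword and the keywords beginning with it are
    listed; with a space ('show ?') the keywords that may follow are listed.
    If an earlier word is ambiguous or unknown, the error text is returned."""
    body = line.rstrip("?")
    words = body.split()
    partial = "" if body.endswith(" ") or not words else words.pop()
    node = root
    for word in words:
        candidates = _match(node, word)
        if len(candidates) != 1:              # ambiguous or unknown prefix
            return resolve(body, root).splitlines()
        node = node.children[candidates[0]]
    return sorted(kw for kw in node.children if kw.startswith(partial))


if __name__ == "__main__":
    for cmd in ("show conf", "show con", "show", "show foo"):
        print(f"Switch# {cmd}\n{resolve(cmd)}")
    print("Switch# di?\n" + "  ".join(help_for("di?")))
    print("Switch# show ?\n" + "\n".join(help_for("show ?")))
```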


How to Use the CLI to Configure Features

Configuring the Command History

The software provides a history or record of commands that you have entered. The command history feature is particularly useful for recalling long or complex commands or entries, including access lists. You can customize this feature to suit your needs.

Changing the Command History Buffer Size

By default, the switch records ten command lines in its history buffer. You can alter this number for a current terminal session or for all sessions on a particular line. This procedure is optional.

SUMMARY STEPS

1. terminal history [size number-of-lines]

DETAILED STEPS

Step 1  terminal history [size number-of-lines]
    Purpose: Changes the number of command lines that the switch records during the current terminal session in privileged EXEC mode. You can configure the size from 0 to 256.
    Example:
    Switch# terminal history size 200

Recalling Commands

To recall commands from the history buffer, perform one of the actions listed in this table. These actions are optional.

Note: The arrow keys function only on ANSI-compatible terminals such as VT100s.

SUMMARY STEPS

1. Ctrl-P or use the up arrow key
2. Ctrl-N or use the down arrow key
3. show history

DETAILED STEPS

Step 1  Ctrl-P or use the up arrow key
    Purpose: Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.

Step 2  Ctrl-N or use the down arrow key
    Purpose: Returns to more recent commands in the history buffer after recalling commands with Ctrl-P or the up arrow key. Repeat the key sequence to recall successively more recent commands.

Step 3  show history
    Purpose: Lists the last several commands that you just entered in privileged EXEC mode. The number of commands that appear is controlled by the setting of the terminal history global configuration command and the history line configuration command.
    Example:
    Switch# show history

Disabling the Command History Feature

The command history feature is automatically enabled. You can disable it for the current terminal session or for the command line. This procedure is optional.

SUMMARY STEPS

1. terminal no history

DETAILED STEPS

Step 1  terminal no history
    Purpose: Disables the feature during the current terminal session in privileged EXEC mode.
    Example:
    Switch# terminal no history

Enabling and Disabling Editing Features

Although enhanced editing mode is automatically enabled, you can disable it and reenable it.

SUMMARY STEPS

1. terminal editing
2. terminal no editing

DETAILED STEPS

Step 1  terminal editing
    Purpose: Reenables the enhanced editing mode for the current terminal session in privileged EXEC mode.
    Example:
    Switch# terminal editing

Step 2  terminal no editing
    Purpose: Disables the enhanced editing mode for the current terminal session in privileged EXEC mode.
    Example:
    Switch# terminal no editing

Editing Commands Through Keystrokes

The keystrokes help you to edit the command lines. These keystrokes are optional.

Note: The arrow keys function only on ANSI-compatible terminals such as VT100s.

Table 3: Editing Commands

Ctrl-B or use the left arrow key
    Moves the cursor back one character.

Ctrl-F or use the right arrow key
    Moves the cursor forward one character.

Ctrl-A
    Moves the cursor to the beginning of the command line.

Ctrl-E
    Moves the cursor to the end of the command line.

Esc B
    Moves the cursor back one word.

Esc F
    Moves the cursor forward one word.

Ctrl-T
    Transposes the character to the left of the cursor with the character located at the cursor.

Delete or Backspace key
    Erases the character to the left of the cursor.

Ctrl-D
    Deletes the character at the cursor.

Ctrl-K
    Deletes all characters from the cursor to the end of the command line.

Ctrl-U or Ctrl-X
    Deletes all characters from the cursor to the beginning of the command line.

Ctrl-W
    Deletes the word to the left of the cursor.

Esc D
    Deletes from the cursor to the end of the word.

Esc C
    Capitalizes at the cursor.

Esc L
    Changes the word at the cursor to lowercase.

Esc U
    Capitalizes letters from the cursor to the end of the word.

Ctrl-V or Esc Q
    Designates a particular keystroke as an executable command, perhaps as a shortcut.

Return key
    Scrolls down a line or screen on displays that are longer than the terminal screen can display.
    Note: The More prompt is used for any output that has more lines than can be displayed on the terminal screen, including show command output. You can use the Return and Space bar keystrokes whenever you see the More prompt.

Space bar
    Scrolls down one screen.

Ctrl-L or Ctrl-R
    Redisplays the current command line if the switch suddenly sends a message to your screen.

Editing Command Lines That Wrap

You can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command. The keystroke actions are optional.

To scroll back to the beginning of the command entry, press Ctrl-B or the left arrow key repeatedly. You can also press Ctrl-A to immediately move to the beginning of the line.

Note: The arrow keys function only on ANSI-compatible terminals such as VT100s.

The following example shows how to wrap a command line that extends beyond a single line on the screen.

SUMMARY STEPS

1. access-list
2. Ctrl-A
3. Return key

DETAILED STEPS

Step 1  access-list
    Purpose: Displays the global configuration command entry that extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the line, the line is again shifted ten spaces to the left.
    Example:
    Switch(config)# access-list 101 permit tcp 10.15.22.25 255.255.255.0 10.15.22.35
    Switch(config)# $ 101 permit tcp 10.15.22.25 255.255.255.0 10.15.22.35 255.25
    Switch(config)# $t tcp 10.15.22.25 255.255.255.0 131.108.1.20 255.255.255.0 eq
    Switch(config)# $15.22.25 255.255.255.0 10.15.22.35 255.255.255.0 eq 45

Step 2  Ctrl-A
    Purpose: Checks the complete syntax. The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right.
    Example:
    Switch(config)# access-list 101 permit tcp 10.15.22.25 255.255.255.0 10.15.2$

Step 3  Return key
    Purpose: Execute the commands. The software assumes that you have a terminal screen that is 80 columns wide. If you have a different width, use the terminal width privileged EXEC command to set the width of your terminal. Use line wrapping with the command history feature to recall and modify previous complex command entries.

Searching and Filtering Output of show and more Commands

You can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see. Using these commands is optional.

SUMMARY STEPS

1. {show | more} command | {begin | include | exclude} regular-expression

DETAILED STEPS

Step 1  {show | more} command | {begin | include | exclude} regular-expression
    Purpose: Searches and filters the output. Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output appear.
    Example:
    Switch# show interfaces | include protocol
    Vlan1 is up, line protocol is up
    Vlan10 is up, line protocol is down
    GigabitEthernet1/0/1 is up, line protocol is down
    GigabitEthernet1/0/2 is up, line protocol is up
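The filter semantics of this step (begin, include, exclude with a case-sensitive regular expression) modelled as an added example; this is not Cisco's code. The sample show interfaces and running-config output is constructed, the placeholder enable secret hash is not a real value, and splitting the command line at its first pipe so that a later "|" is regex alternation is this example's own assumption.

```python
"""Added example (not Cisco's code): a model of the IOS output filter
    {show | more} command | {begin | include | exclude} regular-expression
run over constructed sample output, showing the three modes and the
case-sensitive matching described in the table above."""
import re


def filter_output(lines, mode, pattern):
    """Apply one IOS-style filter to a list of output lines.

    Matching uses re.search with no flags, so it is case sensitive as on the
    switch: 'exclude output' drops lines containing 'output' but keeps lines
    containing 'Output'.
      begin   - everything from the first matching line to the end
      include - only the lines that match
      exclude - only the lines that do not match
    """
    rx = re.compile(pattern)
    if mode == "begin":
        for i, line in enumerate(lines):
            if rx.search(line):
                return list(lines[i:])
        return []
    if mode == "include":
        return [ln for ln in lines if rx.search(ln)]
    if mode == "exclude":
        return [ln for ln in lines if not rx.search(ln)]
    raise ValueError(f"unknown filter keyword: {mode!r}")


def run_filtered(cmdline, output_by_command):
    """Split 'show interfaces | include protocol' at its FIRST pipe, look up
    the (constructed) output for the show command and filter it. Only the
    first pipe separates the filter; a later '|' belongs to the regular
    expression as alternation (an assumption of this example)."""
    command, sep, rest = cmdline.partition("|")
    lines = output_by_command[command.strip()]
    if not sep:
        return list(lines)
    mode, _, pattern = rest.strip().partition(" ")
    if not pattern.strip():
        raise ValueError("filter needs a regular expression")
    return filter_output(lines, mode, pattern.strip())


# Constructed sample output (not captured from a real switch). The interface
# status lines mirror the 'show interfaces | include protocol' example above;
# the 'Output queue' and 'output errors' lines exist to show why case matters.
SAMPLE_OUTPUT = {
    "show interfaces": """\
Vlan1 is up, line protocol is up
  Output queue: 0/40 (size/max)
  0 output errors, 0 collisions, 0 interface resets
Vlan10 is up, line protocol is down
  Output queue: 0/40 (size/max)
GigabitEthernet1/0/1 is up, line protocol is down
  Total output drops: 0
GigabitEthernet1/0/2 is up, line protocol is up
  Output queue: 0/40 (size/max)
""".splitlines(),
    # Constructed running-config fragment; the secret hash is a placeholder.
    "show running-config": """\
hostname Switch
enable secret 5 <hash-placeholder>
line con 0
 logging synchronous
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
end
""".splitlines(),
}


if __name__ == "__main__":
    for cmdline in (
        "show interfaces | include protocol",
        "show interfaces | exclude output",
        "show running-config | begin line vty",
        "show running-config | include ^line|transport",
    ):
        print(f"Switch# {cmdline}")
        print("\n".join(run_filtered(cmdline, SAMPLE_OUTPUT)))
```

Filtering the running configuration with begin line vty or include ^line|transport is a quick way to see which vty lines still accept Telnet alongside SSH.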

Accessing the CLI on a Switch Stack

You can access the CLI through a console connection, through Telnet, through SSH, or by using the browser.

You manage the switch stack and the stack member interfaces through the . You cannot manage stack members on an individual switch basis. You can connect to the through the console port or the Ethernet management port of one or more stack members. Be careful with using multiple CLI sessions on the . Commands that you enter in one session are not displayed in the other sessions. Therefore, it is possible to lose track of the session from which you entered commands.

Note: We recommend using one CLI session when managing the switch stack.

If you want to configure a specific stack member port, you must include the stack member number in the CLI command interface notation.

Accessing the CLI Through a Console Connection or Through Telnet

Before you can access the CLI, you must connect a terminal or a PC to the switch console or connect a PC to the Ethernet management port and then power on the switch, as described in the hardware installation guide that shipped with your switch.

If your switch is already configured, you can access the CLI through a local console connection or through a remote Telnet session, but your switch must first be configured for this type of access.

You can use one of these methods to establish a connection with the switch:

• Connect the switch console port to a management station or dial-up modem, or connect the Ethernet management port to a PC. For information about connecting to the console or Ethernet management port, see the switch hardware installation guide.

• Use any Telnet TCP/IP or encrypted Secure Shell (SSH) package from a remote management station. The switch must have network connectivity with the Telnet or SSH client, and the switch must have an enable secret password configured.

• The switch supports up to 16 simultaneous Telnet sessions. Changes made by one Telnet user are reflected in all other Telnet sessions.

• The switch supports up to five simultaneous secure SSH sessions.

After you connect through the console port, through the Ethernet management port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station.

CHAPTER 2

Security Features Overview

    Security Features Overview, page 13

    Security Features OverviewThe switch supports a LAN base image or a LAN lite image with a reduced feature set, depending on switchhardware. The security features are as follows:

    IPv6 First Hop SecurityA suite of security features to be applied at the first hop switch to protectagainst vulnerabilities inherent in IPv6 networks. These include, Binding Integrity Guard (BindingTable), Router Advertisement Guard (RA Guard), DHCP Guard, IPv6 Neighbor Discovery Inspection(ND Guard), and IPv6 Source Guard.

    Web AuthenticationAllows a supplicant (client) that does not support IEEE 802.1x functionality tobe authenticated using a web browser.

    To use Web Authentication, the switch must be running the LAN Base image.Note

    Local Web Authentication BannerA custom banner or an image file displayed at a web authenticationlogin screen.

    IEEE 802.1x Authentication with ACLs and the RADIUS Filter-Id Attribute

    To use Web Authentication, the switch must be running the LAN Base image.Note

    Password-protected access (read-only and read-write access) to management interfaces (device manager,Network Assistant, and the CLI) for protection against unauthorized configuration changes

    Multilevel security for a choice of security level, notification, and resulting actions

    Static MAC addressing for ensuring security

    Protected port option for restricting the forwarding of traffic to designated ports on the same switch

    Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX OL-29048-01 13

  • Port security option for limiting and identifying MAC addresses of the stations allowed to access theport

    VLAN aware port security option to shut down the VLAN on the port when a violation occurs,insteadof shutting down the entire port.

    Port security aging to set the aging time for secure addresses on a port.

    Protocol storm protection to control the rate of incoming protocol traffic to a switch by dropping packetsthat exceed a specified ingress rate.

    BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs.

    Standard and extended IP access control lists (ACLs) for defining inbound security policies on Layer 2interfaces (port ACLs).

    Extended MAC access control lists for defining security policies in the inbound direction on Layer 2interfaces.

    Source and destination MAC-based ACLs for filtering non-IP traffic.

    DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers.

    IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP snoopingdatabase and IP source bindings

    Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP requestsand responses to other ports in the same VLAN

    IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining access tothe network. These 802.1x features are supported:

    Multidomain authentication (MDA) to allow both a data device and a voice device, such as an IPphone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled switchport.

    To use MDA, the switch must be running the LAN Base image.Note

    Dynamic voice virtual LAN (VLAN) for MDA to allow a dynamic voice VLAN on anMDA-enabled port.

    VLAN assignment for restricting 802.1x-authenticated users to a specified VLAN.

    Support for VLAN assignment on a port configured for multi-auth mode. The RADIUS serverassigns a VLAN to the first host to authenticate on the port, and subsequent hosts use the sameVLAN. Voice VLAN assignment is supported for one IP phone.

    To use this feature, the switch must be running the LAN Base image. Multi-auth hostmode is not supported in LAN Lite image.

    Note

    Port security for controlling access to 802.1x ports.

    Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorizedor unauthorized state of the port.

    Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX14 OL-29048-01

    Security Features OverviewSecurity Features Overview

  • IP phone detection enhancement to detect and recognize a Cisco IP phone.

    Guest VLAN to provide limited services to non-802.1x-compliant users.

    Restricted VLAN to provide limited services to users who are 802.1x compliant, but do not havethe credentials to authenticate via the standard 802.1x processes.

    To use authentication with restricted VLANs, the switch must be running the LANBaseimage.

    Note

    802.1x accounting to track network usage.

    802.1x with wake-on-LAN to allow dormant PCs to be powered on based on the receipt of a specificEthernet frame.

    802.1x readiness check to determine the readiness of connected end hosts before configuring IEEE802.1x on the switch.

    To use 802.1x readiness check, the switch must be running the LAN Base image.Note

    Voice aware 802.1x security to apply traffic violation actions only on the VLAN onwhich a securityviolation occurs.

    To use voice aware 802.1x authentication, the switch must be running the LAN Baseimage.

    Note

    MAC authentication bypass (MAB) to authorize clients based on the client MAC address.

    To use MAC authentication bypass, the switch must be running the LAN Base image.Note

    Network Admission Control (NAC) Layer 2 802.1x validation of the antivirus condition or postureof endpoint systems or clients before granting the devices network access.

    To use NAC, the switch must be running the LAN Base image.Note

    Network Edge Access Topology (NEAT) with 802.1X switch supplicant, host authorization withCISP, and auto enablement to authenticate a switch outside a wiring closet as a supplicant to anotherswitch.

    IEEE 802.1x with open access to allow a host to access the network before being authenticated.

    IEEE 802.1x authentication with downloadable ACLs and redirect URLs to allow per-user ACLdownloads from a Cisco Secure ACS server to an authenticated switch.

    Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX OL-29048-01 15

    Security Features OverviewSecurity Features Overview

  • Support for dynamic creation or attachment of an auth-default ACL on a port that has no configuredstatic ACLs.

    To use this feature, the switch must be running the LAN Base image.Note

    Flexible-authentication sequencing to configure the order of the authentication methods that a porttries when authenticating a new host.

Multiple-user authentication to allow more than one host to authenticate on an 802.1x-enabled port.

TACACS+, a proprietary feature for managing network security through a TACACS server for both IPv4 and IPv6.

RADIUS for verifying the identity of, granting access to, and tracking the actions of remote users through authentication, authorization, and accounting (AAA) services for both IPv4 and IPv6.

Enhancements to RADIUS, TACACS+, and SSH to function over IPv6.

Secure Socket Layer (SSL) Version 3.0 support for the HTTP 1.1 server authentication, encryption, and message integrity and HTTP client authentication to allow secure HTTP communications (requires the cryptographic version of the software).

IEEE 802.1x Authentication with ACLs and the RADIUS Filter-Id Attribute.

Support for IP source guard on static hosts.

RADIUS Change of Authorization (CoA) to change the attributes of a certain session after it is authenticated. When there is a change in policy for a user or user group in AAA, administrators can send the RADIUS CoA packets from the AAA server, such as Cisco Identity Services Engine, or Cisco Secure ACS to reinitialize authentication, and apply the new policies.

IEEE 802.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to improve scalability of the network by load balancing users across different VLANs. Authorized users are assigned to the least populated VLAN in the group, assigned by RADIUS server.

Support for critical VLAN with multiple-host authentication so that when a port is configured for multi-auth, and an AAA server becomes unreachable, the port is placed in a critical VLAN in order to still permit access to critical resources.

Support for Network Edge Access Topology (NEAT) to change the port host mode and to apply a standard port configuration on the authenticator switch port.

VLAN-ID based MAC authentication to use the combined VLAN and MAC address information for user authentication to prevent network access from unauthorized VLANs.

MAC move to allow hosts (including the hosts connected behind an IP phone) to move across ports within the same switch without any restrictions to enable mobility. With MAC move, the switch treats the reappearance of the same MAC address on another port in the same way as a completely new MAC address.

Support for 3DES and AES with version 3 of the Simple Network Management Protocol (SNMPv3). This release adds support for the 168-bit Triple Data Encryption Standard (3DES) and the 128-bit, 192-bit, and 256-bit Advanced Encryption Standard (AES) encryption algorithms to SNMPv3.

Support for Cisco TrustSec SXP protocol in LAN Base image only.

    Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX16 OL-29048-01


CHAPTER 3: Preventing Unauthorized Access

    Finding Feature Information, page 17

    Preventing Unauthorized Access, page 17

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Preventing Unauthorized Access

You can prevent unauthorized users from reconfiguring your switch and viewing configuration information. Typically, you want network administrators to have access to your switch while you restrict access to users who dial from outside the network through an asynchronous port, connect from outside the network through a serial port, or connect through a terminal or workstation from within the local network.

    To prevent unauthorized access into your switch, you should configure one or more of these security features:

At a minimum, you should configure passwords and privileges at each switch port. These passwords are locally stored on the switch. When users attempt to access the switch through a port or line, they must enter the password specified for the port or line before they can access the switch.

For an additional layer of security, you can also configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.

If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if necessary, authorization) information.

You can also enable the login enhancements feature, which logs both failed and unsuccessful login attempts. Login enhancements can also be configured to block future login attempts after a set number of unsuccessful attempts are made. For more information, see the Cisco IOS Login Enhancements documentation.

    Related Topics

Configuring Username and Password Pairs, on page 29
TACACS+ and Switch Access, on page 41
Setting a Telnet Password for a Terminal Line, on page 27

CHAPTER 4: Controlling Switch Access with Passwords and Privilege Levels

    Finding Feature Information, page 19

    Restrictions for Controlling Switch Access with Passwords and Privileges, page 19

    Information About Passwords and Privilege Levels, page 20

    How to Control Switch Access with Passwords and Privilege Levels, page 22

    Monitoring Switch Access, page 35

    Configuration Examples for Setting Passwords and Privilege Levels, page 35

    Additional References, page 36

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Controlling Switch Access with Passwords and Privileges

The following are the restrictions for controlling switch access with passwords and privileges:

Disabling password recovery will not work if you have set the switch to boot up manually by using the boot manual global configuration command. This command produces the boot loader prompt (switch:) after the switch is power cycled.

Related Topics

Disabling Password Recovery, on page 26
Password Recovery, on page 21

    Information About Passwords and Privilege Levels

Default Password and Privilege Level Configuration

A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.

    This table shows the default password and privilege level configuration.

Table 4: Default Password and Privilege Levels

Feature: Enable password and privilege level
Default Setting: No password is defined. The default is level 15 (privileged EXEC level). The password is not encrypted in the configuration file.

Feature: Enable secret password and privilege level
Default Setting: No password is defined. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file.

Feature: Line password
Default Setting: No password is defined.

Additional Password Security

To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands. Both commands accomplish the same thing; that is, you can establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify.

We recommend that you use the enable secret command because it uses an improved encryption algorithm.

If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.

If you enable password encryption, it applies to all passwords including username passwords, authentication key passwords, the privileged command password, and console and virtual terminal line passwords.

    Related Topics

Protecting Enable and Enable Secret Passwords with Encryption, on page 24
Example: Protecting Enable and Enable Secret Passwords with Encryption, on page 35

Password Recovery

By default, any end user with physical access to the switch can recover from a lost password by interrupting the boot process while the switch is powering on and then by entering a new password.

The password-recovery disable feature protects access to the switch password by disabling part of this functionality. When this feature is enabled, the end user can interrupt the boot process only by agreeing to set the system back to the default configuration. With password recovery disabled, you can still interrupt the boot process and change the password, but the configuration file (config.text) and the VLAN database file (vlan.dat) are deleted.

If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the Xmodem protocol.

    To re-enable password recovery, use the service password-recovery global configuration command.

    Related Topics

Disabling Password Recovery, on page 26
Restrictions for Controlling Switch Access with Passwords and Privileges, on page 19

Terminal Line Telnet Configuration

When you power-up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password. If you did not configure this password during the setup program, you can configure it when you set a Telnet password for a terminal line.

Related Topics

Setting a Telnet Password for a Terminal Line, on page 27
Example: Setting a Telnet Password for a Terminal Line, on page 36

Username and Password Pairs

You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.

    Related Topics

    Configuring Username and Password Pairs, on page 29

Privilege Levels

Cisco switches (and other devices) use privilege levels to provide password security for different levels of switch operation. By default, the Cisco IOS software operates in two modes (privilege levels) of password security: user EXEC (Level 1) and privileged EXEC (Level 15). You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.

Privilege Levels on Lines

Users can override the privilege level you set using the privilege level line configuration command by logging in to the line and enabling a different privilege level. They can lower the privilege level by using the disable command. If users know the password to a higher privilege level, they can use that password to enable the higher privilege level. You might specify a high level or privilege level for your console line to restrict line usage.

For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.

Command Privilege Levels

When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.

    Related Topics

Setting the Privilege Level for a Command, on page 31
Example: Setting the Privilege Level for a Command, on page 36
Changing the Default Privilege Level for Lines, on page 33
Logging into and Exiting a Privilege Level, on page 34

How to Control Switch Access with Passwords and Privilege Levels

Setting or Changing a Static Enable Password

The enable password controls access to the privileged EXEC mode. Follow these steps to set or change a static enable password:

SUMMARY STEPS

1. enable
2. configure terminal
3. enable password password
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable

Step 2: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 3: enable password password
Purpose: Defines a new password or changes an existing password for access to privileged EXEC mode.
By default, no password is defined.
For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. It can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-v when you create the password; for example, to create the password abc?123, do this:
1. Enter abc.
2. Enter Ctrl-v.
3. Enter ?123.
When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.
Example:
Switch(config)# enable password secret321

Step 4: end
Purpose: Returns to privileged EXEC mode.
Example:
Switch(config)# end

Step 5: show running-config
Purpose: Verifies your entries.
Example:
Switch# show running-config

Step 6: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config startup-config

    Related Topics

    Example: Setting or Changing a Static Enable Password, on page 35

Protecting Enable and Enable Secret Passwords with Encryption

Follow these steps to establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify:

SUMMARY STEPS

1. enable
2. configure terminal
3. Use one of the following:
   enable password [level level] {password | encryption-type encrypted-password}
   enable secret [level level] {password | encryption-type encrypted-password}
4. service password-encryption
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable

Step 2: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 3: Use one of the following:
enable password [level level] {password | encryption-type encrypted-password}
or
enable secret [level level] {password | encryption-type encrypted-password}
Purpose: enable password defines a new password or changes an existing password for access to privileged EXEC mode. enable secret defines a secret password, which is saved using a nonreversible encryption method.
(Optional) For level, the range is from 0 to 15. Level 1 is normal user EXEC mode privileges. The default level is 15 (privileged EXEC mode privileges).
For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
(Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password, that is, an encrypted password that you copy from another switch configuration.
Note: If you specify an encryption type and then enter a clear text password, you cannot re-enter privileged EXEC mode. You cannot recover a lost encrypted password by any method.
Example:
Switch(config)# enable password example102
or
Switch(config)# enable secret level 1 password secret123sample

Step 4: service password-encryption
Purpose: (Optional) Encrypts the password when the password is defined or when the configuration is written. Encryption prevents the password from being readable in the configuration file.
Example:
Switch(config)# service password-encryption

Step 5: end
Purpose: Returns to privileged EXEC mode.
Example:
Switch(config)# end

Step 6: show running-config
Purpose: Verifies your entries.
Example:
Switch# show running-config

Step 7: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config startup-config

    Related Topics

    Additional Password Security, on page 20

    Example: Protecting Enable and Enable Secret Passwords with Encryption, on page 35

Disabling Password Recovery

Follow these steps to disable password recovery to protect the security of your switch:

Before You Begin

If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the Xmodem protocol.

SUMMARY STEPS

1. enable
2. configure terminal
3. system disable password recovery switch {all | }
4. end

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable

Step 2: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 3: system disable password recovery switch {all | }
Purpose: Disables password recovery.
all - Sets the configuration on switches in stack.
 - Sets the configuration on the Switch Number selected.
This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
Example:
Switch(config)# system disable password recovery switch all

Step 4: end
Purpose: Returns to privileged EXEC mode.
Example:
Switch(config)# end

    What to Do Next

To remove the disable-password-recovery setting, use the no system disable password recovery switch all global configuration command.

    Related Topics

    Password Recovery, on page 21

    Restrictions for Controlling Switch Access with Passwords and Privileges, on page 19

Setting a Telnet Password for a Terminal Line

Beginning in user EXEC mode, follow these steps to set a Telnet password for the connected terminal line:

Before You Begin

Attach a PC or workstation with emulation software to the switch console port, or attach a PC to the Ethernet management port.

The default data characteristics of the console port are 9600, 8, 1, no parity. You might need to press the Return key several times to see the command-line prompt.

SUMMARY STEPS

1. enable
2. configure terminal
3. line vty 0 15
4. password password
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enters privileged EXEC mode.
Note: If a password is required for access to privileged EXEC mode, you will be prompted for it.
Example:
Switch> enable

Step 2: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 3: line vty 0 15
Purpose: Configures the number of Telnet sessions (lines), and enters line configuration mode.
There are 16 possible sessions on a command-capable Switch. The 0 and 15 mean that you are configuring all 16 possible Telnet sessions.
Example:
Switch(config)# line vty 0 15

Step 4: password password
Purpose: Sets a Telnet password for the line or lines.
For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
Example:
Switch(config-line)# password abcxyz543

Step 5: end
Purpose: Returns to privileged EXEC mode.
Example:
Switch(config-line)# end

Step 6: show running-config
Purpose: Verifies your entries.
Example:
Switch# show running-config

Step 7: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config startup-config

    Related Topics

Preventing Unauthorized Access, on page 17
Terminal Line Telnet Configuration, on page 21

    Example: Setting a Telnet Password for a Terminal Line, on page 36
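The controls described in Additional Password Security, in the enable password / enable secret procedure, and in the Telnet line password procedure above can be checked against a saved running-config. The following Python script is an added example, not code from Cisco or from this guide. It parses two constructed sample configurations (the type 5 hash and type 7 strings in the hardened one are placeholders, not real values) and reports each place where the chapter's recommendations are not met: no enable secret, service password-encryption off, clear-text username passwords, and terminal lines that cannot authenticate a session.

```python
"""Audit a Cisco IOS running-config against this chapter's password controls:
enable secret rather than enable password, service password-encryption on,
and a password (or login local) on every terminal line.
Added example, not Cisco's code; both configs below are constructed samples
and the hash / type-7 strings in the hardened one are placeholders."""
import re
from typing import Dict, List

# Constructed sample showing the weak settings the chapter warns about.
WEAK_CONFIG = """\
hostname Switch
enable password secret321
username admin privilege 15 password 0 letmein
line con 0
 password abcxyz543
 login
line vty 0 4
 login
line vty 5 15
 password 0 abcxyz543
 login local
"""

# Constructed sample: the same switch after applying the chapter's procedures.
HARDENED_CONFIG = """\
hostname Switch
service password-encryption
enable secret 5 $1$PLACEHOLDER$hash
username admin privilege 15 secret 5 $1$PLACEHOLDER$hash
line con 0
 password 7 PLACEHOLDER
 login
line vty 0 15
 password 7 PLACEHOLDER
 login local
"""


def parse_config(config: str) -> Dict[str, List[str]]:
    """Split a running-config into global commands and 'line ...' blocks.
    Returns {"global": [...], "line con 0": [...], ...}, commands unindented.
    Indented commands under other blocks (interfaces etc.) are ignored."""
    blocks: Dict[str, List[str]] = {"global": []}
    current = "global"
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank or comment line
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" "):
            if current != "global":
                blocks[current].append(raw.strip())
        else:
            current = "global"
            blocks["global"].append(raw.strip())
    return blocks


def audit(config: str) -> List[str]:
    """Return one finding per weakness; an empty list means all checks pass."""
    blocks = parse_config(config)
    glob = blocks["global"]
    findings: List[str] = []

    has_secret = any(c.startswith("enable secret") for c in glob)
    has_enable_pw = any(c.startswith("enable password") for c in glob)
    if not has_secret and has_enable_pw:
        findings.append("no 'enable secret'; privileged EXEC relies on the weaker 'enable password'")
    elif not has_secret:
        findings.append("no 'enable secret'; privileged EXEC has no password")
    elif has_enable_pw:
        findings.append("'enable password' is stored beside 'enable secret'; it is not in effect, remove it")

    if "service password-encryption" not in glob:
        findings.append("'service password-encryption' is off; line and username passwords are stored in clear text")

    # 'username NAME ... password [TYPE] PW': no type, or type 0, is clear text.
    for cmd in glob:
        m = re.match(r"username (\S+) .*?password (?:(\d+) )?(\S+)$", cmd)
        if m and m.group(2) in (None, "0"):
            findings.append(f"username '{m.group(1)}' has a clear-text password")

    for name, cmds in blocks.items():
        if name == "global":
            continue
        has_pw = any(c.startswith("password ") for c in cmds)
        if "no login" in cmds:
            findings.append(f"{name}: 'no login', sessions on this line are not authenticated")
        elif "login" in cmds and not has_pw:
            findings.append(f"{name}: 'login' without a line password, logins are refused until one is set")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

Running the script reports four findings for the weak sample and none for the hardened one. The same audit can be pointed at the output of show running-config collected from a real switch; the checks only look at the enable, service password-encryption, username and line stanzas, so other parts of the configuration are left untouched.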

Configuring Username and Password Pairs

Follow these steps to configure username and password pairs:

SUMMARY STEPS

1. enable
2. configure terminal
3. username name [privilege level] {password encryption-type password}
4. Use one of the following:
   line console 0
   line vty 0 15
5. login local
6. end
7. show running-config
8. copy running-config startup-config