Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches)

    First Published: --

    Last Modified: --

    Americas Headquarters
    Cisco Systems, Inc.
    170 West Tasman Drive
    San Jose, CA 95134-1706
    USA
    http://www.cisco.com
    Tel: 408 526-4000, 800 553-NETS (6387)
    Fax: 408 527-0883

    Text Part Number: OL-32606-01

    2014 Cisco Systems, Inc. All rights reserved.

    Contents

    Preface xxiii

    Audience xxiii

    Document Organization xxiii

    Document Conventions xxv

    Related Documentation xxvi

    Changes to This Document xxvi

    Obtaining Documentation and Submitting a Service Request xxvii

    Chapter 1  Using the Command-Line Interface 1

    Information About Using the Command-Line Interface 1

    Command Modes 1

    Understanding Abbreviated Commands 3

    No and Default Forms of Commands 3

    CLI Error Messages 4

    Configuration Logging 4

    Using the Help System 4

    How to Use the CLI to Configure Features 6

    Configuring the Command History 6

    Changing the Command History Buffer Size 6

    Recalling Commands 6

    Disabling the Command History Feature 7

    Enabling and Disabling Editing Features 7

    Editing Commands Through Keystrokes 8

    Editing Command Lines That Wrap 9

    Searching and Filtering Output of show and more Commands 10

    Accessing the CLI on a Switch Stack 11

    Accessing the CLI Through a Console Connection or Through Telnet 11

    Security Configuration Guide, Cisco IOS XE Release 3.6E (Catalyst 3850 Switches) OL-32606-01 iii

    Chapter 2  Preventing Unauthorized Access 13

    Finding Feature Information 13

    Preventing Unauthorized Access 13

    Chapter 3  Preventing Unauthorized Access 15

    Finding Feature Information 15

    Preventing Unauthorized Access 15

    Chapter 4  Controlling Switch Access with Passwords and Privilege Levels 17

    Finding Feature Information 17

    Restrictions for Controlling Switch Access with Passwords and Privileges 17

    Information About Passwords and Privilege Levels 18

    Default Password and Privilege Level Configuration 18

    Additional Password Security 18

    Password Recovery 19

    Terminal Line Telnet Configuration 19

    Username and Password Pairs 19

    Privilege Levels 20

    How to Control Switch Access with Passwords and Privilege Levels 20

    Setting or Changing a Static Enable Password 20

    Protecting Enable and Enable Secret Passwords with Encryption 22

    Disabling Password Recovery 24

    Setting a Telnet Password for a Terminal Line 25

    Configuring Username and Password Pairs 27

    Setting the Privilege Level for a Command 29

    Changing the Default Privilege Level for Lines 31

    Logging into and Exiting a Privilege Level 32

    Monitoring Switch Access 33

    Configuration Examples for Setting Passwords and Privilege Levels 33

    Example: Setting or Changing a Static Enable Password 33

    Example: Protecting Enable and Enable Secret Passwords with Encryption 33

    Example: Setting a Telnet Password for a Terminal Line 34

    Example: Setting the Privilege Level for a Command 34

    Additional References 34

    Chapter 5  Configuring TACACS+ 37

    Finding Feature Information 37

    Prerequisites for TACACS+ 37

    Information About TACACS+ 39

    TACACS+ and Switch Access 39

    TACACS+ Overview 39

    TACACS+ Operation 41

    Method List 42

    TACACS+ Configuration Options 42

    TACACS+ Login Authentication 42

    TACACS+ Authorization for Privileged EXEC Access and Network Services 42

    TACACS+ Accounting 43

    Default TACACS+ Configuration 43

    How to Configure Switch Access with TACACS+ 43

    Identifying the TACACS+ Server Host and Setting the Authentication Key 43

    Configuring TACACS+ Login Authentication 45

    Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 48

    Starting TACACS+ Accounting 50

    Establishing a Session with a Router if the AAA Server is Unreachable 51

    Monitoring TACACS+ 52

    Additional References for Configuring Secure Shell 52

    Feature Information for TACACS+ 53

    Chapter 6  Configuring RADIUS 55

    Finding Feature Information 55

    Prerequisites for Configuring RADIUS 55

    Restrictions for Configuring RADIUS 56

    Information about RADIUS 57

    RADIUS and Switch Access 57

    RADIUS Overview 57

    RADIUS Operation 58

    RADIUS Change of Authorization 59

    Change-of-Authorization Requests 60

    RFC 5176 Compliance 61

    Preconditions 62

    CoA Request Response Code 62

    Session Identification 62

    CoA ACK Response Code 63

    CoA NAK Response Code 63

    CoA Request Commands 63

    Session Reauthentication 64

    Session Reauthentication in a Switch Stack 64

    Session Termination 65

    CoA Disconnect-Request 65

    CoA Request: Disable Host Port 65

    CoA Request: Bounce-Port 66

    Stacking Guidelines for Session Termination 66

    Stacking Guidelines for CoA-Request Bounce-Port 66

    Stacking Guidelines for CoA-Request Disable-Port 67

    Default RADIUS Configuration 67

    RADIUS Server Host 67

    RADIUS Login Authentication 68

    AAA Server Groups 68

    AAA Authorization 69

    RADIUS Accounting 69

    Vendor-Specific RADIUS Attributes 69

    Vendor-Proprietary RADIUS Server Communication 81

    How to Configure RADIUS 81

    Identifying the RADIUS Server Host 81

    Configuring RADIUS Login Authentication 84

    Defining AAA Server Groups 86

    Configuring RADIUS Authorization for User Privileged Access and Network Services 88

    Starting RADIUS Accounting 90

    Establishing a Session with a Router if the AAA Server is Unreachable 92

    Configuring Settings for All RADIUS Servers 92

    Configuring the Switch to Use Vendor-Specific RADIUS Attributes 93

    Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 95

    Configuring CoA on the Switch 96

    Configuring RADIUS Server Load Balancing 99

    Monitoring CoA Functionality 99

    Configuration Examples for Controlling Switch Access with RADIUS 100

    Examples: Identifying the RADIUS Server Host 100

    Example: Using Two Different RADIUS Group Servers 100

    Examples: Configuring the Switch to Use Vendor-Specific RADIUS Attributes 101

    Example: Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 101

    Additional References for Configuring Secure Shell 101

    Feature Information for RADIUS 103

    Chapter 7  Configuring Kerberos 105

    Finding Feature Information 105

    Prerequisites for Controlling Switch Access with Kerberos 105

    Restrictions for Controlling Switch Access with Kerberos 106

    Information about Kerberos 106

    Kerberos and Switch Access 106

    Kerberos Overview 106

    Kerberos Operation 109

    Authenticating to a Boundary Switch 109

    Obtaining a TGT from a KDC 110

    Authenticating to Network Services 110

    How to Configure Kerberos 110

    Monitoring the Kerberos Configuration 110

    Additional References 111

    Feature Information for Kerberos 112

    Chapter 8  Configuring Local Authentication and Authorization 113

    Finding Feature Information 113

    How to Configure Local Authentication and Authorization 113

    Configuring the Switch for Local Authentication and Authorization 113

    Monitoring Local Authentication and Authorization 116

    Additional References 116

    Feature Information for Local Authentication and Authorization 117

    Chapter 9  Configuring Secure Shell (SSH) 119

    Finding Feature Information 119

    Prerequisites for Configuring Secure Shell 119

    Restrictions for Configuring Secure Shell 120

    Information About Configuring Secure Shell 120

    SSH and Switch Access 121

    SSH Servers, Integrated Clients, and Supported Versions 121

    SSH Configuration Guidelines 121

    Secure Copy Protocol Overview 122

    Secure Copy Protocol 122

    How to Configure SSH 123

    Setting Up the Switch to Run SSH 123

    Configuring the SSH Server 124

    Monitoring the SSH Configuration and Status 127

    Additional References for Configuring Secure Shell 127

    Feature Information for Configuring Secure Shell 128

    Chapter 10  Configuring Secure Socket Layer HTTP 129

    Finding Feature Information 129

    Information about Secure Sockets Layer (SSL) HTTP 129

    Secure HTTP Servers and Clients Overview 129

    Certificate Authority Trustpoints 130

    CipherSuites 131

    Default SSL Configuration 132

    SSL Configuration Guidelines 133

    How to Configure Secure HTTP Servers and Clients 133

    Configuring a CA Trustpoint 133

    Configuring the Secure HTTP Server 135

    Configuring the Secure HTTP Client 139

    Monitoring Secure HTTP Server and Client Status 140

    Additional References for Configuring Secure Shell 141

    Feature Information for Secure Socket Layer HTTP 142

    Chapter 11  Configuring IPv4 ACLs 143

    Finding Feature Information 143

    Prerequisites for Configuring IPv4 Access Control Lists 143

    Restrictions for Configuring IPv4 Access Control Lists 144

    Information about Network Security with ACLs 145

    Cisco TrustSec and ACLs 145

    ACL Overview 145

    Access Control Entries 146

    ACL Supported Types 146

    Supported ACLs 146

    ACL Precedence 146

    Port ACLs 147

    Router ACLs 148

    VLAN Maps 149

    ACEs and Fragmented and Unfragmented Traffic 149

    ACEs and Fragmented and Unfragmented Traffic Examples 150

    ACLs and Switch Stacks 150

    Active Switch and ACL Functions 151

    Stack Member and ACL Functions 151

    Active Switch Failure and ACLs 151

    Standard and Extended IPv4 ACLs 151

    IPv4 ACL Switch Unsupported Features 151

    Access List Numbers 152

    Numbered Standard IPv4 ACLs 153

    Numbered Extended IPv4 ACLs 153

    Named IPv4 ACLs 154

    ACL Logging 154

    Smart Logging 155

    Hardware and Software Treatment of IP ACLs 155

    VLAN Map Configuration Guidelines 155

    VLAN Maps with Router ACLs 156

    VLAN Maps and Router ACL Configuration Guidelines 156

    Time Ranges for ACLs 157

    IPv4 ACL Interface Considerations 158

    How to Configure ACLs 158

    Configuring IPv4 ACLs 158

    Creating a Numbered Standard ACL 159

    Creating a Numbered Extended ACL 160

    Creating Named Standard ACLs 164

    Creating Extended Named ACLs 165

    Configuring Time Ranges for ACLs 167

    Applying an IPv4 ACL to a Terminal Line 169

    Applying an IPv4 ACL to an Interface 171

    Creating Named MAC Extended ACLs 172

    Applying a MAC ACL to a Layer 2 Interface 174

    Configuring VLAN Maps 176

    Creating a VLAN Map 178

    Applying a VLAN Map to a VLAN 180

    Configuring VACL Logging 181

    Monitoring IPv4 ACLs 183

    Configuration Examples for ACLs 184

    Examples: Using Time Ranges with ACLs 184

    Examples: Including Comments in ACLs 184

    Examples: Troubleshooting ACLs 185

    IPv4 ACL Configuration Examples 186

    ACLs in a Small Networked Office 186

    Examples: ACLs in a Small Networked Office 187

    Example: Numbered ACLs 187

    Examples: Extended ACLs 187

    Examples: Named ACLs 188

    Examples: Time Range Applied to an IP ACL 189

    Examples: Configuring Commented IP ACL Entries 189

    Examples: ACL Logging 190

    Configuration Examples for ACLs and VLAN Maps 191

    Example: Creating an ACL and a VLAN Map to Deny a Packet 191

    Example: Creating an ACL and a VLAN Map to Permit a Packet 191

    Example: Default Action of Dropping IP Packets and Forwarding MAC Packets 191

    Example: Default Action of Dropping MAC Packets and Forwarding IP Packets 192

    Example: Default Action of Dropping All Packets 192

    Configuration Examples for Using VLAN Maps in Your Network 193

    Example: Wiring Closet Configuration 193

    Example: Restricting Access to a Server on Another VLAN 194

    Example: Denying Access to a Server on Another VLAN 195

    Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs 195

    Example: ACLs and Switched Packets 195

    Example: ACLs and Bridged Packets 196

    Example: ACLs and Routed Packets 197

    Example: ACLs and Multicast Packets 197

    Additional References 198

    Feature Information for IPv4 Access Control Lists 199

    Chapter 12  Configuring IPv6 ACLs 201

    Finding Feature Information 201

    IPv6 ACLs Overview 201

    Switch Stacks and IPv6 ACLs 202

    Interactions with Other Features and Switches 202

    Restrictions for IPv6 ACLs 203

    Default Configuration for IPv6 ACLs 203

    Configuring IPv6 ACLs 203

    Attaching an IPv6 ACL to an Interface 207

    Monitoring IPv6 ACLs 209

    Additional References 210

    Chapter 13  Configuring DHCP 213

    Finding Feature Information 213

    Information About DHCP 213

    DHCP Server 213

    DHCP Relay Agent 213

    DHCP Snooping 214

    Option-82 Data Insertion 215

    Cisco IOS DHCP Server Database 218

    DHCP Snooping Binding Database 218

    DHCP Snooping and Switch Stacks 220

    How to Configure DHCP Features 220

    Default DHCP Snooping Configuration 220

    DHCP Snooping Configuration Guidelines 221

    Configuring the DHCP Server 221

    DHCP Server and Switch Stacks 221

    Configuring the DHCP Relay Agent 221

    Specifying the Packet Forwarding Address 223

    Prerequisites for Configuring DHCP Snooping and Option 82 225

    Enabling DHCP Snooping and Option 82 226

    Enabling the Cisco IOS DHCP Server Database 230

    Monitoring DHCP Snooping Information 230

    Configuring DHCP Server Port-Based Address Allocation 230

    Information About Configuring DHCP Server Port-Based Address Allocation 230

    Default Port-Based Address Allocation Configuration 231

    Port-Based Address Allocation Configuration Guidelines 231

    Enabling the DHCP Snooping Binding Database Agent 231

    Enabling DHCP Server Port-Based Address Allocation 233

    Monitoring DHCP Server Port-Based Address Allocation 235

    Additional References 235

    Feature Information for DHCP Snooping and Option 82 236

    Chapter 14  Configuring IP Source Guard 239

    Finding Feature Information 239

    Information About IP Source Guard 239

    IP Source Guard 239

    IP Source Guard for Static Hosts 240

    IP Source Guard Configuration Guidelines 241

    How to Configure IP Source Guard 242

    Enabling IP Source Guard 242

    Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port 243

    Monitoring IP Source Guard 245

    Additional References 246

    Chapter 15  Configuring Dynamic ARP Inspection 247

    Finding Feature Information 247

    Restrictions for Dynamic ARP Inspection 247

    Understanding Dynamic ARP Inspection 249

    Interface Trust States and Network Security 250

    Rate Limiting of ARP Packets 251

    Relative Priority of ARP ACLs and DHCP Snooping Entries 252

    Logging of Dropped Packets 252

    Default Dynamic ARP Inspection Configuration 252

    Relative Priority of ARP ACLs and DHCP Snooping Entries 253

    Configuring ARP ACLs for Non-DHCP Environments 253

    Configuring Dynamic ARP Inspection in DHCP Environments 256

    Limiting the Rate of Incoming ARP Packets 259

    Performing Dynamic ARP Inspection Validation Checks 261

    Monitoring DAI 263

    Verifying the DAI Configuration 264

    Additional References 264

    Chapter 16  Configuring IEEE 802.1x Port-Based Authentication 267

    Finding Feature Information 267

    Information About 802.1x Port-Based Authentication 267

    Port-Based Authentication Process 268

    Port-Based Authentication Initiation and Message Exchange 270

    Authentication Manager for Port-Based Authentication 272

    Port-Based Authentication Methods 272

    Per-User ACLs and Filter-Ids 273

    Port-Based Authentication Manager CLI Commands 274

    Ports in Authorized and Unauthorized States 275

    Port-Based Authentication and Switch Stacks 276

    802.1x Host Mode 277

    802.1x Multiple Authentication Mode 277

    Multi-auth Per User VLAN assignment 278

    Limitation in Multi-auth Per User VLAN assignment 279

    MAC Move 280

    MAC Replace 280

    802.1x Accounting 281

    802.1x Accounting Attribute-Value Pairs 281

    802.1x Readiness Check 282

    Switch-to-RADIUS-Server Communication 282

    802.1x Authentication with VLAN Assignment 283

    802.1x Authentication with Per-User ACLs 284

    802.1x Authentication with Downloadable ACLs and Redirect URLs 285

    Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL 287

    Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs 287

    VLAN ID-based MAC Authentication 288

    802.1x Authentication with Guest VLAN 288

    802.1x Authentication with Restricted VLAN 289

    802.1x Authentication with Inaccessible Authentication Bypass 290

    Inaccessible Authentication Bypass Support on Multiple-Authentication Ports 290

    Inaccessible Authentication Bypass Authentication Results 291

    Inaccessible Authentication Bypass Feature Interactions 291

    802.1x Critical Voice VLAN 292

    802.1x User Distribution 292

    802.1x User Distribution Configuration Guidelines 293

    IEEE 802.1x Authentication with Voice VLAN Ports 293

    IEEE 802.1x Authentication with Port Security 294

    IEEE 802.1x Authentication with Wake-on-LAN 294

    IEEE 802.1x Authentication with MAC Authentication Bypass 295

    Network Admission Control Layer 2 IEEE 802.1x Validation 296

    Flexible Authentication Ordering 296

    Open1x Authentication 297

    Multidomain Authentication 297

    Limiting Login for Users 299

    802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT) 299

    Voice Aware 802.1x Security 300

    Common Session ID 301

    How to Configure 802.1x Port-Based Authentication 301

    Default 802.1x Authentication Configuration 301

    802.1x Authentication Configuration Guidelines 303

    802.1x Authentication 303

    VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass 304

    MAC Authentication Bypass 305

    Maximum Number of Allowed Devices Per Port 305

    Configuring 802.1x Readiness Check 305

    Configuring Voice Aware 802.1x Security 307

    Configuring 802.1x Violation Modes 309

    Configuring 802.1x Authentication 311

    Configuring 802.1x Port-Based Authentication 312

    Configuring the Switch-to-RADIUS-Server Communication 314

    Configuring the Host Mode 316

    Configuring Periodic Re-Authentication 317

    Changing the Quiet Period 319

    Changing the Switch-to-Client Retransmission Time 320

    Setting the Switch-to-Client Frame-Retransmission Number 321

    Setting the Re-Authentication Number 323

    Enabling MAC Move 324

    Enabling MAC Replace 325

    Configuring 802.1x Accounting 327

    Configuring a Guest VLAN 328

    Configuring a Restricted VLAN 330

    Configuring Number of Authentication Attempts on a Restricted VLAN 331

    Configuring 802.1x Inaccessible Authentication Bypass with Critical Voice VLAN 333

    Example of Configuring Inaccessible Authentication Bypass 336

    Configuring 802.1x Authentication with WoL 337

    Configuring MAC Authentication Bypass 338

    Configuring 802.1x User Distribution 339

    Example of Configuring VLAN Groups 340

    Configuring NAC Layer 2 802.1x Validation 341

    Configuring Limiting Login for Users 343

    Configuring an Authenticator Switch with NEAT 344

    Configuring a Supplicant Switch with NEAT 346

    Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs 349

    Configuring Downloadable ACLs 349

    Configuring a Downloadable Policy 351

    Configuring VLAN ID-based MAC Authentication 354

    Configuring Flexible Authentication Ordering 354

    Configuring Open1x 356

    Disabling 802.1x Authentication on the Port 358

    Resetting the 802.1x Authentication Configuration to the Default Values 359

    Monitoring 802.1x Statistics and Status 360

    Additional References for IEEE 802.1x Port-Based Authentication 361

    Feature Information for 802.1x Port-Based Authentication 362

    Chapter 17  Configuring Web-Based Authentication 363

    Finding Feature Information 363

    Web-Based Authentication Overview 363

    Device Roles 365

    Host Detection 365

    Session Creation 366

    Authentication Process 366

    Local Web Authentication Banner 367

    Web Authentication Customizable Web Pages 369

    Guidelines 369

    Authentication Proxy Web Page Guidelines 371

    Redirection URL for Successful Login Guidelines 372

    Web-based Authentication Interactions with Other Features 372

    Port Security 372

    LAN Port IP 372

    Gateway IP 373

    ACLs 373

    Context-Based Access Control 373

    EtherChannel 373

    How to Configure Web-Based Authentication 373

    Default Web-Based Authentication Configuration 373

    Web-Based Authentication Configuration Guidelines and Restrictions 374

    Web-Based Authentication Configuration Task List 375

    Configuring the Authentication Rule and Interfaces 375

    Configuring AAA Authentication 378

    Configuring Switch-to-RADIUS-Server Communication 380

    Configuring the HTTP Server 381

    Customizing the Authentication Proxy Web Pages 383

    Specifying a Redirection URL for Successful Login 384

    Configuring the Web-Based Authentication Parameters 385

    Configuring a Web-Based Authentication Local Banner 386

    Configuring Web-Based Authentication without SVI 388

    Configuring Web-Based Authentication with VRF Aware 389

    Removing Web-Based Authentication Cache Entries 391

    Monitoring Web-Based Authentication Status 391

    Feature Information for Web-Based Authentication 392

    Chapter 18  Configuring Port-Based Traffic Control 393

    Overview of Port-Based Traffic Control 394

    Finding Feature Information 394

    Information About Storm Control 394

    Storm Control 394

    How Traffic Activity is Measured 395

    Traffic Patterns 395

    How to Configure Storm Control 396

    Configuring Storm Control and Threshold Levels 396

    Configuring Small-Frame Arrival Rate 399

    Finding Feature Information 401

    Information About Protected Ports 401

    Protected Ports 401

    Default Protected Port Configuration 402

    Protected Ports Guidelines 402

    How to Configure Protected Ports 402

    Configuring a Protected Port 402

    Monitoring Protected Ports 404

    Where to Go Next 404

    Additional References 404

    Feature Information 405

    Finding Feature Information 405

    Information About Port Blocking 405

    Port Blocking 405

    How to Configure Port Blocking 406

    Blocking Flooded Traffic on an Interface 406

    Monitoring Port Blocking 408

    Where to Go Next 408

    Additional References 408

    Feature Information 409

    Prerequisites for Port Security 409

    Restrictions for Port Security 410

    Information About Port Security 410

    Port Security 410

    Types of Secure MAC Addresses 410

    Sticky Secure MAC Addresses 410

    Security Violations 411

    Port Security Aging 412

    Port Security and Switch Stacks 412

    Default Port Security Configuration 413

    Port Security Configuration Guidelines 413

    Overview of Port-Based Traffic Control 414

    How to Configure Port Security 415

    Enabling and Configuring Port Security 415

    Enabling and Configuring Port Security Aging 419

    Finding Feature Information 421

    Information About Storm Control 422

    Storm Control 422

    How Traffic Activity is Measured 422

    Traffic Patterns 423

    How to Configure Storm Control 423

    Configuring Storm Control and Threshold Levels 423

    Configuring Small-Frame Arrival Rate 426

    Finding Feature Information 428

    Information About Protected Ports 428

    Protected Ports 428

    Default Protected Port Configuration 429

    Protected Ports Guidelines 429

    How to Configure Protected Ports 429

    Configuring a Protected Port 429

    Monitoring Protected Ports 431

    Where to Go Next 431

    Additional References 431

    Feature Information 432

    Finding Feature Information 432

    Information About Port Blocking 432

    Port Blocking 432

    How to Configure Port Blocking 433

    Blocking Flooded Traffic on an Interface 433

    Monitoring Port Blocking 435

    Where to Go Next 435

    Additional References 435

    Feature Information 436

    Configuration Examples for Port Security 436

    Additional References 437

    Finding Feature Information 438

    Information About Protocol Storm Protection 438

    Protocol Storm Protection 438

    Default Protocol Storm Protection Configuration 439

    How to Configure Protocol Storm Protection 439

    Enabling Protocol Storm Protection 439

    Monitoring Protocol Storm Protection 440

    Additional References 441

    Chapter 19  Configuring IPv6 First Hop Security 443

    Finding Feature Information 443

    Prerequisites for First Hop Security in IPv6 443

    Restrictions for First Hop Security in IPv6 444

    Information about First Hop Security in IPv6 444

    How to Configure an IPv6 Snooping Policy 446

    How to Attach an IPv6 Snooping Policy to an Interface 448

    How to Attach an IPv6 Snooping Policy to a Layer 2 EtherChannel Interface 449

    How to Attach an IPv6 Snooping Policy to VLANs Globally 450

    How to Configure the IPv6 Binding Table Content 451

    How to Configure an IPv6 Neighbor Discovery Inspection Policy 452

    How to Attach an IPv6 Neighbor Discovery Inspection Policy to an Interface 454

    How to Attach an IPv6 Neighbor Discovery Inspection Policy to a Layer 2 EtherChannel Interface 456

    How to Attach an IPv6 Neighbor Discovery Inspection Policy to VLANs Globally 457

    How to Configure an IPv6 Router Advertisement Guard Policy 458

    How to Attach an IPv6 Router Advertisement Guard Policy to an Interface 460

    How to Attach an IPv6 Router Advertisement Guard Policy to a Layer 2 EtherChannel Interface 461

    How to Attach an IPv6 Router Advertisement Guard Policy to VLANs Globally 462

    How to Configure an IPv6 DHCP Guard Policy 463

    How to Attach an IPv6 DHCP Guard Policy to an Interface or a VLAN on an Interface 465

    How to Attach an IPv6 DHCP Guard Policy to a Layer 2 EtherChannel Interface 467

    How to Attach an IPv6 DHCP Guard Policy to VLANs Globally 468

    Additional References 469

    Chapter 20  Configuring Wireless Guest Access 471

    Finding Feature Information 471

    Prerequisites for Guest Access 471

    Restrictions for Guest Access 472

    Information about Wireless Guest Access 472

    Fast Secure Roaming 472

    How to Configure Guest Access 473

    Creating a Lobby Administrator Account 473

    Configuring Guest User Accounts 474

    Configuring Mobility Agent (MA) 475

    Configuring Mobility Controller 477

    Obtaining a Web Authentication Certificate 478

    Displaying a Web Authentication Certificate 479

    Choosing the Default Web Authentication Login Page 479

    Choosing a Customized Web Authentication Login Page from an External Web Server 481

    Assigning Login, Login Failure, and Logout Pages per WLAN 483

    Configuring AAA-Override 484

    Configuring Client Load Balancing 485

    Configuring Preauthentication ACL 486

    Configuring IOS ACL Definition 487

    Configuring Webpassthrough 488

    Configuration Examples for Guest Access 489

    Example: Creating a Lobby Ambassador Account 489

    Example: Obtaining Web Authentication Certificate 489

    Example: Displaying a Web Authentication Certificate 490

    Example: Configuring Guest User Accounts 491

    Example: Configuring Mobility Controller 491

    Example: Choosing the Default Web Authentication Login Page 492

    Example: Choosing a Customized Web Authentication Login Page from an IPv4 External Web Server 493

    Example: Assigning Login, Login Failure, and Logout Pages per WLAN 493

    Example: Configuring AAA-Override 493

    Example: Configuring Client Load Balancing 494

    Example: Configuring Preauthentication ACL 494

    Example: Configuring IOS ACL Definition 494

    Example: Configuring Webpassthrough 494

    Additional References for Guest Access 495

    Feature History and Information for Guest Access 496

    Chapter 21  Configuring Intrusion Detection System 497

    Finding Feature Information 497

    Information About Intrusion Detection System 497

    How to Configure Intrusion Detection System 498

    Configuring IDS Sensors 498

    Monitoring Intrusion Detection System 499

    Preface

    This book describes configuration information and examples for security management on the switch.

    Audience, page xxiii

    Document Organization, page xxiii

    Document Conventions, page xxv

    Related Documentation, page xxvi

    Changes to This Document, page xxvi

    Obtaining Documentation and Submitting a Service Request, page xxvii

Audience

This guide is for the networking professional managing the Catalyst 3850 switch, hereafter referred to as the switch module. Before using this guide, you should have experience working with the Cisco IOS software and be familiar with the concepts and terminology of Ethernet and local area networking.

Document Organization

This document is organized into the following chapters:

Table 1: Document Organization

Chapter 1, Using the Command-Line Interface: Describes how to use the Cisco IOS command-line interface.

Chapter 2, Preventing Unauthorized Access: Describes how to prevent unauthorized users from reconfiguring your device and viewing configuration information.

Chapter 3, Controlling Switch Access with Passwords and Privilege Levels: Describes how to control switch access with passwords and privilege levels.

Chapter 4, Configuring TACACS+: Describes how to install, configure and troubleshoot general features for TACACS+.

Chapter 5, Configuring RADIUS: Describes how to install, configure and troubleshoot general features for RADIUS.

Chapter 6, Configuring Kerberos: Describes how to install, configure and troubleshoot general features for Kerberos.

Chapter 7, Configuring Local Authentication and Authorization: Describes how to install, configure and troubleshoot general features for Local Authentication and Authorization.

Chapter 8, Configuring Secure Shell (SSH): Describes how to install, configure and troubleshoot general features for Secure Shell (SSH).

Chapter 9, Configuring Secure Socket Layer HTTP: Describes how to install, configure and troubleshoot general features for Secure Socket Layer HTTP.

Chapter 10, Configuring IPv4 ACLs: Describes how to install, configure and troubleshoot general features for IPv4 ACLs.

Chapter 11, Configuring IPv6 ACLs: Describes how to install, configure and troubleshoot general features for IPv6 ACLs.

Chapter 12, Configuring DHCP: Describes how to install, configure and troubleshoot general features for DHCP Snooping and Option 82.

Chapter 13, Configuring IP Source Guard: Describes how to install, configure and troubleshoot general features for IP Source Guard.

Chapter 14, Configuring Dynamic ARP Inspection: Describes how to configure and monitor the DAI feature.

Chapter 15, Configuring IEEE 802.1x Port-Based Authentication: Describes how to install, configure and troubleshoot general features for IEEE 802.1x Port-Based Authentication.

Chapter 16, Configuring Web-Based Authentication: Describes how to configure and troubleshoot WBA.

Chapter 17, Configuring Port-Based Traffic Control: Describes how to configure and monitor various port-based security features.

Chapter 18, Configuring IPv6 First Hop Security: Describes how to configure and monitor IPv6 policy features.

Chapter 19, Configuring Wireless Guest Access: Describes how to configure and monitor guest access on the embedded wireless controller.

Chapter 20, Configuring Intrusion Detection System: Describes how to configure the switch to operate with the Cisco IDS.

Index

Document Conventions

This publication uses these conventions to convey instructions and information:

Command descriptions use these conventions:

Commands and keywords are in boldface text.

Arguments for which you supply values are in italic.

Square brackets ([ ]) mean optional elements.

Braces ({ }) group required choices, and vertical bars ( | ) separate the alternative elements.

Braces and vertical bars within square brackets ([{ | }]) mean a required choice within an optional element.

Interactive examples use these conventions:

Terminal sessions and system displays are in screen font.

Information you enter is in boldface screen font.

Nonprinting characters, such as passwords or tabs, are in angle brackets (< >).

Notes, cautions, and warnings use these conventions and symbols:

Note: Means reader take note. Notes contain helpful suggestions or references to materials not contained in this manual.

Reader Alert Conventions

This document uses the following conventions for reader alerts:

Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Tip: Means the following information will help you solve a problem.

Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Timesaver: Means the described action saves time. You can save time by performing the action described in the paragraph.

Warning: Means reader be warned. In this situation, you might perform an action that could result in bodily injury.

Related Documentation

Note: Before installing or upgrading the switch, refer to the switch release notes.

Cisco Catalyst 3850 Series Switches documentation, located at: http://www.cisco.com/go/cat3850_docs

Cisco SFP and SFP+ modules documentation, including compatibility matrixes, located at: http://www.cisco.com/en/US/products/hw/modules/ps5455/tsd_products_support_series_home.html

Cisco Validated Designs documents, located at: http://www.cisco.com/go/designzone

Changes to This Document

This table lists the technical changes made to this document since it was first printed.

Table 2: Changes to This Document

Revision: OL-xxxxx-01; Date: July 2012; Change Summary: Initial release of this document.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.

CHAPTER 1 Using the Command-Line Interface

Information About Using the Command-Line Interface, page 1

How to Use the CLI to Configure Features, page 6

Information About Using the Command-Line Interface

Command Modes

The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.

You can start a CLI session through a console connection, through Telnet or SSH, or by using the browser.

When you start a session, you begin in user mode, often called user EXEC mode. Only a limited subset of the commands are available in user EXEC mode. For example, most of the user EXEC commands are one-time commands, such as show commands, which show the current configuration status, and clear commands, which clear counters or interfaces. The user EXEC commands are not saved when the switch reboots.

To have access to all commands, you must enter privileged EXEC mode. Normally, you must enter a password to enter privileged EXEC mode. From this mode, you can enter any privileged EXEC command or enter global configuration mode.

Using the configuration modes (global, interface, and line), you can make changes to the running configuration. If you save the configuration, these commands are stored and used when the switch reboots. To access the various configuration modes, you must start at global configuration mode. From global configuration mode, you can enter interface configuration mode and line configuration mode.

This table describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode.

Table 3: Command Mode Summary

User EXEC
Access method: Begin a session using Telnet, SSH, or console.
Prompt: Switch>
Exit method: Enter logout or quit.
About this mode: Use this mode to change terminal settings, perform basic tests, and display system information.

Privileged EXEC
Access method: While in user EXEC mode, enter the enable command.
Prompt: Switch#
Exit method: Enter disable to exit.
About this mode: Use this mode to verify commands that you have entered. Use a password to protect access to this mode.

Global configuration
Access method: While in privileged EXEC mode, enter the configure command.
Prompt: Switch(config)#
Exit method: To exit to privileged EXEC mode, enter exit or end, or press Ctrl-Z.
About this mode: Use this mode to configure parameters that apply to the entire switch.

VLAN configuration
Access method: While in global configuration mode, enter the vlan vlan-id command.
Prompt: Switch(config-vlan)#
Exit method: To exit to global configuration mode, enter the exit command. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About this mode: Use this mode to configure VLAN parameters. When VTP mode is transparent, you can create extended-range VLANs (VLAN IDs greater than 1005) and save configurations in the switch startup configuration file.

Interface configuration
Access method: While in global configuration mode, enter the interface command (with a specific interface).
Prompt: Switch(config-if)#
Exit method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About this mode: Use this mode to configure parameters for the Ethernet ports.

Line configuration
Access method: While in global configuration mode, specify a line with the line vty or line console command.
Prompt: Switch(config-line)#
Exit method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
About this mode: Use this mode to configure parameters for the terminal line.

Understanding Abbreviated Commands

You need to enter only enough characters for the switch to recognize the command as unique.

This example shows how to enter the show configuration privileged EXEC command in an abbreviated form:

Switch# show conf

No and Default Forms of Commands

Almost every configuration command also has a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface. Use the command without the keyword no to reenable a disabled feature or to enable a feature that is disabled by default.

Configuration commands can also have a default form. The default form of a command returns the command setting to its default. Most commands are disabled by default, so the default form is the same as the no form. However, some commands are enabled by default and have variables set to certain default values. In these cases, the default command enables the command and sets variables to their default values.

CLI Error Messages

This table lists some error messages that you might encounter while using the CLI to configure your switch.

Table 4: Common CLI Error Messages

Error message: % Ambiguous command: "show con"
Meaning: You did not enter enough characters for your switch to recognize the command.
How to get help: Reenter the command followed by a question mark (?) without any space between the command and the question mark. The possible keywords that you can enter with the command appear.

Error message: % Incomplete command.
Meaning: You did not enter all of the keywords or values required by this command.
How to get help: Reenter the command followed by a question mark (?) with a space between the command and the question mark. The possible keywords that you can enter with the command appear.

Error message: % Invalid input detected at '^' marker.
Meaning: You entered the command incorrectly. The caret (^) marks the point of the error.
How to get help: Enter a question mark (?) to display all of the commands that are available in this command mode. The possible keywords that you can enter with the command appear.
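The prefix rule from "Understanding Abbreviated Commands" and the two error rows above that it produces (ambiguous versus invalid) can be reproduced in a few lines. The following Python is an added example written for this page, not code from Cisco or from the switch. Its command tree (COMMAND_TREE) is a constructed toy that covers only the keywords used in this chapter's examples, and the error strings are modeled on Table 4.

```python
"""Unique-prefix command resolution in the style of the IOS parser."""

# Constructed two-level command tree (not the switch's real parser tree):
# EXEC verbs, and the keywords that may follow each of them.
COMMAND_TREE = {
    "show": ("configuration", "controllers", "clock", "history", "interfaces"),
    "configure": ("terminal", "memory"),
    "clear": ("counters", "line"),
    "disable": (),
    "dir": (),
    "disconnect": (),
    "enable": (),
}


class Ambiguous(Exception):
    """More than one candidate starts with the token ('% Ambiguous command')."""


class Invalid(Exception):
    """No candidate starts with the token ('% Invalid input')."""


def resolve(token, candidates):
    """Return the unique candidate that `token` abbreviates.

    An exact match wins outright; otherwise exactly one prefix match is
    required. Zero matches raises Invalid, two or more raise Ambiguous,
    mirroring the first and third rows of Table 4.
    """
    if token in candidates:
        return token
    matches = [c for c in candidates if c.startswith(token)]
    if not matches:
        raise Invalid(token)
    if len(matches) > 1:
        raise Ambiguous(token, matches)
    return matches[0]


def expand(line):
    """Expand an abbreviated command line, e.g. 'sh conf' -> 'show configuration'.

    On failure returns the parser-style message: either
    '% Ambiguous command: "<line>"' or the three-line '% Invalid input'
    form with a caret under the offending token.
    """
    tokens = line.split()
    if not tokens:
        return ""
    full, candidates, col = [], tuple(COMMAND_TREE), 0
    for tok in tokens:
        col = line.index(tok, col)  # column where this token starts (for the caret)
        try:
            word = resolve(tok, candidates)
        except Ambiguous:
            return f'% Ambiguous command: "{line}"'
        except Invalid:
            return f"{line}\n{' ' * col}^\n% Invalid input detected at '^' marker."
        full.append(word)
        # Only the verb has sub-keywords in this toy tree; anything after
        # the second token is therefore invalid.
        candidates = COMMAND_TREE[word] if len(full) == 1 else ()
        col += len(tok)
    return " ".join(full)


if __name__ == "__main__":
    for entry in ("sh conf", "show con", "di", "sho xyz"):
        print(expand(entry))
```

Typing "show con" is ambiguous here because both "configuration" and "controllers" begin with "con", which is exactly why the page's own example abbreviates to "show conf".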

Configuration Logging

You can log and view changes to the switch configuration. You can use the Configuration Change Logging and Notification feature to track changes on a per-session and per-user basis. The logger tracks each configuration command that is applied, the user who entered the command, the time that the command was entered, and the parser return code for the command. This feature includes a mechanism for asynchronous notification to registered applications whenever the configuration changes. You can choose to have the notifications sent to the syslog.

Note: Only CLI or HTTP changes are logged.
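When the notifications go to syslog, every logged command arrives as its own message carrying the user and the command text, which makes the stream straightforward to triage for changes that weaken access control. The Python below is an added example for this page, not Cisco code. The syslog lines are constructed, and the message layout they follow (a %PARSER-5-CFGLOG_LOGGEDCMD message with User: and logged command: fields) is our assumption about the logger's syslog output, not something this page specifies; the high-risk pattern list is likewise ours.

```python
"""Triage configuration-change syslog messages for access-control changes."""
import re
from collections import Counter

# Constructed sample (hostnames, users, timestamps and commands are invented).
# The layout "%PARSER-5-CFGLOG_LOGGEDCMD: User:<name>  logged command:<cmd>"
# is assumed for the logger's syslog output.
SAMPLE_SYSLOG = """\
Mar  3 10:01:12 sw1 1234: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:interface GigabitEthernet1/0/5
Mar  3 10:01:15 sw1 1235: %PARSER-5-CFGLOG_LOGGEDCMD: User:netops  logged command:description uplink-to-core
Mar  3 10:07:40 sw1 1236: %PARSER-5-CFGLOG_LOGGEDCMD: User:contractor  logged command:username backdoor privilege 15 secret 0 Letmein1
Mar  3 10:07:44 sw1 1237: %PARSER-5-CFGLOG_LOGGEDCMD: User:contractor  logged command:no aaa new-model
Mar  3 10:07:51 sw1 1238: %PARSER-5-CFGLOG_LOGGEDCMD: User:contractor  logged command:no logging host 10.0.0.5
Mar  3 10:09:02 sw1 1239: %SYS-5-CONFIG_I: Configured from console by contractor on vty0 (10.9.8.7)
"""

CFGLOG_RE = re.compile(
    r"%PARSER-5-CFGLOG_LOGGEDCMD: User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)$"
)

# Commands that weaken authentication or blind the logger, with the reason
# an analyst would want to see. First match wins.
HIGH_RISK = (
    (re.compile(r"^username \S+ .*privilege 15"), "new level-15 local account"),
    (re.compile(r"^no aaa "), "AAA disabled or weakened"),
    (re.compile(r"^no logging "), "logging destination removed"),
    (re.compile(r"^(no )?enable (secret|password)"), "enable credential changed"),
    (re.compile(r"^transport input .*\btelnet\b"), "cleartext management protocol allowed"),
    (re.compile(r"^no (login|password)\b"), "line authentication removed"),
)


def parse_cfglog(text):
    """Yield (user, command) for each configuration-logger message in text.

    Other syslog messages (such as %SYS-5-CONFIG_I) are skipped.
    """
    for line in text.splitlines():
        m = CFGLOG_RE.search(line)
        if m:
            yield m.group("user"), m.group("cmd").strip()


def triage(text):
    """Return (findings, per_user_counts).

    findings: list of (user, command, reason) for every high-risk command.
    per_user_counts: Counter of logged commands per user, so a burst of
    changes from an unexpected account stands out even when no single
    command matches a pattern.
    """
    findings, counts = [], Counter()
    for user, cmd in parse_cfglog(text):
        counts[user] += 1
        for pattern, reason in HIGH_RISK:
            if pattern.search(cmd):
                findings.append((user, cmd, reason))
                break
    return findings, counts


if __name__ == "__main__":
    hits, per_user = triage(SAMPLE_SYSLOG)
    for user, cmd, reason in hits:
        print(f"{user:12} {reason:40} {cmd}")
    print(dict(per_user))
```

Note the cleartext credential in the third constructed line: the logger records the command as typed, so unless it is configured to hide keys (the hidekeys option under log config), a secret 0 or password argument ends up in syslog and in every system that forwards it.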

Using the Help System

You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command.

SUMMARY STEPS

1. help
2. abbreviated-command-entry ?
3. abbreviated-command-entry <Tab>
4. ?
5. command ?
6. command keyword ?

DETAILED STEPS

Step 1: help
Obtains a brief description of the help system in any command mode.
Example:
Switch# help

Step 2: abbreviated-command-entry ?
Obtains a list of commands that begin with a particular character string.
Example:
Switch# di?
dir disable disconnect

Step 3: abbreviated-command-entry <Tab>
Completes a partial command name.
Example:
Switch# sh conf<Tab>
Switch# show configuration

Step 4: ?
Lists all commands available for a particular command mode.
Example:
Switch> ?

Step 5: command ?
Lists the associated keywords for a command.
Example:
Switch> show ?

Step 6: command keyword ?
Lists the associated arguments for a keyword.
Example:
Switch(config)# cdp holdtime ?
  Length of time (in sec) that receiver must keep this packet

How to Use the CLI to Configure Features

Configuring the Command History

The software provides a history or record of commands that you have entered. The command history feature is particularly useful for recalling long or complex commands or entries, including access lists. You can customize this feature to suit your needs.

Changing the Command History Buffer Size

By default, the switch records ten command lines in its history buffer. You can alter this number for a current terminal session or for all sessions on a particular line. This procedure is optional.

SUMMARY STEPS

1. terminal history [size number-of-lines]

DETAILED STEPS

Step 1: terminal history [size number-of-lines]
Changes the number of command lines that the switch records during the current terminal session in privileged EXEC mode. You can configure the size from 0 to 256.
Example:
Switch# terminal history size 200

Recalling Commands

To recall commands from the history buffer, perform one of the actions listed in this table. These actions are optional.

Note: The arrow keys function only on ANSI-compatible terminals such as VT100s.

SUMMARY STEPS

1. Ctrl-P or use the up arrow key
2. Ctrl-N or use the down arrow key
3. show history

DETAILED STEPS

Step 1: Ctrl-P or use the up arrow key
Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.

Step 2: Ctrl-N or use the down arrow key
Returns to more recent commands in the history buffer after recalling commands with Ctrl-P or the up arrow key. Repeat the key sequence to recall successively more recent commands.

Step 3: show history
Lists the last several commands that you just entered in privileged EXEC mode. The number of commands that appear is controlled by the setting of the terminal history global configuration command and the history line configuration command.
Example:
Switch# show history

Disabling the Command History Feature

The command history feature is automatically enabled. You can disable it for the current terminal session or for the command line. This procedure is optional.

SUMMARY STEPS

1. terminal no history

DETAILED STEPS

Step 1: terminal no history
Disables the feature during the current terminal session in privileged EXEC mode.
Example:
Switch# terminal no history

Enabling and Disabling Editing Features

Although enhanced editing mode is automatically enabled, you can disable it and reenable it.

SUMMARY STEPS

1. terminal editing
2. terminal no editing

DETAILED STEPS

Step 1: terminal editing
Reenables the enhanced editing mode for the current terminal session in privileged EXEC mode.
Example:
Switch# terminal editing

Step 2: terminal no editing
Disables the enhanced editing mode for the current terminal session in privileged EXEC mode.
Example:
Switch# terminal no editing

Editing Commands Through Keystrokes

The keystrokes help you to edit the command lines. These keystrokes are optional.

Note: The arrow keys function only on ANSI-compatible terminals such as VT100s.

Table 5: Editing Commands

Ctrl-B or use the left arrow key: Moves the cursor back one character.
Ctrl-F or use the right arrow key: Moves the cursor forward one character.
Ctrl-A: Moves the cursor to the beginning of the command line.
Ctrl-E: Moves the cursor to the end of the command line.
Esc B: Moves the cursor back one word.
Esc F: Moves the cursor forward one word.
Ctrl-T: Transposes the character to the left of the cursor with the character located at the cursor.
Delete or Backspace key: Erases the character to the left of the cursor.
Ctrl-D: Deletes the character at the cursor.
Ctrl-K: Deletes all characters from the cursor to the end of the command line.
Ctrl-U or Ctrl-X: Deletes all characters from the cursor to the beginning of the command line.
Ctrl-W: Deletes the word to the left of the cursor.
Esc D: Deletes from the cursor to the end of the word.
Esc C: Capitalizes at the cursor.
Esc L: Changes the word at the cursor to lowercase.
Esc U: Capitalizes letters from the cursor to the end of the word.
Ctrl-V or Esc Q: Designates a particular keystroke as an executable command, perhaps as a shortcut.
Return key: Scrolls down a line or screen on displays that are longer than the terminal screen can display.
Space bar: Scrolls down one screen.
Ctrl-L or Ctrl-R: Redisplays the current command line if the switch suddenly sends a message to your screen.

Note: The More prompt is used for any output that has more lines than can be displayed on the terminal screen, including show command output. You can use the Return and Space bar keystrokes whenever you see the More prompt.

Editing Command Lines That Wrap

You can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command. The keystroke actions are optional.

To scroll back to the beginning of the command entry, press Ctrl-B or the left arrow key repeatedly. You can also press Ctrl-A to immediately move to the beginning of the line.

Note: The arrow keys function only on ANSI-compatible terminals such as VT100s.

The following example shows how to wrap a command line that extends beyond a single line on the screen.

SUMMARY STEPS

1. access-list
2. Ctrl-A
3. Return key

DETAILED STEPS

Step 1: access-list
Displays the global configuration command entry that extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the line, the line is again shifted ten spaces to the left.
Example:
Switch(config)# access-list 101 permit tcp 10.15.22.25 255.255.255.0 10.15.22.35
Switch(config)# $ 101 permit tcp 10.15.22.25 255.255.255.0 10.15.22.35 255.25
Switch(config)# $t tcp 10.15.22.25 255.255.255.0 131.108.1.20 255.255.255.0 eq
Switch(config)# $15.22.25 255.255.255.0 10.15.22.35 255.255.255.0 eq 45

Step 2: Ctrl-A
Checks the complete syntax. The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right.
Example:
Switch(config)# access-list 101 permit tcp 10.15.22.25 255.255.255.0 10.15.2$

Step 3: Return key
Executes the command.

The software assumes that you have a terminal screen that is 80 columns wide. If you have a different width, use the terminal width privileged EXEC command to set the width of your terminal.

Use line wrapping with the command history feature to recall and modify previous complex command entries.

Searching and Filtering Output of show and more Commands

You can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see. Using these commands is optional.

SUMMARY STEPS

1. {show | more} command | {begin | include | exclude} regular-expression

DETAILED STEPS

Step 1: {show | more} command | {begin | include | exclude} regular-expression
Searches and filters the output. Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain output are not displayed, but the lines that contain Output appear.
Example:
Switch# show interfaces | include protocol
Vlan1 is up, line protocol is up
Vlan10 is up, line protocol is down
GigabitEthernet1/0/1 is up, line protocol is down
GigabitEthernet1/0/2 is up, line protocol is up

Accessing the CLI on a Switch Stack

You can access the CLI through a console connection, through Telnet or SSH, or by using the browser.

You manage the switch stack and the stack member interfaces through the active switch. You cannot manage stack members on an individual switch basis. You can connect to the active switch through the console port or the Ethernet management port of one or more stack members. Be careful with using multiple CLI sessions on the active switch. Commands that you enter in one session are not displayed in the other sessions. Therefore, it is possible to lose track of the session from which you entered commands.

Note: We recommend using one CLI session when managing the switch stack.

If you want to configure a specific stack member port, you must include the stack member number in the CLI command interface notation.

To debug the standby switch, use the session standby ios privileged EXEC command from the active switch to access the IOS console of the standby switch. To debug a specific stack member, use the session switch stack-member-number privileged EXEC command from the active switch to access the diagnostic shell of the stack member. For more information about these commands, see the switch command reference.

Accessing the CLI Through a Console Connection or Through Telnet

Before you can access the CLI, you must connect a terminal or a PC to the switch console or connect a PC to the Ethernet management port and then power on the switch, as described in the hardware installation guide that shipped with your switch.

If your switch is already configured, you can access the CLI through a local console connection or through a remote Telnet session, but your switch must first be configured for this type of access.

You can use one of these methods to establish a connection with the switch:

Connect the switch console port to a management station or dial-up modem, or connect the Ethernet management port to a PC. For information about connecting to the console or Ethernet management port, see the switch hardware installation guide.

Use any Telnet TCP/IP or encrypted Secure Shell (SSH) package from a remote management station. The switch must have network connectivity with the Telnet or SSH client, and the switch must have an enable secret password configured. Telnet carries the whole session, passwords included, in cleartext; use SSH for remote management wherever possible and restrict the vty lines to it.

The switch supports up to 16 simultaneous Telnet sessions. Changes made by one Telnet user are reflected in all other Telnet sessions.

The switch supports up to five simultaneous secure SSH sessions.

After you connect through the console port, through the Ethernet management port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station.

CHAPTER 2 Preventing Unauthorized Access

Finding Feature Information, page 13

Preventing Unauthorized Access, page 13

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Preventing Unauthorized Access

You can prevent unauthorized users from reconfiguring your switch and viewing configuration information. Typically, you want network administrators to have access to your switch while you restrict access to users who dial from outside the network through an asynchronous port, connect from outside the network through a serial port, or connect through a terminal or workstation from within the local network.

To prevent unauthorized access into your switch, you should configure one or more of these security features:

At a minimum, you should configure passwords and privileges at each switch port. These passwords are locally stored on the switch. When users attempt to access the switch through a port or line, they must enter the password specified for the port or line before they can access the switch.

For an additional layer of security, you can also configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.

If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if necessary, authorization) information.

You can also enable the login enhancements feature, which logs both successful and failed login attempts. Login enhancements can also be configured to block future login attempts after a set number of unsuccessful attempts are made. For more information, see the Cisco IOS Login Enhancements documentation.
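The recommendations above can be checked mechanically against a saved running configuration before a device goes into service. The Python audit below is an added example for this page, not Cisco code. The two configuration excerpts are constructed; the checks encode the chapter's local-authentication case (an enable secret present, no reversible username passwords, every line actually authenticating, vty lines restricted to SSH, and failed logins throttled with login block-for). The audit assumes local authentication; a configuration using aaa new-model would need checks that understand its method lists instead.

```python
"""Audit an IOS running-config for the access controls this chapter recommends."""
import re

# Constructed running-config excerpts (not from a real device). The first
# leaves vty 0-4 on a shared line password with Telnet enabled and uses
# reversible credentials; the second applies the chapter's recommendations.
WEAK_CONFIG = """\
hostname sw1
enable password cisco123
username admin password 0 Admin123
username netops secret 5 $1$abcd$ZzZzZzZzZzZzZzZzZzZzZ.
line con 0
 login
 password console123
line vty 0 4
 password vtypass
 login
 transport input telnet ssh
line vty 5 15
 login local
 transport input ssh
"""

HARDENED_CONFIG = """\
hostname sw1
enable secret 5 $1$wxyz$YyYyYyYyYyYyYyYyYyYyY.
username admin secret 5 $1$efgh$XxXxXxXxXxXxXxXxXxXxX.
username netops secret 5 $1$abcd$ZzZzZzZzZzZzZzZzZzZzZ.
login block-for 120 attempts 3 within 60
login on-failure log
line con 0
 login local
line vty 0 15
 login local
 transport input ssh
"""


def split_blocks(config):
    """Split a config into (global_lines, {section header: [indented sub-lines]}).

    The sections this audit cares about (line con / line vty) nest one
    level: a non-indented line starts a section, indented lines belong to
    the most recent one. Plain global commands simply get an empty body.
    """
    global_lines, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
            global_lines.append(current)
    return global_lines, blocks


def audit(config):
    """Return a list of findings (strings); an empty list means every check passed."""
    findings = []
    global_lines, blocks = split_blocks(config)

    # Privileged EXEC must be guarded by a hashed enable secret, not enable password.
    if not any(l.startswith("enable secret") for l in global_lines):
        findings.append("no 'enable secret': privileged EXEC relies on a reversible 'enable password' or none")
    # Local accounts should store a hash (username ... secret), never a type-0/7 password.
    for l in global_lines:
        if re.match(r"username \S+ .*\bpassword\b", l):
            findings.append(f"reversible local password on '{l.split(' password')[0]}'; use 'username ... secret'")
    # Login enhancements: throttle repeated failures.
    if not any(l.startswith("login block-for") for l in global_lines):
        findings.append("no 'login block-for': failed logins are never throttled")

    for header, body in blocks.items():
        if not header.startswith("line "):
            continue
        has_line_pw = any(b.startswith("password") for b in body)
        if "login local" not in body and not ("login" in body and has_line_pw):
            findings.append(f"{header}: no working authentication ('login local', or 'login' plus a line password)")
        if header.startswith("line vty"):
            transport = next((b for b in body if b.startswith("transport input")), None)
            if transport is None:
                findings.append(f"{header}: no 'transport input' restriction; pin it to 'transport input ssh'")
            elif "telnet" in transport or transport.endswith(" all"):
                findings.append(f"{header}: cleartext Telnet allowed ({transport}); use 'transport input ssh'")
            if "login local" not in body:
                findings.append(f"{header}: shared line password only, no per-user accountability")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

The split between global commands and line sections is what lets the audit reason per line: the console keeps a line password here and is accepted, while a vty range on the same arrangement is flagged for lacking per-user accountability, which is the distinction the second bullet above draws.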

Related Topics

Configuring Username and Password Pairs, on page 27
TACACS+ and Switch Access, on page 39
Setting a Telnet Password for a Terminal Line, on page 25


CHAPTER 4 Controlling Switch Access with Passwords and Privilege Levels

    Finding Feature Information, page 17

    Restrictions for Controlling Switch Access with Passwords and Privileges, page 17

    Information About Passwords and Privilege Levels, page 18

    How to Control Switch Access with Passwords and Privilege Levels, page 20

    Monitoring Switch Access, page 33

    Configuration Examples for Setting Passwords and Privilege Levels, page 33

    Additional References, page 34

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Controlling Switch Access with Passwords and Privileges

    The following are the restrictions for controlling switch access with passwords and privileges:

Disabling password recovery will not work if you have set the switch to boot up manually by using the boot manual global configuration command. This command produces the boot loader prompt (switch:) after the switch is power cycled.

Related Topics

Disabling Password Recovery, on page 24
Password Recovery, on page 19

    Information About Passwords and Privilege Levels

Default Password and Privilege Level Configuration

A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.

    This table shows the default password and privilege level configuration.

Table 6: Default Password and Privilege Levels

| Feature | Default Setting |
|---|---|
| Enable password and privilege level | No password is defined. The default is level 15 (privileged EXEC level). The password is not encrypted in the configuration file. |
| Enable secret password and privilege level | No password is defined. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file. |
| Line password | No password is defined. |

Additional Password Security

To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or the enable secret global configuration command. Both establish a password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify, but they store it differently: enable password keeps the string in cleartext (or, with service password-encryption, as a reversible type 7 encoding), whereas enable secret stores a one-way salted MD5 hash (type 5).

We recommend that you use the enable secret command because it stores a hash rather than a recoverable value.

If you configure the enable secret command, it takes precedence over the enable password command: when both are present, only the enable secret is checked. Remove the enable password afterwards so that no recoverable copy of a privileged password remains in the configuration.

If you enable password encryption, it applies to all passwords including username passwords, authentication key passwords, the privileged command password, and console and virtual terminal line passwords. This encryption is the type 7 scheme, a reversible encoding with a fixed key: it keeps passwords from being read at a glance in show running-config output, but anyone who obtains the configuration file can recover them. Treat backups and TFTP copies of the configuration as secrets.

    Related Topics

Protecting Enable and Enable Secret Passwords with Encryption, on page 22
Example: Protecting Enable and Enable Secret Passwords with Encryption, on page 33


Password Recovery

By default, any end user with physical access to the switch can recover from a lost password by interrupting the boot process while the switch is powering on and then by entering a new password.

The password-recovery disable feature protects access to the switch password by disabling part of this functionality. When this feature is enabled, the end user can interrupt the boot process only by agreeing to set the system back to the default configuration. With password recovery disabled, you can still interrupt the boot process and change the password, but the configuration file (config.text) and the VLAN database file (vlan.dat) are deleted. In other words, the feature protects the confidentiality of the stored configuration, not the availability of the switch: anyone with physical access can still return it to factory defaults.

If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the Xmodem protocol.

    To re-enable password recovery, use the service password-recovery global configuration command.

    Related Topics

Disabling Password Recovery, on page 24
Restrictions for Controlling Switch Access with Passwords and Privileges, on page 17

Terminal Line Telnet Configuration

When you power up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password. If you did not configure this password during the setup program, you can configure it when you set a Telnet password for a terminal line. Keep in mind that Telnet carries the password and the entire session in cleartext; on a production switch, restrict the VTY lines to SSH with the transport input ssh line configuration command and treat the Telnet line password as a last resort.

    Related Topics

Setting a Telnet Password for a Terminal Line, on page 25
Example: Setting a Telnet Password for a Terminal Line, on page 34

Username and Password Pairs

You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.

    Related Topics

    Configuring Username and Password Pairs, on page 27


Privilege Levels

Cisco devices use privilege levels to provide password security for different levels of switch operation. By default, the Cisco IOS software operates in two modes (privilege levels) of password security: user EXEC (Level 1) and privileged EXEC (Level 15). You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.

    Privilege Levels on Lines

Users can override the privilege level you set using the privilege level line configuration command by logging in to the line and enabling a different privilege level. They can lower the privilege level by using the disable command. If users know the password to a higher privilege level, they can use that password to enable the higher privilege level. You might specify a high privilege level for your console line to restrict line usage.

For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.

    Command Privilege Levels

When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
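The subset rule above is easy to misapply: raising one command moves its parent keywords with it, so a level-1 user can lose the whole show tree until the parents are set back individually. The following Python model is an added example, not code from this guide or from Cisco IOS: it applies the rule exactly as stated in this section and answers which commands a user at a given level can run. The DEFAULT_LEVELS table is an assumption made for the model (a handful of well-known level-15 commands; anything unlisted starts at level 1); the real IOS parser has far more entries.

```python
"""Model of the privilege-level subset rule from this guide (added example)."""
from typing import Dict, List, Tuple

Node = Tuple[str, ...]  # a command keyword chain, e.g. ("show", "ip", "traffic")

# ASSUMPTION for the model: a few commands that are level 15 by default.
# Anything not listed starts at level 1 (user EXEC). Real IOS has many more.
DEFAULT_LEVELS: Dict[Node, int] = {
    ("clear",): 15,
    ("clear", "line"): 15,
    ("clear", "counters"): 15,
    ("configure",): 15,
    ("configure", "terminal"): 15,
    ("debug",): 15,
    ("reload",): 15,
    ("show", "running-config"): 15,
}


class PrivilegeModel:
    """Tracks the level of each keyword node and applies the subset rule."""

    def __init__(self) -> None:
        self.explicit: Dict[Node, int] = {}   # privilege exec level N <command>
        self.inherited: Dict[Node, int] = {}  # prefixes moved by the subset rule

    def privilege_exec_level(self, level: int, command: str) -> None:
        """Equivalent of: privilege exec level <level> <command>."""
        words = tuple(command.split())
        self.explicit[words] = level
        # Subset rule: every shorter prefix takes the same level unless it
        # has been set individually.
        for n in range(1, len(words)):
            prefix = words[:n]
            if prefix not in self.explicit:
                self.inherited[prefix] = level

    def node_level(self, node: Node) -> int:
        if node in self.explicit:
            return self.explicit[node]
        if node in self.inherited:
            return self.inherited[node]
        return DEFAULT_LEVELS.get(node, 1)

    def level_of(self, command: str) -> int:
        """Level required to run a command: every keyword on the way must be reachable."""
        words = tuple(command.split())
        return max(self.node_level(words[:n]) for n in range(1, len(words) + 1))

    def can_run(self, user_level: int, command: str) -> bool:
        return user_level >= self.level_of(command)

    def running_config(self) -> List[str]:
        """The privilege exec lines that would appear, including implied prefixes."""
        entries = {**self.inherited, **self.explicit}
        return [f"privilege exec level {lvl} {' '.join(node)}"
                for node, lvl in sorted(entries.items())]


def page_scenario() -> PrivilegeModel:
    """The example from this section: clear line at level 2 (widely shared
    password), configure terminal at level 3 (restricted group), plus a
    show ip traffic move to level 15 to expose the subset rule."""
    model = PrivilegeModel()
    model.privilege_exec_level(2, "clear line")
    model.privilege_exec_level(3, "configure terminal")
    model.privilege_exec_level(15, "show ip traffic")
    return model


if __name__ == "__main__":
    m = page_scenario()
    for line in m.running_config():
        print(line)
    print("level 1 can run 'show ip route'?", m.can_run(1, "show ip route"))  # False
    m.privilege_exec_level(1, "show ip")  # the individual reset this section mentions
    print("after resetting show ip:", m.can_run(1, "show ip route"))         # True
```

page_scenario() uses configure terminal as the full command where the section says "configure", because the model tracks complete commands; running_config() shows the implied "privilege exec level 15 show" and "show ip" entries that the subset rule creates, which is what locks the level-1 user out until show ip is reset to level 1.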

    Related Topics

Setting the Privilege Level for a Command, on page 29
Example: Setting the Privilege Level for a Command, on page 34
Changing the Default Privilege Level for Lines, on page 31
Logging into and Exiting a Privilege Level, on page 32

How to Control Switch Access with Passwords and Privilege Levels

Setting or Changing a Static Enable Password

The enable password controls access to the privileged EXEC mode. Follow these steps to set or change a static enable password:


SUMMARY STEPS

1. enable
2. configure terminal
3. enable password password
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Switch# configure terminal

Step 3: enable password password
Purpose: Defines a new password or changes an existing password for access to privileged EXEC mode. By default, no password is defined.
For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. It can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-V when you create the password; for example, to create the password abc?123, do this:
1. Enter abc.
2. Enter Ctrl-V.
3. Enter ?123.
When the system prompts you to enter the enable password, you need not precede the question mark with Ctrl-V; you can simply enter abc?123 at the password prompt.
Example:
Switch(config)# enable password secret321

Step 4: end
Purpose: Returns to privileged EXEC mode.
Example:
Switch(config)# end

Step 5: show running-config
Purpose: Verifies your entries.
Example:
Switch# show running-config

Step 6: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config startup-config

    Related Topics

    Example: Setting or Changing a Static Enable Password, on page 33

Protecting Enable and Enable Secret Passwords with Encryption

Follow these steps to establish an encrypted or hashed password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify:

    SUMMARY STEPS

1. enable
2. configure terminal
3. Use one of the following:
   enable password [level level] {password | encryption-type encrypted-password}
   enable secret [level level] {password | encryption-type encrypted-password}
4. service password-encryption
5. end
6. show running-config
7. copy running-config startup-config


DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Switch# configure terminal

Step 3: Use one of the following:
enable password [level level] {password | encryption-type encrypted-password}
enable secret [level level] {password | encryption-type encrypted-password}
Purpose: enable password defines a new password or changes an existing password for access to privileged EXEC mode. enable secret defines a secret password, which is saved as a one-way hash (a nonreversible method).
(Optional) For level, the range is from 0 to 15. Level 1 is normal user EXEC mode privileges. The default level is 15 (privileged EXEC mode privileges).
For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
(Optional) For encryption-type, only type 5 (a salted MD5 hash, shown with a $1$ prefix in the configuration) is available. If you specify an encryption type, you must provide an encrypted password, that is, a hash value that you copy from another switch configuration.
Note: If you specify an encryption type and then enter a clear text password, you cannot re-enter privileged EXEC mode. You cannot recover a lost encrypted password by any method.
Example:
Switch(config)# enable password example102
or
Switch(config)# enable secret level 1 password secret123sample

Step 4: service password-encryption
Purpose: (Optional) Encrypts the password when the password is defined or when the configuration is written. This uses the reversible type 7 scheme: it prevents the password from being readable in the configuration file, but it does not protect the password from anyone who obtains that file.
Example:
Switch(config)# service password-encryption


Step 5: end
Purpose: Returns to privileged EXEC mode.
Example:
Switch(config)# end

Step 6: show running-config
Purpose: Verifies your entries.
Example:
Switch# show running-config

Step 7: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config startup-config

    Related Topics

    Additional Password Security, on page 18

    Example: Protecting Enable and Enable Secret Passwords with Encryption, on page 33
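The practical difference between the enable password and enable secret forms in the procedure above, and between type 0/7 and type 5 storage in general (see Additional Password Security), is whether a copy of the configuration gives the password away. The following Python script is an added example, not code from this guide or from Cisco: it scans a running-config for enable, username and line passwords stored as type 0 or type 7, and shows why type 7 counts as recoverable by reversing it with the fixed key the scheme uses. The sample configuration is constructed for this example; the type 5 hash values in it are placeholders and are not checked.

```python
"""Audit a Cisco IOS configuration for recoverable passwords (added example)."""
import re
from typing import List, Tuple

# Fixed key of the type 7 scheme. Because it is constant and published,
# "service password-encryption" is obfuscation, not encryption.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: two decimal digits of seed, then hex of
    each plaintext byte XORed with the key byte at (seed + position)."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 9) -> str:
    """Forward direction of the same scheme (useful for building fixtures)."""
    data = plaintext.encode("ascii")
    body = bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# Matches the password-bearing lines this guide configures: enable password,
# username ... password, and an indented line-mode "password".
_PASSWORD_RE = re.compile(
    r"^(?P<ctx>enable password(?: level \d+)?"
    r"|username \S+(?: privilege \d+)? password"
    r"|\s+password)"
    r"(?: (?P<type>[07]))? (?P<value>.+)$"
)

Finding = Tuple[str, int, str]  # (severity, config line number, detail)


def audit_config(config_text: str) -> List[Finding]:
    """Flag every credential that a copy of the configuration would give away."""
    lines = config_text.splitlines()
    has_enable_secret = any(l.startswith("enable secret") for l in lines)
    findings: List[Finding] = []
    for number, line in enumerate(lines, 1):
        m = _PASSWORD_RE.match(line)
        if not m:
            continue
        ctx, value = m.group("ctx").strip(), m.group("value")
        if m.group("type") == "7":
            detail = f"{ctx}: type 7 is reversible, recovers to {type7_decode(value)!r}"
        else:
            detail = f"{ctx}: stored in cleartext (type 0)"
        severity = "HIGH"
        if ctx.startswith("enable password") and has_enable_secret:
            # enable secret takes precedence, but the recoverable value is still on disk.
            severity = "MEDIUM"
            detail += "; unused because enable secret is set, remove it anyway"
        findings.append((severity, number, detail))
    if any(l.startswith("enable password") for l in lines) and not has_enable_secret:
        findings.append(("HIGH", 0,
                         "privileged EXEC guarded only by enable password; add enable secret"))
    return findings


# Constructed sample; the $1$ hashes are placeholders, not real digests.
SAMPLE_CONFIG = """\
hostname Switch
enable password 7 094F471A1A0A
enable secret 5 $1$SaLt$cOnStRuCtEdHaShVaLuE00
username adamsample privilege 1 password secret456
username ops privilege 15 password 7 0822455D0A16
username audit privilege 15 secret 5 $1$SaLt$aNoThErPlAcEhOlDeR0000
line vty 0 15
 password abcxyz543
 login
"""

if __name__ == "__main__":
    for severity, number, detail in audit_config(SAMPLE_CONFIG):
        print(f"{severity:6} line {number:2}: {detail}")
```

Run against a saved show running-config, the script reports the line-mode and username passwords as cleartext, decodes both type 7 strings, and downgrades the enable password finding only because an enable secret is present; the type 5 entries produce no finding, which is the state this procedure aims for.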

Disabling Password Recovery

Follow these steps to disable password recovery to protect the security of your switch:

    Before You Begin

If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the Xmodem protocol.

    SUMMARY STEPS

1. enable
2. configure terminal
3. system disable password recovery switch {all | switch-number}
4. end


DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Switch# configure terminal

Step 3: system disable password recovery switch {all | switch-number}
Purpose: Disables password recovery.
all: Applies the setting to all switches in the stack.
switch-number: Applies the setting to the selected switch number only.
This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
Example:
Switch(config)# system disable password recovery switch all

Step 4: end
Purpose: Returns to privileged EXEC mode.
Example:
Switch(config)# end

    What to Do Next

To re-enable password recovery, use the no system disable password recovery switch all global configuration command.

    Related Topics

    Password Recovery, on page 19

    Restrictions for Controlling Switch Access with Passwords and Privileges, on page 17

Setting a Telnet Password for a Terminal Line

Beginning in user EXEC mode, follow these steps to set a Telnet password for the connected terminal line:

    Before You Begin

Attach a PC or workstation with emulation software to the switch console port, or attach a PC to the Ethernet management port.


The default data characteristics of the console port are 9600, 8, 1, no parity. You might need to press the Return key several times to see the command-line prompt.

    SUMMARY STEPS

1. enable
2. configure terminal
3. line vty 0 15
4. password password
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enters privileged EXEC mode.
Note: If a password is required for access to privileged EXEC mode, you will be prompted for it.
Example:
Switch> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Switch# configure terminal

Step 3: line vty 0 15
Purpose: Configures the number of Telnet sessions (lines), and enters line configuration mode. There are 16 possible sessions on a command-capable switch. The 0 and 15 mean that you are configuring all 16 possible Telnet sessions.
Example:
Switch(config)# line vty 0 15

Step 4: password password
Purpose: Sets a Telnet password for the line or lines. For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
Example:
Switch(config-line)# password abcxyz543

Step 5: end
Purpose: Returns to privileged EXEC mode.
Example:
Switch(config-line)# end


Step 6: show running-config
Purpose: Verifies your entries.
Example:
Switch# show running-config

Step 7: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config startup-config

    Related Topics

Preventing Unauthorized Access, on page 13
Terminal Line Telnet Configuration, on page 19

    Example: Setting a Telnet Password for a Terminal Line, on page 34

Configuring Username and Password Pairs

Follow these steps to configure username and password pairs:

    SUMMARY STEPS

1. enable
2. configure terminal
3. username name [privilege level] {password encryption-type password}
4. Use one of the following:
   line console 0
   line vty 0 15
5. login local
6. end
7. show running-config
8. copy running-config startup-config


DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable

Step 2: configure terminal
Purpose: Enters global configuration mode.
Example:
Switch# configure terminal

Step 3: username name [privilege level] {password encryption-type password}
Purpose: Sets the username, privilege level, and password for each user.
For name, specify the user ID as one word or the MAC address. Spaces and quotation marks are not allowed. You can configure a maximum of 12000 clients each, for both username and MAC filter.
(Optional) For level, specify the privilege level the user has after gaining access. The range is 0 to 15. Level 15 gives privileged EXEC mode access. Level 1 gives user EXEC mode access.
For encryption-type, enter 0 to specify that an unencrypted password will follow. Enter 7 to specify that a hidden (type 7) password will follow. Type 7 is a reversible encoding, not a hash; where you need the stored credential to be unrecoverable from the configuration, use the username name secret form, which stores a one-way hash like enable secret does.
For password, specify the password the user must enter to gain access to the switch. The password must be from 1 to 25 characters, can contain embedded spaces, and must be the last option specified in the username command.
Example:
Switch(config)# username adamsample privilege 1 password secret456
Switch(config)# username 111111111111 mac attribute

Step 4: Use one of the following:
line console 0
line vty 0 15
Purpose: Enters line configuration mode, and configures the console port (line 0) or the VTY lines (line 0 to 15).

