Security Configuration Guide, Cisco DCNM for LAN, Release 5.x
Using the Layer 2 Security Audit Wizard

This chapter describes how to use the Layer 2 Security Audit Wizard.

This chapter includes the following sections:

  • Information About the Security Audit Wizard

  • Licensing Requirements for the Security Audit Wizard

  • Prerequisites for the Security Audit Wizard

  • Platform Support for the Security Audit Wizard

  • Configuring Layer 2 Security Using the Security Audit Wizard

  • Field Descriptions for the Security Audit Wizard

  • Additional References for the Security Audit Wizard

  • Feature History for the Security Audit Wizard

Information About the Security Audit Wizard

The Security Audit Wizard allows you to examine the existing Layer 2 security features, such as port security, dynamic ARP inspection (DAI), DHCP snooping, IP Source Guard, and traffic storm control, configured on different devices. It also allows you to apply the configurations that are missing on the device.

Licensing Requirements for the Security Audit Wizard

The following table shows the licensing requirements for this feature:

Product        License Requirement
Cisco DCNM     The Security Audit Wizard requires a LAN Enterprise license. For a complete explanation of the Cisco DCNM licensing scheme and how to obtain and apply licenses, see the Cisco DCNM Installation and Licensing Guide, Release 5.x.
Cisco NX-OS    The Security Audit Wizard is not available in Cisco NX-OS. For a complete explanation of the Cisco NX-OS licensing scheme for your platform, see the Cisco NX-OS Licensing Guide.

Prerequisites for the Security Audit Wizard

The Security Audit Wizard has the following prerequisites:

You should be familiar with the following features before you use the Security Audit Wizard to change the security configuration:


  • Address Resolution Protocol (ARP)

  • DHCP snooping

  • Port security

  • IP Source Guard

  • Traffic storm control

You must enable the following features on the device that you want to perform the audit on:


  • DHCP snooping

  • Port security

Platform Support for the Security Audit Wizard

The following platform supports this feature. For platform-specific information, including guidelines and limitations, system defaults, and configuration limits, see the corresponding documentation.

Platform                            Documentation
Cisco Nexus 7000 Series Switches    Cisco Nexus 7000 Series Switches Documentation

Configuring Layer 2 Security Using the Security Audit Wizard

You can use the Security Audit Wizard to configure Layer 2 security features such as port security, dynamic ARP inspection, DHCP snooping, IP Source Guard, and traffic storm control.

Procedure
Step 1   From the toolbar, choose the icon.

The Layer 2 Security Audit dialog box displays the welcome message with a list of steps to be performed.

This figure shows the Security Audit dialog box.

Figure 1. Security Audit Welcome Message



Step 2   Click Next.

The Layer 2 Security Audit dialog box displays a list of available interfaces in the network that you can choose to audit.

This figure shows a list of available interfaces.

Figure 2. Layer 2 Security Audit Wizard: Select Interfaces



Step 3   From the Interfaces Available in Network area, choose the interfaces that you want to perform a security audit on and then click Add.
Step 4   (Optional) Click Save to save your selection.
Step 5   Click Next.

The Layer 2 Security Audit dialog box displays a list of available VLANs in the network that you can choose to audit.

This figure shows a list of available VLANs.

Figure 3. Layer 2 Security Audit Wizard: Select VLANs



Step 6   From the VLANs Available in Network area, choose the VLANs that you want to perform a security audit on and then click Add.
Step 7   Click Next.

The Layer 2 Security Audit dialog box displays a list of traffic storm control configuration issues that are reported during the audit.

This figure shows a list of traffic storm control configuration issues reported by the wizard.

Figure 4. Layer 2 Security Audit Wizard: List of Traffic Storm Control Configuration Issues



Step 8   Click Next.

The Layer 2 Security Audit dialog box displays a list of trust definition and IP Source Guard issues that are reported during the audit.

This figure shows a list of trust definition and IP Source Guard issues.

Figure 5. Layer 2 Security Audit Wizard: List of Trust Definition and IP Source Guard Issues



Step 9   (Optional) Click Fix all to fix all the reported issues.
Step 10   Click Next.

The Layer 2 Security Audit dialog box displays a list of port security issues that are reported during the audit.

This figure shows a list of port security issues.

Figure 6. Layer 2 Security Audit Wizard: List of Port Security Issues



Step 11   (Optional) Click Fix all to fix all the issues that are reported.
Step 12   Click Next.

The Layer 2 Security Audit dialog box displays a list of DHCP snooping and DAI issues that are reported during the audit.

This figure shows a list of DHCP snooping and DAI issues.

Figure 7. Layer 2 Security Audit Wizard: List of DHCP Snooping and DAI Issues



Step 13   (Optional) Click Fix all to fix all the issues that are reported.
Step 14   Click Next.

The Layer 2 Security Audit dialog box displays the summary of the configurations to be applied on the device.

This figure shows a summary of the configurations.

Figure 8. Layer 2 Security Audit Wizard: Configuration Summary



Step 15   Click Finish to apply all the configuration settings to the device.
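The four audit pages above (traffic storm control, trust definitions and IP Source Guard, port security, DHCP snooping and DAI) and the Fix all / summary steps can be modelled in a few dozen lines. The following Python is an added example written for this page; it is not DCNM code and does not talk to a device. It audits a constructed in-memory inventory of interfaces and VLANs using the fields from the tables in this chapter, and the remediation policy it applies (a 10 percent storm control level, trunk ports treated as trusted uplinks, access ports untrusted with IP Source Guard and sticky port security) is an assumption made for the example, not a DCNM default.

```python
"""Model of the checks the Layer 2 Security Audit Wizard walks through.
Added illustration, not DCNM's own code: audits an in-memory view of
interface and VLAN settings and applies a "Fix all"-style remediation.
"""
import copy
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed policy (not from DCNM): storm control level in percent of bandwidth,
# trunk ports treated as trusted uplinks, access ports untrusted and guarded.
ASSUMED_STORM_LEVEL = 10
VALID_VIOLATION_ACTIONS = ("protect", "restrict", "shutdown")  # per Table 5


@dataclass
class Interface:
    name: str
    port_type: str                      # "Access" or "Trunk"
    unicast: Optional[int] = None       # storm control level; None = unset
    multicast: Optional[int] = None
    broadcast: Optional[int] = None
    dhcp_trust: bool = False
    arp_trust: bool = False
    ip_source_guard: bool = False
    port_security: bool = False
    sticky: bool = False
    violation_action: str = "shutdown"  # default violation action per Table 5
    port_security_capable: bool = True


@dataclass
class Vlan:
    vlan_id: int
    name: str
    dhcp_snooping: bool = False         # unchecked by default per Table 6
    dai: bool = False


@dataclass
class Issue:
    category: str            # which wizard page would list it
    target: str              # interface name or VLAN ID
    message: str
    fix: Dict[str, object]   # attribute changes that "Fix all" would apply


def audit(interfaces: List[Interface], vlans: List[Vlan]) -> List[Issue]:
    """Return the issues the wizard would list, page by page."""
    issues: List[Issue] = []
    trust = "Trust Definitions and IP Source Guard"
    for i in interfaces:
        # Storm control is expected for all three traffic types.
        for kind in ("unicast", "multicast", "broadcast"):
            if getattr(i, kind) is None:
                issues.append(Issue("Traffic Storm Control", i.name,
                                    f"{kind} storm control not configured",
                                    {kind: ASSUMED_STORM_LEVEL}))
        if i.port_type == "Trunk":
            if not (i.dhcp_trust and i.arp_trust):
                issues.append(Issue(trust, i.name, "uplink not trusted for DHCP and ARP",
                                    {"dhcp_trust": True, "arp_trust": True}))
            continue
        # Access ports: untrusted, guarded, and port security enabled.
        if i.dhcp_trust or i.arp_trust:
            issues.append(Issue(trust, i.name, "access port is trusted",
                                {"dhcp_trust": False, "arp_trust": False}))
        if not i.ip_source_guard:
            issues.append(Issue(trust, i.name, "IP Source Guard disabled",
                                {"ip_source_guard": True}))
        if i.port_security_capable and not i.port_security:
            issues.append(Issue("Port Security", i.name, "port security disabled",
                                {"port_security": True, "sticky": True}))
        if i.violation_action not in VALID_VIOLATION_ACTIONS:
            issues.append(Issue("Port Security", i.name,
                                f"invalid violation action {i.violation_action!r}",
                                {"violation_action": "shutdown"}))
    # DAI and IP Source Guard validate against the DHCP snooping binding
    # table, so a VLAN missing either setting is reported on the last page.
    for v in vlans:
        fix = {k: True for k in ("dhcp_snooping", "dai") if not getattr(v, k)}
        if fix:
            issues.append(Issue("DHCP Snooping and DAI", str(v.vlan_id),
                                "missing " + " and ".join(fix), fix))
    return issues


def fix_all(issues: List[Issue], interfaces: List[Interface],
            vlans: List[Vlan]) -> Dict[str, Dict[str, object]]:
    """Apply every fix in place; return the configuration summary per target."""
    by_name = {i.name: i for i in interfaces}
    by_id = {str(v.vlan_id): v for v in vlans}
    summary: Dict[str, Dict[str, object]] = {}
    for issue in issues:
        is_vlan = issue.category == "DHCP Snooping and DAI"
        obj = by_id[issue.target] if is_vlan else by_name[issue.target]
        for attr, value in issue.fix.items():
            setattr(obj, attr, value)
        summary.setdefault(issue.target, {}).update(issue.fix)
    return summary


# Constructed sample inventory (not real device data).
SAMPLE_INTERFACES = [
    Interface("Ethernet1/1", "Trunk", 10, 10, 10, dhcp_trust=True, arp_trust=True),
    Interface("Ethernet1/2", "Access", 10, 10, None),
    Interface("Ethernet1/3", "Access", 10, 10, 10, dhcp_trust=True,
              ip_source_guard=True, port_security=True, violation_action="restrict"),
]
SAMPLE_VLANS = [Vlan(10, "users"), Vlan(20, "servers", dhcp_snooping=True, dai=True)]


def run_sample():
    """Audit, fix and re-audit a copy of the sample; returns (before, summary, after)."""
    intfs, vlans = copy.deepcopy(SAMPLE_INTERFACES), copy.deepcopy(SAMPLE_VLANS)
    before = audit(intfs, vlans)
    summary = fix_all(before, intfs, vlans)
    return before, summary, audit(intfs, vlans)


if __name__ == "__main__":
    before, summary, after = run_sample()
    for issue in before:
        print(f"[{issue.category}] {issue.target}: {issue.message}")
    print("to apply:", summary, "| remaining issues:", len(after))
```

Running the sample reports five issues (one storm control gap, two trust/IP Source Guard findings, one port security finding, one VLAN missing both DHCP snooping and DAI), prints the per-target summary that corresponds to the wizard's Configuration Summary page, and shows that a second audit after Fix all is clean. The ordering of the checks matters in practice: DAI and IP Source Guard depend on the DHCP snooping binding table, so enabling them on a VLAN where snooping is still off leaves hosts without a binding unable to pass traffic.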

Field Descriptions for the Security Audit Wizard

This section describes the fields for the Security Audit Wizard:

Security Audit Wizard: Select Interfaces

Table 1  Security Audit Wizard: Select Interfaces

Field          Description
Interface      Interface ID.
Description    Interface description.
Type           Type of interface.

Security Audit Wizard: Select VLANs

Table 2  Security Audit Wizard: Select VLANs

Field        Description
VLAN ID      VLAN ID.
VLAN Name    Name of the VLAN.

Security Audit Wizard: Apply Traffic Storm Control Configurations

Table 3  Security Audit Wizard: Apply Traffic Storm Control Configurations

Field        Description
Interface    Interface ID.
Unicast      Value assigned for unicast traffic control.
Multicast    Value assigned for multicast traffic control.
Broadcast    Value assigned for broadcast traffic control.

Security Audit Wizard: Apply Trust Definitions and IP Source Guard

Table 4  Security Audit Wizard: Apply Trust Definitions and IP Source Guard

Field               Description
Interface           Interface ID.
DHCP Trust State    Trust state of the interface. Trusted interfaces are configured to receive traffic from within the network. This field indicates whether DHCP Trust State is enabled.
ARP Trust State     Trust state of the interface. Trusted interfaces are configured to receive traffic from within the network. This field indicates whether ARP Trust State is enabled.
IP Source Guard     Whether IP Source Guard is enabled.

Security Audit Wizard: Port Security

Table 5  Security Audit Wizard: Port Security

Field                                Description
Interface                            Interface ID.
Port Type                            Whether the interface type is Access or Trunk.
Port Security                        Global port type for the device.
Maximum Number of Secure Addresses   Maximum number of addresses that can be bound to a port.
Stickiness                           Whether stickiness is enabled for the host address.
Violation Action                     Violation action configured on the port security-enabled interface. Valid values are protect, restrict, and shutdown. The default violation action is shutdown.
Port Security Capable                Whether the port can be configured for port security.

Security Audit Wizard: DHCP Snooping and DAI

Table 6  Security Audit Wizard: DHCP Snooping and DAI

Field            Description
VLAN ID          VLAN ID.
VLAN Name        Name of the VLAN.
DHCP Snooping    Whether DHCP snooping is enabled for the VLAN. By default, this checkbox is unchecked.
DAI              Whether DAI is enabled for the VLAN. By default, this checkbox is unchecked.

Additional References for the Security Audit Wizard

This section includes additional information related to using the Security Audit Wizard.

Related Documents

Related Topic            Document Title
Cisco NX-OS Licensing    Cisco NX-OS Licensing Guide
Cisco DCNM Licensing     Cisco DCNM Installation and Licensing Guide, Release 5.x

Feature History for the Security Audit Wizard

This table lists the release history for this feature.


Table 7 Feature History for the Security Audit Wizard

Feature Name             Releases    Feature Information
Security Audit Wizard    5.2(1)      No change from Release 5.1.
Security Audit Wizard    5.1(1)      No change from Release 5.0.
Security Audit Wizard    5.0(2)      No change from Release 4.2.
Security Audit Wizard    4.0(1)      This feature was introduced.