Security Configuration Guide, Cisco DCNM for LAN, Release 6.x
Using the Layer 2 Security Audit Wizard

This chapter describes how to use the Layer 2 Security Audit Wizard.

This chapter includes the following sections:

  • Information About the Security Audit Wizard
  • Licensing Requirements for the Security Audit Wizard
  • Prerequisites for the Security Audit Wizard
  • Platform Support for the Security Audit Wizard
  • Configuring Layer 2 Security Using the Security Audit Wizard
  • Field Descriptions for the Security Audit Wizard
  • Additional References for the Security Audit Wizard
  • Feature History for the Security Audit Wizard

Information About the Security Audit Wizard

The Security Audit Wizard allows you to examine the existing Layer 2 security features, such as port security, dynamic ARP inspection (DAI), DHCP snooping, IP Source Guard, and traffic storm control, configured on different devices. It also allows you to apply the configurations that are missing on the device.

Licensing Requirements for the Security Audit Wizard

The following table shows the licensing requirements for this feature:

Product        License Requirement
Cisco DCNM     The Security Audit Wizard requires a LAN Enterprise license. For a complete explanation of the Cisco DCNM licensing scheme and how to obtain and apply licenses, see the Cisco DCNM Installation and Licensing Guide, Release 5.x.
Cisco NX-OS    The Security Audit Wizard is not available in Cisco NX-OS. For a complete explanation of the Cisco NX-OS licensing scheme for your platform, see the Cisco NX-OS Licensing Guide.

Prerequisites for the Security Audit Wizard

The Security Audit Wizard has the following prerequisites:

You should be familiar with the following features before you use the Security Audit Wizard to change the security configuration:

  • Address Resolution Protocol (ARP)
  • DHCP snooping
  • Port security
  • IP Source Guard
  • Traffic storm control

You must enable the following features on the device that you want to perform the audit on:

  • DHCP snooping
  • Port security

Platform Support for the Security Audit Wizard

The following platform supports this feature. For platform-specific information, including guidelines and limitations, system defaults, and configuration limits, see the corresponding documentation.

Platform                             Documentation
Cisco Nexus 7000 Series Switches     Cisco Nexus 7000 Series Switches Documentation

Configuring Layer 2 Security Using the Security Audit Wizard

You can use the Security Audit Wizard to configure Layer 2 security features such as port security, dynamic ARP inspection, DHCP snooping, IP Source Guard, and traffic storm control.

Procedure
    Step 1   From the toolbar, choose the icon.

    The Layer 2 Security Audit dialog box displays the welcome message with a list of steps to be performed.

    This figure shows the Security Audit dialog box.

    Figure 1. Security Audit Welcome Message



    Step 2   Click Next.

    The Layer 2 Security Audit dialog box displays a list of available interfaces in the network that you can choose to audit.

    This figure shows a list of available interfaces.

    Figure 2. Layer 2 Security Audit Wizard: Select Interfaces



    Step 3   From the Interfaces Available in Network area, choose the interfaces that you want to perform a security audit on and then click Add.
    Step 4   (Optional) Click Save to save your selection.
    Step 5   Click Next.

    The Layer 2 Security Audit dialog box displays a list of available VLANs in the network that you can choose to audit.

    This figure shows a list of available VLANs.

    Figure 3. Layer 2 Security Audit Wizard: Select VLANs



    Step 6   From the VLANs Available in Network area, choose the VLANs that you want to perform a security audit on and then click Add.
    Step 7   Click Next.

    The Layer 2 Security Audit dialog box displays a list of traffic storm control configuration issues that are reported during the audit.

    This figure shows a list of traffic storm control configuration issues reported by the wizard.

    Figure 4. Layer 2 Security Audit Wizard: List of Traffic Storm Control Configuration Issues



    Step 8   Click Next.

    The Layer 2 Security Audit dialog box displays a list of trust definition and IP Source Guard issues that are reported during the audit.

    This figure shows a list of trust definition and IP Source Guard issues.

    Figure 5. Layer 2 Security Audit Wizard: List of Trust Definition and IP Source Guard Issues



    Step 9   (Optional) Click Fix all to fix all the reported issues.
    Step 10   Click Next.

    The Layer 2 Security Audit dialog box displays a list of port security issues that are reported during the audit.

    This figure shows a list of port security issues.

    Figure 6. Layer 2 Security Audit Wizard: List of Port Security Issues



    Step 11   (Optional) Click Fix all to fix all the issues that are reported.
    Step 12   Click Next.

    The Layer 2 Security Audit dialog box displays a list of DHCP snooping and DAI issues that are reported during the audit.

    This figure shows a list of DHCP snooping and DAI issues.

    Figure 7. Layer 2 Security Audit Wizard: List of DHCP Snooping and DAI Issues



    Step 13   (Optional) Click Fix all to fix all the issues that are reported.
    Step 14   Click Next.

    The Layer 2 Security Audit dialog box displays the summary of the configurations to be applied on the device.

    This figure shows a summary of the configurations.

    Figure 8. Layer 2 Security Audit Wizard: Configuration Summary



    Step 15   Click Finish to apply all the configuration settings to the device.

Field Descriptions for the Security Audit Wizard

This section describes the fields for the Security Audit Wizard:

Security Audit Wizard: Select Interfaces

Table 1  Security Audit Wizard: Select Interfaces

Field                                  Description
Interface                              Interface ID.
Description                            Interface description.
Type                                   Type of interface.

Security Audit Wizard: Select VLANs

Table 2  Security Audit Wizard: Select VLANs

Field                                  Description
VLAN ID                                VLAN ID.
VLAN Name                              Name of the VLAN.

Security Audit Wizard: Apply Traffic Storm Control Configurations

Table 3  Security Audit Wizard: Apply Traffic Storm Control Configurations

Field                                  Description
Interface                              Interface ID.
Unicast                                Value assigned for unicast traffic control.
Multicast                              Value assigned for multicast traffic control.
Broadcast                              Value assigned for broadcast traffic control.

Security Audit Wizard: Apply Trust Definitions and IP Source Guard

Table 4  Security Audit Wizard: Apply Trust Definitions and IP Source Guard

Field                                  Description
Interface                              Interface ID.
DHCP Trust State                       Whether the interface is trusted for DHCP. Trusted interfaces are configured to receive traffic from within the network.
ARP Trust State                        Whether the interface is trusted for ARP. Trusted interfaces are configured to receive traffic from within the network.
IP Source Guard                        Whether IP Source Guard is enabled.

Security Audit Wizard: Port Security

Table 5  Security Audit Wizard: Port Security

Field                                  Description
Interface                              Interface ID.
Port Type                              Whether the interface type is Access or Trunk.
Port Security                          Global port type for the device.
Maximum Number of Secure Addresses     Maximum number of addresses that can be bound to a port.
Stickiness                             Whether stickiness is enabled for the host address.
Violation Action                       Violation action configured on the port security-enabled interface. Valid values are protect, restrict, and shutdown. The default violation action is shutdown.
Port Security Capable                  Whether the port can be configured for port security.

Security Audit Wizard: DHCP Snooping and DAI

Table 6  Security Audit Wizard: DHCP Snooping and DAI

Field                                  Description
VLAN ID                                VLAN ID.
VLAN Name                              Name of the VLAN.
DHCP Snooping                          Whether DHCP snooping is enabled for the VLAN. By default, this checkbox is unchecked.
DAI                                    Whether DAI is enabled for the VLAN. By default, this checkbox is unchecked.
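
The checks the wizard walks through above (storm control levels, trust state and IP Source Guard per interface, port security per interface, DHCP snooping and DAI per VLAN) can be expressed as a small offline audit. The following is an added example, not code from the Cisco DCNM guide; the interface and VLAN records are constructed, and the pass/fail baseline (access ports untrusted, guarded and secured; trunks trusted; snooping and DAI on every VLAN) is an assumption rather than the wizard's documented rules.

```python
# Added example, not code from the Cisco DCNM guide: a Layer 2 security audit over a
# constructed inventory mirroring Tables 3 to 6; the pass/fail policy is an assumed
# baseline, not the wizard's documented rules.
from dataclasses import dataclass, field

@dataclass
class Interface:
    name: str
    port_type: str                 # "Access" or "Trunk" (Table 5, Port Type)
    storm_control: dict = field(default_factory=dict)  # {"unicast": level, ...}
    dhcp_trust: bool = False       # Table 4, DHCP Trust State
    arp_trust: bool = False        # Table 4, ARP Trust State
    ip_source_guard: bool = False  # Table 4, IP Source Guard
    port_security: bool = False    # Table 5, Port Security
    ps_capable: bool = True        # Table 5, Port Security Capable

@dataclass
class Vlan:
    vlan_id: int
    dhcp_snooping: bool = False    # Table 6, DHCP Snooping
    dai: bool = False              # Table 6, DAI

def audit_interface(i: Interface) -> list:
    issues = [f"{i.name}: no storm control level for {k}"
              for k in ("unicast", "multicast", "broadcast") if k not in i.storm_control]
    if i.port_type == "Access":
        # Host-facing ports: untrusted for DHCP/ARP, guarded, and secured.
        if i.dhcp_trust or i.arp_trust:
            issues.append(f"{i.name}: access port is DHCP/ARP trusted")
        if not i.ip_source_guard:
            issues.append(f"{i.name}: IP Source Guard disabled")
        if i.ps_capable and not i.port_security:
            issues.append(f"{i.name}: port security disabled")
    elif not (i.dhcp_trust and i.arp_trust):  # uplink toward the DHCP server
        issues.append(f"{i.name}: trunk not trusted for DHCP and ARP")
    return issues

def audit_vlan(v: Vlan) -> list:
    """DAI validates ARP against DHCP snooping bindings, so both must be on."""
    return [f"VLAN {v.vlan_id}: {name} disabled"
            for name, on in (("DHCP snooping", v.dhcp_snooping), ("DAI", v.dai)) if not on]

def run_audit(interfaces, vlans) -> dict:
    # Group findings per interface and VLAN as the wizard pages do; omit clean entries.
    report = {i.name: audit_interface(i) for i in interfaces}
    report.update({f"VLAN {v.vlan_id}": audit_vlan(v) for v in vlans})
    return {k: v for k, v in report.items() if v}

SAMPLE_IFS = [  # constructed sample inventory, not from any real device
    Interface("Ethernet1/1", "Trunk", {"unicast": 80, "multicast": 80, "broadcast": 50},
              dhcp_trust=True, arp_trust=True),
    Interface("Ethernet1/2", "Access", {"broadcast": 20}, port_security=True)]
SAMPLE_VLANS = [Vlan(10), Vlan(20, dhcp_snooping=True, dai=True)]
```

Running run_audit(SAMPLE_IFS, SAMPLE_VLANS) reports only Ethernet1/2 (missing unicast and multicast storm control, IP Source Guard off) and VLAN 10 (DHCP snooping and DAI off); the compliant trunk and VLAN 20 are omitted.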

Additional References for the Security Audit Wizard

This section includes additional information related to using the Security Audit Wizard.

Related Documents

Related Topic                          Document Title
Cisco NX-OS Licensing                  Cisco NX-OS Licensing Guide
Cisco DCNM Licensing                   Cisco DCNM Installation and Licensing Guide, Release 5.x

Feature History for the Security Audit Wizard

This table lists the release history for this feature.

Table 7  Feature History for the Security Audit Wizard

Feature Name              Releases    Feature Information
Security Audit Wizard     5.2(1)      No change from Release 5.1.
Security Audit Wizard     5.1(1)      No change from Release 5.0.
Security Audit Wizard     5.0(2)      No change from Release 4.2.
Security Audit Wizard     4.2(1)      No change from Release 4.1.
Security Audit Wizard     4.1(1)      No change from Release 4.0.
Security Audit Wizard     4.0(1)      This feature was introduced.