Configure Security for Cisco Catalyst Switch with Cisco Network Assistant
Introduction
This document explains how to configure security settings for a Cisco
Catalyst switch with Cisco Network Assistant (CNA). This procedure applies to
the Catalyst 2900XL, 2940, 2950, 2960, 2970, 3500XL, 3550, 3560, and 3750
model switches.
Requirements
To perform the steps described in this document, you need to have these
items:
In addition, you must:
Configure Security for Cisco Catalyst Switch
This document explains how to configure security settings for a Cisco
Catalyst Switch.
Connect the PC to the Switch
Follow these steps to connect the PC to the Cisco Catalyst switch:
- Connect a straight-through Ethernet cable from the PC to an available
port on the Cisco Catalyst switch.
- Ensure that your PC has an IP address on the same subnet as the switch IP
address. For example, if the IP address of the switch is 192.168.10.9,
configure the PC with an IP address between 192.168.10.10 and 192.168.10.254.
For more detailed instructions on how to configure an IP address on your PC,
refer to Configure an IP Address on Your PC.
Connect to the Switch with CNA
Follow these steps to log in to the switch with CNA:
- To launch CNA, go to Start > Programs > Cisco Network Assistant >
Cisco Network Assistant.
- When the Connect window opens, type the switch IP address in the
Connect To field, and click Connect. For the switch IP address, use the
address that you entered in field L8-L12 of the LAN Addressing Worksheet.
- In the Authentication window, enter the administrative user name and
password that you entered in fields B10 and B11 of your Internet Worksheet
respectively. Click OK.
Note: If you are unable to connect to the switch with CNA, see
Troubleshoot the Procedure for help.
Configure Security Settings using a Security Wizard
CNA allows you to configure security settings on your switch with a
security wizard.
The security wizard allows you to configure three different levels of
security:
- Restrict Access to a Server
- Restrict Access to a Network
- Restrict Applications
Note: The instructions in the wizard demonstrate how to set up security
measures with the help of Access Control List (ACL) rules. To use this wizard,
you need to know how the network is designed and you must be able to identify
the devices, servers, and networks to which the security restrictions
apply.
Restrict Access to a Server
Follow these steps to restrict unauthorized users from accessing a
specific server using the security wizard:
- On the Features tab, click Configure > Security > Security Wizard.
- On the Security Wizard window, click Next.
- On the Security Wizard: Select Option window, select Restrict Access to
a Server and click Next.
- On the Security Wizard: Device Selector window, select the Hostname of
the switch from the drop-down menu and click Next.
- On the Security Wizard: Specify Interface and Servers IP Addresses
window, enter the server IP addresses and the interface(s) to which the
server is connected:
  - From the Interface list, select an interface to which the server is
connected.
  - In the Servers IP Addresses field, enter the IP addresses of the
servers to which you want to restrict access from unauthorized users. To
specify multiple IP addresses, press Enter after you have entered an IP
address and the Wizard adds a new row.
  - If you want to remove an IP address, select it from the Servers IP
Addresses list and click Delete.
Note: EtherChannel ports do not appear in the interface drop-down menu
list.
Click Next.
- On the Security Wizard: Select Interfaces window, select one or more
interfaces from the Available Interfaces list on which you want to block
server access. Then click the Add button. The interfaces that you select
move to the Selected Interfaces list on the right. Click Next. If you do
not want to apply restrictions to an interface that is listed in the
Selected Interfaces list, select it and click Remove.
Note: In this step, you have configured the switch to restrict any user
from accessing the server specified in step 5 on the selected interface(s).
If you want to deny access to the server only from a specific source IP
address of a host or network, proceed to step 7; otherwise go to step 8.
- On the Security Wizard: Specify IP Addresses window, in the Source IP
Address field, enter the IP address that you want to use, with a subnet
mask, for the host or network for which you want to restrict server access.
From the Source Subnet Mask list, select a subnet mask to be used with the
source IP address. Click Next.
For example, if you want to restrict Guest VLAN users from accessing any
of your servers, use the IP address of the Guest VLAN that you entered in
field L6D of the Guest VLAN Addressing Worksheet.
Note: You must enter a value in either the Selected Interfaces list of the
previous step or in the IP Addresses table in this step; both are not
allowed to be empty.
- In the Warning: Security Wizard window, click OK.
- On the Security Wizard: Summary of Configuration screen, click Next.
- On the Security Wizard: Save Existing Configuration screen, make sure
you select the checkbox and then click the Finish button.
- In the Info: Security Wizard window, click OK.
Restrict Access to a Network
Follow these steps to restrict network access using the security wizard:
- On the Features tab, click Configure > Security > Security Wizard.
- On the Security Wizard window, click Next.
- On the Security Wizard: Select Option window, select Restrict Access to
a Network and click Next.
- On the Security Wizard: Device Selector window, select the Hostname of
the switch from the drop-down menu and click Next.
- On the Security Wizard: Select Interfaces window, select one or more
interfaces from the Available Interfaces list on which you want to restrict
network access. Then click the Add button. The interfaces that you select
move to the Selected Interfaces list on the right. Click Next. If you do
not want to apply restrictions to an interface that is listed in the
Selected Interfaces list, select it and click Remove.
Note: The ACLs that are created apply to these interfaces to restrict
access to the network that you specify in the next step.
- On the Security Wizard: Specify Network window, enter these values:
  - In the IP Address field, enter the IP address of the network, with a
subnet mask, to which you want to apply access restrictions. For example,
if you want to restrict Guest VLAN users from accessing servers in the
Server VLAN, use the IP address of the Secure Server VLAN that you entered
in field L6C of the Secure Server VLAN Addressing Worksheet.
  - In the Subnet Mask list, select the subnet mask that is associated
with the network IP address.
- On the Security Wizard: Specify Network window, enter these values:
  - In the Source IP Address field, enter the IP address that you want to
use, with a subnet mask, for the host or network for which you want to
restrict network access. For example, if you want to restrict network
access for Guest VLAN users, use the IP address of the Guest VLAN that you
entered in field L6D of the Guest VLAN Addressing Worksheet.
  - From the Source Subnet Mask list, select a subnet mask to be used with
the source IP address. If the device you selected is a Catalyst 2950
switch, you must use the source subnet mask that you selected for the
first row in any subsequent rows.
Note: After you enter a valid IP address in the Source IP Address field
and select a subnet mask, the Wizard adds another row to this table. Do not
press Enter at that point. Instead, select a subnet mask, enter an IP
address, and then press Enter. You can then add more IP addresses as
needed.
- In the Warning: Security Wizard window, click OK.
- On the Security Wizard: Summary of Configuration screen, click Next.
- On the Security Wizard: Save Existing Configuration screen, make sure
you select the checkbox and then click the Finish button.
- In the Info: Security Wizard window, click OK.
Restrict Applications
Follow these steps to restrict or block applications in your network
using the security wizard:
- On the Features tab, click Configure > Security > Security Wizard.
- On the Security Wizard window, click Next.
- On the Security Wizard: Select Option window, select Restrict
Applications and click Next.
- On the Security Wizard: Specify Applications window, select the
applications that you want to block from the Available Applications list.
Then click Add. The applications that you select move to the Selected
Applications list.
Note: To define a new entry in the Available Applications list, click the
Define New button and enter the name and port number of the application
you want to block.
- On the Security Wizard: Device Selector window, select the Hostname of
the switch from the drop-down menu and click Next.
- On the Security Wizard: Select Interfaces window, select one or more
interfaces from the Available Interfaces list on which you want to block
the applications that you selected in the previous step. Then click Add.
The interfaces that you select move to the Selected Interfaces list.
Click Next.
Note: If you do not want to apply restrictions to an interface that is
listed in the Selected Interfaces list, select it and click Remove.
- In the Warning: Security Wizard window, click OK.
- On the Security Wizard: Summary of Configuration screen, click Next.
- On the Security Wizard: Save Existing Configuration screen, make sure
you select the checkbox and then click the Finish button.
- In the Info: Security Wizard window, click OK.
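The three wizard options above (Restrict Access to a Server, Restrict Access to a Network, Restrict Applications) all come down to ACL rules applied to the selected interfaces. The following Python model is an added example and is not code from the Cisco document or from CNA: it builds the kind of deny rules each option describes, renders them in IOS extended-ACL syntax, and evaluates sample traffic against the result so you can check a policy before you apply it. The ACL name, the VLAN addresses, the server address and the application port are constructed for illustration, and the explicit final permit is an assumption about what the wizard generates (the document does not show the ACL it produces).

```python
"""Added example (not part of the Cisco document): a model of the
ACL-style rules that the three Security Wizard options produce, so that
the resulting policy can be checked against sample traffic. The ACL name,
addresses and port numbers below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "deny" or "permit"
    src: ipaddress.IPv4Network      # source host or network (ANY = 0.0.0.0/0)
    dst: ipaddress.IPv4Network      # destination host or network
    dst_port: Optional[int] = None  # TCP destination port; None = any IP traffic

    def matches(self, src_ip: str, dst_ip: str, dst_port: Optional[int]) -> bool:
        return (ipaddress.IPv4Address(src_ip) in self.src
                and ipaddress.IPv4Address(dst_ip) in self.dst
                and (self.dst_port is None or self.dst_port == dst_port))

    def to_ios(self) -> str:
        # IOS extended ACL syntax: "any", "host a.b.c.d", or network plus
        # wildcard mask (the inverse of the subnet mask the wizard asks for).
        def addr(net: ipaddress.IPv4Network) -> str:
            if net.prefixlen == 0:
                return "any"
            if net.prefixlen == 32:
                return f"host {net.network_address}"
            return f"{net.network_address} {net.hostmask}"
        proto = "ip" if self.dst_port is None else "tcp"
        port = "" if self.dst_port is None else f" eq {self.dst_port}"
        return f"{self.action} {proto} {addr(self.src)} {addr(self.dst)}{port}"


def restrict_server(servers: List[str], source: str = "0.0.0.0/0") -> List[AclEntry]:
    """Restrict Access to a Server: deny `source` (default: everyone) to each server."""
    src = ipaddress.IPv4Network(source, strict=False)
    return [AclEntry("deny", src, ipaddress.IPv4Network(s + "/32")) for s in servers]


def restrict_network(network: str, source: str) -> List[AclEntry]:
    """Restrict Access to a Network: deny `source` to a whole destination network."""
    return [AclEntry("deny", ipaddress.IPv4Network(source, strict=False),
                     ipaddress.IPv4Network(network, strict=False))]


def restrict_applications(ports: List[int]) -> List[AclEntry]:
    """Restrict Applications: deny an application by its TCP port for all hosts."""
    return [AclEntry("deny", ANY, ANY, p) for p in ports]


def build_acl(*rule_sets: List[AclEntry]) -> List[AclEntry]:
    """Join the deny rules and end with an explicit permit. An IOS ACL ends
    with an implicit deny-all, so without a final permit every other flow on
    the interface is dropped (assumption: the wizard appends such a permit;
    the document does not show the ACL it generates)."""
    acl = [entry for rules in rule_sets for entry in rules]
    acl.append(AclEntry("permit", ANY, ANY))
    return acl


def evaluate(acl: List[AclEntry], src_ip: str, dst_ip: str,
             dst_port: Optional[int] = None) -> str:
    """First-match evaluation, as IOS does; implicit deny if nothing matches."""
    for entry in acl:
        if entry.matches(src_ip, dst_ip, dst_port):
            return entry.action
    return "deny"


def to_ios(acl: List[AclEntry], name: str, interface: str) -> List[str]:
    """Render the ACL as IOS configuration lines bound inbound on the interface."""
    lines = [f"ip access-list extended {name}"]
    lines += [" " + entry.to_ios() for entry in acl]
    lines += [f"interface {interface}", f" ip access-group {name} in"]
    return lines


# Constructed scenario: guest VLAN 192.168.30.0/24 must not reach the server
# 192.168.20.10 nor any host in the server VLAN 192.168.20.0/24, and Telnet
# (TCP 23) is blocked for everyone entering on the guest-facing port.
GUEST_ACL = build_acl(
    restrict_server(["192.168.20.10"], source="192.168.30.0/24"),
    restrict_network("192.168.20.0/24", source="192.168.30.0/24"),
    restrict_applications([23]),
)

if __name__ == "__main__":
    print("\n".join(to_ios(GUEST_ACL, "GUEST-RESTRICT", "FastEthernet0/6")))
    print(evaluate(GUEST_ACL, "192.168.30.5", "192.168.20.10", 80))  # deny
    print(evaluate(GUEST_ACL, "192.168.30.5", "192.168.40.7", 80))   # permit
    print(evaluate(GUEST_ACL, "10.1.1.1", "192.168.40.7", 23))       # deny
```

Two points the model makes visible that the wizard screens do not: the order of the rules matters because the first match wins, and the restriction only takes effect on the interfaces it is bound to, which is why the Select Interfaces step and the Source IP Address step cannot both be left empty.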
Configure Port Security
You can use the port security feature to restrict input to an interface
by limiting and identifying the MAC addresses of the stations allowed to
access the port. You can also secure a port so that a user-specified action
occurs whenever an address-security violation occurs. If a security
violation occurs, you can configure the port to go into either shutdown
mode or restrictive mode.
Follow these steps to configure Port Security:
- On the Features tab, click Configure > Security > Port Security.
- On the Port Security window, select the device from the Hostname
drop-down menu and then click the Security Configuration tab. The window
shows the list of eligible ports and whether port security is enabled on
each. To enable port security on a particular switch port, click the
Security Status field for the respective port and select Enabled from the
drop-down list.
For example, to enable security on port Fa0/6, click the Security Status
field for Fa0/6 and select Enabled from the drop-down list.
- To enable sticky behavior on the switch port, click the Sticky Behavior
field for the respective port and select Enabled from the drop-down list.
For example, to enable sticky behavior on port Fa0/6, click the Sticky
Behavior field for Fa0/6 and select Enabled from the drop-down list.
Sticky behavior: Sticky behavior shows whether a sticky MAC address is
enabled or not. A sticky MAC address is a secure MAC address, either dynamic
or static, that can be saved in the configuration file. If saved, it still
exists when the switch reloads. The port sticky-learns the source address of
the incoming packets and automatically assigns them as secure addresses.
This continues until the table contains the maximum number of secure
addresses allowed for the port. If a secure address is deleted from the
address table, the port begins sticky learning again. See also Secure
address.
- The Maximum Address Count field, by default, displays the maximum number
of secure addresses that can be associated with this port. Change the
setting by clicking in the cell and entering a new value in the range
1-5120. By default the value is 1, which means that one station has the
full bandwidth of the port.
- The Violation Action field by default shows that the switch port is in
Shutdown mode. You can configure the port to one of these settings:
  - Shutdown. After a security violation, the port is immediately shut
down.
  - Restrict. After a security violation, a trap is sent to the network
management station.
  - Protect. When the number of secure addresses reaches the maximum
allowed on the port, all packets with unknown addresses are dropped.
Click inside the cell to change the setting and choose Shutdown, Restrict,
or Protect.
- Click Apply.
- On the Port Security window, click the Secure Address tab.
Secure address: A secure address is a manually entered unicast address
that does not age and is retained when the switch reloads. There is only
one destination port for a secure address, but more than one secure
address can be associated with the port. The switch does not forward
packets to a secure port if the destination address is not a secure
address associated with the port. The number of devices on a secured port
can range from 1 to 132. You can assign the addresses for the devices on
the port, or the switch can sticky-learn them. Sticky learning occurs when
the address table for a secured port does not contain a full complement
of secure addresses. See also Sticky behavior.
- Click Create.
- In the Create Secure Address window, enter this information:
  - In the Address field, enter the MAC address in the format
hhhh.hhhh.hhhh. Use hexadecimal numbers.
  - In the Address Type field, select either Static or Sticky from the
drop-down list. If you select Static, you return the port to the default
setting of not secure. If you select Sticky, you enable sticky learning on
the interface.
  - In the Port list, select the interface that you want to make secure.
  - In the VLAN ID field, enter a VLAN ID if the selected interface is a
trunk port.
Note: This field is available only if the Cisco IOS image running on the
device permits a VLAN assignment.
Click OK.
- Click Apply.
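The settings in the Port Security window (Maximum Address Count, Sticky Behavior, Violation Action and the secure addresses) interact in ways that are easier to see in a model than in the dialog. The following Python code is an added example and is not code from the Cisco document or from CNA: it validates the inputs the window accepts (the hhhh.hhhh.hhhh MAC format and the 1-5120 address count), simulates how a port with each violation action treats frames once its address table is full, shows which learned addresses survive a reload depending on whether sticky behavior was enabled and the configuration was saved, and renders the equivalent IOS interface configuration. The port name and MAC addresses are constructed for illustration.

```python
"""Added example (not part of the Cisco document): a model of the port
security settings described above (maximum address count, sticky
learning, and the Shutdown / Restrict / Protect violation actions),
plus the IOS configuration lines those settings correspond to. Port
names and MAC addresses are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import List, Set

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")  # hhhh.hhhh.hhhh
VIOLATION_ACTIONS = ("shutdown", "restrict", "protect")


def valid_mac(mac: str) -> bool:
    """Accept only the dotted-hex format the Create Secure Address window expects."""
    return bool(MAC_RE.match(mac.lower()))


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                 # allowed range 1-5120; default 1
    violation: str = "shutdown"      # default Violation Action
    sticky: bool = False             # Sticky Behavior enabled?
    static: Set[str] = field(default_factory=set)   # manually entered addresses
    learned: Set[str] = field(default_factory=set)  # dynamically learned addresses
    shut_down: bool = False
    violations: int = 0
    traps: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.maximum <= 5120:
            raise ValueError("Maximum Address Count must be in the range 1-5120")
        if self.violation not in VIOLATION_ACTIONS:
            raise ValueError(f"Violation Action must be one of {VIOLATION_ACTIONS}")
        for mac in self.static:
            if not valid_mac(mac):
                raise ValueError(f"MAC address {mac!r} is not in hhhh.hhhh.hhhh form")

    @property
    def secure(self) -> Set[str]:
        return self.static | self.learned

    def receive(self, src_mac: str) -> bool:
        """Return True if a frame from src_mac is forwarded, False if dropped."""
        src_mac = src_mac.lower()
        if self.shut_down:
            return False                  # a shut-down port forwards nothing
        if src_mac in self.secure:
            return True
        if len(self.secure) < self.maximum:
            self.learned.add(src_mac)     # learn until the table holds `maximum`
            return True
        # Table is full and the source is unknown: an address-security violation.
        self.violations += 1
        if self.violation == "shutdown":
            self.shut_down = True         # port is shut down immediately
        elif self.violation == "restrict":
            self.traps.append(f"{self.name}: violation by {src_mac}")  # trap to NMS
        return False                      # restrict and protect both drop the frame

    def reload(self, config_saved: bool) -> None:
        """Only sticky addresses that were saved to the configuration survive a reload."""
        if not (self.sticky and config_saved):
            self.learned.clear()

    def to_ios(self) -> List[str]:
        lines = [f"interface {self.name}",
                 " switchport mode access",
                 " switchport port-security",
                 f" switchport port-security maximum {self.maximum}",
                 f" switchport port-security violation {self.violation}"]
        lines += [f" switchport port-security mac-address {m}" for m in sorted(self.static)]
        if self.sticky:
            lines.append(" switchport port-security mac-address sticky")
            lines += [f" switchport port-security mac-address sticky {m}"
                      for m in sorted(self.learned)]
        return lines


def demo(action: str) -> dict:
    """Constructed scenario: one station is learned, then a second, unknown
    station sends a frame, then the first station sends again."""
    port = SecurePort("FastEthernet0/6", maximum=1, violation=action, sticky=True)
    first = port.receive("0011.2233.4455")
    second = port.receive("aaaa.bbbb.cccc")
    again = port.receive("0011.2233.4455")
    return {"first": first, "second": second, "again": again,
            "shut_down": port.shut_down, "traps": len(port.traps)}


if __name__ == "__main__":
    for action in VIOLATION_ACTIONS:
        print(action, demo(action))
    print("\n".join(SecurePort("FastEthernet0/6", violation="restrict", sticky=True).to_ios()))
```

The simulation shows the practical difference between the three actions: with Shutdown the legitimate station is also cut off after the violation until the port is re-enabled, with Restrict it keeps working and the violation is reported, and with Protect it keeps working but nothing is reported. The reload method also shows why the Save Existing Configuration checkbox matters for sticky addresses.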
Next Step
You have completed this procedure.
To make other changes to your switch, refer to the Switch Support Page.
To configure other devices in your network, refer to the Configuration
Overview Page.
Troubleshoot the Procedure
This section provides information about common problems that you may
encounter. If this information does not solve your problem, contact the
SMB Technical Assistance Center (SMB TAC) for assistance.
Problem: You connected a PC directly to the switch, but you are unable to
launch CNA.
Cause(s) and Suggested Solution(s):
- Ensure that the power-on self test (POST) is completed successfully. The
SYSTEM LED must be solid green.
- After you connect the switch to the PC, you must wait for 30 seconds
before you can try to connect. Wait for 30 seconds, and then try to connect
again.
- Make sure you type the correct IP address for the switch into the CNA
Connect window.
- Ensure that you use the correct cable. You must use a straight-through
cable, not a crossover cable. Refer to Cable Descriptions for more
information.
Related Information