Configuring Auto Security
This chapter describes how to configure auto security on the Catalyst 4006 switch with Supervisor Engine III.
It consists of these sections:
Note For complete syntax and usage information for the switch commands used in this chapter, see the Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location:
http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html
If a command is not in the Catalyst 4500 Series Switch Command Reference, you can locate it in the Cisco IOS library. See related publications at this location:
http://www.cisco.com/en/US/products/ps6350/index.html
About Auto Security
Prior to Release IOS XE 3.6.0E and IOS 15.2(2)E, the Catalyst 4500 series switch offered IPv4 baseline security features (like Port Security), which must be enabled globally and on per port basis. Moreover, the baseline security feature CLIs for uplink ports differ from those for downlink CLIs.
Beginning with Release IOS XE 3.6.0E and IOS 15.2(2)E, the Catalyst 4500 series switch supports Auto Security (AS), which provides a single line CLI, to enable base line security features.
AS supports the IPv4 baseline security features: DHCP Snooping, Dynamic ARP Inspection, and Port Security.
Feature Interaction
Auto security interacts with Port Security, DHCP snooping, DAI modules.
DHCP Snooping
Auto Security (AS) enables DHCP Snooping globally (with the ip dhcp snooping command) and also on VLANs 2-1005 (with the ip dhcp snooping vlan vlanid command).
AS configures trunk or DHCP server-facing port(s) as trusted (with the ip dhcp-snooping trust command).
Dynamic ARP Inspection
AS enables this feature globally on all VLANs present on the switch (with the ip arp inspection vlan vlanid) command.
AS configures the trunk port as trusted (with the ip arp inspection trust command).
Port Security
AS enables this feature on all the switch’s access ports (with the switchport port-security command).]
Configuring Auto Security
Enabling auto security globally
To enable auto security globally, perform this task:
|
|
|
Step 1 |
Switch#
configure terminal
|
Enters global configuration mode. |
Step 2 |
Switch(config)#
auto security
|
Enables auto security globally. |
Step 3 |
|
Returns to privileged EXEC mode. |
Step 4 |
Switch#
show running-config | i security
|
(Optional) Saves your entries in the configuration file. |
This example shows how to enable auto security globally:
Switch(config)# auto security
Switch# show running-config | i security
Relevant baseline security feature CLI as shown in the output of the show auto security command is applied on or removed from access and trunk ports.
Disabling auto security globally
To disable auto security globally, perform this task:
|
|
|
Step 1 |
Switch#
configure terminal
|
Enters global configuration mode. |
Step 2 |
Switch(config)#
no auto security
|
Dis-enables auto security globally. |
Step 3 |
|
Returns to privileged EXEC mode. |
Step 4 |
Switch#
show running-config | isecurity
|
(Optional) Saves your entries in the configuration file. |
This example show how to dis-enable auto security globally:
Switch(config)# no auto security
Switch# show auto security
Auto Security is Disabled globally
AutoSecure is Enabled on below interface(s):
--------------------------------------------
Enabling Auto Security Feature for Access (End Hosts) or Trunk (Uplink) Ports
Use the auto security-port [host | uplink] command, to enable auto security for access (end hosts) and uplink ports:
|
|
|
Step 1 |
Switch#
configure terminal
|
Enters global configuration mode. |
Step 2 |
Switch(config)#
interface interface
|
Enters interface mode |
Step 3 |
Switch(config-if)#
auto security-port [host | uplink]
|
Enables auto security on host or uplink ports. |
Step 4 |
|
Returns to privileged EXEC mode. |
Step 5 |
Switch#
show auto security
|
Displays the status of auto security. |
This example displays how to enable auto security for an uplink port:
This example shows how to configure a port as auto security-port uplink.
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# int g1/0/15
Switch(config-if)# switchport mode trunk
Switch(config-if)# auto security-port uplink
Use the show auto security and show running-config commands confirm the prior configuration.
Switch# show auto security
Auto Security is Enabled globally
AutoSecure is Enabled on below interface(s):
--------------------------------------------
Switch# show running-config int g1/0/15
Building configuration...
Current configuration : 127 bytes
interface GigabitEthernet1/0/15
switchport trunk encapsulation dot1q
auto security-port uplink
This example shows how to configure a port as an auto-security port host.
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# int g1/0/18
Switch(config-if)# switchport mode access
Switch(config-if)# auto security-port host
Use the auto security and show running-config commands to confirm the prior configuration.
Switch# show auto security
Auto Security is Enabled globally
AutoSecure is Enabled on below interface(s):
--------------------------------------------
Switch# show run int g1/0/18
Building configuration...
Current configuration : 165 bytes
interface GigabitEthernet1/0/18
switchport access vlan 20
Disabling Auto Security Feature for Access (End Hosts) or Uplink Ports
Use the no auto security-port command to disable auto security on a port:
|
|
|
Step 1 |
Switch#
configure terminal
|
Enters global configuration mode. |
Step 2 |
Switch(config)#
interface interface
|
Enters interface mode |
Step 3 |
Switch(config-if)#
no auto security-port
|
Disables auto security on a port. |
Step 4 |
|
Exits to EXEC mode. |
Step 5 |
Switch(config)# do show run int interface
|
Verifies auto security-port being disabled. |
Step 6 |
|
Returns to privileged EXEC mode. |
This example shows how to disable auto security:
Switch# show run int g1/0/15
Building configuration...
Current configuration : 137 bytes
interface GigabitEthernet1/0/15
switchport trunk encapsulation dot1q
auto security-port uplink
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)# int g1/0/15
Switch(config-if)# no auto security-port
Switch# show run int g1/0/15
Building configuration...
Current configuration : 110 bytes
interface GigabitEthernet1/0/15
switchport trunk encapsulation dot1q
show command
Use the show auto security command, verify the status of auto-security on the interface and global level.
Use the show auto security [configuration] command, to view the CLIs that are applied with AS.
This example shows the output of the show auto security command when AS is enabled:
Switch# show auto security
Auto Security is Enabled globally
AutoSecurity is Enabled on below interface(s):
--------------------------------------------
This example shows the output of the show auto security configuration command when AS is enabled:
Switch# show auto security configuration
%AutoSecurity provides a single CLI config 'auto security'
to enable Base-line security Features like
DHCP snooping, ARP inspection and Port-Security
Auto Security CLIs applied globally:
-----------------------------------
ip dhcp snooping vlan 2-1005
no ip dhcp snooping information option
ip arp inspection vlan 2-1005
ip arp inspection validate src-mac dst-mac ip
Auto Security CLIs applied on Access Port:
------------------------------------------
switchport port-security maximum 2
switchport port-security maximum vlan access 1
switchport port-security maximum vlan voice 1
switchport port-security violation restrict
switchport port-security aging time 2
switchport port-security aging type inactivity
ip arp inspection limit rate 100
ip dhcp snooping limit rate 100
Auto Security CLIs applied on Trunk Port:
-----------------------------------------
switchport port-security maximum 100
switchport port-security violation restrict
Sample Output when Auto Security is Enabled
This example shows the output of the show auto security command when AS is enabled:
Switch# show auto security
Auto Security is Enabled globally
AutoSecure is Enabled on below interface(s):
--------------------------------------------
Sample Output when Auto Security is Disabled
This example shows the output of the show auto security command when AS is disabled:
Switch# show auto security
Auto Security is Disabled globally
AutoSecure is Enabled on below interface(s):
--------------------------------------------
Guidelines and Restrictions
- The auto security command has no parameters.
- Base line security CLIs (like port security) are not individually nvgen’d on interfaces that have auto security-port configured. This allows you to maintain consistency over reboots.
- After auto security-port is enabled on a port, you cannot change the CLIs of the baseline security features (Port Security, DAI, and DHCP Snooping).
For example, if you enter the following:
interface GigabitEthernet2/0/24
The port security configuration is rejected on the auto security port:
Switch(config)# int g2/0/24
Switch(config-if)# switchport port-security maximum 4
%Command Rejected: 'auto security' enabled port
- Because you might need a different set of features on uplink ports, such as marking the port as a DHCP trusted port, you need to identify uplink and downlink ports and apply port mode specific configuration.
– Starting with Cisco IOS XE 3.6.0E (IOS 15.2.(2)E), all trunk ports are treated as uplink ports and all access port are treated as host ports.
– AS assumes that you will configure the port with data and voice VLANs.
– AS is not supported on routed or Layer 3 ports, dynamic ports, or VSL links.
- Enabling auto security should elicit system confirmation because the current baseline security configuration will be removed as the auto security configuration is applied. When auto security is globally enabled, existing configurations related to DAI, DHCP, and PSEC are removed and security violation may be triggered on the auto-security enabled port when incoming MACs exceed the limit.
When we issue auto security in global or interface config mode, any baseline security configuration on the interfaces or on the switch is removed and auto security configuration is applied. Disabling auto security does not restore the previous security configuration.