Configuring Auto Security
This chapter describes how to configure auto security on the Catalyst 4006 switch with Supervisor Engine III.
It consists of these sections:
- About Auto Security
- Configuring Auto Security
- Guidelines and Restrictions
Note For complete syntax and usage information for the switch commands used in this chapter, see the Cisco Catalyst 4500 Series Switch Command Reference and related publications at this location:
http://www.cisco.com/en/US/products/hw/switches/ps4324/index.html
If a command is not in the Catalyst 4500 Series Switch Command Reference, you can locate it in the Cisco IOS library. See related publications at this location:
http://www.cisco.com/en/US/products/ps6350/index.html
About Auto Security
Prior to Release IOS XE 3.6.0E and IOS 15.2(2)E, the Catalyst 4500 series switch offered IPv4 baseline security features (like Port Security) that had to be enabled globally and on a per-port basis. Moreover, the baseline security feature CLIs for uplink ports differ from those for downlink ports.
Beginning with Release IOS XE 3.6.0E and IOS 15.2(2)E, the Catalyst 4500 series switch supports Auto Security (AS), which provides a single-line CLI to enable the baseline security features.
AS supports the IPv4 baseline security features: DHCP Snooping, Dynamic ARP Inspection, and Port Security.
Feature Interaction
Auto security interacts with the Port Security, DHCP Snooping, and DAI modules.
DHCP Snooping
Auto Security (AS) enables DHCP Snooping globally (with the ip dhcp snooping command) and also on VLANs 2-1005 (with the ip dhcp snooping vlan vlanid command).
AS configures trunk or DHCP server-facing port(s) as trusted (with the ip dhcp-snooping trust command).
Dynamic ARP Inspection
AS enables this feature globally on all VLANs present on the switch (with the ip arp inspection vlan vlanid command).
AS configures the trunk port as trusted (with the ip arp inspection trust command).
Port Security
AS enables this feature on all the switch’s access ports (with the switchport port-security command).
Configuring Auto Security
Enabling auto security globally
To enable auto security globally, perform this task:
This example shows how to enable auto security globally:
The relevant baseline security feature CLIs, as shown in the output of the show auto security command, are applied to or removed from access and trunk ports.
Disabling auto security globally
To disable auto security globally, perform this task:
This example shows how to disable auto security globally:
Enabling Auto Security Feature for Access (End Hosts) or Trunk (Uplink) Ports
Use the auto security-port [host | uplink] command to enable auto security for access (end host) and uplink ports:
This example displays how to enable auto security for an uplink port:
This example shows how to configure a port as auto security-port uplink.
Use the show auto security and show running-config commands to confirm the prior configuration.
This example shows how to configure a port as an auto security-port host.
Disabling Auto Security Feature for Access (End Hosts) or Uplink Ports
Use the no auto security-port command to disable auto security on a port:
This example shows how to disable auto security:
show command
Use the show auto security command to verify the status of auto security at the interface and global level.
Use the show auto security [configuration] command to view the CLIs that are applied by AS.
This example shows the output of the show auto security configuration command when AS is enabled:
Sample Output when Auto Security is Enabled
This example shows the output of the show auto security command when AS is enabled:
Sample Output when Auto Security is Disabled
This example shows the output of the show auto security command when AS is disabled:
Guidelines and Restrictions
- The auto security command has no parameters.
- Baseline security CLIs (like Port Security) are not individually nvgen’d on interfaces that have auto security-port configured; they do not appear as separate lines in the running configuration. This allows you to maintain consistency over reboots.
- After auto security-port is enabled on a port, you cannot change the CLIs of the baseline security features (Port Security, DAI, and DHCP Snooping).
For example, if you enter the following:
The port security configuration is rejected on the auto security port:
- Because you might need a different set of features on uplink ports, such as marking the port as a DHCP trusted port, you need to identify uplink and downlink ports and apply port-mode-specific configuration.
– Starting with Cisco IOS XE 3.6.0E (IOS 15.2(2)E), all trunk ports are treated as uplink ports and all access ports are treated as host ports.
– AS assumes that you will configure the port with data and voice VLANs.
– AS is not supported on routed or Layer 3 ports, dynamic ports, or VSL links.
- Enabling auto security should elicit system confirmation, because the current baseline security configuration is removed as the auto security configuration is applied. When auto security is globally enabled, existing configurations related to DAI, DHCP Snooping, and Port Security are removed, and a security violation may be triggered on an auto-security-enabled port when the number of incoming MAC addresses exceeds the limit.
When you issue auto security in global or interface configuration mode, any baseline security configuration on the interfaces or on the switch is removed and the auto security configuration is applied. Disabling auto security does not restore the previous security configuration.
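The Feature Interaction section and the rejected-CLI restriction above, worked as an added Python example (not Cisco code): it expands the auto security lines of a candidate running-config into the explicit baseline CLIs the chapter says AS applies, and flags hand-typed baseline CLIs on an auto security-port interface. The minimal config parser, the sample config and its interface names are constructed, and the DAI expansion assumes that "VLANs present on the switch" are the vlan N blocks in the config.

```python
import re

# Per-port commands AS applies, per the Feature Interaction section (the chapter
# hyphenates "ip dhcp-snooping trust"; IOS spells it "ip dhcp snooping trust").
UPLINK_CMDS = ["ip dhcp snooping trust", "ip arp inspection trust"]
HOST_CMDS = ["switchport port-security"]
BASELINE = ("switchport port-security", "ip arp inspection", "ip dhcp snooping")

def parse_config(text):
    """Constructed minimal parser: (global lines, {interface: [sub-commands]})."""
    glob, ifaces, cur = [], {}, None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split(None, 1)[1].strip(); ifaces[cur] = []
        elif line.startswith(" "):
            if cur is not None: ifaces[cur].append(line.strip())
        else:
            cur = None
            if line.strip() and line[0] != "!": glob.append(line.strip())
    return glob, ifaces

def expand_auto_security(text):
    """Explicit equivalent of AS: DHCP Snooping globally and on VLANs 2-1005, DAI
    on every VLAN defined in the config, trust on uplink ports, Port Security on
    host ports. 'rejected' holds hand-typed baseline CLIs the switch refuses."""
    glob, ifaces = parse_config(text)
    vlans = sorted(int(g.split()[1]) for g in glob if re.fullmatch(r"vlan \d+", g))
    out = {"global": [], "ports": {}, "rejected": {}}
    if "auto security" in glob:              # enabled globally: snooping + DAI
        out["global"] = ["ip dhcp snooping", "ip dhcp snooping vlan 2-1005"] + [
            f"ip arp inspection vlan {v}" for v in vlans]
    for name, lines in ifaces.items():
        mode = [l.split()[-1] for l in lines
                if re.fullmatch(r"auto security-port (host|uplink)", l)]
        if not mode: continue                # port not under auto security
        out["ports"][name] = list(UPLINK_CMDS if mode[0] == "uplink" else HOST_CMDS)
        bad = [l for l in lines if l.startswith(BASELINE)]
        if bad: out["rejected"][name] = bad
    return out

# Constructed candidate config (the host port also carries a hand-typed PSEC line).
SAMPLE = """\
vlan 10
auto security
interface GigabitEthernet1/1
 auto security-port uplink
interface GigabitEthernet1/2
 auto security-port host
 switchport port-security maximum 5
"""
```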