Security

This chapter contains the following sections:

TACACS+ Client

An organization can establish a Terminal Access Controller Access Control System (TACACS+) server to provide centralized security for all of its devices. In this way, authentication and authorization can be handled on a single server for all devices in the organization.

The device can act as a TACACS+ client that uses the TACACS+ server for the following services: The TACACS+ page enables configuring TACACS+ servers.

  • Authentication—Provides authentication of users logging onto the device by using usernames and user-defined passwords.

  • Authorization—Performed at login. After the authentication session is completed, an authorization session starts using the authenticated username. The TACACS+ server then checks user privileges.

  • Accounting—Enable accounting of login sessions using the TACACS+ server. This enables a system administrator to generate accounting reports from the TACACS+ server.

TACACS+ is supported only with IPv4.

To configure TACACS+ server parameters, follow these steps:

Procedure

Step 1

Click Security > TACACS+ Client.

Step 2

Enable TACACS+ Accounting if required.

Step 3

Enter the following default parameters:

Option Description
Key String Enter the default Key String used for communicating with all TACACS+ servers in Encrypted or Plaintext mode.

If you enter both a key string here and a key string for an individual TACACS+ server, the key string configured for the individual TACACS+ server takes precedence.

Timeout for Reply

Enter the amount of time that passes before the connection between the device and the TACACS+ server times out. If a value isn’t entered in the Add TACACS+ Server page for a specific server, the value is taken from this field.

Source IPv4 Interface

Select the device IPv4 source interface to be used in messages sent for communication with the TACACS+ server.

Source IPv6 Interface

Select the device IPv6 source interface to be used in messages sent for communication with the TACACS+ server.

Note 

If the Auto option is selected, the system takes the source IP address from the IP address defined on the outgoing interface.
Step 4

Click Apply. The TACACS+ default settings are added to the Running Configuration file. These are used if the equivalent parameters are not defined in the Add page.

The information for each TACACS server is displayed in the TACACS+ Server Table. The fields in this table are entered in the Add page except for the Status field. This field describes whether the server is connected or not to the device.

Step 5

To add a TACACS+ server, click Add.
Step 6

Enter the parameters.

Option Description
Server Definition Select one of the following ways to identify the TACACS+ server:

  • By IP address-If this is selected, enter the IP address of the server in the Server IP Address/Name field.

  • By name-If this is selected enter the name of the server in the Server IP Address/Name field.

IP Version

Select the supported IP version of the source address: IPv6 or IPv4.

IPv6 Address Type

Select the IPv6 address type (if IPv6 is used). The options are:

  • Link Local-The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, isn’t routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.

  • Global-The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks.

Link Local Interface

Select the link local interface (if IPv6 Address Type Link Local is selected) from the list.

Server IP Address/Name

Enter the IP address or name of the TACACS+ server.

Priority

Enter the order in which this TACACS+ server is used. Zero is the highest priority TACACS+ server and is the first server used. If it can’t establish a session with the high priority server, the device tries the next highest priority server.

Key String

Enter the default key string used for authenticating and encrypting between the device and the TACACS+ server. This key must match the key configured on the TACACS+ server.

A key string is used to encrypt communications by using MD5. You can select the default key on the device, or the key can be entered in Encrypted or Plaintext form. If you don’t have an encrypted key string (from another device), enter the key string in plaintext mode and click Apply. The encrypted key string is generated and displayed.

Timeout for Reply

Select User Defined and enter the amount of time that passes before the connection between the device and the TACACS+ server times out. Select Use Default to use the default value displayed on the page.

Authentication IP Port

Enter the port number through which the TACACS+ session occurs.

Single Connection

Select to enable receiving all information in a single connection. If the TACACS+ server doesn’t support this, the device reverts to multiple connections.

Step 7

Click Apply. The TACACS+ server is added to the Running Configuration file of the device.

Step 8

To display sensitive data in plaintext form on this page, click Display Sensitive Data As Plaintext.

RADIUS Client

Remote Authorization Dial-In User Service (RADIUS) servers provide a centralized 802.1X or MAC-based network access control. The device can be configured to be a RADIUS client that can use a RADIUS server to provide centralized security, and as a RADIUS server. An organization can use the device as establish a Remote Authorization Dial-In User Service (RADIUS) server to provide centralized 802.1X or MAC-based network access control for all of its devices. In this way, authentication and authorization can be handled on a single server for all devices in the organization.

Use RADIUS in network environments that require access security. To set the RADIUS server parameters, follow these steps:

Procedure

Step 1

Click Security > RADIUS Client.

Step 2

Enter the RADIUS Accounting option. The following options are available:

  • Port Based Access Control (802 1X, MAC Based, Web Authentication)—Specifies that the RADIUS server is used for 802.1X port accounting.

  • Management Access—Specifies that the RADIUS server is used for user login accounting.

  • Both Port Based Access Control and Management Access—Specifies that the Radius server is used for both user login accounting and 802.1X port accounting.

  • None—Specifies that the RADIUS server is not used for accounting.
Step 3

Enter the default RADIUS parameters if required. Values entered in the Default Parameters are applied to all servers. If a value is not entered for a specific server (in the Add RADIUS Server page) the device uses the values in these fields.

  • Retries—Enter the number of transmitted requests that are sent to the RADIUS server before a failure is considered to have occurred.

  • Timeout for Reply—Enter the number of seconds that the device waits for an answer from the RADIUS server before retrying the query, or switching to the next server.

  • Dead Time—Enter the number of minutes that elapse before a non-responsive RADIUS server is bypassed for service requests. If the value is 0, the server is not bypassed.

  • Key String—Enter the default key string used for authenticating and encrypting between the device and the RADIUS server. This key must match the key configured on the RADIUS server. A key string is used to encrypt communications by using MD5. The key can be entered in Encrypted or Plaintext form. If you do not have an encrypted key string (from another device), enter the key string in plaintext mode and click Apply. The encrypted key string is generated and displayed.

This overrides the default key string if one has been defined.

  • Source IPv4 Interface—Select the device IPv4 source interface to be used in messages for communication with the RADIUS server.

  • Source IPv6 Interface—Select the device IPv6 source interface to be used in messages for communication with the RADIUS server.

Note 

If the Auto option is selected, the system takes the source IP address from the IP address defined on the outgoing interface.

Step 4

Click Apply. The RADIUS default settings for the device are updated in the Running Configuration file.

Step 5

To add a RADIUS server, click Add.

Step 6

Enter the values in the fields for each RADIUS server. To use the default values entered in the RADIUS page, select Use Default.

  • Server Definition—Select whether to specify the RADIUS server by IPaddress or name.

  • IP Version—Select the version of the IP address of the RADIUS server.

  • IPv6 Address Type—Select the IPv6 address type (if IPv6 is used). The options are:

    • Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, is not routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.

    • Global—The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks.

  • Link Local Interface—Select the link local interface (if IPv6 Address Type Link Local is selected) from the list. •

  • Server IP Address/Name—Enter the RADIUS server by IPaddress or name.

  • Priority—Enter the priority of the server. The priority determines the order the device attempts to contact the servers to authenticate a user. The device starts with the highest priority RADIUS server first. Zero is the highest priority.

  • Key String—Enter the key string used for authenticating and encrypting communication between the device and the RADIUS server. This key must match the key configured on the RADIUS server. It can be entered in Encrypted or Plaintext format. If Use Default is selected, the device attempts to authenticate to the RADIUS server by using the default Key String.

  • Timeout for Reply—Select User Defined and enter the number of seconds the device waits for an answer from the RADIUS server before retrying the query, or switching to the next server if the maximum number of retries made. If Use Default is selected, the device uses the default timeout value.

  • Authentication Port—Enter the UDP port number of the RADIUS server port for authentication requests

  • Accounting Port—Enter the UDP port number of the RADIUS server port for accounting requests.

  • Retries—Select User Defined and enter the number of requests that are sent to the RADIUS server before a failure is considered to have occurred. If Use Default is selected, the device uses the default value for the number of retries.

  • Dead Time—Select User Defined and enter the number of minutes that must pass before a non-responsive RADIUS server is bypassed for service requests. If Use Default is selected, the device uses the default value for the dead time. If you enter 0 minutes, there is no dead time.

  • Usage Type—Enter the RADIUS server authentication type. The options are:

    • Login—RADIUS server is used for authenticating users that ask to administer the device.

    • 802.1x—RADIUS server is used for 802.1x authentication.

    • All—RADIUS server is used for authenticating user that ask to administer the device and for 802.1X authentication.

Step 7

Click Apply. The RADIUS server definition is added to the Running Configuration file of the device.

Step 8

To display sensitive data in plaintext form on the page, click Display Sensitive Data As Plaintext.

RADIUS Server

An organization can use the device as a Remote Authorization Dial-In User Service (RADIUS) server to provide centralized 802.1X or MAC-based network access control for all of its devices. Thus, authentication and authorization can be handled on a single server for all devices.

When the device is configured as a RADIUS client, it can use the RADIUS server for the following services:

  • Authentication-Provides authentication of regular and 802.1X users by using usernames and user-defined passwords

  • Authorization-Performed at login After the authentication session is completed, an authorization session starts using the authenticated username. The RADIUS server then checks user privileges.

Accounting-Enable accounting of login sessions using the RADIUS server. This enables a system administrator to generate accounting reports from the RADIUS server. The user-configurable, TCP port used for RADIUS server accounting is the same TCP port that is used for RADIUS server authentication and authorization.

RADIUS Server Global Settings

The device can be configured as a RADIUS server. To set the RADIUS server global parameters, follow these steps:

Procedure

Step 1

Click Security > RADIUS Server > RADIUS Server Global Settings.

Step 2

Enter the following parameters:

  • RADIUS Server Status—Check to enable the RADIUS server feature status.

  • Authentication Port—Enter the UDP port number of the RADIUS server port for authentication requests.

  • Accounting Port—Enter the UDP port number of the RADIUS server port for accounting requests.

    Trap Settings

  • RADIUS Accounting Traps—Check to generate traps for RADIUS accounting events.

  • RADIUS Authentication Failure Traps—Check to generate traps for logins that failed.

  • RADIUS Authentication Success Traps—Check to generate traps for logins that succeeded.
Step 3

Click Apply. The RADIUS default settings for the device are updated in the Running Configuration file.

RADIUS Server Keys

To set the RADIUS server keys, follow these steps:

Procedure

Step 1

Click Security > RADIUS Server > RADIUS Server Keys.

Step 2

Enter the default RADIUS keys if required. Values entered in the Default Key are applied to all servers configured (in the Add RADIUS Server page) to use the default key.

  • Default Key—Enter the default key string used for authenticating and encrypting between the device and the RADIUS client. Select one of the following options:

    • Keep existing default key—For specified servers, the device attempts to authenticate the RADIUS client by using the existing, default Key String.

    • Encrypted—To encrypt communications by using MD5, enter the key in encrypted form.

    • Plaintext—Enter the key string in plaintext mode.

  • MD5 Digest—Displays the MD5 digest of the user-entered password.
Step 3

Click Apply. The RADIUS default settings for the device are updated in the Running Configuration file.

Step 4

To add a secret key, click Add and enter the following fields:

  • NAS Address—Address of switch containing RADIUS client.

  • Secret Key—Address of switch containing RADIUS client.

    • Use default Key—For specified servers, the device attempts to authenticate the RADIUS client by using the existing, default Key String.

    • Encrypted—To encrypt communications by using MD5, enter the key in encrypted form.

    • Plaintext—Enter the key string in plaintext mode.
Step 5

Click Apply. The key for the device is updated in the Running Configuration file.

RADIUS Server Groups

To set up a group of users that will be using the device as its RADIUS server, complete the following:

Procedure

Step 1

Click Security > RADIUS Server > RADIUS Server Groups.

Step 2

Click Add and enter the following fields:

  • Group Name—Enter a name for the group.

  • Privilege Level—Enter the management access privilege level of the group.

  • Time Range—Check to enable applying a time range to this group.

  • Time Range Name—If Time Range is selected, select the time range to be used. Click Edit to define a time range. This field is only displayed if a Time Range was previously created.

  • VLAN—Select the VLAN for the users:

    • None—No VLAN ID is sent.

    • VLAN ID—VLAN ID sent.

    • VLAN Name—VLAN name sent
Step 3

Click Apply. The RADIUS group definition is added to the Running Configuration file of the device.

RADIUS Server Users

To add a user, follow these steps:

Procedure

Step 1

Click Security > RADIUS Server > RADIUS Server Users.

The current users are displayed.
Step 2

Click Add.

  • User Name—Enter the name of a user.

  • Group Name—Select a previously defined group.

  • Password—Enter one of the following options:

    • Encrypted—A key string is used to encrypt communications by using MD5. To use encryption, enter the key in encrypted form.

    • Plaintext—If you don’t have an encrypted key string (from another device), enter the key string in plaintext mode. The encrypted key string is generated and displayed.

Step 3

Click Apply. The user definition is added to the Running Configuration file of the device.

RADIUS Server Accounting

The Radius server saves the last accounting logs in a cycle file on FLASH. These can be displayed.

To display RADIUS server accounting, complete the following steps:

Procedure

Step 1

Click Security > RADIUS Server > RADIUS Server Accounting.

RADIUS accounting events are displayed along with the following fields:

  • User Name—Name of a user.

  • Event Type—One of the following values:

    • Start—Session was started.

    • Stop—Session was stopped.

    • Date/Time Change—Date/time on the device was changed.

    • Reset—Device has reset at the specified time.

  • Authentication Method—Authentication method used by the user. Displays N/A if the Event Type is Date/Time Change or Reset.

  • NAS Address—Address of switch containing RADIUS client. Displays N/A if the Event Type is Date/Time Change or Reset.

  • User Address—If the authenticated user is the network administrator, this is its IP address; if the user is a station, this is its MAC address. Displays N/A if the Event Type is Date/Time Change or Reset.

  • Event Time—Time of event.
Step 2

To see additional details for a user/event, select the user/event and click Details.

The following fields are displayed:


Note

The fields in this page depend on the type of account viewed and the details received for it. Not all fields are always displayed.

  • Event Time—See above.

  • Event Type—See above.

  • User Name—See above.

  • Authentication Method—See above.

  • NAS IPv4 Address—See NAS Address above.

  • NAS Port—Port used on the switch at the NAS address

  • User Address—See above.

  • Accounting Session Time—See Event Time above.

  • Session Termination Reason—Displays reason for session termination, such as User Request.

RADIUS Server Rejected Users

To view the users who have attempted to authenticate using the RADIUS server and have been rejected, complete the following steps:

Procedure

Step 1

Click Security > RADIUS Server > RADIUS Rejected Users.

The rejected users are displayed along with the following fields:

  • Event Type—Displays one of the following options:

    • Rejected—User was rejected.

    • Time Change—Clock on device was changed by the administrator.

    • Reset—Device was reset by the administrator.

  • User Name—Name of the rejected user.

  • User Type—Displays one of the following authentication options relevant to the user:

    • Login—Management access user

    • 802.1x—802.1x network access user

    • N/A—For Reset event

  • Reason—Reason that the user was rejected.

  • Time—Time that the user was rejected.
Step 2

To see additional details for the rejected user, select the user and click Details.

The following fields are displayed:


Note

The fields in this page depend on the type of account viewed and the details received for it. Not all fields are always displayed.

  • Event Time—See above.

  • User Name—See above.

  • User Type—See above.

  • Rejection Reason—Reason that the user was rejected.

  • NAS IP Address—Address of the Network Accessed Server (NAS). The NAS is the switch running the RADIUS client.

To clear out the table of rejected users, click Clear.

RADIUS Server Unknown NAS Entries

To display authentication rejections due to NASs not being known to RADIUS server, complete the following:

Procedure

Step 1

Click Security > RADIUS Server > RADIUS Server Unknown NAS Entries.

The following fields are displayed:

  • Event Type

    • Unknown NAS—An unknown NAS event occurred.

    • Time Change—Clock on device was changed by the administrator.

    • Reset—Device was reset by the administrator.

  • IP Address—IP address of the unknown NAS.

  • Time—Timestamp of event
Step 2

Click Clear to delete an entry.

RADIUS Server Statistics

To display RADIUS server statistics, follow these steps:

Procedure

Step 1

Click Security > RADIUS Server > RADIUS Server Statistics.

Step 2

Select the Statistics Source from the following options:

    • Global—Statistics for all users

    • Specific NAS—Statistics for specific NAS
Step 3

Select the Refresh Rate.
Step 4

The following statistics will be displayed.

Incoming Packets on Authentication Port

Number of packets received on the authentication port.

Incoming Access-Requests from Unknown Addresses

Number of incoming access requests from unknown NAS addresses

Duplicate Incoming Access-Requests

Number of retransmitted packets received.

Sent Access-Accepts

Number of access accepts sent.

Sent Access-Rejects

Number of access rejects sent.

Sent Access-Challenges

Number of access challenges sent.

Incoming Malformed Access-Requests

Number of malformed access requests received.

Incoming Authentication-Requests with Bad Authenticator

Number of incoming packets with bad passwords.

Incoming Authentication Packets with Other Mistakes

Number of received incoming authentication packets with other mistakes.

Incoming Authentication Packets of Unknown Type

Number of received incoming authentication packets of unknown type

Incoming Packets on the Accounting Port

Number of incoming packets on the accounting port.

Incoming Authentication-Requests from Unknown Addresses

Number of incoming authentication requests from unknown addresses.

Incoming Duplicate Accounting-Requests

Number of incoming duplicate account requests.

Accounting-Responses Sent

Number of accounting responses sent.

Incoming Malformed Accounting-Requests

Number of malformed accounting requests.

Incoming Accounting-Requests with Bad Authenticator

Number of incoming accounting requests with bad authenticator.

Incoming Accounting Packets with Other Mistakes

Number of incoming accounting packets with other mistakes.

Incoming Not Recorded Accounting-Requests

Number of incoming accounting requests not recorded.

Incoming Accounting Packets of Unknown Type

Number of incoming accounting packets of unknown type.
Step 5

To clear the counters, click Clear Counters.

Step 6

To refresh the counters, click Refresh.

Login Settings

The default username/password is cisco/cisco. The first time that you log in with the default username and password, you’re required to enter a new password. Password complexity is enabled by default. If the password that you choose isn’t complex enough, then you will be prompted to create another password.

Procedure

Step 1

Click Security > Login Settings .

Step 2

In the Password Aging section, check Enable to enable the password aging. When the Password Aging checkbox is unchecked, the Password Aging Time is disabled.

Step 3

Next, configure the following:

Option Description
Password Aging Time

Enter the number of days. (Range: 1 - 365, Default: 180)

Note 

A warning message will appear 10 days prior to the password expiration date. From the expiration day and on, the user logging in will be forced to change the password and will not be granted access to the device until the password is changed.

Minimal Password Length

Enter the number of character for the password. (Range: 8- 64, Default: 8)

Recent Password Prevention

Enter a number for a recent password prevention. (Range: 3- 24, Default: 12)

Allowed Character Repetition

A character cannot be repeated consecutively. Enter a number for the allowed character repetition. (Range: 1- 16, Default: 3)

Minimal Number of Character Classes:

Enter a number for the minimal number of character classes. (Range: 0- 4, Default: 3)
Note 
The password complexity rules are as follows:

  • Minimal password length is 8 characters by default. Passwords are configurable with a range of 8-64.

  • Character Repetition: A character cannot be repeated consecutively. The minimum number of repetition allowed is 3 by default.

  • Recent password prevention: The password must be different than a number of previously used passwords on this account. 12 by default, configurable to 3-24.

  • Minimum number of character classes: The number of different character classes that must be included in the password (classes are: uppercase letter, lowercase letter, number and special character). The minimum number is 3 by default and is configurable to 0-4 (0 and 1 are functionally identical).

  • Any password established or altered by the user (hence "Secret") must be compared to the following file's list of common passwords. If the secret contains a word from the list, the user will receive the following error message and will need to re-enter an alternative password: "Password rejected- Passwords must not match words in the dictionary, and must not contain commonly used passwords".

  • Sequential characters – The password MUST NOT contain more than 2 sequential characters or numbers, or the reverse value of these sequences. Restriction also includes letters that are replaced with other characters, as follows: "$" for "s", "@" for "a", "0" for "o", "1" for "l", "!" for "i", "3" for "e". Examples for prohibited passwords: “efg123!$”, “abcd765%”, “kji!$378”, qr$58!230. Sequential letters are prohibited in any case combination (e.g. AbC or aBC).

  • Context specific words (project and vendor name) – The password MUST NOT contain the username or the words “cisco” or “cbs”, or derivatives of such. This restriction includes these words reversed or in any case. Restriction also includes letters that are replaced with other characters, as follows: "$" for "s", "@" for "a", "0" for "o", "1" for "l", "!" for "i", "3" for "e", is not permitted. For example, C!$c0678! is not permitted.

Login Lockdown

If the address of a device is known, a malicious user may attempt to perform a dictionary attack. A dictionary attack is an automated process to attempt to login by attempting thousands, or even millions, of credentials. The purpose of a dictionary attack is to actually gain management access to the device.

To prevent these attacks the device can be configured to limit the amount of login attempts allowed within a specific time range and by defining a quiet mode period following a specified number of failed attempts. If the specified number of connection attempts fails (attempt tries) within a specified time (within seconds), the device will not accept any additional login attempts for a specified period of time (block-for seconds). This can also occur when the user forgets his login credentials and tries to login several times resulting in login failure.


Note

Following a specified number of failed login attempts over a specified time period, the device will enter into quiet mode. The device will not accept any more connection requests during the quiet mode time, including telnet, SSH, SNMP, HTTP, or HTTPS. The device will restart accepting connection requests once the quiet mode period has ended. The start and conclusion of the quiet mode time will be indicated by a Syslog message.

The number of failed attempts should be counted throughout a period of time that is measured from each failed attempt. Failed attempts are not counted during the quiet period. When the quiet period expires, the count of failed attempts resumes. A quiet period can be ended before the timer expires by disabling the functionality.

Procedure

Step 1

In the Login Response Delay, check Enable to enable the login response delay.

Step 2

Next, configure the following:

Option Description

Response Delay Period

Enter a number in seconds to set the response delay period. (Range: 1- 10, Default: 1)

Quiet Period Enforcement

Check Enable to enforce quite period.

Quiet Period Length

Enter the number of seconds to set the quiet period length. (Range: 1- 65535, Default: 300)

Triggering Attempts

Enter the number of triggering attempts. (Range: 1- 100, Default 4)

Triggering Interval

Enter the number in seconds for triggering interval. (Range: 1- 3600, Default 60)

Quiet Period Access Profile

Note 

This link navigates to the Security → Management Access Method → Access Profiles page.
Console Only is the default setting.
Note 

This drop down contains an option for every existing access profile.

Login Protection Status

The Login Protection Status page will track and display any attempted attacks or login failures. (It will not distinguish if the login failure is a user who forgot his credentials or an actual attack). Click the Refresh button to refresh the data.

  • Quiet Mode Status- Can have either an active or inactive status.

  • Quiet Mode Remaining Time- This field is displayed only if the Quiet Mode Status is active.

  • Login Failures in the Last 60 Seconds- Displays the number of login failures during the time lapse defined by the "Quiet Period Length" Parameter. The ""Quiet Period Length"" is a value in seconds configured in the Security> Login Settings page.

In the Login Failure Table, the following will be displayed:

  • Username- the name of the user

  • IP Address- the IP address of the user

  • Service- the service being used. This can be either HTTP, HTTPS, Telnet, SSH or SNMP.

  • Count- the number of attempted login failures.

  • Most Recent Attempt Time- the most recent time that a failed login was attempted.

Key Management

This section describes how to configure key chains for applications and protocols, such as RIP.

Key Chain


Note

This feature is only supported on Sx550X/SG550XG devices.

To create a new key chain.

Procedure

Step 1

Click Security > Key Management > Key Chain Settings.

Step 2

To add a new key chain, click Add to open the Add Key Chain page and enter the following fields:

  • Key Chain-Name for the key chain.

  • Key Identifier-Integer identifier for the key chain.

  • Key String-Value of the key chain string. Enter one of the following options:

    • User Defined (Encrypted)-Enter an encrypted version.

    • User Defined (Plaintext)-Enter a plaintext version

      Note 

      Both the Accept Life Time and the Send LifeTime values can be entered. The Accept Life Time indicates when the key-identifier for receiving packets is valid. The Send Life Time indicates when the key-identifier for sending packets is valid.

  • Accept Life Time/Send Life Time-Specifies when packets with this key are accepted. Select one of the following options.

    • Always Valid-No limit to the life of the key-identifier

    • User Defined-Life of the key-chain is limited. If this option, is selected enter values in the following fields.

      Note 

      If you select User Defined, the system time must be set either manually or from SNTP. Otherwise, Accept Life Time and Send Life Times always fail.

      The following fields are relevant for the Accept Life Time and Send Life Time fields:

  • Start Date-Enter the earliest date that the key-identifier is valid.

  • Start Time-Enter the earliest time that the key-identifier is valid on the Start Date.

  • End Time-Specifies the last date that the key-identifier is valid. Select one of the following options.

    • Infinite-No limit to the life of the key-identifier

    • Duration-Life of the key-identifier is limited. If this option, is selected enter values in the following fields.

  • Duration-Length of time that the key identifier is valid. Enter the following fields:

    • Days-Number of days that the key-identifier is valid.

    • Hours-Number of hours that the key-identifier is valid.

    • Minutes-Number of minutes that the key-identifier is valid.

    • Seconds-Number of seconds that the key-identifier is valid.
Step 3

Click Apply. The settings are written to the Running Configuration file.

Key Settings

To add a key to an already existing key chain.

Procedure

Step 1

Click Security > Key Management > Key Settings.

Step 2

To add a new key string, click Add.

Step 3

Enter the following fields:

  • Key Chain-Name for the key chain.

  • Key Identifier-Integer identifier for the key chain.

  • Key String-Value of the key chain string. Enter one of the following options:

    • User Defined (Encrypted)-Enter an encrypted version.

    • User Defined (Plaintext)-Enter a plaintext version.

      Note 

      Both the Accept Life Time and the Send LifeTime values can be entered. The Accept Life Time indicates when the key-identifier for receiving packets is valid. The Send Life Time indicates when the key-chain for sending packets is valid. The fields are only described for the Accept Life Time. The Send Life Time has the same fields.

  • Accept Life Time-Specifies when packets with this key are accepted. Select one of the following options.

    • Always Valid-No limit to the life of the key-identifier

    • User Defined-Life of the key-chain is limited. If this option, is selected enter values in the following fields.

  • Start Date-Enter the earliest date that the key-identifier is valid.

  • Start Time-Enter the earliest time that the key-identifier is valid on the Start Date.

  • End Time-Specifies the latest time that the key-identifier is valid. Select one of the following options.

    • Infinite-No limit to the life of the key-identifier

    • Duration-Life of the key-identifier is limited. If this option, is selected enter values in the following fields.

  • Duration-Length of time that the key identifier is valid. Enter the following fields:

    • Days-Number of days that the key-identifier is valid.

    • Hours-Number of hours that the key-identifier is valid.

    • Minutes-Number of minutes that the key-identifier is valid.

    • Seconds-Number of seconds that the key-identifier is valid.
Step 4

Click Apply. The settings are written to the Running Configuration file.

Step 5

To always display sensitive data as plaintext (and not in encrypted form), click Display Sensitive Data as Plaintext.

Management Access Method

This section describes access rules for various management methods.

Access profiles determine how to authenticate and authorize users accessing the device through various access methods. Access Profiles can limit management access from specific sources.

Only users who pass both the active access profile and the management access authentication methods are given management access to the device.

There can only be a single access profile active on the device at one time.

Access profiles consist of one or more rules. The rules are executed in order of their priority within the access profile (top to bottom).

Rules are composed of filters that include the following elements:

  • Access Methods-Methods for accessing and managing the device:

    • Telnet

    • Secure Telnet (SSH)

    • Hypertext Transfer Protocol (HTTP)

    • Secure HTTP (HTTPS)

    • Simple Network Management Protocol (SNMP)

    • All of the above

  • Action-Permit or deny access to an interface or source address.

  • Interface-Which ports, LAGs, or VLANs are permitted to access or are denied access to the web-based configuration utility.

  • Source IP Address-IP addresses or subnets. Access to management methods might differ among user groups. For example, one user group might be able to access the device module only by using an HTTPS session, while another user group might be able to access the device module by using both HTTPS and Telnet sessions.

Access Profiles

The Access Profiles page displays the access profiles that are defined and enables selecting one access profile to be the active one.

When a user attempts to access the device through an access method, the device looks to see if the active access profile explicitly permits management access to the device through this method. If no match is found, access is denied.

When an attempt to access the device is in violation of the active access profile, the device generates a SYSLOG message to alert the system administrator of the attempt.

If a console-only access profile has been activated, the only way to deactivate it’s through a direct connection from the management station to the physical console port on the device.

For more information, see Profile Rules.

Use the Access Profiles page to create an access profile and to add its first rule. If the access profile only contains a single rule, you’re finished. To add more rules to the profile, use the Profile Rules page.

Procedure

Step 1

Click Security > Mgmt Access Method > Access Profiles.

This page displays all of the access profiles, active and inactive.
Step 2

To change the active access profile, select a profile from the Active Access Profile drop down menu and click Apply. This makes the chosen profile the active access profile.

Note 

A caution message appears if you selected Console Only. If you continue, you’re immediately disconnected from the web-based configuration utility and can access the device only through the console port. This only applies to device types that offer a console port.

Step 3

Click OK to select the active access profile or click Cancel to discontinue the action.

Step 4

Click Add to open the Add Access Profile page. The page allows you to configure a new profile and one rule.

Step 5

Enter the Access Profile Name. This name can contain up to 32 characters.
Step 6

Enter the parameters.

  • Rule Priority—Enter the rule priority. When the packet is matched to a rule, user groups are either granted or denied access to the device. The rule priority is essential to matching packets to rules, as packets are matched on a first-match basis. The highest priority is ‘1’.

  • Management Method—Select the management method for which the rule is defined. The options are:

    • All—Assigns all management methods to the rule

    • Telnet—Users requesting access to the device that meets the Telnet access profile criteria are permitted or denied access.

    • Secure Telnet (SSH)—Users requesting access to the device that meets the SSH access profile criteria, are permitted or denied access.

    • HTTP— Users requesting access to the device that meets the HTTP access profile criteria, are permitted or denied.

    • Secure HTTP (HTTPS)—Users requesting access to the device that meets the HTTPS access profile criteria, are permitted or denied.

    • SNMP—Users requesting access to the device that meets the SNMP access profile criteria are permitted or denied.

  • Action—Select the action attached to the rule. The options are:

    • Permit—Permits access to the device if the user matches the settings in the profile.

    • Deny—Denies access to the device if the user matches the settings in the profile

  • Applies to Interface—Select the interface attached to the rule. The options are:

    • All—Applies to all ports, VLANs, and LAGs

    • User Defined—Applies to selected interface.

  • Interface—Enter the interface number if User Defined was selected.

  • Applies to Source IP Address—Select the type of source IP address to which the access profile applies. The Source IP Address field is valid for a subnetwork. Select one of the following values:

    • All—Applies to all types of IP addresses

    • User Defined—Applies to only those types of IP addresses defined in the fields.

  • IP Version—Enter the version of the source IP address: Version 6 or Version 4.

  • IP Address—Enter the source IP address.

  • Mask—Select the format for the subnet mask for the source IP address, and enter a value in one of the fields:

    • Network Mask—Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format.

    • Prefix Length—Select the Prefix Length and enter the number of bits that comprise the source IP address prefix.
Step 7

Click Apply. The access profile is written to the Running Configuration file. You can now select this access profile as the active access profile.

Profile Rules

Access profiles can contain up to 128 rules to determine who is permitted to manage and access the device, and the access methods that may be used.

Each rule in an access profile contains an action and criteria (one or more parameters) to match. Each rule has a priority; rules with the lowest priority are checked first. If the incoming packet matches a rule, the action associated with the rule is performed. If no matching rule is found within the active access profile, the packet is dropped.

For example, you can limit access to the device from all IP addresses except IP addresses that are allocated to the IT management center. In this way, the device can still be managed and has gained another layer of security.

To add profile rules to an access profile, complete the following steps:

Procedure

Step 1

Click Security > Mgmt Access Method > Profile Rules.

Step 2

Select the Filter field, and an access profile. Click Go.

The selected access profile appears in the Profile Rule Table.
Step 3

Click Add to add a rule.

Step 4

Enter the parameters.

  • Access Profile Name—Select an access profile.

  • Rule Priority—Enter the rule priority. When the packet is matched to a rule, user groups are either granted or denied access to the device. The rule priority is essential to matching packets to rules, as packets are matched on a first-fit basis.

  • Management Method—Select the management method for which the rule is defined. The options are:

    • All—Assigns all management methods to the rule

    • Telnet—Users requesting access to the device that meets the Telnet access profile criteria are permitted or denied access.

    • Secure Telnet (SSH)—Users requesting access to the device that meets the Telnet access profile criteria, are permitted or denied access.

    • HTTP—Assigns HTTP access to the rule Users requesting access to the device that meets the HTTP access profile criteria, are permitted or denied.

    • Secure HTTP (HTTPS)—Users requesting access to the device that meets the HTTPS access profile criteria, are permitted or denied.

    • SNMP—Users requesting access to the device that meets the SNMP access profile criteria are permitted or denied.

  • Action—Select one of the following options.

    • Permit—Allow device access to users coming from the interface and IP source defined in this rule.

    • Deny—Deny device access to users coming from the interface and IP source defined in this rule.

  • Applies to Interface—Select the interface attached to the rule. The options are:

    • All—Applies to all ports, VLANs, and LAGs

    • User Defined—Applies only to the port, VLAN, or LAG selected.

  • Interface—Enter the interface number if the User Defined option is selected for the field above.

  • Applies to Source IP Address—Select the type of source IP address to which the access profile applies. The Source IP Address field is valid for a subnetwork. Select one of the following values:

    • All—Applies to all types of IP addresses

    • User Defined—Applies to only those types of IP addresses defined in the fields.

  • IP Version—Select the supported IP version of the source address: IPv6 or IPv4.

  • IP Address—Enter the source IP address.

  • Mask—Select the format for the subnet mask for the source IP address, and enter a value in one of the fields:

    • Network Mask—Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format.

    • Prefix Length—Select the Prefix Length and enter the number of bits that comprise the source IP address prefix.
Step 5

Click Apply, and the rule is added to the access profile.

Management Access Authentication

You can assign authentication methods to the various management access methods, such as SSH, Telnet, HTTP, and HTTPS. The authentication can be performed locally or on a server.

If authorization is enabled, both the identity and read/write privileges of the user are verified. If authorization isn’t enabled, only the identity of the user is verified.

The authorization/authentication method used is determined by the order that the authentication methods are selected. If the first authentication method isn’t available, the next selected method is used. For example, if the selected authentication methods are RADIUS and Local, and all configured RADIUS servers are queried in priority order and don’t reply, the user is authorized/authenticated locally.

If authorization is enabled, and an authentication method fails or the user has insufficient privilege level, the user is denied access to the device. In other words, if authentication fails for an authentication method, the device stops the authentication attempt; it doesn’t continue and doesn’t attempt to use the next authentication method.

Similarly, if authorization isn’t enabled, and authentication fails for a method, the device stops the authentication attempt.

To define authentication methods for an access method:

Procedure

Step 1

Click Security > Management Access Authentication.

Step 2

Enter the Application (type) of the management access method.
Step 3

Select Authorization to enable both authentication and authorization of the user by the list of methods described below. If the field is not selected, only authentication is performed. If Authorization is enabled, the read/write privileges of users are checked. This privilege level is set in the User Accounts page.

Step 4

Use the arrows to move the authentication method between the Optional Methods column and the Selected Methods column. The first method selected is the first method that is used.

  • RADIUS—User is authorized/authenticated on a RADIUS server. You must have configured one or more RADIUS servers. For the RADIUS server to grant access to the web-based configuration utility, the RADIUS server must return cisco-avpair = shell:priv-lvl=15.

  • TACACS+—User authorized/authenticated on the TACACS+ server. You must have configured one or more TACACS+ servers.

  • None—User is allowed to access the device without authorization/authentication.

  • Local—Username and password are checked against the data stored on the local device. These username and password pairs are defined in the User Accounts page.

    Note 

    The Local or None authentication method must always be selected last. All authentication methods selected after Local or None are ignored.

Step 5

Click Apply. The selected authentication methods are associated with the access method.

Secure Sensitive Data Management

SSD protects sensitive data on a device, such as passwords and keys, permits and denies access to sensitive data encrypted and in plain text based on user credentials and SSD rules, and protects configuration files containing sensitive data from being tampered with.

In addition, SSD enables the secure backup and sharing of configuration files containing sensitive data.

SSD provides users with the flexibility to configure the desired level of protection on their sensitive data; from no protection with sensitive data in plaintext, minimum protection with encryption based on the default passphrase, and better protection with encryption based on user-defined passphrase.

SSD grants read permission to sensitive data only to authenticated and authorized users, and according to SSD rules. A device authenticates and authorizes management access to users through the user authentication process.

Whether or not SSD is used, it is recommended that the administrator secure the authentication process by using the local authentication database, and/or secure the communication to the external authentication servers used in the user authentication process.

In summary, SSD protects sensitive data on a device with SSD rules, SSD properties, and user authentication. And SSD rules, SSD properties, and user authentication configurations of the device are themselves sensitive data protected by SSD.

SSD Properties

SSD properties are a set of parameters that, in conjunction with the SSD rules, define and control the SSD environment of a device. The SSD environment consists of these properties:

  • Controlling how the sensitive data is encrypted.

  • Controlling the strength of security on configuration files.

  • Controlling how the sensitive data is viewed within the current session.

To configure the SSD properties, follow these steps:

Procedure

Step 1

Click Security > Secure Sensitive Data Management > Properties.

The following field appears:

  • Current Local Passphrase Type—Displays whether the default passphrase or a user-defined passphrase is currently being used.
Step 2

In the Configuration File Passphrase Control—Select an option from the following:

  • Unrestricted (default)—The device includes its passphrase when creating a configuration file. This enables any device accepting the configuration file to learn the passphrase from the file.

  • Restricted—The device restricts its passphrase from being exported into a configuration file. Restricted mode protects the encrypted sensitive data in a configuration file from devices that do not have the passphrase. This mode should be used when a user does not want to expose the passphrase in a configuration file.

Step 3

Next, select to enable the Configuration File Integrity Control.
Step 4

Select a Read Mode for the current session

  • Plaintext —Users are permitted to access sensitive data in plaintext only. Users will also have read and write permission to SSD parameters.

  • Encrypted —Users are permitted to access sensitive data as encrypted only.
Step 5

Click Change Local Passphrase, and enter a new Local Passphrase:

  • Default—Use the devices default passphrase.

  • User Defined (Plaintext)—Enter a new passphrase.

  • Confirm Passphrase—Confirm the new passphrase.
Step 6

Click Apply. The settings are saved to the Running Configuration file.

SSD Rules

Only users with SSD read permission of Plaintext-only or Both are allowed to set SSD rules.

To configure SSD rules, follow these steps:

Procedure

Step 1

Click Security > Secure Sensitive Data Management > SSD Rules.

The currently-defined rules are displayed. The Rule Type field indicates whether the rule is a user-defined one or a default rule.

Step 2

To add a new rule, click Add. Enter the following fields:

  • User—This defines the user(s) to which the rule applies: Select one of the following options:

    • Specific User—Select and enter the specific user name to which this rule applies (this user does not necessarily have to be defined).

    • Default User (cisco)—Indicates that this rule applies to the default user.

    • Level 15—Indicates that this rule applies to all users with privilege level 15.

    • All—Indicates that this rule applies to all users.

  • Channel—This defines the security level of the input channel to which the rule applies: Select one of the following options:

    • Secure—Indicates that this rule applies only to secure channels (console, SCP, SSH and HTTPS), not including the SNMP and XML channels.

    • Insecure—Indicates that this rule applies only to insecure channels (Telnet, TFTP and HTTP), not including the SNMP and XML channels.

    • Secure XML SNMP—Indicates that this rule applies only to XML over HTTPS and SNMPv3 with privacy.

    • Insecure XML SNMP—Indicates that this rule applies only to XML over HTTP or and SNMPv1/v2and SNMPv3 without privacy.

  • Read Permission—The read permissions associated with the rule. These can be the following:

    • Exclude—Lowest read permission. Users are not permitted to get sensitive data in any form.

    • Plaintext Only—Higher read permission than above ones. Users are permitted to get sensitive data in plaintext only.

    • Encrypted Only—Middle read permission. Users are permitted to get sensitive data as encrypted only.

    • Both (Plaintext and Encrypted)—Highest read permission. Users have both encrypted and plaintext permissions and are permitted to get sensitive data as encrypted and in plaintext

  • Default Read Mode—All default read modes are subjected to the read permission of the rule. The following options exist, but some might be rejected, depending on the rule’s read permission.

    • Exclude—Do not allow reading the sensitive data.

    • Encrypted—Sensitive data is presented encrypted.

    • Plaintext—Sensitive data is presented as plaintext.
Step 3

Click Apply. The settings are saved to the Running Configuration file.

Step 4

The following actions can be performed on selected rules:

  • Add, Edit or Delete rules or Restore To Default.

  • Restore All Rules to Default—Restore a user-modified default rule to the default rule.

SSL Server

The Secure Socket Layer (SSL) feature is used to open an HTTPS session to the device. An HTTPS session may be opened with the default certificate that exists on the device. Some browsers generate warnings when using a default certificate, since this certificate is not signed by a Certification Authority (CA). It is best practice to have a certificate signed by a trusted CA. By default, the device contains a certificate that can be modified. HTTPS is enabled by default.

SSL Server Authentication Settings

A new certificate maybe required to replace the default certificate found on the device.

To create a new certificate, complete the following steps:

Procedure

Step 1

Click Security > SSL Server > SSL Server Authentication Settings.

Information appears for SSL Active Certificate Number 1 and 2 in the SSL Server Key Table. Select one of these fields.

These fields are defined in the Edit page except for the following fields:

  • Valid From—Specifies the date from which the certificate is valid.

  • Valid To—Specifies the date up to which the certificate is valid.

  • Certificate Source—Specifies whether the certificate was generated by the system (Auto Generated) or the user (User Defined).
Step 2

Select an active certificate.
Step 3

Click Generate Certificate Request. Select a certificate and click Details to view the following:

  • Certificate content in pem format

  • Certificate public key and fingerprint (Hex)

  • Certificate private key
Step 4

Enter the following fields:

  • Certificate ID—Select the active certificate.

  • Common Name—Specifies the fully-qualified device URL or IP address. If unspecified, defaults to the lowest IP address of the device (when the certificate is generated).

  • Organization Unit—Specifies the organization-unit or department name.

  • Organization Name—Specifies the organization name.

  • Location—Specifies the location or city name.

  • State—Specifies the state or province name.

  • Country—Specifies the country name.

  • Certificate Request—Displays the key created when the Generate Certificate Request button is pressed.
Step 5

Click Generate Certificate Request. This creates a key that must be entered on the Certification Authority (CA). Copy the certificate key from the Certificate Request field.

To import a certificate:
Step 6

Click Security > SSL Server > SSL Server Authentication Settings.
Step 7

Click Import Certificate.

Step 8

Enter the following fields:

  • Certificate ID—Select the active certificate.

  • Certificate Source—Displays that the certificate is user-defined.

  • Certificate—Copy in the received certificate.

  • Import RSA Key—Pair-Select to enable copying in the new RSA key-pair.

  • Public Key—Copy in the RSA public key.

  • Private Key (Encrypted)—Select and copy in the RSA private key in encrypted form.

  • Private Key (Plaintext)—Select and copy in the RSA private key in plain text form.
Step 9

Click Apply to apply the changes to the Running Configuration.

Step 10

Click Display Sensitive Data as Encrypted to display this key as encrypted. When this button is clicked, the private keys are written to the configuration file in encrypted form (when Apply is clicked). When the text is displayed in encrypted form, the button becomes Display Sensitive Data as Plaintext enabling you to view the text in plaintext again.

The Details button displays the certificate and RSA key pair. This is used to copy the certificate and RSA key-pair to another device (using copy/paste). To display the private key as plaintext, click Display Sensitive Data as Plaintext. If private keys is displayed as plaintext, click the Display Sensitive Data as Encrypted to display the key in encrypted form.

To create a new self-generated certificate on the device:
Step 11

Click Security > SSL Server > SSL Server Authentication Settings.
Step 12

Select a certificate and click Edit.

Step 13

Enter the following fields as required:

  • Regenerate RSA Key—Select to regenerate the RSA key.

  • Key Length—Select the required key length from the options.

  • Common Name—Enter a common name.

  • Organization Unit—Enter the name of the organization unit for the certificate.

  • Organization Name—Enter the name of the organization for the certificate.

  • Location—Enter the location of the organization unit for the certificate.

  • State—Enter the state of the organization unit for the certificate.

  • County—Enter the county of the organization unit for the certificate.

  • Duration—Enter the length of time that the certificate will be valid.
Step 14

Click Generate to apply the changes to the Running Configuration.

Create or Generate a New Certificate

A new self-signed certificate maybe required to replace the certificate found on the device. To create a new certificate, complete the following steps:

Procedure
Step 1

Select a certificate and click Edit.

Step 2

Enter the following fields:

  • Certificate ID—Select the certificate ID that is to be replaced.

  • Regenerate RSA Key—Check the checkbox to regenerate a RSA key.
  • Key Length—Select the key length from one of the 2 options (2048 bits of 3072 bits).

  • Common Name—Specifies the fully-qualified device URL or IP address. If unspecified, defaults to the lowest IP address of the device (when the certificate is generated).

  • Organization Unit—Specifies the organization-unit or department name.

  • Organization Name—Specifies the organization name.

  • Location—Specifies the location or city name.

  • State—Specifies the state or province name.

  • Country—Specifies the country name.

  • Duration—Define the duration of the certificate.
Step 3

Click Generate. The new certificate is generated and replaces existing one.

Step 4

If you wish to generate a new certificate request, select a certificate and click Generate Certificate Request.

Note 

A certificate request is a certificate that is exported to a CA for signing, and then imported back to the device as a signed certificate. A certificate signed by a CA is considered secure (compare to a self sign certificate which is not).

Step 5

Enter the following fields:

  • Certificate ID—Select the certificate ID that is to be replaced.

  • Common Name—Specifies the fully-qualified device URL or IP address. If unspecified, defaults to the lowest IP address of the device (when the certificate is generated).

  • Organization Unit—Specifies the organization-unit or department name.

  • Organization Name—Specifies the organization name.

  • Location—Specifies the location or city name.

  • State—Specifies the state or province name.

  • Country—Specifies the country name.

  • Certificate Request—Displays the key created when the Generate Certificate Request button is pressed.
Step 6

Click Generate Certificate Request. This creates a certificate that must be entered on the Certification Authority (CA). Copy the certificate key from the Certificate Request field.

Step 7

To import a certificate signed by a CA, select an active certificate and click Import Certificate.

Step 8

Enter the following fields:

  • Certificate ID—Select a certificate.

  • Certificate Source—Displays that the certificate is auto-generated.

  • Certificate—Copy in the received certificate.

  • Import RSA Key—Pair-Select to enable copying in the new RSA key-pair.

  • Public Key—Copy in the RSA public key.

  • Fingerprint(Hex)- Displays the certificate's fingerprint in Hex format.

  • Private Key (Encrypted)—Select and copy in the RSA private key in encrypted form.

  • Private Key (Plaintext)—Select and copy in the RSA private key in plain text form.
Step 9

Click Apply to apply the changes to the Running Configuration.

Step 10

Click the Details button to display the SSL certificate details.

Step 11

Next, click Display Sensitive Data as Encrypted to display this key as encrypted. When this button is clicked, the private keys are written to the configuration file in encrypted form (when Apply is clicked). When the text is displayed in encrypted form, the button becomes Display Sensitive Data as Plaintext enabling you to view the text in plaintext again.

SSH Server

The SSH Server feature enables a remote users to establish SSH sessions to the device. This is similar to establishing a telnet session, except the session is secured.

The device, as a SSH server, supports SSH User Authentication which authenticates a remote user either by password, or by public key. At the same time, the remote user as a SSH client can perform SSH Server Authentication to authenticate the device using the device public key (fingerprint).

SSH Server can operate in the following modes:

  • By Internally-generated RSA/DSA Keys (Default Setting)—An RSA and a DSA key are generated. Users log on the SSH Server application and are automatically authenticated to open a session on the device when they supply the IP address of the device.

  • Public Key Mode—Users are defined on the device. Their RSA/DSA keys are generated in an external SSH server application, such as PuTTY. The public keys are entered in the device. The users can then open an SSH session on the device through the external SSH server application.

SSH User Authentication

If you use the SSH User Authentication page to create an SSH username for a user who is already configured in the local user database. You can prevent additional authentication by configuring the Automatic Login feature, which works as follows:

  • Enabled—If a user is defined in the local database, and this user passed SSH Authentication using a public-key, the authentication by the local database username and password is skipped.


    Note

    The configured authentication method for this specific management method (console, Telnet, SSH and so on) must be Local (i.e. not RADIUS or TACACS+).

  • Not Enabled—After successful authentication by SSH public key, even if the username is configured in the local user database, the user is authenticated again, as per the configured authentication methods.

This feature is optional and can be configured on the Management Access Authentication. You do not have to work with user authentication in SSH.

To enable authentication and add a user.

Procedure

Step 1

Click Security > SSH Server > SSH User Authentication.

Step 2

Select the following fields:

  • SSH User Authentication by Password—Select to perform authentication of the SSH client user using the username/password configured in the local database (see User Accounts).

  • SSH User Authentication by Public Key—Select to perform authentication of the SSH client user using the public key.

  • Automatic Login—This field can be enabled if the SSH User Authentication by Public Key feature was selected.
Step 3

Click Apply. The settings are saved to the Running Configuration file.

The following fields are displayed for the configured users:

  • SSH User Name—User name of user.

  • Key Type—Whether this is an RSA or DSA key.

  • Fingerprint—Fingerprint generated from the public keys.
Step 4

Click Add to add a new user and enter the fields:

  • SSH User Name—Enter a user name.

  • Key Type—Select either RSA or DSA.

  • Public Key—Copy the public key generated by an external SSH client application (like PuTTY) into this text box.
Step 5

Click Apply to save the new user.

The following fields are displayed for all active users:

  • IP Address—IP address of the active user.

  • SSH User Name—User name of the active user.

  • SSH Version—Version of SSH used by the active user.

  • Cipher—Cipher of the active user.

  • Authentication Code—Authentication code of the active user.

SSH Server Authentication

A remote SSH client can perform SSH Server Authentication to ensure it’s establishing an SSH session to the expected SSH driver. To perform SSH Server Authentication, the remote SSH client must have a copy of the SSH server public key (or fingerprint) of the target SSH server.

The SSH Server Authentication Page generates/imports the private/public key for the device as an SSH server. A user should copy the SSH server public key (or fingerprint) of this device to the application if it’s to perform SSH Server Authentication on its SSH sessions. A public and private RSA and DSA key are automatically generated when the device is booted from factory defaults. Each key is also automatically created when the appropriate user-configured key is deleted by the user.

To regenerate an RSA or DSA key or to copy in an RSA/DSA key generated on another device:

Procedure

Step 1

Click Security > SSH Server > SSH Server Authentication.

The following fields are displayed for each key:

  • Key Type—RSA or DSA.

  • Key Source—Auto Generated or User Defined.

  • Fingerprint—Fingerprint generated from the key.
Step 2

Select either an RSA or DSA key.
Step 3

You can perform any of the following actions:

  • Generate—Generates a key of the selected type.

  • Edit—Enables you to copy in a key from another device. Enter the following fields:

    • Key Type—As described above

    • Public Key—Enter the public key.

    • Private Key—Select either Encrypted or Plaintext and enter the private key.

      Display Sensitive Data as Encrypted or Display Sensitive Data as Plaintext—Sets how sensitive data will be displayed.

  • Delete—Enables you to delete a key.

  • Details—Enables you to view the generated key. The Details window also enables you to click Display Sensitive Data as Plaintext. If this is clicked, the keys are displayed as plaintext and not in encrypted form. If the key is already being displayed as plaintext, you can click Display Sensitive Data as Encrypted. To display the text in encrypted form.

SSH Client

A SSH client helps the user manage a network composed of one or more switches in which various system files are stored on a central SSH server. When configuration files are transferred over a network, the Secure Copy (SCP), which is an application that utilizes the SSH protocol, ensures that sensitive data, such as username/password cannot be intercepted.

The SSH client, only communicates with a trusted SSH server. When SSH server authentication is disabled (the default setting), any SSH server is considered trusted. When SSH server authentication is enabled, the user must add an entry for the trusted servers to the Trusted SSH Servers Table.

In general the SSH protocol can be used for two purposes, file transfers and terminal access.

SSH User Authentication

When a device (SSH client) attempts to establish a SSH session to a SSH server, the SSH server uses various methods for client authentication. Use this page to select an SSH user authentication method, set a username and password on the device, if the password method is selected or generate an RSA or DSA key, if the public/private key method is selected.

To select an authentication method, and set the username/password/keys, follow these steps:

Procedure

Step 1

Click Security > SSH Client > SSH User Authentication.

Step 2

Select an SSH User Authentication Method. This is the global method defined for the secure copy (SCP). Select one of the options:

  • By Password—This is the default setting. If this is selected, enter a password or retain the default one.

  • By RSA Public Key—If this is selected, create an RSA public and Private key in the SSH User Key Table block.

  • By DSA Public Key—If this is selected, create a DSA public/private key in the SSH User Key Table block.
Step 3

Enter the Username (no matter what method was selected) or user the default username. This must match the username defined on the SSH server.

Step 4

If the By Password method was selected, enter a password (Encrypted or Plaintext) or leave the default encrypted password.
Step 5

Perform one of the following actions:

  • Apply—The selected authentication methods are associated with the access method.

  • Restore Default Credentials—The default username and password (anonymous) are restored.

  • Display Sensitive Data As Plaintext—Sensitive data for the current page appears as plaintext.

    The SSH User Key Table contains the following fields for each key:

  • Key Type—RSA or DSA.

  • Key Source—Auto Generated or User Defined.

  • Fingerprint—Fingerprint generated from the key.
Step 6

To handle an RSA or DSA key, select either RSA or DSA and perform one of the following actions:

  • Generate—Generate a new key.

  • Edit—Display the keys for copying/pasting to another device.

  • Delete—Delete the key.

  • Details—Display the keys.

SSH Server Authentication

To enable SSH server authentication and define the trusted servers, follow these steps:

Procedure

Step 1

Click Security > SSH Client > SSH Server Authentication.

Step 2

Select Enable to enable SSH server authentication.

  • IPv4 Source Interface—Select the source interface whose IPv4 address will be used as the source IPv4 address for messages used in communication with IPv4 SSH servers.

  • IPv6 Source Interface—Select the source interface whose IPv6 address will be used as the source IPv6 address for messages used in communication with IPv6 SSH servers.

    Note 

    If the Auto option is selected, the system takes the source IP address from the IP address defined on the outgoing interface.
Step 3

Click Apply.

Step 4

Click Add and enter the following fields for the Trusted SSH Server:

  • Server Definition—Select one of the following ways to identify the SSH server:

    • By IP address—If this is selected enter the IP address of the server in the fields below.

    • By name—If this is selected enter the name of the server in the Server IP Address/Name field.

  • IP Version—If you selected to specify the SSH server by IP address, select whether that IP address is an IPv4 or IPv6 address.

  • IPv6 Address Type—If the SSH server IP address is an IPv6 address, select the IPv6 address type. The options are:

    • Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, isn’t routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.

    • Global—The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks.

  • Link Local Interface—Select the link local interface from the list of interfaces.

  • Server IP Address/Name—Enter either the IP address of the SSH server or its name, depending on what was selected in Server Definition.

  • Fingerprint—Enter the fingerprint of the SSH server (copied from that server).
Step 5

Click Apply. The trusted server definition is stored in the Running Configuration file.

Change User Password on the SSH Server

To change the password on the SSH server, follow these steps:

Procedure

Step 1

Click Security > SSH Client > Change User Password on SSH Server.

Step 2

Enter the following fields:

  • Server Definition—Define the SSH server by selecting either By IP Address or By Name. Enter the server name or IP address of the server in the Server IP Address/Name field.

  • IP Version—If you selected to specify the SSH server by IP address, select whether that IP address is an IPv4 or IPv6 address.

  • IPv6 Address Type—If the SSH server IP address is an IPv6 address, select the IPv6 address type. The options are:

    • Link Local—The IPv6 address uniquely identifies hosts on a single network link. A link local address has a prefix of FE80, isn’t routable, and can be used for communication only on the local network. Only one link local address is supported. If a link local address exists on the interface, this entry replaces the address in the configuration.

    • Global—The IPv6 address is a global Unicast IPV6 type that is visible and reachable from other networks.

  • Link Local Interface—Select the link local interface from the list of interfaces.

  • Server IP Address/Name—Enter either the IP address of the SSH server or its name, depending on what was selected in Server Definition.

  • Username—This must match the username on the server.

  • Old Password—This must match the password on the server.

  • New Password—Enter the new password and confirm it in the Confirm Password field.
Step 3

Click Apply. The password on the SSH server is modified.

TCP/UDP Services

The TCP/UDP Services page enables TCP or UDP-based services on the device, usually for security reasons.

The device offers the following TCP/UDP services:

  • HTTP-Enabled by factory default

  • HTTPS-Enabled by factory default

  • SNMP-Disabled by factory default

  • Telnet-Disabled by factory default

  • SSH-Disabled by factory default

To configure TCP/UDP services, follow these steps:

Procedure

Step 1

Click Security > TCP/UDP Services.

Step 2

Enable or disable the following TCP/UDP services on the displayed services.

  • HTTP Service-Indicates whether the HTTP service is enabled or disabled.

  • HTTPS Service-Indicates whether the HTTPS service is enabled or disabled.

  • SNMP Service-Indicates whether the SNMP service is enabled or disabled.

  • Telnet Service-Indicates whether the Telnet service is enabled or disabled.

  • SSH Service-Indicates whether the SSH server service is enabled or disabled.
Step 3

Click Apply. The services are written to the Running Configuration file.

The TCP Service Table displays the following fields for each service:

  • Service Name-Access method through which the device is offering the TCP service.

  • Type-IP protocol the service uses.

  • Local IP Address-Local IP address through which the device is offering the service.

  • Local Port-Local TCP port through which the device is offering the service.

  • Remote IP Address-IP address of the remote device that is requesting the service.

  • Remote Port-TCP port of the remote device that is requesting the service.

  • State-Status of the service.

    The UDP Service table displays the following information:

  • Service Name-Access method through which the device is offering the UDP service.

  • Type-IP protocol the service uses.

  • Local IP Address-Local IP address through which the device is offering the service.

  • Local Port-Local UDP port through which the device is offering the service.

  • Application Instance-The service instance of the UDP service.

Storm Control

When Broadcast, Multicast, or Unknown Unicast frames are received, they are duplicated, and a copy is sent to all possible egress ports. This means that in practice they are sent to all ports belonging to the relevant VLAN. In this way, one ingress frame is turned into many, creating the potential for a traffic storm.

Storm protection enables you to limit the number of frames entering the device and to define the types of frames that are counted towards this limit.

When the rate of Broadcast, Multicast, or Unknown Unicast frames is higher than the user-defined threshold, frames received beyond the threshold are discarded.

Storm Control Settings

To define Storm Control, follow these steps:

Procedure

Step 1

Click Security > Storm Control > Storm Control Settings.

Step 2

Select a port and click Edit.
Step 3

Enter the parameters.

  • Interface—Select the port for which storm control is enabled.

    Unknown Unicast Storm Control

  • Storm Control State—Select to enable Storm Control for Unicast packets.

  • Rate Threshold—Enter the maximum rate at which unknown packets can be forwarded. This value can be entered By kbits/sec or By percentage of the total available bandwidth.

  • Trap on Storm—Select to send a trap when a storm occurs on a port. If this isn’t selected, the trap isn’t sent.

  • Shutdown on Storm—Select to shut down a port when a storm occurs on the port. If this isn’t selected extra traffic is discarded.

    Multicast Storm Control

  • Storm Control State—Select to enable Storm Control for Multicast packets.

  • Multicast Type—Select one of the following types of Multicast packets on which to implement storm control:

    • All—Enables storm control on all Multicast packets on the port

    • Registered Multicast—Enables storm control only on registered Multicast addresses on the port

    • Unregistered Multicast—Enables only unregistered Multicast storm control on the port

  • Rate Threshold—Enter the maximum rate at which unknown packets can be forwarded. This value can be entered By kbits/sec or By percentage of the total available bandwidth.

  • Trap on Storm—Select to send a trap when a storm occurs on a port. If this isn’t selected, the trap isn’t sent.

  • Shutdown on Storm—Select to shut down a port when a storm occurs on the port. If this isn’t selected extra traffic is discarded.

    Broadcast Storm Control

  • Storm Control State—Select to enable Storm Control for Broadcast packets.

  • Rate Threshold—Enter the maximum rate at which unknown packets can be forwarded. This value can be entered By kbits/sec or By percentage of the total available bandwidth.

  • Trap on Storm—Select to send a trap when a storm occurs on a port. If this isn’t selected, the trap isn’t sent.

  • Shutdown on Storm—Select to shut down a port when a storm occurs on the port. If this isn’t selected extra traffic is discarded.
Step 4

Click Apply. Storm control is modified, and the Running Configuration file is updated.

Storm Control Statistics

To view Storm Control statistics, complete the following:

Procedure

Step 1

Click Security > Storm Control > Storm Control Statistics.

Step 2

Select an interface.
Step 3

Enter the Refresh Rate—Select the how often the statistics should be refreshed. The available options are:

No Refresh

Statistics aren’t refreshed.

15 Sec

Statistics are refreshed every 15 seconds.

30 Sec

Statistics are refreshed every 30 seconds.

60 Sec

Statistics are refreshed every 60 seconds.

The following statistics are displayed for Unknown Unicast, Multicast and Broadcast Storm Control:

Multicast Traffic Type

(Only for Multicast traffic) Registered or Unregistered.

Bytes Passed

Number of bytes received.

Bytes Dropped

Number of bytes dropped because of storm control.

Last Drop Time

Time that the last byte was dropped.
Step 4

To clear all counters on all interfaces, click Clear All Interfaces Counters. To clear all counters on an interface, select it and click Clear Interface Counters.

Port Security


Note

Port security cannot be enabled on ports on which 802.1X is enabled or on ports that defined as SPAN destination.

Network security can be increased by limiting access on a port to users with specific MAC addresses. The MAC addresses can be either dynamically learned or statically configured.

Port security monitors received and learned packets. Access to locked ports is limited to users with specific MAC addresses.

Port Security has four modes:

  • Classic Lock—All learned MAC addresses on the port are locked, and the port doesn’t learn any new MAC addresses. The learned addresses aren’t subject to aging or relearning.

  • Limited Dynamic Lock—The device learns MAC addresses up to the configured limit of allowed addresses. After the limit is reached, the device doesn’t learn additional addresses. In this mode, the addresses are subject to aging and relearning.

  • Secure Permanent—Keeps the current dynamic MAC addresses associated with the port (as long as the configuration was saved to the Start configuration file). New MAC addresses can be learned as Permanent Secure ones up to the maximum addresses allowed on the port. Relearning and aging are disabled.

  • Secure Delete on Reset—Deletes the current dynamic MAC addresses associated with the port after reset. New MAC addresses can be learned as Delete-On-Reset ones up to the maximum addresses allowed on the port. Relearning and aging are disabled.

When a frame from a new MAC address is detected on a port where it’s not authorized (the port is classically locked, and there’s a new MAC address, or the port is dynamically locked, and the maximum number of allowed addresses has been exceeded), the protection mechanism is invoked, and one of the following actions can take place:

  • Frame is discarded.

  • Frame is forwarded.

  • Port is shut down.

When the secure MAC address is seen on another port, the frame is forwarded, but the MAC address isn’t learned on that port.

In addition to one of these actions, you can also generate traps, and limit their frequency and number to avoid overloading the devices.

To configure port security, complete the following:

Procedure

Step 1

Click Security > Port Security.

Step 2

Select an interface to be modified, and click Edit.
Step 3

Enter the parameters.

  • Interface—Select the interface name.

  • Interface Status—Select to lock the port.

  • Learning Mode—Select the type of port locking. To configure this field, the Interface Status must be unlocked. The Learning Mode field is enabled only if the Interface Status field is locked. To change the Learning Mode, the Lock Interface must be cleared. After the mode is changed, the Lock Interface can be reinstated. The options are:

    • Classic Lock—Locks the port immediately, regardless of the number of addresses that have already been learned.

    • Limited Dynamic Lock—Locks the port by deleting the current dynamic MAC addresses associated with the port. The port learns up to the maximum addresses allowed on the port. Both relearning and aging of MAC addresses are enabled.

    • Secure Permanent—Keeps the current dynamic MAC addresses associated with the port and learns up to the maximum number of addresses allowed on the port (set by Max No. of Addresses Allowed). Relearning and aging are disabled.

    • Secure Delete on Reset—Deletes the current dynamic MAC addresses associated with the port after reset. New MAC addresses can be learned as Delete-On-Reset ones up to the maximum addresses allowed on the port. Relearning and aging are disabled.

  • Max No. of Addresses Allowed—Enter the maximum number of MAC addresses that can be learned on the port if Limited Dynamic Lock learning mode is selected. The number 0 indicates that only static addresses are supported on the interface.

  • Action on Violation—Select an action to be applied to packets arriving on a locked port. The options are:

    • Discard—Discards packets from any unlearned source

    • Forward—Forwards packets from an unknown source without learning the MAC address

    • Shutdown—Discards packets from any unlearned source, and shuts down the port The port remains shut down until reactivated, or until the device is rebooted.

  • Trap—Select to enable traps when a packet is received on a locked port. This is relevant for lock violations. For Classic Lock, this is any new address received. For Limited Dynamic Lock, this is any new address that exceeds the number of allowed addresses.

  • Trap Frequency—Enter minimum time (in seconds) that elapses between traps.
Step 4

Click Apply. Port security is modified, and the Running Configuration file is updated.

802.1X Authentication

802.1x authentication restricts unauthorized clients from connecting to a LAN through publicity-accessible ports. 802.1x authentication is a client-server model. In this model, network devices have the following specific roles.

  • Client or supplicant

  • Authenticator

  • Authentication server

A network device can be either a client/supplicant, authenticator or both per port.

802.1X Authentication Properties

The Properties page is used to globally enable port/device authentication. For authentication to function, it must be activated both globally and individually on each port.

To define port-based authentication, follow these steps:

Procedure

Step 1

Click Security > 802.1X Authentication > Properties.

Step 2

Enter the parameters.

  • Port-Based Authentication—Enable or disable port-based authentication.

  • Authentication Method—Select the user authentication methods. The options are:

    • RADIUS, None—Perform port authentication first by using the RADIUS server. If no response is received from RADIUS, then no authentication is performed, and the session is permitted.

    • RADIUS—Authenticate the user on the RADIUS server. If no authentication is performed, the session isn’t permitted.

    • None—Don’t authenticate the user. Permit the session.

  • Guest VLAN—Select to enable the use of a guest VLAN for unauthorized ports. If a guest VLAN is enabled, all unauthorized ports automatically join the VLAN selected in the Guest VLAN ID field. If a port is later authorized, it’s removed from the guest VLAN.

    The guest VLAN can be defined as a layer 3 interface (assigned an IP address) like any other VLAN. However, device management isn’t available via the guest VLAN IP address.

  • Guest VLAN ID—Select the guest VLAN from the list of VLANs.

  • Guest VLAN Timeout—Define a time period as either Immediate or enter a value in User Defined. This value is used as follows:

    After linkup, if the software doesn’t detect the 802.1X supplicant, or the authentication has failed, the port is added to the guest VLAN, only after the Guest VLAN timeout period has expired.

    If the port state changes from Authorized to Not Authorized, the port is added to the guest VLAN only after the Guest VLAN timeout has expired.

  • Trap Settings—To enable traps, select one of more of the following options:

    • 802.1x Authentication Failure Traps—Select to generate a trap if 802.1x authentication fails.

    • 802.1x Authentication Success Traps—Select to generate a trap if 802.1x authentication succeeds.

    • MAC Authentication Failure Traps—Select to generate a trap if MAC authentication fails.

    • MAC Authentication Success Traps—Select to generate a trap if MAC authentication succeeds.

    • Supplicant Authentication Failure Traps—Select to generate a trap if supplicant authentication fails.

    • Supplicant Authentication Success Traps—Select to generate a trap if supplicant authentication succeeds.

    • Web Authentication Failure Traps—Select to generate a trap if Web authentication fails.

    • Web Authentication Success Traps—Select to generate a trap if Web authentication succeeds.

    • Web Authentication Quiet Traps—Select to generate a trap if a quiet period commences.

      The VLAN Authentication Table displays all VLANs, and indicates whether authentication has been enabled on them.
Step 3

Click Apply. The 802.1X properties are written to the Running Configuration file.

To change Enable or Disable authentication on a VLAN, click Edit and select VLAN and either Enable or Disable.

Port Authentication

The Port Authentication page enables configuration of parameters for each port. Since some of the configuration changes are only possible while the port is in Force Authorized state, such as host authentication, it’s recommended that you change the port control to Force Authorized before making changes. When the configuration is complete, return the port control to its previous state.


Note

A port with 802.1x defined on it can’t become a member of a LAG.
802.1x and Port Security can’t be enabled on same port at same time. If you enable port security on an interface, the Administrative Port Control can’t be changed to Auto mode.

To define 802.1X authentication:

Procedure

Step 1

Click Security > 802.1X Authentication > Port Authentication.

This page displays authentication settings for all ports.

In addition to the fields described on the Add page, the following fields are displayed for each port:

  • Supplicant Status—Either Authorized or Unauthorized for an interface on which 802.1x supplicant has been enabled.

  • Supplicant Credentials—Name of the credential structure used for the supplicant interface, so the possible value is any name or N/A if the supplicant isn’t enabled. If a port has a configured supplicant credential name, the value for the port control parameters is Supplicant. This value overrides any other port control information received from the port.

Step 2

Select a port and click Edit.
Step 3

Enter the parameters.

  • Interface—Select a port.

  • Current Port Control—Displays the current port authorization state. If the state is Authorized, the port is either authenticated or the Administrative Port Control is Force Authorized. Conversely, if the state is Unauthorized, then the port is either not authenticated or the Administrative Port Control is Force Unauthorized. If supplicant is enabled on an interface, the current port control is Supplicant.

  • Administrative Port Control—Select the Administrative Port Authorization state. The options are:

    • Force Unauthorized—Denies the interface access by moving the interface into the unauthorized state. The device doesn’t provide authentication services to the client through the interface.

    • Auto—Enables port-based authentication and authorization on the device. The interface moves between an authorized or unauthorized state based on the authentication exchange between the device and the client.

    • Force Authorized—Authorizes the interface without authentication.

  • RADIUS VLAN Assignment—Select to enable Dynamic VLAN assignment on the selected port.

    • Disable—Feature is not enabled.

    • Reject—If the RADIUS server authorized the supplicant, but didn’t provide a supplicant VLAN, the supplicant is rejected.

    • Static—If the RADIUS server authorized the supplicant, but didn’t provide a supplicant VLAN, the supplicant is accepted.

  • Guest VLAN—Select to enable using a guest VLAN for unauthorized ports.

  • Open Access—Select to successfully authenticate the port even though authentication fails.

  • 802.1X Based Authentication—Select to enable 802.1X authentication on the port.

  • MAC-Based Authentication—Select to enable port authentication based on the supplicant MAC address. Only 8 MAC-based authentications can be used on the port.

    Note 

    For MAC authentication to succeed, the RADIUS server supplicant username and password must be the supplicant MAC address. The MAC address must be in lower case letters and entered without the. Or - separators; for example: 0020aa00bbcc.

  • Web-Based Authentication—Select to enable web-based authentication based on the supplicant MAC address.

  • Periodic Reauthentication—Select to enable port reauthentication attempts after the specified Reauthentication Period.

  • Reauthentication Period—Enter the number of seconds after which the selected port is reauthenticated.

  • Reauthenticate Now—Select to enable immediate port reauthentication.

  • Authenticator State—Displays the defined port authorization state. The options are:

    • Initialize—In process of coming up.

    • Force-Authorized—Controlled port state is set to Force-Authorized (forward traffic).

    • Force-Unauthorized—Controlled port state is set to Force-Unauthorized (discard traffic).

      Note 

      If the port isn’t in Force-Authorized or Force-Unauthorized, it’s in Auto Mode and the authenticator displays the state of the authentication in progress. After the port is authenticated, the state is shown as Authenticated.

  • Time Range—Select to enable limiting authentication to a specific time range.

  • Time Range Name—If Time Range is selected, click the Edit button to be redirected to the time range page and select the time range name to be used.

  • Maximum WBA Login Attempts—Enter the maximum number of login attempts allowed for web-based authentication. Select either Infinite for no limit or User Defined to set a limit.

  • Maximum WBA Silence Period—Enter the maximum length of the silent period for web-based authentication allowed on the interface. Select either Infinite for no limit or User Defined to set a limit.

  • Max Hosts—Enter the maximum number of authorized hosts allowed on the interface.

    Select either Infinite for no limit, or User Defined to set a limit.

    Note 

    Set this value to 1 to simulate single-host mode for web-based authentication in multi-sessions mode.

  • Quiet Period—Enter the length of the quiet period.

  • Resending EAP—Enter the number of seconds that the device waits for a response to an Extensible Authentication Protocol (EAP) request/identity frame from the supplicant (client) before resending the request.

  • Max EAP Requests—Enter the maximum number of EAP requests that will be sent. If a response isn’t received after the defined period (supplicant timeout), the authentication process is restarted.

  • EAP Max Retries—Enter the maximum number of EAP retries that can be sent.

  • EAP Timeout—Enter the maximum time that is waited for EAP responses before timeout occurs.

  • Supplicant Timeout—Enter the number of seconds that lapses before EAP requests are resent to the supplicant.

  • Server Timeout—Enter the number of seconds that lapses before the device resends a request to the authentication server.

  • Supplicant—Select to enable 802.1X.

  • Credentials—Select credentials from the drop-down list to use for this supplicant. This parameter is available only if supplicant is enabled on the interface. Edit links to the Supplicant Credentials page where credentials can be configured.

  • Supplicant Held Timeout—Enter the time period during which the supplicant waits before restarting authentication after receiving the FAIL response from the RADIUS server.

Step 4

Click Apply. The port settings are written to the Running Configuration file.

Host and Session Authentication

The Host and Session Authentication page enables defining the mode in which 802.1X operates on the port and the action to perform if a violation has been detected.

To define 802.1X advanced settings for ports, complete the following steps:

Procedure

Step 1

Click Security > 802.1X Authentication > Host and Session Authentication.

The authentication parameters are described for all ports. All fields except the following are described in the Edit page.

  • Number of Violations—Displays the number of packets that arrive on the interface in single-host mode, from a host whose MAC address isn’t the supplicant MAC address.

Step 2

Select a port, and click Edit.
Step 3

Enter the parameters.

  • Interface—Enter a port number for which host authentication is enabled.

  • Host Authentication—Select from one of the following modes.

    • Single Host—A port is authorized if there is an authorized client. Only one host can be authorized on a port.

    • Multiple Host (802.1x)—A port is authorized if there is if there is at least one authorized client.

    • Multiple Sessions—Unlike the single-host and multi-host modes, a port in the multi-session mode does not have an authentication status. This status is assigned to each client connected to the port.

    Single Host Violation Settings—Can only be chosen if host authentication is Single Host.

  • Action on Violation—Select the action to be applied to packets arriving in Single Session/Single Host mode, from a host whose MAC address isn’t the supplicant MAC address. The options are:

    • Protect (Discard)—Discards the packets.

    • Restrict (Forward)—Forwards the packets.

    • Shutdown—Discards the packets and shuts down the port. The ports remain shut down until reactivated, or until the device is rebooted.

  • Traps—Select to enable traps.

  • Trap Frequency—Defines how often traps are sent to the host. This field can be defined only if multiple hosts are disabled.
Step 4

Click Apply. The settings are written to the Running Configuration file.

Supplicant Credentials

In addition to its capacity as an 802.1x authenticator, the switch itself can be configured as an 802.1x supplicant seeking port access permission from a neighbor. The supplicant supports the EAP MD5-Challenge method specified by RFC3748. The method authenticates a client by its name and password. When the supplicant is enabled on an interface, the interface becomes unauthorized. When the 802.1X authentication process succeeds, the interface state is changed to authorized. This page enables creating and configuring credentials that can be used by an interface configured as an 802.1x supplicant.

To add a supplicant’s credentials, complete the following steps:

Procedure

Step 1

Click Security > 802.1X Authentication > Supplicant Credentials.

Step 2

Click Add.

Step 3

Enter the following fields:

  • Credential Name—Name by which to identify the credential.

  • User Name—Enter the user name associated with the credential name.

  • Description—Enter text describing the user.

  • Password—Select the type of password: Encrypted or Plaintext and add the password.
Step 4

Click Apply and the settings are saved to the Running Configuration file.

MAC-Based Authentication Settings

MAC-based authentication is an alternative to 802.1X authentication that allows network access to devices (such as printers and IP phones) that do not have the 802.1X supplicant capability. MAC-based authentication uses the MAC address of the connecting device to grant or deny network access.

To configure MAC-based authentication, complete the following steps:

Procedure

Step 1

Click Security 802.1X Authentication > MAC-Based Authentication Settings
Step 2

Enter the following fields:

  • MAC Authentication Type—Select one of the following options:

    • EAP—Use RADIUS with EAP encapsulation for the traffic between the switch (RADIUS client) and the RADIUS server, which authenticates a MAC-based supplicant.

    • RADIUS—Use RADIUS without EAP encapsulation for the traffic between the switch (RADIUS client) and the RADIUS server, which authenticates a MAC-based supplicant.

    Username Format

    In MAC-based authentication, the supplicant's username is based on the supplicant device MAC address. The following defines the format of this MAC-based username, which is sent from the switch to the RADIUS server, as part of the authentication process.

  • Group Size—Number of ASCII characters between delimiters of the MAC address sent as a user name.

  • Group Separator—Character used as a delimiter between the defined groups of characters in the MAC address.

  • Case—Send user name in lower or upper case.

    MAC Authentication Password

  • Password—Defines the password that the switch uses for authentication via the RADIUS server. Select one of the following options:

    • Use default (Username)—Select this to use the defined username as the password.

    • Encrypted—Define a password in encrypted format.

    • Plaintext—Define a password in plaintext format.

  • Password MD5 Digest—Displays the MD5 Digest password.
Step 3

Click Apply and the settings are saved to the Running Configuration file. Click Display Sensitive Data as Plaintext to display the password if it is encrypted.

Authenticated Hosts

To view details about authenticated users, click. Security > 802.1X Authentication > Authenticated Hosts.

This page displays the following fields:

  • User Name—Supplicant names that authenticated on each port.

  • Port—Number of the port

  • Session Time (DD:HH:MM:SS)—Amount of time that the supplicant was authenticated and authorized access at the port.

  • Authentication Method—Method by which the last session was authenticated.

  • Authentication Server—RADIUS server

  • MAC Address—Displays the supplicant MAC address.

  • VLAN ID—Port’s VLAN

Locked Clients

To view clients who have been locked out because of failed login attempts and to unlock a locked client, follow these steps:

Procedure

Step 1

Click Security > 802.1X Authentication > Locked Client.

The following fields are displayed:

  • Interface—Port that is locked.

  • MAC Address—Displays the MAC address of locked station

  • Remaining Time (Sec)—The time remaining for the port to be locked.
Step 2

Select a port.
Step 3

Click Unlock.

Web Authentication Customization

This page enables designing web-based authentication pages in various languages.

You can add up to 4 languages.


Note

Up to 5 HTTP users and one HTTPS user can request web-based authentication at the same time. When these users are authenticated, more users can request authentication.

To add a language for web-based authentication, complete the following:

Procedure

Step 1

Click Security > 802.1X Authentication > Web Authentication Customization.

Step 2

Click Add.

Step 3

Select a language from the Language drop-down list.
Step 4

Select Set as Default Display Language if this language is the default language. the default language pages are displayed if the end user does not select a language.

Step 5

Click Apply and the settings are saved to the Running Configuration file.

To customize the web-authentication pages:
Step 6

Click Security > 802.1X Authentication > Web Authentication Customization.

This page displays the languages that can be customized.
Step 7

Click Edit Login Page.

Step 8

Click Edit labeled 1. The following fields are displayed:

  • Language—Displays the page’s language.

  • Color Scheme—Select one of the contrast options.

    If the Custom color scheme is selected, the following options are available:

    • Page Background Color—Enter the ASCII code of the background color. The selected color is shown in the Text field.

    • Page Text Color—Enter the ASCII code of the text color. The selected color is shown in the Text field.

    • Header and Footer Background Color—Enter the ASCII code of the header and footer background color. The selected color is shown in the Text field.

    • Header and Footer Text Color—Enter the ASCII code of the header and footer text color. The selected color is shown in the Text field.

    • Hyperlink Color—Enter the ASCII code of the hyperlink color. The selected color is shown in the Text field.

  • Current Logo Image—Displays the name of the file containing the current logo image.

  • Logo Image—Select one of the following options:

    • None—No logo

    • Default—Use the default logo.

    • Other—Select to enter a customized logo.

      If the Other logo option is selected, the following options are available:

    • Logo Image Filename—Enter the logo file name or Browse to the image.

    • Application Text—Enter text to accompany the logo.

    • Window Title Text—Enter a title for the Login page.
Step 9

Click Apply and the settings are saved to the Running Configuration file.

Step 10

Click Edit labeled 2. The following fields are displayed:

  • Invalid User Credentials—Enter the text of the message to be displayed when the end user enters an invalid username or password.

  • Service Not Available—Enter the text of the message to be displayed when the authentication service isn’t available.
Step 11

Click Apply and the settings are saved to the Running Configuration file.

Step 12

Click Edit labeled 3. The following fields are displayed:

  • Welcome Message—Enter the text of the message to be displayed when the end user logs on.

  • Instructional Message—Enter the instructions to be displayed to the end user.

  • RADIUS Authentication—Displays whether RADIUS authentication is enabled. If so, the username and password must be included in the login page.

  • Username Textbox—Select for a username textbox to be displayed.

  • Username Textbox Label—Select the label to be displayed before the username textbox.

  • Password Textbox—Select for a password textbox to be displayed.

  • Password Textbox Label—Select the label to be displayed before the password textbox.

  • Language Selection—Select to enable the end user to select a language.

  • Language Dropdown Label—Enter the label of the language selection dropdown.

  • Login Button Label—Enter the label of the login button.

  • Login Progress Label—Enter the text that will be displayed during the login process.
Step 13

Click Apply and the settings are saved to the Running Configuration file.

Step 14

Click Edit labeled 4. The following fields are displayed:

  • Terms and Conditions—Select to enable a terms and conditions text box.

  • Terms and Conditions Warning—Enter the text of the message to be displayed as instructions to enter the terms and conditions.

  • Terms and Conditions Content—Enter the text of the message to be displayed as terms and conditions.
Step 15

Click Apply and the settings are saved to the Running Configuration file.

Step 16

Edit labeled 5. The following fields are displayed:

  • Copyright—Select to enable displaying copyright text.

  • Copyright Text—Enter the copyright text.
Step 17

Click Apply and the settings are saved to the Running Configuration file.

Step 18

Click Edit Success Page.

Step 19

Click the Edit button on the right side of the page.
Step 20

Enter the Success Message, which is the text that will be displayed if the end user successfully logs in.
Step 21

Click Apply and the settings are saved to the Running Configuration file.

To preview the login or success message, click Preview.

To set the default language of the GUI interface as the default language for Web-based authentication, click Set Default Display Language.

Denial of Service Prevention

A Denial of Service (DoS) attack is a hacker attempt to make a device unavailable to its users.

DoS attacks saturate the device with external communication requests, so that it cannot respond to legitimate traffic. These attacks usually lead to a device CPU overload.

One method of resisting DoS attacks employed by the device is the use of Secure Core Technology (SCT), which is enabled by default and cannot be disabled. The Cisco device is an advanced device that handles management traffic, protocol traffic and snooping traffic, in addition to end-user (TCP) traffic. SCT ensures that the device receives and processes management and protocol traffic, no matter how much total traffic is received. This is done by rate-limiting TCP traffic to the CPU.

Security Suite Settings


Note

Before activating DoS Prevention, you must unbind all Access Control Lists (ACLs) or advanced QoS policies that are bound to a port. ACL and advanced QoS policies aren’t active when a port has DoS Protection enabled on it.

To configure DoS Prevention global settings and monitor SCT:

Procedure

Step 1

Click Security > Denial of Service Prevention > Security Suite Settings.

CPU Protection Mechanism: Enabled indicates that SCT is enabled.
Step 2

Click Details beside CPU Utilization to go to the  CPU Utilization page and view CPU resource utilization information.

Step 3

Click Edit beside TCP SYN Protection to set the feature.

Step 4

Configure the DoS Prevention settings:

  • Disable-Disable all types of Denial of Service features (except device level TCP SYN protection).

  • System-Level Prevention-Enable preventing attacks from Stacheldraht Distribution, Invasor Trojan, Back Orifice Trojan and Martian Addresses.

  • System-Level and Interface-Level Prevention-In addition to the system-level prevention, you can enable and configure the following interface-level settings: Syn Filtering, Syn Rate Protection, ICMP Filtering and IP Fragmented.

Step 5

If System-Level Prevention or System-Level and Interface-Level Prevention is selected, enable one or more of the following Denial of Service Protection options:

  • Stacheldraht Distribution-Discards TCP packets with source TCP port equal to 16660.

  • Invasor Trojan-Discards TCP packets with destination TCP port equal to 2140 and source TCP port equal to 1024.

  • Back Orifice Trojan-Discards UDP packets with destination UDP port equal to 31337 and source UDP port equal to 1024.
Step 6

Click the following as required:
Step 7

Click Apply. The Denial of Service prevention Security Suite settings are written to the Running Configuration file.

SYN Protection

The network ports might be used by hackers to attack the device in a SYN attack, which consumes TCP resources (buffers) and CPU power.

Since the CPU is protected using SCT, TCP traffic to the CPU is limited. However, if one or more ports are attacked with a high rate of SYN packets, the CPU receives only the attacker packets, thus creating Denial-of-Service.

When using the SYN protection feature, the CPU counts the SYN packets ingressing from each network port to the CPU per second.

To configure SYN protection, follow these steps:

Procedure

Step 1

Click Security > Denial of Service Prevention > SYN Protection.

Step 2

Enter the parameters.

  • Block SYN-FIN Packets-Select to enable the feature. All TCP packets with both SYN and FIN flags are dropped on all ports.

  • SYN Protection Mode-Select between three modes:

    • Disable-The feature is disabled on a specific interface.

    • Report-Generates a SYSLOG message. The status of the port is changed to Attacked when the threshold is passed

    • Block and Report-When a TCP SYN attack is identified, TCP SYN packets destined for the system are dropped and the status of the port is changed to Blocked.

  • SYN Protection Threshold-Number of SYN packets per second before SYN packets will be blocked (deny SYN with MAC-to-me rule will be applied on the port).

  • SYN Protection Period-Time in seconds before unblocking the SYN packets (the deny SYN with MAC-to-me rule is unbound from the port).

Step 3

Click Apply. SYN protection is defined, and the Running Configuration file is updated.

The SYN Protection Interface Table displays the following fields for every port or LAG (as requested by the user).

  • Current Status-Interface status. The possible values are:

    • Normal-No attack was identified on this interface.

    • Blocked-Traffic isn’t forwarded on this interface.

    • Attacked-Attack was identified on this interface.

  • Last Attack-Date of last SYN-FIN attack identified by the system and the system action.

Martian Addresses

The Martian Addresses page enables entering IP addresses that indicate an attack if they are seen on the network. Packets from these addresses are discarded. The device supports a set of reserved Martian addresses that are illegal from the point of view of the IP protocol. The supported reserved Martian addresses are:

  • Addresses defined to be illegal in the Martian Addresses page

  • Addresses that are illegal from the point of view of the protocol, such as loopback addresses, including addresses within the following ranges:

    • 0.0.0.0/8 (Except 0.0.0.0/32 as a Source Address)-Addresses in this block refer to source hosts on this network.

    • 127.0.0.0/8-Used as the Internet host loopback address

    • 192.0.2.0/24-Used as the TEST-NET in documentation and example codes

    • 224.0.0.0/4 (As a Source IP Address)-Used in IPv4 Multicast address assignments, and was formerly known as Class D Address Space.

    • 240.0.0.0/4 (Except 255.255.255.255/32 as a Destination Address)-Reserved address range, and was formerly known as Class E Address Space.

You can also add new Martian Addresses for DoS prevention. Packets that have a Martian address are discarded.

To define Martian addresses, follow these steps:

Procedure

Step 1

Click Security > Denial of Service Prevention > Martian Addresses.

Step 2

Select Reserved Martian Addresses and click Apply to include the reserved Martian Addresses in the System Level Prevention list.

Step 3

To add a Martian address click Add.

Step 4

Enter the parameters.

  • IP Version-Indicates the supported IP version. Currently, support is only offered for IPv4.

  • IP Address-Enter an IP address to reject. The possible values are:

    • From Reserved List-Select a well-known IP address from the reserved list.

    • New IP Address-Enter an IP address.

  • Mask-Enter the mask of the IP address to define a range of IP addresses to reject. The values are:

    • Network Mask-Network mask in dotted decimal format

    • Prefix Length-Enter the prefix of the IP address to define the range of IP addresses for which Denial of Service prevention is enabled.

Step 5

Click Apply.

SYN Filtering

The SYN Filtering page enables filtering TCP packets that contain a SYN flag, and are destined for one or more ports.

To define a SYN filter, complete the following steps:

Procedure

Step 1

Click Security > Denial of Service Prevention > SYN Filtering.

Step 2

Click Add.

Step 3

Enter the parameters.

  • Interface—Select the interface on which the filter is defined.

  • IPv4 Address—Enter the IP address for which the filter is defined, or select All addresses.

  • Network Mask—Enter the network mask for which the filter is enabled in IP address format. Enter one of the following:

    • Mask—Network mask in dotted decimal format

    • Prefix length—Enter the Prefix length of the IP address to define the range of IP addresses for which Denial of Service prevention is enabled.

  • TCP Port—Select the destination TCP port being filtered:

    • Known ports—Select a port from the list.

    • User Defined—Enter a port number.

    • All ports—Select to indicate that all ports are filtered.
Step 4

Click Apply. The SYN filter is defined, and the Running Configuration file is updated.

SYN Rate Protection

The SYN Rate Protection page enables limiting the number of SYN packets received on the ingress port. This can mitigate the effect of a SYN flood against servers, by rate limiting the number of new connections opened to handle packets.

To define SYN rate protection, complete the following steps:

Procedure

Step 1

Click Security > Denial of Service Prevention > SYN Rate Protection.

Step 2

Click Add.

Step 3

Enter the parameters.

  • Interface—Select the interface on which the rate protection is being defined.

  • IP Address—Enter the IP address for which the SYN rate protection is defined or select All addresses. If you enter the IP address, enter either the mask or prefix length.

  • Network Mask—Select the format for the subnet mask for the source IP address, and enter a value in one of the fields:

    • Mask—Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format.

    • Prefix length—Select the Prefix length and enter the number of bits that comprise the source IP address prefix.

  • SYN Rate Limit—Enter the number of SYN packets that be received.
Step 4

Click Apply. The SYN rate protection is defined, and the Running Configuration is updated.

ICMP Filtering

The ICMP Filtering page enables the blocking of ICMP packets from certain sources. This can reduce the load on the network in case of an ICMP attack.

To configure the ICMP filtering, complete the following steps:

Procedure

Step 1

Click Security > Denial of Service Prevention > ICMP Filtering.

Step 2

Click Add.

Step 3

Enter the parameters.

  • Interface—Select the interface on which the ICMP filtering is being defined.

  • IP Address—Enter the IPv4 address for which the ICMP packet filtering is activated or select All addresses to block ICMP packets from all source addresses. If you enter the IP address, enter either the mask or prefix length.

  • Network Mask—Select the format for the subnet mask for the source IP address, and enter a value in one of the field:

    • Mask—Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format.

    • Prefix length—Select the Prefix length and enter the number of bits that comprise the source IP address prefix.
Step 4

Click Apply. The ICMP filtering is defined, and the Running Configuration is updated.

IP Fragments Filtering

IP fragmentation occurs when the data of the network layer is too large to be transmitted over the data link layer in one piece. Then the data of the network layer is split into several pieces (fragments), and this process is called IP fragmentation.

To configure fragmented IP filtering and block fragmented IP packets, complete the following steps:

Procedure

Step 1

Click Security > Denial of Service Prevention > IP Fragments Filtering.

Step 2

Click Add.

Step 3

Enter the parameters.

  • Interface—Select the interface on which the IP fragmentation is being defined.

  • IP Address—Enter an IP network from which the fragmented IP packets is filtered or select All addresses to block IP fragmented packets from all addresses. If you enter the IP address, enter either the mask or prefix length.

  • Network Mask—Select the format for the subnet mask for the source IP address, and enter a value in one of the fields:

    • Mask—Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format.

    • Prefix length—Select the Prefix length and enter the number of bits that comprise the source IP address prefix.
Step 4

Click Apply. The IP fragmentation is defined, and the Running Configuration file is updated.

IP Source Guard

IP Source Guard is a security feature that can be used to prevent traffic attacks caused when a host tries to use the IP address of its neighbor.

When IP Source Guard is enabled, the device only transmits client IP traffic to IP addresses contained in the DHCP Snooping Binding database. This includes both addresses added by DHCP Snooping and manually-added entries. If the packet matches an entry in the database, the device forwards it. If not, it is dropped.

If IP Source Guard is enabled on a port then:

  • DHCP packets allowed by DHCP Snooping are permitted

  • If source IP address filtering is enabled:

    • IPv4 traffic: Only traffic with a source IP address that is associated with the port is permitted.

    • Non IPv4 traffic: Permitted (Including ARP packets).

IP Source Guard Properties

To enable IP Source Guard globally:

Procedure

Step 1

Click Security > IP Source Guard > Properties.
Step 2

Select Enable to enable IP Source Guard globally.

Step 3

Click Apply to enable IP Source Guard.

Interface Settings

If IP Source Guard is enabled on an untrusted port/LAG, DHCP packets, allowed by DHCP Snooping, are transmitted. If source IP address filtering is enabled, packet transmission is permitted as follows:

  • IPv4 traffic—Only IPv4 traffic with a source IP address that is associated with the specific port is permitted.

  • Non IPv4 traffic—All non-IPv4 traffic is permitted.

To configure IP Source Guard on interfaces:

Procedure

Step 1

Click Security > IP Source Guard > Interface Settings.
Step 2

Select port/LAG from the Filter field and click Go. The ports/LAGs on this unit are displayed along with the following:

  • IP Source Guard—Indicates whether IP Source Guard is enabled on the port.

  • DHCP Snooping Trusted Interface—Indicates whether this is a DHCP trusted interface.
Step 3

Select the port/LAG and click Edit. Select Enable in the IP Source Guard field to enable IP Source Guard on the interface.

Step 4

Click Apply to copy the setting to the Running Configuration file.

IP Source Guard Binding Database

IP Source Guard uses the DHCP Snooping - to check packets from untrusted ports. If the device attempts to write too many entries to the DHCP Snooping -, the excessive entries are maintained in an inactive status. Entries are deleted when their lease time expires and so inactive entries may be made active.

See DHCP Snooping/Relay.


Note

The page only displays the entries in the DHCP Snooping - defined on IP-Source-Guard-enabled ports.

To view the DHCP Snooping - and see TCAM resources consumed, complete the following:

Procedure

Step 1

Click Security > IP Source Guard > Binding Database.

The Supported IP Format and TCAM Resources Consumed will be displayed.
Step 2

The DHCP Snooping uses TCAM resources for managing the database. Complete the Insert Inactive field to select how frequently the device should attempt to activate inactive entries. It has the following options:

  • Retry Frequency—The frequency with which the TCAM resources are checked.

  • Never-Never try to reactivate inactive addresses.
Step 3

Click Apply to save the above changes to the Running Configuration and/or Retry Now to check TCAM resources.

The following entries are displayed:

  • VLAN ID—VLAN on which packet is expected.

  • MAC Address—MAC address to be matched.

  • IP Address—IP address to be matched.

  • Interface—Interface on which packet is expected.

  • Status—Displays whether interface is active.

  • Type—Displays whether entry is dynamic or static.

  • Reason—If the interface isn’t active, displays the reason. The following reasons are possible:

    • No Problem—Interface is active.

    • No Snoop VLAN—DHCP Snooping isn’t enabled on the VLAN.

    • Trusted Port—Port has become trusted.

    • Resource Problem—TCAM resources are exhausted.
Step 4

To see a subset of these entries, enter the relevant search criteria and click Go.

ARP Inspection

ARP enables IP communication within a Layer 2 Broadcast domain by mapping IP addresses to a MAC addresses.

A malicious user can attack hosts, switches, and routers connected to a Layer 2 network by poisoning the ARP caches of systems connected to the subnet and by intercepting traffic intended for other hosts on the subnet. This can happen because ARP allows a gratuitous reply from a host even if an ARP request was not received. After the attack, all traffic from the device under attack flows through the attacker's computer and then to the router, switch, or host.

Hosts A, B, and C are connected to the switch on interfaces A, B and C, all of which are on the same subnet. Their IP, MAC addresses are shown in parentheses; for example, Host A uses IP address IA and MAC address MA. When Host A needs to communicate with Host B at the IP layer, it broadcasts an ARP request for the MAC address associated with IP address IB. Host B responds with an ARP reply. The switch and Host A update their ARP cache with the MAC and IP of Host B.

Host C can poison the ARP caches of the switch, Host A, and Host B by broadcasting forged ARP responses with bindings for a host with an IP address of IA (or IB) and a MAC address of MC. Hosts with poisoned ARP caches use the MAC address MC as the destination MAC address for traffic intended for IA or IB, which enables Host C intercepts that traffic. Because Host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination. Host C has inserted itself into the traffic stream from Host A to Host B, the classic man-in-the-middle attack.

ARP Inspection Properties

To configure ARP Inspection properties:

Procedure

Step 1

Click Security > ARP Inspection > Properties.

Enter the following fields:

  • ARP Inspection Status-Select to enable ARP Inspection.

  • ARP Packet Validation-Select to enable validation checks.

  • Log Buffer Interval-Select one of the following options:

    • Retry Frequency-Enable sending SYSLOG messages for dropped packets. Entered the frequency with which the messages are sent.

    • Never-Disabled SYSLOG dropped packet messages.
Step 2

Click Apply. The settings are defined, and the Running Configuration file is updated.

ARP Inspection Interfaces Settings

Packets from untrusted ports/LAGs are checked against the ARP Access Rules table and the DHCP Snooping Binding database if DHCP Snooping is enabled (see the DHCP Snooping Binding Database).

By default, ports/LAGs are ARP Inspection untrusted.

To change the ARP trusted status of a port/LAG:

Procedure

Step 1

Click Security > ARP Inspection > Interface Settings.

The ports/LAGs and their ARP trusted/untrusted status are displayed.
Step 2

To set a port/LAG as trusted or untrusted, select the port/LAG and click Edit.

Step 3

Select Trusted or Untrusted and click Apply to save the settings to the Running Configuration file.

ARP Access Control

To add entries to the ARP Inspection table:

Procedure

Step 1

Click Security > ARP Inspection > ARP Access Control.

Step 2

To add an entry, click Add.

Step 3

Enter the fields:

  • ARP Access Control Name-Enter a user-created name.

  • IP Address-IP address of packet.

  • MAC Address-MAC address of packet.
Step 4

Click Apply. The settings are defined, and the Running Configuration file is updated.

ARP Access Control Rules

To add more rules to a previously-created ARP Access Control group:

Procedure

Step 1

Click Security > ARP Inspection > ARP Access Control Rules.

The ARP Access Control Rule Table displays, with the currently-defined access rules.

To select a specific group, select Filter, select the control name and click Go.

Step 2

To add more rules to a group, click Add.

Step 3

Select an ARP Access Control Name and enter the fields:

  • IP Address-IP address of packet.

  • MAC Address-MAC address of packet.
Step 4

Click Apply. The settings are defined, and the Running Configuration file is updated.

ARP Inspection VLAN Settings

To enable ARP Inspection on VLANs and associate Access Control Groups with a VLAN:

Procedure

Step 1

Click Security > ARP Inspection > VLAN Settings.

Step 2

To enable ARP Inspection on a VLAN, move the VLAN from the Available VLANs list to the Enabled VLANs list.
Step 3

To associate an ARP Access Control group with a VLAN, click Add. Select the VLAN number and select a previously-defined ARP Access Control Name.

Step 4

Click Apply. The settings are defined, and the Running Configuration file is updated.

IPv6 First Hop Security

IPv6 First Hop Secuity (FHS) is a suite of features designed to secure link operations in an IPv6-enabled network. It is based on the Neighbor Discovery Protocol and DHCPv6 messages.

In this feature, a Layer 2 switch filters Neighbor Discovery Protocol messages, DHCPv6 messages and user data messages according to a number of different rules.

IPv6 First Hop Security Components

IPv6 First Hop Security includes the following features:

  • IPv6 First Hop Security Common

  • RA Guard

  • ND Inspection

  • Neighbor Binding Integrity

  • DHCPv6 Guard

  • IPv6 Source Guard

These components can be enabled or disabled on VLANs. There are two empty, pre-defined policies per each feature with the following names: vlan_default and port_default. The first one is attached to each VLAN that is not attached to a user-defined policy and the second one is connected to each interface and VLAN that is not attached to a user-defined policy.

FHS Settings

Use the FHS Settings page to enable the FHS Common feature on a specified group of VLANs and to set the global configuration value for logging of dropped packets. If required, a policy can be added. The packet drop logging can be added to the system-defined default policy.

To configure IPv6 First Hop Security common parameters:

Procedure

Step 1

Click Security > IPv6 First Hop Security > FHS Settings.

The currently defined policies are displayed. For each policy, its Policy Type is displayed, which indicates whether it’s a default or user-defined policy.

Step 2

Enter the following global configuration fields:

  • FHS VLAN List—Enter one or more VLANs on which IPv6 First Hop Security is enabled.

  • Packet Drop Logging—Select to create a SYSLOG when a packet is dropped by a First Hop Security policy. This is the global default value if no policy is defined.

Step 3

Click Apply to add the settings to the Running Configuration file.

Step 4

Create a FHS policy if required by clicking Add.

Enter the following fields:

  • Policy Name—Enter a user-defined policy name.

  • Packet Drop Logging—Select to create a SYSLOG when a packet is dropped as a result of a First Hop Security feature within this policy.

    • Inherited—Use the value from the VLAN or the global configuration.

    • Enable—Create a SYSLOG when a packet is dropped as a result of First Hop Security.

    • Disable—Don’t create a SYSLOG when a packet is dropped as a result of First Hop Security.
Step 5

Click Apply to add the settings to the Running Configuration file.

Step 6

To attach this policy to an interface:

RA Guard Settings

Use the RA Guard Settings page to enable the RA Guard feature on a specified group of VLANs and to set the global configuration values for this feature. If required, a policy can be added or the system-defined default RA Guard policies can be configured in this page.

To configure RA Guard:

Procedure

Step 1

Click Security > IPv6 First Hop Security > RA Guard Settings.

The currently defined policies are displayed. For each policy, its Policy Type is displayed, which indicates whether it’s a default or user-defined policy.

Step 2

Enter the following global configuration field:

  • RA Guard VLAN List—Enter one or more VLANs on which RA Guard is enabled.

    Enter the other configuration fields that are described below.
Step 3

To add a policy, click Add and enter the fields:

  • Policy Name—Enter a user-defined policy name.

  • Device Role—Displays one of the following options to specify the role of the device attached to the port for RA Guard.

    • Inherited—Device role is inherited from either the VLAN or system default (client).

    • Host—Device role is host.

    • Router—Device role is router.

  • Managed Configuration Flag—This field specifies verification of the advertised Managed Address Configuration flag within an IPv6 RA Guard policy.

    • Inherited—Feature is inherited from either the VLAN or system default (client).

    • No Verification—Disables verification of the advertised Managed Address Configuration flag.

    • On—Enables verification of the advertised Managed Address Configuration flag.

    • Off—The value of the flag must be 0.

  • Other Configuration Flag—This field specifies verification of the advertised Other Configuration flag within an IPv6 RA Guard policy.

    • Inherited—Feature is inherited from either the VLAN or system default (client).

    • No Verification—Disables verification of the advertised Other Configuration flag.

    • On—Enables verification of the advertised Managed Other flag.

    • Off—The value of the flag must be 0.

  • RA Address List—Specify the list of addresses to filter:

    • Inherited—Value is inherited from either the VLAN or system default (no verification).

    • No Verification—Advertised addresses aren’t verified.

    • Match List—IPv6 address list to be matched.

  • RA Prefix List—Specify the list of addresses to filter:

    • Inherited—Value is inherited from either the VLAN or system default (no verification).

    • No Verification—Advertised prefixes aren’t verified.

    • Match List—Prefix list to be matched.

  • Minimal Hop Limit—Indicates if the RA Guard policy checks that the minimum hop limit of the packet received.

    • Inherited—Feature is inherited from either the VLAN or system default (client).

    • No Limit—Disables verification of the lower boundary of the hop count limit.

    • User Defined—Verifies that the hop-count limit is greater than or equal to this value.

  • Maximal Hop Limit—Indicates if the RA Guard policy checks that the maximum hop limit of the packet received.

    • Inherited—Feature is inherited from either the VLAN or system default (client).

    • No Limit—Disables verification of the high boundary of the hop-count limit.

    • User Defined—Verifies that the hop-count limit is less than or equal to this value. The value of the high boundary must be equal or greater than the value of the low boundary.

  • Minimal Router Preference—This field indicates whether the RA Guard policy verifies the minimum advertised Default Router Preference value in RA messages within an RA Guard policy.

    • Inherited—Feature is inherited from either the VLAN or system default (client).

    • No Verification—Disables verification of the low boundary of Advertised Default Router Preference.

    • Low—Specifies the minimum allowed Advertised Default Router Preference value. The following values are acceptable: low, medium, and high (see RFC4191).

    • Medium—Specifies the minimum allowed Advertised Default Router Preference value. The following values are acceptable: low, medium, and high (see RFC4191).

    • High—Specifies the minimum allowed Advertised Default Router Preference value. The following values are acceptable: low, medium, and high (see RFC4191).

  • Maximal Router Preference—This field indicates whether the RA Guard policy verifies the maximum advertised Default Router Preference value in RA messages within an RA Guard policy.

    • Inherited—Feature is inherited from either the VLAN or system default (client).

    • No Verification—Disables verification of the high boundary of Advertised Default Router Preference.

    • Low—Specifies the maximum allowed Advertised Default Router Preference value. The following values are acceptable: low, medium, and high (see RFC4191).

    • Medium—Specifies the maximum allowed Advertised Default Router Preference value. The following values are acceptable: low, medium, and high (see RFC4191).

    • High—Specifies the maximum allowed Advertised Default Router Preference value. The following values are acceptable: low, medium, and high (see RFC4191).

Step 4

Click Apply to add the settings to the Running Configuration file.

Step 5

To configure system-defined default policies or existing user defined policy select the policy in the policy table and click Edit.
Step 6

To attach this policy to an interface:

DHCPv6 Guard Settings

Use the DHCPv6 Guard Settings page to enable the DHCPv6 Guard feature on a specified group of VLANs and to set the global configuration values for this feature. If required, a policy can be added or the system-defined default DHCPv6 Guard policies can be configured in this page.

To configure DHCPv6 Guard:

Procedure

Step 1

Click Security > IPv6 First Hop Security > DHCPv6 Guard Settings.

The currently defined policies are displayed. For each policy, its Policy Type is displayed, which indicates whether it’s a default or user-defined policy.

Step 2

Enter the following global configuration fields:

  • DHCPv6 Guard VLAN List—Enter one or more VLANs on which DHCPv6 Guard is enabled.

  • Device Role—Displays the device role. See definition in the Add page.

  • Minimal Preference—This field indicates whether the DHCPv6 Guard policy checks the minimum advertised preference value of the packet received.

    • No Verification—Disables verification of the minimum advertised preference value of the packet received.

    • User Defined—Verifies that the advertised preference value is greater than or equal to this value. This value must be less than the Maximal Preference value.

  • Maximal Preference—This field indicates whether the DHCPv6 Guard policy checks the maximum advertised preference value of the packet received. This value must be greater than the Minimal Preference value.

    • No Verification—Disables verification of the lower boundary of the hop count limit.

    • User Defined—Verifies that the advertised preference value is less than or equal to this value.
Step 3

Click Apply to add the settings to the Running Configuration file.

The existing policies are displayed. The fields are displayed below except for the Policy Type field. This displays whether the policy is user-defined or a default one.

Step 4

If required, click Add to create a DHCPv6 policy.

Step 5

Enter the following fields:

  • Policy Name—Enter a user-defined policy name.

  • Device Role—Select either Server or Client to specify the role of the device attached to the port for DHCPv6 Guard.

    • Inherited—Role of device is inherited from either the VLAN or system default (client).

    • Client—Role of device is client.

    • Server—Role of device is server.

  • Match Reply Prefixes—Select to enable verification of the advertised prefixes in received DHCP reply messages within a DHCPv6 Guard policy.

    • Inherited—Value is inherited from either the VLAN or system default (no verification).

    • No Verification—Advertised prefixes aren’t verified.

    • Match List—IPv6 prefix list to be matched.

  • Match Server Address—Select to enable verification of the DHCP server's and relay’s IPv6 address in received DHCP reply messages within a DHCPv6 Guard policy.

    • Inherited—Value is inherited from either the VLAN or system default (no verification).

    • No Verification—Disables verification of the DHCP server's and relay’s IPv6 address.

    • Match List— IPv6 prefix list to be matched.

  • Minimal Preference—This field indicates whether the DHCPv6 Guard policy checks the minimum advertised preference value of the packet received.

    • Inherited—Minimal preference is inherited from either the VLAN or system default (client).

    • No Verification—Disables verification of the minimum advertised preference value of the packet received.

    • User Defined—Verifies that the advertised preference value is greater than or equal to this value. This value must be less than the Maximal Preference value.

  • Maximal Preference—This field indicates whether the DHCPv6 Guard policy checks the maximum advertised preference value of the packet received. This value must be greater than the Minimal Preference value.

    • Inherited—Minimal preference is inherited from either the VLAN or system default (client).

    • No Verification—Disables verification of the lower boundary of the hop count limit.

    • User Defined—Verifies that the advertised preference value is less than or equal to this value.
Step 6

Click Apply to add the settings to the Running Configuration file.

Step 7

To attach this policy to an interface:

ND Inspection Settings

Use the Neighbor Discovery (ND) Inspection Settings page to enable the ND Inspection feature on a specified group of VLANs and to set the global configuration values for this feature. If required, a policy can be added or the system-defined default ND Inspection policies can be configured in this page.

To configure ND Inspection:

Procedure

Step 1

Click Security > IPv6 First Hop Security > ND Inspection Settings.

The existing policies are displayed. The fields are displayed below except for the Policy Type field. This displays whether the policy is user-defined or a default one.

Step 2

Enter the following global configuration fields:

  • ND Inspection VLAN List—Enter one or more VLANs on which ND Inspection is enabled.

  • Device Role—Displays the device role that is explained below.

  • Drop Unsecure—Select to enable dropping messages with no CGA or RSA Signature option within an IPv6 ND Inspection policy.

  • Minimal Security Level—If unsecure messages aren’t dropped, select the security level below which messages aren’t forwarded.

    • No Verification—Disables verification of the security level.

    • User Defined—Specify the security level of the message to be forwarded.

  • Validate Source MAC—Select to globally enable checking source MAC address against the link-layer address.
Step 3

Click Apply to add the settings to the Running Configuration file.

Step 4

If required, click Add to create an ND Inspection policy.

Step 5

Enter the following fields:

  • Policy Name—Enter a user-defined policy name.

  • Device Role—Select one of the following to specify the role of the device attached to the port for ND Inspection.

    • Inherited—Role of device is inherited from either the VLAN or system default (client).

    • Host—Role of device is host.

    • Router—Role of device is router.

  • Drop Unsecure—Select one of following options:

    • Inherited—Inherit value from VLAN or system default (disabled).

    • Enable—Enable dropping messages with no CGA or RSA Signature option within an IPv6 ND Inspection policy.

    • Disable—Disable dropping messages with no CGA or RSA Signature option within an IPv6 ND Inspection policy.

  • Minimal Security Level—If unsecure messages aren’t dropped, select the security level below which messages aren’t forwarded.

    • Inherited—Inherit value from VLAN or system default (disabled).

    • No Verification—Disables verification of the security level.

    • User Defined—Specify the security level of the message to be forwarded.

  • Validate Source MAC—Specify whether to globally enable checking source MAC address against the link-layer address:

    • Inherited—Inherit value from VLAN or system default (disabled).

    • Enable—Enable checking source MAC address against the link-layer address.

    • Disable—Disable checking source MAC address against the link-layer address.
Step 6

Click Apply to add the settings to the Running Configuration file.

Step 7

To attach this policy to an interface:

Neighbor Binding Settings

The Neighbor Binding table is a database table of IPv6 neighbors connected to a device is created from information sources, such as Neighbor Discovery Protocol (NDP) snooping. This database, or binding, table is used by various IPv6 guard features to prevent spoofing and redirect attacks.

Use the Neighbor Binding Settings page to enable the Neighbor Binding feature on a specified group of VLANs and to set the global configuration values for this feature. If required, a policy can be added or the system-defined default Neighbor Binding policies can be configured in this page.

To configure Neighbor Binding:

Procedure

Step 1

Click Security > IPv6 First Hop Security > Neighbor Binding Settings.

Step 2

Enter the following global configuration fields:

Neighbor Binding VLAN List

Enter one or more VLANs on which Neighbor Binding is enabled.

Device Role

Displays the device global default role (Perimeter).

Neighbor Binding Lifetime

Enter the length of time that addresses remain in the Neighbor Bindings table.

Neighbor Binding Logging

Select to enable logging of Neighbor Binding table main events.

Address Prefix Validation

Select to enable IPv6 Source Guard validation of addresses.

Global Address Binding Configuration

Binding from NDP Messages

To change the global configuration of allowed configuration methods of global IPv6 addresses within an IPv6 Neighbor Binding policy, select one of the following options:

  • Any—Any configuration methods (stateless and manual) are allowed for global IPv6 bound from NDP messages.

  • Stateless—Only stateless auto configuration is allowed for global IPv6 bound from NDP messages.

  • Disable—Binding from NDP messages is disabled.

Binding from DHCPv6 Messages

Binding from DHCPv6 is allowed.

Neighbor Binding Entry Limits

Entries per VLAN

Select Inherited to use global value, No Limit to set no limit on the number of entries and User Defined to set a special value for this policy.

Entries per Interface

Select Inherited to use global value, No Limit to set no limit on the number of entries and User Defined to set a special value for this policy.

Entries per MAC Address

Select Inherited to use global value, No Limit to set no limit on the number of entries and User Defined to set a special value for this policy.

Step 3

Click Apply to add the settings to the Running Configuration file.

Step 4

If required, click Add to create a Neighbor Binding policy.

Step 5

Enter the following fields:

Policy Name

Enter a user-defined policy name.

Device Role

Select one of the following options to specify the role of the device attached to the port for the Neighbor Binding policy.

  • Inherited—Role of device is inherited from either the VLAN or system default (client).

  • Perimeter—Port is connected to devices not supporting IPv6 First Hop Security.

  • Internal—Port is connected to devices supporting IPv6 First Hop Security.

Neighbor Binding Logging

Select one of the following options to specify logging:

  • Inherited—Logging option is the same as the global value.

  • Enable—Enable logging of Binding table main events.

  • Disable—Disable logging of Binding table main events.

Address Prefix Validation

Select one of the following options to specify validation of addresses:

  • Inherited—Validation option is the same as the global value.

  • Enable—Enable validation of addresses.

  • Disable—Disable validation of addresses

Global Address Binding Configuration

Inherit Address Binding Settings

Enable to use the global address binding settings.

Binding from NDP Messages

To change the global configuration of allowed configuration methods of global IPv6 addresses within an IPv6 Neighbor Binding policy, select one of the following options:

  • Any—Any configuration methods (stateless and manual) are allowed for global IPv6 bound from NDP messages.

  • Stateless—Only stateless auto configuration is allowed for global IPv6 bound from NDP messages.

  • Disable—Binding from NDP messages is disabled.

Binding from DHCPv6 Messages

Select to enable binding from DHCPv6.

Neighbor Binding Entry Limits

Entries per VLAN

Select Inherited to use global value, No Limit to set no limit on the number of entries and User Defined to set a special value for this policy.

Entries per Interface

Select Inherited to use global value, No Limit to set no limit on the number of entries and User Defined to set a special value for this policy.

Entries per MAC Address

Select Inherited to use global value, No Limit to set no limit on the number of entries and User Defined to set a special value for this policy.

Step 6

Click Apply to add the settings to the Running Configuration file.

Step 7

To attach this policy to an interface:

Attach Policy to VLAN

Click to jump to Policy Attachment (VLAN) page where you can attach this policy to a VLAN.

Attach Policy to Interface

Click to jump to Policy Attachment (Port) page where you can attach this policy to a port.

IPv6 Source Guard Settings

Use the IPv6 Source Guard Settings page to enable the IPv6 Source Guard feature on a specified group of VLANs. If required, a policy can be added or the system-defined default IPv6 Source Guard policies can be configured in this page.

To configure IPv6 Source Guard:

Procedure

Step 1

Click Security > IPv6 First Hop Security > IPv6 Source Guard Settings.

The existing policies are displayed. The fields are displayed below except for the Policy Type field. This displays whether the policy is user-defined or a default one.

Step 2

Enter the following global configuration fields:

  • IPv6 Source Guard VLAN List—Enter one or more VLANs on which IPv6 Source Guard is enabled.

  • Port Trust—Displays that by default the policies are for untrusted ports. This can be changed per policy.
Step 3

If required, click Add to create a First Hop Security policy.

Step 4

Enter the following fields:

  • Policy Name—Enter a user-defined policy name.

  • Port Trust—Select the port trust status of the policy:

    • Inherited—When policy is attached to a port it’s untrusted).

    • Trusted—When policy is attached to a port it’s trusted.
Step 5

Click Apply to attach the policy.

Step 6

To attach this policy to an interface click Attach Policy to Interface.

Policy Attachment (VLAN)

To attach a policy to one or more VLANs:

Procedure

Step 1

Click Security > IPv6 First Hop Security > Policy Attachment (VLAN).

The list of policies that are already attached are displayed along with their Policy Type, Policy Name and VLAN List.
Step 2

To attach a policy to a VLAN, click Add and enter the following fields:

  • Policy Type—Select the policy type to attach to the interface.

  • Policy Name—Select the name of the policy to attach to the interface.

  • VLAN List—Select the VLANs to which the policy is attached.
Step 3

Click Apply to add the settings to the Running Configuration file.

Policy Attachment (Port)

To attach a policy to one or more ports or LAGs:

Procedure

Step 1

Click Security > IPv6 First Hop Security > Policy Attachment (Port).

The list of policies that are already attached are displayed along with their Interface, Policy Type, Policy Name and VLAN List.

Step 2

To attach a policy to a port or LAG, click Add and enter the following fields:

  • Interface—Select the interface on which the policy will be attached.

  • Policy Type—Select the policy type to attach to the interface.

  • Policy Name—Select the name of the policy to attach to the interface.

  • VLAN List—Select the VLANs to which the policy is attached.
Step 3

Click Apply to add the settings to the Running Configuration file.

Neighbor Binding Table

To view entries in the Neighbor Binding table:

Procedure

Step 1

Click Security > IPv6 First Hop Security > Neighbor Binding Table
Step 2

Select one of the following clear table options:

  • Static Only—Clear all static entries in the table.

  • Dynamic Only—Clear all dynamic entries in the table.

  • All Dynamic & Static—Clear all dynamic and static entries in the table.

    The following fields are displayed for each policy (only fields not on Add page are displayed:

  • Origin—Protocol that added the IPv6 address (only available for dynamic entries):

    • Static—Added manually.

    • NDP—Learnt from Neighbor Discovery Protocol messages

    • DHCP—Learnt from DHCPv6 protocol messages

  • State—State of the entry:

    • Tentative—The new host IPv6 address is under validation. Since its lifetime is less than 1 sec its expiration time isn’t displayed.

    • Valid—The host IPv6 address was bound.

  • Expiry Time (Sec.)—Remaining time in seconds until the entry will be removed, if it’s not confirmed.

  • TCAM Overflow—Entries marked as No don’t have a TCAM overflow.
Step 3

To add a policy, click Add and enter the following fields:

  • VLAN ID—VLAN ID of the entry.

  • IPv6 Address—Source IPv6 address of the entry.

  • Interface—Port on which packet is received.

  • MAC Address—Neighbor MAC address of the packet.
Step 4

Click Apply to add the settings to the Running Configuration file.

Neighbor Prefix Table

You can add static prefixes for global IPv6 addresses bound from NDP messages in the Neighbor Prefix table. Dynamic entries are learned.

To add entries to the Neighbor Prefix table:

Procedure

Step 1

Click Security > IPv6 First Hop Security > Neighbor Prefix Table.
Step 2

Select one of the following options in the Clear Table field to clear the Neighbor Prefix table:

  • Static Only—Clear only static entries.

  • Dynamic Only—Clear only dynamic entries.

  • All Dynamic & Static—Clear static and dynamic entries.
Step 3

The following fields are displayed for the exiting entries:

  • VLAN ID—VLAN on which the prefixes are relevant.

  • IPv6 Prefix—IPv6 prefix.

  • Prefix Length—IPv6 prefix length.

  • Origin—Entry is dynamic (learned) or static (manually configured).

  • Autoconfig—The prefix can be used for stateless configuration.

  • Expiry Time (Sec)—Length of time entry remains before being deleted.
Step 4

Click Add to add a new entry to the table and enter the above fields for the new entry.

FHS Status

To display the global configuration for the FHS features:

Procedure

Step 1

Click Security > IPv6 First Hop Security > FHS Status.
Step 2

Select a port, LAG or VLAN for which the FHS state is reported.
Step 3

The following fields are displayed for the selected interface:

FHS Status

FHS State on Current VLAN

Is FHS enabled on the current VLAN

Packet Drop Logging

Is this feature enabled for the current interface (at the level of global configuration or in a policy attached to the interface)

RA Guard Status

RA Guard State on Current VLAN

Is RA Guard enabled on the current VLAN?

Device Role

RA device role.

Managed Configuration Flag

Is verification of the managed configuration flag enabled?

Other Configuration Flag

Is verification of the other configuration flag enabled?

RA Address List

RA address list to be matched.

RA Prefix List

RA prefix list to be matched.

Minimal Hop Limit

Is minimum RA hop limit verification enabled?

Maximal Hop Limit

Is maximum RA hop limit verification enabled?

Minimal Router Preference

Is minimum router preference verification enabled?

Maximal Router Preference

Is maximum router preference verification enabled?

DHCPv6 Guard Status

DHCPv6 Guard State on Current VLAN

Is DHCPv6 Guard enabled on the current VLAN?

Device Role

DHCP device role

Match Reply Prefixes

Is DHCP reply prefixes verification enabled?

Match Server Address

Is DHCP server addresses verification enabled?

Minimal Preference

Is verification of the minimal preference enabled?

Maximal Preference

Is verification of the maximum preference enabled?

ND Inspection Status

ND Inspection State on Current VLAN

Is ND Inspection enabled on the current VLAN?

Device Role

ND Inspection device role.

Drop Unsecure

Are unsecure messages dropped?

Minimal Security Level

If unsecure messages aren’t dropped, what is the minimum security level for packets to be forwarded?

Validate Source MAC

Is source MAC address verification enabled?

Neighbor Binding Status

Neighbor Binding State on Current VLAN

Is Neighbor Binding enabled on the current VLAN?

Device Role

Neighbor Binding device role.

Logging Binding

Is logging of Neighbor Binding table events enabled?

Address Prefix Validation

Is address prefix validation enabled?

Global Address Configuration

Which messages are validated?

Max Entries per VLAN

Maximum number of dynamic Neighbor Binding table entries per VLAN allowed.

Max Entries per Interface

Maximum number of Neighbor Binding table entries per interface allowed.

Max Entries per MAC Address

Maximum number of Neighbor Binding table entries per MAC address allowed.

IPv6 Source Guard Status

IPv6 Source Guard State on Current VLAN

Is IPv6 Source Guard enabled on the current VLAN?

Port Trust

Whether the port is trusted and how it received its trusted status.

FHS Statistics

To display FHS statistics:

Procedure

Step 1

Click Security > IPv6 First Hop Security > FHS Statistics.
Step 2

Select the Refresh Rate, the time period that passes before the statistics are refreshed.
Step 3

The following global overflow counters are displayed:

Neighbor Binding Table

Number of entries that could not be added to this table because the table reached its maximum size.

Neighbor Prefix Table

Number of entries that could not be added to this table because the table reached its maximum size.

TCAM

Number of entries that could not be added because of TCAM overflow.
Step 4

Select an interface and the following fields are displayed:

NDP (Neighbor Discovery Protocol) Messages

The number of received and dropped messages are displayed for the following types of messages:

  • RA—Router Advertisement messages

  • REDIR—Redirect messages

  • NS—Neighbor Solicitation messages.

  • NA—Neighbor Advertisement messages.

  • RS—Router Solicitation message.

DHCPv6 Messages

The number of received and dropped messages are displayed for the following types of DHCPv6 messages:

  • ADV— Advertise messages

  • REP—Reply messages

  • REC—Reconfigure messages

  • REL-REP—Relay reply messages

  • LEAS-REP—Lease query reply messages

  • RLS—Released messages

  • DEC—Decline messages

The following fields are displayed in the FHS Dropped Message Table

Feature

Type of message dropped (DHCPv6 Guard, RA Guard and so on).

Count

Number of messages dropped.

Reason

Reason that the messages dropped.
Step 5

Click Clear Interface Counters or Clear All Interface Counters or Clear Global Counters to clear the counters.

Step 6

Click Refresh to refresh the counters.

Certificate Settings

The Cisco Business Dashboard Probe (CBD) and Plug-n-Play (PNP) features require CA certificates to establish HTTPS communication with the CBD or PNP servers. The Certificate Settings feature allows these applications and device managers to do the following:

  • Install trusted CA certificates and to remove certificates that are no longer wanted

  • Statically add certificates to device configuration file

  • Manage a revocation list of untrusted certificates


Note
The validity of the certificates is based on the system clock. Use the default system clock or it does not provide proper validation. Therefore, make sure the system clock is based on device Real time clock (if supported) or was actively set since the last reboot (preferably via SNTP service). If the system clock is not based on RTC or was not set since last reboot validation of certificate will fail, even if the system clock is within the validity date of the certificate.
Dynamic Certificates

The CBD and PNP applications can install dynamic trusted certificates to the device memory. The installed certificate must include the following attributes:

  • Certificate name - A string that is used to identify the certificate.

  • Owner - The application name that installed the certificate (for example, PNP, CBD)

  • The certificate itself in PEM format.

An application can also delete a specific or all dynamic certificates installed by that application.

Considerations

  • Up to 512 dynamic certificates can be installed on the device.

  • Dynamic certificates are removed when the device reboots

Static Certificates

If an application wants to add a certificate that will not be deleted on reset, or if a user of the switch wants to add a certificate, they can add a static certificate. These certificates are saved in the device running configuration and can be copied to the startup configuration.

Adding a static certificate requires providing the following attributes:

  • Certificate name - This is a string that is used to identify the certificate.

  • Owner - the name of the application that installed the certificate (for example, PNP, CBD), or "static" if certificate is added by a user.

  • The certificate itself in PEM format.

Considerations

  • Up to 256 static certificates can be installed on the device.

  • It is possible for identical certificates to be added by different applications or users as long as the names used to identify them are different.

CA Certificate Setting

Users can access information on all installed certificates (dynamic and static). The following information is displayed per each certificate:

Procedure

Step 1

Click Security > Certificate Settings > CA Certificate Settings.

Step 2

To import a new certificate, click Add and complete the following:

  • Certificate Name—Enter the name of the certificate.

  • Certificate—Paste the certificate in PEM format (including the begin and end marker lines).

Step 3

Click Apply to apply the new settings.

Step 4

To view the details of an existing certificate, select the certificate from the list and click Details. The following will be displayed:

Option Description

Certificate Name

The name or unique identifier of the certificate.

Type

This can be signer, static or dynamic.

Owner

This can be signer, static, CBD or PNP

Version

The version of the certificate.

Serial Number

The serial number of the certificate.

Status

The status of the certificate.

Valid From

The date and time from which certificate is valid,

Valid To

The date and time until which the certificate is valid.

Issuer

The entity or CA that signed the certificate.

Subject

Distinguished name (DN) information for the certificate.

Public Key Type

The type of the public key.

Public Key Length

The length (in bits) of the public key.

Signature Algorithm

The cryptographic algorithm used by the CA to sign the certificate.

Certificate

The certificate details in PEM format.
Step 5

You can use the following filters to find a specific certificate.

  • Type equals to—Check this box and select Signer, Static, or Dynamic from the drop-down list, to filter by these certificate types.

  • Owner equals to—Paste the certificate in PEM format (including the begin and end marker lines).

Step 6

To remove one or more certificates select the certificate(s) and press Delete. Only Static certificates can be deleted.

CA Revocation List

If a certificate becomes untrusted for any reason, it can be added to the revocation list by the user or one of the applications. If a certificate is included in the revocation list, it is considered non-valid and the device will not allow it to be used. Adding a certificate to the revocation list will not remove the revoked certificate from the certificate database. It will only update its status to Not Valid (Revoked). When a certificate is removed from the revocation list, its status is automatically updated in the certificate database. There is no need to re-install it.

To add or remove a certificate to/from the revocation list, complete the following:

Procedure

Step 1

Click Security > Certificate Settings > CA Certificate Revocation List.

Step 2

Click Add to open the Add Revoked Certificate dialog box

Step 3

Provide the following details:

  • Issuer—The string identifying the issuer (for example: "C=US, O=MyTrustOrg, CN=MyCommonName") (1-160 chars).

  • Serial Number—The serial number of the revoked certificate. This is a string of hexadecimal pairs (length 2-32).
Step 4

Click Apply to add the certificate.

Considerations

  • Up to 512 certificates can be added to the revocation list.

  • All certificates that match the entry in the revocation list are considered not valid (even if they are identified under different names in the certificate database).

Step 5

To delete an existing certificate, select the certificate from the Revoked CA Certificate Table and click Delete. Next, click Apply to apply the new settings.