Config# no restrict web-mgmt | Cisco Systems OL-5650-02 manual

Chapter 1 Controlling CSS Access

Controlling Administrative Access to the CSS

•no restrict xml - Enables the transfer of XML configuration files to the CSS through unsecure HTTP connections (disabled by default).

•no restrict web-mgmt- Enables Device Management user interface access to the CSS (disabled by default).

Note Disable Telnet access when you want to use the Secure Shell Host (SSH) server. For information about configuring SSH, refer to Chapter 2, Configuring the Secure Shell Daemon Protocol.

For example, to enable Device Management user interface access, enter:

(config)# no restrict web-mgmt

Refer to the Cisco Content Services Switch Administration Guide for details on configuring the Simple Network Management Protocol (SNMP) features on your CSS. For details on making web-based configuration changes to the CSS using Extensible Markup Language (XML), refer to the Cisco Content Services Switch Administration Guide. For details on using the Device Management user interface, refer to the Cisco Content Services Switch Device Management User’s Guide.

Disabling Administrative Access to the CSS

To disable console, FTP, SNMP, SSH, Telnet, user database, secure and unsecure XML, and web management access to the CSS, use the following restrict commands:

•restrict console - Disables console access to the CSS (enabled by default).

•restrict ftp - Disables FTP access to the CSS (enabled by default).

•restrict snmp - Disables SNMP access to the CSS (enabled by default).

•restrict ssh - Disables SSHD access to the CSS (enabled by default).

•restrict telnet - Disables Telnet access to the CSS (enabled by default).

•restrict user-database- Prevents users from clearing the running-config file and creating or modifying usernames. Only administrator and technician users can perform these tasks (enabled by default).

		Cisco Content Services Switch Security Configuration Guide
		Cisco Content Services Switch Security Configuration Guide
	OL-5650-02			1-11
	OL-5650-02			1-11

Image 35

Cisco Systems OL-5650-02 manual Disabling Administrative Access to the CSS, Config# no restrict web-mgmt

Contents

Cisco Content Services Switch Security Configuration Guide Cisco Content Services Switch Security Configuration Guide Iii N T E N T S ACL Overview Configuring the CSS as a Client of a Radius Server Configuring Firewall Load Balancing Vii Example of Fwlb Viii B L E S OL-5650-02 Preface Xii How to Use This GuideAudience Xiii Related Documentation Xiv Rmon Document Title Description Xvi Symbols and Conventions Xvii Obtaining DocumentationCisco.com Xviii Documentation FeedbackDocumentation DVD Ordering Documentation Xix Reporting Security Problems in Cisco ProductsCisco Product Security Overview Cisco Technical Support Website Obtaining Technical Assistance Xxi Submitting a Service Request Xxii Definitions of Service Request Severity Xxiii Xxiv Controlling CSS Access Config# username-offdm bobo password secret Changing the Administrative Username and Password Config# username picard password captain superuser Creating Usernames and Passwords Controlling CSS Access Creating Usernames and Passwords Config# username picard password flute superuser Config# username picard password captain superuser NwbnnnrConfig# no username picard Controlling Remote User Access to the CSS Configuring Virtual Authentication #config virtual authentication secondary local Configuring Console Authentication#config virtual authentication primary tacacs #config no console authentication #config console authentication primary tacacs#config console authentication secondary local Enabling Administrative Access to the CSS Controlling Administrative Access to the CSS Config# no restrict web-mgmt Disabling Administrative Access to the CSS Config# restrict telnet Controlling CSS Network Traffic Through Access Control Lists ACL Overview ACL ACL Configuration Quick Start Config-acl7#apply circuit-VLAN1 Config-acl7#clause 10 deny any any destination range 20Config-acl7#clause 15 permit any any destination any Creating an ACL Deleting an ACL Config# acl disableConfig-acl7#remove circuit-VLAN1 Configuring Clauses Cisco Content Services Switch Security Configuration Guide Variables Options Parameters Destination content ownername/ rulename for an Variables OptionsParameters Show group ? Variables Options Parameters Prefer Adding a Clause When ACLs are Globally Enabled Deleting a Clause Config-acl7remove circuit-VLAN1Config-acl7apply circuit-VLAN1 Applying an ACL to a Circuit or DNS Queries Removing an ACL from Circuits or DNS Queries Enabling ACLs on the CSS Showing ACLs Disabling ACLs on the CSS Field Description Logging ACL Activity Setting the Show ACL Counters to Zero Config-acl7#clause 1 log disable Config-acl7#clause 1 log enable ACL Example Config# no logging subsystem acl Configuring Network Qualifier Lists for ACLs Adding Networks to an NQL Creating an NQLDescribing an NQL Config-nqlbypassnql#no ip address 192.168.0.0/16 Config# logging subsystem nql level debug-7 Adding an NQL to an ACL Clause Showing NQL Configurations Configuring the Secure Shell Daemon Protocol # license Enabling SSH Config# no restrict ssh Configuring SSH AccessConfiguring Sshd in the CSS Configuring Sshd Keepalive Configuring Sshd Server-Keybits Configuring Sshd Port Config# sshd version Configuring Sshd VersionConfig# sshd server-keybits Config# no sshd server-keybits # show sshd config Configuring Telnet Access When Using SshdShowing Sshd Configurations Config# no restrict telnet # show sshd sessions # show sshd version Ptyfd Radius Server Configuring the CSS as a Client of a Radius Server Config# radius-server secondary 172.27.56.79 secret Hello Radius Configuration Quick StartConfig# radius-server primary 172.27.56.76 secret Hello #config virtual authentication primary radius Configuring a Radius Server for Use with the CSS Configuring Authorization Settings Configuring Authentication Settings Specifying a Primary Radius Server Specifying a Secondary Radius Server Config# no radius-server primaryConfig# no radius-server secondary Config# no radius-server timeout Configuring the Radius Server TimeoutsConfiguring the Radius Server Retransmits Config# radius-server timeout Config# no radius-server dead-time Configuring the Radius Server Dead-TimeConfig# no radius-server retransmit Config# radius-server dead-time DOWN, Unknown Config# show radius statistics secondary 3describes the fields in the show radius statistics output OL-5650-02 TACACS+ Server TACACS+ Configuration Quick Start Config# show tacacs-server Configuring Authorization Settings Configuring Global TACACS+ Attributes #config no tacacs-server timeout Setting the Global CSS TACACS+ Timeout Period#config tacacs-server timeout #config no tacacs-server key Setting the Global TACACS+ Keepalive Frequency#config tacacs-server key market #config tacacs-server key acskefterefesdtx Defining a TACACS+ Server Config# no tacacs-server frequency OL-5650-02 #config no tacacs-server 192.168.11.1 Setting TACACS+ Authorization #config no tacacs-server authorize non-config #config tacacs-server authorize config#config tacacs-server authorize non-config #config no tacacs-server authorize config Setting TACACS+ Accounting Showing TACACS+ Server Configuration Information Field Description OL-5650-02 Configuring Firewall Load Balancing Overview of Fwlb Firewall Synchronization Configuring Fwlb Config# no ip firewall Configuring a Keepalive Timeout for a FirewallConfig# ip firewall 1 192.168.27.1 192.168.28.1 Config# no ip firewall timeout Configuring an IP Static Route for a FirewallConfig# ip firewall timeout Config# ospf redistribute firewall metric 3 type1 Configuring Ospf to Advertise Firewall RoutesConfig# ip route 192.168.2.0/24 firewall 1 Config# no ip route 192.168.2.0/24 firewall Config# rip redistribute firewall Configuring RIP to Advertise Firewall RoutesExample of Fwlb Static Route Configuration Config# no ospf redistribute firewall Config# ip route 0.0.0.0/0 firewall Config# ip firewall 1 192.168.28.1 192.168.27.1Config# ip route 192.168.2.0/24 firewall Config# ip firewall 2 192.168.28.2 192.168.27.2 Example of Fwlb Configuring Fwlb with VIP and Virtual Interface Redundancy Fwlb with VIP/Interface Redundancy Configuration Cisco Content Services Switch Security Configuration Guide CSS-OUT-L Configuration Example of Firewall and Route Configurations CSS-IN-L Configuration Displaying Firewall Flow Summaries Config# show flows 192.165.22.1Config# show flows Displaying Firewall IP Routes Config# show ip routes firewall Displaying Firewall IP Information Config# show ip firewall OL-5650-02 IN-1 D E IN-2 IN-3 FTP IN-4 Radius IN-5 XML IN-6