Cisco Systems SF300-24P, SG30052PK9NA, SRW2024PK9NA, SRW224G4K9AR, SRW224G4PK9NA, SRW248G4PK9NA Security: Secure Sensitive Data Management

18

Cisco Small Business 300 Series Managed Switch Administration Guide 360

Security: Secure Sensitive Data Management

Secure Sensitive Data (SSD) is an architecture that facilitates the protection of

sensitive data on a device, such as passwords and keys. The facility makes use of

passphrases, encryption, access control, and user authentication to provide a

secure solution to managing sensitive data.

The facility is extended to protect the integrity of configuration files, to secure the

configuration process, and to support SSD zero-touch auto configuration.

•Introduction

•SSD Rules

•SSD Properties

•Configuration Files

•SSD Management Channels

•Menu CLI and Password Recovery

•Configuring SSD

Introduction

SSD protects sensitive data on a device, such as passwords and keys, permits

and denies access to sensitive data encrypted and in plain text based on user

credentials and SSD rules, and protects configuration files containing sensitive data

from being tampered with.

In addition, SSD enables the secure backup and sharing of configuration files

containing sensitive data.

SSD provides users with the flexibility to configure the desired level of protection

on their sensitive data; from no protection with sensitive data in plaintext, minimum

protection with encryption based on the default passphrase, and better protection with

encryption based on user-defined passphrase.

Contents

Main Chapter 1: Getting Started 1 Chapter 2: Status and Statistics 12 Chapter 3: Administration: System Log 28 Chapter 4: Administration: File Management 34 Chapter 5: Administration: General Information 56 Chapter 6: Administration: Time Settings 72 Chapter 7: Administration: Diagnostics 84 Chapter 8: Administration: Discovery 92 Chapter 9: Port Management 124 Chapter 10: Smartport 144 Chapter 11: Port Management: PoE 176 Chapter 12: VLAN Management 184 Chapter 13: Spanning Tree 218 Chapter 14: Managing MAC Address Tables 232 Chapter 15: Multicast 236 Chapter 16: IP Configuration 254 DHCP Server 276 IPv6 Management and Interfaces 284 Domain Name 297 Chapter 17: Security 302 Defining Users 303 Configuring TACACS+ 306 Page IP Source Guard 349 Dynamic ARP Inspection 353 Chapter 18: Security: Secure Sensitive Data Management 360 Introduction 360 SSD Rules 361 Chapter 19: Security: SSH Client 380 Chapter 20: Security: SSH Server 390 Chapter 21: Access Control 396 Chapter 22: Quality of Service 412 Chapter 23: SNMP 446 Page Page Getting Started Starting the Web-based Configuration Utilit y Browser Restrictions Launching the Configuration Utility Logging In HTTP/HTTPS Password Expiration Logging Out Quick Start Device Configuration Interface Naming Conventions Window Navigation Application Header Page Management Buttons Page Page Status and Statistics Viewing Ethernet Interfaces Viewing Etherlike Statistics Page Viewing GVRP Statistics Viewing 802.1X EAP Statistics Viewing TCAM Utilization[ Managing RMON Viewing RMON Statistics Page Configuring RMON History , Viewing the RMON History Table Defining RMON Events Control Page Viewing the RMON Events Logs Defining RMON Alarms Page Page Page Administration: System Log Setting System Log Settings Page Setting Remote Logging Settings Viewing Memory Logs RAM Memory Flash Memory Page Administration: File Management System Files Files and File Type s File Actions Upgrade/Backup Firmware/Language Upgrade/Backing Firmware or Language File Page Page Active Image Download/Backup Configuration/Log Configuration File Backwards Compatibility Downloading or Backing-up a Configuration or Log File Page Page Page Configuration Files Properties Copy/Save Configuration DHCP Auto Configuration DHCP Server Options Auto Configuration Download Protocol (TFTP or SCP) SSH Client Authentication Parameters Auto Configuration Process Page Configuring DHCP Auto Configuration Web Configuration Auto By File Extension SSH Client Authentication Remote SSH Server Authentication SCP Only Page Administration: General Information Device Models Page System Information Displaying the System Summary System Information: Page Console Settings (Autobaud Rate Suppor t) Rebooting the Device Administration > File Management > Copy/Save Configuration Page Routing Resources Monitoring Fan Status Page Defining Idle Session Timeout Idle Session Timeout Pinging a Host Page Traceroute Page Page Administration: Time Settings System Time Options Time Time Zone and Daylight Savings Time (DST) SNTP Modes Configuring System Time Selecting Source of System Time USA By Dates Recurring By Dates Adding a Unicast SNTP Server In Process Page Configuring the SNTP Mode Defining SNTP Authentication Time Range Absolute Time Range Recurring Time Range Administration: Diagnostics Testing Copper Ports Preconditions to Running the Copper Port Test Page Displaying Optical Module Status MSA-compatible SFPs Configuring Port and VLAN Mirroring Page Viewing CPU Utilization and Secure Core Technology Page Page Administration: Discovery Configuring Bonjour Discovery Bonjour in Layer 2 System Mode Bonjour in Layer 3 System Mode LLDP and CDP Configuring LLDP LLDP Overview LLDP Configuration Workflow Setting LLDP Properties Flooding Filtering Editing LLDP Port Settings Page LLDP MED Network Policy LLDP Media Endpoint Discovery Setting LLDP MED Network Policy Configuring LLDP MED Port Settings . Network Policy Displaying LLDP Port Status Displaying LLDP Local Information Global Management Address MAC/PHY Details 802.3 Details 802.3 Link Aggregation 802.3 Energy Efficient Ethernet (EEE) (If device supports EEE) MED Details Endpoint Class 1 Location Information Network Policy Table Untagged Displaying LLDP Neighbors Information Port Details Basic Details Management Address Table MAC/PHY Details 802.3 Power via MDI 802.3 Details 802.3 Link Aggregation 802.3 Energy Efficient Ethernet (EEE) MED Details 802.1 VLAN and Protocol PPVID Table VLAN IDs Protocol IDs Accessing LLDP Statistics Tot a l Discarded Unrecognized LLDP Overloading Page Configuring CDP Setting CDP Properties CDP Configuration Workflow Flooding Filtering Bridging Page Editing CDP Interface Settings Displaying CDP Local Information Page Displaying CDP Neighbors Information Page Viewing CDP Statistics Port Management Configuring Ports Setting Port Configuration Page Page Configuring Link Aggregation Link Aggregation Overview Load Balancing LAG Management Default Settings and Configuration Static and Dynamic LAG Workflow Defining LAG Management Configuring LAG Settings Page Configuring LACP LACP Priority and Rules LACP With No Link Partner Setting LACP Parameter Settings Configuring Green Ethernet Green Ethernet Overview Power Saving by Disabling Port LEDs 802.3az Energy Efficient Ethernet Feature 802.3az EEE Overview Advertise Capabilities Negotiation Link Level Discovery for 802.3az EEE Availability of 802.3az EEE Default Configuration Interactions Between Features Setting Global Green Ethernet Properties Setting Green Ethernet Properties for Ports Page Page Smartport Page What is a Smartport Smartport Types Page Special Smartport Type s Smartport Macros Applying a Smartport Type to an Interface Macro Failure and the Reset Operation How the Smartport Feature Works Auto Smartport Enabling Auto Smartport Identifying Smartport Type Using CDP/LLDP Information to Identify Smartport Types Multiple Devices Attached to the Port Switch Persistent Auto Smartport Interface Error Handling Default Configuration Relationships with Other Features and Backwards Compatibility Common Smartport Tasks Workflow2: To configure an interface as a static Smartport, perform the following step s: Workflow4: To rerun a Smartport macro after it has failed, perform the following steps: Unknown Configuring Smartport Using The Web-b ased Interface Smartport Properties Smartport Type Settings Smartport Interface Settings Port Type Unknown Page Built-in Smartport Macros desktop no_desktop printer no_printer guest no_guest]] server no_server host no_host ip_camera no_ip_camera ip_phone no_ip_phone ip_phone_desktop no_ip_phone_desktop switch no_switch router no_router [no_router] #macro description No router ap Page Port Management: PoE PoE on the Device PoE Features PoE Operation PoE Configuration Considerations Page Configuring PoE Properties Class Limit Port Limit Configuring PoE Settings PoE priority example: Page Page Page VLAN Management VLANs VLAN Description VLAN Roles QinQ VLAN Configuration Workflow Configuring Default VLAN Settings Page Creating VLANs Configuring VLAN Interface Settings Defining VLAN Membership Configuring Port to VLAN Configuring VLAN Membership GVRP Settings Defining GVRP Settings VLAN Groups MAC-based Groups Assigning MAC-based VLAN Groups Mapping VLAN Group to VLAN Per Interface Voice VLAN Voice VLAN Overview Dynamic Voice VLAN Modes Voice End-Points Auto Voice VLAN, Auto Smartports, CDP, and LLDP Defaults Voice VLAN Triggers Auto Voice VLAN Voice VLAN QoS Voice VLAN Constraints Voice VLAN Workflows Workflow1: To configure Auto Voice VLAN: Workflow2: To configure the Telephony OUI Method Configuring Voice VLAN Configuring Voice VLAN Properties Auto Voice VLAN Activation Enable Auto Voice VLAN Administration > Discovery > LLDP > LLDP MED Network Policy Displaying Auto Voice VLAN Settings Page Configuring Telephony OUI Adding OUIs to the Telephony OUI Table Page Adding Interfaces to Voice VLAN on Basis of OUIs Access Port Multicast T V VLAN IGMP Snooping Differences Between Regular and Multic ast TV VLANs Configuration Multicast TV Group to VLAN Port Multicast VLAN Membership Customer Port Multicast TV VL AN Mapping CPE VLANs to Multicast TV VLANs CPE Port Multicast VLAN Membership Page Spanning Tree STP Flavors Configuring STP Status and Global Settings Page Defining Spanning Tree Interface Settings Page Configuring Rapid Spanning Tree Settings Enable Root Auto Disable Page Multiple Spanning Tree Defining MSTP Properties Mapping VLANs to a MSTP Instance Defining MSTP Instance Settings Defining MSTP Interface Settings Boundary Managing MAC Address Tables Types of MAC Addresses Configuring Static MAC Addresses Managing Dynamic MAC Addresses Configuring Dynamic MAC Address Aging Time Querying Dynamic Addresses Defining Reserved MAC Address es Ethernet V2 Bridge Discard All Multicast Multicast Forwarding Typical Multicast Setup Page Multicast Address Properties Defining Multicast Properties Page Adding MAC Group Address Page Adding IP Multicast Group Addresses Configuring IGMP Snooping Page Page MLD Snooping Page Querying IGMP/MLD IP Multicast Group Defining Multicast Router Ports Defining Forward All Multicast Defining Unregistered Multicast Settings Page IP Configuration Layer 2 IP Addressing Layer 3 IP Addressing IPv4 Management and Interfaces IPv4 Interface Defining an IPv4 Interface in Layer 2 System Mode File Management DHCP Auto Configuration Administration Defining IPv4 Interface in Layer 3 System Mode Dynamic IP Address Static IP Address IPv4 Routes Remote Reject ARP All Normal Age Out ARP Proxy UDP Relay/IP Helper DHCPv4 Snooping/Relay DHCPv4 Snooping DHCPv4 Relay DHCPv4 in Layer 2 and Layer 3 Transparent DHCP Relay Option 82 Interactions Between DHCPv4 Snooping, DHCP v4 Relay and Option 82 Page Page Page DHCP Snooping Binding Database DHCP Trusted Ports How the DHCP Snooping Binding Database is Built Page DHCP Snooping Along With DHCP Relay DHCP Default Configuration Configuring DHCP Work Flow DHCP Snooping/Relay Properties Backup Database Update Interval Backup Database Verify MAC Address Interface Settings DHCP Snooping Trusted Interfaces DHCP Snooping Binding Database Static DHCP Server DHCP Options Page Dependencies Between Features Default Settings and Configurations Workflow for Enabling Feature DHCPv4 Server Network Pool Page Excluded Addresses Static Hosts Page Address Binding IPv6 Management and Interfaces IPv6 Global Configuration IPv6 Interface Page DHCPv6 Client Details IPv6 Tunnel ISATAP Tunnels Configuring Tunnels Auto Interface Manual None Defining IPv6 Addresses IPv6 Default Router List Reachable Time . Delay Time. Reachable Time. Defining IPv6 Neighbors Information Incomplete Reachable Viewing IPv6 Route Tables Local DHCPv6 Relay Dependencies with Other Features Global Destinations Interface Settings Domain Name DNS Settings Search List Host Mapping OK Negative Cache No Response Security Defining Users Setting User Accounts Page Setting Password Complexity Rules Configuring TACACS+ Accounting Using a TACACS+ Server Defaults Interactions With Other Features Workflow Configuring a TACACS+ Server Page Page Configuring RADIUS Accounting Using a RADIUS Server Defaults Interactions With Other Features Radius Workflow Page Page Configuring Management Access Authentication Defining Management Access Method Active Access Profile Page Network Mask Prefix Length Defining Profile Rules Page SSL Server SSL Overview Default Settings and Configuration SSL Server Authentication Settings Page Configuring TCP/UDP Services Defining Storm Control Configuring Port Security Page Page Configuring 802.1X Dynamic VLAN Assignment (DVA) Unauthenticated VLANs and the Guest VLAN 802.1X Parameters Workflow Defining 802.1X Properties Page Configuring Unauthenticated VLANs Defining 802.1X Port Authentication Page Page Defining Host and Session Authentication Page Viewing Authenticated Hosts Defining Time Ranges Denial of Service Prevention Secure Core Technol ogy (SCT) Types of DoS Attacks Defense Against DoS Attacks Dependencies Between Features Default Configuration Configuring DoS Prevention Security Suite Settings Page SYN Protection Martian Addresses From Reserved List Prefix Length SYN Filtering SYN Rate Protection ICMP Filtering IP Fragmented Filtering IP Source Guard Interactions with Other Features Filtering Configuring IP Source Guard Work Flow Enabling IP Source Guard Configuring IP Source Guard on Interfaces Binding Database Dynamic ARP Inspection ARP Cache Poisoning How ARP Prevents Cache Poisoning Interaction Between ARP Inspection and DHCP Snooping ARP Defaults ARP Inspection Work Flow Defining ARP Inspection Properties Defining Dynamic ARP Inspection Interfaces Settings Defining ARP Inspection Access Control Defining ARP Inspection Access C ontrol Rules Defining ARP Inspection VLAN Settings Page Security: Secure Sensitive Data Management Introduction SSD Management SSD Rules Elements of an SSD Rule Page Page SSD Rules and User Authentication Default SSD Rules SSD Default Read Mode Session Override SSD Properties Passphrase Default and User-defined Passphrases Local Passphrase Configuration File Passphrase Control Configuration File Integrity Control Read Mode Configuration Files File SSD Indicator SSD Control Block Startup Configuration File Running Configuration File Backup and Mirror Configuration File Sensitive Data Zero-Touch Auto Configuration SSD Management Channels Menu CLI and Password Recovery Configuring SSD SSD Properties SSD Rules Page Page Page Security: SSH Client Secure Copy (SCP) and SSH Protection Methods Passwords Public/Private Keys Import Keys SSH Server Authentication SSH Client Authentication Supported Algorithms Before You Begin Common Tasks Workflow2: To import the public/private keys from one device to another: Workflow3: To define a trusted server: Workflow4: To change your password on an SSH server: SSH Client Configuration Through the GUI SSH User Authentication SSH Server Authentication Modifying the User Password on the SSH Server Page Security: SSH Server Common Tasks Workflow3: To import an RSA or DSA key from device A to device B, perform the following steps: SSH Server Configuration Pages SSH User Authentication Automatic Login SSH Server Authentication Page Page Access Control Access Control Lists Defining IPv6-Based ACL Creating ACLs Workflow Modifying ACLs Workflow Defining MAC-based ACLs Adding Rules to a MAC-based ACL Permit Shutdown Deny Page IPv4-based ACLs Defining an IPv4-based ACL Adding Rules (ACEs) to an IPv4-Based ACL IGP EGP TCP IP in IP Page Any DSCP to Match IP Precedence to Match IPv6-Based ACLs Defining an IPv6-based ACL Adding Rules (ACEs) for an IPv6-Based ACL Page Page Defining ACL Binding Page Page Quality of Service QoS Features and Components QoS Modes QoS Workflow Configuring QoS - General Setting QoS Properties Configuring QoS Queues Strict Priority % of WRR Bandwidth WRR Weight Mapping CoS/802.1p to a Queue Page Mapping DSCP to Queue Page Page Configuring Bandwidth Page Configuring Egress Shaping per Queue Configuring VLAN Ingress Rate Limit Page TCP Congestion Avoidance QoS Basic Mode Workflow to Configure Basic QoS Mode Configuring Global Settings Interface QoS Settings QoS Advanced Mode Notes: Workflow to Configure Advanced QoS Mode Configuring Global Settings Configuring Out-of-Profile DSCP Mapping Page Defining Class Mapping IP or MAC IP and MAC MAC IP QoS Policers Defining Aggregate Policers Configuring a Policy Policy Class Maps Set Always Trust Use default trust mode Page Policy Binding Managing QoS Statistics Policer Statistics Viewing Single Policer Statistics Viewing Aggregated Policer Statistics Viewing Queues Statistics Page Page Page SNMP SNMP Versions and Workflow SNMPv1 and v2 SNMPv3 SNMP Workflow If you decide to use SNMPv1 or v2: , . If you decide to use SNMPv3: Supported MIBs Model OIDs SNMP Engine ID Page Configuring SNMP Views Creating SNMP Groups To create an SNMP group: Managing SNMP Users Page Defining SNMP Communities Page Defining Trap Settings Notification Recipients Defining SNMPv1,2 Notification Recipients Page Defining SNMPv3 Notification Recipients No Authentication Authentication Privacy SNMP Notification Filters