SMC Networks SMC8126PL2-F General Security Measures

General Security Measures

4-123

4

General Security Measures

This switch supports many methods of segregating traffic for clients attached to

each of the data ports, and for ensuring that only authorized clients gain access to

the network. Private VLANs and port-based authentication using IEEE 802.1X are

commonly used for these purposes. In addition to these methods, several other

options of providing client security are described in this section. These include

port-based authentication, which can be configured to allow network client access

by specifying a fixed set of MAC addresses. The addresses assigned to DHCP

clients can also be carefully controlled using static or dynamic bindings with the IP

Source Guard and DHCP Snooping commands.

Table 4-39 Client Security Commands

Command Group Function Page

Private VLANs Configures private VLANs, including uplink and downlink ports 4-233

Port Security*

* The priority of execution for these filtering commands is Port Security, Port Authentication, Network Access, Access

Control Lists, DHCP Snooping, and then IP Source Guard.

Configures secure addresses for a port 4-124

Port Authentication*Configures host authentication on specific ports using 802.1X 4-112

Network Access*Configures MAC authentication and dynamic VLAN assignment 4-126

Access Control Lists*Provides filtering for IPv4 frames (based on address, protocol,

Layer 4 protocol port number or TCP control code), IPv6 frames

(based on address, next header type, or flow label), or non-IP

frames (based on MAC address or Ethernet type)

4-143

DHCP Snooping*Filters untrusted DHCP messages on insecure ports by building and

maintaining a DHCP snooping binding table

4-131

IP Source Guard*Filters IP traffic on insecure ports for which the source address

cannot be identified via DHCP snooping nor static source bindings

4-139

Contents

Main Page Page Page About This Guide Page Contents Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Tables Page Page Page Figures Page Page Page 1-1 Chapter 1: Introduction Key Features Table 1-1 Key Features 1-2 Description of Software Features Description of Software Features 1-3 1-4 Description of Software Features 1-5 1-6 System Defaults System Defaults 1-7 Table 1-2 System Defaults (Continued) 1-8 Table 1-2 System Defaults (Continued) 2-1 Chapter 2: Initial Configuration Connecting to the Switch Configuration Options 2-2 Required Connections 2-3 Remote Connections Basic Configuration Console Connection 2-4 Setting Passwords Setting an IP Address Manual Configuration 2-5 Dynamic Configuration 2-6 Enabling SNMP Management Access Community Strings (for SNMP version 1 and 2c clients) 2-7 Trap Receivers 2-8 Configuring Access for SNMP Version 3 Clients Managing System Files Managing System Files 2-9 Saving Configuration Settings Page 3-1 Chapter 3: Configuring the Switch Using the Web Interface Navigating the Web Browser Interface Home Page 3-3 Configuration Options Panel Display 3-4 Main Menu 3-5 3-6 3-7 3-8 3-9 3-10 3-11 Basic Configuration Displaying System Information 3-12 Figure 3-3 System Information CLI Specify the hostname, location and contact information. 3-13 Displaying Switch Hardware/Software Versions 3-14 CLI Use the following command to display version information. 3-15 Displaying Bridge Extension Capabilities 3-16 Setting the Switchs IP Address Page 3-18 Using DHCP/BOOTP 3-19 Enabling Jumbo Frames 3-20 Managing Firmware Downloading System Software from a Server 3-21 3-22 Saving or Restoring Configuration Settings 3-23 Downloading Configuration Settings from a Server 3-24 Console Port Settings 3-25 3-26 Telnet Settings 3-27 3-28 Configuring Event Logging System Log Configuration 3-29 Remote Log Configuration 3-30 3-31 Displaying Log Messages Simple Mail Transfer Protocol 3-32 3-33 Renumbering the System 3-34 Resetting the System 3-35 Setting the System Clock Setting the Time Manually Configuring SNTP 3-36 Setting the Time Zone 3-37 Simple Network Management Protocol 3-38 3-39 Enabling the SNMP Agent Setting Community Access Strings 3-40 Specifying Trap Managers and Trap Types 3-41 3-42 3-43 Configuring SNMPv3 Management Access Setting the Local Engine ID 3-44 Specifying a Remote Engine ID 3-45 Configuring SNMPv3 Users 3-46 3-47 Configuring Remote SNMPv3 Users 3-48 3-49 Configuring SNMPv3 Groups 3-50 3-51 3-52 Setting SNMPv3 Views 3-53 3-54 User Authentication Configuring User Accounts Page 3-56 Configuring Local/Remote Logon Authentication 3-57 Page 3-59 Configuring Encryption Keys 3-60 3-61 AAA Authorization and Accounting 3-62 Configuring AAA RADIUS Group Settings 3-63 Configuring AAA TACACS+ Group Settings Configuring AAA Accounting 3-64 Page Page 3-67 AAA Accounting Exec Command Privileges 3-68 AAA Accounting Exec Settings AAA Accounting Summary Page 3-70 Authorization Settings Page 3-72 Authorization Summary 3-73 Configuring HTTPS 3-74 Replacing the Default Secure-site Certificate 3-75 Configuring the Secure Shell 3-76 3-77 Generating the Host Key Pair 3-78 3-79 Configuring the SSH Server 3-80 Configuring 802.1X Port Authentication 3-81 Displaying 802.1X Global Settings 3-82 Configuring 802.1X Global Settings 3-83 Configuring Port Settings for 802.1X Page 3-85 3-86 Displaying 802.1X Statistics This switch can display statistics for dot1x protocol exchanges for any port. 3-87 Filtering IP Addresses for Management Access 3-88 3-89 General Security Measures 3-90 Configuring Port Security 3-91 Access Control Lists Configuring Access Control Lists 3-92 Setting the ACL Name and Type 3-93 Configuring a Standard IP ACL 3-94 Configuring an Extended IP ACL 3-95 3-96 Configuring a MAC ACL 3-97 3-98 Binding a Port to an Access Control List 3-99 Filtering IP Addresses for Management Access 3-100 3-101 DHCP Snooping 3-102 DHCP Snooping Configuration 3-103 DHCP Snooping VLAN Configuration DHCP Snooping Information Option Configuration 3-104 3-105 DHCP Snooping Port Configuration 3-106 DHCP Snooping Binding Information 3-107 IP Source Guard Configuring Ports for IP Source Guard 3-108 3-109 Configuring Static Binding for IP Source Guard 3-110 3-111 Displaying Information for Dynamic IP Source Guard Bindings 3-112 Port Configuration Displaying Connection Status 3-113 3-114 Configuring Interface Connections 3-115 3-116 Creating Trunk Groups 3-117 Statically Configuring a Trunk } active links statically configured 3-118 Enabling LACP on Selected Ports } } Page 3-120 Configuring Parameters for LACP Group Members 3-121 3-122 You can display statistics for LACP protocol messages. Displaying LACP Port Counters 3-123 CLI The following example displays LACP counters. 3-124 Displaying LACP Settings and Status for the Local Side 3-125 Figure 3-76 LACP - Port Internal Information 3-126 Displaying LACP Settings and Status for the Remote Side 3-127 Setting Broadcast Storm Thresholds 3-128 Configuring Local Port Mirroring 3-129 Configuring Rate Limits Rate Limit Configuration 3-130 Showing Port Statistics 3-131 3-132 3-133 3-134 Power Over Ethernet Settings Power Over Ethernet Settings 3-135 Switch Power Status 3-136 Setting a Switch Power Budget Displaying Port Power Status Power Over Ethernet Settings 3-137 Configuring Port PoE Power 3-138 Address Table Settings 3-139 Address Table Settings Setting Static Addresses 3-140 Displaying the Address Table Address Table Settings 3-141 Changing the Aging Time 3-142 Spanning Tree Algorithm Configuration 3-143 3-144 Displaying Global Settings for STA 3-145 3-146 Web Click Spanning Tree, STA, Information. This command displays global STA settings, followed by settings for each port CLI Figure 3-89 Displaying Spanning Tree Information Configuring Global Settings for STA 3-148 3-149 Page 3-151 Displaying Interface Settings for STA 3-152 3-153 3-154 Configuring Interface Settings for STA 3-155 3-156 Page 3-158 Configuring Multiple Spanning Trees Page 3-160 CLI This displays STA settings for instance 1, followed by settings for each port. Displaying Interface Settings for MSTP 3-162 3-163 Configuring Interface Settings for MSTP 3-164 VLAN Configuration IEEE 802.1Q VLANs 3-165 Assigning Ports to VLANs 3-166 3-167 Forwarding Tagged/Untagged Frames Enabling or Disabling GVRP (Global Setting) 3-168 Displaying Basic VLAN Information 3-169 Displaying Current VLANs 3-170 Creating VLANs Page 3-172 CLI This example creates a new VLAN. 3-173 Adding Static Members to VLANs (VLAN Index) 3-174 3-175 Adding Static Members to VLANs (Port Index) 3-176 Configuring VLAN Behavior for Interfaces 3-177 3-178 Configuring IEEE 802.1Q Tunneling 3-179 3-180 3-181 Enabling QinQ Tunneling on the Switch 3-182 Adding an Interface to a QinQ Tunnel 3-183 3-184 Configuring Private VLANs Enabling Private VLANs 3-185 Configuring Uplink and Downlink Ports Protocol VLANs 3-186 Configuring Protocol VLAN Groups 3-187 Mapping Protocols to VLANs Page 3-189 Class of Service Configuration Layer 2 Queue Settings Setting the Default Priority for Interfaces 3-190 3-191 Mapping CoS Values to Egress Queues 3-192 3-193 Selecting the Queue Mode 3-194 Setting the Service Weight for Traffic Classes 3-195 Layer 3/4 Priority Settings Mapping Layer 3/4 Priorities to CoS Values Selecting IP Precedence/DSCP Priority 3-196 Mapping IP Precedence 3-197 Mapping DSCP Priority 3-198 3-199 Mapping IP Port Priority 3-200 Quality of Service 3-201 Configuring Quality of Service Parameters Configuring a Class Map 3-202 Page 3-204 Creating QoS Policies 3-205 Page 3-207 Attaching a Policy Map to Ingress Queues 3-208 Multicast Filtering 3-209 Layer 2 IGMP (Snooping and Query) 3-210 Configuring IGMP Snooping and Query Parameters 3-211 3-212 Enabling IGMP Immediate Leave 3-213 3-214 Displaying Interfaces Attached to a Multicast Router 3-215 Specifying Static Interfaces for a Multicast Router 3-216 Displaying Port Members of Multicast Services 3-217 Assigning Ports to Multicast Services 3-218 IGMP Filtering and Throttling Enabling IGMP Filtering and Throttling 3-219 Configuring IGMP Filter Profiles 3-220 3-221 Configuring IGMP Filtering and Throttling for Interfaces 3-222 3-223 Multicast VLAN Registration 3-224 Configuring Global MVR Settings Page 3-226 Displaying MVR Interface Status 3-227 Displaying Port Members of Multicast Groups 3-228 Configuring MVR Interface Status 3-229 3-230 Assigning Static Multicast Groups to Interfaces 3-231 Configuring Domain Name Service Configuring General DNS Service Parameters 3-232 3-233 Configuring Static DNS Host to Address Entries 3-234 3-235 Displaying the DNS Cache 3-236 Switch Clustering Cluster Configuration Switch Clustering 3-237 3-238 Cluster Member Configuration Switch Clustering 3-239 Displaying Information on Cluster Members 3-240 Cluster Candidate Information 4-1 Chapter 4: Command Line Interface Using the Command Line Interface Accessing the CLI Console Connection 4-2 Telnet Connection 4-3 Entering Commands Keywords and Arguments Minimum Abbreviation Command Completion Getting Help on Commands Showing Commands 4-5 Partial Keyword Lookup Negating the Effect of Commands Using Command History 4-6 Understanding Command Modes Exec Commands 4-7 Configuration Commands 4-8 Table 4-2 Configuration Modes 4-9 Command Line Processing 4-10 Command Groups 4-11 General Commands enable 4-12 disable configure 4-13 show history reload 4-14 prompt end 4-15 exit quit 4-16 System Management Commands Device Designation Commands hostname 4-17 System Status Commands show startup-config 4-18 Example Related Commands show running-config (4-18) show running-config 4-19 4-20 Example Related Commands show startup-config (4-17) 4-21 show system show users 4-22 show version 4-23 Frame Size Commands jumbo frame 4-24 File Management Commands 4-25 copy 4-26 4-27 The following example shows how to download a configuration file: 4-28 delete dir 4-29 whichboot 4-30 boot system 4-31 Line Commands line 4-32 login 4-33 password 4-34 timeout login response exec-timeout 4-35 password-thresh 4-36 silent-time databits 4-37 parity 4-38 speed stopbits 4-39 disconnect show line 4-40 Example To show all lines, enter this command: Event Logging Commands Table 4-13 Event Logging Commands 4-41 logging on 4-42 logging history 4-43 logging host logging facility 4-44 logging trap clear log 4-45 show logging 4-46 show log 4-47 SMTP Alert Commands logging sendmail host 4-48 logging sendmail level 4-49 logging sendmail source-email logging sendmail destination-email 4-50 logging sendmail show logging sendmail 4-51 Time Commands sntp client 4-52 sntp server 4-53 sntp poll show sntp 4-54 clock timezone 4-55 calendar set show calendar 4-56 Switch Cluster Commands cluster 4-57 cluster commander 4-58 cluster ip-pool cluster member 4-59 rcommand show cluster 4-60 show cluster members show cluster candidates 4-61 SNMP Commands 4-62 snmp-server show snmp 4-63 snmp-server community 4-64 snmp-server contact snmp-server location 4-65 snmp-server host 4-66 4-67 snmp-server enable traps 4-68 snmp-server engine-id 4-69 show snmp engine-id snmp-server view 4-70 4-71 show snmp view snmp-server group 4-72 4-73 show snmp group Example 4-74 snmp-server user 4-75 show snmp user 4-76 Authentication Commands Table 4-24 show snmp user - display description Table 4-25 Authentication Commands 4-77 User Account and Privilege Level Commands username 4-78 enable password 4-79 privilege privilege rerun 4-80 show privilege Authentication Sequence 4-81 authentication login 4-82 authentication enable 4-83 RADIUS Client radius-server host 4-84 radius-server port radius-server key 4-85 radius-server retransmit radius-server timeout show radius-server 4-86 TACACS+ Client 4-87 tacacs-server host tacacs-server port 4-88 tacacs-server key tacacs-server retransmit 4-89 tacacs-server timeout show tacacs-server 4-90 AAA Commands aaa group server 4-91 server 4-92 aaa accounting dot1x 4-93 aaa accounting exec 4-94 aaa accounting commands 4-95 aaa accounting update accounting dot1x 4-96 accounting exec accounting commands 4-97 aaa authorization exec 4-98 authorization exec show accounting 4-99 Web Server Commands ip http port 4-100 ip http server ip http secure-server 4-101 ip http secure-port 4-102 Telnet Server Commands ip telnet server 4-103 Secure Shell Commands 4-104 4-105 ip ssh server 4-106 ip ssh timeout ip ssh authentication-retries 4-107 ip ssh server-key size delete public-key 4-108 ip ssh crypto host-key generate ip ssh crypto zeroize 4-109 ip ssh save host-key show ip ssh 4-110 Example show ssh This command displays the current SSH server connections. Command Mode Table 4-36 show ssh - display description 4-111 show public-key 4-112 802.1X Port Authentication dot1x system-auth-control 4-113 dot1x default dot1x max-req dot1x port-control 4-114 dot1x operation-mode 4-115 dot1x re-authenticate dot1x re-authentication 4-116 dot1x timeout quiet-period dot1x timeout re-authperiod 4-117 dot1x timeout tx-period dot1x timeout supp-timeout 4-118 show dot1x 4-119 4-120 4-121 Management IP Filter Commands management 4-122 show management 4-123 General Security Measures 4-124 Port Security Commands port security 4-125 4-126 Network Access (MAC Address Authentication) network-access max-mac-count 4-127 network-access mode 4-128 mac-authentication reauth-time mac-authentication intrusion-action 4-129 mac-authentication max-mac-count show network-access 4-130 show network-access mac-address-table 4-131 Example DHCP Snooping Commands Table 4-42 DHCP Snooping Commands 4-132 ip dhcp snooping 4-133 ip dhcp snooping vlan 4-134 ip dhcp snooping trust 4-135 ip dhcp snooping verify mac-address 4-136 ip dhcp snooping information option 4-137 ip dhcp snooping information policy 4-138 show ip dhcp snooping show ip dhcp snooping binding 4-139 IP Source Guard Commands ip source-guard 4-140 4-141 ip source-guard binding 4-142 show ip source-guard show ip source-guard binding 4-143 Access Control List Commands IP ACLs 4-144 access-list ip 4-145 permit, deny (Standard ACL) 4-146 permit, deny (Extended ACL) 4-147 4-148 show ip access-list ip access-group 4-149 show ip access-group MAC ACLs 4-150 access-list mac permit, deny (MAC ACL) 4-151 4-152 show mac access-list mac access-group 4-153 show mac access-group 4-154 ACL Information show access-list show access-group 4-155 Interface Commands interface 4-156 description speed-duplex 4-157 negotiation 4-158 capabilities 4-159 flowcontrol 4-160 media-type shutdown 4-161 switchport packet-rate 4-162 clear counters 4-163 show interfaces status 4-164 show interfaces counters 4-165 show interfaces switchport 4-166 Table 4-49 Interfaces Switchport Statistics 4-167 Link Aggregation Commands 4-168 channel-group 4-169 lacp 4-170 lacp system-priority 4-171 lacp admin-key (Ethernet Interface) 4-172 lacp admin-key (Port Channel) 4-173 lacp port-priority 4-174 show lacp 4-175 Table 4-52 show lacp internal - display description 4-176 Table 4-53 show lacp neighbors - display description 4-177 Table 4-54 show lacp sysid - display description 4-178 Mirror Port Commands port monitor Mirror Port Commands 4-179 show port monitor 4-180 RSPAN Mirroring Commands RSPAN Mirroring Commands 4-181 rspan source 4-182 rspan destination RSPAN Mirroring Commands 4-183 rspan remote vlan 4-184 no rspan session show rspan Rate Limit Commands 4-185 Rate Limit Commands rate-limit 4-186 Power over Ethernet Commands power mainpower maximum allocation 4-187 power inline compatible 4-188 power inline 4-189 power inline maximum allocation power inline priority 4-190 power inline overload-auto-recover 4-191 show power inline status 4-192 show power mainpower Address Table Commands 4-193 mac-address-table static 4-194 clear mac-address-table dynamic show mac-address-table 4-195 mac-address-table aging-time show mac-address-table aging-time 4-196 Spanning Tree Commands 4-197 spanning-tree spanning-tree mode 4-198 spanning-tree forward-time 4-199 spanning-tree hello-time 4-200 spanning-tree max-age spanning-tree priority 4-201 spanning-tree pathcost method 4-202 spanning-tree transmission-limit spanning-tree mst-configuration 4-203 mst vlan mst priority 4-204 name 4-205 revision max-hops 4-206 spanning-tree spanning-disabled spanning-tree cost 4-207 4-208 spanning-tree port-priority spanning-tree edge-port 4-209 spanning-tree portfast 4-210 spanning-tree link-type 4-211 spanning-tree mst cost 4-212 spanning-tree mst port-priority spanning-tree protocol-migration 4-213 show spanning-tree 4-214 4-215 show spanning-tree mst configuration VLAN Commands 4-216 GVRP and Bridge Extension Commands bridge-ext gvrp 4-217 show bridge-ext switchport gvrp 4-218 show gvrp configuration garp timer 4-219 show garp timer 4-220 Editing VLAN Groups vlan database 4-221 vlan 4-222 Configuring VLAN Interfaces interface vlan 4-223 switchport mode 4-224 switchport acceptable-frame-types switchport ingress-filtering 4-225 switchport native vlan 4-226 switchport allowed vlan 4-227 switchport forbidden vlan 4-228 Displaying VLAN Information show vlan 4-229 Configuring IEEE 802.1Q Tunneling 4-230 dot1q-tunnel system-tunnel-control switchport dot1q-tunnel mode 4-231 switchport dot1q-tunnel tpid 4-232 show dot1q-tunnel 4-233 Configuring Port-based Traffic Segmentation pvlan 4-234 pvlan up-link/down-link show pvlan 4-235 Configuring Private VLANs 4-236 private-vlan 4-237 private vlan association 4-238 switchport mode private-vlan switchport private-vlan host-association 4-239 switchport private-vlan mapping show vlan private-vlan 4-240 Configuring Protocol-based VLANs 4-241 protocol-vlan protocol-group (Configuring Groups) protocol-vlan protocol-group (Configuring Interfaces) 4-242 show protocol-vlan protocol-group 4-243 show interfaces protocol-vlan protocol-group 4-244 Class of Service Commands Priority Commands (Layer 2) 4-245 queue mode switchport priority default 4-246 queue bandwidth 4-247 queue cos-map 4-248 show queue mode 4-249 show queue bandwidth show queue cos-map 4-250 Priority Commands (Layer 3 and 4) map ip port (Global Configuration) 4-251 map ip port (Interface Configuration) map ip precedence (Global Configuration) 4-252 map ip precedence (Interface Configuration) map ip dscp (Global Configuration) 4-253 map ip dscp (Interface Configuration) 4-254 show map ip port 4-255 show map ip precedence show map ip dscp 4-256 4-257 Quality of Service Commands 4-258 class-map 4-259 match 4-260 rename description 4-261 policy-map class 4-262 set 4-263 police 4-264 service-policy show class-map 4-265 show policy-map show policy-map interface 4-266 Multicast Filtering Commands IGMP Snooping Commands 4-267 ip igmp snooping ip igmp snooping vlan static 4-268 ip igmp snooping version ip igmp snooping leave-proxy 4-269 ip igmp snooping immediate-leave 4-270 show ip igmp snooping show mac-address-table multicast 4-271 IGMP Query Commands (Layer 2) ip igmp snooping querier 4-272 ip igmp snooping query-count 4-273 ip igmp snooping query-interval ip igmp snooping query-max-response-time 4-274 ip igmp snooping router-port-expire-time 4-275 Static Multicast Routing Commands ip igmp snooping vlan mrouter 4-276 show ip igmp snooping mrouter 4-277 IGMP Filtering and Throttling Commands ip igmp filter (Global Configuration) 4-278 ip igmp profile permit, deny 4-279 range ip igmp filter (Interface Configuration) 4-280 ip igmp max-groups 4-281 ip igmp max-groups action show ip igmp filter 4-282 show ip igmp profile 4-283 show ip igmp throttle interface 4-284 Multicast VLAN Registration Commands mvr (Global Configuration) 4-285 4-286 mvr (Interface Configuration) 4-287 show mvr 4-288 4-289 Table 4-91 show mvr members - display description Table 4-90 show mvr interface - display description (Continued) 4-290 Domain Name Service Commands ip host 4-291 clear host ip domain-name 4-292 ip domain-list 4-293 ip name-server 4-294 ip domain-lookup 4-295 show hosts show dns 4-296 show dns cache clear dns cache 4-297 IP Interface Commands ip address 4-298 ip default-gateway 4-299 ip dhcp restart show ip interface 4-300 show ip redirects ping 4-301 Page A-1 Appendix A: Software Specifications Software Features Software Specifications A-2 A Management Features Standards Management Information Bases A-3 A Management Information Bases Page B-1 Appendix B: Troubleshooting Problems Accessing the Management Interface Troubleshooting B-2 B Using System Logs Glossary Page Page Page Page Page Page Page Index Index-1 Numerics A B Index-2 D E F G Index-3 J K L M Index-4 N P Index-5 Q R S Index-6 T U Index-7 V W