Cisco Sg2008 Manual
Cisco Small Business SG200 Series 8-port Smart Switch

Multicast

Configuring MLD Multicast Router Interfaces

An MLD multicast router must exist to manage the MLD clients in a VLAN. For each VLAN that supports MLD snooping, the switch must be statically configured with, or dynamically learn, one or more interfaces where there is an MLD multicast router. The interface that has an MLD router is known as an MLD Multicast Router Interface. A VLAN that is MLD snooping-enabled must have one or more MLD multicast router interfaces. An MLD multicast router can serve one or more VLANs.

To enable a switch port or LAG as an MLD Mrouter interface:

STEP 1 Click Multicast > MLD Mrouter in the navigation window. By default, the MLD MRouter Table lists each switch port. To show LAGs, select LAG from the Interface Type list.
STEP 2 Select the port or LAG to configure and click Edit.
STEP 3 Select Enable for the Mode.
STEP 4 Move VLAN IDs between the Available and Selected lists. VLANs in the Selected list use this port or LAG as the MLD Mrouter interface.
• To select a VLAN: Click a VLAN in the Available list, and then click the right-arrow button to move it to the Selected list.
• To remove a VLAN: Click a VLAN in the Selected list, and then click the left-arrow button to move it to the Available list.
STEP 5 Click Apply and then click Close. In the MLD Mrouter Table, the interface displays Enable in the Mode column and lists the included VLANs.
9 IP Configuration

This chapter describes the Address Resolution Protocol (ARP) and Domain Name System (DNS) client features. It includes the following topics:
• ARP Table
• Domain Name System

ARP Table

The switch maintains an Address Resolution Protocol (ARP) Table. Each entry in the table includes the IP address and the MAC address of a device that has recently communicated with the switch. You can use the ARP page to display ARP entries learned by the management VLAN.

To display this page, click IP Configuration > ARP in the navigation window. You can click Clear ARP to delete all entries from the table, except for the management port IP address and MAC address.

Domain Name System

The switch supports IPv4 DNS client functionality. When enabled as a DNS client, the switch provides a hostname lookup service to other applications on the switch such as ping, RADIUS, syslog, Auto Configuration, and TFTP. The switch can be configured with DNS servers that resolve hostnames to IP addresses. The switch can also be configured with static host-name-to-IP-address mappings that bypass the DNS server.
See the following topics for more information on the configuration pages available in the IP Configuration > Domain Name System menu.
• Configuring DNS Servers
• Hostname Mapping

Configuring DNS Servers

To resolve a hostname to an IP address, the client contacts one or more DNS servers. DNS servers can be learned dynamically if the management interface is configured as a DHCP client (see Management Interface). You can also use the DNS Servers page to statically configure DNS servers. DNS client functionality is enabled by default.

Configuring Global DNS Settings

To configure the DNS server mode and global settings:

STEP 1 Click IP Configuration > Domain Name System > DNS Servers in the navigation window.
STEP 2 Select Enable to implement DNS client functionality on the switch, if it is not already enabled.
STEP 3 Enter the following parameters:
• Default Domain Name—Specify a domain name to be used to complete an unqualified hostname. For example, finance.yahoo.com is a fully qualified domain name. If only the unqualified hostname, finance, is specified, the default domain name yahoo.com would be appended, with a period in between. In your entry, do not include the period that separates the unqualified hostname from the domain name. The range is 1–255 alphanumeric characters.
• Domain retry—Specify the number of times to retry sending DNS queries. The range is 0–100 and the default value is 2 times.
• Domain timeout—Specify the time in seconds that the switch waits for a response to a DNS query. The range is 0–3600 seconds and the default is 3 seconds.
NOTE: Default domain names may be learned from reply messages from a DHCP server. These names display in the Default Domain Name List.

STEP 4 Click Apply. Your changes are saved to the Running Configuration.

Adding DNS Servers

The DNS Servers Table lists the configured servers. To add a DNS server:

STEP 1 Click Add.
STEP 2 Specify the DNS server IPv4 or IPv6 address.
STEP 3 Click Apply and then click Close. Your changes are saved to the Running Configuration and the server appears in the DNS Servers Table.

Hostname Mapping

Use the Host Mapping page to view and configure associations between hostnames and IP addresses. You can statically associate a hostname with an IP address. You can also view hostnames that have been learned dynamically through applications that use the DNS lookup service.

NOTE: If you configure a static hostname and IP address, and that same hostname-to-IP-address mapping is later learned from DNS, the entry becomes dynamic and it is no longer saved as a static entry in the Running Configuration.

Configuring Static DNS Mappings

The Host Mapping Table lists hostnames that are statically assigned to IP addresses on the switch. To configure a static hostname mapping:

STEP 1 Click IP Configuration > Domain Name System > Host Mapping in the navigation window.
STEP 2 Click Add.
STEP 3 Enter a hostname from 1–255 alphanumeric characters. The hostname must begin with a letter.
STEP 4 Enter an IPv4 or IPv6 address to be associated with the hostname.
STEP 5 Click Apply and then click Close. Your changes are saved to the Running Configuration.

Viewing and Deleting Dynamic DNS Entries

The DNS Dynamic Entries table displays hostnames that have been learned by applications that use DNS lookup services. For example, if you ping a hostname, the DNS lookup service is invoked and an associated IP address is learned and added to the table.

The DNS Dynamic Entries table displays the following fields:
• Hostname—Host name assigned to the IP address (or to an official hostname).
• Total—Number of minutes the hostname has been reserved for this assignment.
• Elapsed—Number of minutes that have elapsed since the hostname was assigned.
• Type—Identifies the hostname as one of the following:
  - IP Address—The assigned hostname is associated with an IP address.
  - Canonical—The assigned hostname is an alias or nickname for a properly denoted (official) hostname. For example, www.google.com might be a hostname alias associated with the official hostname www.l.google.com.
• Addresses—If the Type is IP, this field displays the IPv4 address or the IPv6 address that is associated with the hostname. If the Type is Canonical, this field displays the canonical hostname that the alias is associated with. A canonical DNS address might have more than one hostname alias associated with it.

To delete a dynamic entry, select it and click Delete. To delete all dynamic entries from the table, click Delete All Dynamic Entries.
10 Security

This chapter describes the security features for the port, user, and server. It includes the following topics:
• RADIUS
• Password Strength
• Management Access Profile Rules
• Authentication Methods
• Storm Control
• Port Security
• 802.1X

RADIUS

The switch supports Remote Authentication Dial-In User Service (RADIUS) client functionality. RADIUS has become the protocol of choice for administrators of large networks for authenticating users before granting access. To authenticate users in a secure manner, a RADIUS client and RADIUS server are configured with the same shared password or secret. This secret is used to generate the one-way (hashed) authenticators that are present in all RADIUS packets. Without knowledge of the secret, the possibility of a malicious user correctly spoofing packets is sufficiently reduced.

The RADIUS client on the switch is used for switch management access authentication and IEEE 802.1X (dot1X) port access control (see Management Access Profile Rules and 802.1X). You can use the RADIUS page to configure global RADIUS settings and add RADIUS servers.
Configuring Global RADIUS Settings

To configure the global settings:

STEP 1 Click Security > RADIUS in the navigation window.
STEP 2 Enter the parameters:
• Retries—Maximum number of times the RADIUS client retransmits requests to the RADIUS server. The range is 1 to 10. The default is 3.
• Timeout for Reply—Number of seconds the switch waits for a RADIUS server to reply to a request before sending another request. The range is 1 to 30. The default is 3.
• Dead Time—Length of time a RADIUS server is bypassed once the switch determines it is unavailable. Bypassing unavailable servers improves switch response times. The range is 0 to 2000. The default is 0.
• RADIUS Attribute 4 (NAS-IP Address)—Select to enable the switch to include the network access server (NAS) attribute in Access Request packets sent to the RADIUS server. If this option is disabled, the RADIUS client uses the switch management port address as the NAS-IP Address.
• NAS-IP Address—IP address to include in Access Request packets. This field is editable only when RADIUS Attribute 4 is enabled. The address should be unique to the NAS within the scope of the RADIUS server.

NOTE: The Current RADIUS Server field displays the IP address of the most recently configured RADIUS server, if any.

STEP 3 Click Apply. Your changes are saved to the Running Configuration.

Adding a RADIUS Server

You can configure multiple RADIUS servers and configure priority levels that determine the order in which they are contacted.

CAUTION: All management users are created with read-write permissions. Ensure that all RADIUS server users you configure have the same privilege levels; otherwise they are not granted access to the switch.
To add a RADIUS Server to the RADIUS Table:

STEP 1 Click Add.
STEP 2 Enter the parameters:
• RADIUS Server—IP address or hostname of the server.
• Priority—The lower the priority number value, the higher the priority of the server. For example, a server configured with priority value 1 has higher priority than a server configured with priority value 2. If all the servers are configured with the same or the default priority value, the switch tries the RADIUS servers on a first-come, first-served basis. The range is 1 to 65535. The default is 8.
• Key String—A shared secret text string used for authenticating and encrypting all RADIUS communications between the switch and the RADIUS server. This secret must match the secret configured on the RADIUS server. This must be an ASCII alphanumeric value between 32 and 176 characters.
• Authentication Port—Port number used for RADIUS authentication requests and replies. The default port, 1812, is the well-known IANA port number for RADIUS authentication services. The range is 1025 to 65535. The default is 1812.
• Message Authenticator—This field is selected by default. When enabled, the Message-Authenticator attribute is included in RADIUS request messages to the server. This attribute protects the RADIUS messages from spoofing and tampering. The shared secret is used as the key. If the RADIUS Message-Authenticator attribute is present in the packet, it is verified by the server. If verification fails, the server drops the request packet.
STEP 3 Click Apply and then click Close. Your changes are saved to the Running Configuration.
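The two protections the RADIUS section describes (the one-way authenticators keyed by the shared secret, and the Message-Authenticator attribute the server verifies before accepting a request) are shown below as an added example in Python; it is not code from the Cisco manual or the switch firmware. It follows RFC 2865 (Response Authenticator = MD5 over Code, Identifier, Length, Request Authenticator, Attributes and the secret) and RFC 2869 (Message-Authenticator = HMAC-MD5 keyed with the secret over the packet with that attribute zeroed). The secret, user name and NAS address are constructed sample values, and the check functions model what a server or client does on receipt.

```python
import hashlib
import hmac
import os
import struct

# Codes and attribute types from RFC 2865 / RFC 2869 (standard values, not SG200-specific)
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def _attr(attr_type, value):
    """Encode one attribute TLV; the length octet counts the two-octet header."""
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(secret, identifier, username, nas_ip, request_authenticator=None):
    """Build an Access-Request carrying User-Name, NAS-IP-Address (attribute 4) and a
    Message-Authenticator: HMAC-MD5 keyed with the shared secret, computed over the
    whole packet while the attribute value is 16 zero octets (RFC 2869 section 5.14)."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)  # fresh random value per request
    attrs = _attr(ATTR_USER_NAME, username.encode())
    attrs += _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    packet = header + request_authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute here


def iter_attributes(packet):
    """Yield (type, value_offset, value) for each attribute, validating every length."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("bad packet length")
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        yield attr_type, pos + 2, packet[pos + 2:pos + attr_len]
        pos += attr_len


def verify_message_authenticator(secret, packet):
    """Server-side check: recompute HMAC-MD5 with the attribute zeroed and compare in
    constant time. A request that fails this check is dropped, as the manual states."""
    try:
        for attr_type, offset, value in iter_attributes(packet):
            if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
                if len(value) != 16:
                    return False
                zeroed = packet[:offset] + bytes(16) + packet[offset + 16:]
                expected = hmac.new(secret, zeroed, hashlib.md5).digest()
                return hmac.compare_digest(expected, value)
    except ValueError:
        return False
    return False  # attribute absent: nothing to verify, treat as unverified


def build_response(secret, code, identifier, request_authenticator, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret, response, request_authenticator):
    """Client-side check that a reply came from a server holding the same shared secret
    and answers the request whose Request Authenticator we remembered."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    secret = b"example-shared-secret-for-demo"  # constructed sample value
    req = build_access_request(secret, 7, "alice", "192.0.2.10")
    print("request verifies with correct secret:", verify_message_authenticator(secret, req))
    print("request verifies with wrong secret:", verify_message_authenticator(b"other", req))
    resp = build_response(secret, ACCESS_ACCEPT, 7, req[4:20])
    print("reply verifies on the client:", verify_response(secret, resp, req[4:20]))
```

The `iter_attributes` length checks matter as much as the HMAC: a receiver must bound every attribute by the packet's own Length field before touching its value, otherwise a malformed packet is parsed out of bounds before the authenticator is ever checked.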
Password Strength

You can use the Password Strength page to configure characteristics of secure management user passwords.

To configure password strength settings:

STEP 1 Click Security > Password Strength in the navigation window.
STEP 2 Enter the following parameters:
• Strength Check—Select Enable to configure the types of checks to be performed:
  • Minimum Password Length—The minimum number of characters required for a management user password. Set the minimum password length to a value in the range of 0–64 characters.
  • Password Aging Time—Select the checkbox and enter the time after which a password expires, from 1–365 days. When a password ages out, the user must choose a new password before continuing.
  • Password Exclude Keyword Check—Select Enable to check for preconfigured keywords in a password when a user attempts to create or change the password. The preconfigured keywords are cisco and ocsic.
  • Password User Name Check—Select Enable to prevent users from including their user name in their password when they create or change it.
  • Character Can Repeat Itself Consecutively a Maximum of 3 Times—Select Enable to have the switch check whether any character in the password is repeated consecutively more than three times.
  • Minimum Number of Character Classes—Select the checkbox and enter the minimum number of character classes that must be represented in the password string. The four possible character classes are: uppercase letters, lowercase letters, numbers, and special characters available on a standard keyboard.
STEP 3 Click Apply and then click Close. Your changes are saved to the Running Configuration.
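To make the individual checks on the Password Strength page concrete, here is an added Python example (not Cisco code) that applies the same rules to a candidate password and reports every rule it violates. The policy defaults in `PasswordPolicy`, the case-insensitive comparison for the keyword and user-name checks, and the sample passwords are assumptions made for the example; the manual lists the checks and their ranges but not how the switch compares strings.

```python
import re
from dataclasses import dataclass

# Keywords rejected when Password Exclude Keyword Check is enabled (from the manual)
EXCLUDED_KEYWORDS = ("cisco", "ocsic")
# "Character Can Repeat Itself Consecutively a Maximum of 3 Times"
MAX_CONSECUTIVE_REPEAT = 3


@dataclass(frozen=True)
class PasswordPolicy:
    """One setting per check on the page. The values below are constructed defaults
    for this example, not the switch's factory defaults."""
    minimum_length: int = 8            # page allows 0-64
    exclude_keyword_check: bool = True
    user_name_check: bool = True
    repeat_check: bool = True
    minimum_character_classes: int = 3  # out of upper, lower, digit, special


def count_character_classes(password):
    """How many of the four classes appear at least once."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def longest_consecutive_run(password):
    """Length of the longest run of one character repeated back-to-back."""
    longest = run = 0
    previous = None
    for ch in password:
        run = run + 1 if ch == previous else 1
        previous = ch
        longest = max(longest, run)
    return longest


def check_password(password, username, policy=None):
    """Return the list of violated checks; an empty list means the password passes.
    Keyword and user-name matching is done case-insensitively (an assumption)."""
    policy = policy or PasswordPolicy()
    failures = []
    lowered = password.lower()
    if len(password) < policy.minimum_length:
        failures.append(f"shorter than the minimum length of {policy.minimum_length}")
    if policy.exclude_keyword_check:
        failures.extend(f"contains excluded keyword '{k}'"
                        for k in EXCLUDED_KEYWORDS if k in lowered)
    if policy.user_name_check and username and username.lower() in lowered:
        failures.append("contains the user name")
    if policy.repeat_check and longest_consecutive_run(password) > MAX_CONSECUTIVE_REPEAT:
        failures.append(f"a character repeats more than {MAX_CONSECUTIVE_REPEAT} times consecutively")
    if count_character_classes(password) < policy.minimum_character_classes:
        failures.append(f"uses fewer than {policy.minimum_character_classes} character classes")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs; "admin" is only the user name, not a real account
    for candidate in ("G00d-P@ssw0rd", "cisco1234", "Admin-2024!", "aaaaB1!"):
        print(candidate, "->", check_password(candidate, "admin") or "accepted")
```

Reporting every failure rather than stopping at the first one is deliberate: when a user is told only "too short", they tend to fix that and then trip the next rule, whereas a full list lets them choose a password that passes in one attempt.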
Management Access Profile Rules

Use the Management Access Profile Rules page to define a profile and rules for accessing the device for management purposes. You can limit access to specific user names, ingress ports or LAGs, and source IP addresses.

To display this page, click Security > Management Access Profile Rules in the navigation window. The Access Profile Table lists the profile name of the currently configured profile, if one exists. The Profile Rule Table shows the existing rules for the profile.

By default, no access profiles and rules are configured on the switch. You can create and enable only one profile, and all the rules you create are assigned to that profile.

Configuring an Access Profile and Rules

To create an access profile and assign rules to it:

STEP 1 In the Access Profile Table, click Add.
STEP 2 Specify the Access Profile Name and select Enable.
STEP 3 Click Apply and then click Close. The new profile appears in the Access Profile Table. Next, add the rules to the profile.
STEP 4 In the Profile Rule Table, click Add.
STEP 5 Specify any of the following parameters to restrict or allow access:
• Rule Priority—The rules are validated against the incoming management request in the ascending order of their priorities. If a rule matches, the specified action is performed and the rules below it are ignored. For example, if you configure Source IP 10.10.10.10 with priority 1 to Permit, and configure Source IP 10.10.10.10 with priority 2 to Deny, then access is permitted to this IP address when the profile is active, and the second rule is ignored. The range is 1 to 16, with 1 having the highest priority.
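The first-match-by-priority behaviour described for Rule Priority is easy to get wrong when reading a rule table, so the following added Python example (not Cisco code) models a profile as a list of rules and evaluates a management request against it the way the text describes: ascending priority, first match decides, later rules ignored. The match criteria (source IP or network, ingress interface name, user name), the interface names such as "gi1", and the action taken when no rule matches are assumptions for the example; this part of the manual names the criteria but does not state the no-match behaviour, so it is left as a parameter.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProfileRule:
    priority: int                    # 1-16 per the manual; 1 is evaluated first
    action: str                      # "permit" or "deny"
    source: Optional[str] = None     # IP address or CIDR network; None matches any source
    interface: Optional[str] = None  # ingress port or LAG name; None matches any
    user: Optional[str] = None       # management user name; None matches any

    def __post_init__(self):
        if not 1 <= self.priority <= 16:
            raise ValueError("rule priority must be in the range 1 to 16")
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be 'permit' or 'deny'")
        if self.source is not None:
            ipaddress.ip_network(self.source, strict=False)  # reject unparsable sources early


@dataclass(frozen=True)
class ManagementRequest:
    source_ip: str
    interface: str
    user: str


def rule_matches(rule, request):
    """A rule matches only when every criterion it specifies matches the request."""
    if rule.source is not None:
        network = ipaddress.ip_network(rule.source, strict=False)
        if ipaddress.ip_address(request.source_ip) not in network:
            return False
    if rule.interface is not None and rule.interface != request.interface:
        return False
    if rule.user is not None and rule.user != request.user:
        return False
    return True


def evaluate_profile(rules, request, no_match_action="deny"):
    """Walk the rules in ascending priority; return (action, priority) of the first
    match. Rules after the match are ignored. `no_match_action` is an assumption."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, request):
            return rule.action, rule.priority
    return no_match_action, None


if __name__ == "__main__":
    # The manual's own example: same source, permit at priority 1 and deny at priority 2
    manual_example = [
        ProfileRule(2, "deny", source="10.10.10.10"),
        ProfileRule(1, "permit", source="10.10.10.10"),
    ]
    print(evaluate_profile(manual_example, ManagementRequest("10.10.10.10", "gi1", "admin")))
    # A constructed profile: admins from one management subnet, everyone else denied
    profile = [
        ProfileRule(1, "permit", source="10.10.10.0/24", user="admin"),
        ProfileRule(2, "deny"),
    ]
    for req in (ManagementRequest("10.10.10.50", "gi2", "admin"),
                ManagementRequest("10.10.10.50", "gi2", "guest"),
                ManagementRequest("192.0.2.5", "gi2", "admin")):
        print(req, "->", evaluate_profile(profile, req))
```

Because only one profile can be active and every rule belongs to it, the sorted walk above is the whole decision; a catch-all deny at the lowest priority makes the outcome explicit instead of depending on what the switch does when nothing matches.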