Cisco Sg3008 Manual

							Security
Management Access Method
344 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 
18
A caution message displays if you selected any other access profile, warning you 
that, depending on the selected access profile, you might be disconnected from 
the web-based configuration utility.
STEP  3Click OK to select the active access profile or click Cancel to discontinue the 
action. 
STEP  4Click Add to open the Add Access Profile page. The page allows you to configure 
a new profile and one rule. 
STEP  5Enter the Access Profile Name. This name can contain up to 32 characters.
STEP  6Enter the parameters.
•Rule Priority—Enter the rule priority. When the packet is matched to a rule, 
user groups are either granted or denied access to the device. The rule 
priority is essential to matching packets to rules, as packets are matched on 
a first-match basis. One is the highest priority.
•Management Method—Select the management method for which the rule 
is defined. The options are:
-All—Assigns all management methods to the rule.
-Te l n e t—Users requesting access to the device that meets the Telnet 
access profile criteria are permitted or denied access.
-Secure Telnet (SSH)—Users requesting access to the device that meets 
the SSH access profile criteria, are permitted or denied access.
-HT TP— Users requesting access to the device that meets the HTTP 
access profile criteria, are permitted or denied.
-Secure HTTP (HTTPS)—Users requesting access to the device that 
meets the HTTPS access profile criteria, are permitted or denied.
-SNMP—Users requesting access to the device that meets the SNMP 
access profile criteria are permitted or denied.
•Action—Select the action attached to the rule. The options are:
-Permit—Permits access to the device if the user matches the settings in 
the profile.
-Deny—Denies access to the device if the user matches the settings in 
the profile.
•Applies to Interface—Select the interface attached to the rule. The options 
are: 
						

							Security
Management Access Method
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)  345
18
 
-All—Applies to all ports, VLANs, and LAGs.
-User Defined—Applies to selected interface.
•Interface—Enter the interface number if User Defined was selected.
•Applies to Source IP Address—Select the type of source IP address to 
which the access profile applies. The Source IP Address field is valid for a 
subnetwork. Select one of the following values:
-All—Applies to all types of IP addresses.
-User Defined—Applies to only those types of IP addresses defined in 
the fields.
•IP Address—Enter the source IP address.
•Mask—Select the format for the subnet mask for the source IP address, and 
enter a value in one of the fields:
-
Network Mask—Select the subnet to which the source IP address 
belongs and enter the subnet mask in dotted decimal format.
-
Prefix Length—Select the Prefix Length and enter the number of bits that 
comprise the source IP address prefix.
STEP  7Click Apply. The access profile is written to the Running Configuration file. You can 
now select this access profile as the active access profile.
Defining Profile Rules
Access profiles can contain up to 128 rules to determine who is permitted to 
manage and access the device, and the access methods that may be used. 
Each rule in an access profile contains an action and criteria (one or more 
parameters) to match. Each rule has a priority; rules with the lowest priority are 
checked first. If the incoming packet matches a rule, the action associated with the 
rule is performed. If no matching rule is found within the active access profile, the 
packet is dropped.
For example, you can limit access to the device from all IP addresses except IP 
addresses that are allocated to the IT management center. In this way, the device 
can still be managed and has gained another layer of security.
To add profile rules to an access profile: 
						

							Security
Management Access Method
346 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 
18
STEP 1Click Security > Mgmt Access Method > Profile Rules.
STEP  2Select the Filter field, and an access profile. Click Go.
The selected access profile appears in the Profile Rule Table.
STEP  3Click Add to add a rule.
STEP  4Enter the parameters.
•Access Profile Name—Select an access profile.
•Rule Priority—Enter the rule priority. When the packet is matched to a rule, 
user groups are either granted or denied access to the device. The rule 
priority is essential to matching packets to rules, as packets are matched on 
a first-fit basis. 
•Management Method—Select the management method for which the rule 
is defined. The options are:
-All—Assigns all management methods to the rule.
-Te l n e t—Users requesting access to the device that meets the Telnet 
access profile criteria are permitted or denied access.
-Secure Telnet (SSH)—Users requesting access to the device that meets 
the Telnet access profile criteria, are permitted or denied access.
-HT TP— A s s i g n s  H T T P  a c c e s s  to  t h e  r u l e .  U s e r s  re q u e s t i n g  a c c e s s  to  t h e  
device that meets the HTTP access profile criteria, are permitted or 
denied.
-Secure HTTP (HTTPS)—Users requesting access to the device that 
meets the HTTPS access profile criteria, are permitted or denied.
-SNMP—Users requesting access to the device that meets the SNMP 
access profile criteria are permitted or denied.
•Action—Select Permit to permit the users that attempt to access the device 
by using the configured access method from the interface and IP source 
defined in this rule. Or select Deny to deny access.
•Applies to Interface—Select the interface attached to the rule. The options 
are:
-All—Applies to all ports, VLANs, and LAGs.
-User Defined—Applies only to the port, VLAN, or LAG selected. 
						

							Security
Management Access Authentication
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)  347
18
 
•Interface—Enter the interface number.
•Applies to Source IP Address—Select the type of source IP address to 
which the access profile applies. The Source IP Address field is valid for a 
subnetwork. Select one of the following values:
-All—Applies to all types of IP addresses.
-User Defined—Applies to only those types of IP addresses defined in 
the fields.
•IP Version—Select the supported IP version of the source address: IPv6 or 
IPv4. 
•IP Address—Enter the source IP address.
•Mask—Select the format for the subnet mask for the source IP address, and 
enter a value in one of the field:
-Net work Mask—Select the subnet to which the source IP address 
belongs and enter the subnet mask in dotted decimal format.
-Prefix Length—Select the Prefix Length and enter the number of bits that 
comprise the source IP address prefix.
STEP  5Click Apply, and the rule is added to the access profile.
Management Access Authentication
You can assign authentication methods to the various management access 
methods, such as SSH, console, Telnet, HTTP, and HTTPS. The authentication can 
be performed locally or on a TACACS+ or RADIUS server. 
For the RADIUS server to grant access to the web-based configuration utility, the 
RADIUS server must return cisco-avpair = shell:priv-lvl=15.
User authentication occurs in the order that the authentication methods are 
selected. If the first authentication method is not available, the next selected 
method is used. For example, if the selected authentication methods are RADIUS 
and Local, and all configured RADIUS servers are queried in priority order and do 
not reply, the user is authenticated locally. 
						

							Security
Secure Sensitive Data Management
348 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 
18
If an authentication method fails or the user has insufficient privilege level, the user 
is denied access to the device. In other words, if authentication fails at an 
authentication method, the device stops the authentication attempt; it does not 
continue and does not attempt to use the next authentication method. 
To define authentication methods for an access method:
STEP 1Click Security > Management Access Authentication.
STEP  2Select an access method from the Application list.
STEP  3Use the arrows to move the authentication method between the Optional Methods 
column and the Selected Methods column. The first method selected is the first 
method that is used.
•RADIUS—User is authenticated on a RADIUS server. You must have 
configured one or more RADIUS servers.
•TA C A C S +—User authenticated on the TACACS+ server. You must have 
configured one or more TACACS+ servers.
•None—User is allowed to access the device without authentication.
•Local—Username and password are checked against the data stored on the 
local device. These username and password pairs are defined in the User 
Accounts page. 
NOTEThe Local or None authentication method must always be 
selected last. All authentication methods selected after Local or None 
are ignored. 
STEP  4Click Apply. The selected authentication methods are associated with the access 
method.
Secure Sensitive Data Management
See Security: Secure Sensitive Data Management. 
						

							Security
SSL Server
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)  349
18
 
SSL Server
This section describes the Secure Socket Layer (SSL) feature.
SSL Overview
The Secure Socket Layer (SSL) feature is used to open an HTTPS session to the 
device. 
An HTTPS session may be opened with the default certificate that exists on the 
device.
Some browsers generate warnings when using a default certificate, since this 
certificate is not signed by a Certification Authority (CA). It is best practice to have 
a certificate signed by a trusted CA.
To open an HTTPS session with a user-created certificate, perform the following 
actions:
1. Generate a certificate.
2. Request that the certificate be certified by a CA.
3. Import the signed certificate into the device.
Default Settings and Configuration
By default, the device contains a certificate that can be modified.
HTTPS is enabled by default.
SSL Server Authentication Settings
It may be required to generate a new certificate to replace the default certificate 
found on the device.
To create a new certificate:
STEP 1Click Security > SSL Server > SSL Server Authentication Settings.
Information appears for certificate 1 and 2 in the SSL Server Key Table. These 
fields are defined in the Edit page except for the following fields:
•Valid From—Specifies the date from which the certificate is valid.  
						

							Security
SSL Server
350 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 
18
•Valid To—Specifies the date up to which the certificate is valid. 
•Certificate Source—Specifies whether the certificate was generated by 
the system (Auto Generated) or the user (User Defined). 
STEP  2Select an active certificate.
STEP  3Click Generate Certificate Request. 
STEP  4Enter the following fields:
•Regenerate RSA Key—Select to regenerate the RSA key.
•Key Length—Enter the length of the RSA key to be generated.
•Common Name—Specifies the fully-qualified device URL or IP address.   If 
unspecified, defaults to the lowest IP address of the device (when the 
certificate is generated).
•Organization Unit—Specifies the organization-unit or department name.
•Organization Name—Specifies the organization name. 
•Location—Specifies the location or city name. 
•State—Specifies the state or province name. 
•Country—Specifies the country name. 
•Duration—Specifies the number of days a certification is valid. 
STEP  5Click Generate Certificate Request. This creates a key that must be entered on 
the Certification Authority (CA).
To import a certificate:
STEP 1Click Security > SSL Server > SSL Server Authentication Settings.
STEP  2Click Import Certificate.
STEP  3Enter the following fields:
•Certificate ID—Select the active certificate.
•Certificate—Copy in the received certificate.
•Import RSA KEY-Pair—Select to enable copying in the new RSA key-pair.
•Public Key—Copy in the RSA public key. 
						

							Security
SSH Server
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)  351
18
 
•Private Key (Encrypted)—Select and copy in the RSA private key in 
encrypted form. 
•Private Key (Plaintext)—Select and copy in the RSA private key in plain text 
form. 
STEP  4Click Display Sensitive Data as Encrypted to display this key as encrypted. 
When this button is clicked, the private keys are written to the configuration file in 
encrypted form (when Apply is clicked).
STEP  5Click Apply to apply the changes to the Running Configuration.
The Details button displays the certificate and RSA key pair. This is used to copy 
the certificate and RSA key-pair to another device (using copy/paste). When you 
click Display Sensitive Data as Encrypted, the private keys are displayed in 
encrypted form.
SSH Server
See Security: SSH Server.
SSH Client
See Security: SSH Client.
Configuring TCP/UDP Services
The TCP/UDP Services page enables TCP or UDP-based services on the device, 
usually for security reasons. 
The device offers the following TCP/UDP services:
•HTTP—Enabled by factory default
•HTTPS—Enabled by factory default
•SNMP—Disabled by factory default 
						

							Security
Configuring TCP/UDP Services
352 Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version) 
18
•Te l n e t—Disabled by factory default
•SSH—Disabled by factory default
The active TCP connections are also displayed in this window.
To configure TCP/UDP services:
STEP 1Click Security > TCP/UDP Ser vices.
STEP  2Enable or disable the following TCP/UDP services on the displayed services.
•HTTP Service—Indicates whether the HTTP service is enabled or disabled.
•HTTPS Service—Indicates whether the HTTPS service is enabled or 
disabled.
•SNMP Service—Indicates whether the SNMP service is enabled or 
disabled.
•Te l n e t  S e r v i c e—Indicates whether the Telnet service is enabled or disabled.
•SSH Service—Indicates whether the SSH server service is enabled or 
disabled.
The TCP Service Table displays the following fields for each service:
•Service Name—Access method through which the device is offering the 
TCP ser vice.
•Type—IP protocol the service uses.
•Local IP Address—Local IP address through which the device is offering 
the service.
•Local Port—Local TCP port through which the device is offering the service.
•Remote IP Address—IP address of the remote device that is requesting the 
service.
•Remote Port—TCP port of the remote device that is requesting the service.
•State—Status of the service.
The UDP Services table displays the following information:
•Service Name—Access method through which the device is offering the 
UDP service.
•Type—IP protocol the service uses. 
						

							Security
Defining Storm Control
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)  353
18
 
•Local IP Address—Local IP address through which the device is offering 
the service.
•Local Port—Local UDP port through which the device is offering the service.
•Application Instance—The service instance of the UDP service. (For 
example, when two senders send data to the same destination.)
STEP  3Click Apply. The services are written to the Running Configuration file.
Defining Storm Control
When Broadcast, Multicast, or Unknown Unicast frames are received, they are 
duplicated, and a copy is sent to all possible egress ports. This means that in 
practice they are sent to all ports belonging to the relevant VLAN. In this way, one 
ingress frame is turned into many, creating the potential for a traffic storm. 
Storm protection enables you to limit the number of frames entering the device 
and to define the types of frames that are counted towards this limit.
When the rate of Broadcast, Multicast, or Unknown Unicast frames is higher than 
the user-defined threshold, frames received beyond the threshold are discarded.
To define Storm Control:
STEP 1Click Security > Storm Control.
All the fields on this page are described in the Edit Storm Control page except for 
the Storm Control Rate Threshold (%). It displays the percent of the total 
available bandwidth for unknown Unicast, Multicast, and Broadcast packets 
before storm control is applied at the port. The default value is 10% of the 
maximum rate of the port and is set in the Edit Storm Control page.
STEP  2Select a port and click Edit.
STEP  3Enter the parameters.
•Interface—Select the port for which storm control is enabled. 
•Storm Control—Select to enable Storm Control.
•Storm Control Rate Threshold—Enter the maximum rate at which unknown 
packets can be forwarded. The default for this threshold is 10,000 for FE 
devices and 100,000 for GE devices.