Cisco Sg3008 Manual
Security: ARP Inspection
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version), Chapter 18, page 374

STEP 1 Click Security > ARP Inspection > Properties. Enter the following fields:

• ARP Inspection Status—Select to enable ARP Inspection.
• ARP Packet Validation—Select to enable the following validation checks:
  - Source MAC—Compares the packet's source MAC address in the Ethernet header against the sender's MAC address in the ARP request. This check is performed on both ARP requests and responses.
  - Destination MAC—Compares the packet's destination MAC address in the Ethernet header against the destination interface's MAC address. This check is performed for ARP responses.
  - IP Addresses—Compares the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP Multicast addresses.
• Log Buffer Interval—Select one of the following options:
  - Retry Frequency—Enables sending SYSLOG messages for dropped packets. Enter the frequency with which the messages are sent.
  - Never—Disables SYSLOG dropped-packet messages.

STEP 2 Click Apply. The settings are defined, and the Running Configuration file is updated.

Defining Dynamic ARP Inspection Interfaces Settings

Packets from untrusted ports/LAGs are checked against the ARP Access Rules table and the DHCP Snooping Binding database if DHCP Snooping is enabled (see the DHCP Snooping Binding Database page). By default, ports/LAGs are ARP Inspection untrusted.

To change the ARP trusted status of a port/LAG:

STEP 1 Click Security > ARP Inspection > Interface Settings. The ports/LAGs and their ARP trusted/untrusted status are displayed.
STEP 2 To set a port/LAG as untrusted, select the port/LAG and click Edit.
STEP 3 Select Trusted or Untrusted and click Apply to save the settings to the Running Configuration file.

Defining ARP Inspection Access Control

To add entries to the ARP Inspection table:

STEP 1 Click Security > ARP Inspection > ARP Access Control.
STEP 2 To add an entry, click Add.
STEP 3 Enter the fields:
• ARP Access Control Name—Enter a user-created name.
• MAC Address—MAC address of the packet.
• IP Address—IP address of the packet.
STEP 4 Click Apply. The settings are defined, and the Running Configuration file is updated.

Defining ARP Inspection Access Control Rules

To add more rules to a previously-created ARP Access Control group:

STEP 1 Click Security > ARP Inspection > ARP Access Control Rules. The currently-defined access rules are displayed.
STEP 2 To add more rules to a group, click Add.
STEP 3 Select an Access Control Group and enter the fields:
• MAC Address—MAC address of the packet.
• IP Address—IP address of the packet.
STEP 4 Click Apply. The settings are defined, and the Running Configuration file is updated.

Defining ARP Inspection VLAN Settings

To enable ARP Inspection on VLANs and associate Access Control Groups with a VLAN:

STEP 1 Click Security > ARP Inspection > VLAN Settings.
STEP 2 To enable ARP Inspection on a VLAN, move the VLAN from the Available VLANs list to the Enabled VLANs list.
STEP 3 To associate an ARP Access Control group with a VLAN, click Add. Select the VLAN number and select a previously-defined ARP Access Control group.
STEP 4 Click Apply. The settings are defined, and the Running Configuration file is updated.

Security: IPv6 First Hop Security
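The validation checks and the access-control lookup described above are easiest to understand as a function that takes one raw ARP frame and returns the reasons the switch would drop it. The following is an added example written for this page; it is not code from the Cisco guide or the switch firmware. It assumes (as the guide does not spell out) that trusted ports bypass all checks, that the IP-address check covers the sender IP on every packet and additionally the target IP on replies, and that the ARP Access Control entries and DHCP Snooping bindings are merged into one (MAC, IP) set. The frame builder, the sample MAC/IP values and the function names are all constructed for illustration.

```python
"""Dynamic ARP Inspection checks modelled on the Properties page options.

Added example for the guide text above, not Cisco code. Helper and field
names are hypothetical; sample frames are constructed inline.
"""
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(s: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def build_arp_frame(op, eth_src, eth_dst, sha, spa, tha, tpa) -> bytes:
    """Assemble an Ethernet II + ARP frame from constructed sample values."""
    eth = struct.pack("!6s6sH", mac(eth_dst), mac(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac(sha), ipaddress.IPv4Address(spa).packed,
                      mac(tha), ipaddress.IPv4Address(tpa).packed)
    return eth + arp


def parse_arp_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and the ARP body fields the checks need."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op,
            "sha": sha, "spa": ipaddress.IPv4Address(spa),
            "tha": tha, "tpa": ipaddress.IPv4Address(tpa)}


def _invalid_ip(ip: ipaddress.IPv4Address) -> bool:
    """The guide's list: 0.0.0.0, 255.255.255.255 and any IP multicast address."""
    return (ip == ipaddress.IPv4Address("0.0.0.0")
            or ip == ipaddress.IPv4Address("255.255.255.255")
            or ip.is_multicast)


def inspect_arp(frame: bytes, *, port_trusted: bool, interface_mac: str, bindings: set,
                validation=("src_mac", "dst_mac", "ip")) -> list:
    """Return the reasons the frame would be dropped; an empty list means forward.

    bindings: set of (mac_bytes, IPv4Address) drawn from ARP Access Control
    entries and, if DHCP Snooping is enabled, the DHCP Snooping Binding database.
    Assumption: trusted ports/LAGs bypass every check.
    """
    if port_trusted:
        return []
    p = parse_arp_frame(frame)
    reasons = []
    # Source MAC: Ethernet source vs. ARP sender MAC, requests and replies alike
    if "src_mac" in validation and p["eth_src"] != p["sha"]:
        reasons.append("source MAC mismatch: Ethernet src != ARP sender MAC")
    # Destination MAC: Ethernet destination vs. the receiving interface, replies only
    if "dst_mac" in validation and p["op"] == ARP_REPLY and p["eth_dst"] != mac(interface_mac):
        reasons.append("destination MAC mismatch: Ethernet dst != interface MAC")
    # IP addresses: sender IP always; target IP on replies (assumed)
    if "ip" in validation:
        for ip in [p["spa"]] + ([p["tpa"]] if p["op"] == ARP_REPLY else []):
            if _invalid_ip(ip):
                reasons.append(f"invalid IP address in ARP body: {ip}")
    # Untrusted port: the (sender MAC, sender IP) pair must have a binding
    if (p["sha"], p["spa"]) not in bindings:
        reasons.append(f"no binding for {p['sha'].hex(':')}/{p['spa']}")
    return reasons


if __name__ == "__main__":
    # Constructed sample: one legitimate host and a reply claiming the gateway's IP
    bindings = {(mac("00:11:22:33:44:55"), ipaddress.IPv4Address("192.0.2.10"))}
    legit = build_arp_frame(ARP_REQUEST, "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff",
                            "00:11:22:33:44:55", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1")
    bogus = build_arp_frame(ARP_REPLY, "00:11:22:33:44:55", "00:aa:bb:cc:dd:01",
                            "de:ad:be:ef:00:01", "192.0.2.1", "00:aa:bb:cc:dd:01", "192.0.2.10")
    for name, f in (("legit", legit), ("bogus", bogus)):
        print(name, inspect_arp(f, port_trusted=False, interface_mac="00:aa:bb:cc:dd:01",
                                bindings=bindings) or "forward")
```

Feeding the two constructed frames through `inspect_arp` on an untrusted port forwards the first and drops the second for two independent reasons (the Ethernet source does not match the ARP sender MAC, and the sender MAC/IP pair has no binding); the same frames on a trusted port are forwarded unchecked, which is why uplinks to other inspecting switches are the only ports that should be marked Trusted.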
Security: 802.1X Authentication (Chapter 19, page 381)

This section describes 802.1X authentication. It covers the following topics:
• Overview of 802.1X
• Authenticator Overview
• Common Tasks
• 802.1X Configuration Through the GUI
• Defining Time Ranges
• Authentication Method and Port Mode Support

Overview of 802.1X

802.1x authentication restricts unauthorized clients from connecting to a LAN through publicly-accessible ports. 802.1x authentication is a client-server model. In this model, network devices have the following specific roles:
• Client or supplicant
• Authenticator
• Authentication server

This is described in the figure below. A network device can be either a client/supplicant, an authenticator, or both, per port.

Client or Supplicant

A client or supplicant is a network device that requests access to the LAN. The client is connected to an authenticator. If the client uses the 802.1x protocol for authentication, it runs the supplicant part of the 802.1x protocol and the client part of the EAP protocol. No special software is required on the client to use MAC-based or web-based authentication.

Authenticator

An authenticator is a network device that provides network services and to which supplicant ports are connected. The following authentication modes on ports are supported (these modes are set in Security > 802.1X/MAC/Web Authentication > Host and Authentication):
• Single-host—Supports port-based authentication with a single client per port.
• Multi-host—Supports port-based authentication with multiple clients per port.
• Multi-sessions—Supports client-based authentication with multiple clients per port.
See Port Host Modes for more information.

The following authentication methods are supported:
• 802.1x-based—Supported in all authentication modes.
• MAC-based—Supported in all authentication modes.
• WEB-based—Supported only in multi-sessions mode.

In 802.1x-based authentication, the authenticator extracts the EAP messages from the 802.1x messages (EAPOL frames) and passes them to the authentication server using the RADIUS protocol. With MAC-based or web-based authentication, the authenticator itself executes the EAP client part of the software.

Authentication Server

An authentication server performs the actual authentication of the client. The authentication server for the device is a RADIUS authentication server with EAP extensions.

Authenticator Overview

Port Administrative Authentication States

The port administrative state determines whether the client is granted access to the network. The port administrative state can be configured in the Security > 802.1X/MAC/Web Authentication > Port Authentication page. The following values are available:
• force-authorized—Port authentication is disabled and the port transmits all traffic in accordance with its static configuration without requiring any authentication. The switch sends the 802.1x EAP packet with the EAP success message inside when it receives the 802.1x EAPOL-start message. This is the default state.
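The practical difference between the three host modes, and what the force-authorized administrative state means for a port, is clearer as a small model of the authenticator's per-port decision. The following is an added example written for this page, not code from the Cisco guide or the switch. It models what the text above states (port-based versus client-based authorization, WEB-based only in multi-sessions mode, EAP-Success returned to an EAPOL-Start on a force-authorized port) and assumes two further administrative states, force-unauthorized and auto, which these switches offer but which this page segment does not reach; the class, method names and client MAC addresses are constructed.

```python
"""Authenticator port decisions for the host modes and administrative states
in the text above. Added illustration, not Cisco code; names are hypothetical."""
from dataclasses import dataclass, field

HOST_MODES = ("single-host", "multi-host", "multi-sessions")
# force-authorized is described on the page; force-unauthorized and auto are
# assumed here as the remaining administrative states of these switches.
ADMIN_STATES = ("force-authorized", "force-unauthorized", "auto")


@dataclass
class AuthenticatorPort:
    host_mode: str
    admin_state: str = "force-authorized"            # the guide's default state
    methods: tuple = ("802.1x-based",)               # 802.1x-based, MAC-based, WEB-based
    authenticated: set = field(default_factory=set)  # client MACs the RADIUS server accepted
    violations: list = field(default_factory=list)   # extra clients refused on a single-host port

    def __post_init__(self):
        if self.host_mode not in HOST_MODES or self.admin_state not in ADMIN_STATES:
            raise ValueError("unknown host mode or administrative state")
        # The guide: WEB-based authentication is supported only in multi-sessions mode.
        if "WEB-based" in self.methods and self.host_mode != "multi-sessions":
            raise ValueError("WEB-based authentication requires multi-sessions mode")

    def on_eapol_start(self) -> str:
        """Authenticator's reply when a supplicant sends EAPOL-Start."""
        if self.admin_state == "force-authorized":
            return "EAP-Success"           # per the guide: success without any authentication
        if self.admin_state == "force-unauthorized":
            return "EAP-Failure"           # assumed: the port never authorizes
        return "EAP-Request/Identity"      # auto: standard start of an 802.1X exchange

    def on_radius_result(self, client_mac: str, accepted: bool) -> None:
        """Record the authentication server's verdict for one client."""
        if self.admin_state != "auto":
            return                         # forced states ignore server verdicts
        if not accepted:
            self.authenticated.discard(client_mac)
            return
        if (self.host_mode == "single-host" and self.authenticated
                and client_mac not in self.authenticated):
            self.violations.append(client_mac)   # only one client allowed on this port
            return
        self.authenticated.add(client_mac)

    def allows(self, client_mac: str) -> bool:
        """Would traffic from client_mac be forwarded on this port?"""
        if self.admin_state == "force-authorized":
            return True                    # static configuration, no authentication required
        if self.admin_state == "force-unauthorized":
            return False
        if self.host_mode == "multi-host":
            # port-based with multiple clients: one success opens the port for every host on it
            return bool(self.authenticated)
        # single-host (port-based, one client) and multi-sessions (client-based):
        # only a client that authenticated itself is forwarded
        return client_mac in self.authenticated
```

The multi-host branch is the one to think about when choosing a mode: once the first client on such a port authenticates, every other device behind the same port (for example on an unmanaged hub) is forwarded on the strength of that single session, whereas multi-sessions mode keeps a separate verdict per client MAC.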