Cisco Sg3008 Manual
Security: IPV6 First Hop Security Common Tasks Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)

STEP 3 If required, either configure a user-defined policy or add rules to the default policies for the feature.
STEP 4 Attach the policy to a VLAN, port or LAG using either the Policy Attachment (VLAN) or Policy Attachment (Port) pages.

Router Advertisement Guard Work Flow
STEP 1 In the RA Guard Settings page, enter the list of VLANs on which this feature is enabled.
STEP 2 In this same page, set the global configuration values that are used if no values are set in a policy.
STEP 3 If required, either configure a user-defined policy or add rules to the default policies for the feature.
STEP 4 Attach the policy to a VLAN, port or LAG using either the Policy Attachment (VLAN) or Policy Attachment (Port) pages.

DHCPv6 Guard Work Flow
STEP 1 In the DHCPv6 Guard Settings page, enter the list of VLANs on which this feature is enabled.
STEP 2 In this same page, set the global configuration values that are used if no values are set in a policy.
STEP 3 If required, either configure a user-defined policy or add rules to the default policies for the feature.
STEP 4 Attach the policy to a VLAN, port or LAG using either the Policy Attachment (VLAN) or Policy Attachment (Port) pages.

Neighbor Discovery Inspection Work Flow
STEP 1 In the ND Inspection Settings page, enter the list of VLANs on which this feature is enabled.
STEP 2 In this same page, set the global configuration values that are used if no values are set in a policy.
STEP 3 If required, either configure a user-defined policy or add rules to the default policies for the feature.
STEP 4 Attach the policy to a VLAN, port or LAG using either the Policy Attachment (VLAN) or Policy Attachment (Port) pages.

Neighbor Binding Work Flow
STEP 1 In the Neighbor Bindings Settings page, enter the list of VLANs on which this feature is enabled.
STEP 2 In this same page, set the global configuration values that are used if no values are set in a policy.
STEP 3 If required, either configure a user-defined policy or add rules to the default policies for the feature.
STEP 4 Add any manual entries required in the Neighbor Binding Table page.
STEP 5 Attach the policy to a VLAN, port or LAG using either the Policy Attachment (VLAN) or Policy Attachment (Port) pages.

Default Settings and Configuration
If IPv6 First Hop Security is enabled on a VLAN, the switch traps the following messages by default:
• Router Advertisement (RA) messages
• Router Solicitation (RS) messages
• Neighbor Advertisement (NA) messages
• Neighbor Solicitation (NS) messages
• ICMPv6 Redirect messages
• Certification Path Advertisement (CPA) messages
• Certification Path Solicitation (CPS) messages
• DHCPv6 messages
The FHS features are disabled by default.
Before You Start
No preliminary tasks are required.

Configuring First Hop Security through Web GUI

FHS Common Settings
Use the FHS Settings page to enable the FHS Common feature on a specified group of VLANs and to set the global configuration value for logging packet dropping. If required, a policy can be added, or packet drop logging can be added to the system-defined default policy.
To configure First Hop Security Common on ports or LAGs:
STEP 1 Click Security > First Hop Security > FHS Settings.
STEP 2 Enter the following global configuration fields:
• FHS VLAN List—Enter one or more VLANs on which First Hop Security is enabled.
• Packet Dropped Logging—Select to create a SYSLOG when a packet is dropped by a First Hop Security feature. This is the global default value if no policy is defined.
STEP 3 Create an FHS policy if required by clicking Add. Enter the following fields:
• Policy Name—Enter a user-defined policy name.
• Packet Drop Logging—Select to create a SYSLOG when a packet is dropped as a result of a First Hop Security feature within this policy.
- Inherit—Use the value from the VLAN or the global configuration.
- Enable—Create a SYSLOG when a packet is dropped as a result of First Hop Security.
- Disable—Do not create a SYSLOG when a packet is dropped as a result of First Hop Security.
RA Guard Settings
Use the RA Guard Settings page to enable the RA Guard feature on a specified group of VLANs and to set the global configuration values for this feature. If required, a policy can be added or the system-defined default RA Guard policies can be configured in this page.
To configure RA Guard on ports or LAGs:
STEP 1 Click Security > First Hop Security > RA Guard Settings.
STEP 2 Enter the following global configuration fields:
• RA Guard VLAN List—Enter one or more VLANs on which RA Guard is enabled.
• Minimal Hop Limit—This field indicates whether the RA Guard policy will check the minimum hop limit of the packet received.
- Minimal Hop Limit—Verifies that the hop-count limit is greater than or equal to this value.
- No Verification—Disables verification of the lower boundary of the hop-count limit.
• Maximal Hop Limit—This field indicates whether the RA Guard policy will check the maximum hop limit of the packet received.
- Maximal Hop Limit—Verifies that the hop-count limit is less than or equal to this value. The value of the high boundary must be equal to or greater than the value of the low boundary.
- No Verification—Disables verification of the high boundary of the hop-count limit.
• Managed Configuration Flag—This field specifies verification of the advertised Managed Address Configuration flag within an IPv6 RA Guard policy.
- No Verification—Disables verification of the advertised Managed Address Configuration flag.
- On—Enables verification of the advertised Managed Address Configuration flag.
- Off—The value of the flag must be 0.
• Other Configuration Flag—This field specifies verification of the advertised Other Configuration flag within an IPv6 RA Guard policy.
- No Verification—Disables verification of the advertised Other Configuration flag.
- On—Enables verification of the advertised Other Configuration flag.
- Off—The value of the flag must be 0.
• Minimal Route Preference—This field indicates whether the RA Guard policy will verify the minimum advertised Default Router Preference value in RA messages within an RA Guard policy.
- No Verification—Disables verification of the low boundary of the Advertised Default Router Preference.
- Low—Specifies the minimum allowed Advertised Default Router Preference value. The following values are acceptable: low, medium and high (see RFC4191).
- Medium—Specifies the minimum allowed Advertised Default Router Preference value. The following values are acceptable: low, medium and high (see RFC4191).
- High—Specifies the minimum allowed Advertised Default Router Preference value. The following values are acceptable: low, medium and high (see RFC4191).
• Maximal Route Preference—This field indicates whether the RA Guard policy will verify the maximum advertised Default Router Preference value in RA messages within an RA Guard policy.
- No Verification—Disables verification of the high boundary of the Advertised Default Router Preference.
- Low—Specifies the maximum allowed Advertised Default Router Preference value. The following values are acceptable: low, medium and high (see RFC4191).
- Medium—Specifies the maximum allowed Advertised Default Router Preference value. The following values are acceptable: low, medium and high (see RFC4191).
- High—Specifies the maximum allowed Advertised Default Router Preference value. The following values are acceptable: low, medium and high (see RFC4191).
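The RA Guard fields above (hop-limit bounds, Managed and Other Configuration flags, minimal and maximal route preference) are easier to reason about as a decision over a parsed Router Advertisement. The following Python is an added example, not the switch's firmware or any Cisco code: it decodes the fixed ICMPv6 RA header, resolves each policy field through a port policy, a VLAN policy and the global settings (the Inherit semantics the FHS pages describe), and lists every check the RA violates. Assumptions, beyond what the page states: the hop-limit bounds are applied to the RA's advertised Cur Hop Limit field, and "On" for a flag means the flag must be 1 while "Off" means it must be 0. The sample RA bytes and the three policies are constructed here.

```python
# Added example (not the switch's code): apply RA Guard policy checks to a raw ICMPv6 RA.
# Assumption: hop-limit bounds are checked against the advertised Cur Hop Limit field.
import struct
from dataclasses import dataclass
from typing import Any, List

INHERIT = "inherit"       # field left at Inherit: fall through to the VLAN / global value
NO_VERIFICATION = None    # the page's "No Verification" setting

# RFC 4191 Default Router Preference: 2-bit Prf field in bits 4-3 of the RA flags byte.
PRF_FROM_BITS = {0b01: "high", 0b00: "medium", 0b11: "low"}   # 0b10 is reserved -> medium
PRF_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass
class RouterAdvertisement:
    cur_hop_limit: int
    managed_flag: bool    # M bit
    other_flag: bool      # O bit
    preference: str       # "low" / "medium" / "high"


def parse_ra(icmpv6: bytes) -> RouterAdvertisement:
    """Decode the fixed 16-byte RA header (RFC 4861 section 4.2); options are ignored."""
    if len(icmpv6) < 16:
        raise ValueError("truncated Router Advertisement")
    msg_type, code, _csum, hop_limit, flags, _life, _reach, _retrans = struct.unpack(
        "!BBHBBHII", icmpv6[:16])
    if msg_type != 134 or code != 0:
        raise ValueError("not a Router Advertisement (type 134, code 0)")
    return RouterAdvertisement(hop_limit, bool(flags & 0x80), bool(flags & 0x40),
                               PRF_FROM_BITS.get((flags >> 3) & 0b11, "medium"))


@dataclass
class RaGuardPolicy:
    """Hypothetical model of the page's options: a value, NO_VERIFICATION, or INHERIT."""
    min_hop_limit: Any = INHERIT
    max_hop_limit: Any = INHERIT
    managed_flag: Any = INHERIT      # "on" (flag must be 1) / "off" (flag must be 0)
    other_flag: Any = INHERIT
    min_route_pref: Any = INHERIT    # "low" / "medium" / "high"
    max_route_pref: Any = INHERIT


def resolve(field: str, *chain: RaGuardPolicy) -> Any:
    """Walk port policy -> VLAN policy -> global settings; the first non-Inherit value wins."""
    for policy in chain:
        value = getattr(policy, field)
        if value != INHERIT:
            return value
    return NO_VERIFICATION


def evaluate_ra(ra: RouterAdvertisement, *chain: RaGuardPolicy) -> List[str]:
    """Return the violated checks; an empty list means RA Guard forwards the packet."""
    violations = []
    lo, hi = resolve("min_hop_limit", *chain), resolve("max_hop_limit", *chain)
    if lo is not NO_VERIFICATION and ra.cur_hop_limit < lo:
        violations.append(f"hop limit {ra.cur_hop_limit} below minimum {lo}")
    if hi is not NO_VERIFICATION and ra.cur_hop_limit > hi:
        violations.append(f"hop limit {ra.cur_hop_limit} above maximum {hi}")
    for name, actual in (("managed_flag", ra.managed_flag), ("other_flag", ra.other_flag)):
        want = resolve(name, *chain)
        if want == "on" and not actual:
            violations.append(f"{name} must be 1")
        elif want == "off" and actual:
            violations.append(f"{name} must be 0")
    lo, hi = resolve("min_route_pref", *chain), resolve("max_route_pref", *chain)
    if lo is not NO_VERIFICATION and PRF_RANK[ra.preference] < PRF_RANK[lo]:
        violations.append(f"router preference {ra.preference} below minimum {lo}")
    if hi is not NO_VERIFICATION and PRF_RANK[ra.preference] > PRF_RANK[hi]:
        violations.append(f"router preference {ra.preference} above maximum {hi}")
    return violations


def build_ra(hop_limit: int, managed: bool, other: bool, preference: str) -> bytes:
    """Constructed sample RA header with a zero checksum (test input only)."""
    prf_bits = {v: k for k, v in PRF_FROM_BITS.items()}[preference]
    flags = (0x80 if managed else 0) | (0x40 if other else 0) | (prf_bits << 3)
    return struct.pack("!BBHBBHII", 134, 0, 0, hop_limit, flags, 1800, 0, 0)


# Constructed settings: global floor on the hop limit, everything else at No Verification.
GLOBAL = RaGuardPolicy(64, NO_VERIFICATION, NO_VERIFICATION, NO_VERIFICATION,
                       NO_VERIFICATION, NO_VERIFICATION)
VLAN_POLICY = RaGuardPolicy(managed_flag="off")        # hosts must not be steered to DHCPv6
PORT_POLICY = RaGuardPolicy(max_route_pref="medium")   # no "high" preference from this port


def check_sample() -> List[str]:
    """A constructed RA with M=1 and Prf=high violates both the VLAN and the port policy."""
    ra = parse_ra(build_ra(64, True, False, "high"))
    return evaluate_ra(ra, PORT_POLICY, VLAN_POLICY, GLOBAL)


if __name__ == "__main__":
    for line in check_sample() or ["forwarded"]:
        print(line)
```

The policy chain is evaluated port first, then VLAN, then global, so a field left at Inherit in the port policy is decided by the VLAN policy or, failing that, by the global settings, which is the same precedence the Policy Attachment pages give the reader.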
To create an RA Guard policy or to configure the system-defined default policies, click Add and enter the above parameters. If required, click either Attach Policy to VLAN or Attach Policy to Interface.

DHCPv6 Guard Settings
Use the DHCPv6 Guard Settings page to enable the DHCPv6 Guard feature on a specified group of VLANs and to set the global configuration values for this feature. If required, a policy can be added or the system-defined default DHCPv6 Guard policies can be configured in this page.
To configure DHCPv6 Guard on ports or LAGs:
STEP 1 Click Security > First Hop Security > DHCPv6 Guard Settings.
STEP 2 Enter the following global configuration fields:
• DHCPv6 Guard VLAN List—Enter one or more VLANs on which DHCPv6 Guard is enabled.
• Minimal Preference—This field indicates whether the DHCPv6 Guard policy will check the minimum advertised preference value of the packet received.
- No Verification—Disables verification of the minimum advertised preference value of the packet received.
- User Defined—Verifies that the advertised preference value is greater than or equal to this value. This value must be less than the Maximal Preference value.
• Maximal Preference—This field indicates whether the DHCPv6 Guard policy will check the maximum advertised preference value of the packet received. This value must be greater than the Minimal Preference value.
- No Verification—Disables verification of the maximum advertised preference value of the packet received.
- User Defined—Verifies that the advertised preference value is less than or equal to this value.
STEP 3 If required, click Add to create a DHCPv6 policy.
STEP 4 Enter the following fields:
• Policy Name—Enter a user-defined policy name.
• Device Role—Select either Server or Client to specify the role of the device attached to the port for DHCPv6 Guard.
- Inherited—Role of device is inherited from either the VLAN or system default (client).
- Client—Role of device is client.
- Host—Role of device is host.
• Match Reply Prefixes—Select to enable verification of the advertised prefixes in received DHCP reply messages within a DHCPv6 Guard policy.
- Inherited—Value is inherited from either the VLAN or system default (no verification).
- No Verification—Advertised prefixes are not verified.
- Match List—IPv6 prefix list to be matched.
• Match Server Address—Select to enable verification of the DHCP server's and relay's IPv6 address in received DHCP reply messages within a DHCPv6 Guard policy.
- Inherited—Value is inherited from either the VLAN or system default (no verification).
- No Verification—Disables verification of the DHCP server's and relay's IPv6 address.
- Match List—IPv6 prefix list to be matched.
• Minimal Preference—See above.
• Maximal Preference—See above.
STEP 5 If required, click either Attach Policy to VLAN or Attach Policy to Interface.

Neighbor Discovery Inspection Settings
Use the ND Inspection Settings page to enable the ND Inspection feature on a specified group of VLANs and to set the global configuration values for this feature. If required, a policy can be added or the system-defined default ND Inspection policies can be configured in this page.
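The DHCPv6 Guard policy fields described in the two preceding steps (Device Role, Match Reply Prefixes, Match Server Address, Minimal and Maximal Preference) amount to a filter on server-originated DHCPv6 messages. The following Python is an added example, not the switch's code: it parses a DHCPv6 message far enough to recover the Preference option and the addresses offered inside IA_NA/IAADDR options (option layout per RFC 3315, with a missing Preference option counting as 0 as that RFC specifies), then reports which policy checks a given message fails. The REPLY messages, source addresses and both policies are constructed for the example; the policy is taken as already resolved, so "Inherited" does not appear in it.

```python
# Added example (not the switch's code): DHCPv6 Guard policy checks over a constructed REPLY.
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Server-to-client message types (RFC 3315 / RFC 8415 numbering).
SERVER_MSG_TYPES = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE", 13: "RELAY-REPL"}
OPT_IA_NA, OPT_IAADDR, OPT_PREFERENCE = 3, 5, 7


def parse_options(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split a TLV option block into (code, data) pairs; a short option is a parse error."""
    options, offset = [], 0
    while offset + 4 <= len(buf):
        code, length = struct.unpack("!HH", buf[offset:offset + 4])
        data = buf[offset + 4:offset + 4 + length]
        if len(data) != length:
            raise ValueError("truncated DHCPv6 option")
        options.append((code, data))
        offset += 4 + length
    return options


def parse_dhcpv6(msg: bytes) -> Tuple[int, int, List[ipaddress.IPv6Address]]:
    """Return (msg-type, server preference, addresses offered in IA_NA/IAADDR options)."""
    if len(msg) < 4:
        raise ValueError("truncated DHCPv6 message")
    msg_type, preference, addresses = msg[0], 0, []
    for code, data in parse_options(msg[4:]):          # skip msg-type + 3-byte transaction-id
        if code == OPT_PREFERENCE and len(data) == 1:
            preference = data[0]
        elif code == OPT_IA_NA and len(data) >= 12:    # IAID, T1, T2, then IAADDR sub-options
            for sub, sub_data in parse_options(data[12:]):
                if sub == OPT_IAADDR and len(sub_data) >= 24:
                    addresses.append(ipaddress.IPv6Address(sub_data[:16]))
    return msg_type, preference, addresses


@dataclass
class Dhcpv6GuardPolicy:
    """Policy after Inherit is resolved; None for a list or a bound means No Verification."""
    device_role: str = "client"                                       # page default: client
    match_reply_prefixes: Optional[List[ipaddress.IPv6Network]] = None
    match_server_address: Optional[List[ipaddress.IPv6Network]] = None
    min_preference: Optional[int] = None
    max_preference: Optional[int] = None


def evaluate_dhcpv6(src: str, msg: bytes, policy: Dhcpv6GuardPolicy) -> List[str]:
    """Violated checks for a server-originated message; an empty list means forward."""
    msg_type, preference, addresses = parse_dhcpv6(msg)
    if msg_type not in SERVER_MSG_TYPES:
        return []                                    # client messages are not policed here
    violations = []
    if policy.device_role != "server":
        violations.append(f"{SERVER_MSG_TYPES[msg_type]} on a {policy.device_role}-role port")
    if policy.match_server_address is not None:
        if not any(ipaddress.IPv6Address(src) in n for n in policy.match_server_address):
            violations.append(f"server address {src} not in match list")
    if policy.match_reply_prefixes is not None:
        for addr in addresses:
            if not any(addr in n for n in policy.match_reply_prefixes):
                violations.append(f"offered address {addr} not in match list")
    if policy.min_preference is not None and preference < policy.min_preference:
        violations.append(f"preference {preference} below minimum {policy.min_preference}")
    if policy.max_preference is not None and preference > policy.max_preference:
        violations.append(f"preference {preference} above maximum {policy.max_preference}")
    return violations


def option(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data


def build_reply(offered: str, preference: int) -> bytes:
    """Constructed REPLY (type 7) carrying a Preference option and one IA_NA/IAADDR."""
    iaaddr = option(OPT_IAADDR, ipaddress.IPv6Address(offered).packed + struct.pack("!II", 3600, 7200))
    ia_na = option(OPT_IA_NA, struct.pack("!III", 1, 0, 0) + iaaddr)
    return bytes([7, 0x12, 0x34, 0x56]) + option(OPT_PREFERENCE, bytes([preference])) + ia_na


# Constructed policies: the uplink expects a link-local server handing out 2001:db8:1::/64.
UPLINK = Dhcpv6GuardPolicy("server", [ipaddress.ip_network("2001:db8:1::/64")],
                           [ipaddress.ip_network("fe80::/10")], 0, 255)
ACCESS = Dhcpv6GuardPolicy()        # default: client role, nothing else verified


def check_samples() -> Tuple[List[str], List[str], List[str]]:
    """Legitimate reply on the uplink; the same rogue reply seen on an access port and on the uplink."""
    legit = evaluate_dhcpv6("fe80::1", build_reply("2001:db8:1::10", 200), UPLINK)
    rogue_on_access = evaluate_dhcpv6("2001:db8::5", build_reply("2001:db8:2::10", 255), ACCESS)
    rogue_on_uplink = evaluate_dhcpv6("2001:db8::5", build_reply("2001:db8:2::10", 255), UPLINK)
    return legit, rogue_on_access, rogue_on_uplink
```

On an access port the Device Role check alone is enough to stop a server message; the match lists and preference bounds matter on ports where a server is expected, which is why the page treats them as per-policy settings.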
To configure ND Inspection on ports or LAGs:
STEP 1 Click Security > First Hop Security > ND Inspection Settings.
STEP 2 Enter the following global configuration fields:
• ND Inspection VLAN List—Enter one or more VLANs on which ND Inspection is enabled.
• Drop Unsecure—Select to enable dropping messages with no CGA or RSA Signature option within an IPv6 ND Inspection policy.
• Minimal Security Level—If unsecure messages are not dropped, select the security level below which messages are not forwarded.
- No Verification—Disables verification of the security level.
- User Defined—Specify the security level of the message to be forwarded.
STEP 3 If required, click Add to create an ND Inspection policy.
STEP 4 Enter the following fields:
• Policy Name—Enter a user-defined policy name.
• Device Role—Select either Server or Client to specify the role of the device attached to the port for ND Inspection.
- Inherited—Role of device is inherited from either the VLAN or system default (client).
- Client—Role of device is client.
- Host—Role of device is host.
• Drop Unsecure—See above.
• Minimal Security Level—See above.
• Validate Source MAC—Specify whether to globally enable checking the source MAC address against the link-layer address:
- Inherited—Inherit value from VLAN or system default (disabled).
- Enable—Enable checking the source MAC address against the link-layer address.
- Disable—Disable checking the source MAC address against the link-layer address.
STEP 5 If required, click either Attach Policy to VLAN or Attach Policy to Interface.

Neighbor Binding Settings
The Neighbor Binding table is a database table of the IPv6 neighbors connected to a device; it is built from information sources such as Neighbor Discovery Protocol (NDP) snooping. This database, or binding table, is used by the various IPv6 guard features to prevent spoofing and redirect attacks.
Use the Neighbor Binding Settings page to enable the Neighbor Binding feature on a specified group of VLANs and to set the global configuration values for this feature. If required, a policy can be added or the system-defined default Neighbor Binding policies can be configured in this page.
To configure Neighbor Binding on ports or LAGs:
STEP 1 Click Security > First Hop Security > Neighbor Binding Settings.
STEP 2 Enter the following global configuration fields:
• Neighbor Binding VLAN List—Enter one or more VLANs on which Neighbor Binding is enabled.
• Manual Neighbor Binding—Select to indicate that entries can be added to the Neighbor Binding table manually.
• Neighbor Binding Lifetime—Enter the length of time that addresses remain in the Neighbor Bindings table.
• Neighbor Binding Logging—This field indicates whether to enable validation of a bound IPv6 address against the Neighbor Prefix table and logging of the Binding table's main events.
• Neighbor Binding Entry Limits—Specify the maximum number of Neighbor Binding entries per type of interface or address:
- Entries Per VLAN—Specifies the neighbor binding limit per VLAN.
- Entries Per Interface—Specifies the neighbor binding limit per interface.
- Entries Per MAC Address—Specifies the neighbor binding limit per MAC address.
STEP 3 If required, click Add to create a Neighbor Binding policy.
STEP 4 Enter the following fields:
• Policy Name—Enter a user-defined policy name.
• Device Role—Select either Server or Client to specify the role of the device attached to the port for the Neighbor Binding policy.
- Inherited—Role of device is inherited from either the VLAN or system default (client).
- Client—Role of device is client.
- Host—Role of device is host.
• Neighbor Binding Logging—See above.
• Neighbor Binding Entry Limits—See above.
STEP 5 If required, click either Attach Policy to VLAN or Attach Policy to Interface.

Policy Attachment (VLAN)
To attach a policy to one or more VLANs:
STEP 1 Click Security > First Hop Security > Policy Attachment (VLAN). The list of policies that are already attached is displayed along with their Policy Type, Policy Name and VLAN List.
STEP 2 To attach a policy to a VLAN, click Add and enter the following fields:
• Policy Type—Select the policy type to attach to the interface.
• Policy Name—Select the name of the policy to attach to the interface.
• VLAN List—Select the VLANs to which the policy is attached. Select All VLANs or enter a range of VLANs.
STEP 3 Click Apply to add the settings to the Running Configuration file.
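The Neighbor Binding Settings section above lists the controls on the binding table: a lifetime after which learned entries age out, manual entries, validation of a bound address against the Neighbor Prefix table with logging of the table's main events, and entry limits per VLAN, per interface and per MAC address. The following Python is an added example, not the switch's code, showing how those controls interact in a small binding table that a guard feature could consult before forwarding: snooped entries expire, manual entries do not, a second MAC claiming an already-bound address is logged as a conflict rather than overwriting the binding, and each limit is enforced on insertion. Addresses, MACs, interface names and limits are constructed; the clock is passed in explicitly so the behaviour is deterministic.

```python
# Added example (not the switch's code): a Neighbor Binding table with lifetime, manual
# entries, per-VLAN / per-interface / per-MAC limits and Neighbor Prefix validation.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Binding:
    vlan: int
    address: ipaddress.IPv6Address
    mac: str
    interface: str
    origin: str           # "nd-snooping" (learned) or "manual"
    expires_at: float     # manual entries use infinity and never age out


class NeighborBindingTable:
    def __init__(self, lifetime: float, per_vlan: int, per_interface: int, per_mac: int,
                 prefixes: Optional[List[ipaddress.IPv6Network]] = None) -> None:
        self.lifetime = lifetime
        self.limits = {"vlan": per_vlan, "interface": per_interface, "mac": per_mac}
        self.prefixes = prefixes                         # None: no Neighbor Prefix validation
        self.entries: Dict[Tuple[int, ipaddress.IPv6Address], Binding] = {}
        self.log: List[str] = []                         # the "Neighbor Binding Logging" events

    def expire(self, now: float) -> int:
        """Drop entries whose lifetime has elapsed; returns how many were removed."""
        stale = [key for key, b in self.entries.items() if b.expires_at <= now]
        for key in stale:
            self.log.append(f"expired {self.entries.pop(key).address} on VLAN {key[0]}")
        return len(stale)

    def _count(self, field: str, value) -> int:
        return sum(1 for b in self.entries.values() if getattr(b, field) == value)

    def learn(self, vlan: int, address: str, mac: str, interface: str, now: float,
              manual: bool = False) -> Tuple[bool, str]:
        """Add or refresh a binding; returns (accepted, reason)."""
        self.expire(now)
        addr = ipaddress.IPv6Address(address)
        if self.prefixes is not None and not any(addr in p for p in self.prefixes):
            self.log.append(f"rejected {addr}: not in Neighbor Prefix table")
            return False, "prefix-mismatch"
        expires = float("inf") if manual else now + self.lifetime
        key = (vlan, addr)
        if key in self.entries:
            bound = self.entries[key]
            if (bound.mac, bound.interface) != (mac, interface):
                self.log.append(f"conflict for {addr}: bound to {bound.mac} on {bound.interface}")
                return False, "conflict"
            bound.expires_at = max(bound.expires_at, expires)
            return True, "refreshed"
        for field, value in (("vlan", vlan), ("interface", interface), ("mac", mac)):
            if self._count(field, value) >= self.limits[field]:
                self.log.append(f"rejected {addr}: {field} limit {self.limits[field]} reached")
                return False, f"{field}-limit"
        origin = "manual" if manual else "nd-snooping"
        self.entries[key] = Binding(vlan, addr, mac, interface, origin, expires)
        self.log.append(f"bound {addr} to {mac} on {interface} (VLAN {vlan}, {origin})")
        return True, "added"

    def is_valid_source(self, vlan: int, address: str, mac: str, interface: str,
                        now: float) -> bool:
        """The question a guard feature asks before forwarding: does the source match its binding?"""
        self.expire(now)
        bound = self.entries.get((vlan, ipaddress.IPv6Address(address)))
        return bound is not None and (bound.mac, bound.interface) == (mac, interface)


if __name__ == "__main__":
    # Constructed walk-through: lifetime 300 s, at most 2 entries per VLAN and interface, 1 per MAC.
    table = NeighborBindingTable(300, 2, 2, 1, [ipaddress.ip_network("2001:db8:1::/64")])
    table.learn(10, "2001:db8:1::a", "00:11:22:33:44:01", "gi1", now=0)
    table.learn(10, "2001:db8:1::a", "00:11:22:33:44:99", "gi9", now=1)   # spoof attempt: conflict
    table.learn(10, "2001:db8:9::1", "00:11:22:33:44:02", "gi2", now=2)   # outside the prefix table
    table.expire(now=301)
    print("\n".join(table.log))
```

The per-MAC limit is what bounds a single host flooding the table with addresses, while the conflict log line is the event an operator would want forwarded to SYSLOG, since it is the binding table's evidence of an address being claimed by a second device.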