Cisco Sg3008 Manual
Security: IPV6 First Hop Security
Configuring First Hop Security through Web GUI
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)

Policy Attachment (Port)

To attach a policy to one or more ports or LAGs:

STEP 1 Click Security > First Hop Security > Policy Attachment (Port). The list of policies that are already attached is displayed along with their Interface number, Policy Type, Policy Name and VLAN List.

STEP 2 To attach a policy to a port or LAG, click Add and enter the following fields:
•Interface—Select the interface on which the policy will be attached.
•Policy Type—Select the policy type to attach to the interface.
•Policy Name—Select the name of the policy to attach to the interface.
•VLAN List—Select the VLANs to which the policy is attached. Select All VLANs or enter a range of VLANs.

STEP 3 Click Apply to add the settings to the Running Configuration file.

Neighbor Binding Table

To add or modify entries in the Neighbor Binding table:

STEP 1 Click Security > First Hop Security > Neighbor Binding Table.

STEP 2 Select one of the following clear table options:
•Static Only—Clear all static entries in the table.
•Dynamic Only—Clear all dynamic entries in the table.
•All Dynamic & Static—Clear all dynamic and static entries in the table.

STEP 3 Click Add to add a new entry to the table.

STEP 4 Enter the following fields:
•VLAN ID—VLAN ID of the entry.
•IPv6 Address—Source IPv6 address of the entry.
•Interface Name—Port on which the packet is received.
•MAC Address—Neighbor MAC address of the packet.
FHS Status

To display the global configuration for the FHS features:

STEP 1 Click Security > First Hop Security > FHS Status.

STEP 2 Select a port, LAG or VLAN for which the FHS state is reported.

STEP 3 The following fields are displayed for the selected interface:
•FHS Status
-FHS State on Current VLAN—Is FHS enabled on the current VLAN.
-Packet Drop Logging—Is this feature enabled for the current interface (at the level of global configuration or in a policy attached to the interface).
•RA Guard Status
-RA Guard State on Current VLAN—Is RA Guard enabled on the current VLAN.
-Device Role—RA device role.
-Managed Configuration Flag—Is verification of the managed configuration flag enabled.
-Other Configuration Flag—Is verification of the other configuration flag enabled.
-RA Address List—RA address list to be matched.
-RA Prefix List—RA prefix list to be matched.
-Minimal Hop Limit—Is minimum RA hop limit verification enabled.
-Maximal Hop Limit—Is maximum RA hop limit verification enabled.
-Minimal Router Preference—Is minimum router preference verification enabled.
-Maximal Router Preference—Is maximum router preference verification enabled.
•ND Inspection Status
-ND Inspection State on Current VLAN—Is ND Inspection enabled on the current VLAN.
-Device Role—ND Inspection device role.
-Drop Unsecure—Are unsecure messages dropped.
-Minimal Security Level—If unsecure messages are not dropped, the minimum security level required for packets to be forwarded.
-Validate Source MAC—Is source MAC address verification enabled.
•DHCP Guard Status
-DHCPv6 Guard State on Current VLAN—Is DHCPv6 Guard enabled on the current VLAN.
-Device Role—DHCP device role.
-Match Reply Prefixes—Is DHCP reply prefix verification enabled.
-Match Server Address—Is DHCP server address verification enabled.
-Minimal Preference—Is verification of the minimum preference enabled.
-Maximal Preference—Is verification of the maximum preference enabled.
•Neighbor Binding Status
-Neighbor Binding State on Current VLAN—Is Neighbor Binding enabled on the current VLAN.
-Device Role—Neighbor Binding device role.
-Logging Binding—Is logging of Neighbor Binding table events enabled.
-Max Entries per VLAN—Maximum number of dynamic Neighbor Binding table entries allowed per VLAN.
-Max Entries per Interface—Maximum number of Neighbor Binding table entries allowed per interface.
-Max Entries per MAC Address—Maximum number of Neighbor Binding table entries allowed per MAC address.
FHS Statistics

To display FHS statistics:

STEP 1 Click Security > First Hop Security > FHS Statistics.

STEP 2 The following fields are displayed:
•NDP (Neighbor Discovery Protocol) Messages—The number of received and bridged messages is displayed for the following message types:
-RA—Router Advertisement messages.
-CPA—Certification Path Advertisement messages.
-ICMPv6—Internet Control Message Protocol for IPv6 messages.
-NS—Neighbor Solicitation messages.
-RS—Router Solicitation messages.
-CPS—Certification Path Solicitation messages.
•DHCPv6 Messages—The number of received and bridged messages is displayed for the various types of DHCPv6 messages.

The following fields are displayed in the FHS Dropped Message Table:
•Protocol—Protocol of the dropped message.
•Message Type—Type of message dropped.
•Count—Number of messages dropped.
•Reason—Reason that the messages were dropped.
Security: Secure Sensitive Data Management

Secure Sensitive Data (SSD) is an architecture that facilitates the protection of sensitive data on a device, such as passwords and keys. The facility makes use of passphrases, encryption, access control, and user authentication to provide a secure solution for managing sensitive data. The facility is extended to protect the integrity of configuration files, to secure the configuration process, and to support SSD zero-touch auto configuration.

•Introduction
•SSD Rules
•SSD Properties
•Configuration Files
•SSD Management Channels
•Menu CLI and Password Recovery
•Configuring SSD

Introduction

SSD protects sensitive data on a device, such as passwords and keys; permits and denies access to sensitive data, encrypted and in plaintext, based on user credentials and SSD rules; and protects configuration files containing sensitive data from being tampered with. In addition, SSD enables the secure backup and sharing of configuration files containing sensitive data.

SSD provides users with the flexibility to configure the desired level of protection for their sensitive data: from no protection (sensitive data in plaintext), through minimum protection (encryption based on the default passphrase), to better protection (encryption based on a user-defined passphrase).
SSD grants read permission to sensitive data only to authenticated and authorized users, and according to SSD rules. A device authenticates and authorizes management access for users through the user authentication process. Whether or not SSD is used, it is recommended that the administrator secure the authentication process by using the local authentication database, and/or secure the communication to the external authentication servers used in the user authentication process.

In summary, SSD protects sensitive data on a device with SSD rules, SSD properties, and user authentication. The SSD rules, SSD properties, and user authentication configuration of the device are themselves sensitive data protected by SSD.

SSD Management

SSD management includes a collection of configuration parameters that define the handling and security of sensitive data. The SSD configuration parameters themselves are sensitive data and are protected under SSD. All configuration of SSD is performed through the SSD pages, which are only available to users with the correct permissions (see SSD Rules).

SSD Rules

SSD rules define the read permissions and default read mode given to a user session on a management channel. An SSD rule is uniquely identified by its user and SSD management channel. Different SSD rules might exist for the same user but for different channels, and conversely, different rules might exist for the same channel but for different users. Read permissions determine how sensitive data can be viewed: in encrypted form only, in plaintext form only, in both encrypted and plaintext form, or not at all. The SSD rules themselves are protected as sensitive data. A device can support a total of 32 SSD rules.
A device grants a user the SSD read permission of the SSD rule that best matches the user identity/credential and the type of management channel from which the user accesses, or will access, the sensitive data. A device comes with a set of default SSD rules. An administrator can add, delete, and change SSD rules as desired.
NOTE: A device may not support all the channels defined by SSD.

Elements of an SSD Rule

An SSD rule includes the following elements:
•User type—The user types supported, in order from most preferred to least preferred, are as follows. (If a user matches multiple SSD rules, the rule with the most preferred User Type is applied.)
-Specific—The rule applies to a specific user.
-Default User (cisco)—The rule applies to the default user (cisco).
-Level 15—The rule applies to users with privilege level 15.
-All—The rule applies to all users.
•User Name—If the user type is Specific, a user name is required.
•Channel—Type of SSD management channel to which the rule is applied. The channel types supported are:
-Secure—Specifies that the rule applies only to secure channels. Depending on the device, it may support some or all of the following secure channels: Console port interface, SCP, SSH, and HTTPS.
-Insecure—Specifies that this rule applies only to insecure channels. Depending on the device, it may support some or all of the following insecure channels: Telnet, TFTP, and HTTP.
-Secure XML SNMP—Specifies that this rule applies only to XML over HTTPS or SNMPv3 with privacy. A device may or may not support all of the secure XML and SNMP channels.
-Insecure XML SNMP—Specifies that this rule applies only to XML over HTTP or SNMP v1/v2 and SNMP v3 without privacy. A device may or may not support all of the insecure XML and SNMP channels.
•Read Permission—The read permission associated with the rule. This can be one of the following:
-(Lowest) Exclude—Users are not permitted to access sensitive data in any form.
-(Middle) Encrypted Only—Users are permitted to access sensitive data in encrypted form only.
-(Higher) Plaintext Only—Users are permitted to access sensitive data in plaintext only. Users also have read and write permission to SSD parameters.
-(Highest) Both—Users have both encrypted and plaintext permissions and are permitted to access sensitive data as encrypted and in plaintext. Users also have read and write permission to SSD parameters.
Each management channel allows specific read permissions. The following table summarizes these.

Management Channel     Read Permission Options Allowed
Secure                 Both, Encrypted Only
Insecure               Both, Encrypted Only
Secure XML SNMP        Exclude, Plaintext Only
Insecure XML SNMP      Exclude, Plaintext Only

•Default Read Mode—All default read modes are subject to the read permission of the rule. The following options exist, but some might be rejected, depending on the read permission. If the read permission for a user is Exclude (for example) and the default read mode is Encrypted, the read permission prevails.
-Exclude—Do not allow reading sensitive data.
-Encrypted—Sensitive data is presented in encrypted form.
-Plaintext—Sensitive data is presented in plaintext form.
Each read permission allows specific default read modes. The following table summarizes these.

Read Permission        Default Read Mode Allowed
Exclude                Exclude
Encrypted Only         *Encrypted
Plaintext Only         *Plaintext
Both                   *Plaintext, Encrypted

* The Read mode of a session can be temporarily changed in the SSD Properties page if the new read mode does not violate the read permission.
NOTE: Note the following:
•The default Read mode for the Secure XML SNMP and Insecure XML SNMP management channels must be identical to their read permission.
•Read permission Exclude is allowed only for the Secure XML SNMP and Insecure XML SNMP management channels; Exclude is not allowed for regular secure and insecure channels.
•Exclude on the Secure XML SNMP and Insecure XML SNMP management channels means that the sensitive data is presented as 0 (meaning a null string or numeric 0). If the user wants to view sensitive data, the rule must be changed to plaintext.
•By default, an SNMPv3 user with privacy and XML-over-secure-channel permissions is considered to be a level-15 user.
•SNMP users on the Insecure XML SNMP channel (SNMPv1, v2, and v3 with no privacy) are considered All users.
•SNMP community names are not used as user names to match SSD rules.
•Access by a specific SNMPv3 user can be controlled by configuring an SSD rule with a user name matching the SNMPv3 user name.
•There must always be at least one rule with read permission Plaintext Only or Both, because only users with those permissions are able to access the SSD pages.
•Changes to the default read mode and read permissions of a rule become effective immediately and are applied to the affected user(s) and channel of all active management sessions, excluding the session making the changes even if the rule is applicable to it. When a rule is changed (added, deleted, or edited), the system updates all the affected CLI/GUI sessions.

NOTE: When the SSD rule applied upon the session login is changed from within that session, the user must log out and back in to see the change.

NOTE: When a file transfer is initiated by an XML or SNMP command, the underlying protocol used is TFTP. Therefore, the SSD rule for the insecure channel applies.
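The rule constraints described above (which read permissions a channel type accepts, which default read modes a read permission allows, the requirement for at least one Plaintext Only or Both rule, and user-type preference when several rules match) modelled as an added Python example; this is not code from the Cisco guide, and the SSDRule class, function names and the sample rule set in the assertions are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed model of the guide's SSD rule constraints (example code, not Cisco's).
# Read permissions each management channel type accepts (guide's first table).
CHANNEL_PERMISSIONS = {
    "Secure": {"Both", "Encrypted Only"},
    "Insecure": {"Both", "Encrypted Only"},
    "Secure XML SNMP": {"Exclude", "Plaintext Only"},
    "Insecure XML SNMP": {"Exclude", "Plaintext Only"},
}
# Default read modes each read permission allows (guide's second table).
PERMISSION_MODES = {
    "Exclude": {"Exclude"},
    "Encrypted Only": {"Encrypted"},
    "Plaintext Only": {"Plaintext"},
    "Both": {"Plaintext", "Encrypted"},
}
# User types from most to least preferred when several rules match a session.
USER_TYPE_RANK = {"Specific": 0, "Default User": 1, "Level 15": 2, "All": 3}
@dataclass(frozen=True)
class SSDRule:
    user_type: str
    channel: str
    read_permission: str
    default_read_mode: str
    user_name: Optional[str] = None  # required only when user_type is "Specific"

def validate_rule(rule: SSDRule) -> Optional[str]:
    """Return None if the rule is consistent with the guide's constraints, else the reason."""
    if rule.user_type == "Specific" and not rule.user_name:
        return "Specific rule requires a user name"
    if rule.read_permission not in CHANNEL_PERMISSIONS.get(rule.channel, set()):
        return f"{rule.read_permission} is not allowed on the {rule.channel} channel"
    if rule.default_read_mode not in PERMISSION_MODES[rule.read_permission]:
        return f"default read mode {rule.default_read_mode} violates {rule.read_permission}"
    return None

def validate_rule_set(rules) -> Optional[str]:
    """At least one rule must grant Plaintext Only or Both, or no one can reach the SSD pages."""
    ok = any(r.read_permission in ("Plaintext Only", "Both") for r in rules)
    return None if ok else "no rule grants Plaintext Only or Both"

def rule_matches(rule: SSDRule, user: str, level: int, channel: str) -> bool:
    # A rule applies to a session on its channel whose user fits the rule's user type.
    return rule.channel == channel and {"Specific": rule.user_name == user,
        "Default User": user == "cisco", "Level 15": level == 15, "All": True}[rule.user_type]

def select_rule(rules, user: str, level: int, channel: str) -> Optional[SSDRule]:
    # Of the matching rules, the one with the most-preferred user type is applied.
    matches = [r for r in rules if rule_matches(r, user, level, channel)]
    return min(matches, key=lambda r: USER_TYPE_RANK[r.user_type], default=None)
```

Running validate_rule over a proposed rule before committing it reproduces the rejections the guide describes (for example Exclude on a regular Secure channel, or a Both permission with default read mode Exclude), and select_rule shows why a Specific rule for one user takes precedence over a Level 15 or All rule on the same channel.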
SSD Rules and User Authentication

SSD grants SSD permission only to authenticated and authorized users and according to the SSD rules. A device depends on its user authentication process to authenticate and authorize management access. To protect a device and its data, including sensitive data and SSD configurations, from unauthorized access, it