Cisco Sg3008 Manual
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
Access Control

The Access Control List (ACL) feature is part of the security mechanism. ACL definitions serve as one of the mechanisms to define traffic flows that are given a specific Quality of Service (QoS). For more information see Quality of Service.

ACLs enable network managers to define patterns (filters and actions) for ingress traffic. Packets entering the device on a port or LAG with an active ACL are either admitted or denied entry.

This section contains the following topics:

• Access Control Lists
• Defining MAC-based ACLs
• IPv4-based ACLs
• IPv6-Based ACLs
• Defining ACL Binding

Access Control Lists

An Access Control List (ACL) is an ordered list of classification filters and actions. Each single classification rule, together with its action, is called an Access Control Element (ACE). Each ACE is made up of filters that distinguish traffic groups and associated actions. A single ACL may contain one or more ACEs, which are matched against the contents of incoming frames. Either a DENY or PERMIT action is applied to frames whose contents match the filter.

The device supports a maximum of 512 ACLs, and a maximum of 512 ACEs.
When a packet matches an ACE filter, the ACE action is taken and processing of that ACL is stopped. If the packet does not match the ACE filter, the next ACE is processed. If all ACEs of an ACL have been processed without finding a match, and if another ACL exists, it is processed in a similar manner.

NOTE: If no match is found to any ACE in all relevant ACLs, the packet is dropped (as a default action). Because of this default drop action you must explicitly add ACEs into the ACL to permit the desired traffic, including management traffic, such as Telnet, HTTP or SNMP, that is directed to the device itself. For example, if you do not want to discard all the packets that do not match the conditions in an ACL, you must explicitly add a lowest-priority ACE into the ACL that permits all the traffic.

If IGMP/MLD snooping is enabled on a port bound with an ACL, add ACE filters in the ACL to forward IGMP/MLD packets to the device. Otherwise, IGMP/MLD snooping fails at the port.

The order of the ACEs within the ACL is significant, since they are applied in a first-fit manner. The ACEs are processed sequentially, starting with the first ACE.

ACLs can be used for security, for example by permitting or denying certain traffic flows, and also for traffic classification and prioritization in the QoS Advanced mode.

NOTE: A port can be either secured with ACLs or configured with an advanced QoS policy, but not both. There can only be one ACL per port, with the exception that it is possible to associate both an IP-based ACL and an IPv6-based ACL with a single port. To associate more than one ACL with a port, a policy with one or more class maps must be used.
The following types of ACLs can be defined (depending on which part of the frame header is examined):

• MAC ACL—Examines Layer 2 fields only, as described in Defining MAC-based ACLs
• IP ACL—Examines the Layer 3 fields of IPv4 frames, as described in IPv4-based ACLs
• IPv6 ACL—Examines the Layer 3 fields of IPv6 frames, as described in Defining IPv6-Based ACLs

If a frame matches the filter in an ACL, it is defined as a flow with the name of that ACL. In advanced QoS, these frames can be referred to using this flow name, and QoS can be applied to these frames (see QoS Advanced Mode).
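The evaluation order described above (ACEs tried in priority order, first match decides, a further bound ACL tried only when no ACE matched, and an implicit drop when nothing matches anywhere) is easy to get wrong when planning an ACL, especially for management traffic to the switch itself. The following is an added example, not code from the guide or from the switch firmware: a small Python model of that evaluation. The ACL name WEB-ONLY, the port name, the addresses and the packets are all constructed for illustration, and matching is done on CIDR networks rather than the wildcard masks the device uses.

```python
# Added example (not the switch's firmware, not from the guide): a small model of
# the ACL/ACE evaluation order the guide describes. ACE fields, packets and
# the port/ACL names are constructed for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Ace:
    """One Access Control Element: a filter plus an action."""
    priority: int                    # 1 is the highest priority (processed first)
    action: str                      # "permit", "deny" or "shutdown"
    protocol: Optional[str] = None   # "tcp", "udp", "icmp", ...; None = any
    src: Optional[str] = None        # CIDR network; None = any source
    dst: Optional[str] = None        # CIDR network; None = any destination
    dst_port: Optional[int] = None   # TCP/UDP destination port; None = any

    def matches(self, pkt: dict) -> bool:
        if self.protocol is not None and pkt["protocol"] != self.protocol:
            return False
        if self.src is not None and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dst_port is not None and pkt.get("dst_port") != self.dst_port:
            return False
        return True


@dataclass
class Acl:
    name: str
    aces: list = field(default_factory=list)

    def lookup(self, pkt: dict) -> Optional[str]:
        """First-fit: walk the ACEs in priority order and stop at the first match.
        Returns None when no ACE matched, so the next bound ACL can be tried."""
        for ace in sorted(self.aces, key=lambda a: a.priority):
            if ace.matches(pkt):
                return ace.action
        return None


@dataclass
class Port:
    name: str
    acls: list = field(default_factory=list)   # ACLs bound to this port, in order
    shutdown: bool = False


def evaluate(port: Port, pkt: dict) -> str:
    """Return 'permit' or 'deny' for a packet entering the port.

    Each bound ACL is processed in turn and the first matching ACE decides. A
    packet that matches no ACE in any ACL is dropped (the default action), and
    a 'shutdown' match drops the packet and disables the port."""
    if port.shutdown:
        return "deny"
    for acl in port.acls:
        action = acl.lookup(pkt)
        if action == "shutdown":
            port.shutdown = True
            return "deny"
        if action is not None:
            return action
    return "deny"


def demo() -> dict:
    """Constructed scenario showing why management traffic needs its own ACE."""
    port = Port("gi1")
    web_only = Acl("WEB-ONLY", [Ace(1, "permit", "tcp", dst="10.0.0.10/32", dst_port=443)])
    port.acls.append(web_only)

    https = {"protocol": "tcp", "src": "192.168.1.5", "dst": "10.0.0.10", "dst_port": 443}
    ssh_to_switch = {"protocol": "tcp", "src": "192.168.1.5", "dst": "10.0.0.1", "dst_port": 22}

    results = {
        "https": evaluate(port, https),                       # permit: ACE 1 matches
        "ssh_without_permit": evaluate(port, ssh_to_switch),  # deny: nothing matched
    }
    # A lowest-priority permit-all ACE, as the guide suggests, overrides the default drop.
    web_only.aces.append(Ace(100, "permit"))
    results["ssh_with_permit_all"] = evaluate(port, ssh_to_switch)

    # A 'shutdown' ACE disables the port; later packets are dropped regardless.
    web_only.aces.append(Ace(2, "shutdown", "udp", dst_port=69))
    evaluate(port, {"protocol": "udp", "src": "192.168.1.9", "dst": "10.0.0.10", "dst_port": 69})
    results["port_shutdown"] = port.shutdown
    results["https_after_shutdown"] = evaluate(port, https)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows HTTPS to the server permitted, SSH to the switch dropped until the permit-all ACE is added, and every packet dropped once a shutdown ACE has fired on the port. When reviewing a real ACL, walk it the same way: list the ACEs by priority, check the management protocols the guide names (Telnet, HTTP, SNMP) against each one, and confirm that what reaches the end of the list is traffic you intend to drop.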
Creating ACLs Workflow

To create ACLs and associate them with an interface, perform the following:

1. Create one or more of the following types of ACLs:
   a. MAC-based ACL by using the MAC Based ACL page and the MAC Based ACE page
   b. IP-based ACL by using the IPv4 Based ACL page and the IPv4 Based ACE page
   c. IPv6-based ACL by using the IPv6 Based ACL page and the IPv6 Based ACE page
2. Associate the ACL with interfaces by using the ACL Binding page.

Modifying ACLs Workflow

An ACL can only be modified if it is not in use. The following describes the process of unbinding an ACL in order to modify it:

1. If the ACL does not belong to a QoS Advanced Mode class map, but it has been associated with an interface, unbind it from the interface using the ACL Binding page.
2. If the ACL is part of a class map and not bound to an interface, then it can be modified.
3. If the ACL is part of a class map contained in a policy bound to an interface, you must perform the chain of unbinding as follows:
   • Unbind the policy containing the class map from the interface by using Policy Binding.
   • Delete the class map containing the ACL from the policy using Configuring a Policy (Edit).
   • Delete the class map containing the ACL by using Defining Class Mapping.

Only then can the ACL be modified, as described in this section.

Defining MAC-based ACLs

MAC-based ACLs are used to filter traffic based on Layer 2 fields. MAC-based ACLs check all frames for a match.
MAC-based ACLs are defined in the MAC Based ACL page. The rules are defined in the MAC Based ACE page.

To define a MAC-based ACL:

STEP 1 Click Access Control > MAC-Based ACL. This page contains a list of all currently-defined MAC-based ACLs.
STEP 2 Click Add.
STEP 3 Enter the name of the new ACL in the ACL Name field. ACL names are case-sensitive.
STEP 4 Click Apply. The MAC-based ACL is saved to the Running Configuration file.

Adding Rules to a MAC-based ACL

NOTE: Each MAC-based rule consumes one TCAM rule. Note that the TCAM allocation is performed in couples, such that, for the first ACE, 2 TCAM rules are allocated and the second TCAM rule is allocated to the next ACE, and so forth.

To add rules (ACEs) to an ACL:

STEP 1 Click Access Control > Mac-Based ACE.
STEP 2 Select an ACL, and click Go. The ACEs in the ACL are listed.
STEP 3 Click Add.
STEP 4 Enter the parameters.

• ACL Name—Displays the name of the ACL to which an ACE is being added.
• Priority—Enter the priority of the ACE. ACEs with higher priority are processed first. One is the highest priority.
• Action—Select the action taken upon a match. The options are:
  - Permit—Forward packets that meet the ACE criteria.
  - Deny—Drop packets that meet the ACE criteria.
  - Shutdown—Drop packets that meet the ACE criteria, and disable the port from where the packets were received. Such ports can be reactivated from the Port Settings page.
• Time Range—Select to enable limiting the use of the ACL to a specific time range.
• Time Range Name—If Time Range is selected, select the time range to be used. Time ranges are defined in the Time Range section.
• Destination MAC Address—Select Any if all destination addresses are acceptable, or User defined to enter a destination address or a range of destination addresses.
• Destination MAC Address Value—Enter the MAC address to which the destination MAC address is to be matched and its mask (if relevant).
• Destination MAC Wildcard Mask—Enter the mask to define a range of MAC addresses. Note that this mask is different than in other uses, such as a subnet mask. Here, setting a bit to 1 indicates don't care and 0 indicates that the bit must match.

NOTE: Given a mask of 0000 0000 0000 0000 0000 0000 1111 1111 (which means that you match on the bits where there is a 0 and don't match on the bits where there are 1s), you need to translate the 1s to a decimal integer and write 0 for each four zeros. In this example, since 1111 1111 = 255, the mask would be written as 0.0.0.255.

• Source MAC Address—Select Any if all source addresses are acceptable, or User defined to enter a source address or range of source addresses.
• Source MAC Address Value—Enter the MAC address to which the source MAC address is to be matched and its mask (if relevant).
• Source MAC Wildcard Mask—Enter the mask to define a range of MAC addresses.
• VLAN ID—Enter the VLAN ID section of the VLAN tag to match.
• 802.1p—Select Include to use 802.1p.
• 802.1p Value—Enter the 802.1p value to be added to the VPT tag.
• 802.1p Mask—Enter the wildcard mask to be applied to the VPT tag.
• Ethertype—Enter the frame Ethertype to be matched.

STEP 5 Click Apply. The MAC-based ACE is saved to the Running Configuration file.
IPv4-based ACLs

IPv4-based ACLs are used to check IPv4 packets, while other types of frames, such as ARPs, are not checked. The following fields can be matched:

• IP protocol (by name for well-known protocols, or directly by value)
• Source/destination ports for TCP/UDP traffic
• Flag values for TCP frames
• ICMP and IGMP type and code
• Source/destination IP addresses (including wildcards)
• DSCP/IP-precedence value

NOTE: ACLs are also used as the building elements of flow definitions for per-flow QoS handling (see QoS Advanced Mode).

The IPv4 Based ACL page enables adding ACLs to the system. The rules are defined in the IPv4 Based ACE page. IPv6 ACLs are defined in the IPv6 Based ACL page.

Defining an IPv4-based ACL

To define an IPv4-based ACL:

STEP 1 Click Access Control > IPv4-Based ACL. This page contains all currently defined IPv4-based ACLs.
STEP 2 Click Add.
STEP 3 Enter the name of the new ACL in the ACL Name field. The names are case-sensitive.
STEP 4 Click Apply. The IPv4-based ACL is saved to the Running Configuration file.
Adding Rules (ACEs) to an IPv4-Based ACL

NOTE: Each IPv4-based rule consumes one TCAM rule. Note that the TCAM allocation is performed in couples, such that, for the first ACE, 2 TCAM rules are allocated and the second TCAM rule is allocated to the next ACE, and so forth.

To add rules (ACEs) to an IPv4-based ACL:

STEP 1 Click Access Control > IPv4-Based ACE.
STEP 2 Select an ACL, and click Go. All currently-defined IP ACEs for the selected ACL are displayed.
STEP 3 Click Add.
STEP 4 Enter the parameters.

• ACL Name—Displays the name of the ACL.
• Priority—Enter the priority. ACEs with higher priority are processed first.
• Action—Select the action assigned to the packet matching the ACE. The options are as follows:
  - Permit—Forward packets that meet the ACE criteria.
  - Deny—Drop packets that meet the ACE criteria.
  - Shutdown—Drop packets that meet the ACE criteria and disable the port to which the packet was addressed. Ports are reactivated from the Port Management page.
• Time Range—Select to enable limiting the use of the ACL to a specific time range.
• Time Range Name—If Time Range is selected, select the time range to be used. Time ranges are defined in the Time Range section.
• Protocol—Select to create an ACE based on a specific protocol or protocol ID. Select Any (IPv4) to accept all IP protocols. Otherwise select one of the following protocols from the drop-down list:
  - ICMP—Internet Control Message Protocol
  - IGMP—Internet Group Management Protocol
  - IP in IP—IP in IP encapsulation
  - TCP—Transmission Control Protocol
  - EGP—Exterior Gateway Protocol
  - IGP—Interior Gateway Protocol
  - UDP—User Datagram Protocol
  - HMP—Host Mapping Protocol
  - RDP—Reliable Datagram Protocol
  - IDPR—Inter-Domain Policy Routing Protocol
  - IPV6—IPv6 over IPv4 tunneling
  - IPV6:ROUT—Matches packets belonging to the IPv6 over IPv4 route through a gateway
  - IPV6:FRAG—Matches packets belonging to the IPv6 over IPv4 Fragment Header
  - IDRP—Inter-Domain Routing Protocol
  - RSVP—ReSerVation Protocol
  - AH—Authentication Header
  - IPV6:ICMP—Internet Control Message Protocol
  - EIGRP—Enhanced Interior Gateway Routing Protocol
  - OSPF—Open Shortest Path First
  - IPIP—IP in IP
  - PIM—Protocol Independent Multicast
  - L2TP—Layer 2 Tunneling Protocol
  - ISIS—IGP-specific protocol
• Protocol ID to Match—Instead of selecting the name, enter the protocol ID.
• Source IP Address—Select Any if all source addresses are acceptable, or User defined to enter a source address or range of source addresses.
• Source IP Address Value—Enter the IP address to which the source IP address is to be matched.
• Source IP Wildcard Mask—Enter the mask to define a range of IP addresses. Note that this mask is different than in other uses, such as a subnet mask. Here, setting a bit to 1 indicates don't care and 0 indicates that the bit must match.

NOTE: Given a mask of 0000 0000 0000 0000 0000 0000 1111 1111 (which means that you match on the bits where there is a 0 and don't match on the bits where there are 1s), you need to translate the 1s to a decimal integer and write 0 for each four zeros. In this example, since 1111 1111 = 255, the mask would be written as 0.0.0.255.

• Destination IP Address—Select Any if all destination addresses are acceptable, or User defined to enter a destination address or range of destination addresses.
• Destination IP Address Value—Enter the IP address to which the destination IP address is to be matched.
• Destination IP Wildcard Mask—Enter the mask to define a range of IP addresses.
• Source Port—Select one of the following:
  - Any—Match to all source ports.
  - Single—Enter a single TCP/UDP source port to which packets are matched. This field is active only if 800/6-TCP or 800/17-UDP is selected in the Select from List drop-down menu.
  - Range—Select a range of TCP/UDP source ports to which the packet is matched. There are eight different port ranges that can be configured (shared between source and destination ports). TCP and UDP protocols each have eight port ranges.
• Destination Port—Select one of the available values; they are the same as for the Source Port field described above.

NOTE: You must specify the IP protocol for the ACE before you can enter the source and/or destination port.

• TCP Flags—Select one or more TCP flags with which to filter packets. Filtered packets are either forwarded or dropped. Filtering packets by TCP flags increases packet control, which increases network security.
• Type of Service—The service type of the IP packet.
  - Any—Any service type
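The wildcard-mask convention in the two NOTEs above (for the MAC ACE and for the IPv4 ACE) is the inverse of a subnet mask, and a mask entered the wrong way round silently matches far more, or far less, than intended. The following is an added example, not code from the guide or the switch: Python functions that translate a binary mask to dotted decimal as the NOTE describes, derive a wildcard from a subnet mask, and apply the bit-1-means-don't-care rule to IPv4 and MAC addresses, including a non-contiguous mask that a subnet mask could not express. All addresses and masks in it are constructed.

```python
# Added example (not from the guide or the switch): wildcard-mask matching as
# the guide defines it for MAC and IPv4 ACEs (mask bit 1 = don't care, mask
# bit 0 = must match) and the binary-to-dotted translation from the NOTE.
# All addresses below are constructed.


def binary_to_wildcard(bits: str) -> str:
    """Translate a 32-bit mask written in binary (spaces optional) to dotted
    decimal, e.g. '0000 0000 0000 0000 0000 0000 1111 1111' -> '0.0.0.255'."""
    bits = bits.replace(" ", "")
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("expected 32 binary digits")
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def subnet_to_wildcard(subnet_mask: str) -> str:
    """A wildcard mask is the bitwise inverse of a subnet mask; this is the
    'different than in other uses' the guide warns about."""
    return ".".join(str(255 - int(octet)) for octet in subnet_mask.split("."))


def _ipv4_to_int(addr: str) -> int:
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    return int.from_bytes(bytes(octets), "big")


def _mac_to_int(mac: str) -> int:
    digits = mac.replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac}")
    return int(digits, 16)


def ipv4_matches(packet_addr: str, ace_value: str, wildcard: str) -> bool:
    """True when every bit the wildcard marks 0 is equal in the packet
    address and the ACE value; bits marked 1 are ignored."""
    care = ~_ipv4_to_int(wildcard) & 0xFFFFFFFF
    return (_ipv4_to_int(packet_addr) & care) == (_ipv4_to_int(ace_value) & care)


def mac_matches(packet_mac: str, ace_value: str, wildcard: str) -> bool:
    """The same rule applied to 48-bit MAC addresses."""
    care = ~_mac_to_int(wildcard) & 0xFFFFFFFFFFFF
    return (_mac_to_int(packet_mac) & care) == (_mac_to_int(ace_value) & care)


if __name__ == "__main__":
    print(binary_to_wildcard("0000 0000 0000 0000 0000 0000 1111 1111"))  # 0.0.0.255
    print(subnet_to_wildcard("255.255.255.0"))                            # 0.0.0.255
    print(ipv4_matches("10.1.2.77", "10.1.2.0", "0.0.0.255"))             # True
    # A non-contiguous wildcard: ignore the second octet only.
    print(ipv4_matches("10.99.2.5", "10.0.2.5", "0.255.0.0"))             # True
    print(mac_matches("00:11:22:33:44:55", "00:11:22:00:00:00", "00:00:00:ff:ff:ff"))  # True
```

A quick sanity check before applying an ACE: a wildcard of 0.0.0.0 matches exactly one address, 255.255.255.255 matches every address, and anything in between should be run through a function like ipv4_matches against one address you expect to match and one you expect not to.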