
Configuring Network Security

This chapter describes how to configure network security features on the Catalyst 5000 series switches.


Note For complete syntax and usage information for the commands used in this chapter, refer to the Catalyst 5000 Series Command Reference publication.

This chapter consists of these sections:

Using Secure Port Filtering
Using IP Permit List
Using TACACS+ Authentication

Using Secure Port Filtering

These sections describe how to use secure port filtering on the Catalyst 5000 series switches:

Understanding How Secure Port Filtering Works
Secure Port Filtering Configuration Guidelines
Configuring Secure Port Filtering

Understanding How Secure Port Filtering Works

You can use secure port filtering to block input to an Ethernet or Fast Ethernet port when the Media Access Control (MAC) address of the station attempting to access the port is different from the MAC address specified for that port.

When a secure port receives a packet, the source MAC address of the packet is compared to the secure source address configured for the port. If the MAC address of the device attached to the port differs from the secure address, the port is disabled, the Link LED for that port turns orange, and a link-down trap is sent to the Simple Network Management Protocol (SNMP) manager.

You can specify the secure MAC address for the port manually or you can have the port dynamically learn the MAC address of the connected device. Once the address is specified or learned, it is stored in nonvolatile RAM (NVRAM) and maintained even after a reset. Because the check is on the source MAC address alone, which any attached host can set arbitrarily, secure port filtering ties a port to a known address but does not authenticate the device; treat it as a hygiene control against accidental or casual reconnection, not as a substitute for authentication.

Secure Port Filtering Configuration Guidelines

These guidelines apply when configuring secure port filtering on the Catalyst 5000 series switches:

Port security cannot coexist with trunking on a port. Enabling port security on a trunk port disables trunking on that port (the switch reports "Trunking disabled for Port mod_num/port_num due to Security Mode").

Configuring Secure Port Filtering

To enable secure port filtering, perform this task in privileged mode:
Task Command

Step 1 Enable port security on the desired ports. If desired, specify the secure MAC address.

set port security mod_num/port_num enable [mac_addr]

Step 2 Verify the configuration.

show port [mod_num[/port_num]]

This example shows how to enable secure port filtering on a port using the learned MAC address and verify the configuration:

Console> (enable) set port security 2/1 enable
Port 2/1 port security enabled with the learned mac address.
Trunking disabled for Port 2/1 due to Security Mode
Console> (enable) show port 2/1
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
 2/1                     connected  522        normal   half   100 100BaseTX
 
Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
 2/1  enabled  00-90-2b-03-34-08 00-90-2b-03-34-08 No       disabled 1081

Port     Broadcast-Limit Broadcast-Drop
-------- --------------- --------------
 2/1     -               0

Port  Align-Err  FCS-Err    Xmit-Err   Rcv-Err    UnderSize
----- ---------- ---------- ---------- ---------- ---------
 2/1           0          0          0          0         0

Port  Single-Col Multi-Coll Late-Coll  Excess-Col Carri-Sen Runts     Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
 2/1           0          0          0          0         0         0         0

Last-Time-Cleared
--------------------------
Fri Jul 10 1998, 17:53:38
Console> (enable)

This example shows how to enable secure port filtering on a port and manually specify the secure MAC address:

Console> (enable) set port security 2/1 enable 00-90-2b-03-34-08
Port 2/1 port security enabled with 00-90-2b-03-34-08 as the secure mac address
Trunking disabled for Port 2/1 due to Security Mode
Console> (enable)
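Verifying port security across a whole switch means reading the port-security block of show port for every port, and that block has blank cells (a port with no learned address, or with security disabled) that defeat whitespace splitting. The following parser and audit is an added example, not code from the chapter or from Cisco: it takes column boundaries from the dashed separator line and then flags ports whose security is disabled, ports shut down by a violation, ports whose last seen source address differs from the secure address, and ports whose link trap is disabled. The sample table is constructed in the layout shown above; only the 2/1 row comes from the chapter, the other rows are invented, and the reading of the Trap column as the SNMP link trap that carries the link-down notification is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the port-security block of `show port`
# on CatOS 4.x. Port 2/1 is the row from the chapter; 2/2 to 2/4 are invented.
SHOW_PORT_SECURITY = """\
Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
 2/1  enabled  00-90-2b-03-34-08 00-90-2b-03-34-08 No       disabled 1081
 2/2  enabled  00-90-2b-03-34-09 00-10-7b-aa-bb-cc Yes      enabled  1082
 2/3  disabled                   00-e0-1e-12-34-56 No       enabled  1083
 2/4  enabled  00-90-2b-03-34-0a                   No       disabled 1084
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}$")


@dataclass
class PortSecurity:
    port: str
    security: str
    secure_src: str
    last_src: str
    shutdown: str
    trap: str
    ifindex: str


def parse_port_security(text: str) -> list:
    """Parse the port-security block of `show port`. Column boundaries are taken
    from the dashed separator line, because fields may be blank and whitespace
    splitting would then shift the remaining fields one column to the left."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Port") and "Security" in line:
            break
    else:
        raise ValueError("port-security table not found")
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[i + 1])]
    rows = []
    for line in lines[i + 2:]:
        if not line.strip():
            break  # a blank line ends the block
        fields = [
            line[a:(b if j < len(spans) - 1 else None)].strip()  # last column runs to end of line
            for j, (a, b) in enumerate(spans)
        ]
        rows.append(PortSecurity(*fields))
    return rows


def audit(rows: list) -> list:
    """Return (port, finding) pairs a reviewer would raise from the parsed table.
    Assumption: the Trap column is the port's SNMP link trap, so 'disabled' means
    the link-down trap sent when a secure port is shut down never reaches the
    SNMP manager."""
    findings = []
    for r in rows:
        if r.security != "enabled":
            findings.append((r.port, "security-disabled"))
            continue
        if r.secure_src and not MAC_RE.match(r.secure_src):
            findings.append((r.port, "bad-secure-addr"))
        if r.shutdown == "Yes":
            findings.append((r.port, "shutdown"))
        if r.last_src and r.last_src != r.secure_src:
            findings.append((r.port, "src-mismatch"))
        if r.trap != "enabled":
            findings.append((r.port, "trap-disabled"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(parse_port_security(SHOW_PORT_SECURITY)):
        print(f"{port:5} {finding}")
```

Run it against the captured output of show port for each module; a src-mismatch on a port that is not shut down is worth a look even though the switch has not acted on it, since it means a frame from an unexpected station was seen on that port.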

To disable secure port filtering, perform this task in privileged mode:
Task Command

Step 1 Disable port security on the desired ports.

set port security mod_num/port_num disable

Step 2 Verify the configuration.

show port [mod_num[/port_num]]

This example shows how to disable secure port filtering on a port:

Console> (enable) set port security 2/1 disable
Port 2/1 port security disabled.
Console> (enable)

Using IP Permit List

These sections describe how to use IP permit lists on the Catalyst 5000 series switches:

Understanding IP Permit List
IP Permit List Default Configuration
Configuring IP Permit List

Understanding IP Permit List

The IP permit list restricts inbound Telnet and SNMP access to the switch to authorized source IP addresses. All other Transmission Control Protocol/Internet Protocol (TCP/IP) services (such as IP traceroute and IP ping) continue to work normally when you enable the IP permit list. Outbound Telnet, Trivial File Transfer Protocol (TFTP), and other IP-based services are unaffected by the IP permit list.

Telnet attempts from unauthorized source IP addresses are refused. SNMP requests from unauthorized IP addresses receive no response; the request times out. If you want to log unauthorized access attempts to the console or a syslog server, you must change the logging severity level for IP, as described in the "Enabling IP Permit List" section. If you want to generate SNMP traps when unauthorized access attempts are made, you must enable IP permit list (ippermit) SNMP traps, as described in the "Enabling IP Permit List" section. Multiple access attempts from the same unauthorized host only trigger notifications every ten minutes. The permit list filters on the source address only; it does not replace strong Telnet passwords and non-default SNMP community strings, and the source address of a UDP SNMP request is easily spoofed.

You can configure up to ten entries in the permit list. Each entry consists of an IP address and subnet mask pair in dotted decimal format. The bits set to one in the mask are checked for a match against the source IP address of incoming packets, while the bits set to zero are not checked. This process allows wildcard address specification.

If you do not specify the mask for an IP permit list entry, or if you enter a host name instead of an IP address, the mask has an implicit value of all bits set to one (255.255.255.255 or 0xffffffff), which matches only the IP address of that host.

You can specify the same IP address in more than one entry in the permit list if the masks are different. The mask is applied to the address before the entry is stored in NVRAM, so two entries that would match the same set of sources (for example, 172.16.0.0 and 172.16.9.9, both with mask 255.255.0.0) are stored only once. When you add such an address to the IP permit list, the system displays the address as stored, that is, after the mask is applied.

IP Permit List Default Configuration

Table 17-1 shows the default IP permit list configuration.


Table 17-1: IP Permit List Default Configuration

Feature                           Default Value
--------------------------------  ---------------
IP permit list enable state       Disabled
Permit list entries               None configured
IP syslog message severity level  2
SNMP IP permit trap (ippermit)    Disabled

Configuring IP Permit List

These sections describe how to configure the IP permit list on the Catalyst 5000 series switches:

Adding IP Addresses to the IP Permit List
Enabling IP Permit List
Clearing an IP Permit List Entry
Disabling IP Permit List

Adding IP Addresses to the IP Permit List

To add IP addresses to the IP permit list, perform this task in privileged mode:
Task Command

Step 1 Specify the IP addresses to add to the IP permit list.

set ip permit ip_address [mask]

Step 2 Verify the IP permit list configuration.

show ip permit

This example shows how to add IP addresses to the IP permit list and verify the configuration:

Console> (enable) set ip permit 172.16.0.0 255.255.0.0
172.16.0.0 with mask 255.255.0.0 added to IP permit list.
Console> (enable) set ip permit 172.20.52.32 255.255.255.224
172.20.52.32 with mask 255.255.255.224 added to IP permit list.
Console> (enable) set ip permit 172.20.52.3
172.20.52.3 added to IP permit list.
Console> (enable) show ip permit
IP permit list feature disabled.
Permit List        Mask
----------------   ----------------
172.16.0.0         255.255.0.0
172.20.52.3
172.20.52.32       255.255.255.224
 
Denied IP Address   Last Accessed Time    Type
-----------------   ------------------    ------
Console> (enable)

Enabling IP Permit List

Caution Before enabling the IP permit list, make sure you add the IP address of your workstation or network management system to the permit list, especially when configuring through SNMP. Failure to do so could result in your connection being dropped by the switch you are configuring. We recommend you disable the IP permit list before clearing IP permit entries or host addresses.

To enable IP permit list on the switch, perform this task in privileged mode:
Task Command

Step 1 Enable the IP permit list.

set ip permit enable

Step 2 If desired, enable the IP permit trap to generate traps for unauthorized access attempts.

set snmp trap enable ippermit

Step 3 If desired, configure the logging level to see syslog messages for unauthorized access attempts.

set logging level ip 4 default

Step 4 Verify the IP permit list configuration.

show ip permit
show snmp

This example shows how to enable IP permit list and verify the configuration:

Console> (enable) set ip permit enable
IP permit list enabled.
Console> (enable) set snmp trap enable ippermit
SNMP IP Permit traps enabled.
Console> (enable) set logging level ip 4 default
System logging facility <ip> set to severity 4(warnings)
Console> (enable) show ip permit
IP permit list feature enabled.
Permit List        Mask
----------------   ----------------
172.16.0.0         255.255.0.0
172.20.52.3
172.20.52.32       255.255.255.224

Denied IP Address   Last Accessed Time    Type
-----------------   ------------------    ------
171.68.180.16       07/16/98,00:00:38     Telnet
171.69.218.217      07/16/98,00:18:57     SNMP
Console> (enable) show snmp
RMON:                       Disabled
Extended Rmon:              Extended RMON module is not present
Traps Enabled:
ippermit
Port Traps Enabled: None

Community-Access     Community-String
----------------     --------------------
read-only            public
read-write           private
read-write-all       secret

Trap-Rec-Address                           Trap-Rec-Community
----------------------------------------   --------------------
Console> (enable)

Clearing an IP Permit List Entry

Caution We recommend you disable IP permit list before clearing IP permit entries or host addresses.

To clear an entry from the IP permit list, perform this task in privileged mode:
Task Command

Step 1 Specify the IP address to remove from the IP permit list.

clear ip permit {ip_address [mask] | all}

Step 2 Verify the IP permit list configuration.

show ip permit

This example shows how to clear an IP permit list entry:

Console> (enable) clear ip permit 172.16.0.0 255.255.0.0
172.16.0.0 with mask 255.255.0.0 cleared from IP permit list.
Console> (enable) clear ip permit all
IP permit list cleared.
Console> (enable)

Disabling IP Permit List

To disable IP permit list on the switch, perform this task in privileged mode:
Task Command

Step 1 Disable IP permit list on the switch.

set ip permit disable

Step 2 Verify the IP permit list configuration.

show ip permit

This example shows how to disable IP permit list:

Console> (enable) set ip permit disable
IP permit list disabled.
Console> (enable)

Using TACACS+ Authentication

These sections describe how to use TACACS+ authentication on the Catalyst 5000 series switches:

Understanding How TACACS+ Authentication Works
TACACS+ Authentication Default Configuration
TACACS+ Authentication Configuration Guidelines
Configuring TACACS+ Authentication

Understanding How TACACS+ Authentication Works

TACACS+ controls access to network devices by having the device, acting as a Network Access Server (NAS), exchange authentication information with a centralized server database to determine the identity of a user or entity. TACACS+ is an enhanced version of TACACS, a User Datagram Protocol (UDP)-based access-control protocol specified by RFC 1492. TACACS+ uses TCP for reliable delivery and obfuscates the body of every packet exchanged between the TACACS+ client on the network device and the TACACS+ daemon on the server; the packet header is always sent in the clear.

TACACS+ works with many authentication types, including fixed password, one-time password, and challenge-response authentication. On the Catalyst 5000 series switches, TACACS+ authentication occurs in these instances:

When you log in to the switch (login authentication)
When you enter privileged mode with the enable command (enable authentication)

When you log in or request privileged services, the switch builds an authentication packet whose body carries your user name and password. The body is not encrypted with MD5 (MD5 is a hash, not a cipher): it is XORed with a pseudo-random pad produced by chaining MD5 over the session ID, the shared TACACS+ key, the protocol version, and the packet sequence number. The switch prepends a cleartext TACACS+ header that identifies the packet type being sent (for example, an authentication packet), the packet sequence number, the flags (including whether the body is obfuscated), the session ID, and the body length, and then forwards the packet to the TACACS+ server.

A TACACS+ server can provide authentication, authorization, and accounting functions. These services, while all part of TACACS+, are independent of one another, so that a given TACACS+ configuration can use any or all of the three services. On the Catalyst 5000 series switches, only the authentication feature is supported.

When the TACACS+ server receives the packet, it reconstructs the same pad from the shared key and the header fields, recovers the body, checks the credentials against its user database, and returns a reply packet, obfuscated the same way, that indicates PASS or FAIL or asks the switch to prompt the user for more information, such as a password or a one-time-password response.

You can configure a TACACS+ key on the Catalyst 5000 series switch. This key, which must be the same as the one configured on the server daemon, is the secret from which the pad that obfuscates packet bodies is derived. If you do not configure a TACACS+ key, packet bodies, including user passwords, cross the network in cleartext, so always configure one. Even with a key, the obfuscation is not strong encryption (RFC 8907, the current TACACS+ specification, says as much), so confine TACACS+ traffic to a protected management network and choose a long, high-entropy key.

If local password authentication is enabled and TACACS+ password authentication fails, the local password authentication is invoked. Disabling TACACS+ authentication automatically reenables local authentication. Note that while local authentication stays enabled alongside TACACS+, the locally stored password remains a valid credential whenever the TACACS+ check fails, so it must be set and guarded as carefully as the accounts on the server; the "Disabling Local Authentication" section describes how to turn it off once TACACS+ is known to work.

You can configure the following TACACS+ parameters on the Catalyst 5000 series switches:

The IP addresses of one or more TACACS+ servers, and which of them is primary
The TACACS+ key shared with the server
The number of login attempts allowed
The timeout for a response from the server
Whether directed requests are allowed
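To make the key and obfuscation rules above concrete, the following added example (written for this page; not Cisco code and not the switch's implementation) builds the authentication START packet a TACACS+ client sends at login, applies the RFC 8907 section 4.5 pad derived from the session ID, key, version and sequence number, and then parses it back as the server would. It shows three things a practitioner should see once: the header is readable without the key, the body decodes only with the same key the client used, and with no key at all the user name sits in cleartext on the wire. The user name, port, remote address and session ID are constructed sample values; the key Secret_Word is the one from the chapter's example.

```python
import hashlib
import struct

# TACACS+ header: version, type, seq_no, flags, session_id, length (12 bytes, big-endian).
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # flags bit: body is sent in cleartext


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Pad per RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and truncated."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, seq_no: int, key: bytes,
              version: int = TAC_PLUS_VERSION) -> bytes:
    """XOR the body with the pad. XOR is its own inverse, so the same call both
    obfuscates and recovers a body. With no key the body goes out as-is."""
    if not key:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str, session_id: int, key: bytes) -> bytes:
    """Authentication START packet (seq_no 1) for an ASCII login, as a client sends it.
    Body: action, priv_lvl, authen_type, service, four length bytes, then the fields."""
    action, priv_lvl, authen_type, service = 0x01, 0x01, 0x01, 0x01  # LOGIN, USER, ASCII, LOGIN
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    body = bytes([action, priv_lvl, authen_type, service, len(u), len(p), len(r), len(d)]) + u + p + r + d
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, flags, session_id, len(body))
    return header + obfuscate(body, session_id, 1, key)


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Server-side view: the header is always readable; the body only decodes with
    the key the client used. A wrong key silently yields garbage, which is why the
    chapter insists the switch and server keys be identical."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, seq_no, key, version)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def start_user(packet: bytes, key: bytes) -> bytes:
    """The user field of an authentication START body (user_len is body[4])."""
    body = parse_packet(packet, key)["body"]
    return body[8:8 + body[4]]


if __name__ == "__main__":
    sid = 0x1234ABCD  # constructed session ID; real clients pick one at random
    keyed = build_authen_start("admin", "tty0", "172.20.52.99", sid, b"Secret_Word")
    plain = build_authen_start("admin", "tty0", "172.20.52.99", sid, b"")
    print("with key:   ", keyed.hex(), "user visible:", b"admin" in keyed)
    print("without key:", plain.hex(), "user visible:", b"admin" in plain)
    print("decoded with right key:", start_user(keyed, b"Secret_Word"))
    print("decoded with wrong key:", start_user(keyed, b"wrong"))
```

Because the pad depends only on the key and on header fields an eavesdropper can read, anyone who obtains the key can decode every captured session, and nothing in the protocol detects a modified body; this is the reason for the management-network and key-strength advice above.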

TACACS+ Authentication Default Configuration

Table 17-2 shows the default TACACS+ authentication configuration.


Table 17-2: TACACS+ Authentication Default Configuration

Feature                        Default Value
-----------------------------  ---------------
Local login authentication     Enabled
Local enable authentication    Enabled
TACACS+ login authentication   Disabled
TACACS+ enable authentication  Disabled
TACACS+ key                    None specified
TACACS+ login attempts         3
TACACS+ server timeout         5 seconds
TACACS+ directed request       Disabled

TACACS+ Authentication Configuration Guidelines

These guidelines apply when configuring TACACS+ authentication on the Catalyst 5000 series switches:

If you configure a TACACS+ key on the switch, configure an identical key on the TACACS+ server.
Make sure TACACS+ authentication is configured and operating correctly before you disable local login or enable authentication; otherwise you might be unable to log in to the switch.

Configuring TACACS+ Authentication

These sections describe how to configure TACACS+ authentication on the Catalyst 5000 series switches:

Enabling TACACS+ Authentication
Disabling Local Authentication
Specifying the TACACS+ Key
Modifying TACACS+ Options
Disabling TACACS+ Authentication

Enabling TACACS+ Authentication

To configure TACACS+ authentication, perform this task in privileged mode:
Task Command

Step 1 Specify the IP address of one or more TACACS+ servers.

set tacacs server ip_addr [primary]

Step 2 Enable TACACS+ authentication for login mode.

set authentication login tacacs enable

Step 3 Enable TACACS+ authentication for enable mode.

set authentication enable tacacs enable

Step 4 Verify the TACACS+ configuration.

show tacacs

This example shows how to enable TACACS+ authentication and verify the configuration:

Console> (enable) set tacacs server 172.20.52.3
172.20.52.3 added to TACACS server table as primary server.
Console> (enable) set authentication login tacacs enable
Tacacs Login authentication set to enable.
Console> (enable) set authentication enable tacacs enable
Tacacs Enable authentication set to enable.
Console> (enable) show tacacs
Login authentication tacacs: enabled
Login authentication local: enabled
Enable authentication tacacs: enabled
Enable authentication local: enabled
Tacacs key: 
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: disabled
 
Tacacs-Server                              Status
----------------------------------------   -------
172.20.52.3                                primary
Console> (enable)

Disabling Local Authentication

Caution Make sure that TACACS+ authentication is configured and operating correctly before disabling local login or enable authentication. If you disable local authentication and TACACS+ is not configured correctly, or if the TACACS+ server is not online, you might be unable to log in to the Catalyst 5000 series switch.

To disable local authentication on the switch, perform this task in privileged mode:
Task Command

Step 1 Disable local login authentication on the switch.

set authentication login local disable

Step 2 Disable local enable authentication on the switch.

set authentication enable local disable

Step 3 Verify the TACACS+ configuration.

show tacacs

This example shows how to disable local authentication and verify the configuration:

Console> (enable) set authentication login local disable
Local Login authentication set to disable.
Console> (enable) set authentication enable local disable
Local Enable authentication set to disable.
Console> (enable) show tacacs
Login authentication tacacs: enabled
Login authentication local: disabled
Enable authentication tacacs: enabled
Enable authentication local: disabled
Tacacs key:
Tacacs login attempts: 3
Tacacs timeout: 5 seconds
Tacacs direct request: disabled
 
Tacacs-Server                              Status
----------------------------------------   -------
172.20.52.3                                primary
Console> (enable)

Specifying the TACACS+ Key


Note If you configure a TACACS+ key on the Catalyst 5000 series switch, make sure you configure an identical key on the TACACS+ server.

To specify the TACACS+ key, perform this task in privileged mode:
Task Command

Step 1 Configure the key used to encrypt packets.

set tacacs key key

Step 2 Verify the TACACS+ configuration.

show tacacs

This example shows how to specify the TACACS+ key and verify the configuration:

Console> (enable) set tacacs key Secret_Word
The tacacs key has been set to Secret_Word.
Console> (enable) show tacacs
Login authentication tacacs: enabled
Login authentication local: disabled
Enable authentication tacacs: enabled
Enable authentication local: disabled
Tacacs key: Secret_Word
Tacacs login attempts: 5
Tacacs timeout: 10 seconds
Tacacs direct request: disabled

Tacacs-Server                              Status
----------------------------------------   -------
172.20.52.3                                primary
Console> (enable)

Modifying TACACS+ Options

To modify TACACS+ authentication options, such as the number of login attempts allowed and the timeout interval for contacting the TACACS+ server, perform this task in privileged mode:
Task Command

Step 1 Configure the number of login attempts allowed to the TACACS+ server.

set tacacs attempts N

Step 2 Set the timeout interval in which the server daemon must respond.

set tacacs timeout N

Step 3 Verify the TACACS+ configuration.

show tacacs

This example shows how to set the number of login attempts and the server timeout interval and how to verify the configuration:

Console> (enable) set tacacs attempts 5
Tacacs number of attempts set to 5.
Console> (enable) set tacacs timeout 10
Tacacs timeout set to 10 seconds.
Console> (enable) show tacacs
Login authentication tacacs: enabled
Login authentication local: disabled
Enable authentication tacacs: enabled
Enable authentication local: disabled
Tacacs key:
Tacacs login attempts: 5
Tacacs timeout: 10 seconds
Tacacs direct request: disabled

Tacacs-Server                              Status
----------------------------------------   -------
172.20.52.3                                primary
Console> (enable)

Disabling TACACS+ Authentication


Note Disabling TACACS+ authentication automatically reenables local authentication.

To disable TACACS+ authentication, perform this task in privileged mode:
Task Command

Step 1 Disable TACACS+ authentication for login mode.

set authentication login tacacs disable

Step 2 Disable TACACS+ authentication for enable mode.

set authentication enable tacacs disable

Step 3 Verify the TACACS+ configuration.

show tacacs

This example shows how to disable TACACS+ authentication:

Console> (enable) set authentication login tacacs disable
Tacacs Login authentication set to disable.
Console> (enable) set authentication enable tacacs disable
Tacacs Enable authentication set to disable.
Console> (enable)


Copyright 1989-1998 © Cisco Systems Inc.