Cisco Sg2008 Manual
Security Management Access Profile Rules Cisco Small Business SG200 Series 8-port Smart Switch 151 10

To limit access to the web-based switch configuration utility to specified users only, for example, you can create a rule in which HTTP access is denied to all users, and then create another rule in which specific users are permitted. The rule that permits the specific users must have a higher Rule Priority than the rule that denies all users.

CAUTION: If a profile is activated that denies access to an intranet or domain where a current web management session is active, the session remains active until logout or timeout. Future sessions are blocked by the profile. Active sessions using Internet Explorer 8 are terminated immediately unless the switch management IP address is added to the Local Intranet Sites list in Internet Explorer. See Starting the Web-Based Switch Configuration Utility for instructions.

• Action—Select the action to be performed when the rule's criteria are matched.
  - Permit—The specified interface, user, or IP address is permitted access to the switch that would otherwise be explicitly forbidden by a deny rule.
  - Deny—The specified interface, user, or IP address is denied access to the switch.
• Applies to Interface—Select All to apply this rule to all interfaces (ports and LAGs). Or, select User Defined and select the port or LAG that the rule applies to.
• Applies to User—Select All to apply this rule to all system users. Or, select User Defined and select a User Name that the rule applies to.
• Applies to Source IP Address—Select All to apply the rule to any source IP address. Or, select User Defined and specify a source IPv4 address and mask that this rule applies to.

STEP 6 Click Apply and then click Close. Your changes are saved to the Running Configuration. The new rule appears in the Profile Rule Table. You can select the rule and click Edit to modify it, or click Delete to remove it from the access profile.

NOTE: User cisco will not be denied management access.
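As an added illustration (not code from the manual or from Cisco), the following Python model evaluates one access profile's rules in priority order, honours the NOTE that user cisco is never denied, and adds a configuration check for Permit rules that a higher-priority Deny rule makes unreachable; the numeric priority ordering, the implicit-deny default, the user names and the sample subnet are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added illustration (not Cisco's code) of how an access profile's rules decide
# whether a management request from a given user and source IP is permitted.

@dataclass
class Rule:
    priority: int                  # ASSUMPTION: larger number = higher priority
    action: str                    # "Permit" or "Deny"
    interface: Optional[str] = None               # None means "All" interfaces
    user: Optional[str] = None                    # None means "All" users
    source: Optional[ipaddress.IPv4Network] = None  # None means "All" source IPs

    def matches(self, interface: str, user: str, src_ip: str) -> bool:
        return ((self.interface is None or self.interface == interface)
                and (self.user is None or self.user == user)
                and (self.source is None or ipaddress.IPv4Address(src_ip) in self.source))

def evaluate(rules: List[Rule], interface: str, user: str, src_ip: str) -> Tuple[str, str]:
    """Return (decision, reason). The highest-priority matching rule wins, and
    the built-in user 'cisco' is never denied (the manual's NOTE).
    ASSUMPTION: a request that matches no rule is denied."""
    if user == "cisco":
        return "Permit", "built-in user cisco is never denied"
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule.matches(interface, user, src_ip):
            return rule.action, f"rule with priority {rule.priority}"
    return "Deny", "no matching rule (assumed implicit deny)"

def _covers(deny: Rule, permit: Rule) -> bool:
    """True if every request the Permit rule matches is also matched by the Deny rule."""
    return ((deny.interface is None or deny.interface == permit.interface)
            and (deny.user is None or deny.user == permit.user)
            and (deny.source is None
                 or (permit.source is not None and permit.source.subnet_of(deny.source))))

def shadowed_permits(rules: List[Rule]) -> List[Rule]:
    """Config check: Permit rules that can never take effect because a Deny rule
    covering everything they match sits at a higher priority."""
    return [p for p in rules if p.action == "Permit" and any(
        d.action == "Deny" and d.priority > p.priority and _covers(d, p) for d in rules)]

# Constructed sample profile: deny everyone, then permit 'admin' from the
# management subnet at a higher priority (the pattern the manual describes).
SAMPLE_RULES = [
    Rule(priority=1, action="Deny"),
    Rule(priority=10, action="Permit", user="admin",
         source=ipaddress.IPv4Network("10.0.0.0/24")),
]
```

Running `shadowed_permits` over a profile before enabling it catches the mistake of giving the Permit rule a lower priority than the Deny-all rule, which would lock out every user except cisco.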
Modifying and Deleting Access Profiles and Rules

Before you can delete an access profile or modify its rules, you must disable the profile.

To disable an access profile:
STEP 1 Select the profile in the Access Profile Table and click Edit.
STEP 2 Uncheck the Enable box.
STEP 3 Click Apply, and then click Close.
When you finish making changes, re-enable the access profile.

To delete an access profile (after disabling it):
STEP 1 Select the profile in the Access Profile Table.
STEP 2 Click Delete.

To delete a profile rule (after disabling the access profile):
STEP 1 Select the rule in the Profile Rule Table.
STEP 2 Click Delete.

To modify a profile rule (after disabling the access profile):
STEP 1 Select the rule in the Profile Rule Table and click Edit.
STEP 2 Enter the new settings.
STEP 3 Click Apply, and then click Close.

To enable an access profile (after completing all changes):
STEP 1 Select the profile in the Access Profile Table and click Edit.
STEP 2 Check the Enable box.
STEP 3 Click Apply, and then click Close.

Authentication Methods

You can use the Authentication Methods page to specify how users are allowed access to switch ports.

To select the authentication method:
STEP 1 Click Security > Authentication Methods in the navigation window.
STEP 2 Select an authentication method from the list:
• Local—A user ID and password combination from the supplicant is compared with a locally stored user database on the switch.
• None—No authentication method is used.
• RADIUS—Authentication requests are passed to a RADIUS server that replies with RADIUS Access-Accept or Access-Reject frames. If the switch cannot reach the server, the request is denied.
• RADIUS, None—Authentication requests are passed to a RADIUS server that replies with RADIUS Access-Accept or Access-Reject frames. If the switch cannot reach the server, then no authentication method is used and the request is accepted.
• RADIUS, Local—Authentication requests are passed to a RADIUS server. If the switch cannot reach the server, the local user database is used to accept or reject the request.

NOTE: When the (RADIUS, None) or the (RADIUS, Local) option is selected, None or Local is used only if the RADIUS server specified is incorrect or is not specified; if it is correct but the credentials are incorrect, the authentication fails and does not fall back to the None or the Local option.

STEP 3 Click Apply. Your changes are saved to the Running Configuration.
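An added example, not Cisco's code, modelling the fallback behaviour the NOTE describes for the Authentication Methods page (the 802.1X Properties page later in this chapter carries the same note): fallback to None or Local happens only when the RADIUS server cannot be reached, never on an Access-Reject. The local user database and the RADIUS outcomes are constructed stand-ins.

```python
from enum import Enum
from typing import Optional, Tuple

# Added illustration (not Cisco's code) of the fallback semantics described for
# the Authentication Methods page: None or Local is consulted only when the
# RADIUS server cannot be reached, never when it answers Access-Reject.

class RadiusResult(Enum):
    ACCEPT = "Access-Accept"
    REJECT = "Access-Reject"
    UNREACHABLE = "no reply / server not configured"

# Constructed local user database standing in for the switch's user accounts.
LOCAL_USERS = {"admin": "s3cret"}

def local_check(user: str, password: str) -> bool:
    return LOCAL_USERS.get(user) == password

def authenticate(method: str, user: str, password: str,
                 radius: Optional[RadiusResult]) -> Tuple[bool, str]:
    """method is one of the page's options: 'Local', 'None', 'RADIUS',
    'RADIUS, None' or 'RADIUS, Local'. radius is a constructed stand-in for
    what the RADIUS server did. Returns (accepted, decided_by)."""
    chain = [m.strip() for m in method.split(",")]
    for i, m in enumerate(chain):
        if m == "None":
            return True, "None"          # no authentication: anyone is accepted
        if m == "Local":
            return local_check(user, password), "Local"
        if m == "RADIUS":
            if radius is RadiusResult.UNREACHABLE:
                if i + 1 < len(chain):
                    continue             # fall back only because the server is unreachable
                return False, "RADIUS unreachable"
            # The server answered: its verdict is final, so Access-Reject
            # does NOT fall through to None or Local.
            return radius is RadiusResult.ACCEPT, "RADIUS"
        raise ValueError(f"unknown authentication method {m!r}")
    return False, "no method"
```

With RADIUS, None an unreachable or mistyped server address results in every request being accepted, so a RADIUS outage silently opens the ports; RADIUS, Local keeps the local password check in that case.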
Storm Control

A traffic storm is the result of an excessive number of broadcast, multicast, or unknown unicast messages simultaneously transmitted across a network by a port. Forwarded message responses might create a loop, overload network resources, and cause the network to time out. The switch measures the incoming broadcast, multicast, or unknown unicast packet rate per port and discards packets when a rate exceeds a defined value.

Storm control can be enabled or disabled on each interface. Storm control is disabled by default on all ports for all packet types. Use the Storm Control page to enable and configure storm control on the switch ports.

To display and configure storm control settings for a port:
STEP 1 Click Security > Storm Control in the navigation window.
STEP 2 Select the port to configure and click Edit.
STEP 3 For broadcast, multicast, and unicast traffic, specify the following storm control parameters for the selected port:
• Mode—Select Enable to turn on storm control protection for the traffic type.
• Rate Threshold Type—Select the measurement the switch uses to determine whether traffic exceeds the threshold:
  - Percent—Traffic is dropped when it exceeds a percentage of the total capability of the link.
  - pps (packets per second)—Traffic is dropped when it exceeds the set number of packets per second on the link for this type of traffic.
• Rate Threshold—Specify the maximum rate at which this type of packet is forwarded. If the Rate Threshold Type is Percent, enter a percentage of the total port capability (0–100 percent). If the Rate Threshold Type is pps, enter a packets-per-second rate (0–14880000). Ports that operate at 10 Mbps, 100 Mbps, or 1000 Mbps have a maximum throughput of 14880 pps, 148800 pps, or 1488000 pps respectively.

NOTE: The actual rate of ingress traffic required to activate Storm Control is based on the actual size of incoming packets and the hard-coded average packet size (512 bytes) parameter. A packets-per-second rate is calculated because the switch requires a pps value to decide whether to apply storm control, rather than an absolute data rate measured in kilobits per second (kbps). For example, if the configured limit for broadcast packets is 10 percent, this value is converted to approximately 20000 pps for a 100 Mbps port.

STEP 4 Click Apply and then click Close. Your changes are saved to the Running Configuration.

Port Security

You can enable port security on a per-port basis. When a port is secured (locked), the switch forwards only those packets with a source MAC address that is secured at the port. All other packets are discarded, including any packet whose source MAC address is secured at another port. A secure MAC address can be statically configured or dynamically learned. The maximum number of secure MAC addresses at a secured port is 256. Static secure MAC addresses are configured using the Static Addresses page. Both static and dynamic secure MAC addresses are subject to aging limits (see Configuring the Aging Time for Dynamic Addresses).

To display the Port Security page, click Security > Port Security in the navigation window. The Port Security Table shows the current security configuration for each port. You can select LAG from the Interface Type list to display data for LAGs only. By default, port security is disabled globally and on each interface.

Enabling Port Security

To configure port security:
STEP 1 On the Port Security page, select Enable for the global Admin Mode and click Apply.
STEP 2 Select the port or LAG to configure and click Edit.
STEP 3 Configure the following settings:
• Interface Status—Select Lock to enable port security on the interface. When an interface transitions from unlocked to locked, all addresses that had been dynamically learned by the switch on that port are removed from its MAC address list.
• Max No. of Static MAC Addresses—Specify the maximum number of static secure MAC addresses at the port/LAG. Static secure MAC addresses are configured on the Static Addresses page. The total number of secure addresses cannot exceed 256.
• Max No. of Dynamic MAC Addresses—Specify the maximum number of dynamic secure MAC addresses that can be learned from the port/LAG. The total number of secure addresses cannot exceed 256.
  When port security is enabled on a port and the static or dynamic limits are set to new values, the following rules apply:
  - If the new value is greater than the old value, no action is taken for either the dynamic or static addresses.
  - If the new value is less than the old value, the following actions are taken:
    Dynamic Addresses—The switch initiates a flush of all learned addresses on the port.
    Static Addresses—The switch retains the static addresses (up to the static limit) regardless of whether the addresses are configured as secure, permanent, or delete on timeout. It then deletes the remaining static addresses from the MAC address table.
• Action on Violation—Select how the switch handles incoming packets that are not allowed on the locked port:
  - Discard—Packets are dropped.
  - Forward—Packets are forwarded, but the source MAC addresses are not added to the forwarding database.
  - Shutdown—Packets are discarded and the port is shut down.
• Trap Frequency—Specify the number of seconds between traps when a locked port receives incoming packets that are not allowed on the port. This field displays only when the Action on Violation field is set to Discard with Trap.
• Convert dynamic addresses to static—Select Enable to convert all dynamic secure MAC addresses to static secure MAC addresses.
• Reset Port—Select to reset the port if it has been shut down by the Port Security feature.
STEP 4 Click Apply and then click Close. Your changes are saved to the Running Configuration.

Viewing and Configuring Secure MAC Addresses

To view the current list of secure MAC addresses, associated ports, and VLANs, click Secure Address Table on the Port Security page. For each interface, the Secure Address Table lists each secured statically configured MAC address, regardless of the locked or unlocked status of the port. The table also lists dynamically learned MAC addresses for locked ports. Dynamic entries for a port are cleared when the port is changed from locked to unlocked or when the link goes down.

You can click Static Address Table to display the page for configuring static addresses. See Configuring Static MAC Addresses. Be sure to set the Status field for the entry to Secure. You can click Port Security Table to redisplay the Port Security page.

802.1X

Local Area Networks (LANs) are often deployed in environments that permit unauthorized devices to be physically attached to the LAN infrastructure, or permit unauthorized users to attempt to access the LAN through equipment already attached. In such environments, it might be desirable to restrict access to the services offered by the LAN to those users and devices that are permitted to use those services. Port-based access control provides a method for networks to control whether hosts can access services provided by a connected port. You can configure the switch to use port-based network access control based on the IEEE 802.1x protocol.

The 802.1x protocol defines three types of entities:
• Supplicant: An entity that requests access to a port at the remote end of the link. The supplicant provides credentials to the network that another node on the network—the authenticator—uses to request authentication from a server.
• Authenticator: An entity that facilitates the authentication of the supplicant on the remote end of a link. An authenticator grants port access to a supplicant if the authentication succeeds.
• Authentication Server: A server, such as a RADIUS server, that performs the authentication on behalf of the authenticator, and indicates whether the supplicant is authorized to access services provided via the authenticating port.

In the authentication process, 802.1X supports Extensible Authentication Protocol (EAP) over LANs (EAPOL) message exchanges between supplicants and authenticators. A switch port can be configured either as an authenticator or a supplicant, but not both.

See the following topics for more information on the configuration pages available in the Security > 802.1X menu:
• Defining 802.1X Properties
• Modifying Port PAE Capabilities
• Configuring Port Authentication
• Configuring Supplicant Port Authentication
• Displaying Authenticated Hosts

Defining 802.1X Properties

Use the 802.1X Properties page to configure the global 802.1X administrative mode on the switch.

To enable 802.1X security globally:
STEP 1 Click Security > 802.1X > Properties in the navigation window.
STEP 2 Select Enable for the Port Based Authentication State to allow 802.1X port-based authentication globally on the switch.
STEP 3 Select an authentication method from the Authentication Method list:
• None—No authentication method is used.
• Local—The switch performs local authentication of a remote supplicant based on EAP-MD5. The supplicant identification must be one of the management users configured on the switch (see Managing User Accounts).
• RADIUS—The switch depends on one or more external RADIUS servers to perform the authentication. You must configure the supplicant identity and authentication directly on the servers. (See RADIUS for information.)
• RADIUS, None—The switch depends on one or more external RADIUS servers to perform the authentication (see the description of RADIUS above). If the switch cannot reach any servers, then no authentication is used.
• RADIUS, Local—The switch depends on one or more external RADIUS servers to perform the authentication (see the description of RADIUS above). If the switch cannot reach any servers, it performs the authentication locally (see the previous description of Local).

NOTE: When the (RADIUS, None) or the (RADIUS, Local) option is selected, None or Local is used only if the RADIUS server specified is incorrect or is not specified; if it is correct but the credentials are incorrect, the authentication fails and does not fall back to the None or the Local option.

STEP 4 Click Apply. Your changes are saved to the Running Configuration.

NOTE: See Modifying Port PAE Capabilities for instructions on selecting the role for individual ports, and Configuring Port Authentication for instructions on configuring authentication on individual ports.

Modifying Port PAE Capabilities

Use the Port PAE Capabilities page to view and configure each port's 802.1X role as authenticator or supplicant.

To modify the role of a port as an authenticator or supplicant:
STEP 1 Click Security > 802.1X > Port PAE Capabilities in the navigation window.
STEP 2 Select the port to configure and click Edit.
STEP 3 Select the role for the port:
• Authenticator—Select this option if the port must authenticate the remote supplicant before granting access to a local port.
• Supplicant—Select this option if the port must be connected to an authenticator and ask permission from the remote authenticator before accessing a remote port. When a port is acting as a Supplicant, the user name and password defined in the User Accounts list of the switch must be entered in the RADIUS server for the authentication to succeed.
STEP 4 Click Apply and then click Close. Your changes are saved to the Running Configuration.

Configuring Port Authentication

Use the Port Authentication page to configure port access control on ports that serve as authenticators. By default, all ports are set to Authenticator. To enable a port as an authenticator, see Modifying Port PAE Capabilities.

To edit a port's authenticator settings:
STEP 1 Click Security > 802.1X > Port Authentication in the navigation window. The Port Authentication Table displays the current configuration of each port.
STEP 2 Select the port to configure and click Edit.
STEP 3 Enter the parameters:
• Local Database User Name—Use the left and right arrows to move the configured management users to the Available or Selected lists. Only users in the Selected list have access to the port, subject to authentication. This list is applicable only when the authentication is local, and not when a RADIUS server is used for authentication.
• Current Port Control—The current authorization status of the port (Authorized or Unauthorized).
• Administrative Port Control—Select the port authorization mode. The possible values are:
  - Force Unauthorized—Select this option to always deny port access by supplicants attaching to the port. If selected, the port control status becomes Unauthorized.