Cisco Sg3008 Manual
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version), Chapter 18: Security, Management Access Method (page 344)

A caution message displays if you selected any other access profile, warning you that, depending on the selected access profile, you might be disconnected from the web-based configuration utility.

STEP 3 Click OK to select the active access profile or click Cancel to discontinue the action.

STEP 4 Click Add to open the Add Access Profile page. The page allows you to configure a new profile and one rule.

STEP 5 Enter the Access Profile Name. This name can contain up to 32 characters.

STEP 6 Enter the parameters.
• Rule Priority—Enter the rule priority. When the packet is matched to a rule, user groups are either granted or denied access to the device. The rule priority is essential to matching packets to rules, because packets are matched on a first-match basis. One is the highest priority.
• Management Method—Select the management method for which the rule is defined. The options are:
- All—Assigns all management methods to the rule.
- Telnet—Users requesting access to the device that meet the Telnet access profile criteria are permitted or denied access.
- Secure Telnet (SSH)—Users requesting access to the device that meet the SSH access profile criteria are permitted or denied access.
- HTTP—Users requesting access to the device that meet the HTTP access profile criteria are permitted or denied access.
- Secure HTTP (HTTPS)—Users requesting access to the device that meet the HTTPS access profile criteria are permitted or denied access.
- SNMP—Users requesting access to the device that meet the SNMP access profile criteria are permitted or denied access.
• Action—Select the action attached to the rule. The options are:
- Permit—Permits access to the device if the user matches the settings in the profile.
- Deny—Denies access to the device if the user matches the settings in the profile.
• Applies to Interface—Select the interface attached to the rule. The options are:
- All—Applies to all ports, VLANs, and LAGs.
- User Defined—Applies to the selected interface.
• Interface—Enter the interface number if User Defined was selected.
• Applies to Source IP Address—Select the type of source IP address to which the access profile applies. The Source IP Address field is valid for a subnetwork. Select one of the following values:
- All—Applies to all types of IP addresses.
- User Defined—Applies only to those types of IP addresses defined in the fields.
• IP Address—Enter the source IP address.
• Mask—Select the format for the subnet mask for the source IP address, and enter a value in one of the fields:
- Network Mask—Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format.
- Prefix Length—Select the Prefix Length and enter the number of bits that comprise the source IP address prefix.

STEP 7 Click Apply. The access profile is written to the Running Configuration file. You can now select this access profile as the active access profile.

Defining Profile Rules

Access profiles can contain up to 128 rules to determine who is permitted to manage and access the device, and the access methods that may be used. Each rule in an access profile contains an action and criteria (one or more parameters) to match. Each rule has a priority; rules with the lowest priority number are checked first. If the incoming packet matches a rule, the action associated with the rule is performed. If no matching rule is found within the active access profile, the packet is dropped.

For example, you can limit access to the device from all IP addresses except the IP addresses that are allocated to the IT management center. In this way, the device can still be managed and has gained another layer of security.

To add profile rules to an access profile:
STEP 1 Click Security > Mgmt Access Method > Profile Rules.

STEP 2 Select the Filter field, and an access profile. Click Go. The selected access profile appears in the Profile Rule Table.

STEP 3 Click Add to add a rule.

STEP 4 Enter the parameters.
• Access Profile Name—Select an access profile.
• Rule Priority—Enter the rule priority. When the packet is matched to a rule, user groups are either granted or denied access to the device. The rule priority is essential to matching packets to rules, because packets are matched on a first-match basis.
• Management Method—Select the management method for which the rule is defined. The options are:
- All—Assigns all management methods to the rule.
- Telnet—Users requesting access to the device that meet the Telnet access profile criteria are permitted or denied access.
- Secure Telnet (SSH)—Users requesting access to the device that meet the SSH access profile criteria are permitted or denied access.
- HTTP—Assigns HTTP access to the rule. Users requesting access to the device that meet the HTTP access profile criteria are permitted or denied access.
- Secure HTTP (HTTPS)—Users requesting access to the device that meet the HTTPS access profile criteria are permitted or denied access.
- SNMP—Users requesting access to the device that meet the SNMP access profile criteria are permitted or denied access.
• Action—Select Permit to permit the users that attempt to access the device by using the configured access method from the interface and IP source defined in this rule. Or select Deny to deny access.
• Applies to Interface—Select the interface attached to the rule. The options are:
- All—Applies to all ports, VLANs, and LAGs.
- User Defined—Applies only to the port, VLAN, or LAG selected.
• Interface—Enter the interface number.
• Applies to Source IP Address—Select the type of source IP address to which the access profile applies. The Source IP Address field is valid for a subnetwork. Select one of the following values:
- All—Applies to all types of IP addresses.
- User Defined—Applies only to those types of IP addresses defined in the fields.
• IP Version—Select the supported IP version of the source address: IPv6 or IPv4.
• IP Address—Enter the source IP address.
• Mask—Select the format for the subnet mask for the source IP address, and enter a value in one of the fields:
- Network Mask—Select the subnet to which the source IP address belongs and enter the subnet mask in dotted decimal format.
- Prefix Length—Select the Prefix Length and enter the number of bits that comprise the source IP address prefix.

STEP 5 Click Apply, and the rule is added to the access profile.

Management Access Authentication

You can assign authentication methods to the various management access methods, such as SSH, console, Telnet, HTTP, and HTTPS. The authentication can be performed locally or on a TACACS+ or RADIUS server. For the RADIUS server to grant access to the web-based configuration utility, the RADIUS server must return cisco-avpair = shell:priv-lvl=15.

User authentication occurs in the order that the authentication methods are selected. If the first authentication method is not available, the next selected method is used. For example, if the selected authentication methods are RADIUS and Local, and all configured RADIUS servers are queried in priority order and do not reply, the user is authenticated locally.
If an authentication method fails or the user has an insufficient privilege level, the user is denied access to the device. In other words, if authentication fails at an authentication method, the device stops the authentication attempt; it does not continue and does not attempt to use the next authentication method.

To define authentication methods for an access method:

STEP 1 Click Security > Management Access Authentication.

STEP 2 Select an access method from the Application list.

STEP 3 Use the arrows to move the authentication method between the Optional Methods column and the Selected Methods column. The first method selected is the first method that is used.
• RADIUS—User is authenticated on a RADIUS server. You must have configured one or more RADIUS servers.
• TACACS+—User is authenticated on the TACACS+ server. You must have configured one or more TACACS+ servers.
• None—User is allowed to access the device without authentication.
• Local—Username and password are checked against the data stored on the local device. These username and password pairs are defined in the User Accounts page.

NOTE The Local or None authentication method must always be selected last. All authentication methods selected after Local or None are ignored.

STEP 4 Click Apply. The selected authentication methods are associated with the access method.

Secure Sensitive Data Management

See Security: Secure Sensitive Data Management.
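The two gates described above, the access-profile rule matching under Defining Profile Rules and the ordered authentication methods under Management Access Authentication, modelled in one added example (constructed here, not code from the guide or from the switch); the rule set, the interface names and the server replies are assumed inputs:

```python
from dataclasses import dataclass
import ipaddress

# Constructed model of two gates from the guide: the active access profile (first
# match by priority number, unmatched requests dropped) and the authentication order.
@dataclass(frozen=True)
class Rule:
    priority: int           # 1 is the highest priority and is checked first
    method: str             # "All", "Telnet", "SSH", "HTTP", "HTTPS" or "SNMP"
    action: str             # "Permit" or "Deny"
    interface: str = "All"  # "All" or one port/VLAN/LAG name (naming is assumed)
    source: str = "All"     # "All" or a network in mask or prefix-length form

def rule_matches(rule, method, interface, src_ip):
    if rule.method not in ("All", method) or rule.interface not in ("All", interface):
        return False
    if rule.source == "All":
        return True
    # ip_network accepts "10.10.0.0/24" and "10.10.0.0/255.255.255.0"; membership is False across IP versions
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)

def access_profile(rules, method, interface, src_ip):
    """Action of the first matching rule, or "Drop" when no rule in the profile matches."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, method, interface, src_ip):
            return rule.action
    return "Drop"

def authenticate(methods, replies, application):
    """methods: the selected order, e.g. ["RADIUS", "Local"]. replies: per method, the first
    answer from its servers ("accept:<priv-lvl>" or "reject"), or None when none replied.
    Web access (HTTP/HTTPS) needs priv-lvl 15, assumed here for every method, not only RADIUS."""
    for method in methods:
        if method == "None":
            return True                        # access granted without authentication
        reply = replies.get(method)
        if reply is None and method != "Local":
            continue                           # method unavailable: try the next one
        if reply is None or reply == "reject":
            return False                       # failed: later methods are not tried
        return application not in ("HTTP", "HTTPS") or reply == "accept:15"
    return False                               # every selected method was unavailable

# Constructed profile: only the hypothetical IT management subnet 10.10.0.0/24 may use
# SSH or HTTPS; a low-priority catch-all rule explicitly denies everything else.
IT_MGMT_RULES = [
    Rule(priority=3, method="All", action="Deny"),
    Rule(priority=1, method="SSH", action="Permit", source="10.10.0.0/255.255.255.0"),
    Rule(priority=2, method="HTTPS", action="Permit", source="10.10.0.0/24"),
]
```

Without the catch-all rule, a request that matches nothing is still dropped, so the explicit Deny only makes the intent visible in the Profile Rule Table.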
SSL Server

This section describes the Secure Socket Layer (SSL) feature.

SSL Overview

The Secure Socket Layer (SSL) feature is used to open an HTTPS session to the device. An HTTPS session may be opened with the default certificate that exists on the device. Some browsers generate warnings when using a default certificate, since this certificate is not signed by a Certification Authority (CA). It is best practice to have a certificate signed by a trusted CA.

To open an HTTPS session with a user-created certificate, perform the following actions:
1. Generate a certificate.
2. Request that the certificate be certified by a CA.
3. Import the signed certificate into the device.

Default Settings and Configuration

By default, the device contains a certificate that can be modified. HTTPS is enabled by default.

SSL Server Authentication Settings

It may be required to generate a new certificate to replace the default certificate found on the device.

To create a new certificate:

STEP 1 Click Security > SSL Server > SSL Server Authentication Settings. Information appears for certificate 1 and 2 in the SSL Server Key Table. These fields are defined in the Edit page except for the following fields:
• Valid From—Specifies the date from which the certificate is valid.
• Valid To—Specifies the date up to which the certificate is valid.
• Certificate Source—Specifies whether the certificate was generated by the system (Auto Generated) or the user (User Defined).

STEP 2 Select an active certificate.

STEP 3 Click Generate Certificate Request.

STEP 4 Enter the following fields:
• Regenerate RSA Key—Select to regenerate the RSA key.
• Key Length—Enter the length of the RSA key to be generated.
• Common Name—Specifies the fully-qualified device URL or IP address. If unspecified, defaults to the lowest IP address of the device (when the certificate is generated).
• Organization Unit—Specifies the organization-unit or department name.
• Organization Name—Specifies the organization name.
• Location—Specifies the location or city name.
• State—Specifies the state or province name.
• Country—Specifies the country name.
• Duration—Specifies the number of days a certificate is valid.

STEP 5 Click Generate Certificate Request. This creates a certificate request that must be submitted to the Certification Authority (CA).

To import a certificate:

STEP 1 Click Security > SSL Server > SSL Server Authentication Settings.

STEP 2 Click Import Certificate.

STEP 3 Enter the following fields:
• Certificate ID—Select the active certificate.
• Certificate—Copy in the received certificate.
• Import RSA Key-Pair—Select to enable copying in the new RSA key-pair.
• Public Key—Copy in the RSA public key.
• Private Key (Encrypted)—Select and copy in the RSA private key in encrypted form.
• Private Key (Plaintext)—Select and copy in the RSA private key in plain text form.

STEP 4 Click Display Sensitive Data as Encrypted to display this key as encrypted. When this button is clicked, the private keys are written to the configuration file in encrypted form (when Apply is clicked).

STEP 5 Click Apply to apply the changes to the Running Configuration.

The Details button displays the certificate and RSA key pair. This is used to copy the certificate and RSA key-pair to another device (using copy/paste). When you click Display Sensitive Data as Encrypted, the private keys are displayed in encrypted form.

SSH Server

See Security: SSH Server.

SSH Client

See Security: SSH Client.

Configuring TCP/UDP Services

The TCP/UDP Services page enables TCP or UDP-based services on the device, usually for security reasons. The device offers the following TCP/UDP services:
• HTTP—Enabled by factory default
• HTTPS—Enabled by factory default
• SNMP—Disabled by factory default
• Telnet—Disabled by factory default
• SSH—Disabled by factory default

The active TCP connections are also displayed in this window.

To configure TCP/UDP services:

STEP 1 Click Security > TCP/UDP Services.

STEP 2 Enable or disable each of the following TCP/UDP services in the displayed list.
• HTTP Service—Indicates whether the HTTP service is enabled or disabled.
• HTTPS Service—Indicates whether the HTTPS service is enabled or disabled.
• SNMP Service—Indicates whether the SNMP service is enabled or disabled.
• Telnet Service—Indicates whether the Telnet service is enabled or disabled.
• SSH Service—Indicates whether the SSH server service is enabled or disabled.

The TCP Service Table displays the following fields for each service:
• Service Name—Access method through which the device is offering the TCP service.
• Type—IP protocol the service uses.
• Local IP Address—Local IP address through which the device is offering the service.
• Local Port—Local TCP port through which the device is offering the service.
• Remote IP Address—IP address of the remote device that is requesting the service.
• Remote Port—TCP port of the remote device that is requesting the service.
• State—Status of the service.

The UDP Services table displays the following information:
• Service Name—Access method through which the device is offering the UDP service.
• Type—IP protocol the service uses.
• Local IP Address—Local IP address through which the device is offering the service.
• Local Port—Local UDP port through which the device is offering the service.
• Application Instance—The service instance of the UDP service. (For example, when two senders send data to the same destination.)

STEP 3 Click Apply. The services are written to the Running Configuration file.

Defining Storm Control

When Broadcast, Multicast, or Unknown Unicast frames are received, they are duplicated, and a copy is sent to all possible egress ports. This means that in practice they are sent to all ports belonging to the relevant VLAN. In this way, one ingress frame is turned into many, creating the potential for a traffic storm. Storm protection enables you to limit the number of frames entering the device and to define the types of frames that are counted towards this limit. When the rate of Broadcast, Multicast, or Unknown Unicast frames is higher than the user-defined threshold, frames received beyond the threshold are discarded.

To define Storm Control:

STEP 1 Click Security > Storm Control. All the fields on this page are described in the Edit Storm Control page except for the Storm Control Rate Threshold (%). It displays the percent of the total available bandwidth for unknown Unicast, Multicast, and Broadcast packets before storm control is applied at the port. The default value is 10% of the maximum rate of the port and is set in the Edit Storm Control page.

STEP 2 Select a port and click Edit.

STEP 3 Enter the parameters.
• Interface—Select the port for which storm control is enabled.
• Storm Control—Select to enable Storm Control.
• Storm Control Rate Threshold—Enter the maximum rate at which unknown packets can be forwarded. The default for this threshold is 10,000 for FE devices and 100,000 for GE devices.