Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX
First Published: July 10, 2013
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-29048-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
2013 Cisco Systems, Inc. All rights reserved.
Contents
Preface xxi
Document Conventions xxi
Related Documentation xxiii
Obtaining Documentation and Submitting a Service Request xxiii
Chapter 1 Using the Command-Line Interface 1
Information About Using the Command-Line Interface 1
Command Modes 1
Understanding Abbreviated Commands 3
No and Default Forms of Commands 3
CLI Error Messages 4
Configuration Logging 4
Using the Help System 4
How to Use the CLI to Configure Features 6
Configuring the Command History 6
Changing the Command History Buffer Size 6
Recalling Commands 6
Disabling the Command History Feature 7
Enabling and Disabling Editing Features 7
Editing Commands Through Keystrokes 8
Editing Command Lines That Wrap 9
Searching and Filtering Output of show and more Commands 10
Accessing the CLI on a Switch Stack 11
Accessing the CLI Through a Console Connection or Through Telnet 11
Chapter 2 Security Features Overview 13
Security Features Overview 13
Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX OL-29048-01 iii
Chapter 3 Preventing Unauthorized Access 17
Finding Feature Information 17
Preventing Unauthorized Access 17
Chapter 4 Controlling Switch Access with Passwords and Privilege Levels 19
Finding Feature Information 19
Restrictions for Controlling Switch Access with Passwords and Privileges 19
Information About Passwords and Privilege Levels 20
Default Password and Privilege Level Configuration 20
Additional Password Security 20
Password Recovery 21
Terminal Line Telnet Configuration 21
Username and Password Pairs 21
Privilege Levels 22
How to Control Switch Access with Passwords and Privilege Levels 22
Setting or Changing a Static Enable Password 22
Protecting Enable and Enable Secret Passwords with Encryption 24
Disabling Password Recovery 26
Setting a Telnet Password for a Terminal Line 27
Configuring Username and Password Pairs 29
Setting the Privilege Level for a Command 31
Changing the Default Privilege Level for Lines 33
Logging into and Exiting a Privilege Level 34
Monitoring Switch Access 35
Configuration Examples for Setting Passwords and Privilege Levels 35
Example: Setting or Changing a Static Enable Password 35
Example: Protecting Enable and Enable Secret Passwords with Encryption 35
Example: Setting a Telnet Password for a Terminal Line 36
Example: Setting the Privilege Level for a Command 36
Additional References 36
Chapter 5 Configuring TACACS+ 39
Finding Feature Information 39
Prerequisites for TACACS+ 39
Information About TACACS+ 41
TACACS+ and Switch Access 41
TACACS+ Overview 41
TACACS+ Operation 43
Method List 44
TACACS+ Configuration Options 44
TACACS+ Login Authentication 44
TACACS+ Authorization for Privileged EXEC Access and Network Services 44
TACACS+ Accounting 45
Default TACACS+ Configuration 45
How to Configure TACACS+ 45
Identifying the TACACS+ Server Host and Setting the Authentication Key 45
Configuring TACACS+ Login Authentication 47
Configuring TACACS+ Authorization for Privileged EXEC Access and Network Services 50
Starting TACACS+ Accounting 52
Establishing a Session with a Router if the AAA Server is Unreachable 53
Monitoring TACACS+ 54
Additional References 54
Feature Information for TACACS+ 55
Chapter 6 Configuring RADIUS 57
Finding Feature Information 57
Prerequisites for Configuring RADIUS 57
Restrictions for Configuring RADIUS 58
Information about RADIUS 59
RADIUS and Switch Access 59
RADIUS Overview 59
RADIUS Operation 60
RADIUS Change of Authorization 61
Change-of-Authorization Requests 62
RFC 5176 Compliance 63
Preconditions 64
CoA Request Response Code 64
Session Identification 64
CoA ACK Response Code 65
CoA NAK Response Code 65
CoA Request Commands 65
Session Reauthentication 66
Session Reauthentication in a Switch Stack 66
Session Termination 67
CoA Disconnect-Request 67
CoA Request: Disable Host Port 67
CoA Request: Bounce-Port 68
Stacking Guidelines for Session Termination 68
Stacking Guidelines for CoA-Request Bounce-Port 68
Stacking Guidelines for CoA-Request Disable-Port 69
Default RADIUS Configuration 69
RADIUS Server Host 69
RADIUS Login Authentication 70
AAA Server Groups 70
AAA Authorization 71
RADIUS Accounting 71
Vendor-Specific RADIUS Attributes 71
Vendor-Proprietary RADIUS Server Communication 83
How to Configure RADIUS 83
Identifying the RADIUS Server Host 83
Configuring RADIUS Login Authentication 86
Defining AAA Server Groups 88
Configuring RADIUS Authorization for User Privileged Access and Network Services 90
Starting RADIUS Accounting 92
Establishing a Session with a Router if the AAA Server is Unreachable 93
Configuring Settings for All RADIUS Servers 93
Configuring the Switch to Use Vendor-Specific RADIUS Attributes 95
Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 97
Configuring CoA on the Switch 98
Configuring RADIUS Server Load Balancing 101
Monitoring CoA Functionality 101
Configuration Examples for Controlling Switch Access with RADIUS 102
Examples: Identifying the RADIUS Server Host 102
Example: Using Two Different RADIUS Group Servers 102
Examples: Configuring the Switch to Use Vendor-Specific RADIUS Attributes 103
Example: Configuring the Switch for Vendor-Proprietary RADIUS Server Communication 103
Additional References 104
Feature Information for RADIUS 105
Chapter 7 Configuring Local Authentication and Authorization 107
Finding Feature Information 107
How to Configure Local Authentication and Authorization 107
Configuring the Switch for Local Authentication and Authorization 107
Monitoring Local Authentication and Authorization 110
Additional References 110
Feature Information for Local Authentication and Authorization 111
Chapter 8 Configuring Secure Shell (SSH) 113
Finding Feature Information 113
Prerequisites for Configuring Secure Shell 113
Restrictions for Configuring Secure Shell 114
Information about SSH 114
SSH and Switch Access 115
SSH Servers, Integrated Clients, and Supported Versions 115
SSH Configuration Guidelines 115
Secure Copy Protocol Overview 116
Secure Copy Protocol 116
How to Configure SSH 117
Setting Up the Switch to Run SSH 117
Configuring the SSH Server 118
Monitoring the SSH Configuration and Status 121
Additional References 121
Feature Information for SSH 122
Chapter 9 Configuring Secure Socket Layer HTTP 125
Finding Feature Information 125
Information about Secure Sockets Layer (SSL) HTTP 125
Secure HTTP Servers and Clients Overview 125
Certificate Authority Trustpoints 126
CipherSuites 127
Default SSL Configuration 128
SSL Configuration Guidelines 128
How to Configure Secure HTTP Servers and Clients 129
Configuring a CA Trustpoint 129
Configuring the Secure HTTP Server 131
Configuring the Secure HTTP Client 134
Monitoring Secure HTTP Server and Client Status 135
Additional References 136
Feature Information for Secure Socket Layer HTTP 137
Chapter 10 Configuring IPv4 ACLs 139
Finding Feature Information 139
Prerequisites for Configuring IPv4 Access Control Lists 139
Restrictions for Configuring IPv4 Access Control Lists 140
Information about Network Security with ACLs 141
Cisco TrustSec and ACLs 141
ACL Overview 141
Access Control Entries 142
ACL Supported Types 142
Supported ACLs 142
ACL Precedence 142
Port ACLs 143
Router ACLs 144
VLAN Maps 145
ACEs and Fragmented and Unfragmented Traffic 145
ACEs and Fragmented and Unfragmented Traffic Examples 146
ACLs and Switch Stacks 146
Active Switch and ACL Functions 146
Stack Member and ACL Functions 147
Active Switch Failure and ACLs 147
Standard and Extended IPv4 ACLs 147
IPv4 ACL Switch Unsupported Features 147
Access List Numbers 148
Numbered Standard IPv4 ACLs 149
Numbered Extended IPv4 ACLs 149
Named IPv4 ACLs 150
ACL Logging 150
Smart Logging 151
Hardware and Software Treatment of IP ACLs 151
VLAN Map Configuration Guidelines 151
VLAN Maps with Router ACLs 152
VLAN Maps and Router ACL Configuration Guidelines 152
Time Ranges for ACLs 153
IPv4 ACL Interface Considerations 153
How to Configure ACLs 154
Configuring IPv4 ACLs 154
Creating a Numbered Standard ACL 154
Creating a Numbered Extended ACL 156
Creating Named Standard ACLs 160
Creating Extended Named ACLs 161
Configuring Time Ranges for ACLs 163
Applying an IPv4 ACL to a Terminal Line 165
Applying an IPv4 ACL to an Interface 167
Creating Named MAC Extended ACLs 168
Applying a MAC ACL to a Layer 2 Interface 170
Configuring VLAN Maps 172
Creating a VLAN Map 174
Applying a VLAN Map to a VLAN 176
Configuring VACL Logging 177
Monitoring IPv4 ACLs 179
Configuration Examples for ACLs 180
Examples: Using Time Ranges with ACLs 180
Examples: Including Comments in ACLs 180
Examples: Troubleshooting ACLs 181
IPv4 ACL Configuration Examples 182
ACLs in a Small Networked Office 182
Examples: ACLs in a Small Networked Office 183
Example: Numbered ACLs 183
Examples: Extended ACLs 183
Examples: Named ACLs 184
Examples: Time Range Applied to an IP ACL 185
Examples: Configuring Commented IP ACL Entries 185
Examples: ACL Logging 186
Configuration Examples for ACLs and VLAN Maps 187
Example: Creating an ACL and a VLAN Map to Deny a Packet 187
Example: Creating an ACL and a VLAN Map to Permit a Packet 187
Example: Default Action of Dropping IP Packets and Forwarding MAC Packets 187
Example: Default Action of Dropping MAC Packets and Forwarding IP Packets 188
Example: Default Action of Dropping All Packets 188
Configuration Examples for Using VLAN Maps in Your Network 189
Example: Wiring Closet Configuration 189
Example: Restricting Access to a Server on Another VLAN 190
Example: Denying Access to a Server on Another VLAN 190
Configuration Examples of Router ACLs and VLAN Maps Applied to VLANs 191
Example: ACLs and Switched Packets 191
Example: ACLs and Bridged Packets 192
Example: ACLs and Routed Packets 193
Example: ACLs and Multicast Packets 193
Additional References 194
Feature Information for IPv4 Access Control Lists 195
Chapter 11 Configuring IPv6 ACLs 197
Finding Feature Information 197
IPv6 ACLs Overview 197
Switch Stacks and IPv6 ACLs 198
Interactions with Other Features and Switches 198
Restrictions for IPv6 ACLs 199
Default Configuration for IPv6 ACLs 199
Configuring IPv6 ACLs 200
Attaching an IPv6 ACL to an Interface 203
Monitoring IPv6 ACLs 205
Additional References 206
Chapter 12 Configuring DHCP 209
Finding Feature Information 209
Information About DHCP 209
DHCP Server 209
DHCP Relay Agent 209
DHCP Snooping 210
Option-82 Data Insertion 211
Cisco IOS DHCP Server Database 214
DHCP Snooping Binding Database 214
DHCP Snooping and Switch Stacks 216
How to Configure DHCP Features 216
Default DHCP Snooping Configuration 216
DHCP Snooping Configuration Guidelines 217
Configuring the DHCP Server 217
DHCP Server and Switch Stacks 217
Configuring the DHCP Relay Agent 218
Specifying the Packet Forwarding Address 219
Prerequisites for Configuring DHCP Snooping and Option 82 221
Enabling DHCP Snooping and Option 82 222
Enabling the Cisco IOS DHCP Server Database 226
Monitoring DHCP Snooping Information 226
Configuring DHCP Server Port-Based Address Allocation 226
Information About Configuring DHCP Server Port-Based Address Allocation 226
Default Port-Based Address Allocation Configuration 227
Port-Based Address Allocation Configuration Guidelines 227
Enabling the DHCP Snooping Binding Database Agent 227
Enabling DHCP Server Port-Based Address Allocation 229
Monitoring DHCP Server Port-Based Address Allocation 231
Additional References 231
Feature Information for DHCP Snooping and Option 82 232
Chapter 13 Configuring IP Source Guard 235
Finding Feature Information 235
Information About IP Source Guard 235
IP Source Guard 235
IP Source Guard for Static Hosts 236
IP Source Guard Configuration Guidelines 237
How to Configure IP Source Guard 238
Enabling IP Source Guard 238
Configuring IP Source Guard for Static Hosts on a Layer 2 Access Port 239
Monitoring IP Source Guard 241
Additional References 242
Chapter 14 Configuring Dynamic ARP Inspection 243
Finding Feature Information 243
Restrictions for Dynamic ARP Inspection 243
Understanding Dynamic ARP Inspection 245
Interface Trust States and Network Security 246
Rate Limiting of ARP Packets 247
Relative Priority of ARP ACLs and DHCP Snooping Entries 248
Logging of Dropped Packets 248
Default Dynamic ARP Inspection Configuration 248
Relative Priority of ARP ACLs and DHCP Snooping Entries 249
Configuring ARP ACLs for Non-DHCP Environments 249
Configuring Dynamic ARP Inspection in DHCP Environments 252
Limiting the Rate of Incoming ARP Packets 255
Performing Dynamic ARP Inspection Validation Checks 257
Monitoring DAI 259
Verifying the DAI Configuration 260
Additional References 260
Chapter 15 Configuring IEEE 802.1x Port-Based Authentication 263
Finding Feature Information 263
Information About 802.1x Port-Based Authentication 263
Port-Based Authentication Process 264
Port-Based Authentication Initiation and Message Exchange 266
Authentication Manager for Port-Based Authentication 268
Port-Based Authentication Methods 268
Per-User ACLs and Filter-Ids 269
Port-Based Authentication Manager CLI Commands 269
Ports in Authorized and Unauthorized States 270
Port-Based Authentication and Switch Stacks 271
802.1x Host Mode 272
802.1x Multiple Authentication Mode 273
Multi-auth Per User VLAN assignment 273
Limitation in Multi-auth Per User VLAN assignment 274
MAC Move 275
MAC Replace 275
802.1x Accounting 276
802.1x Accounting Attribute-Value Pairs 276
802.1x Readiness Check 277
Switch-to-RADIUS-Server Communication 278
802.1x Authentication with VLAN Assignment 278
802.1x Authentication with Per-User ACLs 280
802.1x Authentication with Downloadable ACLs and Redirect URLs 281
Cisco Secure ACS and Attribute-Value Pairs for the Redirect URL 282
Cisco Secure ACS and Attribute-Value Pairs for Downloadable ACLs 282
VLAN ID-based MAC Authentication 283
802.1x Authentication with Guest VLAN 283
802.1x Authentication with Restricted VLAN 284
802.1x Authentication with Inaccessible Authentication Bypass 285
Inaccessible Authentication Bypass Support on Multiple-Authentication Ports 285
Inaccessible Authentication Bypass Authentication Results 286
Inaccessible Authentication Bypass Feature Interactions 286
802.1x Critical Voice VLAN 287
802.1x User Distribution 287
802.1x User Distribution Configuration Guidelines 288
IEEE 802.1x Authentication with Voice VLAN Ports 288
IEEE 802.1x Authentication with Port Security 289
IEEE 802.1x Authentication with Wake-on-LAN 289
IEEE 802.1x Authentication with MAC Authentication Bypass 290
Network Admission Control Layer 2 IEEE 802.1x Validation 291
Flexible Authentication Ordering 291
Open1x Authentication 292
Multidomain Authentication 292
Limiting Login for Users 294
802.1x Supplicant and Authenticator Switches with Network Edge Access Topology (NEAT) 294
Voice Aware 802.1x Security 295
Common Session ID 296
How to Configure 802.1x Port-Based Authentication 296
Default 802.1x Authentication Configuration 296
802.1x Authentication Configuration Guidelines 298
802.1x Authentication 298
VLAN Assignment, Guest VLAN, Restricted VLAN, and Inaccessible Authentication Bypass 299
MAC Authentication Bypass 300
Maximum Number of Allowed Devices Per Port 300
Configuring 802.1x Readiness Check 300
Configuring Voice Aware 802.1x Security 302
Configuring 802.1x Violation Modes 304
Configuring 802.1x Authentication 306
Configuring 802.1x Port-Based Authentication 307
Configuring the Switch-to-RADIUS-Server Communication 309
Configuring the Host Mode 311
Configuring Periodic Re-Authentication 312
Changing the Quiet Period 313
Changing the Switch-to-Client Retransmission Time 314
Setting the Switch-to-Client Frame-Retransmission Number 316
Setting the Re-Authentication Number 317
Enabling MAC Move 318
Enabling MAC Replace 319
Configuring 802.1x Accounting 321
Configuring a Guest VLAN 323
Configuring a Restricted VLAN 324
Configuring Number of Authentication Attempts on a Restricted VLAN 326
Configuring 802.1x Inaccessible Authentication Bypass with Critical Voice VLAN 328
Example of Configuring Inaccessible Authentication Bypass 331
Configuring 802.1x Authentication with WoL 332
Configuring MAC Authentication Bypass 333
Formatting a MAC Authentication Bypass Username and Password 334
Configuring 802.1x User Distribution 335
Example of Configuring VLAN Groups 336
Configuring NAC Layer 2 802.1x Validation 337
Configuring Limiting Login for Users 339
Configuring an Authenticator Switch with NEAT 340
Configuring a Supplicant Switch with NEAT 342
Configuring 802.1x Authentication with Downloadable ACLs and Redirect URLs 345
Configuring Downloadable ACLs 345
Configuring a Downloadable Policy 347
Configuring VLAN ID-based MAC Authentication 350
Configuring Flexible Authentication Ordering 350
Configuring Open1x 352
Disabling 802.1x Authentication on the Port 354
Resetting the 802.1x Authentication Configuration to the Default Values 355
Monitoring 802.1x Statistics and Status 356
Additional References 357
Feature Information for 802.1x Port-Based Authentication 358
Chapter 16 Configuring Web-Based Authentication 359
Finding Feature Information 359
Web-Based Authentication Overview 359
Device Roles 360
Host Detection 361
Session Creation 361
Authentication Process 362
Local Web Authentication Banner 362
Web Authentication Customizable Web Pages 365
Guidelines 365
Authentication Proxy Web Page Guidelines 367
Redirection URL for Successful Login Guidelines 368
Web-based Authentication Interactions with Other Features 368
Port Security 368
LAN Port IP 368
Gateway IP 369
ACLs 369
Context-Based Access Control 369
EtherChannel 369
How to Configure Web-Based Authentication 369
Default Web-Based Authentication Configuration 369
Web-Based Authentication Configuration Guidelines and Restrictions 370
Web-Based Authentication Configuration Task List 371
Configuring the Authentication Rule and Interfaces 371
Configuring AAA Authentication 373
Configuring Switch-to-RADIUS-Server Communication 375
Configuring the HTTP Server 377
Customizing the Authentication Proxy Web Pages 378
Specifying a Redirection URL for Successful Login 380
Configuring the Web-Based Authentication Parameters 381
Configuring a Web-Based Authentication Local Banner 382
Configuring Web-Based Authentication without SVI 384
Configuring Web-Based Authentication with VRF Aware 385
Removing Web-Based Authentication Cache Entries 387
Monitoring Web-Based Authentication Status 387
Feature Information for Web-Based Authentication 388
Chapter 17 Configuring Port-Based Traffic Control 389
Overview of Port-Based Traffic Control 390
Finding Feature Information 390
Information About Storm Control 390
Storm Control 390
How Traffic Activity is Measured 391
Traffic Patterns 391
How to Configure Storm Control 392
Configuring Storm Control and Threshold Levels 392
Configuring Small-Frame Arrival Rate 395
Finding Feature Information 397
Information About Protected Ports 397
Protected Ports 397
Default Protected Port Configuration 398
Protected Ports Guidelines 398
How to Configure Protected Ports 398
Configuring a Protected Port 398
Monitoring Protected Ports 400
Where to Go Next 400
Additional References 400
Feature Information 401
Finding Feature Information 401
Information About Port Blocking 402
Port Blocking 402
How to Configure Port Blocking 402
Blocking Flooded Traffic on an Interface 402
Monitoring Port Blocking 404
Where to Go Next 404
Additional References 404
Feature Information 405
Prerequisites for Port Security 406
Restrictions for Port Security 406
Information About Port Security 406
Port Security 406
Types of Secure MAC Addresses 406
Sticky Secure MAC Addresses 407
Security Violations 407
Port Security Aging 408
Port Security and Switch Stacks 408
Default Port Security Configuration 409
Port Security Configuration Guidelines 409
Overview of Port-Based Traffic Control 411
How to Configure Port Security 411
Enabling and Configuring Port Security 411
Enabling and Configuring Port Security Aging 415
Finding Feature Information 417
Information About Storm Control 418
Storm Control 418
How Traffic Activity is Measured 418
Traffic Patterns 419
How to Configure Storm Control 419
Configuring Storm Control and Threshold Levels 419
Configuring Small-Frame Arrival Rate 422
Finding Feature Information 424
Information About Protected Ports 424
Protected Ports 424
Default Protected Port Configuration 425
Protected Ports Guidelines 425
How to Configure Protected Ports 425
Configuring a Protected Port 425
Monitoring Protected Ports 427
Where to Go Next 427
Additional References 427
Feature Information 428
Finding Feature Information 428
Information About Port Blocking 429
Port Blocking 429
How to Configure Port Blocking 429
Blocking Flooded Traffic on an Interface 429
Monitoring Port Blocking 431
Where to Go Next 431
Additional References 431
Feature Information 432
Configuration Examples for Port Security 432
Additional References 433
Finding Feature Information 434
Information About Protocol Storm Protection 434
Protocol Storm Protection 434
Default Protocol Storm Protection Configuration 435
How to Configure Protocol Storm Protection 435
Enabling Protocol Storm Protection 435
Monitoring Protocol Storm Protection 436
Additional References 437
Chapter 18 Configuring IPv6 First Hop Security 439
Finding Feature Information 439
Prerequisites for First Hop Security in IPv6 439
Restrictions for First Hop Security in IPv6 440
Information about First Hop Security in IPv6 440
How to Configure an IPv6 Snooping Policy 442
How to Attach an IPv6 Snooping Policy to an Interface 444
How to Attach an IPv6 Snooping Policy to a Layer 2 EtherChannel Interface 445
How to Attach an IPv6 Snooping Policy to VLANs Globally 446
How to Configure the IPv6 Binding Table Content 447
How to Configure an IPv6 Neighbor Discovery Inspection Policy 449
How to Attach an IPv6 Neighbor Discovery Inspection Policy to an Interface 451
How to Attach an IPv6 Neighbor Discovery Inspection Policy to a Layer 2 EtherChannel Interface 452
How to Attach an IPv6 Neighbor Discovery Inspection Policy to VLANs Globally 453
How to Configure an IPv6 Router Advertisement Guard Policy 454
How to Attach an IPv6 Router Advertisement Guard Policy to an Interface 456
How to Attach an IPv6 Router Advertisement Guard Policy to a Layer 2 EtherChannel Interface 458
How to Configure an IPv6 DHCP Guard Policy 459
How to Attach an IPv6 DHCP Guard Policy to an Interface or a VLAN on an Interface 461
How to Attach an IPv6 DHCP Guard Policy to a Layer 2 EtherChannel Interface 462
How to Attach an IPv6 DHCP Guard Policy to VLANs Globally 463
How to Configure IPv6 Source Guard 464
How to Attach an IPv6 Source Guard Policy to an Interface 466
Additional References 467
Preface
Document Conventions, page xxi
Related Documentation, page xxiii
Obtaining Documentation and Submitting a Service Request, page xxiii
Document Conventions
This document uses the following conventions:

^ or Ctrl: Both the ^ symbol and Ctrl represent the Control (Ctrl) key on a keyboard. For example, the key combination ^D or Ctrl-D means that you hold down the Control key while you press the D key. (Keys are indicated in capital letters but are not case sensitive.)
bold font: Commands and keywords and user-entered text appear in bold font.
italic font: Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
Courier font: Terminal sessions and information the system displays appear in courier font.
Bold Courier font: Bold Courier font indicates text that the user must enter.
[x]: Elements in square brackets are optional.
...: An ellipsis (three consecutive nonbolded periods without spaces) after a syntax element indicates that the element can be repeated.
|: A vertical line, called a pipe, indicates a choice within a set of keywords or arguments.
[x | y]: Optional alternative keywords are grouped in brackets and separated by vertical bars.
{x | y}: Required alternative keywords are grouped in braces and separated by vertical bars.
[x {y | z}]: Nested sets of square brackets or braces indicate optional or required choices within optional or required elements. Braces and a vertical bar within square brackets indicate a required choice within an optional element.
string: A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
< >: Nonprinting characters such as passwords are in angle brackets.
[ ]: Default responses to system prompts are in square brackets.
!, #: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Reader Alert Conventions
This document may use the following conventions for reader alerts:

Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
Tip: Means the following information will help you solve a problem.
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Timesaver: Means the described action saves time. You can save time by performing the action described in the paragraph.
Warning: IMPORTANT SAFETY INSTRUCTIONS. This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device. Statement 1071. SAVE THESE INSTRUCTIONS.
Related Documentation
Note: Before installing or upgrading the switch, refer to the switch release notes.
Cisco Validated Designs documents, located at: http://www.cisco.com/go/designzone

Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.
Chapter 1 Using the Command-Line Interface
Information About Using the Command-Line Interface, page 1
How to Use the CLI to Configure Features, page 6
Information About Using the Command-Line Interface

Command Modes

The Cisco IOS user interface is divided into many different modes. The commands available to you depend on which mode you are currently in. Enter a question mark (?) at the system prompt to obtain a list of commands available for each command mode.

You can start a CLI session through a console connection, through Telnet, through SSH, or by using the browser.

When you start a session, you begin in user mode, often called user EXEC mode. Only a limited subset of the commands are available in user EXEC mode. For example, most of the user EXEC commands are one-time commands, such as show commands, which show the current configuration status, and clear commands, which clear counters or interfaces. The user EXEC commands are not saved when the switch reboots.

To have access to all commands, you must enter privileged EXEC mode. Normally, you must enter a password to enter privileged EXEC mode. From this mode, you can enter any privileged EXEC command or enter global configuration mode.

Using the configuration modes (global, interface, and line), you can make changes to the running configuration. If you save the configuration, these commands are stored and used when the switch reboots. To access the various configuration modes, you must start at global configuration mode. From global configuration mode, you can enter interface configuration mode and line configuration mode.

This table describes the main command modes, how to access each one, the prompt you see in that mode, and how to exit the mode.
Table 1: Command Mode Summary

Mode: User EXEC
  Access method: Begin a session using Telnet, SSH, or console.
  Prompt: Switch>
  Exit method: Enter logout or quit.
  About this mode: Use this mode to change terminal settings, perform basic tests, and display system information.

Mode: Privileged EXEC
  Access method: While in user EXEC mode, enter the enable command.
  Prompt: Switch#
  Exit method: Enter disable to exit.
  About this mode: Use this mode to verify commands that you have entered. Use a password to protect access to this mode.

Mode: Global configuration
  Access method: While in privileged EXEC mode, enter the configure command.
  Prompt: Switch(config)#
  Exit method: To exit to privileged EXEC mode, enter exit or end, or press Ctrl-Z.
  About this mode: Use this mode to configure parameters that apply to the entire switch.

Mode: VLAN configuration
  Access method: While in global configuration mode, enter the vlan vlan-id command.
  Prompt: Switch(config-vlan)#
  Exit method: To exit to global configuration mode, enter the exit command. To return to privileged EXEC mode, press Ctrl-Z or enter end.
  About this mode: Use this mode to configure VLAN parameters. When VTP mode is transparent, you can create extended-range VLANs (VLAN IDs greater than 1005) and save configurations in the switch startup configuration file.

Mode: Interface configuration
  Access method: While in global configuration mode, enter the interface command (with a specific interface).
  Prompt: Switch(config-if)#
  Exit method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
  About this mode: Use this mode to configure parameters for the Ethernet ports.

Mode: Line configuration
  Access method: While in global configuration mode, specify a line with the line vty or line console command.
  Prompt: Switch(config-line)#
  Exit method: To exit to global configuration mode, enter exit. To return to privileged EXEC mode, press Ctrl-Z or enter end.
  About this mode: Use this mode to configure parameters for the terminal line.
Understanding Abbreviated Commands

You need to enter only enough characters for the switch to recognize the command as unique.

This example shows how to enter the show configuration privileged EXEC command in an abbreviated form:

Switch# show conf

No and Default Forms of Commands

Almost every configuration command also has a no form. In general, use the no form to disable a feature or function or reverse the action of a command. For example, the no shutdown interface configuration command reverses the shutdown of an interface. Use the command without the keyword no to reenable a disabled feature or to enable a feature that is disabled by default.

Configuration commands can also have a default form. The default form of a command returns the command setting to its default. Most commands are disabled by default, so the default form is the same as the no form. However, some commands are enabled by default and have variables set to certain default values. In these cases, the default command enables the command and sets variables to their default values.
CLI Error Messages

This table lists some error messages that you might encounter while using the CLI to configure your switch.

Table 2: Common CLI Error Messages

Error message: % Ambiguous command: "show con"
  Meaning: You did not enter enough characters for your switch to recognize the command.
  How to get help: Reenter the command followed by a question mark (?) without any space between the command and the question mark. The possible keywords that you can enter with the command appear.

Error message: % Incomplete command.
  Meaning: You did not enter all of the keywords or values required by this command.
  How to get help: Reenter the command followed by a question mark (?) with a space between the command and the question mark. The possible keywords that you can enter with the command appear.

Error message: % Invalid input detected at '^' marker.
  Meaning: You entered the command incorrectly. The caret (^) marks the point of the error.
  How to get help: Enter a question mark (?) to display all of the commands that are available in this command mode. The possible keywords that you can enter with the command appear.
Configuration Logging

You can log and view changes to the switch configuration. You can use the Configuration Change Logging and Notification feature to track changes on a per-session and per-user basis. The logger tracks each configuration command that is applied, the user who entered the command, the time that the command was entered, and the parser return code for the command. This feature includes a mechanism for asynchronous notification to registered applications whenever the configuration changes. You can choose to have the notifications sent to the syslog.

Note: Only CLI or HTTP changes are logged.
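The Configuration Change Logging and Notification feature described above, as an added configuration example that is not part of the Cisco guide. The syslog collector address 10.0.100.50 and the buffer size of 500 entries are assumptions; the commands themselves are the archive log config commands this feature uses.

```cisco
! Added example (not from the Cisco guide): record every applied configuration
! command with user, session and parser return code, and forward each record
! to syslog. The collector address 10.0.100.50 is a placeholder.
configure terminal
 ! Send switch logs to a collector; the configuration-change records ride along.
 logging host 10.0.100.50
 logging trap informational
 !
 archive
  log config
   ! Start recording each configuration command as it is applied.
   logging enable
   ! Keep the last 500 entries in memory (valid range 1 to 1000).
   logging size 500
   ! Mask passwords, keys and SNMP community strings in the recorded commands,
   ! so the log does not become a second copy of every secret on the switch.
   hidekeys
   ! Emit one syslog message per change, as readable text.
   notify syslog contenttype plaintext
  exit
 exit
end
! Checks:
! Recorded commands with user, session number and parser return code.
show archive log config all
! Counters, including how many entries were generated and how many were dropped.
show archive log config statistics
```

Leave hidekeys on: without it, an enable secret or RADIUS key typed at the CLI is copied verbatim into the change log and into every syslog message derived from it.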
Using the Help System

You can enter a question mark (?) at the system prompt to display a list of commands available for each command mode. You can also obtain a list of associated keywords and arguments for any command.

SUMMARY STEPS

1. help
2. abbreviated-command-entry ?
3. abbreviated-command-entry <Tab>
4. ?
5. command ?
6. command keyword ?

DETAILED STEPS

Step 1: help
  Purpose: Obtains a brief description of the help system in any command mode.
  Example:
  Switch# help

Step 2: abbreviated-command-entry ?
  Purpose: Obtains a list of commands that begin with a particular character string.
  Example:
  Switch# di?
  dir disable disconnect

Step 3: abbreviated-command-entry <Tab>
  Purpose: Completes a partial command name.
  Example:
  Switch# sh conf<Tab>
  Switch# show configuration

Step 4: ?
  Purpose: Lists all commands available for a particular command mode.
  Example:
  Switch> ?

Step 5: command ?
  Purpose: Lists the associated keywords for a command.
  Example:
  Switch> show ?

Step 6: command keyword ?
  Purpose: Lists the associated arguments for a keyword.
  Example:
  Switch(config)# cdp holdtime ?
  Length of time (in sec) that receiver must keep this packet
How to Use the CLI to Configure Features

Configuring the Command History

The software provides a history or record of commands that you have entered. The command history feature is particularly useful for recalling long or complex commands or entries, including access lists. You can customize this feature to suit your needs.

Changing the Command History Buffer Size

By default, the switch records ten command lines in its history buffer. You can alter this number for a current terminal session or for all sessions on a particular line. This procedure is optional.

SUMMARY STEPS

1. terminal history [size number-of-lines]

DETAILED STEPS

Step 1: terminal history [size number-of-lines]
  Purpose: Changes the number of command lines that the switch records during the current terminal session in privileged EXEC mode. You can configure the size from 0 to 256.
  Example:
  Switch# terminal history size 200
Recalling Commands

To recall commands from the history buffer, perform one of the actions listed in this table. These actions are optional.

Note: The arrow keys function only on ANSI-compatible terminals such as VT100s.

SUMMARY STEPS

1. Ctrl-P or use the up arrow key
2. Ctrl-N or use the down arrow key
3. show history

DETAILED STEPS

Step 1: Ctrl-P or use the up arrow key
  Purpose: Recalls commands in the history buffer, beginning with the most recent command. Repeat the key sequence to recall successively older commands.

Step 2: Ctrl-N or use the down arrow key
  Purpose: Returns to more recent commands in the history buffer after recalling commands with Ctrl-P or the up arrow key. Repeat the key sequence to recall successively more recent commands.

Step 3: show history
  Purpose: Lists the last several commands that you just entered in privileged EXEC mode. The number of commands that appear is controlled by the setting of the terminal history privileged EXEC command and the history line configuration command.
  Example:
  Switch# show history
Disabling the Command History Feature

The command history feature is automatically enabled. You can disable it for the current terminal session or for the command line. This procedure is optional.

SUMMARY STEPS

1. terminal no history

DETAILED STEPS

Step 1: terminal no history
  Purpose: Disables the feature during the current terminal session in privileged EXEC mode.
  Example:
  Switch# terminal no history
Enabling and Disabling Editing Features

Although enhanced editing mode is automatically enabled, you can disable it and reenable it.

SUMMARY STEPS

1. terminal editing
2. terminal no editing

DETAILED STEPS

Step 1: terminal editing
  Purpose: Reenables the enhanced editing mode for the current terminal session in privileged EXEC mode.
  Example:
  Switch# terminal editing

Step 2: terminal no editing
  Purpose: Disables the enhanced editing mode for the current terminal session in privileged EXEC mode.
  Example:
  Switch# terminal no editing
Editing Commands Through Keystrokes

The keystrokes help you to edit the command lines. These keystrokes are optional.

Note: The arrow keys function only on ANSI-compatible terminals such as VT100s.

Table 3: Editing Commands

Ctrl-B or left arrow key: Moves the cursor back one character.
Ctrl-F or right arrow key: Moves the cursor forward one character.
Ctrl-A: Moves the cursor to the beginning of the command line.
Ctrl-E: Moves the cursor to the end of the command line.
Esc B: Moves the cursor back one word.
Esc F: Moves the cursor forward one word.
Ctrl-T: Transposes the character to the left of the cursor with the character located at the cursor.
Delete or Backspace key: Erases the character to the left of the cursor.
Ctrl-D: Deletes the character at the cursor.
Ctrl-K: Deletes all characters from the cursor to the end of the command line.
Ctrl-U or Ctrl-X: Deletes all characters from the cursor to the beginning of the command line.
Ctrl-W: Deletes the word to the left of the cursor.
Esc D: Deletes from the cursor to the end of the word.
Esc C: Capitalizes at the cursor.
Esc L: Changes the word at the cursor to lowercase.
Esc U: Capitalizes letters from the cursor to the end of the word.
Ctrl-V or Esc Q: Designates a particular keystroke as an executable command, perhaps as a shortcut.
Return key: Scrolls down a line or screen on displays that are longer than the terminal screen can display.
  Note: The More prompt is used for any output that has more lines than can be displayed on the terminal screen, including show command output. You can use the Return and Space bar keystrokes whenever you see the More prompt.
Space bar: Scrolls down one screen.
Ctrl-L or Ctrl-R: Redisplays the current command line if the switch suddenly sends a message to your screen.
Editing Command Lines That Wrap

You can use a wraparound feature for commands that extend beyond a single line on the screen. When the cursor reaches the right margin, the command line shifts ten spaces to the left. You cannot see the first ten characters of the line, but you can scroll back and check the syntax at the beginning of the command. The keystroke actions are optional.

To scroll back to the beginning of the command entry, press Ctrl-B or the left arrow key repeatedly. You can also press Ctrl-A to immediately move to the beginning of the line.

Note: The arrow keys function only on ANSI-compatible terminals such as VT100s.

The following example shows how to wrap a command line that extends beyond a single line on the screen.

SUMMARY STEPS

1. access-list
2. Ctrl-A
3. Return key

DETAILED STEPS

Step 1: access-list
  Purpose: Displays the global configuration command entry that extends beyond one line. When the cursor first reaches the end of the line, the line is shifted ten spaces to the left and redisplayed. The dollar sign ($) shows that the line has been scrolled to the left. Each time the cursor reaches the end of the line, the line is again shifted ten spaces to the left.
  Example:
  Switch(config)# access-list 101 permit tcp 10.15.22.25 255.255.255.0 10.15.22.35
  Switch(config)# $ 101 permit tcp 10.15.22.25 255.255.255.0 10.15.22.35 255.25
  Switch(config)# $t tcp 10.15.22.25 255.255.255.0 131.108.1.20 255.255.255.0 eq
  Switch(config)# $15.22.25 255.255.255.0 10.15.22.35 255.255.255.0 eq 45

Step 2: Ctrl-A
  Purpose: Checks the complete syntax. The dollar sign ($) appears at the end of the line to show that the line has been scrolled to the right.
  Example:
  Switch(config)# access-list 101 permit tcp 10.15.22.25 255.255.255.0 10.15.2$

Step 3: Return key
  Purpose: Executes the command.

The software assumes that you have a terminal screen that is 80 columns wide. If you have a different width, use the terminal width privileged EXEC command to set the width of your terminal.

Use line wrapping with the command history feature to recall and modify previous complex command entries.
Searching and Filtering Output of show and more Commands

You can search and filter the output for show and more commands. This is useful when you need to sort through large amounts of output or if you want to exclude output that you do not need to see. Using these commands is optional.

SUMMARY STEPS

1. {show | more} command | {begin | include | exclude} regular-expression

DETAILED STEPS

Step 1: {show | more} command | {begin | include | exclude} regular-expression
  Purpose: Searches and filters the output. Expressions are case sensitive. For example, if you enter | exclude output, the lines that contain the lowercase word output are not displayed, but the lines that contain Output (with a capital O) still appear.
  Example:
  Switch# show interfaces | include protocol
  Vlan1 is up, line protocol is up
  Vlan10 is up, line protocol is down
  GigabitEthernet1/0/1 is up, line protocol is down
  GigabitEthernet1/0/2 is up, line protocol is up
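The same begin, include and exclude filters applied to a security review of a switch, as an added example that is not part of the Cisco guide. The regular expressions assume the usual running-config keywords (enable, username, aaa, login, line vty) and the STATIC type label that show mac address-table prints; interface names and the lines actually matched depend on the switch.

```cisco
! Added example (not from the Cisco guide): begin/include/exclude used to pull
! only the security-relevant lines out of large show output. All filter
! expressions are case sensitive.

! Only the authentication-related lines of the running configuration: lines
! that start with enable, username, aaa or login. Alternation and anchoring
! are supported by the IOS regular-expression engine.
show running-config | include ^(enable|username|aaa|login)

! Everything from the first vty line block onward: login method, transport
! input, access-class and exec-timeout of the remote-access lines.
show running-config | begin line vty

! Interfaces whose line protocol is down, dropping the "up" lines from view.
show interfaces | include line protocol is down

! Learned MAC addresses only, with the static (configured) entries removed,
! which is the view you want when checking port-security violations.
show mac address-table | exclude STATIC

! Case matters: this matches "transport input ssh" in the configuration but
! would not match the "SSH Enabled" line that show ip ssh prints.
show running-config | include ssh
```

Use include when you know the keyword and want every matching line wherever it occurs; use begin when you want a whole block from a known heading to the end of the output; use exclude to strip noise from an otherwise readable report.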
Accessing the CLI on a Switch Stack

You can access the CLI through a console connection, through Telnet, through SSH, or by using the browser.

You manage the switch stack and the stack member interfaces through the stack master. You cannot manage stack members on an individual switch basis. You can connect to the stack master through the console port or the Ethernet management port of one or more stack members. Be careful with using multiple CLI sessions on the stack master. Commands that you enter in one session are not displayed in the other sessions. Therefore, it is possible to lose track of the session from which you entered commands.

Note: We recommend using one CLI session when managing the switch stack.

If you want to configure a specific stack member port, you must include the stack member number in the CLI command interface notation.

Accessing the CLI Through a Console Connection or Through Telnet

Before you can access the CLI, you must connect a terminal or a PC to the switch console or connect a PC to the Ethernet management port and then power on the switch, as described in the hardware installation guide that shipped with your switch.

If your switch is already configured, you can access the CLI through a local console connection or through a remote Telnet session, but your switch must first be configured for this type of access.

You can use one of these methods to establish a connection with the switch:

- Connect the switch console port to a management station or dial-up modem, or connect the Ethernet management port to a PC. For information about connecting to the console or Ethernet management port, see the switch hardware installation guide.

- Use any Telnet TCP/IP or encrypted Secure Shell (SSH) package from a remote management station. The switch must have network connectivity with the Telnet or SSH client, its vty lines must require a login (a line password or local usernames), and it must have an enable secret password configured. Telnet carries the credentials and the whole session in clear text, so prefer SSH and restrict the vty lines to it wherever the image supports it.

  The switch supports up to 16 simultaneous Telnet sessions. Changes made by one Telnet user are reflected in all other Telnet sessions.

  The switch supports up to five simultaneous secure SSH sessions.

After you connect through the console port, through the Ethernet management port, through a Telnet session or through an SSH session, the user EXEC prompt appears on the management station.
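Preparing the switch so that SSH is the only remote path to the CLI, as an added example that is not part of the Cisco guide. The hostname sw-access-01, the domain name example.net, the netadmin account, the management subnet 10.0.100.0/24 and the ACL name MGMT-HOSTS are assumptions; generating the RSA key pair requires the cryptographic version of the software.

```cisco
! Added example (not from the Cisco guide): SSH-only remote access to the CLI.
! hostname, domain name, username, subnet and ACL name are placeholders.
configure terminal
 ! An RSA key pair needs a hostname and a domain name first. 2048 bits is the
 ! smallest modulus worth generating; the key is used to identify the switch
 ! to SSH clients, so protect the console while it is created.
 hostname sw-access-01
 ip domain-name example.net
 crypto key generate rsa modulus 2048
 !
 ! Refuse SSH protocol version 1, drop stalled negotiations after 60 seconds
 ! and allow at most three password attempts per connection.
 ip ssh version 2
 ip ssh time-out 60
 ip ssh authentication-retries 3
 !
 ! SSH logs in with a username, so a local account (hashed with "secret") is
 ! required; a bare vty line password is not enough.
 username netadmin privilege 15 secret <strong-secret>
 !
 ! Accept management connections only from the administrative subnet and
 ! log anything else that tries.
 ip access-list standard MGMT-HOSTS
  permit 10.0.100.0 0.0.0.255
  deny any log
 exit
 !
 ! All 16 vty lines: local login, SSH only (Telnet is refused), source-
 ! restricted, and idle sessions closed after ten minutes.
 line vty 0 15
  login local
  transport input ssh
  access-class MGMT-HOSTS in
  exec-timeout 10 0
 exit
end
! Checks:
! Confirms SSH is enabled and which protocol version is offered.
show ip ssh
! Lists the active SSH sessions (the guide allows five at a time).
show ssh
! Lists every session, including console and any remaining Telnet users.
show users
```

Apply transport input ssh last and from the console, or from an SSH session you have already verified works: the moment it is entered, any Telnet session you are relying on is cut off at the next connection attempt.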
CHAPTER 2: Security Features Overview

- Security Features Overview, page 13

Security Features Overview

The switch supports a LAN Base image or a LAN Lite image with a reduced feature set, depending on switch hardware. The security features are as follows:

- IPv6 First Hop Security: A suite of security features to be applied at the first hop switch to protect against vulnerabilities inherent in IPv6 networks. These include Binding Integrity Guard (Binding Table), Router Advertisement Guard (RA Guard), DHCP Guard, IPv6 Neighbor Discovery Inspection (ND Guard), and IPv6 Source Guard.

- Web Authentication: Allows a supplicant (client) that does not support IEEE 802.1x functionality to be authenticated using a web browser.

  Note: To use Web Authentication, the switch must be running the LAN Base image.

- Local Web Authentication Banner: A custom banner or an image file displayed at a web authentication login screen.

- IEEE 802.1x Authentication with ACLs and the RADIUS Filter-Id Attribute.

- Password-protected access (read-only and read-write access) to management interfaces (device manager, Network Assistant, and the CLI) for protection against unauthorized configuration changes.

- Multilevel security for a choice of security level, notification, and resulting actions.

- Static MAC addressing for ensuring security.

- Protected port option for restricting the forwarding of traffic to designated ports on the same switch.

- Port security option for limiting and identifying MAC addresses of the stations allowed to access the port.

- VLAN aware port security option to shut down the VLAN on the port when a violation occurs, instead of shutting down the entire port.

- Port security aging to set the aging time for secure addresses on a port.

- Protocol storm protection to control the rate of incoming protocol traffic to a switch by dropping packets that exceed a specified ingress rate.

- BPDU guard for shutting down a Port Fast-configured port when an invalid configuration occurs.

- Standard and extended IP access control lists (ACLs) for defining inbound security policies on Layer 2 interfaces (port ACLs).

- Extended MAC access control lists for defining security policies in the inbound direction on Layer 2 interfaces.

- Source and destination MAC-based ACLs for filtering non-IP traffic.

- DHCP snooping to filter untrusted DHCP messages between untrusted hosts and DHCP servers.

- IP source guard to restrict traffic on nonrouted interfaces by filtering traffic based on the DHCP snooping database and IP source bindings.

- Dynamic ARP inspection to prevent malicious attacks on the switch by not relaying invalid ARP requests and responses to other ports in the same VLAN.

- IEEE 802.1x port-based authentication to prevent unauthorized devices (clients) from gaining access to the network. These 802.1x features are supported:

  - Multidomain authentication (MDA) to allow both a data device and a voice device, such as an IP phone (Cisco or non-Cisco), to independently authenticate on the same IEEE 802.1x-enabled switch port.

    Note: To use MDA, the switch must be running the LAN Base image.

  - Dynamic voice virtual LAN (VLAN) for MDA to allow a dynamic voice VLAN on an MDA-enabled port.

  - VLAN assignment for restricting 802.1x-authenticated users to a specified VLAN.

  - Support for VLAN assignment on a port configured for multi-auth mode. The RADIUS server assigns a VLAN to the first host to authenticate on the port, and subsequent hosts use the same VLAN. Voice VLAN assignment is supported for one IP phone.

    Note: To use this feature, the switch must be running the LAN Base image. Multi-auth host mode is not supported in the LAN Lite image.

  - Port security for controlling access to 802.1x ports.

  - Voice VLAN to permit a Cisco IP Phone to access the voice VLAN regardless of the authorized or unauthorized state of the port.

  - IP phone detection enhancement to detect and recognize a Cisco IP phone.

  - Guest VLAN to provide limited services to non-802.1x-compliant users.

  - Restricted VLAN to provide limited services to users who are 802.1x compliant, but do not have the credentials to authenticate via the standard 802.1x processes.

    Note: To use authentication with restricted VLANs, the switch must be running the LAN Base image.

  - 802.1x accounting to track network usage.

  - 802.1x with wake-on-LAN to allow dormant PCs to be powered on based on the receipt of a specific Ethernet frame.

  - 802.1x readiness check to determine the readiness of connected end hosts before configuring IEEE 802.1x on the switch.

    Note: To use 802.1x readiness check, the switch must be running the LAN Base image.

  - Voice aware 802.1x security to apply traffic violation actions only on the VLAN on which a security violation occurs.

    Note: To use voice aware 802.1x authentication, the switch must be running the LAN Base image.

  - MAC authentication bypass (MAB) to authorize clients based on the client MAC address.

    Note: To use MAC authentication bypass, the switch must be running the LAN Base image.

  - Network Admission Control (NAC) Layer 2 802.1x validation of the antivirus condition or posture of endpoint systems or clients before granting the devices network access.

    Note: To use NAC, the switch must be running the LAN Base image.

  - Network Edge Access Topology (NEAT) with 802.1X switch supplicant, host authorization with CISP, and auto enablement to authenticate a switch outside a wiring closet as a supplicant to another switch.

  - IEEE 802.1x with open access to allow a host to access the network before being authenticated.

  - IEEE 802.1x authentication with downloadable ACLs and redirect URLs to allow per-user ACL downloads from a Cisco Secure ACS server to an authenticated switch.

  - Support for dynamic creation or attachment of an auth-default ACL on a port that has no configured static ACLs.

    Note: To use this feature, the switch must be running the LAN Base image.

  - Flexible-authentication sequencing to configure the order of the authentication methods that a port tries when authenticating a new host.

  - Multiple-user authentication to allow more than one host to authenticate on an 802.1x-enabled port.

- TACACS+, a proprietary feature for managing network security through a TACACS server for both IPv4 and IPv6.

- RADIUS for verifying the identity of, granting access to, and tracking the actions of remote users through authentication, authorization, and accounting (AAA) services for both IPv4 and IPv6.

- Enhancements to RADIUS, TACACS+, and SSH to function over IPv6.

- Secure Socket Layer (SSL) Version 3.0 support for the HTTP 1.1 server authentication, encryption, and message integrity and HTTP client authentication to allow secure HTTP communications (requires the cryptographic version of the software). SSL 3.0 has since been deprecated (RFC 7568); where the image offers TLS for the HTTPS server, prefer it.

- Support for IP source guard on static hosts.

- RADIUS Change of Authorization (CoA) to change the attributes of a certain session after it is authenticated. When there is a change in policy for a user or user group in AAA, administrators can send RADIUS CoA packets from the AAA server, such as Cisco Identity Services Engine or Cisco Secure ACS, to reinitialize authentication and apply the new policies.

- IEEE 802.1x User Distribution to allow deployments with multiple VLANs (for a group of users) to improve scalability of the network by load balancing users across different VLANs. Authorized users are assigned to the least populated VLAN in the group, as assigned by the RADIUS server.

- Support for critical VLAN with multiple-host authentication so that when a port is configured for multi-auth and an AAA server becomes unreachable, the port is placed in a critical VLAN in order to still permit access to critical resources.

- Support for Network Edge Access Topology (NEAT) to change the port host mode and to apply a standard port configuration on the authenticator switch port.

- VLAN-ID based MAC authentication to use the combined VLAN and MAC address information for user authentication to prevent network access from unauthorized VLANs.

- MAC move to allow hosts (including the hosts connected behind an IP phone) to move across ports within the same switch without any restrictions to enable mobility. With MAC move, the switch treats the reappearance of the same MAC address on another port in the same way as a completely new MAC address.

- Support for 3DES and AES with version 3 of the Simple Network Management Protocol (SNMPv3). This release adds support for the 168-bit Triple Data Encryption Standard (3DES) and the 128-bit, 192-bit, and 256-bit Advanced Encryption Standard (AES) encryption algorithms to SNMPv3.

- Support for Cisco TrustSec SXP protocol in the LAN Base image only.
CHAPTER 3: Preventing Unauthorized Access

- Finding Feature Information, page 17
- Preventing Unauthorized Access, page 17

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Preventing Unauthorized Access

You can prevent unauthorized users from reconfiguring your switch and viewing configuration information. Typically, you want network administrators to have access to your switch while you restrict access to users who dial from outside the network through an asynchronous port, connect from outside the network through a serial port, or connect through a terminal or workstation from within the local network.

To prevent unauthorized access into your switch, you should configure one or more of these security features:

- At a minimum, you should configure passwords and privileges at each switch port. These passwords are locally stored on the switch. When users attempt to access the switch through a port or line, they must enter the password specified for the port or line before they can access the switch.

- For an additional layer of security, you can also configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.

- If you want to use username and password pairs, but you want to store them centrally on a server instead of locally, you can store them in a database on a security server. Multiple networking devices can then use the same database to obtain user authentication (and, if necessary, authorization) information.

- You can also enable the login enhancements feature, which logs both successful and unsuccessful login attempts. Login enhancements can also be configured to block future login attempts after a set number of unsuccessful attempts are made. For more information, see the Cisco IOS Login Enhancements documentation.
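The locally stored controls listed above (a privileged EXEC secret, line authentication, username and password pairs with privilege levels, and login enhancements) as one added configuration example that is not part of the Cisco guide. The usernames netadmin and helpdesk, the privilege levels, the five-minute exec-timeout and the login block-for thresholds are assumptions chosen for illustration; the centrally stored server variant is covered in the TACACS+ chapter referenced below.

```cisco
! Added example (not from the Cisco guide): layered local access control.
! Usernames, timeouts, thresholds and the <...> secrets are placeholders.
configure terminal
 ! Privileged EXEC protected by a one-way hashed secret rather than
 ! "enable password", which is stored in recoverable form.
 enable secret <strong-enable-secret>
 !
 ! Local username/password pairs with explicit privilege levels. "secret"
 ! stores a hash; "password" would store clear text or a reversible type 7.
 ! Privilege 15 is full access, privilege 1 is user EXEC only.
 username netadmin privilege 15 secret <strong-admin-secret>
 username helpdesk privilege 1 secret <strong-helpdesk-secret>
 !
 ! Every line authenticates against the local user database instead of a
 ! shared line password, and idle sessions are closed after five minutes.
 line console 0
  login local
  exec-timeout 5 0
  logging synchronous
 exit
 line vty 0 15
  login local
  exec-timeout 5 0
 exit
 !
 ! Login enhancements: record successful and failed logins, pause two
 ! seconds between attempts, and after five failures within 60 seconds
 ! refuse new remote logins for 120 seconds (the console stays reachable).
 login on-success log
 login on-failure log
 login delay 2
 login block-for 120 attempts 5 within 60
end
! Checks: what was actually stored, and whether the switch is in quiet mode
! because the failure threshold was hit.
show running-config | include ^(enable|username|login)
show login
```

Pick the block-for window so that an ordinary mistyped password does not lock out the operations team, and pair it with the syslog destination configured for Configuration Change Logging so that the on-failure records reach a collector rather than staying in the local buffer.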
Related Topics

- Configuring Username and Password Pairs, on page 29
- TACACS+ and Switch Access, on page 41
- Setting a Telnet Password for a Terminal Line, on page 27
CHAPTER 4: Controlling Switch Access with Passwords and Privilege Levels

- Finding Feature Information, page 19
- Restrictions for Controlling Switch Access with Passwords and Privileges, page 19
- Information About Passwords and Privilege Levels, page 20
- How to Control Switch Access with Passwords and Privilege Levels, page 22
- Monitoring Switch Access, page 35
- Configuration Examples for Setting Passwords and Privilege Levels, page 35
- Additional References, page 36

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Controlling Switch Access with Passwords and Privileges
The following are the restrictions for controlling switch access with passwords and privileges:
Disabling password recovery will not work if you have set the switch to boot up manually by using the boot manual global configuration command. This command produces the boot loader prompt (switch:) after the switch is power cycled.
Related Topics

Disabling Password Recovery, on page 26
Password Recovery, on page 21
Information About Passwords and Privilege Levels
Default Password and Privilege Level Configuration

A simple way of providing terminal access control in your network is to use passwords and assign privilege levels. Password protection restricts access to a network or network device. Privilege levels define what commands users can enter after they have logged into a network device.
This table shows the default password and privilege level configuration.
Table 4: Default Password and Privilege Levels

Feature: Enable password and privilege level
Default Setting: No password is defined. The default is level 15 (privileged EXEC level). The password is not encrypted in the configuration file.

Feature: Enable secret password and privilege level
Default Setting: No password is defined. The default is level 15 (privileged EXEC level). The password is encrypted before it is written to the configuration file.

Feature: Line password
Default Setting: No password is defined.
Additional Password Security

To provide an additional layer of security, particularly for passwords that cross the network or that are stored on a Trivial File Transfer Protocol (TFTP) server, you can use either the enable password or enable secret global configuration commands. Both commands accomplish the same thing; that is, you can establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify.
We recommend that you use the enable secret command because it uses an improved encryption algorithm.
If you configure the enable secret command, it takes precedence over the enable password command; the two commands cannot be in effect simultaneously.
If you enable password encryption, it applies to all passwords including username passwords, authentication key passwords, the privileged command password, and console and virtual terminal line passwords.
Related Topics

Protecting Enable and Enable Secret Passwords with Encryption, on page 24
Example: Protecting Enable and Enable Secret Passwords with Encryption, on page 35
Password Recovery

By default, any end user with physical access to the switch can recover from a lost password by interrupting the boot process while the switch is powering on and then by entering a new password.
The password-recovery disable feature protects access to the switch password by disabling part of this functionality. When this feature is enabled, the end user can interrupt the boot process only by agreeing to set the system back to the default configuration. With password recovery disabled, you can still interrupt the boot process and change the password, but the configuration file (config.text) and the VLAN database file (vlan.dat) are deleted.
If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the Xmodem protocol.
To re-enable password recovery, use the service password-recovery global configuration command.
Related Topics

Disabling Password Recovery, on page 26
Restrictions for Controlling Switch Access with Passwords and Privileges, on page 19
Terminal Line Telnet Configuration

When you power-up your switch for the first time, an automatic setup program runs to assign IP information and to create a default configuration for continued use. The setup program also prompts you to configure your switch for Telnet access through a password. If you did not configure this password during the setup program, you can configure it when you set a Telnet password for a terminal line.
Related Topics

Setting a Telnet Password for a Terminal Line, on page 27
Example: Setting a Telnet Password for a Terminal Line, on page 36
Username and Password Pairs

You can configure username and password pairs, which are locally stored on the switch. These pairs are assigned to lines or ports and authenticate each user before that user can access the switch. If you have defined privilege levels, you can also assign a specific privilege level (with associated rights and privileges) to each username and password pair.
Related Topics
Configuring Username and Password Pairs, on page 29
Privilege Levels

Cisco switches (and other devices) use privilege levels to provide password security for different levels of switch operation. By default, the Cisco IOS software operates in two modes (privilege levels) of password security: user EXEC (Level 1) and privileged EXEC (Level 15). You can configure up to 16 hierarchical levels of commands for each mode. By configuring multiple passwords, you can allow different sets of users to have access to specified commands.
Privilege Levels on Lines
Users can override the privilege level you set using the privilege level line configuration command by logging in to the line and enabling a different privilege level. They can lower the privilege level by using the disable command. If users know the password to a higher privilege level, they can use that password to enable the higher privilege level. You might specify a high level or privilege level for your console line to restrict line usage.
For example, if you want many users to have access to the clear line command, you can assign it level 2 security and distribute the level 2 password fairly widely. But if you want more restricted access to the configure command, you can assign it level 3 security and distribute that password to a more restricted group of users.
Command Privilege Levels
When you set a command to a privilege level, all commands whose syntax is a subset of that command are also set to that level. For example, if you set the show ip traffic command to level 15, the show commands and show ip commands are automatically set to privilege level 15 unless you set them individually to different levels.
Related Topics

Setting the Privilege Level for a Command, on page 31
Example: Setting the Privilege Level for a Command, on page 36
Changing the Default Privilege Level for Lines, on page 33
Logging into and Exiting a Privilege Level, on page 34
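The prefix rule above has a practical consequence that is easy to miss: raising show ip traffic to level 15 also raises show and show ip, so a level 1 user loses every show ip command. The following Python model, an added example and not Cisco code, computes the level that ends up applying to each configured command and each implied prefix. Where two configured commands share a prefix that was not set individually, the model gives the prefix the higher of their levels; that tie-break is an assumption of this example, not a rule stated in the guide.

```python
"""Model the command privilege level inheritance rule described above.

Added example; it is not Cisco code. Rule from the guide: when a command is
set to a privilege level, every command whose syntax is a prefix (subset) of
it is also set to that level, unless that prefix was set individually.
Assumption of this example: if two configured commands share a prefix that
was not set individually, the prefix takes the higher of their levels.
"""
from typing import Dict, List, Tuple

USER_EXEC = 1  # default level for commands that no privilege command touches


def effective_levels(configured: List[Tuple[str, int]]) -> Dict[str, int]:
    """Return {command: level} for every configured command and every implied prefix.

    configured: (command, level) pairs, e.g. ("show ip traffic", 15), as entered
    with `privilege exec level <level> <command>`.
    """
    explicit = dict(configured)          # individually set commands keep their level
    levels = dict(explicit)
    for command, level in configured:
        words = command.split()
        for n in range(1, len(words)):   # every proper prefix: "show", "show ip", ...
            prefix = " ".join(words[:n])
            if prefix in explicit:
                continue                 # set individually: not overridden
            levels[prefix] = max(levels.get(prefix, USER_EXEC), level)  # assumption: highest wins
    return levels


def required_level(levels: Dict[str, int], command: str) -> int:
    """Level a user needs to run `command`: its own entry, else its longest configured prefix's."""
    words = command.split()
    for n in range(len(words), 0, -1):
        prefix = " ".join(words[:n])
        if prefix in levels:
            return levels[prefix]
    return USER_EXEC


if __name__ == "__main__":
    # The guide's instance: show ip traffic at 15 pulls show and show ip up to 15 as well.
    table = effective_levels([("show ip traffic", 15)])
    for cmd in ("show", "show ip", "show ip traffic", "show ip route", "ping"):
        print(f"{cmd:20s} level {required_level(table, cmd)}")
```

Run it before applying a privilege command on a production switch: if required_level reports 15 for a command that level 1 operators rely on, set that prefix individually (for example show at level 1) as the last paragraph describes.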
How to Control Switch Access with Passwords and Privilege Levels
Setting or Changing a Static Enable Password

The enable password controls access to the privileged EXEC mode. Follow these steps to set or change a static enable password:
SUMMARY STEPS

1. enable
2. configure terminal
3. enable password password
4. end
5. show running-config
6. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable

Step 2: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 3: enable password password
Purpose: Defines a new password or changes an existing password for access to privileged EXEC mode.
By default, no password is defined.
For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. It can contain the question mark (?) character if you precede the question mark with the key combination Ctrl-v when you create the password; for example, to create the password abc?123, do this:
1. Enter abc.
2. Enter Ctrl-v.
3. Enter ?123.
When the system prompts you to enter the enable password, you need not precede the question mark with the Ctrl-v; you can simply enter abc?123 at the password prompt.
Example:
Switch(config)# enable password secret321

Step 4: end
Purpose: Returns to privileged EXEC mode.
Example:
Switch(config)# end

Step 5: show running-config
Purpose: Verifies your entries.
Example:
Switch# show running-config

Step 6: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config startup-config
Related Topics
Example: Setting or Changing a Static Enable Password, on page 35
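The password rules in Step 3 (1 to 25 characters, no leading digit, case sensitive, leading spaces ignored, "?" allowed when typed after Ctrl-v) are the same ones the later line-password steps quote, so they are worth checking before a value is pasted into a change window. The checker below is an added example, not Cisco code; characters other than letters, digits, space and "?" are not discussed in the guide, so the checker only notes them rather than rejecting them, and that is an assumption.

```python
"""Check a candidate password against the rules the enable password step states.

Added example; not Cisco code. Hard rules from the guide: 1 to 25 characters
and the string cannot start with a number. The switch also ignores leading
spaces and treats the password as case sensitive; a "?" is allowed but must
be typed after Ctrl-v when the password is created. Characters outside
letters, digits, space and "?" are not discussed in the guide, so this
checker only notes them (assumption).
"""
import re
from typing import List, Tuple

MIN_LEN, MAX_LEN = 1, 25
UNDISCUSSED = re.compile(r"[^A-Za-z0-9 ?]")


def normalize(candidate: str) -> str:
    """The only transformation the guide describes: leading spaces are ignored."""
    return candidate.lstrip(" ")


def check_password(candidate: str) -> Tuple[bool, List[str], List[str]]:
    """Return (ok, errors, notes). ok is False only when a hard rule is violated."""
    pw = normalize(candidate)
    errors: List[str] = []
    notes: List[str] = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        errors.append(f"length {len(pw)} is outside {MIN_LEN}-{MAX_LEN} characters")
    if pw and pw[0].isdigit():
        errors.append("cannot start with a number")
    if pw != candidate:
        notes.append("leading spaces are ignored; the switch stores %r" % pw)
    if "?" in pw:
        notes.append("contains '?': press Ctrl-v before it when creating the password")
    if UNDISCUSSED.search(pw):
        notes.append("contains characters the guide does not cover (assumption: noted, not rejected)")
    return (not errors, errors, notes)


def same_password(entered: str, configured: str) -> bool:
    """Compare the way the switch does: case sensitive, leading spaces dropped."""
    return normalize(entered) == normalize(configured)


if __name__ == "__main__":
    for cand in ("secret321", "   abc?123", "1abc", "x" * 26):
        print(repr(cand), check_password(cand))
```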
Protecting Enable and Enable Secret Passwords with Encryption

Follow these steps to establish an encrypted password that users must enter to access privileged EXEC mode (the default) or any privilege level you specify:
SUMMARY STEPS

1. enable
2. configure terminal
3. Use one of the following:
   enable password [level level] {password | encryption-type encrypted-password}
   enable secret [level level] {password | encryption-type encrypted-password}
4. service password-encryption
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable

Step 2: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 3: Use one of the following:
enable password [level level] {password | encryption-type encrypted-password}
enable secret [level level] {password | encryption-type encrypted-password}
Purpose: enable password defines a new password or changes an existing password for access to privileged EXEC mode. enable secret defines a secret password, which is saved using a nonreversible encryption method.
(Optional) For level, the range is from 0 to 15. Level 1 is normal user EXEC mode privileges. The default level is 15 (privileged EXEC mode privileges).
For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
(Optional) For encryption-type, only type 5, a Cisco proprietary encryption algorithm, is available. If you specify an encryption type, you must provide an encrypted password, that is, an encrypted password that you copy from another switch configuration.
Note: If you specify an encryption type and then enter a clear text password, you cannot re-enter privileged EXEC mode. You cannot recover a lost encrypted password by any method.
Example:
Switch(config)# enable password example102
or
Switch(config)# enable secret level 1 password secret123sample

Step 4: service password-encryption
Purpose: (Optional) Encrypts the password when the password is defined or when the configuration is written. Encryption prevents the password from being readable in the configuration file.
Example:
Switch(config)# service password-encryption

Step 5: end
Purpose: Returns to privileged EXEC mode.
Example:
Switch(config)# end

Step 6: show running-config
Purpose: Verifies your entries.
Example:
Switch# show running-config

Step 7: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config startup-config
Related Topics
Additional Password Security, on page 20
Example: Protecting Enable and Enable Secret Passwords with Encryption, on page 35
Disabling Password Recovery

Follow these steps to disable password recovery to protect the security of your switch:
Before You Begin
If you disable password recovery, we recommend that you keep a backup copy of the configuration file on a secure server in case the end user interrupts the boot process and sets the system back to default values. Do not keep a backup copy of the configuration file on the switch. If the switch is operating in VTP transparent mode, we recommend that you also keep a backup copy of the VLAN database file on a secure server. When the switch is returned to the default system configuration, you can download the saved files to the switch by using the Xmodem protocol.
SUMMARY STEPS

1. enable
2. configure terminal
3. system disable password recovery switch {all | }
4. end

DETAILED STEPS

Step 1: enable
Purpose: Enables privileged EXEC mode. Enter your password if prompted.
Example:
Switch> enable

Step 2: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 3: system disable password recovery switch {all | }
Purpose: Disables password recovery.
all - Sets the configuration on switches in stack.
 - Sets the configuration on the Switch Number selected.
This setting is saved in an area of the flash memory that is accessible by the boot loader and the Cisco IOS image, but it is not part of the file system and is not accessible by any user.
Example:
Switch(config)# system disable password recovery switch all

Step 4: end
Purpose: Returns to privileged EXEC mode.
Example:
Switch(config)# end
What to Do Next
To remove the disable password recovery setting, use the no system disable password recovery switch all global configuration command.
Related Topics
Password Recovery, on page 21
Restrictions for Controlling Switch Access with Passwords and Privileges, on page 19
Setting a Telnet Password for a Terminal Line

Beginning in user EXEC mode, follow these steps to set a Telnet password for the connected terminal line:
Before You Begin
Attach a PC or workstation with emulation software to the switch console port, or attach a PC to the Ethernet management port.
The default data characteristics of the console port are 9600, 8, 1, no parity. You might need to press the Return key several times to see the command-line prompt.
SUMMARY STEPS

1. enable
2. configure terminal
3. line vty 0 15
4. password password
5. end
6. show running-config
7. copy running-config startup-config

DETAILED STEPS

Step 1: enable
Purpose: Enters privileged EXEC mode.
Note: If a password is required for access to privileged EXEC mode, you will be prompted for it.
Example:
Switch> enable

Step 2: configure terminal
Purpose: Enters the global configuration mode.
Example:
Switch# configure terminal

Step 3: line vty 0 15
Purpose: Configures the number of Telnet sessions (lines), and enters line configuration mode.
There are 16 possible sessions on a command-capable Switch. The 0 and 15 mean that you are configuring all 16 possible Telnet sessions.
Example:
Switch(config)# line vty 0 15

Step 4: password password
Purpose: Sets a Telnet password for the line or lines.
For password, specify a string from 1 to 25 alphanumeric characters. The string cannot start with a number, is case sensitive, and allows spaces but ignores leading spaces. By default, no password is defined.
Example:
Switch(config-line)# password abcxyz543

Step 5: end
Purpose: Returns to privileged EXEC mode.
Example:
Switch(config-line)# end

Step 6: show running-config
Purpose: Verifies your entries.
Example:
Switch# show running-config

Step 7: copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
Example:
Switch# copy running-config startup-config
Related Topics
Preventing Unauthorized Access, on page 17
Terminal Line Telnet Configuration, on page 21
Example: Setting a Telnet Password for a Terminal Line, on page 36
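The Additional Password Security section, the enable secret procedure and the Telnet password procedure above each describe a setting that should be visible in show running-config: an enable secret rather than an enable password, service password-encryption turned on, and a password on every vty line. The script below, an added example that is not Cisco code, parses a running-config excerpt and reports where those controls are missing. Both configurations are constructed for this example; the type 5 hash and the type 7 strings are placeholders, not real encrypted passwords.

```python
"""Audit a Cisco IOS running-config excerpt for the password controls in this chapter.

Added example; not Cisco code. It checks the points the guide makes:
  - an enable secret is configured (preferred, nonreversible encryption),
  - an enable password that coexists with an enable secret is not in effect,
    since enable secret takes precedence, and should be removed,
  - service password-encryption is on, so line and username passwords are not
    readable in the configuration file,
  - every vty line has a password or uses login local.
Both configs below are constructed for this example; the type 5 hash and the
type 7 strings are placeholders, not real encrypted passwords.
"""
from typing import Dict, List, Tuple

WEAK_CONFIG = """\
!
service password-encryption
!
enable secret 5 $1$PLACEHOLDER$notarealhash
enable password secret321
!
line con 0
 password 7 0123456789ABCDEF
 login
line vty 0 4
 password 7 0123456789ABCDEF
 login
line vty 5 15
 login
!
"""

HARDENED_CONFIG = """\
service password-encryption
enable secret 5 $1$PLACEHOLDER$notarealhash
line con 0
 password 7 0123456789ABCDEF
 login
line vty 0 15
 password 7 0123456789ABCDEF
 login
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global commands and {line block header: [sub-commands]}."""
    global_cmds: List[str] = []
    line_blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None                            # blank line or comment ends a block
            continue
        if raw.startswith(" ") and current is not None:
            line_blocks[current].append(raw.strip())  # indented: belongs to the open line block
            continue
        cmd = raw.strip()
        current = None
        if cmd.startswith("line "):
            current = cmd
            line_blocks.setdefault(cmd, [])
        else:
            global_cmds.append(cmd)
    return global_cmds, line_blocks


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, line_blocks = parse_config(text)
    findings: List[str] = []

    has_secret = any(c.startswith("enable secret") for c in global_cmds)
    has_password = any(c.startswith("enable password") for c in global_cmds)
    if not has_secret and not has_password:
        findings.append("no enable secret or enable password: privileged EXEC is unprotected")
    elif not has_secret:
        findings.append("enable password only: replace it with enable secret (nonreversible encryption)")
    elif has_password:
        findings.append("enable password set alongside enable secret: enable secret takes precedence, "
                        "so the enable password is not in effect; remove it")

    if "service password-encryption" not in global_cmds:
        findings.append("service password-encryption is off: line and username passwords are stored readable")

    for header, cmds in line_blocks.items():
        if not header.startswith("line vty"):
            continue
        has_line_pw = any(c.startswith("password") for c in cmds)
        if not has_line_pw and "login local" not in cmds:
            findings.append(f"{header}: no password and no login local configured")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["ok"])
```

The weak configuration shows the two findings a reviewer should expect from this chapter: the leftover enable password that enable secret has superseded, and the vty 5 15 lines that were never given a password. Feed the script the output of show running-config saved to a file to use it on a real device.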
Configuring Username and Password Pairs

Follow these steps to configure username and password pairs:
SUMMARY STEPS

1. enable
2. configure terminal
3. username name [privilege level] {password encryption-type password}
4. Use one of the following:
   line console 0
   line vty 0 15
5. login local
6. end
7. show running-config
8. copy running-config startup-config